I personally like proxy services for the data leakage protection they provide. As most industry analysts will tell you, the threat of embedded email viruses has shifted to compromised websites where malware is loaded onto an employee's PC or the employee is tricked into giving up passwords or IDs. Because of this, organizations are limiting social networking sites like Facebook, MySpace or Twitter, which have become territorial hunting grounds for the makers of Trojans and other malware. (However, be aware that management executives see the possibilities of social networking for business use and are considering opening access to them in order to leverage these sites for commerce.)
Limiting access to the network can have other benefits, such as preventing sensitive information from exiting the company through unauthorized sources (like exiting employees), preventing employees from accessing other unauthorized sites and services, preventing Trojans and other malware that have already crept into your organization from sending data out to cybercriminals, and limiting bandwidth utilization to key personnel and applications.
In addition, be aware that tying network protection tools to identity management protection tools (for example, tying Active Directory to Group Policy) will incur a higher level of administrative burden on the organization (not to mention that the repository schema must be extended and the data inputted and maintained correctly, which may be a project in and of itself).
As far as business justification for these services goes, it depends on your organization's sensitivity to risk. Some organizations inherently trust that their workers are knowledgeable, ethical and careful when using the Internet, while other organizations believe that taking away the temptation of the Internet is the safest action for their general populations. As such, selling protection services will be more difficult in the first organization and easier in the second. Also, it's not a good idea to spread fear, uncertainty and doubt (FUD), so selling the concept of proxy services as added protection should be done with sensitivity to your management's feelings about the possibility of breaches and unauthorized disclosures of information. And of course, educating your management on what proxy services do and their business value in the reduction of identity theft and fraud is a good place to start.
Proxy services are becoming a de facto tool in many organizations' security arsenal, but which tool or tools you need to maintain the surety of your environment must be considered carefully in terms of its business justification.
For more information:
This was first published in September 2009