Secure Enterprise 2.0 Blog

Making Sense of the Consumerized Workplace

Archive for April, 2008

Apr 19

Block, Lock and Web 2.0 Smoking Barrels

Yuval Tarsi

With usage of public Web 2.0 services such as personalized homepages and social networks growing daily, these services become an increasingly significant tool in the information worker’s toolbox. They are used to network, collaborate, research and stay up-to-date on the latest news and trends.

At the same time, concern arises over the potential security risks involved. In many organizations, the knee-jerk reaction of the information security function is "block out and lock down": block the services at the web access layer and make sure all workstations are locked down.

Even if such locks and blocks could be implemented effectively, which is questionable, CISOs should reexamine whether such a strategy is best in the long term. Keeping the latest Web technologies out of the workplace can have a detrimental effect on productivity, as well as on employee morale and retention. Ultimately, organizations that decide to lock out the Web today may find themselves left behind.

All that said, the security challenges are real, and the intuitive reaction of many organizations is not unjustified. New technologies provide new capabilities but also present new risks: an employee publishing proprietary information on a public blog, or revealing what the company is researching by using a public bookmarking site as a research tool. Other incidents may be more elaborate and malicious in nature, such as phishing attempts or newer attacks against the Web technologies in use within the organization (e.g. JavaScript hijacking of JSON endpoints and script injection through RSS feeds).

For information security professionals, a balance needs to be struck between providing employees with the tools they need to be productive and maintaining sufficient control to keep security incidents at an acceptable level.

First and foremost, it is critical to define and implement clear use policies for Web 2.0 tools both inside and outside the organization.

In addition to defining policies, there are technical measures that can be taken to reduce the risk of using Web 2.0 technologies in the enterprise:

  • Place a middle tier between information back-end systems and Web 2.0 front-ends – Web 2.0 front-ends such as RSS feeds and AJAX gadgets tend to generate many small requests. A middle tier optimized for these front-ends and capable of communicating efficiently with back-ends absorbs that load, and it is also the one place where authentication, input validation and output encoding can be enforced for every gadget instead of being re-implemented in each.
  • Leverage existing security mechanisms – even when data is accessed from Web 2.0 front-ends, there is no reason not to leverage the existing enterprise single-sign-on or centralized access management; a gadget should not acquire its own password store or ad-hoc authorization rules.
  • Provisioning is critical – maintain full control of application and data provisioning, regardless of how the data is consumed or where the applications run.
  • Address 'Attacks 2.0' from the get-go – train developers on the risks specific to Web 2.0 technologies and the accepted best practices for handling them.
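The two "Attacks 2.0" the post names, script injection through RSS feeds and JavaScript hijacking, are concrete enough to show in code. What follows is an added example written for this page, not code from the post or from any product it describes: a Node.js script in which the feed XML, the feed item's HTML and the request object handed to `contactsHandler` are all constructed for the demo, and `sanitizeFeedHtml`, `guardJson`, `parseGuardedJson` and `contactsHandler` are illustrative names rather than any existing library's API.

```javascript
// Added example for this page (not code from the post): the two "Attacks 2.0"
// it names, script injection through RSS feeds and JavaScript hijacking of
// JSON endpoints, as a middle tier would handle them. Feed XML, item HTML and
// request objects below are constructed for the demo.

// --- 1. Script injection through RSS feeds ---------------------------------
// RSS lets <description> carry HTML; a gadget that drops it into innerHTML
// lets inline handlers and javascript: links in an attacker's feed run in the
// employee's browser. Constructed feed item:
const constructedFeedXml = `<?xml version="1.0"?>
<rss version="2.0"><channel><title>Demo feed</title>
<item><title>SEO tips</title>
<description><![CDATA[<p>Read this</p><script>steal(document.cookie)</script><img src=x onerror="steal(1)"><a href="javascript:steal(2)">link</a>]]></description>
</item></channel></rss>`;

// Demo-grade extraction of item descriptions (a real tier would use an XML parser).
function extractDescriptions(xml) {
  const re = /<description>(?:<!\[CDATA\[([\s\S]*?)\]\]>|([\s\S]*?))<\/description>/g;
  const out = [];
  let m;
  while ((m = re.exec(xml)) !== null) out.push(m[1] !== undefined ? m[1] : m[2]);
  return out;
}

const ALLOWED_TAGS = new Set(['p', 'a', 'b', 'i', 'em', 'strong', 'ul', 'ol', 'li', 'br', 'blockquote', 'code', 'pre']);
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) => s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// Only an absolute http(s) href survives on <a>; javascript:, data: and vbscript: do not.
function safeHref(attrs) {
  const m = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i.exec(attrs);
  if (!m) return null;
  const href = (m[1] ?? m[2] ?? m[3]).trim();
  return /^https?:\/\//i.test(href) ? href : null;
}

// Allowlist sanitizer: keep a few structural tags with no attributes, drop
// script/style content entirely, and re-escape stray angle brackets in text.
function sanitizeFeedHtml(html) {
  const tagRe = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '', last = 0, dropUntil = null, m;
  while ((m = tagRe.exec(html)) !== null) {
    const [whole, slash, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    const text = html.slice(last, m.index);
    last = m.index + whole.length;
    if (dropUntil) {                       // inside <script>...</script> etc.: discard everything
      if (slash && name === dropUntil) dropUntil = null;
      continue;
    }
    out += escapeText(text);
    if (DROP_CONTENT_TAGS.has(name)) { if (!slash) dropUntil = name; continue; }
    if (!ALLOWED_TAGS.has(name)) continue; // unknown tag: drop the tag, keep its text
    if (slash) { out += `</${name}>`; continue; }
    if (name === 'a') {
      const href = safeHref(attrs);
      out += href ? `<a href="${escapeAttr(href)}" rel="noopener noreferrer">` : '<a>';
    } else {
      out += `<${name}>`;                  // every attribute (onerror, style, ...) is dropped
    }
  }
  if (!dropUntil) out += escapeText(html.slice(last));
  return out;
}

// --- 2. JavaScript hijacking of JSON endpoints -----------------------------
// A JSON array is also a valid JavaScript program, so an attacker's page can
// load an authenticated intranet JSON endpoint with <script src=...> and the
// victim's browser executes it with the victim's cookies. Older browsers let
// the attacker read the values (e.g. by redefining Array); the defences that
// outlived them are to make the body unparseable as script and to serve the
// data only to requests a <script> include cannot make.
function isValidScript(body) {
  try { new Function(body); return true; } catch (e) { return false; } // parse check only, never executed
}

const ANTI_HIJACK_PREFIX = ")]}',\n";   // a syntax error as JS; our own client strips it

function guardJson(value) { return ANTI_HIJACK_PREFIX + JSON.stringify(value); }

function parseGuardedJson(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error('response lacks anti-hijacking prefix');
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}

// Middle-tier handler as a plain function; `req` is a constructed request shape.
function contactsHandler(req, contacts) {
  if (req.method !== 'GET') return { status: 405, body: '' };
  if (!req.session) return { status: 401, body: '' };       // enterprise SSO session, not a gadget-local login
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' }; // <script src> cannot set headers
  return { status: 200, body: guardJson(contacts) };
}

if (typeof require !== 'undefined' && require.main === module) {
  const [desc] = extractDescriptions(constructedFeedXml);
  console.log(sanitizeFeedHtml(desc));
  const res = contactsHandler({ method: 'GET', session: { user: 'demo' }, headers: { 'x-requested-with': 'XMLHttpRequest' } }, [{ name: 'demo contact' }]);
  console.log(isValidScript(res.body), parseGuardedJson(res.body));
}
```

The allowlist sanitizer encodes the rules that matter when rendering feed content: drop every attribute except a vetted absolute http(s) href, discard script and style content entirely rather than just their tags, and re-escape any angle bracket left in text; for production feed rendering a maintained HTML sanitizer should replace it. On the hijacking side, the `)]}',` prefix only helps if your own client strips it before `JSON.parse`, which is why `parseGuardedJson` refuses a body without it, and the custom request header is the barrier a cross-site `<script src>` include cannot cross.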

The benefits of using Web 2.0 tools in the enterprise are many, ranging from increased productivity to improved employee retention. As with all new technologies, new capabilities bring new risks. While mitigating these risks is challenging, preventing the use of such tools altogether is, in the long term, a far riskier strategy.

Yuval

Apr 3

A Day in the Life of a Web 2.0 Worker

Yonni Harif

6:00AM – Bzzzzz. My cell phone alarm clock throws me off the bed, subtly reminding me that I need to get myself in gear. I tune in online to the 101FM website for local news, and learn that today is going to be a nice, bright, sunny day. Yay, that means I can snap on my iPod and pedal to the office on my 10-speed.

6:35AM – Just got out of the shower, and couldn't resist going through my Facebook profile. Apparently a friend from the London office just changed his status to "Engaged". I send him a quick Congrats… and throw a sheep at him. He is online, not happy about the sheep, and reminds me that today our group needs to send him the Momo Project presentation. I log into my company's enterprise social network, WorkBook, and send him the latest draft just to calm him down.

7:30AM – After a nice ride through downtown, I lock up my bike near the sandwich place. Got to get some coffee. As I wait for the morning's caffeine intake, I twitter a quick "anyone for coffee?" using my cell to see if anyone following me at the office is also craving some Java. Surprisingly enough, two people from the Java team respond with a resounding yes. I should have seen that one coming.

9:45AM – Just got out of the weekly meeting. There's some good stuff happening and more to come in the pipeline. I get on my laptop, and see on SharePoint that someone from the New Delhi office has formed a new group on the secure WorkBook social network focused on Marketing Initiatives. That's interesting; I don't know him personally, but apparently he is looking into similar things. I join up and we brainstorm some new ideas on the upcoming product release. I need to show my boss some of this stuff.

10:30AM – My boss is excited by the del.icio.us bookmarks I shared with her, following my discussion with the New Delhi contact (aka @asiamarketman on Twitter; from now on I follow him). She's going to bring it up in the next management meeting. Cool.

12:10PM – I go down to the sandwich place for a quick bite. Nothing fancy, but worth a Facebook status update – “..is eating. This time no MSG.”

2:07PM – I log into LinkedIn and see that one of our competitors has posted a Q&A about SEO. I need to read up on it, so I open up my RSS reader and skim the techy blogs. ReadWriteWeb has some nice info that I share with some people at R&D, and quickly set up a specialized RSS feed on the topic. Immediately three people from R&D ask to get access to the feed, so I give them permission.

4:26PM – Just got off the phone with some potential partners. There is good chemistry there and I like their attitude. There is something to be said about setting up strategic partnerships at this stage of our company’s growth, and I plan to post a quick entry about it on my blog later tonight.

6:15PM – Kept busy writing up the new proposals on the wiki and finally posted them to our network. Sweet, I see that my buddy at the L.A. office just downloaded it through the secure Facebook overlay.

7:23PM – Before packing up, I remember I need to get approval for my business trip expenses, so I post a request on my iGoogle gadget. I see that my manager has already approved my upcoming vacation request. That was fast. I go downstairs, get on my bike and head home. Another good day at the office.

10:25PM – Changed Facebook status to “…Zzzzzzz :-)”