Secure Enterprise 2.0 Blog

Making Sense of the Consumerized Workplace

Apr 19

Block, Lock and Web 2.0 Smoking Barrels

Yuval Tarsi

With usage of public Web 2.0 services such as personalized homepages and social networks growing daily, these services become an increasingly significant tool in the information worker’s toolbox. They are used to network, collaborate, research and stay up-to-date on the latest news and trends.

At the same time, concern arises for the potential security risks involved. In many organizations, the knee-jerk reaction of the information security organization is “block out and lock down” – block the services at the web access layer and make sure all workstations are locked down.

Even if such locks and blocks could be implemented effectively, which is questionable, CISOs should reexamine whether such a strategy is best in the long term. Keeping the latest Web technologies out of the workplace can have a detrimental effect on productivity, as well as on employee morale and retention. Ultimately, organizations that decide to lock out the Web today may find themselves left behind.

All that said, the security challenges are real, and the intuitive reaction of many organizations is not unjustified. New technologies provide new capabilities but also present new risks, such as an employee publishing proprietary information on a public blog or using a public bookmarking site as a research tool. Other security breaches may be more elaborate and malicious in nature, such as phishing attempts or newfangled attacks against the latest Web technologies in use within the organization (e.g. JavaScript hijacking and script injection in RSS feeds).

For information security professionals, a balance needs to be struck between providing employees with the tools they need to be productive and maintaining sufficient control to keep security incidents at an acceptable level.

First and foremost, it is critical to define and implement clear use policies for Web 2.0 tools both inside and outside the organization.

In addition to defining policies, there are technical measures that can be taken to reduce the risk of using Web 2.0 technologies in the enterprise:

  • Place a middle tier between information back-end systems and Web 2.0 front-ends – Web 2.0 front-ends such as RSS and AJAX gadgets tend to generate many small requests. It is therefore advisable to include a middle tier that is optimized for Web 2.0 front-ends and capable of communicating efficiently with the back-ends.
  • Leverage existing security mechanisms – even when accessing data from Web 2.0 front-ends, there is no reason not to leverage existing enterprise single sign-on or centralized access management.
  • Provisioning is critical – maintain full control of application and data provisioning, regardless of how data is consumed or where applications run.
  • Address ‘Attacks 2.0’ from the get-go – train developers on the risks specific to Web 2.0 technologies (such as the JavaScript hijacking and feed script injection mentioned above) and the accepted best practices for handling them.
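As an added example (not code from the original post), the following Python sketch shows what the "middle tier" bullet and the "Attacks 2.0" bullet look like together for the two attacks named earlier: a small layer between an RSS source and an AJAX gadget that strips active content from feed entries with a tag/attribute whitelist (so script injected into a feed never reaches the gadget's DOM), and serves the result as JSON with a leading `)]}',` prefix that makes the response a syntax error when a third-party page includes it as a `<script src>`, which is one common defence against JavaScript hijacking. The function names, the whitelist and the sample feed item are constructed for this example, and it assumes the gadget fetches the feed with a same-origin XMLHttpRequest and strips the prefix before parsing.

```python
"""Constructed middle-tier example: sanitize RSS entry HTML and serve it as
JSON that a cross-site <script> include cannot read."""
import html
import json
from html.parser import HTMLParser

# Whitelist: anything not listed is dropped, so no on* event handlers, style
# attributes, or script/iframe/object tags survive.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://")
VOID_TAGS = {"br"}
# Included as a script, this prefix is a syntax error; only code that fetches
# the body via XHR and strips the prefix first can read the JSON.
ANTI_HIJACK_PREFIX = ")]}',\n"


class FeedSanitizer(HTMLParser):
    """Re-serializes an HTML fragment keeping only whitelisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack, so mis-nested input is closed properly
        self.skip_depth = 0   # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tags vanish; their text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").lower().startswith(SAFE_URL_SCHEMES):
                continue  # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        while self.open_tags:             # close inner tags left open
            top = self.open_tags.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:           # text inside <script> is discarded
            self.out.append(html.escape(data, quote=False))

    def result(self):
        while self.open_tags:             # close anything still open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_entry(raw_html):
    """Return the feed entry body with only whitelisted markup left."""
    parser = FeedSanitizer()
    parser.feed(raw_html)
    parser.close()
    return parser.result()


def render_feed_json(entries):
    """Middle-tier response: sanitized entries as prefixed JSON."""
    body = json.dumps({"items": [sanitize_entry(e) for e in entries]})
    return ANTI_HIJACK_PREFIX + body


def parse_feed_json(text):
    """Gadget side: strip the prefix, rejecting responses that lack it."""
    if not text.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("response is missing the anti-hijacking prefix")
    return json.loads(text[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    # Constructed feed item carrying the kinds of injected content a feed
    # aggregator has to expect.
    SAMPLE = ('<p onclick="alert(1)">Hello <b>world</b>'
              '<script>alert(document.cookie)</script>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://example.com">ok</a></p>')
    print(sanitize_entry(SAMPLE))
    print(render_feed_json([SAMPLE]))
```

The whitelist approach is deliberate: a blacklist of known-bad tags or attributes has to be updated every time a new browser feature appears, whereas a whitelist only ever lets through markup the gadget actually needs. The prefix trick is independent of the sanitizer and only protects data that is fetched with credentials; it does not replace access control on the middle tier itself.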

The benefits of using Web 2.0 tools in the enterprise are many, ranging from increased productivity to improved employee retention. As with all new technologies, new capabilities bring new risks. While mitigating these risks is challenging, preventing the use of such tools altogether is, in the long term, a far riskier strategy.

Yuval
