Web 2.0 Brings Increased Array of Threats

By Renee Oricchio

At least 5,000 Microsoft Corp. employees have their own company web blogs. Not only are they allowed and blessed by upper management, they’re even hosted on Microsoft’s own servers.

Compare this to Apple, Inc., which has such tight restrictions on its employees that they’re not allowed to talk to anyone outside the company about their work via blog or any other method. Apple has even gone so far as to sue some unofficial company blogs in attempts to pressure them to reveal inside sources.

What this shows is that even technology companies don’t know what to do about regulating Web 2.0 technologies like blogs. What makes Web 2.0 security so complicated is that it covers such a broad range of applications.

“RSS can be implemented in as little as 12 lines of code, and 12 lines of code aren’t going to change the world. Web 2.0 is not any one thing; it’s more like 12 things,” says Ray Valdes, a research director at Gartner. Valdes divides security concerns into two categories: how to manage the technology and how to manage the people who use the technology.

Managing the technology
“Web 2.0 applications can be more vulnerable to security attacks,” adds Chenxi Wang, a principal analyst at Forrester Research. “It’s harder to know whether the content is trustworthy. Today the client has a much bigger role to play, with the user contributing to the content. It presents a risk both inbound and outbound.”

Wang recommends that CIOs take these additional steps to safeguard their networks from Web 2.0 security challenges.

• Filtering engines  In the past, companies have just used URL filtering for things like porn sites and sports sites. “Now they need to analyze content in real-time as it enters and leaves the system,” says Wang.
• Outsource the job  Wang points out that this kind of real-time analysis is very expensive and time-consuming. Most companies would be better off to hand it over to a specialized vendor with greater expertise, along with the economy of scale to do it more cheaply.
• Schedule automated scans frequently  Because these applications are so much more dynamic, it’s important to scan and test them on a regular basis. For example, Wang recommends that a simple wiki used to share harmless information should still be checked at least once per quarter. Applications that host sensitive information should be scanned once a month, if not weekly.
• Conduct human-based audits routinely  This is best done by an objective third-party team, as well. It should be done at least once a year, if not every six months, to check for vulnerabilities, track problems over time and monitor the value of the application to the business.

Managing the people who use the technology
A Forrester Research survey of enterprise-level IT and security managers taken in September 2007 found that data leakage is considered the number one worry, ahead of viruses and Trojans. Data leaks aren’t likely to happen from a hole in the code, but more likely loose lips from insiders.

Both Wang and Valdes agree the first and most important step to secure Web 2.0 use begins with a clear employee policy, which will vary depending on the nature of the company and sensitivity of its information.

As highlighted by the differences between Microsoft and Apple, every organization has its own comfort zone in how much control it exerts over its employees. Typical policies range from no Web 2.0 use at all to using only applications implemented by the IT department, or no use of third party Web 2.0 applications to limited use of third-party Web 2.0 applications from a list of approved vendors.

“At the social level, we now have wikis and blogs,” says Valdes. “At any time, an employee can publish company secrets. It’s analogous to getting a phone system and worrying that an employee might call someone and reveal trade secrets. Your best security is an employee code of conduct and corporate culture that honors those policies, regardless.”

In other words, whatever a CIO does, the effort to secure Web 2.0 technologies is only as strong as the trust between employer and employee.

Renee Oricchio is a freelance writer in Norwalk, Conn. For the past 20 years, she has been writing and producing news segments about technology and business for CNN, MSNBC, Ziff-Davis, CNET and a variety of Silicon Valley-based local news outlets.