Web 2.0 Risky For Business

Business users implementing Web 2.0 technologies are exposing themselves to significant security risks and giving up a great deal of control, according to Gartner Group Fellow Joseph Feiman. The new generation of tools can be beneficial but need to be managed carefully in the enterprise environment.

The term Web 2.0 refers to a perceived second generation of web-based communities and hosted services, such as social-networking sites and wikis, which facilitate collaboration and sharing between users.

The GoogleApps suite of hosted applications, including webmail, scheduling, instant messaging and VoIP, is one Web 2.0 offering that is growing in popularity globally.

Speaking at the Gartner IT Security Summit in Sydney today, Feiman said many of the concepts relating to the online services and communities of Web 2.0 run counter to traditional IT security practices.

“It is forcing enterprises to rethink their security strategies,” Feiman said. While driving unprecedented collaboration throughout the business world, Web 2.0 technologies bring risks that can only be managed if businesses build a solid security foundation early on.


“Using and participating in these online services and communities forces enterprises to relinquish a level of control that they historically would not tolerate,” Feiman said.

The risks relate to inbound threats, such as malicious code in RSS feeds, and to outbound liabilities, such as information leakage through inappropriate blogging or use of collaboration tools.

The external challenge comes from threats that arise when the enterprise itself uses and participates in Web 2.0 technologies, such as consuming third-party content (mashups) or engaging in open user communities like MySpace or Facebook.

As one example, he pointed to newspapers’ experience of user generated content posted via feedback forums and blogs, with some readers posting inflammatory or offensive comments online.

“It’s not yet clear what the rules are governing this kind of content or how it will affect the publisher’s reputation,” Feiman said.


He also posed employee blogging as a potential threat, in that it can “reveal corporate secrets, arm disgruntled employees and have undesirable consequences”.

The open nature of Web 2.0 also presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content. On the outbound side, information leakage can occur in a range of ways, such as blogging, instant messaging, collaboration tools and even online calendars.

Similarly, any content served by a Web 2.0 application can be re-formed, reused and redistributed by third parties, making it practically impossible to control content. This can include press releases, price lists, video and audio, all of which can be rapidly propagated across the Internet.

“There is no technology that can effectively protect content that is publicly accessible,” said Feiman.

He urged enterprises to determine what content they are willing to have in the public domain, keep the rest private, and use licensing agreements as often as possible to help control distribution and use.

Feiman identified the two most important practices for limiting risk when building Web 2.0-style applications: adopting a secure development life cycle, and validating all input, whether it comes from internal users or from business partners.

Gartner made the following recommendations for enterprises adopting Web 2.0 technologies:

  • Secure coding is your best defence
  • Use web vulnerability scanners
  • Validate all input on the server-side
  • Assume any public content will be reused in unexpected ways
  • Protect internal users and corporate assets with technology tools and education
  • Consider using application firewalls, content monitoring and filtering and data loss protection (CMF/DLP) and database activity monitoring.
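The following Python is an added example, not code from the article or from Gartner, showing two of the practices above in working form: content pulled from a third-party feed or posted to a feedback forum is treated as untrusted and rebuilt against an allowlist of tags and attributes before it is rendered to other readers (the inbound "malicious code in RSS feeds" case), and a comment form is validated on the server rather than in the browser. The tag allowlist, field names, length limits and sample inputs are illustrative assumptions chosen for this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative allowlist (an assumption for this example): the only markup
# allowed to survive in rendered feed or comment content. Everything else
# becomes escaped text or is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "br"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}
DROPPED_WITH_CONTENT = {"script", "style"}  # tag *and* inner text removed


def is_safe_url(url):
    """Accept only absolute http(s) URLs; rejects javascript:, data:, //host etc."""
    parsed = urlparse(url.strip())
    return parsed.scheme.lower() in SAFE_URL_SCHEMES and bool(parsed.netloc)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds untrusted HTML keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowlisted tags opened but not yet closed
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its inner text is still emitted
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # on* handlers, style, etc. never survive
            if name == "href" and not is_safe_url(value):
                continue  # javascript:/data: links are discarded
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROPPED_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if tag in self.open_tags:
            # Close any tags left open inside this one so output stays balanced.
            while self.open_tags:
                top = self.open_tags.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including IE conditional comments) are dropped

    def result(self):
        self.close()
        for top in reversed(self.open_tags):
            self.out.append(f"</{top}>")  # close anything the input left open
        self.open_tags.clear()
        return "".join(self.out)


def sanitize_html(untrusted):
    """Sanitize a feed item or comment body before rendering it to other users."""
    p = AllowlistSanitizer()
    p.feed(untrusted)
    return p.result()


# Illustrative server-side rules for a newspaper-style feedback form (assumed).
COMMENT_MAX_LEN = 2000
AUTHOR_RE = re.compile(r"[A-Za-z0-9 .'\-]{1,64}")


def validate_comment(form):
    """Validate a form POST (dict of str) on the server. Returns (errors, cleaned)."""
    errors = []
    author = (form.get("author") or "").strip()
    body = form.get("body") or ""
    website = (form.get("website") or "").strip()
    if not AUTHOR_RE.fullmatch(author):
        errors.append("author: 1-64 letters, digits, spaces or .'- only")
    if not 1 <= len(body) <= COMMENT_MAX_LEN:
        errors.append(f"body: must be 1-{COMMENT_MAX_LEN} characters")
    if website and not is_safe_url(website):
        errors.append("website: only http(s) URLs are accepted")
    cleaned = {"author": author, "body": sanitize_html(body), "website": website}
    return errors, cleaned


if __name__ == "__main__":
    # Constructed sample inputs: a feed item carrying script, and a form post.
    print(sanitize_html('<p>Hi <script>alert(1)</script><b>there</b></p>'))
    print(validate_comment({"author": "Jane Doe", "body": "<b>Hello",
                            "website": "javascript:alert(1)"}))
```

The rule the example enforces is the one in the recommendations: nothing the browser or a feed publisher sends is trusted, validation happens where the attacker cannot bypass it, and output is rebuilt from an allowlist rather than by trying to blacklist known-bad patterns.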