Securing Web 2.0: Writing’s on the wall

Love or loathe it, businesses can’t ignore the Web 2.0 phenomenon. As LinkedIn, Facebook, Twitter, wikis, blog sites, Flickr, music sharing and other collaborative applications have eased their way into people’s working lives, companies are having to work through the security implications.

These applications change the way people interact, blurring the line between what’s business and what’s personal. They allow people to put more data on the public internet, where it’s easily accessible. Which means that leakage of sensitive business data is potentially a huge issue.

We’ve all seen the headlines from the losses of unprotected CDs and memory sticks over the past 18 months or so. And embarrassing data breaches via Web 2.0 apps are already happening – witness the recent posting on a public blog of a controversial British political party’s member list.

So, to borrow a phrase from Facebook, the writing’s on the wall. Companies need to act, to stop sensitive information leaking out via Web 2.0. But what exactly are the security risks? And what steps can be taken to mitigate them?

Avoid infections and injections
In Feb 2009, the Secure Enterprise 2.0 Forum, comprising top executives at Global Fortune 500 companies, reported on the top Web 2.0 security threats for business. Three of the biggest threats involved malicious software, specifically developed to extract data from users, or infect their PCs.

That’s no surprise, really – the writers of computer viruses, worms and other nasty code no longer want attention or headlines. They want money, and stealing private data is one way of getting it. Naturally, as user numbers of Web 2.0 applications grow, they are increasingly exploiting those apps to try and steal the data they need.

So it’s essential that every PC in your business – whether desktop or laptop – is protected by anti-virus and anti-spyware software that is regularly updated. This will protect against the latest emerging threats.

You should also consider browser virtualisation, such as ZoneAlarm’s ForceField. This puts a protective bubble around each user’s web browser, so when they access Web 2.0 sites and applications, any malicious software cannot penetrate the browser to get at the PC. What’s more, it also stops key-logging and data-mining software sending data out from PCs, giving a valuable extra layer of defence.

Stop leaks and losses
The other main risk factor with Web 2.0 apps is people. The majority of data leaks in the UK in the last 18 months were not caused by criminals, but by ordinary people who were just trying to do their job a little quicker, or a little easier. People who thought it would be OK, just this once.

Because Web 2.0 apps offer unprecedented opportunities to share data in ways that bypass IT departments’ control (think of Facebook’s or LinkedIn’s own mail services), businesses need to look at exactly which applications are in use, with or without their knowledge.

The starting point for protection is to include use of these applications in the business Acceptable Usage Policy. Specify to your staff which apps are allowed and which are not. Educate users on the importance of following policy, and the business risks if they don’t. State what data can and can’t be used on Web 2.0 apps. But policies alone aren’t enough, so they must be backed up and enforced by solutions, such as data encryption.

Encryption protects sensitive information on servers, PCs, laptops and removable storage against loss or leakage, by ensuring only authorised users can access it. The encryption should be automated, so users don’t have to decide what does or doesn’t need protection. The right solution will also deliver an audit trail covering when data has been decrypted and accessed, and by whom – so any losses can be quickly followed up.

In conclusion, IT security always comes back to two basic issues: controlling information, and controlling what people do with it. With a little planning, your organisation can securely embrace Web 2.0 applications.
