The biggest challenge to IT security is marketing
Most companies today are using social media and online marketing channels to tell their customers and prospects about what they do. From company Twitter accounts and LinkedIn profiles through to the website CMS or marketing automation platform, all these tools have two things in common: one, they are essential to running marketing; two, they are all outside the control of the IT department.
How does this have an impact on IT and security? First, customer data is being collected within these applications, and that data is incredibly valuable to the organization. Keeping it secure is just as important as traditional information security management. Most of the applications used by marketing today are delivered as a service, available for free or with a credit card, and IT professionals have to treat this as part of a growing trend rather than a one-off exception.
Second, there is the potential impact on an organization’s reputation. During 2013, we have seen hacking attacks on Twitter accounts, Facebook pages and other marketing tools that are available over the Internet. For example, publications like the Financial Times, the Associated Press and The Guardian have all seen their Twitter accounts hijacked and used by dissident organizations like Anonymous and the Syrian Electronic Army. The URL shortener tool used by Barack Obama’s advocacy group was itself attacked, leading to links being redirected to unsafe sites rather than the intended pages.
Control over Twitter accounts and Facebook pages should be under greater scrutiny. While there have been many high profile hacking attacks over the past year, there have also been multiple instances of corporate profiles being used by disgruntled former employees. These events have led to serious reputation damage and loss of revenues.
For marketing professionals, guarding against adverse brand impact is essential alongside supporting customer acquisition and sales. Yet their own use of social media channels or applications that contain customer data in unsafe and insecure ways can lead to the very problem that marketers are looking to protect against.
The reason for this is that marketing folk are not as aware as they should be of the rules and best practices that exist around managing applications, particularly on the password and identity management sides. IT has great experience in these areas around on-premise and traditional applications, but while the strategies might be the same, the tactics are not.
There are a couple of options for IT security professionals in this situation. The first is to provide some guidance on the situation around password management policy and best practices to the marketing team. This would involve briefing the marketing team on the rules for password management. However, there is no way for IT to enforce these rules or make sure that suggestions are followed.
The other option is to get involved in the management of these applications directly. While IT does not directly control the applications themselves, as they are cloud-based or delivered as SaaS, it can control how they are accessed. This is achieved by linking the user identities on the company network through to those cloud applications.
Standards like SAML (Security Assertion Markup Language) exist to make this process easier. Based on XML, SAML provides an easy way to control authentication into application sessions that are running in a browser environment. Checking the marketing team’s current applications for SAML support is a good first step for IT to take in regaining control.
Common marketing apps like Salesforce, SugarCRM, Dropbox, Marketo, WordPress, HootSuite, KnowledgeTree, UserVoice and Lithium already support SAML as standard. Putting formal rules in place around user log-in to accounts on those sites is fairly easy. Others like Twitter, Facebook and LinkedIn use forms of OAuth for controlling sign-on to applications. Access to these services can be automatically linked to the user’s identity within Active Directory; all access can then be put through a secure channel based on single sign-on (SSO).
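The SAML link described above works because the SaaS application (the service provider) accepts a signed assertion from the company's identity provider in place of a locally held password. The following is an added example, not code from the article, of the checks the service provider side must make on that assertion before trusting it; it assumes the XML signature has already been verified by a SAML library, and the entity IDs and sample assertion are constructed values.

```python
# Added example, not code from the original article: the checks a service provider
# must make on a SAML 2.0 assertion before trusting it. It assumes the XML signature
# has ALREADY been verified by a SAML library; that step is not reimplemented here.
import xml.etree.ElementTree as ET  # use defusedxml in production (entity expansion)
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
IDP_ENTITY_ID = "https://idp.example.com/adfs"   # constructed value
SP_ENTITY_ID = "https://crm.example.net/saml"     # constructed value

# Constructed, unsigned sample assertion for illustration only.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2013-06-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2013-06-01T12:00:00Z" NotOnOrAfter="2013-06-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://crm.example.net/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def parse_saml_time(value):
    # SAML timestamps are xs:dateTime in UTC, e.g. 2013-06-01T12:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, expected_issuer, expected_audience, now, skew=timedelta(seconds=60)):
    """Return (True, subject) if the assertion may be accepted, else (False, reason)."""
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no Assertion element"
    # 1. Only the configured identity provider may vouch for users.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:
        return False, "unexpected issuer %r" % issuer
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        return False, "validity window missing"
    # 2. Enforce the validity window, allowing a small clock skew.
    if now + skew < parse_saml_time(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    if now - skew >= parse_saml_time(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    # 3. The assertion must be addressed to this SP, not to some other application.
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        return False, "assertion not addressed to this SP"
    subject = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    return (True, subject) if subject else (False, "no subject")
```

An assertion that fails any of these checks is rejected even though its signature is valid, which is what stops a token issued for one application from being replayed against another.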
For applications that don’t support the SAML standard, there are several options:
- Start shouting at your vendors for SAML support as part of their development road-map – there are open source SAML toolkits out there, so implementing this should not be difficult for the tool provider. Getting this in place should also help them in the long run, as it aids the provider in other sales situations.
- Explore other options – these include checking for WS-Federation, Kerberos or OAuth support. Building authentication support based on these standards instead could be suitable.
- Help find another tool that is SAML-compliant – there are so many available to marketing professionals that it is often easy to find a replacement. As they are SaaS or cloud apps, there should not be much lock-in to those applications from a technology perspective either.
- For apps that don’t support a standard like SAML, you can use a password vaulting solution that encrypts the passwords and allows IT to manage them from a central location. There’s no reason why a social media manager should ever know the credentials for the company’s Twitter account. A side benefit is that you can give many more employees access to things like Twitter in a very safe way.
While these options might seem like more work, they do give IT a chance to get involved in the decision-making process. Rather than running the continued risk of “shadow IT” implementations building up, getting involved in the process ensures that rules are at least being followed in future.
Once this situation has been looked at, there is then the question of ongoing management. After all, there is no value in solving the problem once only for things to then drift back to being unmanaged again in the future. The point here is whether marketing retains the management of the tools that its users require, or if this shifts back into IT’s domain again.
At this point, IT should be able to automate much of the management side too. By providing guidance on processes and collaboration as well as taking on the management responsibility around security, IT can help marketing be more productive. Use of SSO and identity management tools can help here, particularly as more applications move over to being hosted in the cloud.
Looking further into the future, the shift of applications and services over to the cloud will not stop. Marketing is a strong outlier as the teams here tend to take up new technologies and applications quickly; other functions within the business will also start their journey over to cloud apps too, if they have not done so already. Being able to keep pace with this move and help users across the business to keep secure should be a long-term goal for security professionals.
As a department, marketing wants to use the best tools open to them in order to carry out innovative campaigns and drive business. For IT, looking at standards and cloud identity management tools together can help marketing achieve its goals.