New Platforms, Same Problems for Biz Versus Security
The proliferation of technologies such as social networking sites and cloud computing, coupled with the ongoing economic uncertainty, is only complicating the high wire act that organizations must pull off these days to balance sustainable IT security with sufficient flexibility to support business initiatives, experts contend.
At a panel held at the SOURCE Boston 2009 Conference on Wednesday, leaders from the security and business communities recognized the challenges facing organizations in giving their workers all the tools that they seek to communicate and take advantage of emerging applications such as social networking, while at the same time protecting their IT operations from all the potential attacks lurking on today's computing landscape.
In a conversation aimed at defining the biggest issues facing organizations to that end, properties like Facebook became one of the central elements of the debate as panelists and attendees discussed the merits of allowing users to embrace such applications, versus all of the security risks that they might introduce.
Beyond social networking, emerging IT movements including cloud computing were also scrutinized heavily for the benefits they provide, compared with the potential problems they could eventually foster.
As always, businesses must in the end decide whether or not they are willing to accept the risks related to every IT system and application that they allow their users to access, the experts agreed. However, the reality of trying to account for every use case and control the behavior of every employee to maintain optimal security - while allowing for the adoption of newer technologies - remains a daunting task, especially as users beg for the ability to utilize tools like social networking sites to ramp up their productivity, they said.
"If you allow your employees to advertise their place of employment on Facebook, you're opening yourself up to potential attacks," said Adriel Desautels, a senior partner and co-founder at security consulting specialist Netragard. "An application like Facebook enables potential criminals who want to get into your business to use your employees to do so via social engineering; there will never be a solution to social engineering, but you have to have boundaries."
Forbidding workers from naming their employer on places like Facebook and MySpace is one step companies should take to lower their risk to targeted attacks, but those organizations who seek a maximum level of security should also try to keep as many productivity applications as possible under their own control, using internal messaging systems versus commercial tools, the consultant said.
While affirming the interesting new challenges posed by such popular applications, one of the biggest problems in containing security risk these days is a much more traditional quandary, that being, trying to prevent unwanted access to your systems in the midst of layoffs and the sporadic economy, business leader countered.
Social engineering by attackers over Facebook is new territory that demands to be addressed, but keeping departed employees from trying to break back into IT systems to wreak havoc or steal data is an even bigger concern at present, said Art Papas, CEO of corporate recruiting and staffing applications provider Bullhorn.
Helping its customers keep their information locked down even as they cut loose their own staff poses a huge area of risk, Papas said.
"We've got 15,000 users, and the staffing industry has really been affected by layoffs; so you have all these employees moving around from firm to firm, and many of them would love to have access to their old employer's data, to their old account data," he said. "We have to look at securing our applications in the same way that [a bank] looks at securing access to its money, except in many cases with our customers the data is worth more than money in terms of its value to them."
As for cloud-based computing, or the sharing of computing resources hosted over a distributed infrastructure - often supported by a third-party application or services provider - many large enterprises have not rushed to embrace the architecture based on security concerns, as other studies have noted, said Walter Kuketz, CTO at business management consultancy Collaborative Consulting.
Big businesses remain dead set on retaining control of their IT operations, even though cloud computing offers the potential to save significant amounts of money by offloading overhead costs onto services providers, he said.
"We're not seeing much use of data in the cloud. Big companies are more or less keeping their data internal. Their primary concerns come down to issues of data classification and security," he said. "They want their sensitive data locked down, and cloud hasn't been proven; it's still about early adopters. There's also the concern about these being new providers. When early cloud providers go out of business, customers are wondering, what will happen to their data?"
Moving forward, businesses will likely continue to straddle a fine line in trying to allow for the adoption of new technologies while doing the best job they can at maintaining sufficient security controls, the panelists said. One of the keys to succeeding in these efforts will be ensuring that end users themselves are consistently reminded of and somehow forced to comply with comprehensive security guidelines, the experts suggested.
"People always follow the path of least resistance. You can have lots of policies, but if an employee wants to do something, they're probably still going to do it unless you can push them not to," said Gene Meltser, senior consultant at IT risk management and security services provider Neohapsis. "If you really want to be protected, you have to have policies and some real method of enforcing them, because having policies alone isn't going to help."
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWEEK and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.