How to Approach Access Control in the Social Networking Age

"Here comes trouble," say Knowledge Center contributors John Yun and Jay Kelley. Trouble in this case means social networking. Like instant messaging and e-mail before it, social networking can worry companies that haven't learned to adapt - and cause real trouble for companies that haven't learned how to manage it.

Enterprises are beginning to adopt social networking applications. They're doing it for the same reasons millions of consumers do: because they offer a fast, easy-to-use way to keep in touch, organize activities and share ideas.

However, businesses and IT executives are wary, and for good reason. Whether IT likes it or not, employees are signing up for these tools regardless of company policy. Younger employees joining the work force have grown up with social networking technologies, and businesses are being forced to play catch-up.

Because of this, there are three major concerns that are keeping IT up at night. First, consumer applications can cut into employee productivity for hours at a time. Second, social networking sites can become vectors for viruses, hacker attacks and phishing. Finally, social networking image, audio and video traffic steals bandwidth from business uses.

Keeping it under control

So, how are IT administrators supposed to control this problem? There aren't many model companies to follow in terms of company-wide social networking deployments. A few brave companies have opened the door to social networking on corporate networks. Thousands of employees at companies as diverse as Shell Oil, Procter & Gamble and General Electric maintain social networking accounts. An exclusive Citigroup Facebook network has almost 2,000 members.

Alternatively, there are organizations actively working against social networking. In May 2007, the U.S. Army blocked URLs for MySpace and 12 other "entertainment" sites from their U.S. and overseas networks, citing bandwidth and security concerns. The government of Ontario, Canada, has blocked Facebook and YouTube URLs. And many corporations have followed suit or plan to.

This really doesn't make sense, though, when you look at the usage statistics. P2P (Peer-to-peer) networks have millions of users sharing photos, software, music and video. Social networking reaches even further: MySpace claims more than 61 million active users; Facebook more than 65 million. The Pew Research Center estimates that half of online adults have used these services to connect with people they know.

But just like IM (Instant Messaging), Web-based e-mail and text messaging before it, social networking applications often find a way in. It may start as a shortcut for employees to set up videoconferences or coordinate functional teams across multiple time zones. Or a new CEO or vice president of sales may push a favorite technology. And sometimes, employee workarounds become so disruptive that it's simply easier to allow limited use - if only to be able to monitor and manage it.

A Policy Framework

The decision to block or allow consumer applications is seldom black and white. Policies vary according to application, security requirements and network infrastructure. There are steps that organizations can take to let social networking into the network securely. To help you determine what's best for your business, the following is a breakdown of three options:

1. Application-based policies

Blocking applications is one way to address this issue. However, proxy servers can quickly defeat clumsy URL-blocking attempts. Modern consumer applications - designed to work on many different network infrastructures - seldom use stable, well-defined port numbers. This makes them hard to detect and regulate. And, in many cases, policies may need to be ready for next-generation applications that may use even more sophisticated connection protocols.

Blocking applications is only half the story. Policies should also enable applications that offer business value - without compromising QoS (quality of service), either of the applications themselves or the networks they use.

2. Corporate policies

Although few organizations will apply policies without exception across their entire network, most start by establishing general guidelines. Blanket policies that block or regulate all peer-to-peer traffic can then be adapted to support authorized exceptions, while continuing to regulate or block the rest.

Certain functions raise special security concerns. P2P and IM file attachments, for example, can spread viruses just as e-mail attachments do. If network security infrastructure cannot inspect attachments for viruses, attachment capabilities may need to be disabled altogether.

3. User policies

Even when policies are consistent across a network or network leg, they may vary from one user category to the next. Users can be categorized many ways. For example, categories of users can be employees, contractors and/or partners. In general, policies for employees may resemble overall network permissions, contractors will likely have access to a subset of those applications, and partners may have access only to specific applications. The challenge is where and how to enforce user-based policies.

A common way to control application access is by user credentials at the resource. For instance, contractors might be granted credentials for the e-mail server but not for the finance database. But this method does not control use of the application itself, and invalid requests can cause unnecessary network traffic. User-based policies require tight integration of security appliances to minimize this traffic and block applications near the user - not at the resource.
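The three policy layers described above (a corporate blanket rule with authorized exceptions, per-category user policies with contractors and partners holding a subset of employee access, and function-level rules such as disabling attachments when they cannot be inspected) can be expressed as a single evaluation order at an enforcement point near the user. The following is an added illustration, not code from the article or its authors; the application catalogue, the category names, the exception list and the `av_inspection_available` flag are constructed assumptions.

```python
"""Three-layer access policy evaluator: corporate blanket rules with authorized
exceptions, per-category user policies, and function-level rules.
Added example; every catalogue entry below is constructed for illustration."""

from dataclasses import dataclass

# Constructed catalogue: application -> traffic class (assumption).
APP_CLASS = {
    "email": "business",
    "finance-db": "business",
    "videoconf": "collaboration",
    "im-client": "im",
    "facebook": "social",
    "bittorrent": "p2p",
}

# Corporate policy (section 2): traffic classes blocked network-wide.
BLOCKED_CLASSES = {"p2p", "social"}

# Authorized exceptions to the blanket policy as (category, application) pairs.
# Constructed example: employees may use the company's social networking account.
EXCEPTIONS = {("employee", "facebook")}

# User policies (section 3): per-category allow-lists, ordered from most to
# least privileged. Anything not listed is denied (default deny).
CATEGORY_ALLOW = {
    "employee": {"email", "finance-db", "videoconf", "im-client", "facebook"},
    "contractor": {"email", "videoconf", "im-client"},
    "partner": {"videoconf"},
}
CATEGORY_ORDER = ["employee", "contractor", "partner"]

# Application classes whose file transfers must be virus-inspected before delivery.
INSPECTED_TRANSFER_CLASSES = {"im", "p2p", "social"}


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def evaluate(category, app, function="session", av_inspection_available=True):
    """Decide whether `category` may use `app` for `function`.

    `function` is "session" for ordinary use or "file_transfer" for attachments.
    Checks run in the order an enforcement point near the user would apply them;
    the first failing layer wins, and unknown inputs are denied.
    """
    app_class = APP_CLASS.get(app)
    if app_class is None:
        return Decision(False, f"unknown application {app!r}: default deny")
    if category not in CATEGORY_ALLOW:
        return Decision(False, f"unknown user category {category!r}: default deny")

    # Layer 1: corporate blanket policy, unless an authorized exception exists.
    if app_class in BLOCKED_CLASSES and (category, app) not in EXCEPTIONS:
        return Decision(False, f"{app_class} traffic blocked by corporate policy")

    # Layer 2: user policy, enforced before the request reaches the resource.
    if app not in CATEGORY_ALLOW[category]:
        return Decision(False, f"{category} has no access to {app}")

    # Layer 3: function-level rule; attachments need inspection or are disabled.
    if (function == "file_transfer"
            and app_class in INSPECTED_TRANSFER_CLASSES
            and not av_inspection_available):
        return Decision(False, f"file transfer via {app} disabled: no virus inspection")

    return Decision(True, f"{category} may use {app} ({function})")


def hierarchy_violations():
    """Return (lower, higher, app) triples where a less privileged category is
    allowed an application that its more privileged neighbour is not; an empty
    list means the allow-lists form the nested subsets the policy intends."""
    violations = []
    for higher, lower in zip(CATEGORY_ORDER, CATEGORY_ORDER[1:]):
        for app in sorted(CATEGORY_ALLOW[lower] - CATEGORY_ALLOW[higher]):
            violations.append((lower, higher, app))
    return violations


if __name__ == "__main__":
    for case in [("contractor", "email"), ("contractor", "finance-db"),
                 ("employee", "facebook"), ("partner", "facebook"),
                 ("employee", "bittorrent")]:
        print(case, evaluate(*case))
    print(evaluate("employee", "im-client", "file_transfer",
                   av_inspection_available=False))
    print("hierarchy violations:", hierarchy_violations())
```

Evaluating the corporate rule before the per-category allow-list means a blanket block on a traffic class cannot be undone by a careless allow-list entry; only an explicit entry in `EXCEPTIONS` can open it. `hierarchy_violations()` is the check a policy author would run after every edit to confirm that contractor and partner access really is a subset of employee access, as the article's user-policy section expects.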