Enterprises are beginning to adopt social networking applications. They’re doing it for the same reasons millions of consumers do: because they offer a fast, easy-to-use way to keep in touch, organize activities and share ideas.
However, businesses and IT executives are wary, and for good reason. Whether they like it or not, employees are signing up for these tools regardless of company policy. Younger employees joining the work force have grown up with social networking technologies, and businesses are being forced to play catch-up.
Because of this, there are three major concerns that are keeping IT up at night. First, consumer applications can cut into employee productivity for hours at a time. Second, social networking sites can become vectors for viruses, hacker attacks and phishing. Finally, social networking image, audio and video traffic steals bandwidth from business uses.
Keeping it under control
So, how are IT administrators supposed to control this problem? There aren’t many model companies to follow in terms of company-wide social networking deployments. A few brave companies have opened the door to social networking on corporate networks. Thousands of employees at companies as diverse as Shell Oil, Procter & Gamble and General Electric maintain social networking accounts. An exclusive Citigroup Facebook network has almost 2,000 members.
Alternatively, there are organizations actively working against social networking. In May 2007, the U.S. Army blocked URLs for MySpace and 12 other “entertainment” sites from their U.S. and overseas networks, citing bandwidth and security concerns. The government of Ontario, Canada, has blocked Facebook and YouTube URLs. And many corporations have followed suit or plan to.
This really doesn’t make sense, though, when you look at the usage statistics. P2P (Peer-to-peer) networks have millions of users sharing photos, software, music and video. Social networking reaches even further: MySpace claims more than 61 million active users; Facebook more than 65 million. The Pew Research Center estimates that half of online adults have used these services to connect with people they know.
But just like IM (Instant Messaging), Web-based e-mail and text messaging before it, social networking applications often find a way in. It may start as a shortcut for employees to set up videoconferences or coordinate functional teams across multiple time zones. Or a new CEO or vice president of sales may push a favorite technology. And sometimes, employee workarounds become so disruptive that it’s just easier to allow limited use – just to be able to monitor and manage it.
A Policy Framework
The decision to block or allow consumer applications is seldom black or white. Policies vary according to application, security requirements and network infrastructure. There are steps that organizations can take to let social networking into the network securely. To help you determine what’s best for your business, the following is a breakdown of three options:
1. Application-based policies
Blocking applications is one way to address this issue. However, proxy servers can quickly defeat clumsy URL-blocking attempts. Modern consumer applications – designed to work on many different network infrastructures – seldom use stable, well-defined port numbers. This makes them hard to detect and regulate. And, in many cases, policies may need to be ready for next-generation applications that may use even more sophisticated connection protocols.
Blocking applications is only half the story. Policies should also enable applications that offer business value – without compromising QoS (quality of service), either of the applications themselves or the networks they use.
2. Corporate policies
Although few organizations will apply policies without exception across their entire network, most start by establishing general guidelines. Blanket policies that block or regulate all peer-to-peer traffic can then be adapted to support authorized exceptions, while continuing to regulate or block the rest.
Certain functions raise special security concerns. P2P and IM file attachments, for example, can spread viruses just as e-mail attachments do. If network security infrastructure cannot inspect attachments for viruses, attachment capabilities may need to be disabled altogether.
3. User policies
Even when policies are consistent across a network or network leg, they may vary from one user category to the next. Users can be categorized many ways. For example, categories of users can be employees, contractors and/or partners. In general, policies for employees may resemble overall network permissions, contractors will likely have access to a subset of those applications, and partners may have access only to specific applications. The challenge is where and how to enforce user-based policies.
A common way to control application access is by user credentials at the resource. For instance, contractors may be granted credentials for the e-mail server but not the finance database. But this method does not control use of the application itself, and invalid requests can cause unnecessary network traffic. User-based policies require tight integration of security appliances to minimize this traffic and block applications near the user – not at the resource.
How to Approach Access Control in the Social Networking Age
Balancing Requirements
Whether your company has identified a business need for social networking applications or simply decided to get ahead of the trend, managing consumer applications on corporate networks is a matter of balancing the following four priorities:
1. Security – to protect networks from external and internal threats, and sensitive information from breach and/or theft.
2. Quality of service – to meet the network bandwidth and latency requirements of business applications first.
3. Visibility – to monitor the type and volume of activity on corporate networks, which is especially useful, and often necessary, to meet regulatory compliance requirements.
4. Control – to align network activity of all kinds to company policy.
No single set of policies can meet these requirements for every business. Network security and performance requirements differ between and within organizations. Policies – especially access policies – must reflect the uniqueness of individual networks, the differing types of users and/or devices requiring network access, the level of network access required, and the information the network protects.
Regulating Application Usage
Whether they apply across the corporation or to an individual user, effective policies require accurate identification of application traffic. Because identifying applications by port numbers is no longer reliable, many organizations now regulate applications using IPS (Intrusion Prevention Systems).
Without compromising their contribution to network security, advanced IPS products support signatures specifically designed to detect applications. These appliances combine protocol decoding with such signatures to identify application traffic quickly and accurately. Policies can then be set to block an individual application, or group of applications, or to follow QoS requirements.
Implementing Corporate-wide Policy
Equipped with tools to accurately identify application traffic, enterprises can implement corporate-wide policies based on applications, individually or in groups. But even these policies rarely cover growing enterprise requirements. When new applications are deployed, for example, application policies must add controls for their individual features and capabilities (based on the business requirements and security risks).
Some IPS appliances can identify not only the type of application traffic, but traffic associated with individual application features – for example, IM text messages vs. IM file attachments. This level of detail gives IT administrators the control they need to deploy and manage applications effectively.
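The following is an added illustration, not code from the article or from any IPS vendor, of the port-independent, feature-level identification described above: it decodes the HTTP request itself, matches the Host header against a constructed signature table, and distinguishes a page view from a file upload before looking up the policy action. The signature table, the policy table and the sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature table (not a vendor's): Host-header suffix -> application group
APP_SIGNATURES = {
    "facebook.com": "social-networking",
    "myspace.com": "social-networking",
    "youtube.com": "video",
}

# Constructed policy: per application group, a separate action per feature
POLICY = {
    "social-networking": {"page": "rate-limit", "upload": "block"},
    "video": {"page": "rate-limit", "upload": "block"},
    "other": {"page": "allow", "upload": "allow"},
}

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT) \S+ HTTP/1\.[01]\r\n")

@dataclass
class Verdict:
    app: str      # application group, or "unknown" if the payload is not HTTP
    feature: str  # "page" or "upload"
    action: str

def parse_headers(payload: bytes) -> dict:
    """Decode HTTP/1.x headers into a lower-cased dict; stops at the blank line."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers

def classify(payload: bytes) -> Verdict:
    """Identify application and feature from the decoded protocol, never from the port."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return Verdict("unknown", "unknown", "inspect")  # hand off to other decoders
    headers = parse_headers(payload)
    host = headers.get("host", "").split(":")[0].lower()
    app = next((group for suffix, group in APP_SIGNATURES.items()
                if host == suffix or host.endswith("." + suffix)), "other")
    # A multipart POST is the upload feature; everything else is ordinary page traffic
    is_upload = (m.group(1) == b"POST" and
                 headers.get("content-type", "").startswith("multipart/form-data"))
    feature = "upload" if is_upload else "page"
    return Verdict(app, feature, POLICY[app][feature])
```

Because only the decoded payload is examined, the same request is classified identically whether it arrives on port 80, 8080 or any other port.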
Usage Based on Users and Applications
Policies that equate users with IP addresses (as firewalls do) are inadequate in modern enterprise environments. Genuine user-based policies need NAC (network access control) solutions to provide accurate user information (i.e., user “Joe Smith” instead of 192.168.1.235). But identifying users is not enough. There must also be a way to apply policies to users as well as applications.
Today, advances in NAC and IPS products have increased their interoperability. Now it’s possible to deploy a solution in which an IPS appliance signals a NAC appliance that a particular application is in use and supplies the relevant data. The NAC solution can then identify the user or device and determine whether access is legitimate. If not, it can set policies on enforcement points – such as firewalls and switches – in real time, either to end the user’s session, quarantine the user or block the user entirely from accessing the network. Working together to isolate network threats down to individual users or devices, NAC and IPS help enterprises to mitigate threats quickly, thus minimizing network and user downtime.
Operation
In everyday use, policies implemented across the network assure that mission-critical applications receive the network bandwidth and latency they require. They also assure that any social networking and other low-priority activities are restricted to authorized users, consuming only the capacity the business decides to allocate to them. At the same time, security policies protect the corporate network against viruses, worms, spyware and other malicious code that might otherwise be downloaded from social networking sites.
The compelling advantages of a coordinated approach come into play when the network is under attack – either from outside or inside. Instead of responding in piecemeal fashion, IPS and NAC solutions work together. If an external Denial of Service attack floods network gateways with junk traffic, a NAC solution working with IPS may restrict employees to applications with high business priority – sacrificing MySpace and Facebook, for example, to save VoIP telephone service. Internally, acting through the firewall, it can limit guest network access, disable wireless network legs and raise authorization thresholds to sensitive information until the problem can be isolated and solved.
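The user-based policies of the earlier section and the NAC/IPS coordination described here, as an added example that is not code from the article or from any NAC or IPS product: an IPS application event is resolved through a constructed NAC identity table to a user and category, then mapped to an enforcement action, including the attack-mode shedding of low-priority applications. The identity table, the per-category application lists and the event fields are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed NAC identity table (IP -> authenticated user, category); the article's
# "Joe Smith" / 192.168.1.235 pairing is reused as the employee entry
NAC_IDENTITY = {
    "192.168.1.235": ("joe.smith", "employee"),
    "192.168.1.77": ("ctr-acme-01", "contractor"),
    "10.9.0.5": ("partner-vpn-03", "partner"),
}

# Applications permitted per user category (employee / contractor / partner model)
ALLOWED_APPS = {
    "employee": {"email", "crm", "voip", "im", "social-networking"},
    "contractor": {"email", "crm", "im"},
    "partner": {"crm"},
}

# Under a DoS the network keeps only high-business-priority applications
HIGH_PRIORITY = {"email", "crm", "voip"}

@dataclass
class IPSEvent:
    src_ip: str
    app: str
    feature: str = "session"   # e.g. "text" or "file-attachment" for IM
    malicious: bool = False    # the IPS also matched a threat signature

@dataclass
class Enforcement:
    action: str   # "allow", "terminate-session", "quarantine" or "block-user"
    user: str
    reason: str

def nac_decision(event: IPSEvent, under_attack: bool = False) -> Enforcement:
    """Map an IPS application event to a user-level enforcement action."""
    identity = NAC_IDENTITY.get(event.src_ip)
    if identity is None:
        return Enforcement("quarantine", "unknown", "no authenticated user for this IP")
    user, category = identity
    if event.malicious:
        return Enforcement("block-user", user, "threat signature matched")
    if event.app not in ALLOWED_APPS[category]:
        return Enforcement("terminate-session", user, f"{event.app} not permitted for {category}")
    if event.app == "im" and event.feature == "file-attachment":
        return Enforcement("terminate-session", user, "IM attachments disabled (cannot be scanned)")
    if under_attack and event.app not in HIGH_PRIORITY:
        return Enforcement("terminate-session", user, "low-priority app shed during attack")
    return Enforcement("allow", user, "permitted by policy")
```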
Bottom Line: Consider a Balanced Approach