By now you might be tired of hearing all the hype around Web 2.0. Everybody from Oprah to Time magazine is talking about the growth of Twitter and Facebook, but there is much more to Web 2.0 than social networking. Businesses using Web 2.0 sites and applications are seeing tangible benefits, from increased revenue to improved collaboration and streamlined processes. However, even among IT professionals, much confusion still exists around what exactly constitutes Web 2.0, whether businesses should enable employee access to Web 2.0 and, if so, how to do it safely.
IT managers are also confused about Web 2.0. A recent global survey of 1,300 IT managers found that only 17 percent were able to correctly identify Web 2.0 sites and tools from a list. Only roughly half realized that wikis, mashups such as iGoogle.com, and video uploading sites such as YouTube.com are all examples of Web 2.0. The term “Web 2.0” can be used to describe any Web site that hosts user-generated content. This can be anything from cloud computing and hosted software provider sites to popular news sites such as CNN.com and mashups such as iGoogle.com.
Because anybody can contribute content, Web 2.0 sites pose an increased risk to visitors. Almost half of the top 100 destinations on the Internet host user-generated content, and 70 percent of the top 100 have hosted either malicious code or masked redirects to infected sites. The global survey mentioned previously also revealed a dangerous security gap when it comes to Web 2.0 at work: 80 percent of IT managers said they feel confident in their organization’s Web security, and 62 percent currently allow access to some Web 2.0 sites, yet only nine percent have the security solutions necessary to protect against all of the threat vectors associated with Web 2.0.
Are there real benefits to Web 2.0 at work?
The excitement around Web 2.0 is not all hype. Web 2.0 allows companies to improve collaboration and information exchange, streamline communication and processes, gather detailed customer and market research, interact with key stakeholders, and drive revenue. There are many examples of organizations that have used Web 2.0 to their advantage in very compelling ways, for various objectives including the following:
1. Market research: The consumer products company Kimberly-Clark Corp. created an online community for users of its Scott brand personal care products. The company analyzes data and customer profile information to identify its most loyal customers, and to market products to specific segments.
2. Collections: Employees in the collections department at Addison Avenue Federal Credit Union in California regularly search social networking sites, as well as picture and video uploading sites, to find evidence (such as photos) of the items they’re trying to collect. These could include a car of which the credit union is the lienholder. The organization also uses a blog to help it communicate with, attract and retain younger members.
3. Revenue generation: Dell says Twitter has produced $2 million in revenue through sale alerts.
4. Government: Agencies are also getting in the game. The Obama administration made government adoption of Web 2.0 a priority, holding an Open Government Brainstorm to discuss how agencies can incorporate more Web 2.0 into their everyday work. The White House uses a blog, Facebook and Twitter accounts, and the Federal Web Managers Council says the federal government should require agencies to allow Web 2.0 access.
Even before arriving in the White House, the Obama campaign used Web 2.0 in the form of an online community called My.BarackObama.com that let users create blogs to rally support during the presidential campaign. It was instrumental in the coordination of nearly 4,000 house parties and raised more than two million individual donations of less than $200 each.
A New Threat Landscape
While many organizations have found ways to put Web 2.0 to good use, the CIOs and Chief Security Officers (CSOs) at those companies are left to worry about malware risks, data loss and other security concerns.
Traditional security solutions such as anti-virus alone cannot protect from dynamic Web 2.0 threats that evade anti-virus detection by using active scripts, obfuscated code, converged Web and e-mail delivery methods, and social engineering tactics. Security in a Web 2.0 world requires real-time analysis and categorization of never-before-seen Web content on the fly.
For example, earlier this year, hackers took advantage of the aforementioned My.BarackObama.com site, using the site’s blogging platform to distribute pornographic content and a malicious Trojan attack. Of even more concern, only 30 percent of leading anti-virus vendors were able to detect the threat.
In addition to the threat of malware, IT professionals also need to prevent employees from uploading intellectual property, trade secrets or other sensitive information to blogs, cloud computing sites such as Google Docs, or other Web 2.0 applications.
For example, my own company recently worked with a large hospital to help it monitor data regulated by the Health Insurance Portability and Accountability Act (HIPAA). The IT department was shocked to discover that nurses doing their rounds typed patient notes into Google Docs from their laptops, rather than taking notes on paper.
At the end of their rounds, the nurses would copy the patient information from Google Docs into the hospital’s secure system. They were simply trying to be more efficient in their work, but keeping patient notes in an external service the hospital did not sanction or control violated HIPAA regulations. With the right security technologies in place, the nurses could have used cloud computing and collaboration tools without violating policy.
How to Safely Take Advantage of Web 2.0
Rather than simply blocking employee access to entire Web sites, businesses need the right security solutions and policies in place to allow flexible access to Web 2.0 sites and applications.
At the same time, they need to be able to block only the malicious or inappropriate content on a particular page, and to stop confidential data from leaking out.
The first step is setting the right policies and educating employees. IT should collaborate with other areas of the business, including the human resources and legal departments, to document appropriate Internet usage policies, particularly with regard to Web 2.0 sites. Companies need to define business use and personal use of the Internet, and how to manage use of social networking sites, where relationships may blur the line between professional and personal.
IT must explain to employees why the policies exist: to protect employees and the company from network security risks and loss of intellectual property, to protect the company’s brand and reputation, and to create a safe work environment, among other reasons. IT managers need to specifically delineate what types of corporate data can and cannot be shared on cloud computing sites, and they should assess cloud computing risks with the same security model they apply to their enterprise software implementations.
Crucial Web 2.0 Solution Features
Once the security policies have been set, IT should look for a single Web gateway control point for Web, data and e-mail security. Look for the following four features in a Web 2.0 security solution:
1. Real-time, in-line content and security scanning, with the ability to examine all Web traffic, including traffic encrypted with Secure Sockets Layer (SSL) or TLS, and to quickly classify never-before-seen Web content. To be effective in a Web 2.0 environment, a solution must be able to block only the specific offending content at any layer within the site, while still allowing access to the overall site.
2. Integrated data security to monitor and enforce data protection policies for sensitive data as it travels through Web traffic or e-mail traffic, or sits on endpoints such as laptops and USB drives. Inspecting data in motion, and permitting only the protocols IT has sanctioned, limits the exposure to data loss through spyware and other unsanctioned channels. For ease of use, make sure that the Web and data security solutions are integrated on one platform, with centralized management and reporting.
3. Flexibility to set granular security policies depending upon employee role. Different functions need access to different types of Web 2.0 sites, and will have different ways of using those sites. Flexible policy controls and the ability to block specific content on a page allows you to let employees use iGoogle, for example, but block any specific widgets on the mashup page that may be malicious or inappropriate.
4. Web 2.0 security updates from a security research team that proactively searches billions of Web sites and e-mails, as well as comments and links posted to blogs and social networking sites in order to discover Web 2.0 threats as they emerge. Proactive research is the only way to identify and prevent threats that evade traditional anti-virus detection.
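To make features 2 and 3 concrete, here is a small outbound-web policy check of the kind a gateway would run after it has decrypted traffic: it applies per-role upload rules and a few data-loss detectors to each request body. This is an added example written for this article, not Websense code; the host names, role names, the `MRN-######` record-number format and the sample requests are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Hypothetical policy tables (assumptions for this example, not a real deployment).
INTERNAL_HOSTS = {"wiki.corp.example"}           # data may stay inside the company here
ROLE_UPLOAD_ALLOWED = {                          # which hosts each role may upload to
    "marketing": {"docs.google.com", "wiki.corp.example"},
    "nursing": {"wiki.corp.example"},            # no patient notes to external docs
}

# Content detectors for data that must not leave in Web traffic.
# The SSN pattern is the usual 3-2-4 form; "MRN-######" is a constructed
# medical-record-number format standing in for whatever the hospital uses.
DETECTORS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
    "confidential_marker": re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE),
}


@dataclass
class Request:
    """One outbound HTTP request as seen by the gateway after TLS inspection."""
    method: str
    host: str
    path: str
    body: str = ""
    user_role: str = "default"


@dataclass
class Verdict:
    action: str                         # "allow" or "block"
    reasons: list = field(default_factory=list)


def find_sensitive(body: str) -> list:
    """Return the names of the detectors that matched the request body."""
    return [name for name, rx in DETECTORS.items() if rx.search(body)]


def evaluate(req: Request) -> Verdict:
    """Apply role policy and data-loss detection to a single request.

    Only uploads (POST/PUT with a body) are inspected; the verdict is a block
    if the role may not upload to that host at all, or if sensitive data is
    headed to a host outside the company. Both reasons are reported so an
    analyst sees every rule that fired, not just the first.
    """
    reasons = []
    if req.method not in ("POST", "PUT") or not req.body:
        return Verdict("allow", reasons)

    allowed_hosts = ROLE_UPLOAD_ALLOWED.get(req.user_role, set())
    if req.host not in allowed_hosts:
        reasons.append(f"role '{req.user_role}' may not upload to {req.host}")

    hits = find_sensitive(req.body)
    if hits and req.host not in INTERNAL_HOSTS:
        reasons.append(f"sensitive data ({', '.join(hits)}) bound for external host {req.host}")

    return Verdict("block" if reasons else "allow", reasons)


# Constructed sample traffic: the nurse scenario from the article plus two
# marketing uploads and an ordinary page view.
SAMPLE_REQUESTS = [
    Request("POST", "docs.google.com", "/upload", "Patient MRN-123456 BP 140/90, notes...", "nursing"),
    Request("POST", "wiki.corp.example", "/edit", "Patient MRN-123456 BP 140/90", "nursing"),
    Request("POST", "docs.google.com", "/upload", "Q3 campaign plan draft", "marketing"),
    Request("POST", "docs.google.com", "/upload", "CONFIDENTIAL product roadmap", "marketing"),
    Request("GET", "www.youtube.com", "/watch", "", "nursing"),
]


def run_samples() -> list:
    """Evaluate the sample traffic and return (host, action) pairs in order."""
    return [(r.host, evaluate(r).action) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        v = evaluate(req)
        print(f"{req.method} {req.host}{req.path} [{req.user_role}] -> {v.action}")
        for reason in v.reasons:
            print(f"    {reason}")
```

The point of the role table is that the same patient note is allowed to the internal wiki and blocked to Google Docs, which is the outcome the hospital in the example needed: the nurses keep a collaboration tool, and the gateway enforces where protected data may go. A production gateway would of course use far richer detectors (fingerprints of actual records, not regexes) and would inspect file uploads and multipart bodies, not just text.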
Jim Haskin is CIO and Senior VP of Marketing at Websense, Inc. Bringing more than 20 years of experience in his dual role, Jim is responsible for IT direction and execution, as well as worldwide marketing. Prior to joining Websense, Jim served as group leader at Acxiom Corporation. Before Acxiom, Jim was VP of global services for Manufacturing and Distribution at Siebel Systems, Inc.
Jim has a Bachelor’s of Science degree in information systems from the University of Maryland and a Master’s degree in business administration from the University of California, Irvine. He can be reached at firstname.lastname@example.org.