A new threat landscape
While many organizations have found ways to put Web 2.0 to good use, the CIOs and Chief Security Officers (CSOs) at those companies are left to worry about malware risks, data loss and other security concerns.
Traditional security solutions such as anti-virus alone cannot protect from dynamic Web 2.0 threats that evade anti-virus detection by using active scripts, obfuscated code, converged Web and e-mail delivery methods, and social engineering tactics. Security in a Web 2.0 world requires real-time analysis and categorization of never-before-seen Web content on the fly.
For example, earlier this year, hackers took advantage of the aforementioned My.BarackObama.com site, using the site's blogging platform to distribute pornographic content and a malicious Trojan attack. Of even more concern, only 30 percent of leading anti-virus vendors were able to detect the threat.
In addition to the threat of malware, IT professionals also need to prevent employees from uploading intellectual property, trade secrets or other sensitive information to blogs, cloud computing sites such as Google Docs, or other Web 2.0 applications.
For example, my own company worked recently with a large hospital to help them monitor data regulated by the Health Insurance Portability and Accountability Act (HIPAA). The IT department was shocked to discover that nurses doing their rounds typed patient notes into Google Docs from their laptops (rather than taking notes on paper), and then would transcribe them into the hospital's secure system.
At the end of their rounds, the nurses would copy the patient information from Google Docs into the hospital system. They were simply trying to be more efficient in their work, but the practice violated HIPAA regulations. If the hospital had the right security technologies in place, the nurses could securely use cloud computing and collaboration tools without violating policy.