Enterprise 2.0 applications have become the poster children of a flat world. They provide rapid and agile collaboration, sharing and information integration capabilities never seen before in enterprises. But, unlike enterprise applications, Enterprise 2.0 applications weren’t born in the enterprise world. Most started out as consumer-centric capabilities for searching, linking and tagging, and then moved on to authoring, networking and sharing. Almost all are accessible through a browser, and have no trouble crossing over from the consumer world into the enterprise world.
So, today we see Facebook and Twitter in over 95 percent of organizations worldwide. We see the penetration of Google Docs jump nearly threefold to over 80 percent in 2009, and the use of Twitter explode nearly eightfold in terms of bandwidth. But that’s not the dark side.
The real issue surrounding Enterprise 2.0 applications is their highly evasive nature. Their developers knew the enterprise security infrastructure very well and found ways around it. Using techniques such as port hopping, tunneling and encryption, they ensured that these applications could get through.
They also “overloaded” them with features. For example, 70 percent of Enterprise 2.0 applications are capable of transferring files, even though that may not be their obvious use. On top of that, the users have learned how to work around enterprise security. For example, if they hit a URL that gets filtered, they will find a public proxy to get through. Little do they know that 28 percent of Enterprise 2.0 applications propagate malware and 64 percent have known vulnerabilities.
However, this situation doesn’t justify an all-or-nothing decision. To flat-out block everything isn’t the answer because it destroys any business value. But to flat-out allow everything is clearly too risky. IT needs to actively participate in the Enterprise 2.0 movement and provide safe enablement through smart policies it closely manages.
Smart policy creation and enforcement
Enablement is about education, even when the users seem ahead. The role of IT is that of advisor and mentor, showing what applications are best at solving the requirements and how to best use them.
But it’s also about raising the awareness of the associated risks. For that, IT professionals need to become super users themselves by adopting Enterprise 2.0 wholeheartedly and without prejudice. Only then can they successfully educate users on all the risks, even those pertaining to social and reputational implications.
For governance to be effective, IT needs to take a major role in the definition of smart policies. But it is critical not to be the sole owner of these policies, as their effectiveness and relevance are inversely proportional to the amount of classic IT thinking. Adoption of Enterprise 2.0 was achieved with lots of non-IT executive sponsorship and support, which means that IT needs to avoid obvious mistakes. Examples of users making mistakes with social media are easy to find, but they are ultimately a losing argument because such mistakes are inevitable, just as building relationships is less than perfect.
Nor is it appropriate to pursue compliance arguments because no legislation exists per se that governs the use of Enterprise 2.0 applications. Smart policies come down to regulating the use of the right tool for the job in the right way. For example, in a heavily regulated environment such as stock trading, the use of instant messaging (IM) is subject to retention and auditability rules. IT needs to educate the traders on the implications of each of the tools, participate in the definition of the use policy and subsequently implement, monitor and enforce its use. In this example, that policy could prevent the traders from using Facebook chat but enable MSN Messenger.
Employee, desktop and network controls
A corporate security policy for the use of Enterprise 2.0 applications needs to include the following three elements:
1. Employee controls
The development of policy guidelines for the use of Enterprise 2.0 applications is often challenging, as many examples are available. But the high tension between risk and reward has polarized the opinions. Enterprise 2.0 guidelines are part of an overall code of conduct and privacy policy, and a few key elements need to be represented.
Given the increasing number of “bad” applications, how will an employee know which applications are allowed and banned? How is the list of unapproved applications updated, and who ensures that employees know about it? What constitutes a policy violation? What are the ramifications of policy violations: firing or a reprimand?
Given that a large number of Enterprise 2.0 applications not only manifest themselves on the enterprise network or devices where they could be controlled, but also on the employees’ mobile devices, documented employee policies need to be a key piece to the Enterprise 2.0 control puzzle. However, employee controls will remain largely ineffective as a stand-alone control mechanism for safe enablement of Enterprise 2.0 applications.
2. Desktop controls
Desktop controls can complement the documented employee policies as a rather limited means to safely enable Enterprise 2.0 applications. Laptops connecting remotely, Internet downloads, USB drives and e-mail are all means of installing applications that may or may not be approved. Removing administrative rights completely has proven to be difficult to implement and, in some cases, limits user capabilities. USB drives are now capable of running an application so, in effect, an Enterprise 2.0 application could be accessed after the network admission was granted.
3. Network controls
Network controls minimize the possibility of threats and disruptions stemming from the use of Enterprise 2.0 applications. There are three possible control mechanisms that can be used at the network level, each of which carries certain drawbacks that reduce their effectiveness. First, a stateful firewall can be used as a first line of defense, providing coarse filtering of traffic and segmenting the network into different, password-protected zones. Its port-centric design is ineffective when faced with Enterprise 2.0 applications that hop from port to port until they find an open connection to the network.
Second, an intrusion prevention system (IPS) enhances the network threat prevention capability by looking at a subset of traffic and blocking known threats or bad applications. It lacks the understanding of applications and the performance required to look at all traffic across all ports, and is only a partial solution.
Third, a proxy server offers traffic control but looks at a limited set of applications or protocols and only sees a partial set of the traffic that needs to be monitored.
Next-generation firewalls
The challenge with any of these network controls is that they do not have the ability to identify Enterprise 2.0 applications, look only at a portion of the traffic, and suffer from performance issues. Even combined, they can’t offer the right network protection. Next-generation firewalls, however, have proven to be the right approach. They combine application awareness with consolidated management of threats and vulnerabilities, and with fine-grained controls that allow policies to be based on applications, users and content.
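To make the contrast between a port-centric rule and an application- and user-based policy concrete, here is an added example that is not part of the original article and is not Palo Alto Networks code. It evaluates a handful of constructed session flows twice: once with a port-based allow list, and once with a toy application identifier feeding the trading-floor policy from earlier in the article (traders may use MSN Messenger, which is subject to retention, but not Facebook chat). The application markers, user-to-group mapping and sample payloads are all constructed for illustration; a real product matches far richer signatures and decodes TLS and HTTP rather than searching plaintext.

```python
"""Port-based filtering versus application- and user-aware policy (toy model).

Added example, not from the article. Flows, signatures and the policy table
are constructed; the byte markers are hypothetical stand-ins for real
application signatures.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    user: str        # identity, assumed to come from directory integration
    group: str       # e.g. "traders"; assumed group membership
    dst_port: int
    payload: bytes   # first bytes of the session (constructed)


# Constructed application signatures: marker seen early in the session -> app.
APP_SIGNATURES = {
    b"Host: chat.facebook.com": "facebook-chat",   # hypothetical marker
    b"VER 1 MSNP": "msn-messenger",                 # hypothetical marker
    b"Host: docs.google.com": "google-docs",        # hypothetical marker
}

# Port-centric rule set: allow the web ports, deny everything else.
PORT_ALLOW = {80, 443}

# Application/user policy for the article's trading-floor example.
# Anything not listed is denied, so unknown applications are not enabled by accident.
APP_POLICY = {
    ("traders", "msn-messenger"): "allow",
    ("traders", "facebook-chat"): "deny",
    ("traders", "google-docs"): "allow",
}


def identify_app(flow):
    """Return the application name for a flow, or 'unknown' if no marker matches.
    Identification does not depend on the destination port."""
    for marker, app in APP_SIGNATURES.items():
        if marker in flow.payload:
            return app
    return "unknown"


def port_policy(flow):
    """Verdict of the port-centric rule set: it never looks at the payload."""
    return "allow" if flow.dst_port in PORT_ALLOW else "deny"


def app_policy(flow):
    """Verdict of the application/user policy, plus the identified application."""
    app = identify_app(flow)
    return APP_POLICY.get((flow.group, app), "deny"), app


# Constructed sample sessions. Flow 1 is the same IM session as flow 0 after
# the application has moved to port 443, which the article describes as port hopping.
SAMPLE_FLOWS = [
    Flow("alice", "traders", 1863, b"VER 1 MSNP18 CVR0\r\n"),
    Flow("alice", "traders", 443, b"VER 1 MSNP18 CVR0\r\n"),
    Flow("bob", "traders", 443,
         b"GET /ajax/chat HTTP/1.1\r\nHost: chat.facebook.com\r\n"),
    Flow("bob", "traders", 8080,
         b"GET /ajax/chat HTTP/1.1\r\nHost: chat.facebook.com\r\n"),
]


def compare(flows):
    """Evaluate each flow under both schemes; rows are
    (user, port, port-based verdict, identified app, app-policy verdict)."""
    rows = []
    for f in flows:
        verdict, app = app_policy(f)
        rows.append((f.user, f.dst_port, port_policy(f), app, verdict))
    return rows


if __name__ == "__main__":
    for row in compare(SAMPLE_FLOWS):
        print("%-6s port %-5d port-rule=%-5s app=%-14s app-policy=%s" % row)
```

Running the block shows the failure mode the article describes: the port rule denies the IM session on its native port, allows the same session once it moves to 443 without knowing what it is, and allows Facebook chat on 443 outright. The application-aware policy reaches the same verdict for a given application and user on every port, and its default of deny for unrecognised applications is what keeps "safe enablement" from quietly becoming "allow everything".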
The question is not whether to block or not. Rather, the question is how can companies define and enforce policies that allow for smart and safe enablement, as there is ample evidence of the productivity and cost benefits of Enterprise 2.0 adoption around the world. IT executives need to act now and show leadership.
Lee Klarich is Vice President of Product Management at Palo Alto Networks. Lee brings a strong track record in network security product management to Palo Alto Networks. Previously, Lee was director of product management for Juniper Networks where he was responsible for firewall/VPN platforms and software. Lee joined Juniper Networks through the NetScreen Technologies acquisition where he managed the same product line. Prior to NetScreen Technologies, Lee held various positions at Excite@Home and Packard Bell NEC. He can be reached at lklarich@paloaltonetworks.com.