
Event describes importance of securing Web 2.0

The Secure Enterprise 2.0 Forum debuted today in New York. The event looked at the advantages and security risks of Web 2.0 technology use in the enterprise, and was sponsored by Credit Suisse and software vendor WorkLight.

While the tone of much of the discussion advocated for the integration of Web 2.0 technology into the corporate environment, highlighting the efficiencies that Web 2.0 applications bring to the work experience, speakers certainly did not neglect the inherent security risks.

Keynote speaker Chenxi Wang, principal analyst, security and risk management, Forrester Research, as well as presenters from WorkLight, outlined the vulnerabilities of Web 2.0, but detailed the advantages integration brings to corporate networks, if this can be achieved securely.

Perhaps more questions than answers were provided as to the viability of allowing blogs, wikis, instant messaging and other social networking tools into the corporate environment. But the groundwork for enterprise Web 2.0 advocacy was laid, inviting input from attendees with an intent to get the ball rolling. The half-day event follows a similar presentation held in January in England.

"The consumer and enterprise worlds are colliding," said Yuval Tarsi, founder and chief technology officer of WorkLight, which makes enterprise Web 2.0 software solutions.

David Lavenda, the Newton, Mass.-based company's vice president of marketing and product strategy, led off the day referring to a Forrester report claiming that 2008 will be the year of Web 2.0. And he backed up his words with statistics that show that MySpace has 110 million users and Facebook has more than 70 million active users. In addition, iGoogle experienced 267 percent growth year over year. It now has 22 million users with personalized home pages.

However, he laid out the challenges faced by IT staff charged with securing corporate networks.

"Security concerns are not well understood by a lot of folks and they don't have a handle on using Web 2.0 in the enterprise," he said.

Web 2.0 is a whole new user experience, not just a set of tools, he said. It offers a personalized experience that allows users to easily gather and aggregate information in their browser, whether through iGoogle, Facebook, MySpace, Yahoo! or similar services.

The business trends, he said, show that there's growth of a distributed workplace with mobile and remote users, and with many applications being outsourced. Also, there's a new generation of people entering the workforce who are used to doing things collaboratively, he said, adding that traditional enterprise tools do not facilitate that work.

"There is a huge opportunity to fulfill business needs which allow people to work efficiently," he said.

Using Web 2.0 technology in the enterprise presents risks, he said, opening the corporation to data theft, information leakage and liability for information misuse by employees. While Web 2.0 tools are easy to use, they weren't built for enterprise use, he pointed out.

Wang followed, describing security issues beyond AJAX and Flash, the building blocks of Web 2.0 technology.

She began by defining Web 2.0 as "a set of technologies and applications that enable efficient interaction among people, content and data in support of fostering new business, technology offerings and social structures."

Two-way content is a reality, she said. Today, clients, browsers and other sorts of client structures have been active in creating content. There has been, however, a fundamental impact on security, she added.

The web is becoming an application platform, she said. Users can create their own applications on the fly. The technology and programs used in Web 2.0 nurture a social phenomenon of new behaviors built on real-time communication (IM, VoIP, web conferencing) and information-sharing platforms (blogs, wikis, RSS), she said. This has led to a mass decentralization of resources.

Wang then cited a third-quarter Forrester study that asked IT decision-makers what percentage of staff is using Web 2.0 technology for business purposes. While the numbers came in at single digits, the significance should not be overlooked, she said. Many companies are interested in Web 2.0 because "CIOs tell us that it leads to efficiencies and improved productivity." She also pointed out that the younger generation entering the workplace is already familiar with these tools and want to use them. And this group will only grow.

Asia just might be ahead of the curve in this regard. A company there, Tencent, which provides chat and SMS, has 350 million users all using QQ, a social collaborative platform.

The web is becoming more dangerous, she said, but there are strategies and best practices to mitigate the risks. Topping the list was corporate governance, which seeks to ensure that policies track the entire lifecycle of content, she said. Corporations need web filtering that can block not only unacceptable sites, but also individual pages within legitimate sites such as Facebook and MySpace.

Second on her best practices list was identity management. Identity federation is coming, she said. Corporations should embrace open standards-based identity management solutions, such as OATH and the Liberty Alliance.

Third was client security. The role of the client is changing, Wang said. Clients are more active and are therefore now part of the Web 2.0 attack surface. Client security goes beyond desktop monitoring and anti-virus defenses, she said. It includes desktop vulnerability scanning, content discovery, tagging and management.

Finally, she pointed to application security, the development of secure Web 2.0 applications. It's a complex challenge, especially as AJAX and Flash are prone to coding errors and there is no reliable way to test their security. For those developing applications, she said, secure operation requires threat modeling, static analysis, black-box testing and penetration testing, or else relying on third-party applications that are dependable. Demand secure development lifecycle best practices where reasonable, she said.

Also necessary for corporate security is the deployment of a web application firewall for "right-now" protection. Wang also advised establishing a periodic black-box scanning process, as well as a vulnerability remediation process.

The use of Web 2.0 tools is growing whether sanctioned or not, said WorkLight's Tarsi.
