Keeping web technologies out of the workplace can have a detrimental effect on morale, says Yuval Tarsi.
As usage of iGoogle, Facebook and other public Web 2.0 services grows daily, these offerings become increasingly significant tools in the information worker's toolbox. They can be used for networking, collaboration, research, staying up-to-date on the latest news and trends, and getting things done at work.
Yet, at the same time, concern about potential security risks is also on the rise. In many organizations, the knee-jerk reaction of the information security team is to block these services at the web access layer and make sure all workstations are locked down so end-users can't circumvent the blocks.
Even if such locks and blocks could be implemented effectively, which is questionable, CISOs should carefully consider whether such a strategy makes sense for their organizations in the long term. Keeping the latest and greatest web technologies out of the workplace can have a detrimental effect on employee morale, as well as on productivity. Down the road, frustrated, web-savvy employees may find themselves looking for a more accommodating workplace.
All that said, the enterprise security risks are real, and the intuitive reaction of many organizations is not unjustified. New technologies provide new capabilities, but also present new risks.
For information security professionals, managing risk when deploying these new technologies is a real challenge. A balance needs to be struck between providing employees with the tools they need to be productive, and maintaining sufficient control to keep security incidents at an acceptable level. First and foremost, it is critical to define and implement clear acceptable use policies for Web 2.0 tools both inside and outside the organization.
Think of the potential damage an employee can do by misusing email. Such misuse is rare – not because it is blocked by technical measures, but because it is very clear to employees what is considered unacceptable use of email, and what the implications will be for them if they cross that line. The primary difference between email and blogs, wikis and social networking websites in this respect is not that they are based on different technologies, but that it is still not clear to most users what the rules are and what happens when they are broken.
In addition to defining policies, there are, of course, technical measures that can be taken to reduce the risk of using Web 2.0 technologies in the enterprise. Perhaps most important is to decouple backend systems from Web 2.0 front-ends. Web 2.0 front-ends, such as RSS and Ajax gadgets, tend to generate many requests. It is a good idea to place a middle tier between these components that is optimized for Web 2.0 front-ends and capable of communicating efficiently with back-ends.
Next, IT security pros must leverage existing security mechanisms. Even when accessing data from Web 2.0 front-ends, there is no reason not to leverage existing investment in enterprise single sign-on (SSO) or centralized access management.
In addition, provisioning is critical. Maintain full control of application and data provisioning, regardless of how data is consumed or where applications run.
Also, address 'attacks 2.0' from the get-go. Train developers on the risks specific to Web 2.0 technologies and the accepted best practices to handle them. Perform code audits to ensure the correct measures are implemented.
The benefits of using Web 2.0 tools in the enterprise are many, and range from increased productivity to improved employee retention. As with all new technologies, with new capabilities come new risks. While mitigating these risks is challenging, preventing the use of such tools altogether is, in the long term, a much more risky strategy.
Yuval Tarsi is founder & CTO of WorkLight, an Enterprise 2.0 company with offices in Boston and Yakum, Israel.