Gartner : Web 2.0 Demands Security Re-Think

Wednesday, August 15, 2007

The adoption of Web 2.0 technologies in the enterprise is driving unprecedented collaboration throughout business, but brings with it significant security risks, according to analysts speaking at Gartner’s IT Security Summit in Sydney today.  The Web 2.0 risks are manageable, but only if enterprises engage security early in the process and build a solid foundation to support Web 2.0, while limiting the risks.  Vice president and Gartner Fellow Joseph Feiman said that while most Web 2.0 technologies are not new, many of the concepts run contrary to traditional IT security practices.  “Using and participating in these online services and communities forces enterprises to relinquish a level of control that they historically would not tolerate,” said Mr Feiman.  “It is forcing enterprises to rethink their security strategies.”…..In his presentation ‘Securing Web 2.0’, Mr Feiman said that the security challenges created by Web 2.0 could be divided into two categories: protecting internal users and the enterprise, and protecting external applications.  The internal challenge is characterised by inbound risks, such as malicious code in RSS feeds, and outbound risks, such as information leakage through inappropriate blogging or use of collaboration tools.  The external challenge is threats generated by enterprise usage and participation in Web 2.0 technologies, such as use of third-party content (mashups) and engaging in open user communities…..“A similar risk that many enterprises are currently dealing with is employee blogging.  Some organisations encourage it, others forbid it, and some have no formal policies at all.  It’s a two sided coin — on the positive side blogging can build strong communities, brand awareness and transparency; but on the negative side blogging can reveal corporate secrets, arm disgruntled employees and have undesirable consequences,” said Feiman.  According to Gartner research, the open nature of Web 2.0 also presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content.  In the outbound sense information leakage can occur in a range of ways such as blogging, instant messaging, collaboration tools and even online calendars.  Similarly any content served by a Web 2.0 application can be re-formed, reused and redistributed by third parties, making it practically impossible to control content.  This can include press releases, price lists, video and audio, all of which can be rapidly propagated across the Internet.  “There is no technology that can effectively protect content that is publicly accessible,” said Mr Feiman.  “Rather enterprises should determine what content they are willing to have in the public domain, keep the rest private, and use licensing agreements as often as possible to help control distribution and use.” 

As with any collection of technologies, Web 2.0 comes with a wide range of vulnerabilities and risks and a few basic practices can limit an organization’s exposure.  Mr Feiman identified the two most important practices for limiting risk when building Web 2.0-style applications as: adopting a secure development life cycle and focusing on validating all input, whether it is from an internal user or a business partner.  Gartner makes the following recommendations for enterprises adopting Web 2.0 technologies:

  • Secure coding is your best defence
  • Use web vulnerability scanners
  • Validate all input on the server-side
  • Assume any public content will be reused in unexpected ways
  • Protect internal users and corporate assets with technology tools and education
  • Consider using application firewalls, content monitoring and filtering and data loss protection (CMF/DLP) and database activity monitoring.

Reference : http://www.tekrati.com/research/News.asp?id=9237

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: