Web 2.0 Security Strategy

Over the last few years, Web 2.0 has changed the way people access and exchange data. These days, it’s next to impossible to find a public or private sector enterprise that doesn’t rely on Web 2.0 functions to handle a variety of tasks and processes.

Although definitions vary, Web 2.0 generally refers to an interactive, extended computing experience. These tools boost information sharing and collaboration by interconnecting computers and data in a more seamless way.

Social networking sites, blogs, wikis, video-sharing sites, hosted services, Web applications, mashups and folksonomies are some examples of Web 2.0 capabilities. Cloud computing also incorporates Web 2.0 functions by sharing and syncing data across a variety of devices. For example, data backup and sharing services such as Dropbox and Apple’s Mobile Me make it possible to store and retrieve data across devices, including desktop computers, laptops and smartphones. And Google Apps and Salesforce.com offer features that aren’t available in a more conventional computing environment.

Despite these Web 2.0 benefits, there is a cost that’s beyond the price of the systems and software: significant security challenges. For one thing, IT must oversee a tangle of interconnected servers—sometimes spanning several organizations or entities—and attempt to understand how and where data flows. For another, there’s almost no way to enforce standards or adopt a consistent set of security applications spanning servers and organizations. Finally, it’s clear that Web 2.0 programming languages such as AJAX are exploitable.

“From a security standpoint, Web 2.0 is a big can of worms,” says Rob Cheyne, CEO of security consulting firm Safelight Security Advisors. “By definition, it’s an open and connected environment. Systems and services are always on and always available. Instead of keeping people out, you want them to enter and access the data. This is the complete opposite of traditional enterprise security, which focuses on building a closed and guarded environment.”

In recent years, Yahoo! Mail, Gmail, MySpace and Facebook have all been targeted with malicious code. The sheer openness of today’s computing environment is unprecedented. Employees, customers and business partners use an array of devices—including smartphones and other mobile units—to tap into intellectual property, credit card information, personal data, health care records and more. 

The key to success is to balance security requirements with business needs. Although every organization is different, shutting down social networking sites, cutting off access to blogs and wikis, and limiting a variety of other interactive services and capabilities will probably prove counterproductive. “Without many of today’s Web 2.0 tools, an organization is likely at a disadvantage,” explains Bill Phelps, executive director of Security Practice at consulting firm Accenture.

Today, the average organization channels approximately 3.4 percent of its IT budget into security, according to Gartner. However, that figure is expected to rise to 5.1 percent in 2010—and there’s no relief in sight. As business and data become more intertwined, and Web 2.0 applications and services—including computing clouds, social media, Web apps and mobile devices—become more pervasive, the risks increase dramatically.

“There is a growing focus on protecting the network and all the data that flows through it,” states Gary Loveland, U.S. Advisory Practice Leader for Security at consulting firm PricewaterhouseCoopers. “What makes security so difficult today is that it’s becoming more difficult to know where your data is located and who has access to it. Data is more transient than ever.”