Web 2.0 Security Strategy

By Samuel Greengard  |  Posted 2010-10-12

Over the last few years, Web 2.0 has changed the way people access and exchange data. These days, it’s next to impossible to find a public or private sector enterprise that doesn’t rely on Web 2.0 functions to handle a variety of tasks and processes.

Although definitions vary, Web 2.0 generally refers to an interactive, extended computing experience. These tools boost information sharing and collaboration by interconnecting computers and data in a more seamless way.

Social networking sites, blogs, wikis, video-sharing sites, hosted services, Web applications, mashups and folksonomies are some examples of Web 2.0 capabilities. Cloud computing also incorporates Web 2.0 functions by sharing and syncing data across a variety of devices. For example, data backup and sharing services such as Dropbox and Apple’s MobileMe make it possible to store and retrieve data across devices, including desktop computers, laptops and smartphones. And Google Apps and Salesforce.com offer features that aren’t available in a more conventional computing environment.

Despite these Web 2.0 benefits, there is a cost that’s beyond the price of the systems and software: significant security challenges. For one thing, IT must oversee a tangle of interconnected servers—sometimes spanning several organizations or entities—and attempt to understand how and where data flows. For another, there’s almost no way to enforce standards or adopt a consistent set of security applications spanning servers and organizations. Finally, it’s clear that Web 2.0 programming techniques such as AJAX are exploitable.

“From a security standpoint, Web 2.0 is a big can of worms,” says Rob Cheyne, CEO of security consulting firm Safelight Security Advisors. “By definition, it’s an open and connected environment. Systems and services are always on and always available. Instead of keeping people out, you want them to enter and access the data. This is the complete opposite of traditional enterprise security, which focuses on building a closed and guarded environment.”

In recent years, Yahoo! Mail, Gmail, MySpace and Facebook have all been targeted with malicious code. The sheer openness of today’s computing environment is unprecedented. Employees, customers and business partners use an array of devices—including smartphones and other mobile units—to tap into intellectual property, credit card information, personal data, health care records and more. 

The key to success is to balance security requirements with business needs. Although every organization is different, shutting down social networking sites, cutting off access to blogs and wikis, and limiting a variety of other interactive services and capabilities will probably prove counterproductive. “Without many of today’s Web 2.0 tools, an organization is likely at a disadvantage,” explains Bill Phelps, executive director of Security Practice at consulting firm Accenture.

Today, the average organization channels approximately 3.4 percent of its IT budget into security, according to Gartner. However, that figure is expected to rise to 5.1 percent in 2010—and there’s no relief in sight. As business and data become more intertwined, and Web 2.0 applications and services—including computing clouds, social media, Web apps and mobile devices—become more pervasive, the risks increase dramatically.

“There is a growing focus on protecting the network and all the data that flows through it,” states Gary Loveland, U.S. Advisory Practice Leader for Security at consulting firm PricewaterhouseCoopers. “What makes security so difficult today is that it’s becoming more difficult to know where your data is located and who has access to it. Data is more transient than ever.”

To be sure, navigating security in today’s Web 2.0 world is no simple task. There’s no single approach or one-size-fits-all solution that addresses the tangle of challenges that enterprises face. As a result, it’s essential for organizations to develop a holistic strategy and deploy the right security tools and policies. Minimizing the risk of a breach is paramount. As Accenture’s Phelps puts it: “Web 2.0 creates enormous opportunities that businesses cannot overlook, but it also requires more sophisticated security, as it has dramatically expanded a variety of threats and risks.”

Developing a strategy for coping with Web 2.0 risks is essential. One area that organizations must address is data protection. Says Phelps: “Today’s highly interconnected environment dramatically expands the avenues for data leakage, which is attractive for those looking to exploit systems.”

The heart of the problem is that the line between work and personal life has blurred. When employees participate in social networking sites, they may not realize that they are posting sensitive corporate information. “They might not stop to think about what they’re posting,” Phelps notes. “Moreover, if one member of the group lacks an appropriate privacy setting, the information could be viewed by others.”

A Secure Cloud Environment

Protecting data is a core concern at Huntington National Bank, headquartered in Columbus, Ohio. The regional financial institution, which operates more than 600 branches and 1,300 ATMs in six Midwest states, stores an ever-growing volume of data in the cloud. A primary initiative has centered on using Salesforce.com in a secure cloud environment.

“In the past, we had different departments using different CRM tools, and it was difficult to manage and share data across silos,” recalls Mark Edson, infrastructure manager of Enterprise Desktop and Directory Services. This scattershot approach presented both business and security challenges. “When customers call and [the issue] involves multiple departments, we need to forward the data associated with that customer quickly and securely. In addition, we must adhere to regulatory requirements.”

One of Huntington Bank’s primary concerns was to avoid sharing passwords with the hosted service provider. So, Edson set out to build a system with single sign-on authentication that did not require employees to log in at the hosted site. That meant building a sandbox and designing the logins so that there “wasn’t another set of credentials for associates to remember,” he explains.

Huntington Bank turned to Novell’s Access Manager and relies on Security Assertion Markup Language (SAML) 2.0 to authorize and authenticate data exchanges between security domains. Within three months, the bank had the solution in place. 

Today, users log in to Huntington’s internal Web page, and the system pre-authenticates them for the cloud. Access Manager and the bank’s LDAP (Lightweight Directory Access Protocol) directory generate a random 132-bit or longer assertion string. A public and private key is sent to Salesforce.com, and the employee gains entry.

Designing the system required the bank’s IT department to generate code for a new driver that would link Huntington’s HR system and directory services with Salesforce.com. “At no point does the authentication data get sent to the cloud,” Edson adds. “The cloud provider never sees the password and does not have it on file.”

Consequently, there is no way Salesforce.com can access any of the data. What’s more, the system accommodates real-time provisioning, deprovisioning, departmental moves and name changes. When an employee updates information in the HR system, it automatically populates the LDAP directory and Access Manager.

“We are very conscious of our fiduciary duty to protect customer data,” Edson says. “We don’t want to miss the opportunity of Web 2.0, but we also know that we have to make the environment as secure as possible.”
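The pattern described above, in which the hosted service accepts a short-lived assertion from the bank's identity provider instead of a password, can be sketched from the service's side. This is an added example, not Huntington's, Novell's or Salesforce.com's code; the host names, user name and the `accept_assertion` function are hypothetical, and signature verification is assumed to have been done by an XML-DSig library before these checks run.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: hypothetical issuer, audience and user. Note that it
# carries an identity and validity conditions, but no password.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3d4e5f60718293a4b5c6d7e8f90" Version="2.0"
    IssueInstant="2010-10-12T14:00:00Z">
  <saml:Issuer>https://idp.bank.example/sso</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@bank.example</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2010-10-12T14:00:00Z"
                   NotOnOrAfter="2010-10-12T14:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://crm.cloud.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    """Parse a UTC SAML timestamp such as 2010-10-12T14:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def accept_assertion(xml_text, now, trusted_issuer, own_audience, seen_ids):
    """Return the asserted user name, or raise ValueError.

    Assumption: the XML signature has already been verified against the
    identity provider's certificate by an XML-DSig library (not shown), and
    a hardened XML parser is used in production.
    """
    root = ET.fromstring(xml_text)
    if root.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        raise ValueError("untrusted issuer")
    cond = root.find("saml:Conditions", NS)
    try:
        start, end = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        raise ValueError("missing or malformed validity window")
    if not start <= now < end:
        raise ValueError("outside validity window")
    if own_audience not in [a.text for a in cond.iterfind(".//saml:Audience", NS)]:
        raise ValueError("issued for a different service")
    if root.get("ID") in seen_ids:          # single use: block replay
        raise ValueError("replayed assertion")
    seen_ids.add(root.get("ID"))
    return root.findtext("saml:Subject/saml:NameID", namespaces=NS)
```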

One thing that makes security so difficult in the Web 2.0 world is that it typically spans so many different applications and services. There’s no way for a single development team or security group to oversee an entire enterprise. As a result, Safelight’s Cheyne says, there’s a need to “really lock down applications and add security as developers build and introduce systems.”

It’s also critical to conduct a full set of tests before any new application enters the picture. “It’s important to conduct a secure code, design and architecture review—and run a vulnerability scan,” he adds. 

The goal, Cheyne says, is to identify data floating around in various systems—including those connected to outside organizations or available to customers, business partners and others—through Web 2.0 applications. It’s also vital to gauge how sensitive the data is, who potentially has access to it and what could happen if the data falls into the wrong hands. 

At Community Options for Families and Youth (COFY), a not-for-profit Walnut Creek, Calif., organization that assists families and children subjected to violence and crime, the need for data security is paramount. What’s more, a cloud environment that’s used to store documents magnifies the risks. 

By law, the organization must document every conversation and interaction with clients and maintain confidentiality according to HIPAA (Health Insurance Portability and Accountability Act) compliance requirements. Supervisors must access and review notes from various locations.

“In the past, we took the risk of e-mailing password-protected documents and sharing them using encrypted flash drives,” recalls Rick Quisenberry, a behavioral therapist who supports the organization’s IT environment. “It was inefficient and unsecure.”

COFY required a cloud-based file server that could sync files from offline storage devices to the cloud so that 30-plus staff members could easily share the data. As a result, it turned to cloud-services provider Egnyte.

By keeping a copy of the data in the cloud, as well as on a local device, caseworkers now have instant access to data whether they’re in the office or in the field. The data, upward of 500 documents each month, is encrypted and password-protected.

The system also allows therapists to write, edit and save documents directly on the server rather than on their local PCs and Macs. At the same time, the system generates an e-mail or text notification and sends it to the appropriate person if a change takes place. In addition, employees carry encrypted flash drives, with which they can access files securely if they lack an Internet connection.

“The system has saved us money and has greatly simplified security,” Quisenberry says.

A Comprehensive Strategy

Like Huntington National Bank and COFY, many organizations recognize the value of identity management, authentication, encryption and other access controls. However, these methods are only part of a comprehensive Web 2.0 protection strategy, says PricewaterhouseCoopers’ Loveland. 

Data loss prevention (DLP), which tracks the flow of sensitive documents and data, is another key consideration. It controls who accesses data and where it’s allowed to go by monitoring and locking down endpoints. 

Likewise, organizations are turning to e-discovery and digital rights management (DRM) software to control the flow of documents, audio, video and other types of intellectual property. In some instances, these applications run in a cloud environment, but the technology can also help track data flow into social networking sites and other Web 2.0 tools by producing an audit trail and a record of all change actions. 

For example, at Roke Manor Research, a leading U.K. technology research and development center, the need to manage highly sensitive information—including documents and data from clients in military defense—is of the utmost importance. “A data breach could result in damage to the reputation of the company and subsequent loss of further orders,” explains Rob Matthews, IT security officer. With 430 employees and 1,200 PCs, he doesn’t take the task of securing systems lightly.

In 2005, Matthews began looking for an endpoint-security solution. He opted for Safend Protector, which secures all physical and local ports, including USB, Firewire, PCMCIA, wireless endpoints (including Wi-Fi, Bluetooth and IrDA), and removable storage devices (including smartphones, iPods and flash drives).

The system also uses endpoint monitoring and device identification to block keyloggers and other malware. “The monitoring and alerting functions have already proven useful and assist in identifying where we might have problems,” he says.

Security is more than the sum of tools and technologies. As PricewaterhouseCoopers’ Loveland puts it, “At a certain point, it becomes a policy issue. It’s important to develop focused rules—while educating and training employees about the dangers of security breaches. This is particularly true for social media, where privacy settings and a momentary lapse in judgment can have dire consequences.” He also recommends establishing an audit committee and using it to better frame questions and issues.

Accenture’s Phelps says that it’s imperative for organizations to have a well-defined social media policy to complement security systems and software. What’s more, the policy must reflect the needs of different departments and stakeholders within the organization. These rules and guidelines should appear in written form, and employees should have easy access to them. No less important: They must be updated regularly in order to reflect today’s fast-changing business environment. 

Of course, developing workable policies is easier said than done—particularly when competing interests are involved. “It’s important to create realistic and practical policies,” Phelps explains. He cites this example: “A rule that stipulates that employees cannot post anything about work is unrealistic and counterproductive. You want them to post in a positive way and say the right things. You have to keep the big picture in mind.”

Make no mistake, organizations that put the right mix of tools and policies in place are able to connect people with information in ways that business and IT executives couldn’t have imagined only a few years ago. But in order to take advantage of the full potential of Web 2.0, it’s essential to address security in a proactive way. 

“You have to put controls in place, but they have to be the right controls,” PricewaterhouseCoopers’ Loveland concludes. “We’ve entered a new and challenging era, and there must be recognition that there’s no simple or single way to address these challenges.”