Auditing web 2.0; 2009 security predictions and more

December EventSource Newsletter
By Jasmine Noel

Auditing Web 2.0

Don’t look now, but the Web 2.0 wave is crashing onto corporate beaches everywhere.  Startups, software vendors, and search engine powerhouses are all providing online accounts and services for users to create wikis, blogs, etc. for collaborating and sharing corporate data, often without the knowledge or involvement of IT or in-house legal counsel.  User adoption is growing in leaps and bounds because it is infinitely easier to fill out an online form than it is for IT operations to purchase and install corporate solutions like SharePoint.

What is interesting about these online Web 2.0 services (I guess the hot new name for this is Cloud Computing) is the level of blind faith users have that these solutions can ward off attacks and that their use of these solutions are therefore secure by extension.  Somehow people believe that because the solution provider has some security features then how they use the solution doesn’t matter – it will be safe.

This is worrying for several reasons.  Folks that implement security solutions for a living know that shoring up vulnerabilities is a task that is never done (kind of like renovating my house, but that is another story). For example“Web 2.0 – A Playground for the Good Old Mistakes” makes the point that “security is thought to be ‘built-in’ which is only partially true” and “the good old mistakes are still there, just playing in a bigger playground with new toys.”  In other words, it takes a lot of complex technology working together to deliver collaboration that is both universally available and universally easy to use, and it is hard to completely bake security into complex, interacting technologies. This means that much of the discussion about auditing Web 2.0 centers on solution-level security vulnerabilities. Obviously, vulnerabilities such as cross-site scripting have to be addressed by the solution providers, because users want to focus on using not on securing the platform.  However, this is not the whole scary story.

Another part of it is that lots of people unwittingly use secured systems in ways that jeopardize sensitive information.  A product development wiki for employees is great, but when someone can still access the wiki a year after getting fired is not great.  It jeopardizes the company’s competitive future because its employee community is using the Web 2.0 solution in an insecure way.

I’m not alone in thinking about this.  Steve Lafferty, Prism Microsystems’ VP, recently blogged  “When people think about cloud computing, they tend to equate “it is in the cloud” to “I have no responsibility”, and when critical data and apps migrate to the cloud that is not going to be acceptable.”  The potential for exposure of sensitive information or theft of intellectual property runs high when people abdicate responsibility.

But Jasmine, you’re an analyst that covers IT operations and management, not security and information lifecycle management, so what do you care.  Well, I care because IT operations is sitting on a gold-mine of log data that can let people collaborate while unobtrusively ensuring that corporate policies are upheld.  What I’m interested in is making sure that IT operations gets the tools they need to dig the gold out of the mountains of data (without killing the rain-forest, or spotted owls or polar bears or whatever else can be endangered by strip-mining :-D). It seems to me that the best way to do that is to get smarter about what operational data should be collected and what log analyses are completed automatically.

Now, I’m not really a big fan of President Ronald Reagan, but there a few things he said that I agree with 150 percent, and one of them is “Trust, but verify.”  I think that IT operations can be instrumental in making the verify part less intrusive to users – remember users want to focus on using not security and policy management.  But this means that IT needs to get involved with the users that want to set up these cloudy Web 2.0 collaboration accounts, for example:

  • Get corporate accounts with some of the more popular service providers and demand that they link it to IT’s existing corporate authentication systems (many of them do this already) so that you don’t have to maintain user IDs in multiple places.  Operations will also have to work with corporate information lifecycle people to put policies in place so that and IT can streamline user provisioning and deprovisioning from these services.  Remember, users will do their own thing if it takes weeks to set up or take down a community.
  • Educate users that corporate accounts exist. This is really important for large companies where many times people start using private accounts because they don’t know a corporate account exists.  Users also must be educated about why corporate policies are important. This means explaining through examples why the policies you’re setting up are really about covering users’ behinds.  For example, if an employee uses a personal account to set up a wiki, that person has complete and total control over the wiki’s users, their permissions and all the information put into the wiki.  That person retains complete control even when they leave the company – why – because it is a personal account.  Examples like this help corporate users understand why it’s best to use the corporate accounts for work related collaboration.
  • Collect and analyze usage information.  Collect not only login/out info but when documents are created and edited and by whom. This gives the data mountain for mining.  Automating log analysis that looks through the usage information helps IT operations spot how behaviors are changing. Those changes are the early warning signs that something may not be right.  For example, the automated analysis will tell you that people stopped using a wiki, maybe there is a technical problem, maybe the project is over, maybe the leader left the company, or maybe some other bad thing is happening.  But IT operation’s job is to eliminate the technical problem option and pass the alert on to others to determine which of the other maybes is right and what to do about it.

I think the key thing to keep in mind with this is that most people don’t mind having a safety net, so long as it doesn’t get in the way of their high-flying acrobatics.  I think some well designed log analytics can help companies deliver a safety net while letting their employees perform dazzling feats of coordination that would make the Cirque du Soleil people jealous.

Jasmine Noel is founder and partner of Ptak, Noel & Associates.  With more than 10 years experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion.  Send any comments, questions or rants to jnoel@ptaknoelassociates.com

Industry News

Pentagon bans Thumb Drives
By definition, zero-day attacks always beat anti-virus vigilantes to the punch. That’s because these destructive viruses are able to exploit unknown, undisclosed or newly discovered computer application vulnerabilities before a software developer is able to release a patch to the public — which can render anti-virus programs practically ineffective.

Did you know? Instead of banning USB drives, EventTracker provides a better alternative for managing external storage devices

IT Security – Expect more misery in 2009
One of the nation’s largest processors of pharmacy prescriptions said that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

Did you know? EventTracker protects your data where it resides, instead of just monitoring the perimeter, to ensure defense in-depth from all kinds of attacks, emerging or traditional.

Prism Microsystems named Finalist in SC Magazine Award program 2009