EventSource December 2008 – Auditing Web 2.0; 2009 security predictions and more

Featured Article

Auditing Web 2.0
By Jasmine Noel

Don’t look now, but the Web 2.0 wave is crashing onto corporate beaches everywhere. Startups, software vendors, and search engine powerhouses are all providing online accounts and services for users to create wikis, blogs, etc. for collaborating and sharing corporate data, often without the knowledge or involvement of IT or in-house legal counsel. User adoption is growing in leaps and bounds because it is infinitely easier to fill out an online form than it is for IT operations to purchase and install corporate solutions like SharePoint.

What is interesting about these online Web 2.0 services (I guess the hot new name for this is Cloud Computing) is the level of blind faith users have that these solutions can ward off attacks and that their use of these solutions is therefore secure by extension. Somehow people believe that because the solution provider has some security features, how they use the solution doesn’t matter – it will be safe.

This is worrying for several reasons. Folks that implement security solutions for a living know that shoring up vulnerabilities is a task that is never done (kind of like renovating my house, but that is another story). For example, "Web 2.0 - A Playground for the Good Old Mistakes" makes the point that “security is thought to be ‘built-in’ which is only partially true” and “the good old mistakes are still there, just playing in a bigger playground with new toys.” In other words, it takes a lot of complex technology working together to deliver collaboration that is both universally available and universally easy to use, and it is hard to completely bake security into complex, interacting technologies. This means that much of the discussion about auditing Web 2.0 centers on solution-level security vulnerabilities.
Obviously, vulnerabilities such as cross-site scripting have to be addressed by the solution providers, because users want to focus on using, not on securing, the platform. However, this is not the whole scary story. Another part of it is that lots of people unwittingly use secured systems in ways that jeopardize sensitive information. A product development wiki for employees is great, but when someone can still access the wiki a year after being fired, that is not great. It jeopardizes the company’s competitive future because its employee community is using the Web 2.0 solution in an insecure way.

I’m not alone in thinking about this. Steve Lafferty, Prism Microsystems’ VP, recently blogged: “When people think about cloud computing, they tend to equate ‘it is in the cloud’ to ‘I have no responsibility’, and when critical data and apps migrate to the cloud that is not going to be acceptable.” The potential for exposure of sensitive information or theft of intellectual property runs high when people abdicate responsibility.

But Jasmine, you’re an analyst that covers IT operations and management, not security and information lifecycle management, so what do you care? Well, I care because IT operations is sitting on a gold-mine of log data that can let people collaborate while unobtrusively ensuring that corporate policies are upheld. What I’m interested in is making sure that IT operations gets the tools they need to dig the gold out of the mountains of data (without killing the rain-forest, or spotted owls or polar bears or whatever else can be endangered by strip-mining :-D). It seems to me that the best way to do that is to get smarter about what operational data should be collected and what log analyses are completed automatically.
Now, I’m not really a big fan of President Ronald Reagan, but there are a few things he said that I agree with 150 percent, and one of them is “Trust, but verify.” I think that IT operations can be instrumental in making the verify part less intrusive to users – remember, users want to focus on using, not on security and policy management. But this means that IT needs to get involved with the users that want to set up these cloudy Web 2.0 collaboration accounts, for example:
I think the key thing to keep in mind with this is that most people don’t mind having a safety net, so long as it doesn’t get in the way of their high-flying acrobatics. I think some well-designed log analytics can help companies deliver a safety net while letting their employees perform dazzling feats of coordination that would make the Cirque du Soleil people jealous.

Jasmine Noel is founder and partner of Ptak, Noel & Associates. With more than 10 years’ experience in helping clients understand how adoption of new technologies affects IT management, she tries to bring pragmatism (and hopefully some humor) to the business-IT alignment discussion. Send any comments, questions or rants to jnoel@ptaknoelassociates.com

Industry News

By definition, zero-day attacks always beat anti-virus vigilantes to the punch. That’s because these destructive viruses are able to exploit unknown, undisclosed or newly discovered computer application vulnerabilities before a software developer is able to release a patch to the public, which can render anti-virus programs practically ineffective.

Did you know? Instead of banning USB drives, EventTracker provides a better alternative for managing external storage devices.

IT Security - Expect more misery in 2009

One of the nation's largest processors of pharmacy prescriptions said that extortionists are threatening to disclose personal and medical information on millions of Americans if the company fails to meet payment demands.

Did you know? EventTracker protects your data where it resides, instead of just monitoring the perimeter, to ensure defense in depth from all kinds of attacks, emerging or traditional.

Prism Microsystems named Finalist in SC Magazine Award program 2009