Connecting to Constituents and Customers Securely with Web 2.0

By David Lavenda – Vice President, Marketing and Product Strategy, Worklight
Published Monday, 8 September, 2008 - 17:40

Web 2.0 is changing the way private corporations and public service organizations get business done, drawing on the increasing popularity of such services as Facebook, iGoogle, Windows Live, RSS, social tagging and desktop gadgets.

Yet with the advent of these popular tools, new security challenges arise, requiring organizations to put security safeguards and adequate policies in place.

The popularity of Web 2.0 services such as personalized homepages and social networks is increasing rapidly, bearing a significant impact on how we, as customers and constituents, connect to organizations.

In the corporate world, consumer Web 2.0 services are already a reality. A recent global survey of almost 2,000 executives by McKinsey Quarterly reveals that 87% of respondents confirmed Web 2.0 is used in their company to interact with customers, 94% of companies also use the technology internally, and 75% extend their business reach by using Web 2.0 tools to interface with suppliers and partners.

As companies extend their business reach beyond the corporate portals, government and local authorities will also extend their presence beyond the traditional online government website into the places where people spend the majority of their time.

In the public sector, Web 2.0 allows individuals to connect to government services with web-based or desktop gadgets and carry out civil duties on their preferred platform. By personalizing and customizing government, constituents become more effective at completing their government-related tasks, which greatly lowers government transaction and service costs. Furthermore, the public image of the agency is improved.

Constituents, employees, partners and customers are already using Web 2.0, and government and companies can tap this significant trend and embrace this technology with the utmost security safeguards.
Yet, how can we be assured that our personal, confidential information is secured when it passes through these publicly available tools? After all, security is fundamental to the successful implementation of Web 2.0 in both the corporate and government environments.

Faced with this emerging technology and its associated security risks, many information security executives dictate a “block out and lock down” policy: blocking the services at the web access layer and making sure all workstations are locked down.

The security challenges are real, as emerging technologies provide new capabilities but also present new risks, like an employee publishing proprietary information on a public blog or using a public bookmarking site as a research tool.

Other security breaches may be more elaborate and malicious in nature, such as phishing attempts or newfangled attacks against the latest Web technologies in use within the organization (e.g. JavaScript hijacking and script injection in RSS feeds).
For information security professionals, a balance needs to be struck between providing employees with the tools they need to be productive and maintaining sufficient control to keep security incidents at an acceptable level.

First and foremost, it is critical to define and implement clear use policies for Web 2.0 tools both inside and outside the organization.

In addition to defining policies, there are technical measures that can be taken to reduce the risk of using Web 2.0 technologies in the enterprise:
·    Place a middle tier between information back-end systems and Web 2.0 front-ends – Web 2.0 front-ends such as RSS and AJAX gadgets tend to generate many requests. It is therefore advisable to include a middle tier that is optimized for Web 2.0 front-ends and capable of communicating efficiently with back-ends.
·    Leverage existing security mechanisms – even when accessing data from Web 2.0 front ends, there is no reason not to leverage existing enterprise single-sign-on or centralized access management.
·    Provisioning is critical – maintain full control of application and data provisioning, regardless of how data is consumed or where applications run.
·    Address ‘Attacks 2.0’ from the get-go – train developers on the risks specific to Web 2.0 technologies and the accepted best practices to handle them.

These useful security safeguards will be incorporated over time into the corporate and government IT toolbox, as more and more organizations embrace consumer Web 2.0 web-based and desktop services. In the meantime, those organizations that identify the inherent value of using this new technology to reach both customers and constituents will outshine competitors in the business world and serve as trailblazers for other government agencies in the public service sector.

The benefits of using Web 2.0 tools for government are many, ranging from improving the taxpayer’s image of government to reducing transaction and service costs. Yet, with new technologies, come new risks. While mitigating these risks remains a challenge, preventing the use of such tools altogether may be, in the long term, risky business.