In the world of enterprise I.T., everything is a security risk: your insecure password, an unexpected email attachment, a careless web surfer clicking through to a malicious URL, or the unapproved software you installed on your computer. Today's I.T. has plenty of tools to handle most of these threats, ranging from firewalls and spam filters to malware-fighting software and application control mechanisms. Soon it will have something more: a new Application Control Engine that specifically goes after and shuts down Web 2.0 apps and social network widgets.
A company called FaceTime Communications, based in Belmont, California, recently introduced its new inspection and classification technology called "ACE," which simply stands for Application Control Engine. This patented security technology is capable of scanning a network and identifying more than 1,400 Web 2.0 applications and more than 50,000 social network widgets distributed by sites like Facebook, MySpace, and Orkut.
Scanning for rogue applications on the network is nothing new for I.T., but what's interesting about FaceTime's ACE technology is its focus on scanning for the technologies that often fly under I.T.'s radar: web apps.
As we've mentioned before, I.T.'s failure to adapt to the changing needs of their user base, now younger and more digitally savvy than ever before, has led to a lot of self-provisioning of the easy-to-use applications found on the web. These tools can include anything from Facebook groups to standalone apps like the SharePoint-lite team pages found on Google Sites.
Of course, when users become their own I.T. department, they're unknowingly introducing risks into the previously hardened network infrastructure. Just because a web app is easy to operate, that doesn't make it safe and secure for enterprise use. As users upload and share sensitive files through these unapproved backchannels or have business-related conversations through web-based IM chatrooms, they might not only be putting their company's data at risk, they could also be breaking various compliance laws.
For I.T., the challenge is keeping up with the barrage of new web apps out there and shutting down those that present a threat. In an independent study commissioned by FaceTime Communications, 62% of I.T. respondents said that there were eight or more Internet applications installed on their enterprise networks - a 300% increase over the first study conducted in 2005. More importantly, the respondents noted that about one-third of their users downloaded the applications they wanted to use - regardless of company policy. Those apps were a mix of business apps and apps used for personal reasons.
I.T. has traditionally struggled to shut down many of today's web applications because they are not all strictly browser-based. Knowing that their adoption rate is dependent on behind-the-back installs on company desktops, many of the apps make sure they can't be blocked by a URL signature. The apps may also masquerade as HTTP, FTP, SMTP and Telnet traffic while exhibiting evasive techniques that help them penetrate the company firewall and escape detection by the current crop of Unified Threat Management systems.
With FaceTime's ACE, though, more than 1,400 of these web applications can be identified and even more social networking widgets can be isolated, too. Those apps can be discovered and shut down regardless of the port, protocol, or evasive technique they use. In addition, the ACE software developer's kit (SDK) lets third-party solution providers extend their offerings in order to help their customers manage instant messaging, peer-to-peer file sharing, social networking, Web 2.0, voice-over-IP, anonymizers, IPTV, multimedia, games, virtual worlds, and unified communications.
If FaceTime's ACE or other similar technologies become a mainstay in the enterprise I.T. toolkit, the explosion of Web 2.0 for business use, a trend typically called Enterprise 2.0, may be dealt quite a blow. The only Enterprise 2.0 apps that will succeed given that scenario will be the ones that worked with the I.T. admins from the very beginning to assure them of their safety. The apps reliant on a slew of the company's rule-breaking users for adoption, however, will be out of luck. Perhaps being sneaky may not have been a great business model after all.
Comments
Alternatively, perhaps the users that use these applications for legitimate purposes (e.g. to make money for the company) will cry out and overrule the over-cautious IT chaperones.
I've seen that happen in a few mid-sized companies already, where IT wanted to block things like Google Docs and the users got them to back off.
Daniel
Just because companies _can_ shut down Web 2.0 apps doesn't mean they should. Enterprise 2.0 is more about bringing the benefits of web based collaboration and social media into a work setting, for the benefit of the business - not about employees playing with Facebook when they should be working.
Dig deeper and you'll find Microsoft behind this foolishness.
...and as I unfortunately predicted, the day after Net Neutrality dies on the senate floor, the telcos have paid off the DoJ to convince you VoIP are "tools of terrorism":
http://www.nytimes.com/2008/12/09/world/asia/09mumbai.html?_r=1
Android and the EFF will be next to be demonized. Thankfully Misery Incorporated only has a few weeks left in office.
Gee, don't spread this around... IT will love it and shut us down.. ;-)
It is articles like this that continue to fuel the "us versus them" mentality inherent in so many organizations between IT and "everybody else". We want to be the enabling organization, the sentry that guards at the door to prevent the bad stuff from getting in, not for keeping the good stuff from getting out! In general, many of us in IT always jump to the thought that all things we cannot touch are bad and that all that Web2.0 stuff is a threat. Granted, we need to be very cautious about what we do and how we do it (particularly if it is attached to the network) from both a security and a legal standpoint. I do not doubt that we all have employees who are goofing off on FB or twittering when they should be working, but there is also tremendous indisputable potential business value to many of these Web2.0 channels. Web2.0 is simply the Web evolving and I doubt anyone would argue the value that the Web itself has brought to us. Rather than fearing and cutting off what we don't know, how about we instead take the cautiously optimistic point of view and see how we could design an actual plan that balances technology with business needs? Controls are necessary and good. Guidelines, standards and protections from known threats are a good thing. But incendiary headlines like "Your Web 2.0 App is a Security Threat" are going to do very little to improve your organization's success or internal communication issues. Can't we all just get along?
That's just $.02 from an open-minded IT Director.
Bill Greeves
--------------------
Bill Greeves, IT Director, Roanoke County, VA
skype: bill.greeves
Twitter: http://twitter.com/bgreeves
LinkedIn: http://www.linkedin.com/in/bgreeves
Blog: http://digitalcommunitiesblogs.com/munigov/
Second Life: Greever Wemyss
O: 540.777.8551 / C: 540.589.9512
Nice title. Just what I need the CEO to see.
Okay, this whack-a-mole strategy will work for a bit, but eventually you will be overwhelmed by the flood of new technologies and evasive strategies. Network admins for high schools run into this every day. New technology or site, whack it. New proxy service, whack it. New redirection, whack it. They spend every day chasing their tails.
An hour spent in conversation with the users and in education is worth 10 hours spent on putting a prophylactic on the internet. Spend your time on information security & web safety training and strategic planning, for example.
We are struggling to add basic security layers in our shop, so we CAN open up social networking & blog sites.
You need to examine the business value of the web 2.0 apps before you invest time and money in shutting them down. To do this, you have to get out of your IT cube and examine them from the business perspective. What problems do they solve? What risks do they bring? Do they fill a void you have no budget to fill on your own?
Speaking as a CIO with 5,000 internal customers and 300,000 external ones, I am always looking for a better, cheaper, easier way to help my users. I try not to say "no" just because I can't control something.
Barry Condrey
CIO, Chesterfield County Virginia
CondreyBa@chesterfield.gov
Twitter: barrycondrey
blog: cio-musings.blogspot.com
O:804-748-1590
Many apps have backdoors
I wonder what this app is going to do to many office 2.0 startups.
I don't think those startups are using sneaky tactics necessarily to 'get by' IT. It's just that their business, product and economies make sense to be talking to the group-manager themselves.
Many Office 2.0 products are best understood by the team lead in an organization that needs such an app right away. What's more, they are often priced so that that lead or manager can use his discretionary funds to purchase the app for her team.
Even if these apps fit with the company policy, wouldn't the vetting process of getting approvals from IT pretty much kill that sale?
The manager won't get the app right away, and the startup won't be able to bear the cost of the 2-month approval cycle. The end-price point charged to make a profit would increase out of discretionary budget ranges, which means the only way it would make sense next would be to charge $4000+ for the app and aim for a site-wide deployment across the enterprise.
I'd be much happier to see companies launch products that can help IT vet web applications at light-speed... that would not only keep the economies intact but encourage software vendors to seek out those approvals from IT because it would give them a quick quality benchmark to aim for.
But a product that only helps IT shut down services means this can be a system that corrupt IT managers can abuse (unfortunately that is still a plague in many parts of the world) and discourages more small vendors from making the effort.
Very interesting read!
Web 2.0 apps are not necessarily bad, but the security threat is real.
Also, when IT can control this, they can help their employees with the applications that are accepted and supported, and also make sure that all employees use the same (or similar) applications to ensure increased communication WITHIN the organization.
The web 2.0 area is changing rapidly, and many people love to try new things all the time. However, the business value is often very limited, if not negative because of much time wasted learning a new web 2.0 app that is soon to be forgotten.
The introduction of such a tool just shows that the problem is real.