Research shows that more and more enterprises are embracing Web 2.0 in the workplace. Yet, with all the excitement around Web 2.0 technologies and the new ways for businesses to use them, organizations must also be prepared for the increased security risks that they bring.
One recent example of all the excitement around Web 2.0 was the public launch of Google Wave, which aspires to be a step forward in the way people communicate and collaborate online. Google Wave consolidates elements of e-mail, chat, wikis, document collaboration, blogs, photo-sharing and other Web 2.0 applications into one hosted Web conversation, or a “wave.”
Given the public excitement and the strong brand recognition of Google, enterprises will likely see employees “pulling” Google Wave into the workplace -- with or without IT permission. To examine the risks that this presents, we asked Web and data security experts from Websense to weigh in with their opinions. 
Q: Google Wave incorporates many different Web 2.0 elements and allows third-party developers to create new gadgets for additional functionality. What Web security concerns does this create for businesses?
A: Dean Coza, Director, Product Management: As interactive Web 2.0 functionality becomes more pervasive on Web sites and more enterprises allow employee use of Web 2.0 technologies, Google Wave is one more step in the process of Web 2.0 consolidation. It goes beyond email, Web browsing, blogging and file transfer to create a communication exchange that’s built on a Web 2.0 platform. Its open API allows any developer to create new applications and gadgets to add to waves. However, with this level of openness and connectivity, there comes increased risk.
Google Wave presents another delivery mechanism for the same types of attacks that we’ve already seen propagated on Web 2.0 sites like Facebook, Twitter and others. Attackers rely on the popularity of these sites, their open platforms and the inherent trust users place in their online “friends” to quickly spread their malware to a large number of victims.
The hyper-connected nature of Web 2.0 requires organizations to have real-time Web security that can analyze dynamic Web content on the fly to immediately identify and prevent inappropriate or malicious content on an otherwise safe site or application. And, if you still think organizations should simply block employee access to Web 2.0 sites and applications altogether, consider this:
-- A Penn State study showed that 20 percent of all tweets on Twitter are requests for product information or responses to those requests. With millions of tweets a day, that’s a lot of customer interactions that businesses can’t afford to miss.
-- 95 percent of IT managers say they already allow access to some Web 2.0 sites, and 62 percent feel that Web 2.0 is necessary to their business.
-- In a survey of 500 American consumers about the impact of social media on consumer decision making, 70 percent of respondents said they visit social media Web sites such as message boards, social networks, blogs and chat rooms to get information about a company, brand or product.
-- Research from Forrester shows that social media plays a significant role in the decision making process of buyers in business-to-business sectors.
Q: Is there a way for enterprises to allow employee use of these types of Web 2.0 technologies, while still protecting from dynamic threats?
A: Patrick Murray, Director, Product Management: Google Wave and other Web 2.0 technologies are working their way into the enterprise, whether or not they are sanctioned by IT. As employees collaborate and communicate using these new technologies, organizations need to ensure that they are not being exposed to malicious code or other unwanted content. They’ll also need to ensure that their valuable corporate data and communications are not being mistakenly transmitted to unauthorized recipients or instantly onto blogs and other Web sites.
That’s a lot for an organization to consider. The bottom line is that these Web 2.0 technologies can benefit their business. It just needs to be approached in the right, secure manner. The best strategy for organizations is to be prepared in advance by establishing appropriate Internet usage policies that specifically address popular Web 2.0 and social media sites, and deploy real-time Web and data security technologies to enforce those policies.
Q: One of the highly-touted features of Google Wave is the ability to drag and drop documents and files into the wavelet and make them instantly accessible to other participants (no need to upload and download attachments). What are your thoughts on Google Wave from a data security perspective, and how can businesses be sure that users aren’t sharing confidential data and documents on waves?
A: David Meizlik, Director, Product Marketing: Web 2.0 applications can bring significant security risks to a company’s valuable corporate data if they’re used without the proper security policies and protections in place. Many employees have legitimate business needs for using Web 2.0 sites and tools, but businesses must ensure that, for example, their finance employees are not collaborating on confidential financial data “in the cloud” or on Google Waves that are stored on Google servers. The ease with which Google Wave and other Web 2.0 applications allow people to share information over the Web greatly increases the risk of unintentional data leaks.
Securing an organization’s essential information begins with understanding who is using what data, how they’re using it and where they’re sending it. The first steps include identifying what data should be deemed sensitive, understanding where it exists in the organization and setting specific policies for how that data cannot be used. For example, an organization may want to allow employees to collaborate on confidential corporate data on authorized Web-based applications like SalesForce.com or ADP.com, but may not want employees sharing sensitive data on a Google Wave, a blog or a wiki.
Once an organization has an understanding of what information is sensitive and how it should and shouldn’t be used, it must monitor Web communications, including Google Wave and SSL traffic, to ensure that sensitive data is only being used on authorized Web-based applications. Monitoring should include deep content inspection for customer data, intellectual property and regulatory compliance, so that the organization can show auditors and management what steps are being taken to secure its information assets.
Employee education is also a critical requirement for protecting corporate information. Most employees do not intentionally leak information, but if they don’t understand the reasons why they should not email confidential data to their personal webmail address, or why they should not upload corporate data to hosted applications that are not approved by IT, then they will look for ways to circumvent any security policies in place. However, given the right training and reinforced with flexible data security technologies that support the business policies and processes, the risk of data loss or misuse diminishes dramatically.
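The identify, set-policy, monitor steps described in this answer, as an added example that is not code from the original article or from Websense: a minimal policy check that a TLS-terminating Web proxy could run on each outbound request body, allowing sensitive content only toward sanctioned applications. The hostnames, the "confidential" markers and the card-number detector are constructed assumptions for illustration.

```python
import re

# Constructed policy table (assumption, not Websense's or Google's): sensitive data
# may be shared only with these sanctioned apps; any other host (a Google Wave,
# a blog, a wiki, personal webmail) is unsanctioned for sensitive data.
AUTHORIZED_APPS = {"salesforce.com", "adp.com"}

# Constructed classifiers: a document marker and a payment-card number pattern.
CONFIDENTIAL_RE = re.compile(r"\b(?:confidential|internal only)\b", re.IGNORECASE)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body: str) -> list[str]:
    """Deep content inspection: return a list of findings for one request body."""
    findings = [f"marker:{m.group(0)}" for m in CONFIDENTIAL_RE.finditer(body)]
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(f"card:****{digits[-4:]}")  # log only the last four
    return findings


def is_authorized(host: str) -> bool:
    """Suffix match so na1.salesforce.com is covered by the salesforce.com entry."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in AUTHORIZED_APPS)


def evaluate(host: str, body: str) -> tuple[str, list[str]]:
    """Policy decision for one outbound request. Assumes the proxy has already
    terminated SSL/TLS so the body is visible; without that, Wave traffic on
    port 443 would pass this check unseen."""
    findings = find_sensitive(body)
    if not findings or is_authorized(host):
        return "allow", findings
    return "block", findings
```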
Q: What type of threats have you already seen, or what potential security challenges do you expect to see with regards to Google Wave and other emerging Web 2.0 technologies?
A: Patrik Runald, Senior Manager, Security Research for Websense Security Labs: As with any event that has a lot of publicity around it, cyber criminals will look for a way to use it for malicious purposes. In fact, on the day of the public launch, the Websense Security Labs quickly identified examples of search engine optimization (SEO) poisoning around the topic of Google Wave invitations.
The Web has proven itself a useful tool for speed, connectivity and collaboration. Consumers are actively using Web tools to interact daily and corporations are making social networking and online collaboration a foundation of the way they engage customers and do their business. Google Wave takes this concept to the next level, where the browser is the platform - communication, gadgets and widgets all flow through port 80 - that allows this real-time collaboration. The challenge here is that with this real-time sharing, there is the potential for malicious exploits to hitch a ride on this wave. It is only a matter of time until the bad guys find a way to use this beneficial technology for malicious purposes.
Much like we have seen on other platforms, such as Facebook, Google Wave will allow third-party developers to integrate their technology into Waves through an API. The question remains: Who will ensure that all third-party gadgets and applications are legitimate and free of malicious intent? Or are we going to see a repeat of what’s happening on Facebook, where malicious applications spread to online friends?
The Websense Security Labs will continue to evaluate the Wave platform for its security threat potential, but much like any collaborative Web 2.0 tool, gadget or wiki where content can change in an instant, the only way to safely take advantage of the benefits of this real-time collaboration is to also have real-time threat protection.