IT professionals are under pressure from upper level executives to open the floodgates to the latest Web-based platforms, relaxing Web security policy, according to a new survey of 1,300 IT managers.
The survey, conducted by independent research firm Dynamic Markets Ltd., was commissioned by Web, DLP and email security vendor Websense Inc. Dynamic Markets conducted interviews with IT managers in Australia, Canada, China, France, Germany, Hong Kong, India, Italy, the U.K. and the U.S.
Nearly all those surveyed said they allow access to some Web-based services, such as webmail, mashups and wikis. But more employees are turning to online collaboration platforms; some are turning to Google Apps, which are integrated with Google's Gmail platform, and others are turning to popular social networking sites, such as Twitter and Facebook. Some users are bypassing Web security policy to access the services, according to 47% of those surveyed.
Web security, cloud security:
US-CERT warns of Gumblar, Martuz drive-by exploits: Websites poisoned with the Gumblar and Martuz drive-by download exploits could pass on malware to users who don't have their patches up to date.
XSS bugs, information leakage top list of website vulnerabilities: Companies are moving more rapidly to correct errors by feeding virtual patches into Web application firewalls, according to WhiteHat founder and CTO Jeremiah Grossman.
Podcast - Botnet threats and countermeasures: AT&T Labs' Brian Rexroad shares how the telecommunications giant detects and defends its network against botnets.
Pressure to relax Web security policy is increasing as well. The survey found that 86% of IT managers reported feeling pressure to allow more access to social networking websites, online collaboration tools and other cloud-based technologies. The pressure is coming from multiple sources, including C-level executives, marketing departments and sales.
Despite the pressures, 80% are confident in their organizations Web security practices. However, the survey found many organizations lack Web application firewalls and other tools for defending against Web-based attacks.
Sixty-eight percent said they lacked the ability to conduct real-time analysis of Web content to prevent data leakage, nearly 60% lacked the ability to prevent URL redirects and more than half had no tools to detect embedded malicious code on trusted websites.
Web-based attacks have been on the rise, fueled by easy to use automated hacking tools that can be purchased by unsophisticated hackers on the black market. The latest malware exploits seize on website flaws, injecting malicious code into them to prey on visitors with vulnerable Web browsers and applications. The drive-by downloads were highlighted this week by the U.S. Computer Emergency Response Team (US-CERT). The organization said the drive-by attacks have been seen on legitimate websites and sometimes silently attack a victim's machine with malware that monitors network traffic and steals sensitive information.
Chenxi Wang, a principal analyst at Forrester Research Inc., said the use of cloud-based services often complicates data security and privacy. Wang considers any Web-based service that hosts data outside the company walls cloud-based.
The organization can lose visibility and control when the data resides on another network, she said. A recent Forrester survey found that 40% of the workforce is using some kind of external cloud services either with or without IT security consent.
"Companies often don't know when they move a particular functionality into the cloud, the impact on the internal security practices and privacy concerns," Wang said. "A lot of those Web 2.0 applications are cloud applications and it's just not really understood completely."