In a surprisingly draconian move, the United States Marine Corps has decided to ban the use of social networking sites Facebook, Myspace and Twitter from all USMC-owned computers due to fears of malware and loss of secret data.
This is a setback for this generation of citizen soldiers who were raised on this technology to communicate with friends and family back home. The action is an example of paranoia overtaking security decisions when there are other preventive steps that could be taken.
A better approach for IT is to treat new technologies with healthy suspicion, learn as much as possible about their capabilities, and vigorously attack the security risks so the user community can use the tools productively and safely. In regulated industries there may be valid reasons to delay support until audit features are available, but delaying support on malware or data-loss grounds will prove about as effective as trying to ban IM, Skype, texting and cell phones. In fact, the armed services should be encouraging our troops to use social networking to strengthen bonds with civilians.
Here are a few things the USMC may try:
- Focus on securing browser sessions. One thing the social networking services have in common is that they are all accessed through a browser. IT can proactively deliver clean browsers to users, ensure that any malware picked up during a session does not persist on the device, and run all traffic through a web security service. There are multiple approaches to evaluate, including encapsulating the browser to isolate malware (Check Point, RingCube), virtualizing the browser so it is provisioned in a secure data center (Citrix, Microsoft, VMware), inspecting traffic for security problems (Cisco, Trend Micro), and restoring a PC to its compliant state after a session (Faronics, Virtual Computer). There are many other vendors; the point is that innovative solutions are starting to appear on the market.
- Build an in-house social networking service. The USMC can work with Myspace, Facebook and Twitter to offer privately hosted social networking sites that look like a cloud service but are actually hosted in secure Marine Corps data centers. This would allow the Marines to register users, scan hosted pages for malicious code, build in activity auditing and apply DLP filters to protect against the loss of secret information. Rather than banning use of the cloud, the USMC can bring it in-house, help soldiers set up accounts, and even encourage links with lifelong friends who have retired from the service.
- Expand the security awareness beachhead. Continually train users to make their own security decisions. The USMC cannot secure all activity of its personnel when they can so easily access personal computers, mobile devices and off-premise websites. Teach the troops how to be responsible with data and how to keep a PC clean. Continuous awareness training will help protect the Marines when automated security technology is not available.
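To make the second suggestion concrete, here is an added illustration (not Marine Corps code, and not from any vendor named above) of the DLP filtering and activity auditing an in-house service could apply to outbound posts. It assumes a hypothetical front end that calls `inspect_post()` before publishing anything; the classification markings it checks for, the sample "sensitive document" it fingerprints, and the sample posts are all constructed for the example. Two techniques are shown: matching explicit markings and portion marks, and word-shingle fingerprinting so that text lifted verbatim from a registered document is caught even when no marking is present.

```python
"""Outbound-post DLP filter with activity auditing (illustrative example).

Assumes a hypothetical in-house social networking front end that hands every
outbound post to inspect_post() before publishing. Markings, the registered
document and the sample posts below are constructed for this example.
"""
import hashlib
import re
from datetime import datetime, timezone

# Markings are matched case-sensitively on purpose: classification markings
# are written in capitals, and a case-insensitive match would flag innocent
# phrases such as "our secret plan for the weekend".
MARKING_PATTERNS = [
    ("classification marking", re.compile(r"\b(TOP SECRET|SECRET|CONFIDENTIAL)\b")),
    ("portion mark", re.compile(r"\((TS|S|C)(//[A-Z]+)*\)")),   # e.g. (S//NF)
    ("handling caveat", re.compile(r"\b(NOFORN|FOUO)\b")),
]

SHINGLE = 6  # words per fingerprinted window


def _normalize(text):
    """Lower-case word tokens, so punctuation and case changes do not evade matching."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprint(text):
    """Set of SHA-256 hashes over every SHINGLE-word window of the text.

    Registering a document means storing this set; the document body itself
    never has to leave the protected enclave to be checked against.
    """
    words = _normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + SHINGLE]).encode()).hexdigest()
        for i in range(len(words) - SHINGLE + 1)
    }


def inspect_post(user, text, registry):
    """Return (verdict, audit_record) for one outbound post.

    registry is the union of fingerprints of registered sensitive documents.
    """
    reasons = [label for label, pattern in MARKING_PATTERNS if pattern.search(text)]
    overlap = fingerprint(text) & registry
    if overlap:
        reasons.append("registered document text")
    verdict = "block" if reasons else "allow"
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "verdict": verdict,
        "reasons": reasons,
        # Log a hash and a length, never the post body: the audit log must not
        # become a second copy of whatever the filter just blocked.
        "post_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "length": len(text),
    }
    return verdict, audit


# Constructed stand-in for a document the registration step would fingerprint.
SENSITIVE_DOC = (
    "Convoy departs the forward operating base at 0430 on the northern route "
    "and links up with the relief platoon at checkpoint four before dawn."
)

# Constructed sample posts: benign, marked, verbatim leak, and a false-positive trap.
SAMPLE_POSTS = [
    ("lcpl_smith", "Miss you all. Chow here is still terrible, send hot sauce."),
    ("cpl_jones", "(S//NF) The new op order came down, more later."),
    ("sgt_lee", "Heads up: convoy departs the forward operating base at 0430 "
                "on the northern route, pray for us."),
    ("pfc_diaz", "Our secret plan for the weekend is video games."),
]


def run_samples():
    """Verdict per sample user, as the front end would see them."""
    registry = fingerprint(SENSITIVE_DOC)
    return {user: inspect_post(user, text, registry)[0] for user, text in SAMPLE_POSTS}


if __name__ == "__main__":
    registry = fingerprint(SENSITIVE_DOC)
    for user, text in SAMPLE_POSTS:
        verdict, audit = inspect_post(user, text, registry)
        print(verdict, audit)
```

The shingle size is the tuning knob: a smaller window catches shorter excerpts at the cost of more accidental matches on common phrases, and the filter only sees what passes through the in-house front end, which is exactly why the awareness training in the third suggestion still matters.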
The Marines are not alone in their head-in-the-sand approach – the ultra-secretive National Football League also bans Twitter among other things. But this will not work for most enterprises, especially those with marketing departments actively participating in social networks. Facebook and Myspace are not new – the business is far better off when security teams find ways for the organization to embrace exciting new capabilities.
Eric Ogren is founder and principal analyst of the Ogren Group, which provides industry analyst services for vendors focusing on virtualization and security. Prior to founding the Ogren Group, Eric served as a security industry analyst for the Yankee Group and ESG. Ogren has also served as vice president of marketing at security startups Okena, Sequation and Tizor. He can be reached by sending an email to firstname.lastname@example.org.