IT managers under pressure to weaken Web security policy |
 |
By Robert Westervelt, News Editor
20 May 2009 | SearchSecurity.com |
|
|
|
| SearchSecurity.com: |
| To get security news and tips delivered to your inbox, click here to sign up for our free newsletter. |
|
|
|
|
IT professionals are under pressure from upper level executives to open the floodgates to the latest Web-based platforms, relaxing Web security policy, according to a new survey of 1,300 IT managers.
The survey, conducted by independent research firm Dynamic Markets Ltd., was commissioned by Web, DLP and email security vendor Websense Inc. Dynamic Markets conducted interviews with IT managers in Australia, Canada, China, France, Germany, Hong Kong, India, Italy, the U.K. and the U.S.
Nearly all those surveyed said they allow access to some Web-based services, such as webmail, mashups and wikis. But more employees are turning to online collaboration platforms; some are turning to Google Apps, which are integrated with Google's Gmail platform, and others are turning to popular social networking sites, such as Twitter and Facebook. Some users are bypassing Web security policy to access the services, according to 47% of those surveyed.
Pressure to relax Web security policy is increasing as well. The survey found that 86% of IT managers reported feeling pressure to allow more access to social networking websites, online collaboration tools and other cloud-based technologies. The pressure is coming from multiple sources, including C-level executives, marketing departments and sales.
Despite the pressures, 80% are confident in their organizations Web security practices. However, the survey found many organizations lack Web application firewalls and other tools for defending against Web-based attacks.
Sixty-eight percent said they lacked the ability to conduct real-time analysis of Web content to prevent data leakage, nearly 60% lacked the ability to prevent URL redirects and more than half had no tools to detect embedded malicious code on trusted websites.
Web-based attacks have been on the rise, fueled by easy to use automated hacking tools that can be purchased by unsophisticated hackers on the black market. The latest malware exploits seize on website flaws, injecting malicious code into them to prey on visitors with vulnerable Web browsers and applications. The drive-by downloads were highlighted this week by the U.S. Computer Emergency Response Team (US-CERT). The organization said the drive-by attacks have been seen on legitimate websites and sometimes silently attack a victim's machine with malware that monitors network traffic and steals sensitive information.
Chenxi Wang, a principal analyst at Forrester Research Inc., said the use of cloud-based services often complicates data security and privacy. Wang considers any Web-based service that hosts data outside the company walls cloud-based.
The organization can lose visibility and control when the data resides on another network, she said. A recent Forrester survey found that 40% of the workforce is using some kind of external cloud services either with or without IT security consent.
"Companies often don't know when they move a particular functionality into the cloud, the impact on the internal security practices and privacy concerns," Wang said. "A lot of those Web 2.0 applications are cloud applications and it's just not really understood completely."
|
|
|
|
