Manage access to social networking sites with an acceptable use policy

Social networking sites can introduce security issues, but sites like Twitter and Facebook can also open up significant business opportunities. Learn how to manage employee access to social networking sites so that only those employees who need access have it.

Executives at my corporation have requested that employees no longer be allowed to access social networking sites like MySpace, Facebook and Twitter. However, there are some employees who use these sites (especially Twitter) for marketing purposes. What's the best way to cut off access to social networking sites for most employees, while still allowing some to use them?

Four options come to mind that do not completely ban social networking sites but instead put restrictions in place, either actively or tacitly. The first, depending on the corporate culture, is to put a social networking acceptable use policy in place that states: "Employees may not access social networking sites unless it is a requirement for them to perform their duties." This behavioral approach is normally the first line of defense in an organization. But to be effective, such a policy must be enforceable. That requires monitoring and auditing enterprise traffic (so violations are actually detected), educating users on what acceptable use means, and responding firmly to users who persist in violating the policy. It also assumes you can enforce the policy consistently across the entire organization, including remote offices and mobile users.

The next approach is to use a Web content filter appliance that can limit access to sites based upon user roles. In this case, the appliance maps each user to an enterprise role (for example, an Active Directory group membership) and decides in real time whether to allow or block the request, usually serving a warning page to users who are not authorized. Note that role-based filtering only works if the filter can identify the user: the device must authenticate users (or be fed identity from the domain logon), because a filter that sees only source IP addresses cannot distinguish the marketing employee from the person at the next desk.

The third approach is to use a network proxy service. Similar to a Web filtering appliance, the proxy authenticates users and applies per-user or per-group rules at the point where corporate traffic leaves for the Internet. For this to be effective, the proxy must be the only path out: the perimeter firewall should block direct outbound HTTP and HTTPS from workstations so that users cannot simply bypass the proxy.
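As an added example that is not part of the original article and not code from any vendor mentioned here, the following shows one way to implement the role-based control behind the second and third options with an open-source proxy. It is a Squid external ACL helper written in Python: Squid hands the helper the authenticated user name, the destination host and the request path, and the helper answers OK or ERR per request. The squid.conf lines in the docstring, the social domain list, the role table and the sample users are all constructed for illustration; in a real deployment the user-to-group lookup would come from Active Directory (for instance through Squid's LDAP group helper) rather than a hard-coded dictionary. The example also goes slightly beyond the text by showing a per-role path restriction, which is the same idea as the fine-grained "allow the site but not its messaging" control described further down.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: role-based access to social networking sites.

Assumed squid.conf wiring (illustrative; adjust paths and ACL names):

  external_acl_type social_check ttl=60 %LOGIN %DST %PATH /usr/local/bin/social_acl.py
  acl social_allowed external social_check
  http_access deny !social_allowed
  deny_info ERR_SOCIAL_BLOCKED social_allowed

Squid writes one request per line ("user host path") to the helper's stdin
and expects a line "OK" or "ERR" on stdout for each one. A denial that
matches the deny_info line is answered with the ERR_SOCIAL_BLOCKED warning
page instead of a bare access-denied response.
"""
import sys

# Domains treated as social networking sites (constructed list for the
# example). Matching is by suffix, so "m.facebook.com" is covered by
# "facebook.com" but "notfacebook.com" is not.
SOCIAL_DOMAINS = ("facebook.com", "twitter.com", "myspace.com")

# Per role: which social domains may be used, and which path prefixes on
# each domain are denied. An empty tuple means the whole site is allowed;
# a domain absent from the role's map is not allowed for that role.
ROLE_ALLOW = {
    "marketing": {"facebook.com": (), "twitter.com": ()},
    "recruiting": {"facebook.com": ("/messages",)},   # no Facebook messaging
}

# Constructed sample directory data. In production this mapping comes from
# Active Directory group membership, not from a table in the helper.
USER_ROLES = {
    "alice": {"marketing"},
    "bob": {"recruiting"},
    "carol": {"engineering"},
}


def social_domain(host):
    """Return the SOCIAL_DOMAINS entry that matches host, or None."""
    host = host.lower().rstrip(".")
    for dom in SOCIAL_DOMAINS:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def decide(user, host, path="/", roles=USER_ROLES):
    """Return "OK" to allow the request or "ERR" to block it.

    Non-social destinations are always OK here (other ACLs handle them).
    Social destinations are default-deny: an unknown or unauthenticated
    user ("-" is what Squid sends for %LOGIN when there is no login) is
    blocked, which is what "no access unless required" means in practice.
    """
    dom = social_domain(host)
    if dom is None:
        return "OK"
    for role in roles.get(user, ()):
        allowed = ROLE_ALLOW.get(role, {})
        if dom not in allowed:
            continue
        if any(path.startswith(prefix) for prefix in allowed[dom]):
            continue            # site allowed for this role, this path is not
        return "OK"
    return "ERR"


def serve(stream_in=sys.stdin, stream_out=sys.stdout):
    """Helper main loop: one line in, one OK/ERR line out, flushed each time."""
    for line in stream_in:
        fields = line.split()
        if len(fields) < 2:
            answer = "ERR"      # malformed line: fail closed
        else:
            user, host = fields[0], fields[1]
            path = fields[2] if len(fields) > 2 else "/"
            answer = decide(user, host, path)
        stream_out.write(answer + "\n")
        stream_out.flush()      # Squid blocks until it reads the answer


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner will hit with this design. First, for HTTPS the proxy only sees the hostname in the CONNECT request, so the path-level rule can only be enforced on plain HTTP unless the proxy performs TLS interception. Second, the helper's answer is cached by Squid for the `ttl` given in `external_acl_type`, so a group change in the directory takes up to that long to take effect.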

Finally, there's a new market for social network management and audit software. The first company I'm aware of that offers this type of software is SocialWare Inc. The SocialWare software provides an application gateway that does more than allow or disallow access: it provides fine-grained access to a social site's individual applications (for example, allowing access to Facebook but disallowing Facebook messaging) and gives administrators the ability to moderate user postings before they actually go up on a site. As an alternative approach, Palo Alto Networks Inc. has put application-level controls into its firewall product. This combines identification and control of applications, such as social networking, with conventional port- and protocol-based firewall rules in a single policy. While these are powerful features, both vendors have only recently brought them to market, and customers are only just starting to evaluate how effective this type of functionality really is.

So, of the four ways described above, what's the best way? I believe enforced policies are still the best. In other areas of Internet access, such as preventing users from accessing porn sites, enforcing policy has proven to virtually eliminate the practice within corporate workforce populations (so long as HR policies addressing these infractions are in place as well). Technology isn't always the best preventive method.


This was last published in December 2009
