While this interactivity is both exciting and motivating, losses in productivity, vulnerabilities to data leaks, and inherent increased security risks in Web 2.0 are a triple threat to enterprises. CISOs must find the delicate balance between security and the business need for these tools and enable their use in such a way that reduces the risk of data loss and reputational harm.
However, because Web 2.0 technologies evolve so rapidly, time-tested security methods may not be the best defense against attacks and data loss. Traditional Web filtering, a primary defensive measure against Web threats for many enterprises, is not an adequate defense against Web 2.0 security issues: technologies such as AJAX, SAML and XML carry application data and credentials inside ordinary HTTP sessions, in forms that URL- and category-based filters were never built to inspect. RSS feeds and rich Internet applications pull content directly into the network, dynamically generated content defeats classification by static URL lists, and user-generated content is hard to contain.
In addition to traditional defenses -- such as a standard system image, IDS/IPS, bandwidth shaping, antivirus/antimalware and firewall rulesets -- many CISOs are turning to data loss prevention (DLP) technologies to mitigate the threat of data loss. But they are also finding that these emerging technologies are not plug-and-play. Whether you deploy a network-based DLP product (inspecting traffic at the egress point), a host-based one (on the endpoint) or a data discovery product (scanning data at rest), remember the importance of striking a balance between speed, accuracy and adequate coverage: inspecting more content with more techniques catches more, but it also costs latency and false positives.
DLP content analysis products offer various Web 2.0 security options, and their differences and similarities must be understood in order to implement a product that matches the business needs. DLP analysis techniques include: pattern matching with regular expressions (for example, Social Security or payment card number formats, ideally backed by a checksum validation to cut false positives); exact data matching, which fingerprints elements of actual database records (typically as hashes, so the DLP server never holds the cleartext); exact file matching by cryptographic hash; partial document matching, which fingerprints a complete document so that excerpts and lightly edited copies are still recognized; statistical analysis for content that resembles sensitive data or contains pieces of it; lexicon analysis (for example, job hunting, insider trading, harassment); and vendor-supplied categories that address regulatory mandates such as HIPAA and GLBA. It's not one size fits all, and the technique you choose depends on the data you are charged with protecting.
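As an added, self-contained example (not from the original article and not any vendor's product), the following Python builds a small content-analysis engine that applies five of those techniques to a message: regular-expression patterns with a Luhn check for card numbers, exact data matching against hashed database cells, exact file matching by SHA-256, partial document matching by hashed word shingles, and lexicon matching. The customer records, protected memo, lexicon and sample e-mail are all constructed for the demonstration; the 30% partial-match threshold and the 5-word shingle size are assumptions a real deployment would tune.

```python
"""Toy DLP content analyzer: constructed example, not a vendor implementation."""
import hashlib
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
# 13-16 digits, optionally separated by single spaces or dashes; each hit is Luhn-checked
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")

# Constructed sample data (assumptions for the demo, not real records or documents)
CUSTOMER_RECORDS = [
    ("Jane Doe", "123-45-6789", "4111111111111111"),
    ("John Roe", "987-65-4321", "5500000000000004"),
]
PROTECTED_MEMO = ("Project Falcon acquisition memo. The board approved an all cash offer "
                  "of forty dollars per share for Acme Widgets. Announcement is scheduled "
                  "for the fourteenth. Do not distribute outside the deal team.")
LEXICON = {"insider_trading": ["all cash offer", "before the announcement", "material non-public"]}
SAMPLE_EMAIL = ("FYI: The board approved an all cash offer of forty dollars per share for "
                "Acme Widgets. Announcement is scheduled for the fourteenth.\n"
                "Jane's SSN 123-45-6789, card 4111 1111 1111 1111; ref order 1234 5678 9012 3456.")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random 16-digit numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _h(value: str) -> str:
    """Normalize (lowercase, drop spaces/dashes) and hash, so stores hold no cleartext."""
    return hashlib.sha256(re.sub(r"[\s-]", "", value.lower()).encode()).hexdigest()


def shingles(text: str, k: int = 5) -> set:
    """Hashed k-word shingles; excerpts and light edits still share shingles with the original."""
    w = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(w[i:i + k]).encode()).hexdigest()
            for i in range(len(w) - k + 1)}


class DlpScanner:
    def __init__(self, records, sensitive_cols, protected_docs, lexicon, partial_threshold=0.3):
        # Exact data matching: only the sensitive columns are fingerprinted (as hashes)
        self.db_fps = {_h(row[c]) for row in records for c in sensitive_cols}
        self.file_hashes = {hashlib.sha256(d.encode()).hexdigest() for d in protected_docs}
        self.doc_fps = [shingles(d) for d in protected_docs]
        self.lexicon = {cat: [p.lower() for p in ps] for cat, ps in lexicon.items()}
        self.partial_threshold = partial_threshold

    def partial_match_ratio(self, text: str) -> float:
        """Fraction of a protected document's shingles present in text (best over all docs)."""
        s = shingles(text)
        return max((len(s & fp) / len(fp) for fp in self.doc_fps if fp), default=0.0)

    def scan(self, text: str) -> list:
        findings = []
        for m in SSN_RE.finditer(text):
            findings.append(("pattern:ssn", m.group()))
        card_digits = []
        for m in CARD_RE.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):  # the checksum is what separates cards from order numbers
                findings.append(("pattern:card", digits))
                card_digits.append(digits)
        # Exact data matching: hashed tokens (and card candidates) compared to hashed DB cells
        tokens = [t.strip(".,;:!?()[]\"'") for t in text.split()]
        for cand in tokens + card_digits:
            if cand and _h(cand) in self.db_fps:
                findings.append(("exact_data_match", cand))
        if hashlib.sha256(text.encode()).hexdigest() in self.file_hashes:
            findings.append(("exact_file_match", "sha256"))
        ratio = self.partial_match_ratio(text)
        if ratio >= self.partial_threshold:
            findings.append(("partial_document_match", f"{ratio:.0%}"))
        low = text.lower()
        for cat, phrases in self.lexicon.items():
            findings.extend((f"lexicon:{cat}", p) for p in phrases if p in low)
        return findings


if __name__ == "__main__":
    scanner = DlpScanner(CUSTOMER_RECORDS, (1, 2), [PROTECTED_MEMO], LEXICON)
    for tag, detail in scanner.scan(SAMPLE_EMAIL):
        print(f"{tag:24} {detail}")
```

Running it against the constructed e-mail shows each technique's trade-off: the regex alone would flag the 16-digit order number, and only the Luhn check rejects it; exact data matching catches the SSN even though it appears nowhere near a keyword, because normalization makes "123-45-6789" hash to the same value as the database cell; partial matching fires on a quoted excerpt of the memo that exact file matching misses entirely; and the lexicon hit ("all cash offer") is the noisiest signal, which is why lexicons are usually combined with another technique before a block action.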
How can security pros get their arms around Web 2.0 security? Think holistically, and broadly. It is OK to embrace Web 2.0, but proactively identify the risks and create a Web 2.0 security toolset to maximize its benefits. That toolset should feature a documented strategy based upon business objectives, clearly indicating what content to allow, what to block, and who should have access and when. New policy should be developed, or a current policy set should be updated, and they should be clear and enforceable.
After your policies are in place, focus on preventing sensitive information from leaving your network. Your toolset must include technology that can monitor, prevent, alert, encrypt and quarantine as needed per your strategy. Deploy a product that can stop sensitive data from leaving via your outbound mail system, and have it act in real time rather than after the fact, so that enforcement does not degrade employee or business productivity.
Finally, even with all of these controls in place, data and information will inevitably find its way to the Internet. Enterprises should remain vigilant in scouring the Internet regularly for any information that may be sensitive in nature. Using reputation protection services, internal monitoring programs, or simply performing Web searches for keywords and key phrases can be essential in identifying and addressing instances when company information is made available via social communities, either inadvertently or intentionally.
As with all emerging technologies, Web 2.0 and its related components are advancing rapidly, and security professionals need to remain aware of the risks and defenses associated with them. Policy, technology and architecture to defend against the risks must be addressed proactively, and can be used by a CISO to further solidify their value to the business.
About the author:
As chief information security officer of Brown University, David Sherry is charged with the development and maintenance of Brown's information technology security strategy, IT policies and best practices, security training and awareness programs, as well as ongoing risk assessment and compliance tasks. A CISSP and CISM, Sherry has 20 years of experience in information technology. He most recently worked at Citizens Bank where he was vice president for enterprise identity and access management, providing leadership for compliance and security governance.