Web 2.0 Security: 3 Key QuestionsBy Scott Likens | Posted 12-03-2008
They seemed like good ideas at the time.
Anxious to monitor teens' attitudes on emerging fashion trends, the clothing retailer added an opinion widget to its popular Web site. But when an attacker posted a false blog post via the widget that popular blouses were selling for 50 percent less at another site, unsuspecting shoppers started purchasing there, not knowing that the site was hosted in Romania for the sole purpose of harvesting credit-card information.
Hoping to reduce its promotional costs and sell more slow-moving products, an online sports retailer added an inexpensive ad widget to its site, pushing the latest promotions to desktops based on the user's browsing habits. Because they neglected the proper due diligence, the retailer didn't discover that the provider of the ad widget also installed a key logger. Now when the unsuspecting user conducts transactions on any Web site, the key logger captures the user's sensitive information, which is then sold in the underground market and exploited by crooks.
The scenarios are fictional, but they are entirely plausible. And their occurrence will skyrocket. Why? First, in a tough economy, companies are looking at Web 2.0 initiatives like widgets, wikis and blogs to cut channel costs and boost sluggish sales. Second, Web 2.0 security isn't top of mind when the business is breathing down your neck, waiting for solutions.
The CIO and his security team can mitigate risks by getting answers to some tough questions:
1. Who plays in this sandbox? Internally, do you need to establish a wide-open social network for all your employees to collaborate? Or something more structured to open new lines of communication between departments--say for R&D and sales? Externally, does the business case for adding new Web 2.0 functionality support the need for added security measures?
2. Who is responsible for maintaining the integrity of consumer-generated information on our Web site? Some companies are satisfied with letting volunteers or random employees provide online help to customers visiting a forum widget. Redirecting people to the forum is perceived as a way of lowering customer-care or helpdesk costs. Other companies assign subject matter experts to constantly monitor and revise information on wikis.
3. What due diligence is required to assess the risks of Web 2.0 technologies? Can someone from the advertising department drop their favorite app into their online marketing environment from the Twitter fan wiki? Or is a more formal approach to governance required to ensure that security concerns are addressed?
In mid-November, Net Vibe's directory hosted 4,402 business and finance widgets, a number that will only increase. For the CIO, this proliferation of Web 2.0 tools presents another difficult balancing act between innovation and security.
Getting answers to those questions is the first step in taking advantage of these emerging technologies, before the organization is taken advantage of by rogue Web 2.0 incursions that undermine the business.
Scott Likens is a partner with Diamond Management & Technology Consultants.