If you haven’t heard the hype around Web 2.0, you’ve been living under a rock. Wikipedia is one of the most popular sites on the Web. There are more than 52 million blogs. And the research firm Gartner Inc. recently added Web 2.0 to its ubiquitous emerging technologies hype cycle, predicting widespread adoption within two years. In light of the success of startups like MySpace, YouTube and Digg, Dan Gillmor, director of the Center for Citizen Media, CIO Insight columnist and author of We the Media: Grassroots Journalism by the People, for the People (O’Reilly Media, 2004), says, “If I were a shareholder of a company that’s not wondering about how it can use Web 2.0 more effectively, I would sell my stock.”
In its most basic sense, Web 2.0 refers to any tool or application that’s delivered over the Internet and allows people to interact—by contributing, editing and sharing content. Instead of merely putting static content on a Web site (Web 1.0), the Internet is now delivering applications and tools that allow users to participate (Web 2.0). But Web 2.0 goes beyond even that. Does your company use any type of software as a service? That’s Web 2.0. And if you’re designing a service-oriented architecture, that’s Web 2.0, too. “Companies are looking at Web 2.0 as a new medium,” says Amrit Williams, an analyst at Gartner. “It’s an opportunity to innovate and create new revenue.”
That may be true, but Web 2.0 is also an opportunity for hackers and others who seek to do harm to the enterprise. “Any time there is a new advancement in technology, there is a new set of security problems,” says Williams. And those problems are different from the ones that have traditionally plagued the enterprise. Here’s why: Web services are often complex JavaScript applications that run in the browser and access data stored locally on an end user’s computer. Because the data and applications aren’t constantly being pulled from a central server, they run much more rapidly. The downside? Data cached on the user’s machine no longer enjoys the protection of the central server. What’s more, in the rush to put these new tools in place, security is often an afterthought, leaving the applications themselves vulnerable to attack.
“Imagine I have a Web 2.0 app that’s an e-mail client, downloaded in Java onto my system,” says Tom Longstaff, deputy director of technology at Carnegie Mellon University’s CERT Coordination Center, which studies Internet security vulnerabilities. “The messages are cached locally. And because that client is not on my company’s server, it’s not as well protected. So along comes another application that attacks the e-mail client and gains access to my cached messages—and my system.” Another scenario: A banking employee uses a Web service for complex calculations of sensitive data. “If you are interacting with other Web pages you have visited, an advanced phishing attack could be launched that captures that data without the user even knowing it,” Longstaff says.
And because most companies don’t have visibility down to each individual desktop computer, monitoring vulnerabilities is practically impossible. “When you are running programs on a server and have control over the environment, you can monitor network activity,” Longstaff says. But with Web 2.0, the attacks are against individual computers. “What’s really going on,” says Gartner’s Williams, “is that firms are now creating services outside their corporate perimeters that allow interaction from stakeholders on the Internet. As a result, they are losing visibility over their security.”
Already, viruses have threatened Web 2.0 services like MySpace, which was taken down for two full days in October 2005. The threat to the enterprise has remained small—so far. “But hackers are still learning,” says Longstaff. And with the growing ease of creating new Web sites, “the ability for people to post malicious tools is also easier,” Williams says.
Ironically, most companies that have spent the past decade hardening their perimeter security are now finding they need to punch holes in their firewall to allow for Web 2.0 applications. And in this new reality, they’re not just worrying about bad guys getting in. At Wilson & Company Inc., an Albuquerque, N.M.-based engineering firm, Director of IT Ray Benegas says the bigger issue is keeping sensitive data from leaking out. “As a company, we have to acknowledge the existence of these new technologies,” he says. “Internally, these tools are necessary for collaboration, and we try to control them without hampering creativity. But we need to control and secure the environment.” As a result, Benegas’ firm recently revamped its policies around exactly what information can be shared. “We have specific internal policies that explain acceptable use, and how we expect our staff to behave.” So far, he says, the policies have been effective.