Enterprise Information Security versus Social Networking

Tuesday, October 05, 2010

Robb Reck


The Trend

Since the internet was created, users have used it to connect with other people. From the very beginning, with dialup bulletin boards, people have sought ways to connect with friends or strangers across the country and around the world.

The motivations behind today's social media are nothing new. It has simply been a process of making connecting easier, thereby getting more and more of the population connected. Twenty-five years ago the only folks connecting online were highly technical.

Today grandparents and young children have Facebook accounts.

Considering the momentum in our culture to be more connected to more people, it's no surprise that corporations have to deal with social media in the workplace. Employees spend much of their lives connected to their social networks.

Combine that with the reality that our employees are increasingly knowledge workers, increasingly reliant on technology, and our workforce does not expect their social networking to end when they punch in for the day.

Employees see ways to integrate social media into their jobs, and they want to take advantage of that.

The Conflict

Enter the Enterprise Information Security team. It's our job to protect the data and infrastructure of our company. It's our responsibility to assess risk to our systems, and implement countermeasures to keep the risk down to an acceptable level.

Connectivity is the enemy of security. The most secure system in the world is the one to which nobody and nothing can connect. As we start adding more connections we start adding vulnerabilities.

So the holy grail of social networking is the ultimate nightmare of security: complete connectivity between everyone brings unlimited communication, and with it unlimited opportunity for exploitation.

Often this conflict turns information security into a roadblock. The potential for InfoSec to become an opponent of progress is real and harmful. Organizations do not flourish when they merely maintain the status quo.

When a new technology hits the market, the innovators at an organization are usually among the first adopters. They want that cool smartphone, software, or other doohickey, and they want it now.

Information Security is tasked with performing immediate assessments on unproven technologies. Is the data on that phone sufficiently protected? Is that new laptop OS going to cause issues in our environment?

Social media is going through this wringer right now. The business wants to be plugged in.

There are some legitimate reasons for this (HR performing recruiting and background checks, Marketing connecting with potential clients, all professionals keeping tabs on what's going on in their field), and there are some serious risks as well (potential data loss through inappropriate posting, hacker attacks via social engineering, or malware).

The Solution

The solution is not to simply rubber-stamp whatever new technology trend comes along. We have a responsibility to ensure our infrastructure is kept safe, and rubber-stamping new technologies is a poor execution of our duties.

The most important step is to consider new technology requests with an open mind. Work collaboratively with the business to accomplish goals. Rather than asking, "Is this thing secure?" ask the question, "How can we meet this business need?"

By asking the "how" question we start a collaborative process, putting our wits to work to solve the issue, rather than using our authority to quash innovation.

Social media is a polarizing force. InfoSec teams see it as an unnecessary risk to corporate systems. Organizational innovators see it as a new opportunity to connect with customers and learn about forces shaping their market.

Business leaders need to decide what is right for their organization. Are the benefits outweighed by the risks? These are the questions the business leaders must address.

We in information security exist as a tool to educate the business leaders on what the risks are. A disconnect occurs when we start creating policies on how business will be done.

The conflict between InfoSec and social media is not going to go away. As our society grows more connected the issue will be highlighted all the more. But just as social media will not go away, neither will the need to secure our data and systems.

The winning organization is the one that can find the balance between encouraging its employees to connect in meaningful ways and preventing data loss through those same channels.

Each time a new technology is introduced to our environments it brings with it unknown risks and vulnerabilities. The way we handle that uncertainty is what defines us.

Cross-posted from Enterprise InfoSec Blog from Robb Reck.

Anthony M. Freed I just interviewed Ben Rothke of BT Global on this very subject (to be published soon). Ben will present at the upcoming RSA 2011 conference, and I highly recommend the following webinar - easily the most comprehensive examination of the subject that I have had the pleasure of reviewing:

http://www.youtube.com/watch?v=hfbET814MOs

Robb Reck Thanks Anthony, I'll be interested in checking out the interview when it's published.
Robert Gezelter Robb,

Social networking sites and corporate information security, in my opinion, pose a spectrum of problems. These problems compose a constellation of problems from other spheres.

On the "too much information" front, the only solution is education. The danger of giving out information that should not be public is the same as it always has been, social networking sites only increase the hazard. I noted this hazard in "Micro-Blogging and Personal Self Surveillance" last June (article at http://www.rlgsc.com/blog/ruminations/micro-blogging-and-personal-information.html).

Similarly, the technology used for many social networking sites leaves a bit to be desired in terms of security. I often recommend considering running social networking sites (and situations with similar trust issues, such as webinar interaction software) from a disposable virtual machine. Such a machine explicitly has limited access to other data, and thus represents a lesser degree of risk. I covered this topic recently in "Disposable Virtual Machines: Deliberately Expendable", after having presented this concept at the 2010 Trenton Computer Festival (the article contains a link to the slide set; the article can be found at: http://www.rlgsc.com/blog/ruminations/disposable-virtual-machines.html).

All in all, the problem transcends the specifics of the technology. The technology has merely further dramatically lubricated the flow of information, with all of its attendant issues and concerns.
Robb Reck It's the classic issue of functionality versus security. I believe the biggest problem is when we security folks dig in our feet and attempt to stop new technologies from moving forward. Rather than a roadblock to implementation, we should view our role more as a fellow traveler assisting the business in choosing the safest roads to get where we want to go.
Robert Gezelter I agree. The reason for my two-pronged comment was that it is not social networking that is the problem, it is only a lubricant.

In the case of disposable virtual machines, they represent a technological way to segregate social networking (and similar unsafe www access) into a sandbox where the probability of spreading mayhem is far reduced.

Providing a degree of safety is far better than an attempt to stop the tide from coming in. While I have total control of my firm's internal information security, I still needed disposable virtual machines to calm MY concerns about webinar software that used ActiveX controls.
Robb Reck The only issue I have with spinning up a VM for risky web surfing is the user productivity impact. Requiring users to make any change to their normal behaviors is usually met with reluctance. Requiring that they perform significantly more clicking to browse the web is going to be met with hostility from a percentage of users.

I do agree with the idea, and in my personal life I suggest friends/family use one VM for their web browsing and another for their online banking/shopping. But getting that kind of movement in a business setting is a very tall order.

A good start would be some research showing the ROI on that kind of change. For the extra 1-3 minutes per day per user, how much time are we saving? Does the math work out showing that it's a wise move for a company?
Robert Gezelter I agree. Usability friction is a serious impediment. In the corporate world, I view establishing separate VMs as a Corporate IT task.

The desired interface is a play on what Microsoft refers to as "Desktop Virtualization". In Microsoft-speak, this normally is a desktop from a centralized resource projected (generally using RDP) to the local desktop. Similar technologies with slightly different phraseology based upon X-Windows/Motif have had more longevity.

In this case, a VM can be self-hosted within the local machine, and be accessed by an icon on the desktop. Done properly, the user need not even necessarily have Administrator access.

Even without the cosmetics, switching back and forth is not a question of minutes per day. There are admittedly awkward areas involving mice, but it is mainly an acclimatization issue.

Personally, I use the VMs without usability jacketing, as it suits my needs. If I were doing it in a corporate environment, I would recommend smoothing out the edges.

Indeed, Microsoft has partially gone this route with "Windows XP" mode under Windows 7. In essence, Windows XP mode is merely a Windows XP instance running under Microsoft's Virtual PC. It is intended for backwards compatibility. However, used carefully, it represents a way to compartmentalize an application or use.
Robb Reck Could we accomplish the same thing with the use of internet browsers as a Citrix app? In that case you could just replace the browser's icon on the desktop/quick launch bar with one to the Citrix instance.

Just a thought.
Robert Gezelter If (and ONLY IF) the Citrix app ran in a dedicated VM.

The whole point of running within a disposable virtual machine is to obviate the security risks created by security issues surrounding the host platform.

The critical point is that after the disposable virtual machine is used, it can, if desired, be thrown away at zero cost (in the most primitive sense, the virtual system disk can be deleted and replaced with a new clone of the original which was non-writable and thus pristine).