Q. What is your perception of the risks of Web 2.0 and what businesses should consider before deploying Web 2.0 applications?
A. The risks with using Web 2.0 are really not new (i.e., there is still the risk of data loss, breaches, identity theft, fraud, system compromise and so on), although they are certainly magnified by the capabilities of Web 2.0 type applications. Simply put, the main security concern with Web 2.0 is how it broadens the threat/vulnerability spectrum. In essence, it creates more avenues for hackers to exploit and more avenues for internal personnel to send out information that could compromise the business. The technology (tools) used for protecting against current threats is no longer efficient in protecting Web 2.0. In the past there was more concern with the incoming threat via web downloads and email attachments. Today there is the concern with the bi-directional threats (incoming and outgoing) brought on by Web 2.0 applications. With the introduction of blogs, feedback sites, chat and social applications like MySpace and YouTube, there is now the capability to provide (or push) data back to the business.
While Web 2.0 type services are beneficial to both companies and customers, the capabilities open up additional paths into the core network and create additional exposures. These are the very same paths that wrongdoers can utilize to launch attacks. Think of traditional protection methods used years ago in the analogy of a “moat and castle” situation, where there was one point of entry to guard your core. This single point of entry provided a better chance to defend the core network because all traffic funneled through it. Today it is a “shopping mall” situation: there is no longer a single point of entry to channel traffic through; there are now many doors to enter or exit from. This new landscape dramatically changes the approach to how to guard information. Without the proper solutions in place, these new capabilities provide very easy methods to move data/information uncontrolled and undetected.
Thus, the best method towards securing your infrastructure against current and evolving threats starts with one consistent approach, an information risk assessment process. This process enables you to:
• Understand what the threats and risks are with pursuing new initiatives
• Prioritize critical risks so that risk is reduced in the most beneficial way to the company
• Determine the appropriate tools (e.g., data leakage, network access control, unified threat management (UTM), intrusion prevention systems, encryption) needed to implement solutions that reduce these risks
With the advancement in technology and its expanding use comes an increase in threats, and the increase in threats raises the level of risk. When considering Web 2.0 initiatives, or whatever the next phase is, you continually need to rethink your approach, because as the threats change, so too must the way we protect against them. The key to success is implementing an information risk management methodology and conducting information risk assessments. This ensures a holistic picture. There is no silver bullet solution. Good, sustainable risk mitigation requires a risk management approach incorporating policy, risk assessment, standards, monitoring, people, processes and technology to successfully implement sustainable “defense-in-depth” solutions.
Answer provided by David A. Meunier, Security Executive Council Content Expert Faculty