As Web 2.0 applications continue to make their way into the corporate environment, solution providers and their customers are looking for new ways to take advantage of the increased collaboration and peer networking gains these applications provide. However, with those opportunities come new challenges and security risks many customers may not be aware of.
“Web 2.0 brings brings a whole new set of challenges that legacy security solutions just can’t address,” says Dave Meislick, director of product marketing for security vendor Websense.
The Web is now the most common application delivery mechanism, Meislick says, and while it’s faster and more efficient to deliver applications over the Web, the risks increase as access is made openly available and as development, testing and rollout processes are shortened, he says.
“The model used to be that companies would buy software packages and then distribute them as needed to their users—it was a more tightly controlled method,” he says. “But now these same applications are available publicly, and users can just go to the Web and access them without having strict controls in place,” he says.
“The underlying issue here is how solution providers and customers can take advantage of Web 2.0 without putting their businesses at risk,” Meislick says. Much of the appeal of Web 2.0 applications like Facebook, Twitter, MySpace and others is driven by the turbulent economy, says Ken Hamilton, founder, president and CEO of networking security solution provider Total Tech.
Many end users believe Web 2.0 can be a cost-efficient, extremely effective marketing and sales tool, but what they don’t understand is that if they leave themselves vulnerable to an attack, it will cost a mint to rectify that breach, Hamiton says.
An independent study commissioned by Websense details the full depth and breadth of the challenges Web 2.0 poses to organizations, but also underscores the potential for huge opportunity for solution providers to offer consulting, implementation and management of security solutions that can address Web 2.0’s biggest problems, Meislick says.
Though 80 percent of the survey’s 1,300 IT organization respondents worldwide said they were confident in their Web security strategy, only 17 percent were able to correctly define Web 2.0. The other 63 percent, Meislick says, are putting their businesses at risk simply by misunderstanding which applications make them vulnerable, how attacks are delivered and, most importantly, what security measures are needed to thwart them.
“Many customers don’t understand the full scope of Web 2.0 and what it means,” Meislick says. “Sure, they know FaceBook and Twitter are Web 2.0 applications, but they don’t get that Google, for instance, is a Web 2.0 property as well. They don’t think of Flickr or YouTube as Web 2.0 sites, even though they present the same kinds of risks.”
Hamilton adds that much of the sales process for security solutions that can handle the security challenges of Web 2.0 apps comes down to educating customers.
“It’s definitely an educational issue,” Hamilton says. “Even if customers understand Web 2.0, they don’t always understand what it means from a security perspective,” he says.
While sites like Facebook, Twitter and other may be harmless in and of themselves, content posted by users or streaming from hackers can be incredibly dangerous, he says.
“We have to use real-world examples when we’re explaining the threats,” he says, “Because many customers don’t really get how dangerous it is if a user goes to what they think is a legitimate site linked to by Facebook, but the content on that page just isn’t safe,” he says.
This is a great starting point for solution providers to begin a dialogue with customers, Meislick says, about their internal use of Web 2.0, how it can benefit their sales, advertising and new customer recruitment efforts as well as how it can help them research and track employee behavior, whether to better serve the needs of employees or to perform screening of potential employees.
“They can start a conversation, further the dialogue with their customers by explaining What Web 2.0 actually is, how it help their business, what risks there are and how to address them,” he says.
That’s exactly the approach Hamilton prefers to use when making sales calls on customers. Hamilton says he uses a list of applications, and asks potential customers to identify which ones fall into the Web 2.0 category.
“Most of the customers we try this with can’t identify all of the Web 2.0 applications successfully,” he says. “That’s a great starting point for us, a fantastic selling tool to say, ‘If you don’t know what the threats are, how can you protect against them?’” he says.
As Web 2.0 becomes more and more prevalent, Hamilton says prospecting for customers has gotten much easier.
“We’re getting a lot of calls and a lot of questions like, ‘What are my options other than just blocking [Web 2.0 applications]?’” Hamilton says. We know that these customers see Web 2.0 as critical to their marketing and sales efforts, and they’re really getting pressure from higher-ups to use these technologies,” he says.
Meislick says many WebSense solution providers have been successfully using Web 2.0 to do their own customer prospecting and education. For instance, he says solution providers can search Facebook for users employed by a specific organization, and then use that data to help them increase sales or drive new consulting services.
“Solution providers can then get in the door and say, ‘Mr. CIO, did you know there are 423 of your employees on Facebook? Are they accessing the site at work? Are they uploading or sharing confidential data? And if they were, how would you know?’” he says.
From there, solution providers can demonstrate how cutting edge security solutions can address the challenges posed by Web 2.0 for which legacy solutions like URL filtering, antivirus, reputation-based screening and file-based content filtering are inadequate.
Traditional URL filtering, for example, scans Web page content to identify potential risks and vulnerabilities, Meislick says. This solution worked extremely well a few years ago, but with the advent of Web 2.0, Web page content is no longer static.
“The content on that page your solution’s scanning is ever changing,” he says. “What wasn’t a risk at 2:03 pm can turn into a problem at 2:04 pm.” A solution that can provide real-time content scanning is imperative if customers want to mitigate malicious links and harmful embedded content.
Antivirus, too, was incredibly effective when the Web was more static, and when most viruses, worms and exploits were sent via e-mail, he says, or were downloaded by a user from a Web page. Now, however, most viruses are delivered via scripts, which target browser vulnerabilities and run an executable file without needing user input, totally bypassing antivirus solutions.
Many antivirus solutions introduced a reputation-based system to try to address this problem, but Meislick says this approach also isn’t adequate to solve these issues.
While sites like Google and Facebook in and of themselves have good reputations, the content streaming across those sites may be malicious, he says.
“You can’t block Google, you can’t block Facebook or other Web 2.0 sites if your company needs it,” Meislick says. “But what you do need are real-time content scanning and analysis to block individual pieces of content that are inappropriate,” he says. Solutions like security gateways that can identify and block harmful scripts and browser-based attacks are a great option for solution providers to offer customers that want to leverage Web 2.0 but mitigate the risks involved.
Of course, implementing many of these security technologies can drain network performance and resources, so solution providers should be aware that many security gateways, like WebSense’s own offering, also can address network bandwidth and usage by integrating load-balancing, redundancy, failover and high availability, Meislick says.
“We build in things like application controls, web caching and other features that limit network-hogging activities like streaming media, certain IM clients or other applications that are non-essential and risky,” he says.
With new Web 2.0 applications emerging every day, it’s imperative that solution providers educate themselves on their customers on both the risks and rewards inherent in the technology. By leveraging their own knowledge and expertise with Web 2.0, solution providers can build a stronger consulting and/or solutions integration practice that can help their customers safely use the technology, Meislick says.
“How are you going to stop people from using Google? How do you stop users from accessing FaceBook or LinkedIn and other sites? You can’t. So you instead have to identify and capitalize on these opportunities to educate and secure customers,” he says.