
Keys to social business systems security

Johannesburg, 01 Feb 2011

The recent exposure by Julian Assange's WikiLeaks Web site of classified information, said by critics to be harmful to international security, has emphasised the need for organisations to closely guard private information. Not since the early days of 'black hat' hacking and the first dramatic instances of cyber crime has data security been so high on corporate decision-makers' action lists.

Thanks to WikiLeaks' exposures, the vulnerability of confidential information and personal privacy is clearly evident. This is particularly true in today's corporate environment, which is increasingly exposed to security break-ins and information theft through its ready embrace of social networks for business applications.

Social networks are beginning to play important marketing roles in business.

The benefits of these social business systems include faster ways to foster interactive relationships with customers and prospects, and better means of building brand identity and product awareness. Social networks are also an excellent channel through which Internet traffic can be driven to corporate Web sites and other online sales and promotion properties.

However, the benefits are increasingly clouded by security risks associated with the casual attitude towards privacy prevalent in the social networking community. These risks are exacerbated by the proliferation and uncontrolled use of unapproved freeware and applications designed to persuade social network users to reveal and share confidential information - be it private or corporate in nature.

Against this background, the future appears bleak for organisations set to adopt social networking, particularly those also intent on exploring the open world of cloud computing in which social networking applications thrive.

It need not be so. Enterprise social networks and other cloud-based applications can be deployed safely provided the correct approaches are maintained.

In essence there are three keys needed to secure corporate information held in unsecured solutions. The results of their use are tangible and measurable.

Significantly, they allow users to take advantage of the business benefits of social networks, the economic advantages of cloud-based computing, and the peace of mind that comes from tight security.

1. Verification
The first key is to update the current methods used to verify all approved corporate network users' identities. This is achieved by integrating existing single sign-on systems into the new social systems. Merging the regular username and password directory with social applications facilitates more secure validation and authentication processes.

The most widely accepted integration method is to adopt open industry standards and SAML (Security Assertion Markup Language). Together they present consistent and cost-effective mechanisms, allowing software solutions from both inside and outside of the enterprise to connect.

That said, it is important to separate the verification/authentication processes used for internal and public communities. Keeping a clear divide between these communities will help avoid the possibility of users accidentally posting internal documents externally. It will also facilitate the adoption of more appropriate communication and collaboration procedures.

2. Authorisation
Authorisation processes are key to defining or specifying the amount and nature of information held by any one individual. An excellent example of lax authorisation processes can be found in the bulk of the data published on WikiLeaks.

In hindsight, it is easy to see that the individual(s) responsible for supplying content to WikiLeaks should not have had access to this level and volume of confidential information in the first place.

Enterprise entitlement software systems, designed to assist companies to address regulatory compliance issues, are in many instances also capable of defining the rules of entitlement with regard to access to data. Although not yet broadly adopted, these systems are capable of providing an excellent model for integration with social business software.

3. The audit
Undoubtedly, regular system and security audits help boost strong governance and - should the worst happen - assist with post-event reviews, root cause analysis and future remedial action. The key to effective, simplified auditing of security systems lies in the initial placement of efficient controls.

Today, a wide range of auditing systems is available, including new 'e-discovery' solutions that help facilitate forensic investigations. While many of these systems have been designed around e-mail auditing, the software is rapidly evolving to suit the nature of social media communications.

Moreover, by combining messaging, forums, document sharing and other popular social networking applications, these systems now present an integrated repository for disparate data. This makes it easier to aggregate the required information into a single system, further simplifying the audit process.

We are moving towards an era when information security awareness will be a vital source of new value for the organisations adopting social networking as a business tool.

Implementing the three keys to social networking security will give organisations the ability to balance their security requirements with the capacity to give their staff members enough creative licence to explore and innovate, using the significant potential associated with social networking.

* Join Martin May on Facebook: http://www.facebook.com/martin.may.enterasys

Editorial contacts

Dana Bureau
Extreme Networks
bureau@enterasys.co.za