Press Release

SYDNEY, Australia, August 14, 2007 View All Press Releases

Gartner warns Web 2.0 will force business to re-examine approach to IT security

The adoption of Web 2.0[i]technologies in the enterprise is driving unprecedented collaboration throughout business, but brings with it significant security risks, according to Gartner.  These risks are manageable, but only if enterprises engage security early in the process and build a solid foundation to support Web 2.0, whilst limiting the risks.

Speaking at Gartner’s IT Security Summit in Sydney today, vice president and Gartner Fellow Joseph Feiman said that while most Web 2.0 technologies are not new, many of the concepts run contrary to traditional IT security practices.

“Using and participating in these online services and communities forces enterprises to relinquish a level of control that they historically would not tolerate,” said Mr Feiman. “It is forcing enterprises to rethink their security strategies.”

A recent Gartner survey found that most organizations have work underway to develop a strategy for Web 2.0, but few are prepared for or executing on that strategy. Gartner predicts that by year-end 2007, 30 percent of large companies will have some form of Web-2.0-enabled business initiative under way.

In his presentation ‘Securing Web 2.0’, Mr Feiman said that the security challenges created by Web 2.0 could be divided into two categories: protecting internal users and the enterprise, and protecting external applications.

The internal challenge is characterised by inbound risks, such as malicious code in RSS feeds, and outbound risks, such as information leakage through inappropriate blogging or use of collaboration tools.  The external challenge is threats generated by enterprise usage and participation in Web 2.0 technologies, such as use of third-party content (mashups) and engaging in open user communities. 

“The perils of user generated content have already been experienced by some newspapers which face the difficulty of readers posting inflammatory or offensive comments online. It’s not yet clear what the rules are governing this kind of content or how it will affect the publisher’s reputation.

“A similar risk that many enterprises are currently dealing with is employee blogging.  Some organisations encourage it, others forbid it, and some have no formal policies at all.  It’s a two sided coin – on the positive side blogging can build strong communities, brand awareness and transparency; but on the negative side blogging can reveal corporate secrets, arm disgruntled employees and have undesirable consequences.”

According to Gartner, the open nature of Web 2.0 also presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content.  In the outbound sense information leakage can occur in a range of ways such as blogging, instant messaging, collaboration tools and even online calendars.  Similarly any content served by a Web 2.0 application can be re-formed, reused and redistributed by third parties, making it practically impossible to control content.  This can include press releases, price lists, video and audio, all of which can be rapidly propagated across the Internet. 

“There is no technology that can effectively protect content that is publicly accessible,” said Mr Feiman.  “Rather enterprises should determine what content they are willing to have in the public domain, keep the rest private, and use licensing agreements as often as possible to help control distribution and use.”

As with any collection of technologies, Web 2.0 comes with a wide range of vulnerabilities and risks and a few basic practices can limit an organization's exposure.  Mr Feiman identified the two most important practices for limiting risk when building Web 2.0-style applications as: adopting a secure development life cycle and focusing on validating all input, whether it is from an internal user or a business partner.

Gartner makes the following recommendations for enterprises adopting Web 2.0 technologies:

  • Secure coding is your best defence
  • Use web vulnerability scanners
  • Validate all input on the server-side
  • Assume any public content will be reused in unexpected ways
  • Protect internal users and corporate assets with technology tools and education
  • Consider using application firewalls, content monitoring and filtering and data loss protection (CMF/DLP) and database activity monitoring.

Gartner’s IT Security Summit is underway at the Sydney Convention Centre on 14 and 15 August 2007. For more information and a full agenda, please visit www.gartner.com/ap/itsecurity


[i]Web 2.0 refers to business, social and technology evolutions, including new models for community and collaboration; how its participative nature can be leveraged inside and outside the enterprise; the new business models that Web 2.0 facilitates; the lightweight programming models used to build Web 2.0-style mashups; and various Web 2.0 applications, such as blogs, wikis, folksonomies and social networks.

Contacts
About Gartner

Gartner, Inc. (NYSE: IT) is the world's leading research and advisory company. The company helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. Gartner's comprehensive suite of services delivers strategic advice and proven best practices to help clients succeed in their mission-critical priorities. Gartner is headquartered in Stamford, Connecticut, U.S.A., and has more than 13,000 associates serving clients in 11,000 enterprises in 100 countries. For more information, visit www.gartner.com.

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.