Consumer-orientated Web 2.0 applications like Facebook are moving into the corporate environment and, while they offer users a familiar and useful experience, they could play havoc with security.
Les Stevens, analyst at Gartner SA, believes the security conundrums associated with Web 2.0 applications need to be addressed urgently.
The business environment is rapidly becoming consumerised: technologies and models that developed in the consumer space are moving into the business space, and enterprises need to work out the effects of this and find ways to take advantage of it.
As consumer devices become more popular and are increasingly connected to wireless networks, enterprises will be challenged to either secure these devices, or secure the enterprise from them.
Employees in many organisations are encouraged to work at home using high-bandwidth connections, often on their own PC, with wireless connections they configure themselves. Workers also often use community-based Web services (a Web 2.0 characteristic) and external e-mail as corporate-sanctioned options.
"In three different debate sessions at Gartner's Symposium/ITxpo 2007 in San Francisco, attendees voted on three propositions related to whether to control users or give them more autonomy. Respondents voted overwhelmingly in favour of relaxing controls over what applications, services and devices users employ," explains Stevens.
In April this year, Fortify Software, a provider of products for identifying, managing and remediating software security vulnerabilities, announced that it had documented a major vulnerability in Web 2.0 frameworks and Ajax-based software that allows an attacker to steal critical data by emulating legitimate users. An employee quickly checking what's happening on their favourite social networking site while at work could allow an attacker in.
"There is a greater use of personal devices on corporate networks, users are demanding more relaxed corporate security controls, and they're using more Web 2.0 applications for social interaction on their personal devices," says Stevens. "At the same time, researchers are finding more and more vulnerabilities in the Web 2.0 environment. There is a critical need to address the risks associated with IT consumerisation before it becomes a deeply entrenched part of working life."
Simply banning and blocking all consumer technologies, whether it's hardware, software or some kind of service, is not a realistic long-term strategy for most organisations.
Stevens believes that current tools exist to manage the risks of IT consumerisation, but may lack maturity and come at a high price. He says that while it may be too early or costly to invest in these tools, enterprises can at least start with policies and processes, and then use these to help guide future technology deployments.
"It's also critical to engage executive management and business units in the development of consumerisation policies – this is not the kind of decision IT departments can either ignore or make in a vacuum.
"By preparing today – using policy, process and technology – organisations will be well-prepared as more employees bring their personal technology into the office," he says.