Networking Age

by msecadm4921

How to protect network security in the social networking age, by Dr Anton Grashion, EMEA Security Strategist, Juniper Networks.

Productivity tool or security headache? Like instant messaging and e-mail before it, social networking can be a great tool but can also cause concern in companies that haven’t learned to adapt – and real trouble to companies that haven’t learned how to manage it. Enterprises are beginning to adopt social networking applications to offer a fast, easy-to-use way to keep in touch, organize activities and share ideas.

Whether businesses like it or not, employees (especially younger ones) are signing up for these tools regardless of company policy, forcing businesses to play catch-up.

Because of this, there are three major concerns that are keeping IT up at night. First, consumer applications can cut into employee productivity for hours at a time. Second, social networking sites can become vectors for viruses, hacker attacks and phishing. Finally, social networking image, audio and video traffic steals bandwidth from business uses.

So, how are IT administrators supposed to control this problem? There aren’t many model companies to follow in terms of company-wide social networking deployments. A few pioneering companies have opened their doors to social networking on corporate networks: Shell Oil, Procter & Gamble and General Electric maintain social networking accounts. An exclusive Citigroup Facebook network has almost 2,000 members.

When you look at the usage statistics, peer-to-peer (P2P) networks have millions of users sharing photos, software, music and video. Social networking reaches even further: MySpace claims more than 61 million active users; Facebook more than 65 million. The Pew Research Center estimates that half of online adults have used these services to connect with people they know.

There are also organisations actively working against social networking. As the nature of government information is often sensitive, social media tools are a big concern for many government organizations. For instance, in May 2007, the U.S. Army blocked URLs for MySpace and 12 other "entertainment" sites from its US and overseas networks, citing bandwidth and security concerns. Interactive communities such as YouTube, LinkedIn, Facebook and many others are a perfect target for hackers to plant malicious worms and viruses masked as legitimate user content, and present the potential for inadvertent leakage or misuse of mission-critical data.

These tools can nevertheless be important for instant communication, for spreading government information internally and between organizations, and for monitoring public opinion, but there is a long way to go before these concerns are overcome. For this reason, rather than rushing into new decisions to implement these social networking tools, there should be a cautious approach to ensure the right technology pieces are in place to enforce appropriate protection, access and use. There are many technology solutions available to organizations to let them support access to social media tools while enforcing strict control over network traffic to protect information assets and avoid data loss.

The decision to block or allow consumer applications is not black or white. Policies vary according to user, application, security requirements and network infrastructure. There are steps that organizations can take to let social networking into the network securely.

1. Application-based policies

Blocking applications may address this issue. However, modern consumer applications are designed to work on many different network infrastructures. This makes them hard to detect and regulate. The policies should also enable applications that offer business value – without compromising quality of service (QoS).

2. Corporate policies

Although few organizations will apply policies without exception across their entire network, most start by establishing general guidelines. Blanket policies that block or regulate all peer-to-peer traffic can then be adapted to support authorised exceptions, while continuing to regulate or block the rest.

3. User policies

Even when policies are consistent across a network or network leg, they may vary from one user category to the next. Users can be categorized many ways. For example, categories of users can be employees, contractors and/or partners. In general, policies for employees may resemble overall network permissions, contractors will likely have access to a subset of those applications, and partners may have access only to specific applications. The challenge is where and how to enforce user-based policies.

Balancing requirements

Whether your company has identified a business need for social networking applications or simply decided to get ahead of the trend, managing consumer applications on corporate networks is a matter of balancing four priorities: Security, Quality of Service, Visibility and Control.

No single set of policies can meet these requirements for every business. By deploying a combination of policy-centric and interoperable technology solutions, organizations can customize their security profile to reflect the uniqueness of their individual networks, and they can grant access when, where and to whom they want, adapting permissions and defenses as required to counteract internal and external threats.

Now is the time to put these controls in place because, like entropy, the pace of technological change is always increasing. No sooner have we become accustomed to the ideas of Web 2.0 than we are turning our attention to Web 3.0 and beyond. With these changes we are faced with opportunities and challenges; don’t let evolution pass you by.

About the IT firm

Juniper Networks is exhibiting at Infosecurity Europe 2009, held on April 28 to 30 in its new venue Earl’s Court, London. The event provides a free education programme, and exhibitors showcasing new and emerging technologies. For details – visit www.infosec.co.uk

© 2024 Professional Security Magazine. All rights reserved.
