Gartner warns Web 2.0 will force business to re-examine approach to IT security

SYDNEY, Australia, August 14, 2007 � The adoption of Web 2.0[i]technologies in the enterprise is driving unprecedented collaboration throughout business, but brings with it significant security risks, according to Gartner. These risks are manageable, but only if enterprises engage security early in the process and build a solid foundation to support Web 2.0, whilst limiting the risks.

Speaking at Gartner�s IT Security Summit in Sydney today, vice president and Gartner Fellow Joseph Feiman said that while most Web 2.0 technologies are not new, many of the concepts run contrary to traditional IT security practices.

�Using and participating in these online services and communities forces enterprises to relinquish a level of control that they historically would not tolerate,� said Mr Feiman. �It is forcing enterprises to rethink their security strategies.�

A recent Gartner survey found that most organizations have work underway to develop a strategy for Web 2.0, but few are prepared for or executing on that strategy. Gartner predicts that by year-end 2007, 30 percent of large companies will have some form of Web-2.0-enabled business initiative under way.

In his presentation �Securing Web 2.0�, Mr Feiman said that the security challenges created by Web 2.0 could be divided into two categories: protecting internal users and the enterprise, and protecting external applications.

The internal challenge is characterised by inbound risks, such as malicious code in RSS feeds, and outbound risks, such as information leakage through inappropriate blogging or use of collaboration tools. The external challenge is threats generated by enterprise usage and participation in Web 2.0 technologies, such as use of third-party content (mashups) and engaging in open user communities.

�The perils of user generated content have already been experienced by some newspapers which face the difficulty of readers posting inflammatory or offensive comments online. It�s not yet clear what the rules are governing this kind of content or how it will affect the publisher�s reputation.

�A similar risk that many enterprises are currently dealing with is employee blogging. Some organisations encourage it, others forbid it, and some have no formal policies at all. It�s a two sided coin � on the positive side blogging can build strong communities, brand awareness and transparency; but on the negative side blogging can reveal corporate secrets, arm disgruntled employees and have undesirable consequences.�

According to Gartner, the open nature of Web 2.0 also presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content. In the outbound sense information leakage can occur in a range of ways such as blogging, instant messaging, collaboration tools and even online calendars. Similarly any content served by a Web 2.0 application can be re-formed, reused and redistributed by third parties, making it practically impossible to control content. This can include press releases, price lists, video and audio, all of which can be rapidly propagated across the Internet.

�There is no technology that can effectively protect content that is publicly accessible,� said Mr Feiman. �Rather enterprises should determine what content they are willing to have in the public domain, keep the rest private, and use licensing agreements as often as possible to help control distribution and use.�

As with any collection of technologies, Web 2.0 comes with a wide range of vulnerabilities and risks and a few basic practices can limit an organization’s exposure. Mr Feiman identified the two most important practices for limiting risk when building Web 2.0-style applications as: adopting a secure development life cycle and focusing on validating all input, whether it is from an internal user or a business partner.

Gartner makes the following recommendations for enterprises adopting Web 2.0 technologies:

  • Secure coding is your best defence
  • Use web vulnerability scanners
  • Validate all input on the server-side
  • Assume any public content will be reused in unexpected ways
  • Protect internal users and corporate assets with technology tools and education
  • Consider using application firewalls, content monitoring and filtering and data loss protection (CMF/DLP) and database activity monitoring.

Gartner�s IT Security Summit is underway at the Sydney Convention Centre on 14 and 15 August 2007. For more information and a full agenda, please visit www.gartner.com/ap/itsecurity

About Gartner

Gartner, Inc. (NYSE: IT) is the world’s leading information technology research and advisory company. Gartner delivers the technology-related insight necessary for our clients to make the right decisions, every day. From CIOs and senior IT leaders in corporations and government agencies, to business leaders in high-tech and telecom enterprises and professional services firms, to technology investors, we are the indispensable partner to 60,000 clients in 10,000 distinct organizations. Through the resources of Gartner Research, Gartner Consulting and Gartner Events, we work with every client to research, analyze and interpret the business of IT within the context of their individual role. Founded in 1979, Gartner is headquartered in Stamford, Connecticut, U.S.A., and has 3,800 associates, including 1,200 research analysts and consultants in 75 countries. For more information, visit www.gartner.com.