
Web 2.0 Creates New Challenges to Secure Information Everywhere

Wendy Herman, Nortel
April 2008

Week after week, the variety of new ways security of information can be breached is making news headlines, from breaking into Paris Hilton's confidential Facebook account to unauthorized access of electronic passport files of U.S. presidential candidates.

Availability of so much information online, plus the steadily increasing range of access – remotely or wirelessly while on the go – results in a myriad of opportunities for security hooligans to hack into confidential information or unleash crippling viruses and worms.

Each creative new way to share information through Web 2.0 applications, and every new type of device accessing wireless networks, such as smart phones or network-connected MP3 players, brings with it unique security risks. While social networking sites like Facebook and Second Life were created as communities for sharing personal interests and information, the power of their collaborative technologies is also used by companies for business purposes, subjecting corporate networks to yet another external level of security risk.

The much publicized Facebook breach in March 2008 resulted in a hacker gaining access to Hilton's information through routine 'tags' inserted into family photos for easy sharing. Facebook quickly corrected the security flaw, but as its privacy policy posted on its web site warns, "...Although we allow you to set privacy options that limit access to your pages, please be aware that no security measures are perfect or impenetrable."

Every hyperconnected enterprise faces this kind of security paradox. The openness and sheer volume of available information that make Web 2.0 applications such powerful business tools also open them to potential liability because the Web was designed to share, not to protect. The many access points that allow customers, remote and mobile users into a trusted corporate network potentially allow cyber-thieves in as well, as they continually look for holes in new applications to slip past security, like the photo tags on Facebook.

Web 2.0 applications can transform web browsers into security battlefields that need to be defended as vigorously as each computer and mobile device accessing the network, and the trend is escalating. Hyperconnectivity, where everything that can be connected will be, continues to drive huge increases in the devices, users and applications accessing networks. Nortel estimates that, by 2010, there will be 10 devices connected to the network for every person using them, resulting in five billion connection points around the world.

Even when security is designed to be high for corporate information, employees often disregard their company's safeguards in practice, adding another level of risk that is hard to defend against. UK-based IT Governance Limited recently issued a report based on its survey that found 68 percent of employees admit to bypassing their employers' information security controls in order to do their jobs.

"Employees aren't being malicious when they do things like send a highly confidential document to a colleague through public IM services like Yahoo or connect their laptop to WiFi at an airport. They are probably just trying to use some valuable time to make progress on their work," says Ionut Ionescu, director of Security Services for Nortel in Europe, Middle East and Africa (EMEA).

"Security is usually taken for granted or it is not a top priority for busy employees who are trying to get things done quickly," says Ionescu, who provides consulting services for enterprise security to Nortel customers. "That further complicates the challenge for today's IT professionals who must keep security tight across all devices and applications without putting so many restrictive barriers in place that they slow down business processes and productivity."

Shackling an enterprise with too many security features, for example, can slow corporate web servers to a crawl as they bog down with processing-intensive tasks like encryption and decryption of all data, causing network delays that can seriously disrupt the real-time quality needed for live Webcasts or VoIP conversations.

"It's a constant balancing act between what's an acceptable level of risk and when does security get so restrictive that it's too much?" Ionescu asked. "While the complexity of securing the enterprise today across so many interconnected devices and applications is certainly much higher, the basic approach is simple and the principles are no different from how things worked with Web 1.0."

"Security is still all about defending the perimeter," he says. "But where you once had only one perimeter to defend around the whole corporate network, like a moat around a castle controlling who could enter, you now have lots of little perimeters, lots of little defensive circles that have to be placed around each device and many of the applications. In effect, the corporate network is like a castle that has been opened to the public and each of its rooms now requires protection from each visitor whether that involves a person or another machine. Security becomes very granular and complex. It is no longer – install a firewall and forget about it."

When collaborating with customers on their security issues, Ionescu applies Nortel's Layered Defense approach, which is designed to ensure there are no single points of security failure in a network. This is accomplished by using multiple approaches to security enforcement at multiple areas within a network, including access points, virtual private network (VPN) routers, encryption, firewalls, plus network core protection, to isolate and eliminate any threat that happens to slip through all other layers.
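To make the "no single point of security failure" idea concrete, here is an added Python illustration. It is not Nortel code or a Nortel product configuration; the layer names follow the paragraph above (access point, VPN router, encryption, firewall, core protection), while the request fields, the port allow-list and the sample traffic are constructed assumptions. Every layer decides independently and access is granted only when all of them allow, so a layer that fails open (misconfigured or bypassed) does not by itself let a bad request through.

```python
"""Layered-defense (defense in depth) access decision.

Added illustration for this article; not Nortel code. Layer names follow
the article; request fields, the allowed-port policy and the sample
requests are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    posture_ok: bool         # endpoint health check passed at the access point
    vpn_authenticated: bool  # arrived through an authenticated VPN tunnel
    encrypted: bool          # payload protected in transit (TLS/IPsec)
    dest_port: int           # internal service the request is addressed to
    payload_flagged: bool    # core-network inspection raised an alert


# Constructed policy: only HTTPS and SSH are reachable from outside.
ALLOWED_PORTS = {443, 22}

# Each layer decides on its own; True means "this layer allows the request".
LAYERS: Dict[str, Callable[[Request], bool]] = {
    "access_point":    lambda r: r.posture_ok,
    "vpn_router":      lambda r: r.vpn_authenticated,
    "encryption":      lambda r: r.encrypted,
    "firewall":        lambda r: r.dest_port in ALLOWED_PORTS,
    "core_protection": lambda r: not r.payload_flagged,
}


def evaluate(req: Request, layers: Dict[str, Callable[[Request], bool]] = LAYERS
             ) -> Tuple[bool, List[str]]:
    """Run every layer and allow only if all of them allow.

    Returns (allowed, names of the layers that denied). All layers are
    evaluated rather than stopping at the first denial, so the operator
    sees every control that fired, which helps spot a layer that has
    silently stopped enforcing.
    """
    denied = [name for name, check in layers.items() if not check(req)]
    return (not denied, denied)


def with_layer_failed_open(layers: Dict[str, Callable[[Request], bool]],
                           name: str) -> Dict[str, Callable[[Request], bool]]:
    """Model one layer that is misconfigured or bypassed and now allows everything."""
    broken = dict(layers)
    broken[name] = lambda r: True
    return broken


# Constructed sample traffic.
GOOD = Request("alice", True, True, True, 443, False)
# Not on the port allow-list and flagged by core inspection.
BAD = Request("mallory", True, True, True, 3389, True)

if __name__ == "__main__":
    print("good request:", evaluate(GOOD))
    print("bad request:", evaluate(BAD))
    # Firewall fails open; the core-protection layer still blocks.
    print("bad request, firewall failed open:",
          evaluate(BAD, with_layer_failed_open(LAYERS, "firewall")))
```

The pattern generalises beyond this toy: any control that can be mapped to an independent predicate (posture, tunnel authentication, transport protection, network policy, content inspection) can be added to `LAYERS`, and the `denied` list doubles as the detection signal that tells you which layer caught what the others missed.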

"Despite the publicity surrounding high-profile breaches, when you consider all the millions of electronic banking, commerce and other business transactions that are safely completed every minute of every day, around the world, security technologies are already doing a monumental job," says Ionescu.

"But the advice I always give to our clients is to never take anything for granted. What was secure yesterday may not be secure today," he said. "Just because things are made easy – posting pictures on the Web rather than emailing them to friends – or made cheaper – think VoIP calls versus traditional calls – it doesn't mean that their level of security is high enough. Every individual and every business has to weigh the real level of security against the value of their risk when using any ICT systems. Be vigilant and never assume anything is safe until it's been checked and is continuously re-checked."