Securing Data in a Web 2.0 World

You have probably heard a lot about a new Internet phenomenon called Web 2.0 -- an unfortunately misleading name not for a new version of the Web, but for an evolution in the way people use the Internet as a highly dynamic, connected, and interactive environment for distributing and sharing information. This evolution relies heavily on a number of new methods of sharing information that rely entirely on online connectivity. These include not just Web and email, but also:

• information delivery using chat and instant messaging (IM);
• Web logs ("blogs");
• portable audio recordings (podcasts);
• collaborative Web-based information-sharing (e.g., wikis);
• peer-to-peer (P2P) technologies (e.g., file-sharing or BitTorrent);
• real-time information delivery technologies such as RSS (Really Simple Syndication) or Atom news feeds;
• Web-based email (e.g., Google's Gmail);
• content portals (e.g., photo-sharing site Flickr); and
• even online communities such as Digg, Slashdot, and Fark.

These new information technologies are becoming more and more critical for delivering, sharing, and managing corporate and customer information, both inside the enterprise and beyond the firewall. For example:

• Email is by far the most common method of content delivery -- almost 90 percent of enterprises deliver information either exclusively or often by email.
• Web publishing is the most common static delivery format -- two-thirds of enterprises publish information to the Web either exclusively or often.
• Instant messaging is now a more popular form of information sharing than fax -- 25 percent of enterprises send information exclusively or often by instant messaging, compared to only 16 percent that send it by facsimile.
• Instant messaging, wikis, RSS, blogs, and podcasts are used exclusively or often by 41 percent of companies.
• Traditional information delivery is on the wane -- only a third of enterprises deliver content as hardcopy either exclusively or often, and over a third either rarely or never print and deliver content.

The use of these new online content technologies is significant, and it is growing rapidly. For example, over the next 12 months, use of IM or chat applications will grow by over 10 percent, corporate use of wikis and RSS/Atom feeds will double, and corporate blogging will almost triple. However, these usage and growth rates do not take into account unofficial or unauthorized use -- in fact, many more companies are using these so-called Web 2.0 technologies, whether they know about it or not. For example, almost as many organizations are using IM unofficially as officially, and more organizations are using blogs unofficially than officially. In addition, research has found that most companies lack any official processes or software to manage or control the information handled by these new technolgies: Less than a third of organizations using instant messaging have any such processes, and more than half of all companies using blogs, wikis, or RSS have none. Even more disturbing are findings that almost two-thirds of companies store important customer information in local or server-based email folders, and over a third of enterprises store content on external Web sites at least half the time -- meaning a significant volume of corporate content is located, at best, merely beyond the company's control, and, at worst, in full public view. This raises significant concerns regarding the security of the information that is being delivered and shared with these online content technologies, as companies are increasingly delivering and sharing corporate and customer information without any ability to capture, store, or manage it. These practices have significant security implications, as enterprise users relying on these so-called Web 2.0 technologies are not protecting their information, and using technologies that are insecure, with limited audit trail, no version control, and no accountability. Also, for the most part, information-management and -security systems have not kept pace with these new technologies. Traditional customer information management systems do not integrate well with these new technologies, and companies have no archiving -- and only limited backup -- for this important information. Companies that are unable to manage these new information-sharing mechanisms adequately face major security and compliance problems. Having no ability to capture, manage, and control this information will cause high-risk audit and compliance issues, and expose real difficulties protecting privacy and intellectual property. Ensuring adequate provenance, auditability, and accountability with this new Web-based electronic content is much more difficult, and monitoring where this information ends up is significantly harder. Web 2.0 technologies can certainly deliver specific and substantial gains in cost, speed, and efficiency for customer information management. Indeed, companies should deploy them, though in controlled and authorized ways. However, enterprises using these technologies need to ensure they can monitor these delivery channels; prevent leakage of corporate information; ensure auditability and accountability; and integrate them with standard content management systems, technologies, and processes. About the Author Andi Mann is a Research Director with leading IT analysis and consulting firm Enterprise Management Associates. Andi has over 20 years experience managing information in a variety of enterprises worldwide, and now provides comprehensive research and analysis into the intelligent and automated management of enterprise IT systems and applications for EMA and its clients. You can email Andi at amann@enterprisemanagement.com.