Does enterprise 2.0 threaten your security?


Among the many questions businesses have about enterprise 2.0, this one has an important place. Not because enterprise 2.0 is necessarily dangerous, but because any new thing brings a change to a situation that is supposed to be secured. So the precautionary principle plays its part in organizations where risk aversion matters more than anything else.

The purpose here is not to discuss whether this risk aversion causes a form of phobia toward any kind of novelty, one that would be a barrier to any evolution or improvement. It's about assessing whether enterprise 2.0 brings a new security risk to organizations and, if so, how to deal with it.

What security?

Security is a legitimate concern that, in fact, covers so many different things that when someone broaches the subject it's hard to know what he really has in mind. With hindsight, businesses have two main concerns about security: one is about structural security, the other about information security.

By structural security I mean protection against attacks on the IT system itself. By information security I mean concerns about unauthorized information broadcasting or disclosure.

Structural security: a concern that is neither 2.0 nor new

The concern is about possible attacks on the IT infrastructure aiming at destroying or accessing data. So it's about preventing malicious actions. At first sight we may say there's nothing new here and that this risk is as old as corporate IT and networks. As for "external" attacks, they concern the security of the whole infrastructure, which hosts not only E2.0 solutions but the whole corporate IT, and that is not specific to E2.0. As for internal unauthorized access, IT departments must check that the vendor provides the required guarantees and has secured its product. All of this belongs to the classical security audit that has to be done for any kind of solution.

So there is no reason to be afraid. So what is the reason for such worries?

Most of the time, it comes from a big misunderstanding. Enterprise 2.0 is unconsciously associated with SaaS in people's minds. Let's be clear: even if enterprise 2.0 takes its roots in web 2.0, and even if SaaS is its preferred delivery mode, the equation Enterprise 2.0 = SaaS is false. It may be the most frequent situation, but it is in no way a systematic truth. Moreover, many vendors offer to host their solution on the enterprise's own servers, which ends the debate and takes us back to the previous paragraph. If not, the provider has to prove the security of its own infrastructure and corporate IT has to check it carefully. There's nothing new here for IT departments that have been used to outsourcing things in the past.

Conclusion: the need for security is real and legitimate, but this point is not specific to enterprise 2.0. It's a classical security concern of the kind businesses have dealt with for ages, and it has to be treated the way it has always been.

Information security: a human concern above all

Enterprise 2.0 aims at better information sharing and at removing many obstacles to interpersonal connections and exchanges. Information being a work tool, and sometimes a strategic asset, losing control of it is a real danger. Moreover, for many people information means power, and security is often raised as a means to protect one's ego. That case excepted, we need to have a closer look at those new usages over which a presumption of risk often hangs.

Of course, one has to make sure the chosen solution has a good rights management system, in order to be sure that information meant for a defined group of people does not leak outside of this group. That E2.0 is about making things more fluid and providing more flexibility does not mean that everything can be done. A social space has to be structured into several zones according to their purpose and the privacy each one needs. It's an issue that has to be managed as such.
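To make the "zones with their own privacy" idea concrete, here is an added example (not code from the original post, and not any real platform's API): a minimal model of social spaces with three visibility levels, a read check, and an audit that flags content whose explicit sharing reaches outside the zone it lives in. The zone names, users and documents are constructed sample data; the rule that guests only see internal zones is an assumption made for the illustration.

```python
"""Added example: zoned social spaces with group-scoped visibility.

Hypothetical model, not any product's API. Sample users, zones and
documents below are constructed for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Visibility(Enum):
    PUBLIC = 1     # readable by everyone in the company
    INTERNAL = 2   # members of the zone plus invited guests (assumption)
    PRIVATE = 3    # members only


@dataclass(frozen=True)
class Zone:
    name: str
    visibility: Visibility
    members: frozenset
    guests: frozenset = frozenset()


@dataclass(frozen=True)
class Document:
    title: str
    zone: str
    shared_with: frozenset = frozenset()  # explicit extra readers (the flexible part)


def zone_audience(zone: Zone, everyone: frozenset) -> frozenset:
    """The set of users the zone's own rules allow to read its content."""
    if zone.visibility is Visibility.PUBLIC:
        return everyone
    if zone.visibility is Visibility.INTERNAL:
        return zone.members | zone.guests
    return zone.members


def can_read(user: str, doc: Document, zones: dict, everyone: frozenset) -> bool:
    """Deny by default: a reader must be in the zone audience or explicitly shared with."""
    zone = zones[doc.zone]
    return user in zone_audience(zone, everyone) or user in doc.shared_with


def audit_leaks(docs, zones: dict, everyone: frozenset):
    """Flag non-public documents whose explicit shares exceed their zone's audience.

    Returns a list of (document title, frozenset of outside readers).
    """
    findings = []
    for doc in docs:
        zone = zones[doc.zone]
        if zone.visibility is Visibility.PUBLIC:
            continue  # nothing to leak beyond "everyone"
        outsiders = doc.shared_with - zone_audience(zone, everyone)
        if outsiders:
            findings.append((doc.title, outsiders))
    return findings


# Constructed sample data (hypothetical company of five people).
EVERYONE = frozenset({"alice", "bob", "carol", "dave", "eve"})
ZONES = {
    "company-news": Zone("company-news", Visibility.PUBLIC, frozenset({"alice"})),
    "project-x": Zone("project-x", Visibility.INTERNAL,
                      frozenset({"alice", "bob"}), guests=frozenset({"carol"})),
    "board": Zone("board", Visibility.PRIVATE, frozenset({"alice", "dave"})),
}
DOCS = [
    Document("Q3 newsletter", "company-news"),
    Document("Project X roadmap", "project-x"),
    Document("Board minutes", "board"),
    # Misconfiguration: a private-zone document shared with someone outside the board.
    Document("Draft business plan", "board", shared_with=frozenset({"eve"})),
]

if __name__ == "__main__":
    for title, outsiders in audit_leaks(DOCS, ZONES, EVERYONE):
        print(f"{title!r} is readable outside its zone by: {sorted(outsiders)}")
```

The point the audit makes is the one in the paragraph above: flexible sharing is fine inside a zone, but a share that crosses the zone boundary is a governance decision, not something the tool should let happen silently.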

So the true question remains: how to prevent uncontrolled information spreading. A simple answer would be that it's not because people exchange more within a group that information leaks more toward the outside. It's obviously the contrary. But I don't think such an answer would satisfy any executive who needs more rational arguments. Leaks have two causes: malevolence and clumsiness.

Nothing can be done against malevolence. The only point is to be careful when you hire someone. But that is not a matter of tools: in the past people used to copy documents, forward emails…

Clumsiness is when people give someone information that had to be kept secret without knowing they're doing wrong. It's often caused by a lack of internal exchanges that makes people bypass the "official" ways and channels. In some ways, a social platform can limit clumsiness because it provides people with more means to communicate and connect, and gives them fewer reasons to look for solutions elsewhere by talking to other people.

But the fact remains: the risk is not in the tool, just as it was not in email or written mail. The risk is human and has to be managed at a human level. As paradoxical as it may look, a technical response to a human risk often increases the risk, because humans try to bypass the technical protections and develop usages that are not under control and are not "secured".

Whatever happens, the human risk will always exist, regardless of the technology that's used. Too much rigidity increases the risk. So does not taking it into account. The solution is relevant governance.

Conclusion: there's really nothing new

I'm sure no one will learn anything from the above. At best, it can help someone who is not tech-savvy to get a better understanding. The reason is obvious: enterprise 2.0 doesn't create any new security risk. It is neither more nor less secure than everything that has been done before. IT security is a corporate issue, not an E2.0-specific issue.

Maybe your data are safer outside. Maybe not. Maybe more flexible, user-managed spaces give people fewer reasons to bypass your policies. Maybe not.

What about the Google/Twitter case?

Of course, we have to mention what recently happened with Google. For those who were on Mars, I remind you that confidential data belonging to some companies and hosted on Google's infrastructure were stolen and made public by a hacker. One of the victims was Twitter, whose business plan was made public on many sites.

A key argument against enterprise 2.0 and SaaS? In my opinion, that proves a risk exists. It's also proof that knowing how much data is hosted by Google, Amazon, Salesforce and many others is not so important. Don't forget that many companies have already had their own servers hacked, but this kind of information is always kept secret. (By the way, does anyone have numbers on that?) And best of all: the breach that was used to enter the system was not a technical breach but a behavioral one, due to a user's negligence. Of course, more and more constraints can be implemented to force people to be more careful, but people will always remain the weakest point of the security system.

Let's be clear: this case is the perfect example of an irrelevant argument, because the systems were accessed without having been forced. It's as if everybody chose "1234" or "0000" as the PIN code for their credit card, or left their PIN on a piece of paper next to their card in their wallet. We also have to be glad that no malicious cleaning lady has tried to use the many secret codes written on post-its stuck on 90% of the computer screens in many offices. Or maybe they do… but it's not publicized.

Don't forget that you trust your bank's account manager not to make your situation public and tell everyone what you're using your money for. You also trust your doctor to keep your file secret.

So, to answer the original question in this note's title, I'd say "not more than before".