Welcome to the Proxy Update, your source of news and information on Proxies and their role in network security.

Monday, August 2, 2010

The Rising Role of Compliance Social Computing

From: http://www.networkworld.com/community/node/64427

When it comes to implementing a social computing strategy, many companies still abide by the security axiom of “only allow what is specifically permitted.” In fact, according to our latest research, 40 percent of (all?) companies block all access to public social networking sites such as Facebook, Twitter, YouTube, or MySpace. These companies tend to have conservative views toward technology, and consider the risk of allowing access too great—often from both security and productivity standpoints.

Even many of the 60 percent of companies that now allow access restrict it in some way, either by time of day, approved groups (e.g. marketing, customer service, sales), or for specific use cases. We often hear from IT leaders that initial efforts to block access entirely were thwarted by legitimate business needs for the organization to participate in public social networks. In some cases, the path is reactive; access is wide open until someone in legal and/or compliance functions becomes aware of this usage. Often then the reaction is a knee-jerk, “full stop” for any social-computing activities.

There are four primary areas involved in addressing security and compliance concerns related to social computing:

• Breach. Forty-six states, the District of Columbia, Puerto Rico, and the Virgin Islands have adopted legislation requiring notification of security breaches involving personal information. In addition, federal regulations, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, contain breach notification clauses.

• Attack. Compliance with legislation and regulations, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI-DSS), mandates that organizations implement security best practices to prevent access to sensitive data.

• Unacceptable use. Typically, this is an internal policy that defines the acceptable use of corporate assets. Employees sign off on the policy and its ramifications, often as part of an employment contract.

• Accountability. Specific compliance requirements, such as Financial Services Regulatory Authority (FINRA) 10-6, require logging of trader communications. This may also include an internal compliance requirement to monitor and log communications with a high likelihood of becoming part of litigation and e-discovery.

One of the greatest concerns about social networking is the risk of a sensitive data breach. Social-computing applications are potential conduits to breach sensitive information—specifically, personally identifiable information and protected health information. Examples include a real-time breach in which sensitive information transfers in the clear during, for instance, an IM chat. Another example is a non-real-time breach in which a file transfers (intentionally or unintentionally) as part of a Skype session, for instance. Remember, the breach is the disclosure, not the exploitation of the data.

In addition to the breach challenge itself, there is also the challenge of tracking a breach. Without proper audit controls on all social-computing communications, the organization most likely will be totally unaware of any sensitive data breach. There is an additional concern that even when a company knows of a breach, they may have little recourse to limit its exposure. For example, a team within a manufacturing company sets up a Facebook group to facilitate collaboration on the design of its newest, and revolutionary, manufacturing process. There is an assumption of privacy since the group is closed with the exception of the team’s access. However, all it takes is one user without properly set privacy settings whose account is compromised to enable leakage of the group’s information. Users may not go through the due diligence required to determine data ownership for materials placed on public social sites.

Sites such as Facebook and LinkedIn are primary targets for cyber criminals. The primary attack vector is sending a legitimate-looking link—from a “friend”—that takes the user to an infected Web page. The user opens the Web page, clicks on a link and inadvertently downloads malware, exposing the enterprise to significant risk. As discussed, blocking access to these sites is not absolute, so the only option in this case is to block access to bad URLs.

Security practitioners who participate in Nemertes’ research indicate this attack vector is becoming one of their greatest challenges. In addition, recent reports indicate millions of compromised or fake Facebook accounts are available for sale. Protecting against these attacks requires, at a minimum, a Web-content-aware firewall with granular filtering to dynamically block access to specific Web pages, and even specific areas of an individual Web page. Companies that provide solutions in this area include Blue Coat, FaceTime Communications in partnership with Blue Coat, Palo Alto Networks, Socialware, Trend Micro, Webroot, WebSense, and Zscaler.
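The restrictions described above (access limited by time of day, approved group, and specific use case) and the page-level blocking of bad URLs are, in the end, a proxy policy. The following is an added example, not code from the article or from any of the vendors named in it: a toy policy evaluator in which each rule matches a user group, a time-of-day window, and a host plus path prefix; the first matching rule wins, anything unmatched falls to a default of block, and every decision is written to an audit log so that the accountability requirement above is met. The rule model, the function names, and every hostname (all under the reserved `.example` domain) are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from typing import FrozenSet, Iterable, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass(frozen=True)
class Rule:
    """One proxy policy rule (constructed model, not any vendor's format)."""
    action: str                           # "allow" or "block"
    host: str                             # "site.example" or suffix wildcard "*.site.example"
    path_prefix: str = "/"                # "/" covers the whole site; "/games/" covers one area
    groups: FrozenSet[str] = frozenset()  # empty set: applies to every user
    start: Optional[time] = None          # inclusive time-of-day window; None/None = all day
    end: Optional[time] = None


def host_matches(pattern: str, host: str) -> bool:
    """Exact host match, or suffix match for '*.' wildcards (the bare domain also matches)."""
    if pattern.startswith("*."):
        bare = pattern[2:]
        return host == bare or host.endswith("." + bare)
    return host == pattern


def in_window(rule: Rule, now: time) -> bool:
    """A rule with no window applies all day."""
    if rule.start is None or rule.end is None:
        return True
    return rule.start <= now <= rule.end


class ProxyPolicy:
    """First matching rule decides; unmatched requests get the default action."""

    def __init__(self, rules: Iterable[Rule], default: str = "block"):
        self.rules: List[Rule] = list(rules)
        self.default = default
        self.audit_log: List[dict] = []  # every decision is logged for accountability

    def evaluate(self, user: str, groups: Iterable[str], url: str, now: time) -> Tuple[str, str]:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path or "/"
        user_groups = set(groups)
        decision, reason = self.default, "default"
        for rule in self.rules:
            if not host_matches(rule.host, host):
                continue
            if not path.startswith(rule.path_prefix):
                continue
            if rule.groups and not (rule.groups & user_groups):
                continue
            if not in_window(rule, now):
                continue
            decision, reason = rule.action, f"{rule.action} {rule.host}{rule.path_prefix}"
            break
        # Record who asked for what, when, and what the proxy decided.
        self.audit_log.append({"user": user, "url": url, "time": now.isoformat(),
                               "decision": decision, "reason": reason})
        return decision, reason


# Constructed sample policy; all hosts are placeholders under the reserved .example domain.
BUSINESS_HOURS = (time(9, 0), time(17, 0))
SAMPLE_RULES = [
    # 1. A known-bad destination is blocked for everyone at any hour (the "bad URL" list).
    Rule("block", "*.malware-host.example"),
    # 2. Page-level granularity: the games area is blocked even where the site is allowed.
    Rule("block", "*.social.example", "/games/"),
    # 3. Approved groups may use the social site during business hours only.
    Rule("allow", "*.social.example", "/", frozenset({"marketing", "customer-service"}), *BUSINESS_HOURS),
    # 4. Professional networking is open to everyone all day.
    Rule("allow", "*.pronet.example"),
]


def build_sample_policy() -> ProxyPolicy:
    return ProxyPolicy(SAMPLE_RULES, default="block")


if __name__ == "__main__":
    policy = build_sample_policy()
    checks = [
        ("alice", ["marketing"], "https://www.social.example/pages/acme", time(10, 30)),
        ("alice", ["marketing"], "https://www.social.example/pages/acme", time(22, 0)),
        ("bob", ["engineering"], "https://www.social.example/pages/acme", time(10, 30)),
        ("alice", ["marketing"], "https://www.social.example/games/farm", time(10, 30)),
        ("bob", ["engineering"], "https://cdn.malware-host.example/x.php", time(10, 30)),
        ("bob", ["engineering"], "https://pronet.example/in/bob", time(3, 0)),
    ]
    for user, groups, url, now in checks:
        print(user, url, now, *policy.evaluate(user, groups, url, now))
    for entry in policy.audit_log:
        print(entry)
```

Rule order carries the policy: the block rules for bad destinations and for the games area come before the group-scoped allow rule, so an allowed group still cannot reach a blocked page, and a request outside the window or from an unapproved group falls through to the default block. The audit log is what lets a compliance function later reconstruct who reached which site and when, which is the point the article makes about accountability.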

As more companies shift from “block everything” to “block some things,” the need for a proactive social security and compliance strategy will continue to gain importance.
