Web Application Controls

I wrote an article a few months ago talking about the new feature called "Web 2.0 controls". This feature has been firming up of late, and seems to be coalescing around the term "Web Application Controls". Each vendor does have a slightly different take on it, some focusing more on social networking, others being more broad based and covering a number of applications. Even those without real controls, are claiming "web application control" capability.

That being said, it's important to find out what a vendor means when they say "web application control". For some it just means blocking a web site based on its category. That alone probably isn't sufficient in today's malware laden web world. Really, the secure web gateway or web proxy needs to be able to control actions with web sites (applications). For example, does the web proxy allow the user to view the website, but prevent them from posting information to that update, restrict them from uploading a photo, a video or other documents? Is there any granular control over the types of information or document type that can or cannot be uploaded? Can a user be prevented from using a chat function within a page or an email function within a page?

Those are the important controls and the ones needed to customize a policy to adhere to an organization's compliance rules. It may be easy to say create a read-only Facebook policy, but it won't apply across the board. Marketing folks may need to add the ability to post to the company's Facebook site, but maybe you don't let them chat on Facebook. The CEO may be the only one allowed to do anything of Facebook, etc.

The key takeaway here? Make sure you know what your web proxy can do and make sure it fits your needs around "web application control".