Consumer Web 2.0 tools and services like personalized homepages, gadget and widget frameworks, instant messaging, social networks, and others were built to be easy-to-use, open and ubiquitous. Security, compliance, data integration and other “enterprise-grade” traits were not a design consideration. As such, these technologies are not appropriate for use within the enterprise. But the popularity of Web 2.0 is spilling over to the enterprise. A recent Yankee Group survey found that 86% of non-IT employees are using at least one consumer Web 2.0 tool at work already.
The question is: can you leverage the convenience of consumer Web 2.0 tools and technologies while achieving the level of enterprise security and governance needed to be acceptable?
To address this challenge, companies must consider the following:
Authentication – how do you leverage existing authentication mechanisms such as SSO and Web authentication while enabling secure access via Web 2.0 front ends?
Authorization – how do you apply the authorization policies that already govern enterprise data and services to Web 2.0 front ends, without duplicating authorization logic and without overloading existing backends?
Application Security – how do you ensure the security of Web 2.0 front ends that run within untrusted third party containers such as personalized homepages, social networking sites and RSS readers and side by side with untrusted gadgets, applications and feeds?
Application Provisioning – how do you allow users to add applications to their Web destination of choice, maintaining the seamless ‘add-to’ experience while ensuring the integrity of the provisioning process and preventing unsanctioned distribution of the applications?
Scalability – how do you protect enterprise application servers from data-intensive consumer interfaces like RSS and AJAX that continuously poll servers for updates?
Integration – how do you connect to a wide variety of enterprise applications and data sources without falling into endless integration projects?
Self-service – how do you allow staff to define information views without requiring them to be programmers or getting IT involved?
Governance – how can you monitor and audit online activities? How do you retain information required by regulation?
Customization and Development – consumer-oriented web services are unique in how easy they make it for users to create new applications or customize existing ones. How can this be replicated in the enterprise?
Multitude of Web 2.0 Interfaces – there is a wide range of diverse “Web 2.0”-style services and technologies available. But there is very little in common between them (for example, SIP-based Instant Messaging, RSS, and a Google web page gadget). How do you support these consumer platforms without custom development each time?
The popularity of Web 2.0 in the enterprise introduces two new types of information security threats:
Previously existing threats made more dangerous by the proliferation of usage patterns popularized by Web 2.0 technologies (e.g. user-generated content)
Threats associated with new Web 2.0 technologies (such as RSS)
Among the most pernicious of these threats are Cross-Site Scripting, Cross-Site Request Forgery, and vulnerabilities associated with various client tools. WorkLight deals effectively with each of these threats and many more, making Web 2.0 tools safe for use in the enterprise.