The adoption of Web 2.0 technologies in the enterprise is driving unprecedented collaboration throughout business, but brings with it significant security risks, according to Gartner. These risks are manageable, but only if enterprises engage security early in the process and build a solid foundation to support Web 2.0, whilst limiting the risks.

Speaking at Gartner's IT Security Summit in Sydney today, vice president and Gartner Fellow Joseph Feiman said that while most Web 2.0 technologies are not new, many of the concepts run contrary to traditional IT security practices.

"Using and participating in these online services and communities forces enterprises to relinquish a level of control that they historically would not tolerate," said Feiman. "It is forcing enterprises to rethink their security strategies."

A recent Gartner survey found that most organizations have work underway to develop a strategy for Web 2.0, but few are prepared for or executing on that strategy. Gartner predicts that by year-end 2007, 30 percent of large companies will have some form of Web-2.0-enabled business initiative under way.

Feiman said that the security challenges created by Web 2.0 could be divided into two categories: protecting internal users and the enterprise, and protecting external applications.

The internal challenge is characterized by inbound risks, such as malicious code in RSS feeds, and outbound risks, such as information leakage through inappropriate blogging or use of collaboration tools. The external challenge is threats generated by enterprise usage and participation in Web 2.0 technologies, such as use of third-party content (mashups) and engaging in open user communities.

"The perils of user generated content have already been experienced by some newspapers which face the difficulty of readers posting inflammatory or offensive comments online. It's not yet clear what the rules are governing this kind of content or how it will affect the publisher's reputation.

"A similar risk that many enterprises are currently dealing with is employee blogging. Some organizations encourage it, others forbid it, and some have no formal policies at all. It's a two sided coin -- on the positive side blogging can build strong communities, brand awareness and transparency; but on the negative side blogging can reveal corporate secrets, arm disgruntled employees and have undesirable consequences."

According to Gartner, the open nature of Web 2.0 also presents significant challenges to the traditional enterprise approach to controlling intellectual property and proprietary content. In the outbound sense information leakage can occur in a range of ways such as blogging, instant messaging, collaboration tools and even online calendars. Similarly any content served by a Web 2.0 application can be re-formed, reused and redistributed by third parties, making it practically impossible to control content. This can include press releases, price lists, video and audio, all of which can be rapidly propagated across the Internet.

"There is no technology that can effectively protect content that is publicly accessible," said Feiman. "Rather enterprises should determine what content they are willing to have in the public domain, keep the rest private, and use licensing agreements as often as possible to help control distribution and use."

As with any collection of technologies, Web 2.0 comes with a wide range of vulnerabilities and risks and a few basic practices can limit an organization's exposure. Feiman identified the two most important practices for limiting risk when building Web 2.0-style applications as: adopting a secure development life cycle and focusing on validating all input, whether it is from an internal user or a business partner.

Gartner makes the following recommendations for enterprises adopting Web 2.0 technologies:

  • Secure coding is your best defense
  • Use Web vulnerability scanners
  • Validate all input on the server-side
  • Assume any public content will be reused in unexpected ways
  • Protect internal users and corporate assets with technology tools and education
  • Consider using application firewalls, content monitoring and filtering and data loss protection (CMF/DLP) and database activity monitoring