Brian Roddy is the senior vice president of engineering for Jive Software.
The recent news of government secrets posted to WikiLeaks has refocused enterprise IT on data security. Due to the ease of gathering and transmitting massive amounts of data in a short period of time, the cost of a single leak continues to grow exponentially. Meanwhile, thanks to exciting innovations in the consumer web, employees are demanding the benefits and openness of social networking inside the enterprise. Enterprise social solutions yield huge, measurable benefits. It's just a matter of time before these two forces collide in your organization — if they haven't already.
While social networking has relaxed an individual's notion of privacy, "oversharing" in the enterprise context leads to increased risk. This risk is increased by unsanctioned social freeware that encourages employees to bypass IT altogether. In the name of openness and the cloud, these freeware solutions actively solicit people to share confidential company information with their co-workers, completely outside of the enterprise, on a system without any formal corporate controls. This is a regulatory lawsuit waiting to happen.
But, there are alternatives. Enterprise social software can be securely deployed from the cloud or from within the enterprise if adopted in the right way. To address these challenges, IT has to rely on the same tried and true security approaches, adapted for the new, social world. And most of the work involves addressing AAA — authentication, authorization and accounting — in the context of these new, open systems. Here are three lessons my company has learned by working with our customers that you can use in rolling out secure deployments of social business software to avoid your own WikiLeaks-like disaster.
Lesson 1: Authentication
Authentication enables a system to validate a user's identity. For more than 10 years, enterprises have been rolling out single sign-on systems to simplify the management of usernames and passwords across multiple internal systems. A huge advantage is that, if needed, you can revoke a user's account in one place and know that he or she will be denied access to all the integrated systems.
Integrate your SSO into your social system. In the context of a social system, the identity of the user becomes paramount. Integrating this system with the store of usernames and passwords not only gives you the ability to authenticate, but provides access to other data in the directory such as organization structure. The good news is that adoption of open industry standards has radically simplified this kind of integration. Almost every company has adopted SAML (Security Assertion Markup Language) as the integration method of choice. Even some of the holdouts, like Microsoft, are now on board with providing this cheap and consistent mechanism across software. This lets solutions from both inside and outside of the enterprise connect.
Segment authentication between your internal and public communities. An interesting and related development is that many companies now have multiple single sign-on systems. It's oxymoronic but true. One SSO is used for internal employees; another is used for external partners, vendors and/or customers. Because external communities are an important part of the social system, all the same requirements and challenges apply in both contexts. One company we spoke with had the same SSO for both internal and external communities and often people accidentally posted internal documents externally. Maintaining clear separation between these communities is important, as is keeping a bridge between them to allow the right communication and collaboration.
Don't forget username and password basics. It's more important than ever to remember the human element. External communities are targets of hackers all the time. People still leave passwords with their default values. People still create guessable passwords. The same goes for usernames. In one instance, a company set up its system so that an end user could choose "admin" as his username. This wasn't done maliciously but the person did get administrative privileges and could have done real damage.
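The "admin" username and default-password problems above are cheap to catch at self-registration time. The following is an added example, not code from the article or from Jive Software; the reserved-name list, the default-password list and the minimum length are assumptions chosen for illustration and would be replaced by the company's own policy values. It normalizes the requested username (case, Unicode compatibility forms, trailing digits and separators) before comparing it against reserved names, so "Admin1" or a fullwidth "ａｄｍｉｎ" is rejected as well as "admin".

```python
"""Reserved-username and default-credential checks for a self-registration form.

Added example; not code from the article or from Jive Software. RESERVED_USERNAMES,
DEFAULT_PASSWORDS and MIN_PASSWORD_LENGTH are assumed policy values for illustration.
"""
import unicodedata

# Assumed: names that must never be self-selectable (the article's "admin" case
# plus other common privileged or system account names).
RESERVED_USERNAMES = {
    "admin", "administrator", "root", "system", "support", "security", "sysadmin",
}

# Assumed: well-known default/vendor passwords that are rejected outright.
DEFAULT_PASSWORDS = {"password", "admin", "changeme", "welcome", "123456", "letmein"}

MIN_PASSWORD_LENGTH = 12  # assumed policy threshold


def normalize_username(raw: str) -> str:
    """Fold case, apply NFKC and strip whitespace so 'Admin', ' admin ' and the
    fullwidth 'ａｄｍｉｎ' all compare equal to 'admin'."""
    return unicodedata.normalize("NFKC", raw).strip().casefold()


def is_reserved_username(raw: str) -> bool:
    """True if the name, or the name with trailing digits/separators removed
    ("admin1", "admin_", "root-"), is on the reserved list."""
    name = normalize_username(raw)
    stripped = name.rstrip("0123456789._-")
    return name in RESERVED_USERNAMES or stripped in RESERVED_USERNAMES


def password_problems(username: str, password: str) -> list:
    """Return the password-policy violations for this username/password pair."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.casefold() in DEFAULT_PASSWORDS:
        problems.append("password is a well-known default value")
    if password.casefold() == normalize_username(username):
        problems.append("password is the same as the username")
    return problems


def validate_registration(username: str, password: str) -> list:
    """Return all policy violations; an empty list means the request passes."""
    problems = []
    if is_reserved_username(username):
        problems.append(f"username {username!r} is reserved")
    problems.extend(password_problems(username, password))
    return problems


if __name__ == "__main__":
    # Constructed sample registrations.
    for user, pw in [("admin", "password"),
                     ("Admin1", "Tr0ub4dor&3xyzq"),
                     ("jdoe", "correct horse battery staple")]:
        print(user, validate_registration(user, pw) or "OK")
```

The checks return a list of reasons rather than a boolean so the registration form can show every violation at once, and the reserved-name comparison happens after normalization so that a lookalike spelling cannot slip past a naive string equality test.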
Lesson 2: Authorization
Authorization is the function of specifying the kind of data or functionality a user can access. The data that was published on WikiLeaks is an example of the danger of loose authorization. Very few individuals should have access to that much confidential information. In the enterprise context, the Sarbanes-Oxley Act (Sarb-Ox) mandates documented controls on access to information systems that can affect the finances of publicly held companies.
Map your existing data security policy to your social system. To address Sarb-Ox compliance, some enterprises have invested in enterprise entitlement software that provides a rich model that defines access to data. Although this software is powerful, because it is relatively new and complex to deploy, it is not broadly adopted yet. If available, it provides a great starting point for integration with social business software. Even if not, most companies have a well-documented data security policy. Make sure your social system has enough fine-grained controls to map this policy directly to the forms of collaboration provided by the system.
Use your community to help secure data. One example of where social software can provide surprising value is on the community policing of data availability. A few of our customers have implemented reward schemes for their employees who discover data that has been incorrectly shared. This helps catch a surprising amount of mistakes that cannot be caught programmatically.
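The "map your existing data security policy to your social system" advice becomes concrete when the classification ladder and the community types are written down and checked on every share. The following is an added example, not code from the article or from Jive Software; the classification levels, community types, policy ceilings and community names are assumptions made for illustration and would in practice come from the documented data security policy or an entitlement system. It fails closed on unknown communities or classifications, refuses to let internal data reach an external community (the accidental-posting case from Lesson 1), requires group membership for restricted data, and writes an audit record for every decision so the accounting side has something to work with.

```python
"""Mapping a data-classification policy onto community sharing decisions.

Added example; not code from the article or from Jive Software. LEVELS,
COMMUNITY_CEILING and COMMUNITIES are assumed policy values for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Assumed classification ladder, least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]

# Assumed policy: the most sensitive classification each community type may hold.
# External communities (partners, customers) never receive internal data.
COMMUNITY_CEILING = {
    "external": "public",
    "internal": "confidential",
    "finance": "restricted",   # assumed Sarb-Ox-scoped group with documented controls
}

# Assumed community names and their types.
COMMUNITIES = {
    "customer-portal": "external",
    "engineering": "internal",
    "finance-controls": "finance",
}


@dataclass
class Document:
    doc_id: str
    classification: str
    owner_group: Optional[str] = None  # restricted data also requires membership here


@dataclass
class AuditRecord:
    when: str
    actor: str
    doc_id: str
    community: str
    decision: str
    reason: str


@dataclass
class SharingGuard:
    audit_log: List[AuditRecord] = field(default_factory=list)

    def _decide(self, actor: str, doc: Document, community: str,
                allowed: bool, reason: str) -> bool:
        # Every decision, allow or deny, is recorded for later review.
        self.audit_log.append(AuditRecord(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, doc_id=doc.doc_id, community=community,
            decision="allow" if allowed else "deny", reason=reason))
        return allowed

    def may_share(self, actor: str, actor_groups: Set[str],
                  doc: Document, community: str) -> bool:
        """Return True only if the policy permits posting doc into community."""
        ctype = COMMUNITIES.get(community)
        if ctype is None or ctype not in COMMUNITY_CEILING:
            return self._decide(actor, doc, community, False, "unknown community")
        if doc.classification not in LEVELS:
            return self._decide(actor, doc, community, False, "unknown classification")
        if LEVELS.index(doc.classification) > LEVELS.index(COMMUNITY_CEILING[ctype]):
            return self._decide(actor, doc, community, False,
                                f"{doc.classification} exceeds {ctype} ceiling")
        if doc.owner_group and doc.owner_group not in actor_groups:
            return self._decide(actor, doc, community, False,
                                f"actor not in owning group {doc.owner_group}")
        return self._decide(actor, doc, community, True, "within policy")


if __name__ == "__main__":
    # Constructed sample: an engineer tries to post an internal document externally.
    guard = SharingGuard()
    memo = Document("D-1", "internal")
    print(guard.may_share("alice", {"eng"}, memo, "customer-portal"))  # False
    print(guard.may_share("alice", {"eng"}, memo, "engineering"))      # True
    for rec in guard.audit_log:
        print(rec.decision, rec.actor, rec.doc_id, rec.community, rec.reason)
```

Because the policy is a table rather than scattered conditionals, changing the ceiling for a community type or adding a classification level is a one-line edit that can be reviewed against the written policy, and the audit log gives the reason for each denial so mistaken shares that the community reports (Lesson 2's reward scheme) can be cross-checked against what the system actually decided.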
Lesson 3: Accounting
Accounting typically refers to having controls and auditability of the security systems in place. This facilitates strong governance and forensics when things go wrong. More recently, people have included regulatory electronic discovery requirements in this category.
Have an e-discovery plan. There's a wide range of systems for supporting security accounting. The current hot trend is around e-discovery solutions that can not only store this information but also help facilitate forensic investigations. This is top of mind for many IT departments today. Many of these systems were designed around e-mail. Unfortunately, the way people have integrated with them is by converting every transaction within systems (instant messaging, social business software, etc.) into an e-mail. Software is evolving rapidly and most vendors will have new capabilities that are much more suited to the richness of communication. Get educated on these solutions and start thinking about how you could roll them out.
Leverage social business software to simplify e-discovery. Besides the obvious requirement to eventually connect the social business software to these kinds of systems, there are some hidden benefits to collaboration systems. By combining messaging, forums, document sharing, etc., these systems provide an excellent integrated source for what was previously disparate data. This makes it easier to aggregate the needed information into a single system.
Don't Let a "WikiLeak" Happen to You
The benefits of enterprise social solutions are too great to ignore. And so are the security risks. Unsecured cloud-delivered solutions are creeping into and around enterprise in an undisciplined and dangerous way. Your company must be proactive in addressing these challenges. You need to define your security requirements for these systems and create a roll-out plan that embraces not only the critical community aspects but also how to map to compliance and regulation. It's not overly difficult; it just takes a little time and forethought. The end results are powerful and give you the best of both worlds.