security

Is socializing a security threat?

I’ve just come back home from a day at Infosec’09. What emerged from my visit at the exhibition held at Earl’s Court, London, is that security people are heading towards two goals:
– implementing security solutions using the Cloud Computing paradigm
– limiting internal risks by cutting employees’ access to personal e-mail or social networking websites.

I don’t know if you share this view, but I believe the two goals rely on two philosophies that are too far away from each other to co-exist. Namely, Cloud Computing brings globalization to the world of utility computing. Company are allowed to run their applications on servers that are, ultimately, shared with other companies. The basis for cloud computing is, I think, the trust in your provider and in the Internet itself. Every contract (or, simply, contact) of externalization relies on a web of trust.

I believe cloud computing to be the technical counter-part of Web 2.0, a mash-up of some extent, this time on a lower level of the TCP/IP stack (where Web 2.0 is at application/presentation level). Cloud computing is a really good thing because it allows companies of every size to personalize their technical solutions. The allocation of server resources can be effectively tuned according to the company needs and possibility of expense.

Social networking is actually based on the same philosophy, the globalization of user contacts and information. Surely this poses threats to privacy, but I’m not sure that these are to be tackled using a cut-every-service approach. Let’s be honest: companies want their employees to work and be productive. They see the time spent on social networking websites as time lost to productivity goals. But are things really this way?

My feeling about social networking is that the information sharing is actually able to improve performances. Let’s face reality: an unproductive employee will be unproductive no matter the possibility to connect to Facebook or Twitter. On the other hand, productive employees can effectively exploit social networks as a work tool. Which means you can use web 2.0 to learn to do task in a different way, or simply to explore what competitors are making.

Let’s take Twitter as an example: many companies are using it as a tool for corporate communication. Are we sure that preventing an employee from reading what his or her peers of a direct competitor are doing is a loss in performance?

Summarizing, I can’t see how social networking can be a security threat more than allowing employees to keep printed newspapers on their desks. Good employees will read the news and will make good use – for the company – of what they read; bad employees will keep on reading instead of working. Once again, it’s not IT security that can solve human-related problems. When companies will understand this, we will be finally able to move the debate on what can be best practice rules for exploiting web 2.0 in a corporate environment.

Standard