Avoid data leakage in a Web 2.0 world

Losing data such as intellectual property can harm an organisation competitively and, if it can be proven how the loss occurred and what party benefited, can potentially lead to expensive litigation.

Businesses face many regulations that force them to improve their security and implement safeguards. In a recent Quocirca survey 82 per cent of 250 respondents cited data protection laws as the most worrying regulation they face ­ more than twice as many as for any other.

Organisations are now taking great pains to ensure the data on which they rely, including personal data related to partners, customers and employees, is secure. But, in many cases, they are struggling to keep ahead of hackers who have turned their attention from using fairly simple methods, such as sending a virus as an email attachment, to a more targeted approach. One such method of attack is through the software applications that run on computer networks.

Software applications often contain millions of lines of code, making it likely that some mistakes will have been made in the writing of the code. Such flaws can be targeted by hackers and new types of attacks are emerging that look for insecurely written code and hunt for vulnerabilities in software applications.

However, while organisations are under pressure to protect the information they generate, they are increasingly making use of Web 2.0 applications that provide a much higher degree of interaction and allow for dynamic content to be produced on the fly, providing users with a much richer experience than the static web content of yesteryear.

To write Web 2.0 applications, a number of new programming tools have been developed, using dynamic user-friendly interfaces that allow a higher degree of collaboration. However, in focusing on the functionality that these programming techniques enable, less attention was paid to their security vulnerabilities.

A key problem is that through use of next-generation programming languages, m ore of the business logic, such as access controls and session management logic, is exposed to users and therefore to hackers.

Many Web 2.0 applications allow users greater control over the content they generate and give them the ability to publish content online. This is something that organisations should be wary of, since security issues can be raised by employees giving away personal, or even company-related information, through the use of such applications.

The need to place controls on the use of applications using new programming techniques ­ as well as to solve the productivity drain seen in some organisations through the use of newer, more socially oriented applications, such as social networking sites and blogs ­ is leading many companies to try to block or limit their use.

There are a number of technology tools that can be used to do this effectively. However, a large proportion of survey respondents are relying on policies alone for blocking or restricting access ­ and policies are notoriously hard to enforce.

A better strategy is to deploy both technology and policies and to ensure that employees are aware of their obligations laid out in the policies set. Organisations cannot afford to be complacent.

Quocirca’s report Why Application Security is Crucial is free to CRN readers and is due to be published shortly at www.quocirca.com.

Fran Howarth is principal analyst at Quocirca