Web 2.0 - Meet Security 2.0
- By Craig Scroggie
- Published 03/7/2008
Like so many of the people I know, I live much of my life online. Every year, every month, every week I find more to do, enjoy and engage. “Balance,” you say. I know. I know – and I really will tackle that one next. But, for now, Web 2.0 is changing the way I, and many, many others, communicate with friends, family and business colleagues.
What we do on the internet has changed over the past two years. Typically there’s now much more social interaction and collaboration – I’m writing blogs, and commenting on others’ blogs, I post comments on forums, and I share photos and videos. And I’m not alone – according to recent research, some of us apparently even prefer our online friends to the friends we have in the physical world.
Meanwhile, at work I’m sharing information across Symantec via intranets, websites, corporate blogs and transacting online with customers, partners and suppliers.
Now it’s great that Web 2.0 technologies are creating exciting opportunities, but the downside is that they’re also introducing new security risks. That has little to do with technology per se, and everything to do with changes in the way we think of, and thus control, our organisational borders.
We can’t hide our business behind an impenetrable wall any more – trying to keep the users and their information safe inside by keeping the threats and dangers outside. My employees are everywhere, our partners are faceless, we sometimes have to trust our data to third parties. Meanwhile we try to secure data that is not always in our control. That’s why at Symantec we say that people are the new perimeter.
With all this going on, security can’t only be about locking things down. Security should help your business to thrive – confident that your infrastructure, information and interactions are protected.
To operate safely in the Web 2.0 world we need Security 2.0. By that I mean that, just as Web 2.0 offers new ways to boost productivity, increase revenue and reduce costs, so does Security 2.0.
The bad guys today don’t just target your notebook or desktop or smartphone – what the hackers and attackers are really after is the information on them and the interactions you have with the people you do business with, your customers, partners, colleagues and suppliers.
Security 2.0 is about balancing risk so you and your business are protected but not restricted. Security should make doing business easy, not hold you back. You need it to keep the threats out, the information in, and help you to comply with regulations and policies. You do have to take some risks – after all, no risk means no opportunity. But, managing IT risk should be a simple, standard, automated process.
Since you can’t lock down the perimeter without crippling your business, the focus shifts to protecting the information itself. To do this, you need to know where your information is, what’s sensitive or confidential, who has access to it, who needs access to it, who definitely shouldn’t have access to it, and how you can make sure it’s protected and available when you need it. Sounds simple enough – but to get it working right you need security, operations and the business to work together.
With Security 2.0 you adapt security depending on the level of risk. How important is the information you’re protecting? Do you know and trust the person or company who is trying to access your systems and information? For example, security parameters should automatically change depending on whether you’re connecting to your network from inside the firewall or from an airport or hotel kiosk.
This kind of thing is happening already with anti-spam solutions, which analyse the behaviour and reputation of IP addresses to decide what messages get blocked. Products like Symantec Endpoint Protection use reputation-based security technologies like whitelisting and proactive threat protection – technologies that consider behaviour (good and bad) to determine which applications and executables are permitted.
But the biggest shift in Security 2.0 is how we need to drive it within our own companies. Judging by the people I’ve talked to recently, it seems that most businesses still address security and risk in silos, so there are distinct and often disconnected processes and technologies in different parts of the business. While the risks may be interconnected, the processes and technologies often aren’t.
In my opinion, security needs to be embedded throughout your business processes from the start.
And the human side of security is just as critical. You need to define policies consistently and socialise them before controls can be put in place. Successful companies get the policy right first and then implement technology to make it work, not the other way around.
Security 2.0 is an evolution. The old goal of security – keeping the bad guys out – is still important but it’s not enough anymore. Nowadays security also needs to protect the information and interactions themselves. So you need a more dynamic view of security – technologies and processes that adapt to each device, person and application. Security 2.0 is policy first, then technology.
When you get it right it becomes part of your everyday operations. It will speed progress and reduce costs and give you the peace of mind to make the most of the opportunities Web 2.0 brings, not to mention free you up to spend more time on your personal blog…
About the author Craig Scroggie
Craig Scroggie is Symantec’s Vice President for the Pacific region, encompassing Australia, New Zealand and the Pacific Islands, responsible for driving Symantec’s sales and business development. Scroggie serves as senior leader for the overall Symantec business in the Pacific region.