Wellingtonians showed themselves to be pretty knowledgeable about Web 2.0 security issues at a vendor breakfast meeting held in the capital last week.
A representative of one government body got Peter Croft, the Asia-Pacific managing director of security vendor Clearswift, to acknowledge that the company’s current mail and web-filtering products neither filter nor watch Skype traffic. However, another product, aimed at instant messaging and not a topic of the presentation, does, says Croft.
One obvious tactic is to block access to either the Skype website or the download of the Skype software, or to use in-house policy to prevent installation of the application even if it is downloaded, says Croft.
Delegates at the meeting said that Skype not only represents a vulnerability in respect of information leaking out of the organisation but also has the potential to soak up bandwidth.
“Our organisation says if Skype is installed it must be done by IT, and users are not permitted to activate supernode capability”, said the questioner. Supernode allows unrelated users on the Skype network to use the organisation’s bandwidth.
While access to social networking sites can be blocked, and is routinely blocked, many organisations are in a bind here as they use such sites both in recruiting and to check on applicants. This means access might have to be selectively opened to the human resources department — something that Clearswift’s MIMEsweeper appliance can do.
The bugbear issue of SSL-encrypted traffic was also raised. The ability to examine the traffic on encrypted HTTPS sites will be added in the next release, due out about now, says Croft. This, in turn, raised questions about whether the intercepted data would become available unencrypted anywhere it might be read. Croft says any traffic that is not blocked will be re-encrypted before it is passed on.
Web 2.0 has forced a rethink in security, says Croft. Restricting access to undesirable websites is no longer enough. Nowadays, it is more important to check and, if necessary, block the content that passes through, once access has been granted.
Security precautions have to be backed by a clear policy, he says. (This can be set up quite straightforwardly through a GUI in Clearswift’s web and mail-scanning appliances.) But it is not as simple as blocking access to social networking websites, which are used by the skilled young people companies want to attract.
Almost no hands went up in the audience when Croft asked who checked outgoing traffic for possible confidential information leaving the organisation. The Clearswift filters can check for basic information such as the company name, the names of directors and credit card numbers — though clearly it is not always appropriate to put a blanket ban on these, says Croft.