Web 2.0 users open a Pandora’s box of security problems

Next generation net brings benefits but introduces hazards

When she can’t find the financial information she needs in the system, the vice president asks her assistant to export the raw data from the financials database into a text file and email it to her at a remote meeting. She receives the file, imports the proprietary data into a spreadsheet, massages the numbers and shares the document online with another assistant, who polishes the final product. The presentation is a success, but the process didn’t involve Microsoft Office, SharePoint or other IT-approved enterprise-class collaborative tools.

In fact, everything happened out of band. The raw data went to the executive’s personal Gmail account, and the new document was created and shared using Google Spreadsheets. Copies of the data now reside on Google’s servers.

Google Apps, ThinkFree Office and other hosted Microsoft Office alternatives are gaining in popularity as ad hoc collaboration tools. But such software-as-a-service (SaaS) offerings have few, if any, service-level or security guarantees and can leave a trail of potentially sensitive data on publicly accessible servers on the web.

The suites of hosted applications, built using Flash, AJAX or other Web 2.0 technologies, deliver a lightweight alternative to Microsoft applications at little or no cost. While far less full-featured than Office, the streamlined SaaS products are faster and easier to use than their bloatware equivalents. As a result, the applications are growing in popularity among users. Half of ThinkFree’s 250,000 customers are business users who share growth projections, marketing materials, sales presentations and other documents online. The technology is working its way in through business’s back door in much the same way web mail and instant messaging did.

Users may start using online application suites at home as a fast and easy way to set up collaborations with friends and colleagues in clubs, civic organisations or other groups. It’s an easy way to use shared calendars, discussion forums, collaborative workspaces and tools for creating documents, spreadsheets and presentations.

Because users need only a web browser, there’s no need to worry about application, file and cross-platform incompatibilities. Using those same, familiar tools in a business context is a natural progression.

Even some business unit managers are jumping on board, viewing these consumer-grade services as a way to reduce chargebacks from IT, says John Pescatore, an analyst at Gartner.

Unfortunately, little thought is given to reliability or security risks. Authentication is typically limited to a user log-in name and password. While data in transit across the internet is encrypted using Secure Sockets Layer, the services generally don’t offer encryption for data at rest on the provider’s servers. If something goes wrong, support may be limited. And availability isn’t guaranteed (Google offers an uptime guarantee only for its Gmail application as part of its Google Apps Premier Edition subscription).

“What if someone hits Google with a denial-of-service attack?” Pescatore asks. If that spreadsheet is inaccessible or takes ten minutes to load, the user is out of luck.

Some products offer a file synchronisation function, but in most cases, backups require downloading a local copy of each file to the user’s machine — a cumbersome process if you have many files. (One vendor, AdventNet, offers a version of Zoho Virtual Office that can be hosted on users’ own servers, where files can be managed and secured by IT.)

Then there’s patching. Microsoft issues patches once a month, and administrators test each before deployment. With services such as Google Apps, updates and patches happen automatically and without warning. If online applications become the primary tools for workflows and collaboration, as Microsoft Office is in many businesses, it’s possible that things could break.

“These applications — the enterprise doesn’t get any visibility into them,” Pescatore says.

Most important, the security of data on back-end servers can’t be guaranteed.

“How does Google demonstrate that I can’t link to some other company’s spreadsheet?” Pescatore asks. It doesn’t.

Providers of enterprise-grade hosted applications, such as Salesforce.com, don’t just make promises about such things. They go through audits to prove to customers that their back-end servers are secure. Google and others provide no such assurances — even to those paying US$50 (NZ$70) per year for Google Apps Premier Edition. A US$50 subscription is still a lot less than Office 2007 costs, but you get what you pay for.

“You either accept the risks to save money or you spend more to mitigate the risks. Then the savings aren’t as large,” Pescatore says.

One way around the problem is to ban the use of hosted application services and provide users with viable alternatives, such as web-accessible in-house collaboration platforms and virtual desktops using products such as Citrix’s Presentation Server or VMware Desktop.

As with public instant messaging and web mail, however, the services may have valid business benefits in some situations — especially in smaller businesses working with less-sensitive data. But administrators need to establish clear policies with regard to their use and educate users about the risks.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Web 2.0Security ID

Show Comments