About The Authors

Suw Charman-Anderson

Suw Charman-Anderson is a social software consultant and writer who specialises in the use of blogs and wikis behind the firewall. With a background in journalism, publishing and web design, Suw is now one of the UK’s best known bloggers, frequently speaking at conferences and seminars.

She recently launched Kits and Mortar, a blog about planning a green, cat-friendly self-built home. Her personal blog is Chocolate and Vodka, and yes, she’s married to Kevin.

Kevin Anderson

Kevin Anderson has been an online journalist since 1996, designing, editing and writing websites for both broadcast and print media. In 1998, he joined the BBC and became their first online journalist based outside of the UK, covering the US for its award winning news website. After coming to the UK in 2005, he developed a blogging strategy for BBC news, helped launch a programme on the BBC’s 5Live covering weblogs and podcasts and was on the team that launched the interactive radio programme World Have Your Say on the BBC World Service.

Kevin is now the Blogs Editor for The Guardian, where he is responsible for management, strategy and ‘leading by doing’ for Guardian Unlimited blogs.

All content © Kevin Anderson and/or Suw Charman

Corante Blog

Wednesday, October 1st, 2008

Web 2.0: John Meakin

Posted by Suw Charman-Anderson

Secure Web 2.0, an opportunity not an oxymoron
Standard Chartered Bank, big bank, not much presence in UK though. Very diverse, and also very spread out around the world. Have globalised, used to have each country with its own network etc. But still hard to communicate.

Eternal pursuit of more efficiency, noticed that workforce have gone out there and found ways of communicating, forming communities. Going to focus on Facebook, but could say same for LinkedIn and MySpace. Have >1000 SCB users in Facebook, including senior middle management. But Facebook was banned on official laptops, so forcing people to work less efficiently. Compelling case to use social tools, but a problem is security.

Want people to help people to work on new products, but that’s very sensitive, and you don’t want it on Facebook. Firstly, needed to check that you’re not completely mad, and looked at their peers. Many other businesses felt there was an efficiency gain to be had.

Used to work on a network that had various applications available, and around mid 90s, businesses realised that you could allow stuff to go across that network boundary, such as email. In meantime, businesses started to use more third party networks, e.g. outsourcing some services, and these are mediated over these networks. But your network becomes everyone’s network. As a result of this, there are some security issues, so you end up adding sticking plaster, so you’re always running to keep things secure. You can’t patch all the holes.

Net result is that you have a very hole-y boundary, because you’re putting so much info over your network boundary, you’re pumping info through firewalls that were designed to restrict information to a few types over a few channels. Firewall is becoming increasingly unusable. If you have a third party datacentre, you have a third party network within yours.

Am not the boy with the finger in the dyke trying to hold that back, because this is driven by good business needs. Efficiency, productivity.

Network begins to Balkanise, to shrink into islands, sometimes to individual application servers. Begin to de-emphasise the security that is given to you by virtue of being put on the network boundary and shrink the security mechanisms down to the PCs, to the servers. Endpoint is to shrink protection down to the info itself, which is maybe 5 years ahead. When you do that, you don’t care where the information is, so long as it’s protected.

We are beginning to lose control of our data. Lots of leakage stories. Have a mindset back in yesterday’s network, still allow information to spread without protection that’s credible. Don’t know where the information is, or what that information is. Once you take data out of an application, how do you know what it is?

How do we react to this? To begin to solve this problem we look at two things - encryption. We all use encryption every day without thinking about it, e.g. buying things from Amazon, using an ATM, payment transaction within the banking system. So old tech.

SSL - secure socket layer. Good, powerful.

Encryption is the ultimate solution. If we could protect everything with it.

IRM - information rights management. Protects any information, available to anyone using MS Office 2003 or 07. Has IRM built in. Can make it work if you use a central key management server.

We’re not using it because it’s not user friendly. Too difficult for end user. No good interface. Yet if we want to let SCB managers use Facebook we need to stop them from posting information that they shouldn’t. Right now, it’s too difficult for the end user.

How do we solve that problem?

The user problem: A survey showed that 25% of Britons have disclosed their PINs to someone else. We give away the information that is supposed to protect us. People struggle with more than one password, but the advice is to use a different pin for each one. How realistic is it to say that you should always keep hold of your bank card? We are trying to make the browser secure, but it was never designed to be secure, so how can we expect the user to take responsibility for that?

The solution should be flexible to the user.

Have mapped where their info is. Need to know where the sensitive information is. It’s concentrated in places like call centres where they talk to customers on the phone. Mapping the org can also tell you where you might want to block access to Facebook as a potential leakage route for this information.

Strategy says, discover where the info is, then interact with user to let them know when they’re using valuable information. That’s different to saying “If this is confidential”, this actually has a dialogue with the user to draw their attention to what they are doing.
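To make the "map first, then talk to the user" strategy concrete, here is an added sketch that is not from the talk or from SCB's systems. The unit names, sensitivity map, marker words and card-number pattern are all assumptions chosen for illustration.

```python
import re

# Assumed sensitivity map. The talk names only call centres as a place
# where sensitive information concentrates; "marketing" is hypothetical.
UNIT_SENSITIVITY = {"call-centre": "high", "marketing": "low"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")                 # candidate card numbers
MARKERS = ("confidential", "internal only", "customer account")  # assumed marker words

def luhn_ok(digits):
    """Luhn checksum, used to weed out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Return human-readable descriptions of what looks valuable in text."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("payment card number ending " + digits[-4:])
    lowered = text.lower()
    findings += ['marker "%s"' % w for w in MARKERS if w in lowered]
    return findings

def review_post(unit, destination, text):
    """Decide block / ask / allow for an outbound post; returns (action, message)."""
    # Step 1: the org map decides where the leakage route is closed outright.
    if destination == "external-social" and UNIT_SENSITIVITY.get(unit) == "high":
        return "block", "External social sites are not available from %s." % unit
    # Step 2: elsewhere, open a dialogue instead of silently blocking.
    findings = find_sensitive(text)
    if findings:
        return "ask", "This post appears to contain: %s. Post anyway?" % "; ".join(findings)
    return "allow", ""

if __name__ == "__main__":
    # Constructed sample input (4111 1111 1111 1111 is a well-known test number).
    print(review_post("marketing", "external-social", "Card 4111 1111 1111 1111 on file"))
```

The "ask" branch is the part that differs from a static "if this is confidential" footer: the user is shown what was detected at the moment they are about to send it.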

What about this opportunity? Can’t afford to wait til big solution comes along. In meantime, use WorkLight. Takes interim approach. If you are going to allow social networking, rather than have your data go out into the jungle, put in an intermediate point. Make Facebook available, but keep all info on that server. WorkLight goes further, you can keep your enterprise applications exposed on a Facebook homepage through a gadget running on your network. Exposes your information but retains it at home. No point trying to remake Facebook as they have done it themselves already.

So when you use WorkLight, all the information stays within the business’ own servers. Manages access rights to prevent some people seeing some things. Allows you to ensure that it’s only your own people who can join your Facebook so you can tie it into your own security systems.

WorkLight doesn’t secure everything, though. It can’t.

Piloted this, but you can’t predict how people are going to use it. Started off with three communities that they thought really needed it. Make it available to everyone, why try to predict how people are going to use it, just let them do it.
