Three must-haves to securing the social web

by amarinder on July 28, 2011

The social web
Social networking and Web 2.0 are all the rage. With Facebook, Twitter, Bebo, YouTube, Google, Yahoo, Flickr, LinkedIn, WordPress, and more, there are over a billion socially active people today — a number that continues to grow at an astounding rate. The social web has emerged as a valuable business tool for the modern enterprise, touting rich applications with real-time interaction and user-generated content.

But along with its enormous popularity come significant risks. So in the race to maximize its potential, enterprises must take due care to protect the business. The following are three must-haves to securing the social web:

Acceptable use policy control

The URL is no longer sufficient for acceptable use policy controls. The web is the content the employee sees on the page. Facebook, for example, is a social networking site, but the content on any given page within it could be entertainment, gambling, pornography, or a security risk. So to provide acceptable use policy controls in today’s social web, you need technology that scans the content on the page (not just the URL) in real time, as the user accesses it, and can control access to discrete portions of content (not just the entire page), as well as applications (e.g., Farmville, MafiaWars) used within it. This is called real-time content classification and must be done at the Internet gateway for both HTTP and HTTPS protocols (since Facebook and many other sites support SSL). Only with real-time content classification can you get the visibility and control needed to enforce acceptable use policy in the social web.

Malware protection

Attackers are now social too, which is why we’re seeing an increase in security threats on social networking sites: both old-style attacks being reborn in the social web medium and new, sophisticated threats that target vulnerabilities in the browser and gaps in antivirus solutions. The social web is built on a platform that is dynamic and script-based, and so too is the modern malware that lives within it. Like the real-time content classification used for acceptable use policy control, enterprises must be able to perform real-time security scanning for malware on the social web. This includes scanning all code on the page in real time, at the Internet gateway for both HTTP and HTTPS protocols, going beyond signature- and reputation-based scanning (since sites like Facebook, for example, are reputable) to decompile Flash, JavaScript, and the rest of the code on the page, on the fly, and inspect it for both legacy and modern attacks. Only with real-time security scanning can you get protection from modern malware in the social web.

Data loss prevention

39 percent of malicious web attacks include data-stealing code. And one of the prime benefits of social networking is that users can share content. Of course, with all the malware out there and users’ ability to share content comes big risk. While your first instinct may be to block all posts to Facebook, this can erode the utility of the application. What’s more, how you identify data loss is critical to stopping it. Basic keyword and regular expression-based detection can often lead to false positives and negatives, and may lack the necessary workflow and reporting. Contextually-aware DLP controls, by contrast, allow you to, for example, prevent sensitive and regulated customer information from being uploaded to any social networking, personal email, or personal storage site, while letting that same data be posted to SalesForce.com, your CRM solution. With accurate data identification and contextually-aware controls (i.e. controls that tie user, data, and destination policy objects) you can safely enable use of social networking and cloud-based applications simultaneously.
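As an added illustration (not code from the original post) of the difference between a bare regex match and a DLP decision that ties user, data and destination together: a naive digit-run pattern flags a plain order number, a Luhn check rejects it, and the policy then lets a real card number reach the sanctioned CRM but not a social networking site. The destination table, the role names and the sample records are all constructed for the example.

```python
import re

# Constructed destination categories. A real gateway would take these from its
# URL categorization feed; the three entries below are made up for this example.
DESTINATION_CATEGORY = {
    "facebook.com": "social_networking",
    "webmail.example.net": "personal_email",
    "salesforce.com": "sanctioned_crm",
}

# Naive pattern: any run of 13 to 16 digits, optionally separated by spaces or
# dashes. On its own this is the kind of check that produces false positives.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def naive_matches(text: str) -> list:
    """Regex-only detection: everything that merely looks like a card number."""
    return [m.group().strip() for m in CARD_RE.finditer(text)]


def validated_cards(text: str) -> list:
    """Regex candidates narrowed to those that satisfy the Luhn checksum."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.append(digits)
    return found


def decide(user_role: str, text: str, destination: str) -> str:
    """Contextual policy: (user, data, destination) decide allow or block."""
    if not validated_cards(text):
        return "allow"                      # no sensitive data identified
    category = DESTINATION_CATEGORY.get(destination, "uncategorized")
    if category == "sanctioned_crm" and user_role == "sales":
        return "allow"                      # card data may go to the CRM
    return "block"                          # social, webmail, unknown: stop it
```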

Reasonable security for sensitive personal information

Parag Deodhar is Chief Risk Officer and Vice President – Process Excellence & Program Management, Bharti AXA General Insurance Company Limited.

In the information security (info-sec) realm, we generally get to hear the prefixes ‘total’, ‘comprehensive’, ‘best in class’, etc. I had never heard the prefix ‘reasonable’ (in the context of security) before it was mentioned in the IT (Amendment) Act 2008. Even then, it has only come up for debate amongst info-sec professionals.

‘Privacy’ is another term that was very rarely used in the Indian context. True to the Indian fondness for ‘imported’ stuff, we were well-versed with laws like HIPAA, EU data protection, and PCI-DSS. But we continue to lack indigenous data privacy legislation.

On 11 April 2011, the Government of India brought about a sweeping change in one stroke: the IT (reasonable security practices and procedures and sensitive personal data or information) Rules 2011. This, in my view, has changed the rules of the game. But what does it mean for Indian organizations?

Sensitive personal information

To begin with, organizations will need to understand what constitutes sensitive personal information and analyze the information being collected at various points from their prospective/current customers, partners, and suppliers. It may be at the point of acquiring the customer, when doing a promotional event (outsourced to a marketing company), or in a contest on the website. As per the rules, a password also constitutes sensitive personal information. So, if you require a customer or partner to create an account on your website with a user id and password, you are required to comply with these rules, even though you may not be taking any other personal information like financial details, debit/credit card/bank account numbers, health information, etc.

Privacy policy

All organizations in India collecting, storing or transferring sensitive personal information will need to put in place a privacy policy and make it available publicly, i.e. on the company website.

Information collection and retention

Organizations will also need to take explicit permission from the information owner regarding the purpose of usage, in writing, through a letter, fax or email. This could turn out to be a very challenging process. While organizations that get forms filled for account opening, proposal forms, etc. could include the consent in the form itself, it would be difficult to implement where forms are filled or information is collected online, e.g. online insurance policy issuance, hotel booking, visa applications, etc. The rules do not make it clear whether ticking the ‘I Accept’ box on the terms and conditions on the website will be good enough. If organizations choose to take this consent over email, will this electronic record be held valid only if digitally signed in accordance with the IT Act?

Organizations will be required to educate the information owner on the purpose, the intended recipients, and the agency that will retain the information. This means that if you have outsourced any of your data processing activities, you will need to disclose, at the time of collection, the names of the outsourced partners who will use this personal information.

Organizations are also required to allow the information owners to review the information stored and correct it if any discrepancies are found. This will probably require an addition to the customer service window. A grievance officer will need to be appointed and details published on the website.

The information owner can also withdraw this consent (in writing, of course) and the personal information will need to be removed from the records. In such cases, the organization reserves the right to stop providing the service to the information owner. I wonder if organizations will still need to keep the information in their records if required by law for a particular period. This seems to be a contradiction and will need some clarification.

Data transfer

If organizations want to transfer sensitive personal information to any other organization, e.g. an outsourced data processing unit, call center, or data center, then they need to ensure that such third parties have the same level of security as maintained by the organization. It will be imperative for organizations to mandate the level of security and also to ensure that the standards are met by the partners through regular audits.

Data destruction

Organizations should not store data for a period longer than is required for providing the product/services unless required by law. Organizations will need to implement secure data deletion processes for all data, including backups stored on tapes, at offsite locations, at DR sites, and, not to forget, in the cloud. They will also need to ensure that data is deleted securely from outsourced partners and their DR sites.

Reasonable security

Organizations are required to document and implement reasonable security practices and processes covering managerial, technical, operational, and physical security measures, commensurate with the information to be protected. The rules also recommend ISO 27001 as a standard that covers all these requirements. If organizations prefer to follow their own security measures, they need to get those measures approved by the Central Government.

Organizations will also be required to get their security measures audited annually by an independent auditor approved by the Central Government. In the event of an information security breach, organizations must demonstrate that they had implemented reasonable security processes.

Checker-board

Looking at the history of information security breaches in India, both published and unpublished, data privacy rules are definitely required. However, in my opinion these rules should be practical and ‘reasonable’ to implement. In their current form, some of these rules pose multiple challenges to implementation in their true spirit. Again, what constitutes ‘reasonable’ security will remain a matter of interpretation and I suspect would be an area of major debate in the coming days.
