Web 2.0 Security: Getting Collaborative Peace of Mind

Experts agree that part of the investment that enterprises are making in Web 2.0 technology must include security measures to protect organizations' intellectual property. One reason that Web 2.0 garners more attention for security safeguards than its predecessors is that its open nature makes it naturally more vulnerable to breaches.



Web 2.0 applications have opened up a lot of communication channels -- and opportunity -- for business professionals. They can, more than ever before, reach out to individuals from across the globe and share content and web applications. Through blogs, wikis, and social networking sites such as Facebook and LinkedIn, people are becoming more and more electronically intertwined. "There's a sense of security in a Web 2.0 world where people trust their personal information to others," says Jordan Frank, VP of sales and marketing for Traction Software. "They trust these sites." Frank points out that some people trust such systems just because their friends do, and because sites such as Facebook haven't let people down -- yet. He cautions that a breach could cause a backlash against such networks. "Ensuring success in Web 2.0 means that trust doesn't get broken," says Frank.

Most companies don't want to inhibit the collaborative flow that Web 2.0 has brought with it; they don't want it to hinder their overall operations and they want to continue to build on their Web 2.0 platforms. A Gartner Executives Programs survey of 1,500 CIOs from across the globe revealed that half of the respondents expected to invest in Web 2.0 technologies for the first time in 2008.

Internet experts agree that part of that investment must include security measures to protect organizations' intellectual property. One reason that Web 2.0 garners more attention for security safeguards than its predecessors is that its open nature makes it naturally more vulnerable to breaches. "The fact that security is becoming an issue speaks to the growth that Web 2.0 applications are having in the business world," says Isaac Garcia, CEO and co-founder of Central Desktop, which offers a web-based business collaboration platform.

Companies need to recognize the fact that the benefits that new technologies afford are typically accompanied by challenges. Web 2.0 is no different in this regard than any other technology offering. "The key thing is that when you're rolling out new technologies, these new technologies bring new vulnerabilities, as well as renew old vulnerabilities," according to John Pescatore, VP of Internet research at Gartner, Inc. "It's an important time to build security features."

The Implications

Web 2.0 security goes beyond the content that users find on the web and share with others within their network. It also involves preventing data leakage; that is, ensuring that content doesn't find its way out, notes William "Sandy" Bird, CTO of Q1 Labs. The main vulnerabilities can be found directly in the collaboration applications such as wikis and blogs, in syndication (RSS feeds and mashups), and in Rich Interface Applications (RIA) and AJAX-enabled Web sites. Web 2.0 applications are vulnerable to a variety of threats, from cookie tampering to cross-site scripting (XSS) attacks.



Oftentimes, when such attacks occur, the user is unaware that his computer -- and important data -- has been compromised. It's a different world from years ago when viruses would wreak immediate (and very obvious) havoc on computer users. The threat may be imperceptible, and potentially even more dangerous.

The potential for security breaches caused by Web 2.0 technology is not likely to go away on its own. As more and more individuals use these applications (especially in the workplace), the risk of suffering security breaches will likely increase considerably. In fact, companies are facing security issues on both the client side and the server side, says Danny Allan, director of security research for IBM Rational. Both can have devastating effects on companies, their employees, and their customers when the data created and stored in these Web 2.0 environments is compromised.

"Web 1.0 was a static page. With Web 2.0, you've got more client-side processes, like AJAX and widgets. Technically, there's more going on," says Doug Camplejohn, CEO and founder of Mi5 Networks, which focuses on the client side of the security issue.

Don't Drop Your Guard

This collaborative environment seems to be one in which users have let their guards down. "People don't read licensing agreements, they'll add a widget or they'll click on a link," adds Camplejohn, noting that the "bad guys" have gotten better at making harmful applications look legitimate. What has also changed, notes Camplejohn, is that when a virus and spam infected a system, their effects were noticed immediately. "The new threats are silent," says Camplejohn. "They sneak in under the radar."

Mi5 Networks provides companies with Webgate appliances that help prevent vulnerabilities from being exploited as well as helping to clean up any problems that do occur. The Webgate solutions don't require any installation and immediately monitor and block threats. "Companies use us for two reasons: to see what employees are doing and what they are not doing; and to see what applications are okay and not okay," explains Camplejohn.

Imperva stresses the importance of having security measures in place on the server side when explaining its security solutions to customers. "What we talk to customers about is the need to apply security on the server side because that's where you have control," says Mark Kraynak, Imperva's director of strategic marketing. Still, with this approach, the goal is to prevent future problems. "We can show how the applications are working and we use the model to prevent attacks," explains Kraynak. Imperva's SecureSphere monitors the activity in its customers' applications and databases to prevent vulnerabilities. By using dynamic profiling, Imperva creates profiles of applications and databases, so changes and possible malicious activity can be more easily noticed.



Experts agree that such a proactive approach is the best approach, and one of the most popular solutions seems to be technology that enables clients to closely monitor their Web 2.0 systems and sends alerts when a security breach is detected.

It's also helpful for companies to identify exactly who caused a security breach, and Q1 Labs' flagship product offers clients that visibility. QRadar enables its clients to uncover the source of a security problem and protect themselves against security threats before they cause problems. "It's providing visibility to the incident as a whole," says Bird.

Most often, violators don't have malicious intentions, notes Camplejohn. However, safeguards still need to be in place to prevent users from accessing harmful Web sites and applications. Mi5 Networks has technologies that will block users from visiting a webpage that is identified as a risk. They receive a message that informs them that the particular page violates company policy. "We can also block a portion of a page and still deliver the good content," adds Camplejohn.

Pescatore notes that many organizations seek solutions that have security features already built in. He points to IBM and HP, which both purchased companies last year that offer security tools. IBM acquired Watchfire and HP bought SPI Dynamics. (Allan actually joined Watchfire in 2000 and transitioned to IBM with the acquisition).

Within a few months, IBM released IBM Rational AppScan, which is a complete suite of automated web application security tools that scan and test web applications for security vulnerabilities. It also offers recommendations for how to fix problems that are identified, which helps organizations close the loop on their security issues.

Securing Enterprise 2.0

Frank notes that while security in the Web 2.0 world is focused more on the protection of personal information, Enterprise 2.0 security (or Web 2.0 in the Enterprise) is aimed at protecting information in the project or community workspace. "The matter of security goes beyond simple authentication -- am I who I say I am? -- and privacy control -- who can see what information," says Frank. In addition to authentication, he notes that other important aspects of security include permissions/access control (What can you see and do in the environment?), an audit trail (What happened over time? When was a document emailed? What comments were included on it?), and monitoring (the ability for users to keep up-to-date on new activity). Monitoring also enables administrators to spot harmful content and suppress it as it's posted.


