Web 2.0: Issues & Risks

Why Not Use Web 2.0 Tools?

  • Information is more difficult to monitor and secure.
  • Service interruptions are outside the organization’s control.
  • E-discovery is more difficult without physical access to storage
    media.
  • Data available for forensic examination is lost when data is
    moved from local storage.
  • They do not allow systematic control over creating, storing,
    or deleting information.
  • Lack or loss of connectivity prevents work for those depending
    on them.
  • Their casual nature may blur the line between business and
    personal use.

Patrick Cunningham, CRM


Organizations are moving to the cloud, some faster than others. However, moving to the cloud presents the enterprise with a number of risks to assess. Depending upon an organization’s risk appetite, these risks may be significant. At the core of these risks is the inability of many cloud/Web 2.0 vendors to meet regulatory and legal requirements that are commonly encountered by many enterprise customers.

Security

At the top of the list of risks for many organizations is security of information. This may be driven by a need to protect intellectual property, trade secrets, personally identifiable information, or other sensitive information. Putting that information into the hands of a third party is certainly not uncommon. Having the third party place that information into a shared storage environment is somewhat less common. Having that information available on the Internet requires a significant investment in security controls and monitoring. Of concern is that many of the Web 2.0 applications contain no provision for monitoring content or traffic to ensure that sensitive information is not being transmitted inappropriately.

Use of Web 2.0 tools also requires assurance that the pathway to the data is adequately secured. With information theoretically accessible from any point on the Internet, the provider must be assured that the computer/user accessing the data or application is properly authorized. This requires a very high degree of coordination between the enterprise and what may be multiple service providers. The information being stored by the third party needs to be secured from the third party’s access as well. This need will likely be met by increased use of file and message encryption and public key infrastructure. Increased encryption, however, will likely mean loss of information when decryption keys are lost or a file becomes corrupted. Nonetheless, ensuring security of information outside the enterprise will be a growth opportunity both for the enterprise and the supplier community.

Resiliency

Today’s buzzword for what we knew as “disaster recovery,” resiliency refers not only to uptime and availability, but it also has a focus on not allowing critical information to be corrupted or lost.

A challenge for many providers is ensuring that customer information is protected, but with shared data centers and storage devices, information from multiple customers may end up in the same backup media, creating issues when the media is restored and potentially exposing confidential customer information to third parties.

The enterprise will need to pay special attention to the means by which the provider will ensure uptime and access to information, as well as where and how the information will be stored and backed up. Some Web 2.0 suppliers will be unable to customize their offerings to meet these requirements and will be unwilling to make fundamental changes to their business model to meet enterprise resiliency requirements. Free services will typically offer no enterprise-level resiliency. A significant concern is enterprise data managed on consumer-grade systems. While, statistically, Web 2.0 applications “simply don’t have downtime,” the reality is that an interruption in service by the provider can seriously affect numerous customers.

E-discovery

The current climate for e-discovery assumes, for the most part, that an enterprise knows specifically where its information is being stored, how it is being backed up, and how it is secured. The rules also assume that an enterprise will be able to physically examine storage devices and, when required, examine storage media for evidence of erased and/or deleted files. In the cloud/Web 2.0 environment, the enterprise may have little or no visibility to storage and backup processes and little or no physical access to storage devices. As noted above, the data from multiple customers may be stored in a single repository. This will create significant challenges to forensic inspection of the storage media and a proper understanding of file access and deletion. Arguably, the enterprise can document what it knows about the mechanics of hosted storage and applications, but it will likely need to contract with the provider for support with e-discovery and litigation matters.

E-discovery and the Law

Some pundits suggest that laws and regulations tend to lag the reality of technological advances by at least 10 years. The most recent amendments to the U.S. Federal Rules of Civil Procedure can thus be considered to reflect the computing environment of the late 1990s, rather than today’s environment. As noted above, the current set of legal expectations regarding electronically stored information (ESI) makes many assumptions about the manner and location of the enterprise’s ESI and the ability of the enterprise to describe how that information is created and stored.

Of additional concern, particularly in criminal proceedings, is the ability of the enterprise to describe the flows of information, as well as the specific storage locations of information, so law enforcement can apply appropriate provisions of the criminal codes to criminal matters (e.g., a federal wiretapping statute may be applied in a matter because a data flow crossed a state border or a particular set of data was stored in another state).

Computer Forensics

For many organizations, computer forensics is a critical component both of e-discovery efforts and internal investigations. Computer hard drives, e-mail and local area network servers, thumb drives, and various storage media are all key locations of evidence for legal proceedings or actions against employees. The science of computer forensics often requires physical access to the storage device or computing resource.

As is often shown on popular television programs, the process of collecting and examining data must be done in a manner that limits contamination of the evidence. Much can be learned from information stored by a computer’s operating system, both in physical storage and volatile storage (information that is retained in a computer’s random access memory, which will disappear almost immediately after a computer is turned off). When data and applications are moved off a local computer, the forensics investigator may lose the ability to access critical information for the case. The provenance of a particular file or the time the file was last accessed can often be crucial in determining how the file was used and who had access to it. If the data storage shifts to the cloud, the ability to obtain uncontaminated copies of evidentiary data may be reduced, if not eliminated.

Basic Records Management

Like the law, records management practices often trail technology. Steve Bailey’s Managing the Crowd makes this point numerous times. At the same time, technology is often designed and implemented without regard for even basic records management principles. Many Web 2.0 applications allow the user to create and delete content at will. E-mail stored in the cloud is designed to use search capabilities rather than classification and retention processes. Many service providers believe that because data storage is incredibly cheap, deletion of data is unnecessary. The systems are thus designed with no retention management functionality.

Data Privacy

On the heels of all these issues, increasing awareness and attention to the protection of personally identifiable information (PII), as well as other data of concern to individuals, plays a role in determining the enterprise’s appetite for risk. EU data privacy requirements mandate that PII be deleted as soon as it is no longer required. Other principles of data privacy require disclosure of data transfers and data processing beyond local jurisdictions, which can be a problem for data that is processed and maintained in the cloud.

Infrastructure Duplication

While many end users find the capabilities of Web 2.0 applications meet their everyday needs, many organizations will need to retain e-mail infrastructure and licenses to commercial off-the-shelf software. This defeats an aspect of cost savings and infrastructure management that Web 2.0 applications promise.

Connectivity Requirements

For the desk-bound office worker, Web 2.0 applications may make a lot of sense. Most organizations have “always-on” connectivity to the Internet with high bandwidth. The worker likely doesn’t know where the applications or data reside. The experience is seamless and trouble-free.

The gap is for mobile workers who are relying on consumer-grade cable or DSL connections that may lack the bandwidth and uptime of office colleagues. High-speed Internet offerings in hotels and retail establishments are sometimes unreliable, with help desks incapable of resolving connectivity issues. For mobile workers relying on Web 2.0 applications to make a living, lack of connectivity means they are unable to work. This contrasts with mobile workers who have a full suite of office and e-mail applications loaded on their computers. Those workers can be productive in an offline mode, even with little or no connectivity. This remains a significant barrier to full adoption of Web 2.0 applications.

The “Don’t Be Stupid” Factor

The public nature of many Web 2.0 applications invites users to share about themselves. The blurring of lines between what is personal and what is business is another factor to be considered.

Many organizations already have significant challenges with employees leaking company information in their “personal spaces” on the Internet. As organizations adopt more Web 2.0 tools, great care will need to be taken to clearly define what belongs to the enterprise and what belongs to the individual. The organization that implements YouTube-like video sharing for business purposes will need to be cautious about employees posting inappropriate content.

While most users know that they shouldn’t talk about internal issues in public, the reality is that many find it difficult to draw that line – or simply choose not to draw the line. As noted above, the organization will need to work closely with the service provider to secure sensitive information and monitor access to, and distribution of, that information.

Migration Paths

While many Web 2.0 applications are open and standardized, there is still a significant risk involved if the business relationship does not pan out for an organization. Migrating petabytes of stored files and e-mail to another provider will be a significant task. Converting a sales application or human resource data is a substantial undertaking, regardless of who is managing the application. The organization moving down this path will always have an exit strategy in place – one that accounts for potential incompatibility between applications, and one that ensures that the information can be quickly and efficiently moved to another provider.

Web 2.0 and the cloud present the enterprise with considerable risks to consider when making the shift. For some organizations, the risks will be too great; for others, the reduction in cost will be the compelling driver. In either event, the enterprise must develop requirements to mitigate or accept risks that conflict with policy or law. And while today’s low-cost business models are driving many organizations to consider moving to the cloud, the costs to the providers are not insubstantial and will require significant cash inflows to grow and sustain the infrastructure.

The lesson today is that you get what you pay for. Adding necessary functionality, security, and resiliency will require service providers to spend considerable sums of money on behalf of the customer – all of which will need to be recovered over time. While the economies of scale will mitigate these costs to some extent, service providers will need to monetize and make profitable their offerings in some fashion.

See "Web 2.0 Benefits & Considerations" by Jesse Wilkins.

Patrick Cunningham may be contacted at patrick.cunningham@motorola.com.

 

From January - February 2009