Web 2.0 Users Open a Box of Security Risks

When she can't find the financial information she needs in the system, the vice president asks her assistant to export the raw data from the financials database into a text file and e-mail it to her at a remote meeting. She receives the file, imports the proprietary data into a spreadsheet, massages the numbers and shares the document online with another assistant, who polishes the final product. The presentation is a success, but the process didn't involve Microsoft Office, SharePoint or other IT- approved enterprise-class collaborative tools.

In fact, everything happened out of band. The raw data went to the executive's personal Gmail account, and the new document was created and shared using Google Spreadsheets. Copies of the data now reside on Google's servers.

Google Apps, ThinkFree Office and other hosted Microsoft Office alternatives are gaining in popularity as ad hoc collaboration tools. But such software-as-a-service (SaaS) offerings have few, if any, service-level or security guarantees and can leave a trail of potentially sensitive data on publicly accessible servers on the Web.

The suites of hosted applications, built using Flash, AJAX or other Web 2.0 technologies, deliver a lightweight alternative to Microsoft applications at little or no cost. While far less full-featured than Office, the streamlined SaaS products are faster and easier to use than their bloatware analogs. As a result, the applications are growing in popularity among users. Fifty percent of ThinkFree's 250,000 customers are business users who share growth projections, marketing materials, sales presentations and other documents online. The technology is working its way in through business's back door in much the same way Web mail and instant messaging did.

Users may start using online application suites at home as a fast and easy way to set up collaborations with friends and colleagues in clubs, civic organizations or other groups. It's an easy way to use shared calendars, discussion forums, collaborative workspaces and tools for creating documents, spreadsheets and presentations. Because users need only a Web browser, there's no need to worry about application, file and cross-platform incompatibilities. Using those same, familiar tools in a business context is a natural progression.

Even some business unit managers are jumping on board, viewing these consumer-grade services as a way to reduce chargebacks from IT, says John Pescatore, an analyst at Gartner Inc.

Unfortunately, little thought is given to reliability or security risks. Authentication is typically limited to a user log-in name and password. While data in transit across the Internet is encrypted using Secure Sockets Layer, the services generally don't offer encryption for data at rest on the provider's servers. If something goes wrong, support may be limited. And availability isn't guaranteed (Google offers an uptime guarantee only for its Gmail application as part of its Google Apps Premier Edition subscription). "What if someone hits Google with a denial-of-service attack?" Pescatore asks. If that spreadsheet is inaccessible or takes 10 minutes to load, the user is out of luck.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

• Bookmark this page
• Share this article
  •  
  • facebook
  • slashdot
  • digg
  • Reddit
  • stumbleupon
  • linkedin
  • twitter
• Got more on this story? Email CIO
• Follow CIO on twitter

• Share
  Share this article

  •  google+
  • facebookfacebook
  • slashdotslashdot
  • diggdigg
  • RedditReddit
  • stumbleuponstumbleupon
  • linkedinlinkedin
  • twittertwitter
• print
• email
• Bookmark