Click here to close now.

Welcome!

Web 2.0 Authors: Ian Khan, Elizabeth White, Dana Gardner, Plutora Blog, Liz McMillan

Related Topics: SOA & WOA, Wireless, Web 2.0, Security

SOA & WOA: Article

Social Media Brings New Challenges to Government Security Administrators

The use of social networking sites and BYOD mobile devices at work brings new threats of data leaks to government agencies

Government agencies in the United States and around the world are increasing their use of social media to enhance the quality of government services and to encourage more citizen engagement and dialog. When used properly, social media can build trust and develop more efficient communications between government agencies and those looking for information. But, as beneficial as this approach is becoming for government and citizens alike, agencies must also be aware of the multitude of security problems that can be introduced when social media tools are used by government staff.

Personal use of social media by government employees while at work can introduce lost productivity, misuse of network bandwidth, exposure to unmanaged/inappropriate content, malware threats from clicking links and downloading infected content, and most important, the danger of confidential data leakage.

In addition to the many threats to government networks just mentioned, including the threat of confidential data leaks when staff members use social media on government computers, advances in personal mobile technology at work such as smartphones, MP3 players, tablets, and laptops demonstrate an even bigger more fundamental problem: the consumerization of government IT computing.

Use of mainstream public-cloud applications and personal mobile technologies from inside network security perimeters of our government networks represents a brave new world of risks for security administrators. Personal wireless devices are by-definition completely outside the control of IT security professionals, yet in many cases they are becoming approved for business use anyway due to IT budget cuts and social pressures. The fundamental fuel for this "bring your own device" (BYOD) phenomenon is the a growing percentage of employees want to remain active in social media during the work hours, monitor their personal email, and use their own "latest-greatest" personal devices rather than whatever may have been issued or approved by their government employer.

Combined, the use of social media and mobile devices increases the threat level to any government agency's network exponentially. We are seeing hackers writing code directly to attack mobile devices that can easily infiltrate the agency's networks once downloaded. Keyloggers, Trojans and other forms of malware released onto the network can be used to disrupt network operations and steal confidential government data. When logged into social media sites, government employees can post or upload (either accidently or intentionally) confidential information, and once released it can quickly spread or be passed down the line secretly to the wrong eyes.

The arsenal of Firewalls, AV, NAC, IDS, IPS, and other security tools can help mitigate the threat of malware and hacker threats on the network. Unfortunately, as the social media and BYOD culture grows, the new risk of "data leakage" must be addressed with new tools and approaches.

How can government agencies address these new threats?

Best Practice - Acceptable Use Policies
Government agencies should initially establish a thorough acceptable use policy for social media and BYOD for their employees. Depending on positions and responsibilities, employees may obtain different permissions. A well-thought-out use policy will help the agency enforce and secure social media and BYOD use, which also helps protect the agency from legal liability and compliance violations.

Best Practice - Technology and Security Solutions

In addition to policy development, technology solutions must also be deployed to ensure a successful and legally defendable policy. Complimentary technology should be flexible and allow the agency to automate the policy's enforcement. Even if an employee may not be aware of the policies, the software provides an added level of protection. For example, some security software can be used to block access to social media services and mitigate downloads from endpoint devices.

Unfortunately, we live in a time where there is no security silver bullet. But technologies that simultaneously help secure data leaks while also informing the employees in real time that their actions have been blocked because they violate use policies go a long way to create a culture of policy awareness and obedience. These "block and inform" technologies can be powerful tools because they educate staff in the exact moment of policy violation and put them on notice. For employees looking to use their own devices, written policies can limit their use or they can be required to allow security software to be installed by the IT staff.

Social media challenges arise with how to secure certain channels without blocking social media websites and services entirely. The solution requires the ability to differentiate between personal, corporate, public and confidential information in social media exchanges, so it must be data-centric and content-aware. In addition, for employees who are in positions that have legitimate reasons for social communications, this activity, in accordance with the acceptable use policy must not be affected.

Best Practice - Data Leak Prevention
Among the myriad of IT security technologies that are available, one that satisfies this set of requirements is Data Leak Prevention (DLP). A DLP solution used in conjunction with security and risk-management technologies already in place provides a critical layer of complementary protection.

With any technology, requirements for a DLP solution can be different for every agency/office and should be based on the needs, size of deployment, and associated risks. It is well documented that most data leaks originate from the inside or on a government owned machine that has been removed from the network. The added pressure of unmanaged BYOD only multiplies the threat. DLP solutions are able to stop the problem of data loss right at the source - at the workstation and mobile device. This "stop data leaks at the source" strategy offers the broadest DLP coverage precisely because it follows mobile endpoints like employee laptops outside of the network where traditional security solutions such as firewalls and content security gateways typically do not reach.

Conclusion
Government agencies should consider applying DLP technology on laptops and other endpoint devices to help eliminate the threat of data loss while addressing compliance regulations. The combination of a written, well-communicated acceptable use policy for social media and BYOD, coupled with DLP technology that includes pop-up educational warnings when a policy is being violated can reliably prevent data leaks while helping maintain compliance.

More Stories By Vincent M. Schiavo

Vincent M. Schiavo joined DeviceLock as Chief Executive Officer in September 2011. A veteran of the computer industry for more than 30 years, most recently Mr. Schiavo served as the Executive Vice President of Worldwide Sales for LogLogic, a San Jose based security information and event management provider. Prior to LogLogic, he was the Senior Vice President of Worldwide Sales and Marketing for Secure Computing, a San Jose based web information security company which was acquired by McAfee in 2008.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@ThingsExpo Stories
SYS-CON Events announced today that Dyn, the worldwide leader in Internet Performance, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Dyn is a cloud-based Internet Performance company. Dyn helps companies monitor, control, and optimize online infrastructure for an exceptional end-user experience. Through a world-class network and unrivaled, objective intelligence into Internet conditions, Dyn ensures traffic gets delivered faster, safer, and more reliably than ever.
As organizations shift toward IT-as-a-service models, the need for managing and protecting data residing across physical, virtual, and now cloud environments grows with it. CommVault can ensure protection &E-Discovery of your data – whether in a private cloud, a Service Provider delivered public cloud, or a hybrid cloud environment – across the heterogeneous enterprise. In his session at 16th Cloud Expo, Randy De Meno, Chief Technologist - Windows Products and Microsoft Partnerships, will discuss how to cut costs, scale easily, and unleash insight with CommVault Simpana software, the only si...
Even as cloud and managed services grow increasingly central to business strategy and performance, challenges remain. The biggest sticking point for companies seeking to capitalize on the cloud is data security. Keeping data safe is an issue in any computing environment, and it has been a focus since the earliest days of the cloud revolution. Understandably so: a lot can go wrong when you allow valuable information to live outside the firewall. Recent revelations about government snooping, along with a steady stream of well-publicized data breaches, only add to the uncertainty
Cloud data governance was previously an avoided function when cloud deployments were relatively small. With the rapid adoption in public cloud – both rogue and sanctioned, it’s not uncommon to find regulated data dumped into public cloud and unprotected. This is why enterprises and cloud providers alike need to embrace a cloud data governance function and map policies, processes and technology controls accordingly. In her session at 15th Cloud Expo, Evelyn de Souza, Data Privacy and Compliance Strategy Leader at Cisco Systems, will focus on how to set up a cloud data governance program and s...
Roberto Medrano, Executive Vice President at SOA Software, had reached 30,000 page views on his home page - http://RobertoMedrano.SYS-CON.com/ - on the SYS-CON family of online magazines, which includes Cloud Computing Journal, Internet of Things Journal, Big Data Journal, and SOA World Magazine. He is a recognized executive in the information technology fields of SOA, internet security, governance, and compliance. He has extensive experience with both start-ups and large companies, having been involved at the beginning of four IT industries: EDA, Open Systems, Computer Security and now SOA.
The Workspace-as-a-Service (WaaS) market will grow to $6.4B by 2018. In his session at 16th Cloud Expo, Seth Bostock, CEO of IndependenceIT, will begin by walking the audience through the evolution of Workspace as-a-Service, where it is now vs. where it going. To look beyond the desktop we must understand exactly what WaaS is, who the users are, and where it is going in the future. IT departments, ISVs and service providers must look to workflow and automation capabilities to adapt to growing demand and the rapidly changing workspace model.
The industrial software market has treated data with the mentality of “collect everything now, worry about how to use it later.” We now find ourselves buried in data, with the pervasive connectivity of the (Industrial) Internet of Things only piling on more numbers. There’s too much data and not enough information. In his session at @ThingsExpo, Bob Gates, Global Marketing Director, GE’s Intelligent Platforms business, to discuss how realizing the power of IoT, software developers are now focused on understanding how industrial data can create intelligence for industrial operations. Imagine ...
Hadoop as a Service (as offered by handful of niche vendors now) is a cloud computing solution that makes medium and large-scale data processing accessible, easy, fast and inexpensive. In his session at Big Data Expo, Kumar Ramamurthy, Vice President and Chief Technologist, EIM & Big Data, at Virtusa, will discuss how this is achieved by eliminating the operational challenges of running Hadoop, so one can focus on business growth. The fragmented Hadoop distribution world and various PaaS solutions that provide a Hadoop flavor either make choices for customers very flexible in the name of opti...
Operational Hadoop and the Lambda Architecture for Streaming Data Apache Hadoop is emerging as a distributed platform for handling large and fast incoming streams of data. Predictive maintenance, supply chain optimization, and Internet-of-Things analysis are examples where Hadoop provides the scalable storage, processing, and analytics platform to gain meaningful insights from granular data that is typically only valuable from a large-scale, aggregate view. One architecture useful for capturing and analyzing streaming data is the Lambda Architecture, representing a model of how to analyze rea...
SYS-CON Events announced today that Vitria Technology, Inc. will exhibit at SYS-CON’s @ThingsExpo, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Vitria will showcase the company’s new IoT Analytics Platform through live demonstrations at booth #330. Vitria’s IoT Analytics Platform, fully integrated and powered by an operational intelligence engine, enables customers to rapidly build and operationalize advanced analytics to deliver timely business outcomes for use cases across the industrial, enterprise, and consumer segments.
The Internet of Things (IoT) promises to evolve the way the world does business; however, understanding how to apply it to your company can be a mystery. Most people struggle with understanding the potential business uses or tend to get caught up in the technology, resulting in solutions that fail to meet even minimum business goals. In his session at @ThingsExpo, Jesse Shiah, CEO / President / Co-Founder of AgilePoint Inc., showed what is needed to leverage the IoT to transform your business. He discussed opportunities and challenges ahead for the IoT from a market and technical point of vie...
Advanced Persistent Threats (APTs) are increasing at an unprecedented rate. The threat landscape of today is drastically different than just a few years ago. Attacks are much more organized and sophisticated. They are harder to detect and even harder to anticipate. In the foreseeable future it's going to get a whole lot harder. Everything you know today will change. Keeping up with this changing landscape is already a daunting task. Your organization needs to use the latest tools, methods and expertise to guard against those threats. But will that be enough? In the foreseeable future attacks w...
HP and Aruba Networks on Monday announced a definitive agreement for HP to acquire Aruba, a provider of next-generation network access solutions for the mobile enterprise, for $24.67 per share in cash. The equity value of the transaction is approximately $3.0 billion, and net of cash and debt approximately $2.7 billion. Both companies' boards of directors have approved the deal. "Enterprises are facing a mobile-first world and are looking for solutions that help them transition legacy investments to the new style of IT," said Meg Whitman, Chairman, President and Chief Executive Officer of HP...
Containers and microservices have become topics of intense interest throughout the cloud developer and enterprise IT communities. Accordingly, attendees at the upcoming 16th Cloud Expo at the Javits Center in New York June 9-11 will find fresh new content in a new track called PaaS | Containers & Microservices Containers are not being considered for the first time by the cloud community, but a current era of re-consideration has pushed them to the top of the cloud agenda. With the launch of Docker's initial release in March of 2013, interest was revved up several notches. Then late last...
Disruptive macro trends in technology are impacting and dramatically changing the "art of the possible" relative to supply chain management practices through the innovative use of IoT, cloud, machine learning and Big Data to enable connected ecosystems of engagement. Enterprise informatics can now move beyond point solutions that merely monitor the past and implement integrated enterprise fabrics that enable end-to-end supply chain visibility to improve customer service delivery and optimize supplier management. Learn about enterprise architecture strategies for designing connected systems tha...
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
The explosion of connected devices / sensors is creating an ever-expanding set of new and valuable data. In parallel the emerging capability of Big Data technologies to store, access, analyze, and react to this data is producing changes in business models under the umbrella of the Internet of Things (IoT). In particular within the Insurance industry, IoT appears positioned to enable deep changes by altering relationships between insurers, distributors, and the insured. In his session at @ThingsExpo, Michael Sick, a Senior Manager and Big Data Architect within Ernst and Young's Financial Servi...
PubNub on Monday has announced that it is partnering with IBM to bring its sophisticated real-time data streaming and messaging capabilities to Bluemix, IBM’s cloud development platform. “Today’s app and connected devices require an always-on connection, but building a secure, scalable solution from the ground up is time consuming, resource intensive, and error-prone,” said Todd Greene, CEO of PubNub. “PubNub enables web, mobile and IoT developers building apps on IBM Bluemix to quickly add scalable realtime functionality with minimal effort and cost.”
Sensor-enabled things are becoming more commonplace, precursors to a larger and more complex framework that most consider the ultimate promise of the IoT: things connecting, interacting, sharing, storing, and over time perhaps learning and predicting based on habits, behaviors, location, preferences, purchases and more. In his session at @ThingsExpo, Tom Wesselman, Director of Communications Ecosystem Architecture at Plantronics, will examine the still nascent IoT as it is coalescing, including what it is today, what it might ultimately be, the role of wearable tech, and technology gaps stil...
In the consumer IoT, everything is new, and the IT world of bits and bytes holds sway. But industrial and commercial realms encompass operational technology (OT) that has been around for 25 or 50 years. This grittier, pre-IP, more hands-on world has much to gain from Industrial IoT (IIoT) applications and principles. But adding sensors and wireless connectivity won’t work in environments that demand unwavering reliability and performance. In his session at @ThingsExpo, Ron Sege, CEO of Echelon, will discuss how as enterprise IT embraces other IoT-related technology trends, enterprises with i...