Archive for June, 2008

MySpace in the Enterprise: Control or Chaos?

When one of our lead researchers, Chris Boyd, started looking into MySpace hacks and scams over a year ago, some of us at FaceTime questioned whether that was the best place for him to spend his time. Was it relevant to the business IT market that we serve?

 

Absolutely. The ability to control how employees use social networking on work computers is one of the key topics of conversation we have with new customers. We’ve heard from customers that they can’t block MySpace and Facebook because their HR departments use the sites to do background checks on potential employees. Many organizations are also setting up company-oriented communities on Facebook. We’ve spoken with companies who have lost new employee candidates because of their policies against use of Web 2.0 including social networking and instant messaging – these companies are perceived as legacy and uninteresting places to work.

 

MySpace and other social networking sites have entered the enterprise, and business leaders together with IT have to figure out how to turn it into an advantage for the company. It’s a much larger issue than simply making a binary decision to block or allow it. Do you block it all, or do you allow some users or some aspects of it? What are the cultural and employee morale issues if you shut down access?

I have a good friend who works at a satellite office for a Fortune 100 company. His Internet is locked down beyond belief. Yet, the posters on the wall from the corporate office highlight value statements about “innovation” and other rhetoric that seems to me at odds with their Internet policy. I’m told that the morale there is a mess. Is there a relationship?

 

FaceTime is not in the business of establishing the Internet access policy for our customers. We are in the business of enabling them to enforce their desired policy for Web access including control of MySpace and other social networking sites. But, my contention is that it’s not solely a matter of whether or not MySpace, Facebook etc. have a business purpose. The real point is that employees feel they have a right to use whatever applications or online sites on their work computers, and IT has to maintain the integrity of the network despite this trend. Bringing these two perspectives together for the benefit of the business is where the challenge lies.


Facebook Chat and Unified Communications

A few weeks ago, I read an interesting blog post by Mike Gotta, a principal analyst for the Burton Group. I’ve been mulling it over and wanted to share my thoughts – but let me give you a recap first.

Gotta writes about Facebook’s use of Jabber/XMPP for Facebook Chat and how he thinks this will impact enterprise organizations that are planning to roll out corporate instant messaging/presence platforms that are based on SIP/SIMPLE. Short term, Gotta does not expect either Twitter’s or Facebook’s use of XMPP to impact business decisions, but he predicts that XMPP in the near future could lay the groundwork for Unified Communications in the enterprise.

Gotta makes a couple of observations about IBM and Microsoft’s position in the UC market. Here is an excerpt from his post:

 

For IBM, I would expect someone from IBM’s unified communication and collaboration team to realize that this is a great marketing opportunity. At some point, I expect IBM to aggressively pursue interoperability between Facebook’s XMPP system and the Lotus Sametime Gateway. 

 

For Microsoft, this news presents them with a problem – they are in a position that is almost impossible to defend. There is absolutely no technical reason why the current Microsoft gateway does not support XMPP today. It is simply a political decision (in my opinion), by the folks at Microsoft as they compete with Google. Granted, GTalk does not have the market share of other public networks (Yahoo!, AOL), but even so, the strategy is clearly not customer-focused at all.  

Gotta makes a good point, but I’m not convinced the onus lies with the Microsoft gateway provider.  The Microsoft gateway doesn’t support XMPP… ok, so what?  You can make the case that Facebook (in which Microsoft invested $240 million) and other sites will need to add a SIP gateway to support connections from OCS.  It’s not a mandate, but one or a few sites may take the plunge and make themselves easily accessible to the millions and millions of (eventual) OCS users — the others will have to follow suit.

Or Microsoft bites the bullet and adds XMPP support to their gateway but restricts it so that it can’t connect with their arch-rival Google. That’s possible. But again, will a company looking at OCS say “Gee, sorry I liked the solution but chose Sametime instead because it can connect to Twitter”? Maybe that day will come, but not any time soon in my opinion.


Securing Web 2.0: We All Like To Jump On the Next New Thing

When something works, others will adopt it. It’s true whether you are talking about TV reality shows, green products or IT security. This was evident at the Gartner IT Security Summit that I attended last week, where there were several references in the keynotes and breakout sessions to the trend toward end user adoption of collaborative applications such as Facebook and other Web 2.0 apps.

The current catch phrases are based on the premise that the Internet has changed. Some call it the “Consumerization of IT,” some call it Enterprise 2.0 – and I believe I even heard it called “People-Based Computing” (PBC).

No matter what you call it, IT security administrators must make a judgment call about the usefulness of these new real-time Internet tools and whether or not to spend money on security and management solutions. Are employees really going to use these tools to do business? Or are they virtually hanging out with friends on MySpace during work hours? And what if MySpace becomes Facebook, or Second Life, and then Twitter or Pownce or a widget… or whatever else the latest Web 2.0 application is?

The lines between work and personal time are blurring more than ever, and IT is continually challenged with “the next new thing.” The new Internet will create new strategic issues to sort out over the next few years. Will a SaaS model for security be considered? How will virtualization impact security deployments? These were the types of issues that were raised and debated over the three days. All said, a solid conference that offered a combination of actionable recommendations and thought-provoking considerations.

By the way, Google started its keynote at the Gartner IT Security Summit with a message about collaborative applications, and I was pleased (and proud, I must admit) to see their reference to our very own Chris Boyd as a contributor to their security efforts.


Supply / Demand

Without research, there are no blog entries – and I hate putting out “fluff pieces” (i.e. a line or two of text with a link to something somebody else wrote) to make up the numbers. I prefer to create the content myself, because not only do we have control over the material and the subsequent activities that take place as a result, it immediately makes the content unique, readable and more interesting than many of the other blogs out there.

However.

Without blog entries, there is no research – or, at least (to the general public, who only see the research security companies do nowadays via an endless deluge of RSS feeds) – there is no research. With nothing published, interest wanes. A few days go by, and the number of people subscribed starts to dip slightly. You get a little twitchy, and wonder why it’s so quiet.

Is it quiet? Or is it just that you’ve been looking in the wrong places the last couple of days?

You wonder if / when the next interesting thing to write about is going to come along. You invest more time in research, but of course that means fewer seconds in front of the PC hammering out the next blog entry. When the majority of your online existence is devoted to providing the public at large, curious passers-by, people in the industry, journalists and (every so often) law enforcement with a window into the world of making things a little more secure for everybody, that can create a few problems.

Research feeds the writing, and vice-versa (which too few people appreciate) because many more discoveries in the research come to light only after an initial article has been posted. Could be from a tip-off, a disgruntled victim – perhaps someone from law enforcement who can’t really write about their own findings on a blog somewhere but are quite happy for you to beat the drum on their behalf.

Both writing and research eat into the time available for either activity. Writing across two different blogs takes an enormous amount of time, especially as they promote two different types of research. Actually, no – that’s not right. They’re more like different facets of the same research, with one tending to look at the files and the other looking at the creators of those same files. In tandem, they can be a particularly potent weapon against those looking to hijack your PCs, steal your credit cards and all those other wonderful things kids like to do these days when their parents aren’t looking.

In that sense, the pressure to provide a never-ending stream of content for two different sites is also a huge benefit, because when the more “traditional” type of analysis dries up on Spywareguide – and of course, it does from time to time (like when all the bad guys are too busy eating their Christmas dinner to bother with virus writing) – you can still usually find a collection of low level talent script kiddies or wannabe hackers and have fun at their expense over here. Similarly, when there are no bad guys practically begging to be outed on Vital, you can still usually come up with some interesting infections for further analysis on Spywareguide with the aid of the research teams we have scattered across the globe.

As far as I’m aware, this gives us an edge over a lot of security companies out there who only tend to have one solitary blog, usually only geared towards pure research. When the tech stuff dries up, those blogs tend to go silent for a while, and blog silence for me is not a good thing. I want content, and I want that content daily. I become hooked on those sites, and I’m disappointed when they fall off the radar for a while. Yes, it’s childish and yes, it’s impatient – but that’s how it works. Off the top of my head, the only company I can think of that has one blog but can easily (and quite happily!) write about non-security subjects is the Sunbelt Blog, and more power to them. I mean, look at this and tell me you expect to see something like that on a security site. You probably didn’t but wow, there it is, and isn’t it great?

Supply / Demand. It’s what blogging is all about.

Now if we could just work out the oil Supply / Demand issues we’d be onto a winner….
