Why security needs to catch up to Web 2.0

Network security by the book

Security managers can keep blocking Facebook, refusing to support mobile devices and vetoing cloud-based services, but they aren't going away. And ignoring ways to make room for them in your security program is like burying your head in the sand, according to Tom Gillis, vice president and general manager of Cisco's security technology business unit, and author of the new book Securing the Borderless Network: Security for the Web 2.0 World.

Gillis' main message in the book is that today's new Web 2.0, virtualization, mobility and collaborative applications offer huge potential for enhancing productivity and competitive advantage. But they also come with complicated new security issues. He spoke with CSO about the challenges that lie ahead for security professionals in a technological environment where the rules have changed.

CSO: Let's start by talking about the potential you think new technologies, such as mobile devices, offer organizations.

Tom Gillis: In the 1970s and 80s, I was an engineer and I used to write design memos on an IBM Selectric. When the personal computer came out, I was using a Mac SE/30. I was amazed at how quickly I could get my job done.

But when you rolled the productivity these machines offered up at the top level, it kind of disappointed economists, political leaders and business leaders. During that period, the 70s and 80s, we saw GDP growth on the order of about 2 to 3 percent a year.

It wasn't until we figured out how to connect these devices, with the introduction of the local area network and the internet, that that GDP shot up to 4 to 5 percent. That's what we saw in the late 90s and 2000s, and it was driven primarily by this new fluid exchange of information.

I believe, and many analysts believe, that the mobile internet will have that same level of impact. We're looking at another decade of 4 to 5 percent productivity enhancements. Companies that are forward thinking with their security policies will be able to adopt these technologies and benefit from those 4 to 5 percent productivity enhancements better than others that don't.

When you say the mobile internet, you're referring to adopting technologies such as smartphones in the enterprise?

All kinds of mobile technologies. The iPhone was the first really usable web browser in a hand-held device, but now there are hundreds of other devices that are like it. And, as my son points out, "This thing IS a computer." A user can do all the things they need to do using palm-based applications and a hand-held smartphone, instead of a laptop.

What are the challenges organizations will face with regard to policies in this new Web 2.0 era?

It's not so much adopting new policies. Companies have security policies. And they are usually along the lines of: I'm the general manager, I need to get access to the financial information. Nuaf is my vice president of engineering and he needs to access source code. But I don't need to access source code and Nuaf doesn't need to have access to financial information. That's simple policy.

Expressing that as these mobile devices come into the enterprise gets much, much harder, and it's more difficult to be able to enforce those policies. What we are advocating is that companies make the investment in new technologies and new infrastructure that allows them to enforce those policies that they had yesterday and will have tomorrow in this distributed, borderless, mobile enterprise that is clearly emerging.

Besides mobility, there are plenty of other new aspects in today's IT environment. There is the use of social networks, there is virtualization and cloud computing. What are some of the difficulties with these technologies?

Web 2.0, and I'll use the interpretation to include virtualization and cloud computing, is almost the evil twin of mobility. If mobility means I have more users on more devices outside of my traditional perimeter, then the Web 2.0, cloud-computing trend means my data may not reside behind the traditional perimeter in the data center.

When you combine those two, your worst-case scenario from a security standpoint is when my VP of sales goes to conduct a sales force task in Salesforce.com on his smartphone: there is no traditional firewall, or traditional security solution, in that transaction at all. As an IT person, how do I ensure the safety of my assets? Basic stuff, like customer lists, customer names?

How do I put controls in place to show who accesses this information, revoke those privileges if need be, and provide some level of accountability for who accessed them when, where and how? We really need to rethink how we build and deploy security to address these types of use cases.

Where do you think enterprise organizations stand now with their adoption of technologies and infrastructure to handle this new environment you're describing?

At Cisco, our officially supported iPhone-user population is about 100 users. We think the actual number of iPhone users is somewhere between 6,000 and 9,000. I see this sort of scenario everywhere I go. The devices are coming into the enterprise whether we like it or not. Because they are good and they help people get their job done.

The solutions to secure these devices are fairly nascent. There are a number of use cases that customers want from us in this whole borderless, distributed enterprise that we can't properly address yet. We are working on it, and have a vision. I think a lot of this is work still to be done, both in the vendor community and the IT community, in rolling out and deploying some of this stuff.

You mention in the book that criminals are already taking advantage of many of these new technologies and exploiting them. What is the biggest cause for concern?

Attacks targeted specifically on mobile devices I think are quite narrow. The challenge is doing that security policy enforcement, basic access control. When a sales rep is using a mobile device to access a cloud-based application, and we terminate that employee, what is to stop them, when they get the termination, from still going in (to that proprietary data) from their device, downloading customer lists and going to a competitor? I've had that happen in my career and there is basically nothing you can do. It's very frustrating.

So, the concerns range from malware and exploits, to basic access control and protection of your intellectual property. There is a broad array of concerns security professionals need to address.

What will play the bigger role in securing the network in a Web 2.0 world? Product or policy?

At the end of the day, it's clearly driven by policy. Policy then drives product. I can go off and give you ten examples of products I've built that are ahead of policy and people's ability to absorb the technology. So it starts with policy and a mentality.

We want to see our customers shift away from a security posture of no. Away from saying things like "Google Android? No, we can't support that. Web-based applications like Google Docs? Not secure, don't use that." We want to get away from that to a posture that says "Absolutely. Use the tools that help you get your job done efficiently."

You mention the future and Web 3.0 in your book. What is Web 3.0 going to include?

If you look at the investment companies make in building data-center infrastructure to support their business, I do think ten or twenty years from now we will look back and say "Wow, that's crazy. Why were people building their own stuff?"

Imagine if every company in the world built their own hammer. Sure, they could build that hammer to fit exactly the job that needed to get done, put a pointy head on it, a special handle. But it's very inefficient for every company in the world to build their own tools.

Why can't we get to a world where there are organizations that focus on building hammers, do it well and do it effectively and deliver a better product at lower cost to the enterprise? Web 3.0 is going to take complicated enterprise infrastructure and make it more dynamic, more available and lower cost.


Joan Goodchild
