
Monday, April 12, 2010

Security Perspective on Social Networking

Facebook, Twitter, LinkedIn... all words that can make the IT manager's skin crawl. The simple solution is to block the URLs at the firewall; once people are plugged in at the office, too bad, no social networking on work time. I think that's the way most IT managers would prefer it. We're a bit of a draconian bunch, largely because this is the kind of stuff that just ends up making problems for us.

But is this the best approach? Other managers in the organisation may be concerned about morale, and want these sites available to their staff. Well, we certainly don't want to start creating exception rules in the firewalls or network compliance tools to manage which users get access and which don't. More business-centric reasons exist as well; some business units may want to use these sites for market research, sales/marketing, recruiting, and other functions.

I've recently seen some interesting and creative use of combining the three main social media sites for marketing and recruitment processes. An organisation I was meeting with last week was telling me about how they use Facebook & Twitter accounts to monitor customer satisfaction with their products and services, and respond quickly to concerns from their customers or deal with urban myths about them that get propagated through these media. From a business perspective, that approach makes a lot of sense. This same organisation also uses individual LinkedIn accounts from their recruitment professionals as a mechanism to reach out to prospective new employees and contractors, and ties it all together with Facebook & Twitter promotion of new positions and recruitment drives.

So in this scenario, the IT team has to work with the other business units (sales, marketing, and HR) to make sure they can get timely access to the tools, ensure that they maintain corporate image and privacy, and verify the content of those sites - both what is "going out" and what is "coming in."

Where do you start?
Ensure first that the leaders of the organisation understand the challenges for the IT team, possible budget implications, and risks.

For certain, start with a review of existing organisational IT usage policies. First off, do you have them in place? Secondly, have they been distributed (recently) and signed off? And lastly, does the language (hopefully not too "lawyered up" so that people understand what they are committing to) apply to this kind of scenario?

What questions should you ask?
Once you've established who's allowed to do what, it becomes a question next of enforcing the rules while allowing the business functionality that's been agreed to. Now we get into the business analysis side of the equation. Understand clearly what the business needs are so that your team can work with the rest of the business to deliver the solution that makes the most sense.

You'll need to look at technical considerations, some of which might be:
Will Twitter use be via the web interface, or third-party apps like TweetDeck?
Will you allow all Facebook apps, or try to block some (like games, etc.)?
Will this be allowed corporate-wide, or group by group?

Who's already looking down this path?
There are developers such as Teneros and SocialWare who are developing middleware-like apps that monitor content for these sites, to ensure that the organisation knows what is going out or coming in. These tools have some limitations, so it's best to research the options closely, but it's good to know you HAVE options! SocialWare is particularly interesting to me and likely may be the subject of a future blog posting.

Check through your personal network (errr, via LinkedIn?) to see who else is in your shoes and dealing with this kind of challenge today. I was surprised to learn recently how many organisations haven't even started to deal with this from an IT perspective yet. I know we're busy, but...

As always, your feedback and input on this article are greatly appreciated; reply with your thoughts and I'll post them for continued conversation.
