Social Software and its place in Enterprise

So far there has been plenty of talk in the industry about web2.0 and more about social software. Within my company we are venturing into this space with one tool and it plays quite a large part in my objectives for the coming financial year.

My daily digest of news included the following: http://blogs.techrepublic.com.com/networking/?p=3106&tag=nl.e106 While this talks about it and I've seen case studies on other companies with their rollouts, I'm curious to see what thoughts the collective powers of OCAU can bring to the table

Ideally I'd like to know if anyone else is venturing into this field, or already has, and what they've found, particularly with a company of about 7000 users logging in

 

Social Software or 'Web 2.0' (I hate that term btw) presents many issues to an organisation that is thinking of trying to leverage it.

Here's just a few questions that your business will need to think about, it's hardly an exhaustive list.

Firstly... what does the busines hope to achieve with it?
Is it seen as an aide to collaboration?
A way of keeping in touch with customers?
A General means of communication?

Will it be for internal use only?
Personal use? a mixture?

Where is the data going to be stored (these systems all accumulate a lot of data)? Who will have access to it?

How is this data going to be managed?
If the web 2.0 facility is to be used to facilitate b2b and b2c communication then you may be required for statutory reasons to keep records for up to seven years, this needs to be given careful consideration if in future you decide to migrate to another web 2.0 app.

Will there be any integration with inhouse or externally housted applications?

Then there's the usual bugbears of privacy, confidentiality of information, possible breaches of disclosure agreements and so forth..

One organistion who's CIO I sometimes chat with was dabbling with the whole 'web 2.0' thing but it all went a bit pear shaped, legal and compliance issues just kept raising their heads and eventually management of 'web 2.0' services almost became a cottage industry, in the end it was killed off primarily because it was a cost that was not adding any value to the business.

And in my view, that's the harsh reality by which any I.T initiative must be measured against.

-NyarghNia

 

In the case of social networking websites, their place in enterprise is a deny rule in your firewall.

 

+1
And +10 for major ones like Facebook.

I do like wikis for collaborative documentation though. Internal use ones are good for documenting projects, systems, policies, etc. Especially once you link the wiki system to existing user accounts so it's all authenticated.

 

In a dying enterprise perhaps...

Times are changing, Social Network sites are just another communication channel that needs to be managed correctly. I see no argument for blocking facebook that cannot be made for blocking all extra-company E-mail. But that is still firmly on the 'allow' list

 

I would concur with this assessment.

Treat social software with extreme care, tread at your (or your company's) peril.

Not here it aint, i'm setting up a seperate system to handle extra-corproate e-mail (ie from customers), i'm talking to our security solutions provider about whitelisting of e-mail.

In last couple of weeks... (looks at firewall stats).. This is to provide an example of why many places are considering whitelisting of e-mail and even segregation of e-mail into 'public'
vs 'corporate/trusted/known'.

Messages processed: 25,000~

78% of all inbound mail is immediately confirmed as SPAM and just dumped, not even quarantined
More than 5% of all inbound mail contains viri and other 'nasties', which are stripped and mail quarantined
About 10% of mail is flagged a 'Spam Suspect' and quarantined, out of these, about 95% of them are eventually purged
That leaves less than 7% of all incomming mail as being legitimate

I shudder to think of the horrors being downloaded onto a network that allows social networking website embedded content...

-NyarghNia

 

They are another way for people to be logging in, click that link which says "New Funny Video" DURING WORK HOURS, and the rooting up their profile when it gets some new absurd 0 day spyware/malware installed that 3 major AV vendors missed.

But hey, it keeps me employed fixing the damage done.

 

Those figures correlate closely to what my personal mail server/domain sees (about 4,500-4,800 mails a day). Little bit higher on immediate spam, and less on suspect spam, but otherwise spot on.

Went years with no spam at all, then I guess the spammers discovered the .tk TLD.

 

We tried it for a few days on a network of 250 users. Productivity droped to almost zero and virii, spyway and junk was at an all time high detection and block rate on the workstations virus scanners.

As other have said. Social networkings place is to be blocked by the firewall.

 

Whitelisting incoming email for a company that expects new business is batshit insane.

Get a decent spam filter (Brightmail/Ironport Appliance), forget about it.

Ironport blocks some absolutely crazy number here per day, false positives are almost zero (I think i've had to troubleshoot 1 or 2 in the 2 and a bit years we've had the device) and we hold a small party when spam/virii/malware actually makes it to a user - these parties are few and far between.

 

I really liked the look of salesforces upcoming 'chatter' product (http://www.salesforce.com/chatter/). Would be very useful for project management.

I'm guessing this is the kind of thing you were talking about?

Does anyone know of anything similar to this that has come out / is coming out?

 

yes ironports for the win,

stuff like OCS is quite good. but we only use it internally. messanger and Video ( we have OCS but no VOIP.... ).

i have to disagree with the statement about Social networking should be a deny statement on a firewall. it should be a redirect to a web server hosting a picture of Mr T or a video of Terry Tate.

 

I'm so glad we block Facebook. If I could turn back time I would have never signed up in the first place.

 

Nah, not blocking it entirely, hard to describe here, but it's going to a seperate mail system that's in a seperate virtual network (if that makes sense), people can still access it fairly easily to check stuff, this is where 'new contacts' will go.

It's a bit extreme I admit but the problem we have is that Mr average Joe's PC is likely infested with god-knows-what and I can't have mail from Mr and Mr anyone just landing on the corporate network anymore.

For example, we had one guy a few months ago send us a mail the other day, his e-mail software embedded a graphics file (in PDF format), the firewall flagged it as being infected, turns out the file in his e-mail (Photo of a property) contained a virus/trojan, a real nasty one too.

If the mail server gets compromised, it just gets nuked, it's entirely isolated from the internal trusted network.

We're also revisiting the whole 'whitelisting' of the 'net and adopting a similiar approach.

The Internet is just damned dangerous. Maybe i'm being a bit extreme but ...

-NyarghNia

 

You are.

I don't know any federal government network that works like this. Or any Top500 company in Australia.

Clearly you have flaws in your Email, Email sanitation (AV/Spam) and Desktop AV solutions - it will be far cheaper, and give better results - to address these problems, than create some extreme crazy DMZ mail server idea.

 

With all due and sincere respect, I think you are mistaken.

We're already running state of the art proxy/firewall systems with deep packet inspection, UTM, reporting and content management. I have external and internal security audits carried out on a regular basis including active penetration testing from both the external network and the internal truted network.

The problem I am foreseeing is that all of this requires vendors to be 110% on top of catching the bad stuff, if we get a zero-day threat that is not yet detected by either the Firewall/Spam Filter/Gateway AV/Mail server AV and ultimately desktop AV then potentially we're all screwed and that goes for everyone.

All i'm doing is partitioning the problem, so far.. 100% of all 'nasties' which I have had arrive via E-mail have been from unkown/untrusted sources (ie.. Joe public).

If I can send the overwhelming, vast majority of traffic to a DMZ type mail system that is entirely disposable, then by defintion I am reducing the likelyhood of something nasty landing on the trusted corporate network.

-NyarghNia

 

This is why you have multi-vendor Spam/AV solutions (e.g Ironport supports Sophos and McAfee AV rules).

You've never really let on what your company does, but the questions you post here in B&EC let on that they've let a reasonably inexperienced person take on a fairly all encompassing role - which is fine, people need to start somewhere.

What you are suggesting reminds me of protected networks (fed gov has them for classified mail - however this is for transferring sensitive material, they still recieve regular unclassified mail from the greater WWW) taken to the extreme.

I'll wait for IACSecurity to step in, but the solutions your proposing don't really add up (in terms of them being required) from the information i've seen.

 

ive been looking for a good inexpensive corporate IM communication tool for the business. I had play with jabber but didnt really like it. Looking for more of an MSN messenger for the business but with only a business list of contacts available and that is logged and able to be audited.

anyone using google talk?

 

Microsoft makes it

Office Communicator.

http://office.microsoft.com/en-us/communicator/

 

but its damn expensive?