May 2010
Q&A with Andy Ellis, Senior Director of Information Security, Akamai Technologies
The collaborative benefits of social media such as LinkedIn, Twitter and blogs are becoming clear to enterprises around the globe. They speed communication and make it possible to reach many more partners, experts and customers than ever before. Less clear, however, is how to manage social media’s impact on IT security and risk. For some answers, we turned to Andy Ellis, Senior Director of Information Security at Akamai Technologies Inc. Akamai provides Web application acceleration and network delivery software, and Ellis is a frequent speaker at security events and conferences. This month he will be a panelist at the MIT Sloan CIO Symposium on the topic of security and mobility. Ellis recently spoke with Smart Enterprise Exchange contributor George Hulme.
Q: What are the top risks social media creates for enterprises?
A: I see three primary risks around social media, and one straw man. The risks are data leakage, brand damage and organizational process bypass. The straw man is the claim of lost productivity as a result of these services.
One of the real risks is data leakage. I’m not referring to exposing credit card numbers as much as revealing information about operational security and things going on within the organization that an adversary would be interested in knowing. These could be travel plans, who is meeting with whom, and other internal activities.
The second risk is one I would call attribution or brand damage. If an executive is on Twitter complaining about how he hates this or that company, are those personal opinions, or are they the opinions of the executive’s employer? That distinction really matters if the executive is complaining about customers, or prospects, of the employer.
The third area is one people don’t think about much. It’s what I call process bypass. An example would be a manager needing to fill a position and reaching out directly over Twitter, LinkedIn or Facebook and bypassing the human resources process. Social media makes this much easier to do.
Q: And what about this “straw man,” loss of productivity?
A: When it comes to lost productivity, some companies want to control and lock down employees. There is a natural tendency in a lot of security and IT organizations to try to limit what people can do. Generally, I perceive two types of organizations that use IT. One is the type that is people-oriented, hiring people because they are going to be smart, do things for the company and use IT to make themselves more productive. And then there’s the second type, which has built an almost completely “silicon organization” that just “plugs” humans in: Think call centers. But the fact is, when used properly, social media can help people be much more knowledgeable about their industry and more productive in their communications.
Q: What about malware distributed through social media or through e-mail on these services?
A: I don’t see malware as a social media threat, nor as one increased by social media. We have that same problem with HTML e-mail and regular Web sites. In fact, you don’t even have to click on exploits [malware and attack software] today. Just open and view the e-mail, or surf to a Web site, and it's possible to pick up malware. The risks in social media need to be handled by the security controls most enterprises already have in place.
Q: Are there risks for stakeholders and partners when companies start using social media?
A: There is a bit of risk there. I'll see people talking about customers they met, and partners talking about each other. Usually it's very positive. But there is a risk if a partner starts to paint you in a bad light.
Q: How do you identify violations?
A: A key area is in brand monitoring. The best preventive technologies are going to fail, but paying attention to what is being said about you gives you the ability to quickly react before a problem escalates out of your control.
So you want to monitor users for any possible after-the-fact violations, and decide how the organization will respond. For instance, what will be the disciplinary action for an employee who talks in a way that could reflect badly on a customer, or a partner? How will the company deal with those situations? They’re bound to happen, so it’s important to think all of this through before it does.
Q: You don’t seem to view social media security as a technological problem. Does employee education actually work?
A: Yes, because you can't block it. You won't win. People can access Facebook and Twitter from their phones. So you can block it from all of your corporate machines, but all you've done now is make the employee less productive. You've also made it so that you can't see what they're doing. That makes it less likely that you'll find the things you want to find.
I think it comes down to training people about the company’s expected behavior, and explaining that what they say online also reflects on their employer. Train them not to talk about customers, prospects, competitors or anything that would be considered confidential. Basically, it’s about training and trusting them to act and make prudent decisions. It won't always work, but it gives you a framework to correct mistakes, provide better training and move forward. Most of your people don't want to do the wrong thing; they just want guidance on how to best behave.
ASK THE EXPERT
Andy Ellis, Senior Director of Information Security and Chief Security Architect, Akamai
Andy Ellis oversees the security architecture of Akamai’s globally distributed network and sets the strategic security direction of the company’s Web application offerings. He also manages the Information Security organization at Akamai, where he provides security education and leadership to the R&D team.
Previously, Ellis was an Information Warfare Engineer officer in the U.S. Air Force, serving as the technical lead in network engineering, communication and security duties. He received a degree in computer science from the Massachusetts Institute of Technology.
