Updated - see below. Please jump into the discussion - we need to talk more about this!
Update 2: Here’s Matthew’s write up of the issue over on Open Port (communities.intel.com). Go read it, and comment there if you feel like it. They just turned on anonymous comments (something we discussed yesterday in our meeting) - yay!
I just had a really interesting, heated discussion with Matthew Rosenquist, an IT@Intel blogger and enterprise security guy, about whether or not Intel should ban employees from accessing Facebook and other similar social network tools. He’s a corporate security risk assessment guy, and I was doing a demo of “how to use Facebook, and why”. He started asking questions about the security implications of Facebook: could someone, say, send a malicious URL to all members of the Intel network on Facebook and compromise Intel computers and data? I maintained that Facebook is no different than email or any other website, but he seemed to believe that we shouldn’t be advocating use of Facebook, or any other social network, without conducting a formal risk assessment.
What do you think? I think it’s well intentioned, but ultimately impossible. Sure, Facebook may not be on the “approved” list of tools, but there are already more than 3,500 people right now in the “Intel” network on Facebook (meaning they have a verified intel.com email address). The genie is out of the bottle, and I say you can’t put it back in. If we were to go through a risk assessment, and decide that Facebook was verboten, there’s no way to enforce it. What are they going to do, fire every employee who doesn’t close their Facebook account? Wouldn’t it be better to be a little less reactionary, and say “hey, we know we’re never going to conduct a full assessment of the many diverse ways you can communicate online. We trust you to be good Intel employees, and not be stupid.”
If someone inside Intel wants to leak information or secrets, or otherwise do Intel harm, no amount of policy (on paper) or technical restrictions (like blocking IM or Facebook) is going to stop it. If someone wants to break the rules, they’re going to find a way to do it. Period. It’s futile to think you can do otherwise. It’s a waste of time.
Disagree with me? Great! Matt does. He’s going to post something up on communities.intel.com. I’ll be sure to link to it when it’s ready. We’ve been talking all day in this IT@Intel meeting about how to really engage in good conversations as bloggers, so here’s a chance to eat our own dogfood. And you’re definitely invited to be part of the conversation. What is your company’s approach to employee use of Facebook, Twitter, LinkedIn, and other social network tools?
Important note! Intel IS NOT talking about banning access to Facebook or anything else. At least, not that I know of. This is just a debate, one that I think is valuable. Don’t read more into it than is here.
Update: Wow. I have to say that I’m kind of surprised by the reactions that I’m seeing to this so far. They seem to fall into a couple of different camps, both of which say that yes, Intel should ban Facebook (and Twitter, etc. while they’re at it).
The first argument is that yes, a security assessment should be performed, to make sure there’s no unacceptable risk in using the site. Greg Smith says in this comment that Intel has banned Plaxo (I don’t know if this is true, because I don’t use Plaxo, but I can believe it). I also know that FolderShare is banned/blocked by the Intel proxy.
In the case of Plaxo, I can understand why it would be blocked. Plaxo, in its first incarnation, basically imported all of your contacts from your address book, then spammed them to try to get them to join Plaxo. That was its main function - to be your online address book. I can understand Intel not wanting people’s address books being sucked up into Plaxo. There’s confidential information in there, like people’s home phone numbers, email addresses, etc. Yes, when you work for Intel, even your name and email address are considered “Confidential”.
FolderShare is a service that lets you install their little app on all of your computers, and then access the files on all of your computers from any one of them. It’s very handy - I use it on my home computers, when I need to get to something that’s not “in the cloud” (which is where most of my files live today). I’ve also set it up for my brother’s moving company, so he can get to work files from home securely. But since it opens up a relatively easy avenue for remote access to files that shouldn’t be shared, I can understand why it’s blocked by Intel. In both cases, it seems a risk assessment was done, and steps were taken. In reality, those are the only couple of sites I can think of that Intel actively blocks. It could be a lot worse there - they could implement topical web filtering like WebSense. The day they do that is the day I seriously consider quitting. Really.
The other camp/argument for Intel banning sites like Facebook, Twitter, etc. comes from long time commenter Rebecca. I think Rebecca either works for Intel, or her husband does (I can’t remember - Rebecca, please correct me if you wish). In this comment, she says basically that yes, Intel should ban Facebook, and Twitter, and any other site that you don’t use to “get your work done”, because you’re not at work at Intel to be “socializing”, or catching up with friends, or basically goofing off.
There are several assumptions made in this argument. First, the assumption that you aren’t getting your work done if you ever use these sites. The second is that there is no legitimate reason to access one of these sites for work purposes.
The first assumption, that you must be unproductive, goofing off, and costing Intel money if you use Facebook or Twitter, is pretty narrowminded, I think. Rebecca calls me out specifically, noting that I often post on Twitter or on my blog during “work hours”. She’s right. I do. But it’s not the only thing I’m doing during “work hours”, nor is it harming my productivity. You can ask my boss, Bill Pearson, about that. I’m going to try to get him to post his thoughts on this topic in a comment or on his own blog, if he doesn’t beat me to it. (EDIT: Here’s Bill’s comment on the matter).
Every time I hear someone use the “work hours” line of reasoning, I cringe. I don’t know about all the companies in the world, but Intel is definitely one that requires most of its employees to do work related things on “non-work hours”. Answering email on your BlackBerry. Calling into an early meeting with Israel, or a late meeting with India from home. There are very few job roles at Intel I know of (in the factories, maybe) where there’s a very clear demarcation between “work” hours and “non-work” hours. If my manager wanted to enforce a “no personal activity during work hours” policy, he’d have every right. But I’d have every right to enact a “no work during personal hours” policy. As it is, there’s a policy that says “you can do personal stuff during work time, within reason.” That is, if it’s not impacting your performance, it’s fine. It’s between you and your manager. Some companies, like Google, are so demanding on their employees’ “personal” time that they offer things like free onsite food, laundry, exercise, etc. to make it easier for people to never go home.
So, unless you’re a factory worker or some other kind of manual laborer, where taking time out of your job to find a computer and post to Twitter is an obvious negative impact on your productivity, I don’t buy the “Intel doesn’t pay you to use Facebook and Twitter on their time and on their computers” argument. Once you start banning “unproductive” sites, it’s a slippery slope. Where do you stop? Do you ban Google? ESPN.com? Why not just make a “whitelist” of sites that are allowed, and only allow access to that list?
There’s another angle to this. A couple, actually. First, what message does a company send to its employees when it bans/restricts access to sites on the basis that employees will waste time on them? Here’s what I hear: “we don’t trust you not to steal from us. We think you’re going to try to steal from us by not working during every minute for which you’re being paid. We think you’re out to screw us out of something, and by gosh we’re going to do everything we can to stop you.” Adversarial, derogatory, and downright hostile, if you ask me. How would you feel if your employer sent you an email every day with those exact words? Because that’s basically what they’re doing if they have a Draconian filtering/acceptable use policy. I would NOT want to work for a company like that. And I sure as hell wouldn’t be willing to do work on my “personal” time, or give one iota more than the bare minimum required of me to be “productive”. No innovation. No “extra mile” efforts. Just “productivity”.
Next, unless you’re a company that doesn’t need to care about the future, already has perfect marketing that will never change, has all the money you’ll ever need, and already employs every employee you’ll ever need, it’s CRITICAL to have people that are familiar with, even native users of, technologies like Facebook and Twitter. Two decades ago, how many companies thought they would NEVER need to know how to use email? A decade ago, how many companies felt the same about having a web site? How many of those companies are around today? If you are a technology company, I say you MUST not just allow, but encourage your employees to learn as much as they can about these social technologies, so you can think about how they’re going to impact your business. Because they’re already impacting your business, whether you know it or not. If you don’t believe me, I say “denial ain’t just a river in Egypt”. I don’t trust your crystal ball that says we’ll never need to care about or use these technologies.
Furthermore, how are you ever going to attract and hire smart people, college graduates who use Facebook and Twitter as if it were second nature, people who only use email to communicate with their parents, professors, and other “old” people who just aren’t up to date with the web? How on earth would Intel attract the smart people it needs to stay a leader in the technology world with that kind of hostile anti-social network policy? They wouldn’t. The smart people would stay away in droves. They’d go to competitors (although AMD strictly forbids employee blogging, and probably Facebook, too). Or they’d start their own companies to take over when the fossilized dinosaurs that couldn’t see why they should allow their people to be smart and creative and have fun and communicate with each other die off, dry up, and blow away.
In Cory Doctorow’s book “Down and Out in the Magic Kingdom“, science of the future has figured out how to cure death - you can back yourself up and restore into a freshly grown body, effectively becoming immortal. In the book, there was mention of a great debate between people who felt that this technology was wrong and immoral, and those who didn’t:
The Bitchun Society has had much experience with restores from backup—in the era of the cure for death, people live pretty recklessly. Some people get refreshed a couple dozen times a year.
Not me. I hate the process. Not so much that I won’t participate in it. Everyone who had serious philosophical conundra on that subject just, you know, died, a generation before. The Bitchun Society didn’t need to convert its detractors, just outlive them.
Human beings are social creatures. We need to communicate to thrive. It makes us smarter. Better. Happier. The era of a dictatorial company structure where your employer owns every minute of you when you’re on the clock is over. At least, in the technology world. Don’t believe me? That’s fine. I’ll just wait until you turn to stone, dry up, and blow away.
I think that Intel has the right idea in banning FaceBook, and other social networking tools. You are not there to socialize, catch up with friends, etc. You are there to work. If you want to do anything other than work, maybe you should be at home. I also think that they should ban things like Twitter. I have watched and read your blog, and while I am not calling you out on purpose, I do have to wonder, how do you get anything done? You appear to spend so much of your work day Twittering and working on this public blog. Now, if you were to multiply that by X number of employees, I can clearly see how Intel would be concerned and not just from a security standpoint. You keep saying, and I can see it to my right that Intel’s security is paranoia. It seems to me, that you are completely clueless what risks you are taking, and could potentially, however inadvertently, expose Intel to. Intel is not in business to be your source of external entertainment during your business hours.
I am disappointed to read that you could not have a conversation with a coworker without “almost” shouting. It just strengthens my viewpoint that you must feel somewhat offended that Intel would dare to control what you do on their machines on their time. How much sense does that make? And to call IIRS paranoid is a compliment, it is what they do well.
Why not, they blocked Plaxo. Not the same but they have some similar capabilities.
Blocking Facebook because someone could send a URL would seem to be a “less than smart” decision. How many e-mails do you receive with links in them? Should Intel ban Outlook?
Whether FaceBook is a time waster is another issue altogether. Depending on one’s job description, networking could be viewed as “working.”
Thank you all very much for your comments. I really appreciate them.
I just did a monster update to the post above, so have a look, and let me know what you think.
What ever happened to the Intel ideals of Management By Objective and evaluating employees based on productivity and contribution, rather than task-management? If employees are truly less productive by using Facebook, it will be evident in their evaluations. If their productivity is not adversely affected, then I submit there’s no problem.
I find it odd that employees are free to come and go from the campus as they please (they could go anywhere…home to take a nap, the gym, a movie theater, a drive through the gorgeous countryside of scenic Hillsboro) but possibly not trusted to use Facebook appropriately and responsibly. Goof offs could just as easily do crosswords in the cafeteria if they are inclined to waste time and conscientious workers are not going to forsake their careers and suddenly become poor employees for a site like Facebook (which in my opinion isn’t all THAT exciting anyway).
Well last week I was on a social media panel at Intel Developer Forum which I am not going to link to the video thereof due to bad hair day combined with obligatory male domination of the shirt selections. That is referred to in my blogs.intel.com opinionating, where I am trying to introduce some of the “other gender” side of things.
So at this panel, there was the CTO of SocialText http://www.socialtext.com/
Peter Kaminski put forward the idea of an enterprise facebook where there would be a little firewall around the space and you could plot social network connections internal to a corporation, something I am very interested in. So, despite the major display of territoriality and security-vs-freedom testosterone pyrotechnics we experienced today, there is a middle ground.
On to another point. Josh, you have accused me of writing “essays” in my posts. Ahem! Shall we do a comparative word count?
@Brent and @Todd - very good points. If an employee wants to be slacker, they’re going to find a way to do it. Crosswords in the bathroom, anyone?
More private than the cafeteria, you know. And who would question how much time you spend in the john?
Eleanor, you totally got me on the post length on this one. I call it my Eleanor writing style.
I just noticed Rebecca’s post. How DO we all find time to blog? Well how DO people find time to read blogs? This is like the Nathan Zeldes argument that e-mail is driving him crazy–so-called “infomania”, meanwhile nobody clogs the ether more than he does with his anti-mail campaign. For my part, while not as prolific as Josh, I could easily be if I gave up other Internet searches and online shopping. A blog post typically takes me an hour and a half, which is amazing as the time seems to fly by, but I do it on a Friday, Saturday, or Sunday night, usually. And often pretty late. Just the time it takes to commute to a workplace is enough time to both write posts and reply to many others’. It isn’t really time, and most of our work is not about the hours we log tweaking spreadsheets to death. It is the quality of output. This “how do you find time to do real work?” question bugs me. As I say to Nathan, “hey, just don’t read it,” then it won’t bother you.
I see two issues here. The first is whether there is a legitimate security issue. The second is about productivity and appropriate work behavior. My opinion is that the security folks need to do a risk assessment of anything that they believe poses a legitimate threat to the company. They’d be hard pressed to make a case that Facebook is a security threat. Anything new feels threatening until we get a better understanding of it.
On the issue of productivity and appropriate work behavior, Todd got it right when he said that a person’s review should be based on their productivity. For my team, Facebook is a tool that we’re using to build relationships with software developers. It’s also a view into what’s happening on one of the most popular sites on the Internet. In addition to the work connection, there’s the issue of what work time means. In today’s environment employees often work from home in the evenings. The concept of a 9-5 work day is gone. We work when we need to. We run errands when we need to. Intel enables (encourages) this behavior with tools like remote access and laptops. At the end of the day, my employees are more productive when they find a balance or blend between their personal and professional lives.
This debate is interesting though, as it’s a question that more and more companies are asking themselves. The balance of productivity, security, employee morale, and the changing nature of work / life balance continue to present challenges and opportunities for the saavy employer.
I have the following thoughts. Social media (facebook, communities, blogs, etc) are a means to end to connect with our End Users, IT enthusiasts & fellow travelers. Am I using it for work? Absolutely! Do I think there is a personal aspect to this that is key when dealing with communities? Absolutely!.
Do I think it’s a security risk? Depends on what you post. There is always in any media vein a potential to have misinformation or data pass outside of the corporate firewall & understanding the security risk is mission critical (period). However, I agree that anything new usually falls into High Risk until it can be understood. If there is a need for a risk evaluation, then I highly recommend & we move on from the dialogue.
One of the presentations @ Office 2.0 conference 2 weeks back was a speaker from Australia talking about the new paradigm of workers & how the conventions from the past don’t work any more i.e. 8-5’ers, only do work during work hours, etc. SO what does this all mean to me? You have to be flexible with your employees & understand the social elements, this new culture of social media & what the new boundaries of execution are.
I look forward to hearing the contrarian views on this post. I also am awaiting the Security post on the communities site @ http://communities.intel.com/
Cheers.
Josh H
Here’s my view. Security for any corporation is a key element of a company’s success, either from physical or cyber, the threats are real & risks are something that can be measured. Most new capabilities upon entry are deemed as a risk until further analysis can be completed & the true risk can be understood across the IT & Security teams. These are more data points than an opinion. Now for my opinion, for any tool there is a positive & a negative on how you utilize. For social media it is a gray area for how the Enterprise adopts & institutionalizes the already growing toolset of Web 2.0 to Web 3.0 tools. When you start to apply the enterprise vision on a gray area, you start to see the differing views & you start to blend the social aspects outside of work with how the company operates with its End users, Fellow Travelers & Employees. The real test is how do you take this very powerful tool set & extrapolate a true business value that can be connected to changing the business for your company.
For me, social media & communities have now begun to take a large % of my day job, it has become a blossoming avenue to connect with IT Enthusiasts, End users, Fellow Travelers & Intel Architects to come together to make a difference in the platforms that we are delivering & how we in the future will deliver capability to our End users. This model I’m explaining is the start of how businesses can leverage Social Media tools in the enterprise. Okay, so now you’re asking yourself.. what does this all have to do with facebook for a corporate or not? Well, let me put in perspective, when I started my community I kicked off my facebook account so that I could make a personal connection to fellow community members & start a richer dialogue with them. Not because I was “playing” around or not doing my job, it was quite the opposite, it was the tool of choice to setup my profile so that folks could see I was real & have dialogue with me beyond a discussion board. Don’t be fooled, I’m paranoid, Andy Grove said it best “Only the paranoid survive” & you can consider me in that camp.
So.. what do I think? Social media tools are the new norm, they will be the future life line to how we operate at all levels, in all groups & it will be the new frontier to harness the knowledge of the Industry. The quicker we understand, remove past FUD, the better any company can start to transition to this new paradigm.
Do you agree? Do you see the same?
Josh H
Ever since the inklings of knowledge work and knowledge management crept into corporate awareness, there has been a perpetual contradiction between sharing openly and maintaining security. It is a policy problem that has to be solved, by various methods. One of them is to maintain a separation between the inside and outside spaces, while using the same tools for both of them. Just as you would be appropriate in passing on information you were privy to in a purely social setting. What are the consequences? Security people, like legal people, are intensely aware of all that can go wrong. It doesn’t mean we can’t use these media within restricted settings. However, the boundaries of appropriate internal sharing need to change, and that is only for the better. The more we understand our internal context, the better we can respond. Shoshana Zuboff wrote a classic book In the Age of the Smart Machine, where she talks about the “informatization” of work in general, of all kinds. Knowledge workers are more empowered by the very fact that they manipulate symbols, not material objects. The tools that they use for this include all of the technologies discussed above. And the other powerful idea is that knowledge is socially constructed, by groups. It is not just a block you move around; it changes when it is shared and discussed. Just like we are doing here. This is an essential process for the development of strategy, quality, innovation and effectiveness, and these media facilitate that process.
@Josh H - great comment - thanks for sharing. I’m glad you say that social tools are the new norm. We’re in agreement there, for sure.

@Eleanor - jeez! Even your comments are essays!
I work at Intel and manage a segment of our relationship with one of our strategic partners. I have several connections to key stakeholders at this account in Facebook, and even more in LinkedIn. Both have proved to be very useful in my day job. My job is particularly “social” in nature but I think any job would benefit from professional networking. Although Facebook is more informal it can and is still used for professional purposes.
Oh yeah? Your comment was 30 lines, mine was sixteen. You must be referring to the profound nature of my wisdom!
BTW: this is the heart of the matter of “Social Media - friend or foe for IT”. I would like to hear more of the contrarian view of why this is not a good thing for any company. Too bad I wasn’t able to join the mtg today to hear the dialogue first hand, I’m passionate about this topic (but aren’t we all)..
@Eleanor - that 30 line comment was Josh H., not me.
And of course I was referring to your profound wisdom.
These tools, wielded correctly, can generate an amazing amount of goodwill and leads for sales, and also help product teams communicate with customers in a more effective way.
Banning the use of social networks is akin to stopping a tsunami with an umbrella.
LOL @ Jeremiah - I love that line! I’m totally going to steal it.
Josh– not sure as I have no expertise in the security area; however in the social networking area: Facebook, LinkedIn and their ilk do improve productivity as they are communication vehicles that have an inherent network effect. –Nick
Banning Facebook is such a backward step, ‘they’ used to try and ban private email at work and private phone calls too.
We now live in a distributed knowledge management environment and things have got to change..
I can’t add too much more to this debate on top of what JP Rangaswami has written;
http://confusedofcalcutta.com/2007/07/27/facebook-and-the-enterprise/
I think he says all that is needed to be said.
However, couldn’t you just see Facebook replacing the crappy enterprise directories we have right now?
Imagine being able to look up your co-workers and see what stuff they are in to, rather than just their email address and phone number and a tiny pic (if you’re lucky)
I’m looking forward to see which Enterprise takes the leap and installs Facebook, I’m talking to my Senior VP’s at Orange about it.
I wonder what is going on at Intel these days. I am sure morale must be good somewhere, but in my group, we are at an all-time low nowadays. GPTW has been greatly overlooked by our management. Should we now start blocking things employees clearly use a lot (3000+ members in the Intel community at Facebook testifies to that)?
But even if you want to completely scrap GPTW from our list of values, you still have to approach this with at least a little bit of logical thinking. Why on earth would we ban that site?
Security? What exactly is the security problem with Facebook? I am sure there are many. I am just not sure there are any issues on Facebook that are not in thousands of other sites and other Internet features out there. As someone pointed out already. Can’t you get a URL by e-mail? What about IM? Heck, I do get URLs by both IM and e-mail every day.
Productivity? That’s naïve. I blog from work, I “twitt”, I google and I even talk to people on IRC. I even leave work early many times when I am done with my work. Sometimes I work from home. My review this year was still “Exceeded Expectations” and I got a promotion.
the idea of the 9-5 work does not apply here. I have a weekly meeting every Thursday at 9pm and a “geo hour” meeting every two weeks that starts at 7am. So don’t tell me that I cannot do personal stuff during “work hours.”
I understand the concern about security, but to say Facebook is especially dangerous is just lazy thinking.
And in the end, there’s the practical issue of selecting which sites are “work-related.” How can you tell? You’ve got 100,000 people working in this company. Can you come up with a list of sites that are appropriate? Maybe only those inside intel.com?
Gosh, I don’t even care much about Facebook, but just the fact that someone is considering banning it makes me mad. It’s just lazy thinking. This is a big problem at Intel–people whose job is to come up with ways to justify their jobs.
Ok, beat me with a frozen trout. I obviously misread the post as “Intel is considering banning Facebook” instead of “a guy who happens to work at Intel thought we should not advocate Facebook before a complete security assessment was completed.”
“It’s not WHAT you know, it’s WHO you know.” This saying has been around for a long time and for good reason - because it’s true. Networking has been a critical part of business since the first guy who made fire showed it to his astonished buddies, I bet. “Hey look what Grog do. It burn. Want me show you how to make burn? Grunt, grunt.”
Basically, there’s nothing wrong with networking during work hours. Think about how much time you spend at Intel in hallway chats, “informal” 1:1s, long lunch breaks with a colleague…that time adds up just as the time does that people spend networking via Facebook, Twitter, blogs, etc. It’s just a new way of doing things, which bothers some people I guess. I don’t know enough about the security implications to make a salient point one way or the other, but as far as the concept of social networking and productivity, I can talk to that. Do I check my Facebook account during work hours? Yeah, sometimes I do. Do I still manage to get my work done and get glowing reviews at Focal every year? Yep, I do that too. It’s all about time management and how you work smarter, not harder. I don’t think you should feel obligated to spend hours upon hours tinkering with a spreadsheet if you could get the same task done in half the time, just with less tinkering. Let’s face it, no one cares if the cells are light blue or light green…really, they don’t. Let it go.
To the post above that says social networking is the norm nowadays, especially with young people, he’s 100% correct. I’m 26, and I have a Facebook account (not linked to my Intel email though), MySpace account, a blogspot account, and I use MSN LiveMessenger all the time. It’s what I know…I’m much more inclined to shoot an IM to my friends or post a comment to their Facebook “walls” than call them. And I’m not alone - most of my friends are the same way. And my 20-year-old brother’s friends. And my 18-year-old sister’s friends…you see my point? It’s the ‘new normal’ (to borrow a lame buzzphrase) in networking, and Intel better start finding ways to leverage it for internal employee use.
All, I have posted a few rambling thoughts here: http://communities.intel.com/openport/blogs/it/2007/09/26/social-applications-friend-or-foe-on-the-corporate-network
Snippet: Corporations institute security mitigations to control and manage risks to the corporate network, systems, data, reputation, customer goodwill, liability protection, etc. Many of these new social applications expose employees to a new set of social engineering threats. Connecting to these services from company machines across corporate networks exposes potentially critical assets as well.
The benefits are undeniably great for these tools, but should corporations embrace such potentially risky communication channels? If so how?
Social media/collaboration is a fantastic (yet scary) transition into the next generation of data & knowledge sharing. Old security models simply won’t work in this next phase. Twenty years ago, identity theft was done by stealing mail out of mailboxes or rummaging through someone’s trash - today it’s done that way, but also a dozen other ways as well via internet, cellphones, PDAs, laptops, etc… We simply need to find that ‘hitch point’ that allows us the controls or enforce the security around the newer technology/transfer methods.
A person signs a contract with an employer when they join the company, maybe new contracts need to be developed (and revisited!) for employees. If someone posts something that doesn’t meet the guidelines - then BAM - they’re excused from work, and legally it can happen because of failure to meet contract policies.
The problem with the media realm is that we now have 1st Amendment activists fighting for blogging rights, and data sharing overall. It’s not going to be a simple battle. If someone is hell bent on posting something - it will happen. Knowing when (or how) it happens is up to the security & technology teams to best mitigate those risks.
Overall, the company is made up of employees who should be protecting their own turf, if there’s a bad apple - pitch it.
What’s after FaceBook, or MySpace, or Twitter, or Product-X? We need people focused on acquiring higher intelligence levels of these new media based methods to better meet the threats when they arise, otherwise we’ll be chasing our own tail each time a new ‘method’ is released into the wild…
Oh - and remember - we’re responsible for this… remember? The Pentium 4 increased your Internet experience.
Due to my penchant to stand up for the underdog in a given situation, I say we have to listen to Matt’s concerns. It is reasonable for corporations to protect their interest, period. As it is for any person or entity. It is a policy conundrum that needs a lot of thinking and technology to resolve. I don’t think Matt ever said we should ban Facebook. Just that there are risks as to what people put on their external Facebooks, right? Hence the firewall proposition. Remember corporations are not charities, nor are they even defenders of rights, except as they define them and laws require. I wonder if we are not over-polarizing the question.
Nice commercial reminder Toadster… I agree with Eleanor. Read Matt’s post, he is not asking to ban Facebook. But Josh is right, Facebook poses risks that have been in play, but have relied on governance via policies not firewalls. IT pros do have a responsibility to assess the business risk of emerging and popular social networks. Just do it swiftly, it’s a fast-moving tsunami.
As security people, we’re commonly perceived as the ones who say “no” to every new thing. Unfortunately, this is the result of our nature to consider carefully the implications of new technology, processes or automation. We need time to understand what it is, how it works, and most importantly how it can be broken or exploited to the detriment of whatever it is we are trying to protect. That’s really where the “no” comes from. But we are human and we have different expertise and time. So that’s why we have processes like Risk Assessments and Threat Assessments and things like Corporate information security policies that attempt to capture what is important for a company and its employees to consider as they conduct their work for that company.
Inherent to the process of understanding new technology is the fact that we, as security professionals, are forced to understand the constant state of change and evolution. We need to keep up with evolving technology, its uses and users. Social network based systems and the automation surrounding them are the current wave of technology that a lot of us are still trying to wrap our heads around. I’m finding that we do need to move fast to comprehend the risks and explain them to not just the users of the tools and tech but also management.
Ultimately, our job is not to ban but to capture and document the danger to the corporation and allow the managers to either accept that risk or allow us to figure out what to do about it (if anything). Doing something about it, of course, can include things like educating how people should follow policy in using these new tools and not just wholesale bans.
In reply to Esteban, it is easy for us experimental risk-taking types to want to go full steam ahead with new things. I myself have used experimental software of various kinds, mentally brushing aside the risk. But when I get a security review I find two things: 1. “Wow I did not know that data was being extracted by the program!”; 2. the security review person is usually excited about the software too and wants to find a way to make it work with the security guidelines. That is a real innovation opportunity.
Speaking as someone who enjoys social media and considers it an important part of my job and learning, while working at a company that has blocked every popular social (facebook, myspace, youtube, twitter, you name it) site that exists, I can say it pretty much sucks and is a pointless effort. You can babysit your employees all you want, but it should be about whether the job is getting done. Also, the points about the blending of work time/personal-time are right on. It’s pointless because 1) there’s always a way around, and you’ll probably inadvertently encourage your employees to do riskier things (security-wise) when you put the blocks up and 2) as has been already said, if you want to slack, there are plenty of other ways to do it too.
Good insight, Eleanor. Yes, we are often excited about the new tech, software or hardware and I think a great many of us actually jump on those beta bandwagons to participate and learn.
So to continue this, I’m curious what people think about dealing with the security issues that something like facebook raises. Assume the risks are information leakage (ie, contacts, etc) and client side attacks (ie, some app on facebook owns your browser and then your system which leads to slurping your data or making your system do something bad; send spam, DOS Estonia). So what do you all think the solution should be? How do we make this a safe technology for people to use?
I’m curious about this from a few different perspectives. What do you do to protect yourself (your kids, your friends, etc) at home? What do you do as an employee of a company with assets and business to protect (is your behavior different from that at home)? If you’re the company what do you do to protect your business?
So to provide some starts: I’m inclined to focus more on user awareness and education along with aggressive patching of user systems. I’d follow this with aggressive monitoring of the corporate network, ie, look for bad things. This only works when a machine is severely compromised (ie, becomes virus swamped, turns into a zombie and starts spamming, or shows evidence of being controlled remotely by bad guys). We could try to detect when the entire internal corporate address book (or a confidential strategic doc on a CIO admin workstation) is slurped up by a facebook application. I know this is all doom and gloom stuff and I don’t want to focus on the details of those specific issues. Perhaps you can think of different or even more malicious scenarios. I’m more interested in what should we be considering when we want to address the general risks within a corporate environment.
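The comment above proposes "aggressive monitoring of the corporate network" for two symptoms of a compromised workstation: a machine that turns into a zombie and starts spamming, and a machine that pushes a whole address book up to a social-networking application. The following is an added example (not code from the commenter, from Intel, or from any monitoring product) of what that check can look like over proxy and firewall connection logs. The log formats, the domain watchlist, the allowed mail relay name and the thresholds are all assumptions chosen for the example; the sample log lines are constructed.

```python
"""Toy detector for two compromise symptoms: outbound SMTP fan-out from a
workstation (spamming zombie) and a burst of POST bytes to a watched
social-networking domain (bulk upload, e.g. an address book being slurped).
Log formats, thresholds and host names are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SOCIAL_DOMAINS = {"www.facebook.com", "www.myspace.com"}  # assumed watchlist
MAIL_RELAYS = {"relay-01"}  # assumed: only host allowed to speak SMTP outbound

# Constructed proxy log: timestamp, source host, method, destination, bytes sent
PROXY_LOG = """\
2007-09-26T09:00:01 ws-0412 POST www.facebook.com 1840
2007-09-26T09:00:03 ws-0412 GET  www.facebook.com 210
2007-09-26T09:00:05 ws-0412 POST www.facebook.com 3100200
2007-09-26T09:00:06 ws-0412 POST www.facebook.com 2900000
2007-09-26T09:01:10 ws-0073 GET  www.intel.com 512
2007-09-26T09:02:00 ws-0073 POST www.facebook.com 4200
"""

PROXY_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d+)$")
CONN_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)$")


def constructed_conn_log():
    """Constructed firewall log: timestamp, source host, destination port.
    ws-0099 opens 40 SMTP connections in 40 seconds; relay-01 is legitimate."""
    base = datetime(2007, 9, 26, 9, 5, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} ws-0099 25"
             for i in range(40)]
    lines += [f"{(base + timedelta(seconds=3 * i)).isoformat()} relay-01 25"
              for i in range(40)]
    lines.append(f"{base.isoformat()} ws-0412 443")
    return "\n".join(lines)


def parse_proxy(text):
    """Return (time, host, method, dest, bytes) tuples; skip malformed lines."""
    out = []
    for line in text.splitlines():
        m = PROXY_LINE.match(line.strip())
        if m:
            ts, host, method, dest, nbytes = m.groups()
            out.append((datetime.fromisoformat(ts), host, method, dest, int(nbytes)))
    return out


def parse_conns(text):
    """Return (time, host, port) tuples; skip malformed lines."""
    out = []
    for line in text.splitlines():
        m = CONN_LINE.match(line.strip())
        if m:
            ts, host, port = m.groups()
            out.append((datetime.fromisoformat(ts), host, int(port)))
    return out


def find_bulk_uploads(records, watched=SOCIAL_DOMAINS, window=60, threshold=1_000_000):
    """Map (host, dest) -> peak POST bytes in any `window`-second span that
    exceeds `threshold`. Sliding window over per-pair events sorted by time."""
    by_pair = defaultdict(list)
    for ts, host, method, dest, nbytes in records:
        if method == "POST" and dest in watched:
            by_pair[(host, dest)].append((ts, nbytes))
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        total, start, peak = 0, 0, 0
        for end, (ts, nbytes) in enumerate(events):
            total += nbytes
            while (ts - events[start][0]).total_seconds() > window:
                total -= events[start][1]
                start += 1
            peak = max(peak, total)
        if peak > threshold:
            hits[pair] = peak
    return hits


def find_smtp_fanout(conns, allowed=MAIL_RELAYS, window=60, threshold=20):
    """Map host -> peak number of outbound port-25 connections in any
    `window`-second span, for hosts that are not approved mail relays."""
    by_host = defaultdict(list)
    for ts, host, port in conns:
        if port == 25 and host not in allowed:
            by_host[host].append(ts)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while (ts - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            hits[host] = peak
    return hits


if __name__ == "__main__":
    print("bulk uploads:", find_bulk_uploads(parse_proxy(PROXY_LOG)))
    print("smtp fan-out:", find_smtp_fanout(parse_conns(constructed_conn_log())))
```

Both checks are volume-over-time rules rather than content inspection, which is why they only catch the "severely compromised" case the comment describes: a single small POST carrying a few contacts looks like normal use, so the thresholds are a tuning decision for each environment, not a fixed answer.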
There is a lot of interesting work going on in adaptive and resilient computing that relates to security. Robert Ghanea-Hercock is a leader in this area. http://labs.bt.com/pict/RobertGhanea-Hercock.html, as is Fabrice Saffre http://research.bt.com/is/ and Intel’s own Hong Li http://www.intel.com/technology/techresearch/people/bios/li_hong.htm
The new security paradigms are based on complexity science including crossover metaphors from epidemiology research.
I think the answer to some of these questions lies in this new science paradigm.
So, as a total 3rd party - the mentions of infosec ‘babysitting’ employees is totally off the mark.
Believe me, there’s usually too many fires to put out to worry about how any individual is spending his or her time, let alone tens of thousands of employees.
However, if these users run this software and it causes a security compromise, regardless of who was still getting their project timelines in on time - there’s something afoot and the secops team or whatever needs to address that.
As far as that goes, I’d say Facebook (similar to Plaxo) offers some concerns, the default signup process encourages people to enter in credentials for various -other- sites so they can pull from your address books, buddy lists, etc. and for lack of a better term, spam them with invites. I had several friends who were outright offended when they got these. It’s basically the internet equivalent of “get a low low discount if you give us the # of five of your friends!” It’s pretty scuzzy, absolutely has privacy and security concerns, and that’s just the initial signup process.
Getting all up in arms about a risk assessment is acting like chicken little really - an assessment should be just that and isn’t an immediate denial, nor is it carte blanche - after an assessment and review is made, then decisions happen, so stop putting the cart ahead of the horse.
Lastly, I’d say as a devil’s advocate - who cares if work blocks everything anyway, even cell phones have good browsers, ssh clients, and fast network connections (evdo, hsdpa and such) - use that, and don’t worry about the corporate policy! In turn, they won’t worry about whether your cell phone/personal laptop gets compromised.
There’s something to be said about keeping work and personal life separate. I demand that work provides me a good laptop and highspeed network access so that I can VPN in from anywhere and do my job 24×7. But if I want to have fun, I do it from a personal machine.
These days, Virtual Machines can make such separations even easier to do _potentially_ but again, as an information security professional, separate physical access will always trump separate VMs.
Josh,
I am not advocating disallowance of these tools and services, rather I recommend management take the time and care to diligently understand the risks and decide what will be allowable within their environment. Employees, shareholders, governments, and customers rightfully hold management to making those decisions and ultimately hold them responsible for adverse effects.
Visit the Intel Communities thread for more of this discussion. http://communities.intel.com/openport/blogs/it/2007/09/26/social-applications-friend-or-foe-on-the-corporate-network#cf