Although economists and other experts believe we are seeing light at the end of the recession tunnel, and IDC analysts expect IT spending to resume in 2011, we nevertheless still need to be very careful with our resources this year. If we are to be wise in the outlook for 2011, what should we be focusing on? This is the question that was put to several messaging insiders and the responses are as varied as the messaging field itself. How best to prepare for the road just up ahead? While it depends on a number of variables and there is no one-size-fits-all answer, presented here are a few thoughts on what to expect or what to think about this year in messaging. (Also see the related story “What to Focus on in 2011: The Road Ahead” for more views from messaging insiders.)
Social Media and Web Security
When Facebook emerged several years ago it was a common strategy to simply block the site. Today, the site is mainstream, and while it may or may not be right for marketing your company, you can bet a lot of your employees are on it. “One of the most popular questions from businesses around Web security is how to control Facebook specifically,” observes Paul Judge, chief research officer for Barracuda Networks, Inc. Judge notes that the types of questions are evolving. “A year ago people would ask: ‘Can you block Facebook?’ Now, we get more complex questions, such as: ‘Can you allow Facebook, but block chat? Can you allow Facebook, but block access to FarmVille during business hours?’ Just this week a customer asked about allowing access to fan pages, but not personal people pages.”
Judge goes on to say that responding to administrators and management that ask for more complete ways to control Facebook and how to create specific policies around Facebook that allow people to use it in limited ways has resulted in changes in their product line. “We have been adding a lot of functionality in the last six months,” he says noting that others in the Web security space have been doing the same. “We have seen Web security go from ‘control my users’ back five or six years ago attempting to keep people from going to porn sites and sports sites. Then it morphed to threat protection, AJAX protection, JavaScript protection and now we are once again seeing requests about control, but it is around the social networks.”
Getting granular with Facebook is probably the better approach, over trying to shut down the application. With the popularity of Facebook, many companies are using the application as part of their marketing efforts and as such people within the organization need access. “It has been all too easy for security folks to take a rigid stance on a lot of things that are blocked at the corporate level and just denied,” says Tim Helming, director of product management for WatchGuard Technologies, Inc.“However, it is getting to be where ‘no’ isn’t always the right answer. With something like Facebook, for example, most companies don’t want their employees wasting a lot of time at work just looking up Facebook and sending photos to their friends.” Helming says companies need to be able to control who can use it or during what hours or even getting more granular than that, doing things like controlling who can post to Facebook or use the games versus using the more basic functions. “That is going to become very important to organizations. These apps that were never designed for businesses are going to become a new reality, we are never going to go back to complete allow or deny.”
While the marketing advantages some companies have achieved with social media are very real, so are the possible threats. “We have spent a fair amount of time tracking malicious activity on social networks—especially Facebook and Twitter,” says Judge. “In the last year to year and a half, we have spent time analyzing behavior on Twitter network and also looking at how many accounts are legitimate and how attackers are evolving in how they try to use the network. We have recently done similar studies on Facebook.” Barracuda plans to announce the findings of these studies in February when it releases its 2010 Security Report.
Search Engine Malware
Another place to watch for next generation malware this year is search engines. According to Judge, Barracuda Labs is trying to quantify how much search engine malware is happening, and in particular study the types of topics that attackers are targeting most. Why target malware towards Google, Bing, Yahoo! and others? Barracuda Labs 2010 Midyear Security Report states that search volumes have reached new highs with 88 billion per month on Google sites, 24 billion per month on Twitter, 9 billion per month on Yahoo! sites and 4 billion per month on Microsoft sites. As the report notes, that is a lot of eyeballs. Judge reports everyday hundreds of pieces of malware are found by simply searching for popular terms and that search engine ranking and optimization contribute to the effectiveness for attackers.
Archiving
When money is tight even the things you might like to implement may not happen. One of the observations towards the end of last year, as the recession started to loosen its hold, and as we move into this year is a spike in the demand for archiving. “We saw a rapid increase in the number of customers that were purchasing message archiving solutions,” reports Steven Pao, vice president of product management with Barracuda Networks, Inc. “It’s been a largely predictable growing business for us, but we saw an initiation on the part of end customers beyond what we were pushing as a vendor. When we asked what was driving this, we’re told by customers that they had been deferring it.” Pao also suspects that enough time has elapsed where “poor email administrators have had to manually go through and hunt for messages” in response to Federal Rules of Civil Procedure (FRCP) and other similar mandates for document management and retrieval.
Mobile Devices
All experts agree that the prevalence and popularity of mobile devices will continue this year. The recommendation is to ensure that the device is as secure as if the user were in the office. “We have a number of customers coming to us asking how do I protect the iPads that I just launched to my marketing group, or my BlackBerry devices, so we have spent our time as it relates to mobile to get to the same level of security that you would have at your desk,” says Judge.
Securing devices is essential, agrees Julian Lovelock, senior director of product marketing for ActivIdentity Corporation that has primarily government, enterprise, healthcare, banking and high technology customers. “Wind the clock back 10 years, all those emails that the average government employee got came to their desktop. Today a good proportion of them, from the President down, are now coming in through BlackBerry, so securing mobile devices, as communication devices with all the same areas around encryption and signing is an area that we work heavily on.
The device itself is growing into a security tool in its own right. Companies are finding the use of the mobile phone as a replacement to a credential you might otherwise carry—to get into the building, or to securely access the network when out of the office, etc. “I’m still communicating through a desktop whether it’s a Skype session, email or IM chat, but rather than use my smartcard to secure that communication, the credentials are managed through my mobile device, and I am using my mobile device to actually secure the communication from the desktop,” explains Lovelock.
In many ways the mobile device is perhaps more secure from loss than a token. “If we lose a token, we might not notice for a couple of days, if we lose our phone, we notice that within 20 minutes,” states Lovelock “Because it’s a device of more importance to you, you notice it quicker.” Lovelock also points out that a phone is a device that is always connected. “I can remotely deactivate a phone in terms of it being used for security purposes, but I cannot remotely deactivate a token or a smartcard or other authentication methods. This is another reason why the mobile phone is actually more secure.”
Multi-Platforms
In companies of all sizes IT organizations are struggling with the sheer variety of devices coming into the workplace. This year the expectation is that the diversity will continue, especially as employees bring in more media tablets. “iPad is making serious inroads into businesses,” states Helming. “For so many years tablets have been trying to push their way into organizations and up until lately, we have said ‘no thanks’ but now everybody wanted an iPad for Christmas and they are popping up everywhere.”
Helming goes on to say that all Apple products, not just the iPads but OS X in general have been widely adopted in businesses. “I would urge IT folks to take Apple security seriously. Apple OS has the most vulnerability, according to some of the security research I have seen. There has been this assumption—whether it has been tacit or explicit—that Apple is more secure than Windows or that it was less prone to attack. Boy, that is just not the case right now. It is so important to have good anti-virus and intrusion prevention at the gateway and also on the device itself. Taking Apple security seriously is paramount.” He also sees Android “growing like mad.”
One of the benefits of the multiple platform mobile device trend might be that malware writers may not show as much interest in targeting a specific maker. “We will see some big headlines that will get a lot of airplay,” predicts Lovelock. “In reality, with the proliferation of mobile platforms, we will not see malware on mobile phones because as a fraudster, there is no one single point to compromise that can get 90 percent of the users. Fraudsters will go to where the easiest targets are. If I can write a virus that will compromise 90 percent of the machines, I am going to focus on that. The cost/benefit analysis for investing time in writing a virus to compromise Android doesn’t look that appealing, because it only gets a relatively small proportion of the market. Yes, we will see some compromises. Yes, they will be high-profile because they make good headlines, but whether they actually represent substantial percent of the fraud in 2011, I doubt it.”
That’s not to say security is not needed. With so many new device types, not to mention traditional hardware in use today, security is still a major concern. What is the best way to secure a variety of platforms? “One thing that IT can do is ensure that the perimeter is equipped with the latest and greatest generations of security appliances and software,” says Helming. “Also, make sure access points within the organization are under IT control and you sweep for rogue access points. Be sure that those iPads and iPhones are associating to access points that IT controls and runs. Given the reality of so many non-corporate issued devices floating around, those are a few common sense kind of measures that IT can take to help get a handle on security.”
If there is a very limited budget for messaging security, Judge recommends that resources be put towards Web security and making sure that the laptops or mobile devices that leave the office are secured. “We are still seeing glaring holes,” he explains. “Many organizations have something in place for email, and many organizations have some appliance-based solution at the gateway for Web security, but as soon as someone picks up their laptop and goes across the street to Starbucks or goes to a conference; they are out there unprotected. They come back and bring an infection back into the office. So many of the infections we see happen like this. With a limited budget, I’d at least consider what you’re doing about it.”
The Cloud
The popularity of the cloud for business is expected to continue as more companies move to cloud-based email infrastructures. “There are tremendous business benefits to be gained. The cloud is not so much powerful because it is all Internet enabled and all the technical aspects of it, but rather it has proven to be one of the easiest delivery mechanisms on which to do outsourcing and to gain the economies of scale associated with that,” believes Pao. “Email happens to be an application that doesn’t really differ that much as you go from business to business.”
The cloud is also appealing because it isn’t necessarily an all or nothing proposition. Many offer hybrid solutions that allow the use of the cloud, as well as keeping some parts on premises. “Inbound filtering can be done in the cloud, outbound is still best done on-premises,” says Pao. “Just because you decide you want to move your email off premise or outsource the management of email, it doesn’t mean you don’t continue to want granular control of your email policy and it doesn’t mean that you don’t still want to continue to provide the same level of security protection that you always did.”
User Behavior Changing
Perhaps one of the most important pointers for messaging in 2011 is not so much about technology as with the people using it. Lovelock thinks a trend worth watching is the active engagement of the user in security-related decisions. “We have already seen some of that in what Facebook has been forced to do,” he says. “Users have to think about their profiles online, and how much they want to share with people and define a security profile that says this group of people can access this much information and that group of people can access that information. This is a trend that is likely to continue.”
This concept of users being in control is also seen in the way the various devices are coming into the workplace. Users are deciding what mobile phone they want to use or iPad or apps. This might be a carry over to how we as consumers have increasingly become in control of how we want to communicate and using which channel (email, Facebook, SMS, etc.). In a recent whitepaper, “Preparing for Message Convergence: Prescriptive Advice for the CMO and Senior Management,” Dave Lewis, chief marketing officer for Message Systems explores this shift. “Technology is changing the way we communicate. It is changing the nature of how we communicate. We are not only emailing, we use SMS, IM, social and all those forms of communication are being accessed simultaneously. We are on the move constantly; we are not tethered to our desks anymore. The point is, we communicate through multiple channels and we often shift from one channel to the next.”
The user being in control plays a significant part in Lewis’ argument. As an example, he points to Facebook’s introduction of the unified inbox as one more step in this direction. “It’s not just a social inbox, it gives Facebook members an element of control that they have not had in the past to block the messages that they do not want to receive, and block the messengers they do not want to hear from. That form of blocking is making the consumer the final arbiter of what reaches them and that changes the nature of the game, relative to how enterprises interact with ISPs and telcos. If the consumer is the final arbiter of what they receive, they are making the decision not just on email but also across channels. The risk of not meeting the customers’ expectations is that you could lose your connections to the customer.”
Lewis doesn’t think many companies are acting on the preferences, needs and wants of customers, nor are they communicating via the right channel. “Our view is there are significant risks to those enterprises that do not rise to the occasion. Those that do, there are some real advantages.”
Asked if this is only a business-to-consumer issue, Lewis replies, “I don’t think it matters a whole lot. If you think about how technology is affecting us, the line isn’t between B2B or B2C. It is not really between customers and employees. We are all part of this sea change that is taking place. It’s not just a customer issue; it is an employee issue too. As you look forward, the types of employees that you will be taking into the workforce are using communications this way. These changes and the way that we are communicating are touching us all. It is applies to everyone.”