Compliance concerns dog enterprise 2.0 collaboration platforms

CIOs need to walk a fine line when deploying enterprise 2.0 collaboration platforms: keep access open and information flowing, but enable security and compliance.

Can an enterprise leverage collaborative software like blogs, wikis and microblogging platforms and retain compliance? It can, if collaboration platforms are built in-house from selected technologies, as opposed to an all-in-one suite from an Enterprise 2.0 (E20) vendor. Enterprise 2.0 compliance, in other words, is something best baked in from day one.

What lies beneath that reality? Mike Gotta, a senior analyst at Burton Group Inc., said at the recent Enterprise 2.0 Conference 2009 in Boston that "compliance isn't a first-order design point for more enterprise 2.0 vendors. How many vendors have permission models around their activity streams?"

Such controls are crucial under the European Union's privacy laws -- or perhaps under a proposed national data privacy law here in the U.S. Sameer Patel, an Enterprise 2.0 execution and social software consultant, shared that assessment. When asked if E20 vendors "get" compliance, he responded, "Nope, not yet. It may be overkill, but spending 10 minutes with enterprise content management vendors or the IBM collaboration group exposed how little E20 has attended to this."

Two platforms presented at the conference provide case studies in successfully implementing enterprise 2.0 collaborative platforms and retaining compliance: Unity, built by Lockheed Martin Corp., and Hello, created by Booz Allen Hamilton Inc. Both successfully created hybrid models that preserved access management, logging and monitoring controls for regulated data while allowing a distributed staff to more effectively communicate and collaborate across geography and time zones. Whenever an employee using the collaboration platform tried to access protected content, access controls would engage.

The enterprise 2.0 compliance challenge in integrating social messaging technologies into the intranet, bringing social networking platform content inside the firewall, or allowing employees to use external services like Facebook or Twitter lies both in data leakage risks and in the requirements to track, log and make available for e-discovery certain conversations.

"Blogs individually are easy to audit, but distributed conversations are not," Gotta said. These conversations, however, are precisely what need to be made discoverable, as evidenced by a recent decision in Canada where an Ontario court found a Facebook profile to be discoverable. "None of the customers [of enterprise 2.0 vendors] are saying no because of the lack of tools. Email and IM went out without compliance tools, but we triaged as best we could," he said.

Kailash Ambwani, CEO and president at security vendor FaceTime Communications Inc., noted at a panel on privacy and data ownership at the Enterprise 2.0 Conference that his firm has observed a transition in how enterprises think about social software. "The enterprise position towards Web 2.0 -- social networking, etc. -- is much more enlightened. Now when we talk to customers, we don't find anyone who talks about blocking Web 2.0. The question for the enterprise now is, 'How do I manage it? How do I control it? How do I ensure I'm compliant?'"

Sam Curry, vice president of product management and strategy at RSA Security Inc., noted that a number of forces come together on a massive scale when it comes to the adoption of enterprise 2.0 collaboration platforms. "Regulations are more prescriptive and penalties more severe," he said. "There's a trend towards better controls and better containment of IP, but it runs right into trends in the social world, like Generation Y. Gen Y is dedicated, works long hours, and is used to texting and messaging using multiple social networking apps. This generation finds ways around things. Is it cruel and unusual punishment to deny them?"

That's no easy feat. Ambwani said FaceTime tracks more than 900 social networks. Facebook alone has more than 40,000 applications. When FaceTime analyzed anonymous data provided from more than 100,000 enterprise users, the average enterprise had 95 social networking platforms being accessed.

Gotta said he sees specific compliance challenges with enterprise 2.0 technologies. "The time delay associated with wikis and white-label social networks can be significant when it comes to removing sensitive content. An email is a known issue for compliance but has limited collateral damage potential. With a blog or a wiki, we don't know how many eyeballs have looked at it." In Gotta's view, "there's an aftermarket for other vendors to provide analysis of the bread crumbs these systems leave behind. Where's the wiki monitoring software?"

At least one startup at the Enterprise 2.0 Conference was aware of the issue and opportunity. Chris Richter, CEO of SocialWare Inc., demonstrated middleware that adds access controls, archiving and monitoring for enterprise employees interacting with social networking and messaging platforms like Facebook, Twitter and LinkedIn.

SocialWare captures and archives all outgoing messaging at the application programming interface level in a way that's transparent to the user. The software provides data leakage protection using a patented message replacement capability that shows only filtered messages to authorized users. A cipher functionality allows administrators to filter for data that needs to remain private, like account numbers or other personally identifiable information, trapping the messages and preventing external transmission.
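The control described above, archiving every outgoing message and trapping anything that carries account numbers or other personally identifiable information before it leaves the enterprise, can be sketched as an outbound-message gateway. The following is an added example written for this page; it is not SocialWare's product code or any code from the article. The detector patterns, the Luhn check used to reduce false positives on card-like digit runs, and the gateway interface are all assumptions made for illustration.

```python
"""Outbound-message DLP gateway (added example; not SocialWare's code)."""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed detector patterns. Assumption: a real policy would name the
# exact data classes and tune these expressions to the organisation's formats.
PATTERNS = {
    "account_number": re.compile(r"\b\d{8,12}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # 13 to 16 digits with optional space or dash separators
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,15}\d\b"),
}


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    kind: str
    start: int
    end: int


def scan(text: str) -> List[Finding]:
    """Return every sensitive-data hit in the message, ordered by position."""
    findings = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            # A digit run that fails the checksum is most likely not a card.
            if kind == "payment_card" and not luhn_ok(m.group()):
                continue
            findings.append(Finding(kind, m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str, findings: List[Finding]) -> str:
    """Replace each finding with a marker; this is the version shown to
    viewers who are not authorised to see the trapped content."""
    out, pos = [], 0
    for f in findings:
        if f.start < pos:       # skip overlapping hits already redacted
            continue
        out.append(text[pos:f.start])
        out.append(f"[{f.kind} removed]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out)


@dataclass
class Result:
    decision: str               # "allow" or "block"
    outbound: Optional[str]     # text released to the external service, if any
    display: str                # filtered text safe to show internally


class OutboundGateway:
    """Hypothetical API-level choke point between users and external services.
    Every submission is archived in full for e-discovery, whatever the decision."""

    def __init__(self) -> None:
        self.archive: List[dict] = []

    def submit(self, user: str, channel: str, text: str) -> Result:
        findings = scan(text)
        decision = "block" if findings else "allow"
        self.archive.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "channel": channel,
            "decision": decision,
            "findings": [f.kind for f in findings],
            "original": text,   # retained for audit and discovery
        })
        return Result(
            decision=decision,
            outbound=text if decision == "allow" else None,
            display=redact(text, findings),
        )


if __name__ == "__main__":
    gw = OutboundGateway()
    for msg in ["Lunch at noon?", "Wire to account 123456789012 by Friday"]:
        r = gw.submit("alice", "twitter", msg)
        print(r.decision, "->", r.display)
```

The design point worth noticing is that archiving happens before the allow/block decision is consulted, so the audit trail is the same whether a message was released or trapped, and the redacted `display` text is what unprivileged reviewers see while the `original` field stays in the archive for authorised e-discovery.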

Jon Kerner, CIO of MPS Group Inc. in Jacksonville, Fla., said, "We're constantly having discussions that are constrained by the risk of proprietary data protection." He has other fears about integrating external networks, like LinkedIn, into the enterprise: "If employees start building networks of business contacts and then leave, who owns them?" That said, Kerner is moving cautiously but steadily toward integrating targeted pieces of collaborative technologies into his organization, like Confluence wikis. "We came here because social media in the recruiting industry is dripping with potential."

Gotta noted an additional concern specific to a recent feature unveiled by Telligent: so-called "sentiment analysis," where an administrator of that E20 content platform could instantly observe how happy workers were as evidenced by the tenor of status messages or microblog posts. Such tools "could create thorny privacy issues, especially in the EU," Gotta said. "What's well-received in the outer world may not be so well regarded in the enterprise."

Gotta said he sees a clear divergence among how social software works on the open Internet, in Web 2.0 applications and behind the firewall in the enterprise. "The enterprise is tougher than consumer environments because of so many contrived regulations. There should be higher expectations of the enterprise 2.0 vendors to prioritize the features that will help enterprises manage compliance."

Gil Yehuda, an independent analyst, noted that "enterprise 2.0 does work in highly regulated industries, but only some of the E20 vendors are targeting these cases." He said he suggests to buyers that they "consider E20 solutions that work with existing compliance solutions, rather than creating a new information silo. If your solution is SharePoint, for instance, then look at vendors that integrate with SharePoint and add E20 functionality to it."

Software and compliance tools aside, successful compliance efforts in the enterprise depend on the employees themselves. "Governance comes back to people and policy," Gotta said. "At the end of the day, don't be stupid!"

And to date, most employees in regulated industries haven't been, at least in the view of Andrew McAfee, a professor at Harvard Business School.

"I do not think these tools substantially alter the compliance risk profile of organizations," said McAfee in an email interview with SearchCompliance.com on enterprise 2.0 and compliance. "Employees today are acutely aware of compliance issues, and I don't see that they'll be tempted to disobey policy or break the law simply because 2.0 tools become available.

"There may be some slight risk of inadvertent noncompliance, but the fact that contributions to 2.0 environments are so visible means that any such breaches are likely to be detected quickly."

Let us know what you think about the story; email Alexander B. Howard, Associate Editor.
