Showing results for 
Search instead for 
Did you mean: 

Security and Privacy in ESS


Given the well-publicized incidences of security and privacy issues in the Enterprise Social Software (ESS) public arena, it is instructive to consider the applicability of traditional security controls in corporate / institutional implementations of ESS. Afterall, one of the primary aims of ESS is to promote openness, to break down barriers and encourage mindshare. Can these two mentalities truly co-exist? It is an interesting question and one that is not entirely easy to answer when you get down to specific issues. I believe that the short answer to this is "yes"; they can co-exist, but there are nuances to the traditional privacy paradigm, for instance. What is a best practice around "opting out" for instance in the corporate ESS implementation ?

This blog purports to propose how to evaluate an ESS system and to implement security and privacy governance best practices in a corporate ESS setting. Of course, the "devil is in the details", but hope to spur discussion around the practicalities of implementing each area.

  1. Data Classification

          Implement data security practices      based upon overall corporate data classification policies. ESS system      should support the ability to implement           such policies. For instance, the ESS system could implement "hidden" communities to protect sensitive information and not allow searches to           include such content unless you are authorized.

     2.  Role-Based and Rule-Based Access Control Model

          Enforce role-based security to control access to information on a need-to-know basis. As ESS systems exist to promote openness in the           sharing of data, the deployment model should encourage      open access (perhaps the default)- while providing the mechanism to highly restrict           access when required. The system should provide a mechanism to develop custom rules to handle specific use cases.

     3.  Secure Development      Practices

          Apply best practices in secure application development and      testing when deploying custom portlets or gadgets. ESS developers should           undergo training in developing secure applications. Test suites should include vulnerability testing to validate that common attack surfaces are           accounted for.

     4.  Security Compliance

          Provide a process whereby security compliance and incident reporting of content can be provided. Compliance "officers" should be able to           edit, hide, and/or refer content back to the      originating author. The underlying ESS software should  provide a framework whereby high-level                compliance regulations can be enforced via role or rule-based access controls- for instance in industry-specific or country-specific           implementations.

     5.  Security Awareness Training

          In your overall security awareness training, include additional training relevant to social networking

     6.  Social Networking Conduct Policy

          Develop a corporate social networking conduct policy and extend      to your internal ESS system

     7.  Secure Operational      Procedures and Policies

  1. Provide an end user terms of use and license acceptance. Also provide a mechanism for end users to "opt out" of information they do not want to receive       or disclose. However, this must be balanced by the needs of the corporation where some information should be distributed to everyone       (e.g., executive blog or department head imparting important  information). As a minimum, users should be able to filter out some content with high volumes of information (e.g., activity feeds)
  2. Implement an access policy on who has physical or logical access to your ESS system data.
  3. Password policy for your  ESS system should follow similar best practices as other applications
  4. Limited access to privileged  accounts at an OS, database, and application level.
  5. Maintain a  separation of duties for support personnel
  6. Implement ESS network infrastructure best practices - encryption at the transport layer (e.g., HTTPS), security lockdowns on routers, switches, use of VLANS, network segmentation, etc.
  7. Logging and notification of  security events
  8. Define and implement data retention and disposal policies (in conformance with regulatory requirements).
Content for Community-Ad