Web 2.0: issues & risks.

Author: Cunningham, Patrick

Organizations are moving to the cloud, some faster than others. However, moving to the cloud presents the enterprise with a number of risks to assess. Depending upon an organization's risk appetite, these risks may be significant. At the core of these risks is the inability of many cloud/Web 2.0 vendors to meet regulatory and legal requirements that are commonly encountered by many enterprise customers.

Security

At the top of the list of risks for many organizations is security of information. This may be driven by a need to protect intellectual property, trade secrets, personally identifiable information, or other sensitive information. Putting that information into the hands of a third party is certainly not uncommon. Having the third party place that information into a shared storage environment is somewhat less common. Having that information available on the Internet requires a significant investment in security controls and monitoring. Of concern is that many of the Web 2.0 applications contain no provision for monitoring content or traffic to ensure that sensitive information is not being transmitted inappropriately.

Use of Web 2.0 tools also requires assurance that the pathway to the data is adequately secured. With information theoretically accessible from any point on the Internet, the provider must be assured that the computer/user accessing the data or application is properly authorized. This requires a very high degree of coordination between the enterprise and what may be multiple service providers. The information being stored by the third party needs to be secured from the third party's access as well. This need will likely be met by increased use of file and message encryption and public key infrastructure. Increased encryption, however, will likely mean loss of information when decryption keys are lost or a file becomes corrupted. Nonetheless, ensuring security of information outside the enterprise will be a growth opportunity both for the enterprise and the supplier community.

Resiliency

Today's buzzword for what we knew as "disaster recovery," resiliency refers not only to uptime and availability but also to keeping critical information from being corrupted or lost.

A challenge for many providers is ensuring that customer information is protected. With shared data centers and storage devices, information from multiple customers may end up on the same backup media, creating issues when the media is restored and potentially exposing confidential customer information to third parties.

The enterprise will need to pay special attention to the means by which the provider will ensure uptime and access to information, as well as where and how the information will be stored and backed up. Some Web 2.0 suppliers will be unable to customize their offerings to meet these requirements and will be unwilling to make fundamental changes to their business model to meet enterprise resiliency requirements. Free services will typically offer no enterprise-level resiliency. A significant...
