Browser-based filesharing, as a category, is something we’ve been tracking for a couple of years, and have noted its rapid rise in popularity (see Matt’s post on the popularity and the different use cases of browser-based filesharing here).

The new browser-based filesharing App-IDs, FileServe, FuFox, and Filesonic, suggest that we’re still seeing the proliferation of applications for Matt’s third use case – those applications that appear to be primarily targeted at the sharing of media files.  Searchable, shareable, easy access.  Supporting the trend towards monetizing uploads, FileServe and Filesonic will pay you for popular downloaded files.

Homepipe, on the other hand, is another in a growing set of applications designed to serve personal content from a home computer to a full range of devices – other computers, mobile phones, etc.  Homepipe joins other examples of this sort of application (e.g., GoToMyPC), but with a specific focus on file access, rather than a general purpose remote access facility, or a specific file synchronization purpose (e.g., Windows Live).  The risks, obviously, are bi-directional depending on where the agent is installed, but the demand for such applications, and the expectations that go along with it, are the interesting bit (see Mike Rothman’s recent post on loss of control)

The bottom line is that users have both the expectation, and the means of accessing content whenever and wherever they choose.  Which, in certain scenarios, is a good thing.  In other scenarios – those that security folks are used to thinking about – is a risky thing.  The trick is safely enabling the former, and eliminating the latter.

But did you know that:

1) According to Gartner (March 2009), SharePoint is the 3rd most popular collaborative tool (20%) behind Oracle (30%) and IBM (32%).
2) SharePoint is growing at 48% year over year while the others creep along at 10%.
3) According to Neil McDonald of Gartner, it is estimated that 30% of the SharePoint deployments are rogue!
4) SharePoint uses IIS and MS-SQL as part of a 3 tiered architecture – which of course introduces business and security risks (IIS and SQL are targeted by attackers).
5) Palo Alto Networks identifies and controls six SharePoint application elements (SharePoint, SharePoint-admin, SharePoint-blog-posting, SharePoint-calendar, SharePoint-documents, SharePoint-wiki) as well as MS SQL to enable fine-grained policy control over SharePoint use.
6) SharePoint showed up in 86% of the enterprises analyzed in the two most recent Application Usage and Risk Reports (n=123).
7) In those same two Application Usage and Risk Reports, we found thousands of instances of 38 Critical, High and Medium severity threats that target MS SQL, IIS and SharePoint.

To learn more about our findings around SharePoint and how Palo Alto Networks can help enterprises protect those deployments using a combination of segmentation, App-ID, User-ID and Content-ID, check out the new whitepaper – Protecting SharePoint Deployments with Palo Alto Networks.

Thanks for reading.

Any organizations that are not yet diving into social networks headfirst will be doing so shortly.  There are lots of legitimate business reasons to embrace social networking applications – seems like lists of why you should engage are cropping up weekly – here most recently, but marketers also salivate over the sheer size of the audience – here.  Mostly, organizations are interested in new, fast, cost-effective marketing channels, customer intimacy, and reaching a new generation of consumers (although social networking adoption is rapid among the over 55 set – with 19% of over 55 Internet users participating).  Some organizations embrace these apps for purely employee culture reasons.  It is worth noting that many organizations don’t quite know what they’re going to get out of the experience – so there is a tremendous amount of experimentation.

In most organizations, information security professionals cannot (and should not) stand in front of the social networking steamroller, but instead help their organizations manage the risks associated with social networking applications?  But what are they?  And how does one manage it?

Step 1:  Understand the Risks.  Worms like Koobface have been discussed extensively.  Obscured or shortened links leading to phishing scams or malware are the current darling of the press.  Legitimate accounts are being hacked to spread trojans to followers.  Some organizations have concerns about employee productivity drain, compliance issues, or the potential for data loss.  The most interesting (and dangerous) piece though is summed up nicely in this SecurityFocus piece, and is historically consistent with the dynamics associated with other types of communication technologies upon initial adoption (e.g., email, IM) – that the hundreds of millions of users of social networking applications are far too trusting of interactions that they have within the medium.

Step 2:  Manage Risks.  So given that information security professionals can’t/shouldn’t stand in the way of this steamroller (that scene in Austin Powers comes to mind), and that enterprises will be experimenting heavily, what can be done?  First, understand what’s going on.  Most organizations guess, try to glean bits of information from various security components, but don’t REALLY know what applications are running on their networks.  Second, work with the business to create policies that enable the business to experiment, innovate, and realize the benefits of social networking applications – but limit the exposure to the aforementioned risks.  In other words, don’t ban the apps unilaterally, but limit use by user, group, application function, time, or content (threat, confidential data, etc.) – to ensure benefit without taking on undue risk.  By the way, because we’re still in the experimentation phase, these policies are going to be pretty dynamic for a while.  Third – get control over which applications are running on your network (enforce those policies).

Social networking applications are here to stay, and will be part of various business initiatives (we just don’t fully understand how yet).  Don’t get hit by the steamroller.

Which applications do you think are currently running in your organization’s IT environment? Attendees were able to select all that applied and the results of a total of 181 votes showed the following:
P2P 43.6% (79)
Google apps 73.5% (133)
Anonymizers/proxies 33.7% (61)
Unauthorized IM 56.4% (102)
Encrypted tunneling apps (e.g. TOR)Â 43.6% (79)

In this case, the poll is a valuable tool to keep audience members engaged but often times they do not show all the data or tell the entire story.

Here’s why I say this. Our recently published Application Usage and Risk Report analyzed application traffic on more than 60 customer networks and the findings show very different numbers.
P2P 92%
Google apps 81%
Anonymizers/proxies 81%
Unauthorized IM 97% (to be fair, we did not ask if the use of IM is approved or not).
Encrypted tunneling apps (e.g. TOR) 11%

Real data always tells a more complete story. And what this report tells us is that enterprises collectively spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products – yet the data shows that these products are unable to control the application traffic traversing the network. Here’s some of the key findings to support that conclusion.

* Applications are designed for accessibility. More than half of the nearly 500 unique applications found are “firewall friendly” in that they can hop from port to port, use port 80 or port 443 as a means of simplifying end-user access.
* Users are actively circumventing security controls. Employees are going to the extreme measure of using external proxies (typically not endorsed by corporate IT), remote desktop access and encrypted tunnel applications to do what they want on the network.
* File sharing usage is rampant. Despite the known risks, employee use of P2P is rampant and browser-based file sharing has effectively doubled in use over the last 12 months.

What else did we find? We found more than 111 collaborative applications – social networking, email, webmail, IM, blogging – you name it we found it. Many of these applications are beneficial. David Smith, from Gartner comments in this SC Magazine article that “some applications enable users to more easily do their job”. Absolutely true. No question about it. But when employees use them without IT oversight and the associated security, then the company is exposed to unnecessary business and security risks. Bill Brenner from CSO Magazine summarizes some of the risks in his article about the 4 Reasons Botnets are Hard to Fight.

You get the picture. I encourage you to read the executive summary, download the report or listen to a 10 minute overview here.

Check it out. Post a comment. The data does not lie.