<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Palo Alto Networks Research Center &#187; application usage &amp; risk report</title>
	<atom:link href="http://www.paloaltonetworks.com/researchcenter/category/application-usage-risk-report/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.paloaltonetworks.com/researchcenter</link>
	<description>The Palo Alto Networks Research Center Blog</description>
	<lastBuildDate>Fri, 30 Jul 2010 17:29:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Application Usage &amp; Risk Report: Fall 2009</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/11/application-usage-risk-report-fall-2009/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/11/application-usage-risk-report-fall-2009/#comments</comments>
		<pubDate>Fri, 06 Nov 2009 16:29:02 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/wp2/?p=798</guid>
		<description><![CDATA[A recent survey suggests that more than 50% of the companies are blocking social networking. I read that and asked myself do they really believe that? I ask because our analysis of application traffic on more than 200 companies around the world proves otherwise. We found 27 different social networking applications across 95% of the [...]]]></description>
			<content:encoded><![CDATA[<p>A recent survey suggests that more than 50% of the companies are blocking social networking. I read that and asked myself do they really believe that? I ask because our analysis of application traffic on more than 200 companies around the world proves otherwise. We found 27 different social networking applications across 95% of the participating organizations.  <span id="more-798"></span></p>
<p>Like the previous three versions of the Application Usage and Risk Report (<a href="../../researchcenter/reports/">http://www.paloaltonetworks.com/researchcenter/reports/</a>), the findings are based on actual analysis of application traffic, not survey questions.</p>
<p>Social networking, messaging of all types, cloud-based productivity, collaboration, blogging and wikis are just a few of the types of applications that fall within that nebulous group of applications defined as Enterprise 2.0. This edition of the report shows that, despite many enterprises’ attempts to block these applications, they are making the crossover from personal to business use faster than previous crossovers, such as instant messaging (IM). Some specific findings from the research include:</p>
<p><strong>Enterprise 2.0 adoption – embraced or resisted – is in full swing. </strong></p>
<ul>
<li>More than a third (38%) of the 651 unique applications found fall within the Enterprise 2.0 definition described above. Compared to the <em>Application Usage and Risk Report (Spring Edition, 2009),</em> many of the Enterprise 2.0 applications such as  SharePoint, Facebook, Twitter, and blog posting showed significant increases in usage from several different perspectives.</li>
</ul>
<p><strong>Enterprise 2.0 benefits are no longer elusive – companies are improving communications and ability to respond while reducing costs.</strong></p>
<ul>
<li>Research shows that companies using these applications are seeing measurable benefits including increased ability to share ideas, more rapid access to knowledge experts, and a reduction in travel, operations, and communications costs.</li>
</ul>
<p><strong>Traditional business and technology distinctions are meaningless. </strong></p>
<ul>
<li>Enterprise 2.0 applications highlight the dissolution of the traditional distinctions between business and personal use. More often than not, the same applications used for social interaction are being used for work-related purposes. Irrespective of personal or work related usage, the dominant underlying technology is the browser (72% of research sample).</li>
</ul>
<p><strong>Applications are not threats – yet they carry risks.</strong></p>
<ul>
<li>The adoption of Enterprise 2.0 applications is being driven by users, not by IT. The ease with which they can be accessed, combined with the fact that newer (younger) employees are accustomed to using them, points toward a continuation of this trend. The somewhat disconcerting fact is that many of the users do not take into account the business and security risks that these applications present. Looking at the 202 Enterprise 2.0 applications found, 70% can transfer files, 28% are known to propagate malware, and 64% have known vulnerabilities.</li>
</ul>
<p>Organizations are scrambling to determine policies, address security issues, and enable appropriate use. These applications are delivering business value – they are rapidly becoming part of “how business gets done” – but the risks are not being weighed by users.</p>
<p><a href="http://www.paloaltonetworks.com/literature/AUR_report1109.php" target="_blank">Download the report</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/11/application-usage-risk-report-fall-2009/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Case for Application Enablement</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/07/the-case-for-application-enablement/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/07/the-case-for-application-enablement/#comments</comments>
		<pubDate>Fri, 10 Jul 2009 20:36:14 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[application control]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=256</guid>
		<description><![CDATA[What do LinkedIn, Twitter, Blogging and Wikis have in common? According to this article, they are increasingly used within enterprises with a quarter of organizations actually rolling out these types of tools across all departments, up from 12% in the previous survey. The survey also points out the blended use of these applications for both [...]]]></description>
			<content:encoded><![CDATA[<p>What do <a href="http://ww2.paloaltonetworks.com/applipedia/apps/linkedin">LinkedIn</a>, <a href="http://ww2.paloaltonetworks.com/applipedia/apps/twitter">Twitter</a>, Blogging and Wikis have in common? According to this <a href="http://www.prosecurityzone.com/Customisation/News/Education_Training_and_Professional_Services/Books_magazines_journals_analysis_and_reports/Web_20_technology_in_the_enterprise_takes_off.asp">article</a>, they are increasingly used within enterprises with a quarter of organizations actually rolling out these types of tools across all departments, up from 12% in the previous survey. The survey also points out the blended use of these applications for both business and professional purposes.<BR><BR></p>
<ul>
<li> LinkedIn is twice as popular as FaceBook for business networking, and 68% think that professional networking on the web is vital to career progression.</li>
<li> 27% of people aged 18-30 consider Twitter an important rapid-feedback tool for business. Only 7% of those over 45 agree. </li>
</ul>
<p><span id="more-256"></span></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p><strong>July 14 update &#8211; </strong> Two more proof points on why companies need to positively enable applications. Both articles talk about how new employees are pressing employers for more lenient web surfing policies. The balance of course is allowing not only web use, but the use of non-web based applications, in a secure manner.</p>
<p><a href="http://www.google.com/hostednews/ap/article/ALeqM5jqxzAma9_6gLCKPQtfvB6kFQhKZgD99D1Q8O0">From the AP article: </a></p>
<p><em>&#8220;It&#8217;s no different than spending too much time around the water cooler or making too many personal phone calls. Do you take those away? No,&#8221; says Gary Rudman, president of GTR Consulting, a market research firm that tracks the habits of young people. &#8220;These two worlds will continue to collide until there&#8217;s a mutual understanding that performance, not Internet usage, is what really matters.&#8221;</p>
<p>This is, after all, a generation of young people known for what University of Toronto sociologist Barry Wellman calls &#8220;media multiplexity.&#8221; College students he has studied tell him how they sleep with their  smart phones and, in some cases, consider their gadgets to be like a part of their bodies. They&#8217;re also less likely to fit the traditional 9-to-5 work mode and are willing to put in time after hours in exchange for flexibility, including online time.</p>
<p>So, Wellman and others argue, why not embrace that working style when possible, rather than fight it?<br />
</em></p>
<p><a href="http://techdirt.com/articles/20090712/2332215520.shtml">From the Techdirt article: </a></p>
<p><em>It&#8217;s not hard to figure out why, really. First, allowing for a good balance between the two allows workers to take short mental breaks which allows them to be more fully focused on work when needed. On top of that, they don&#8217;t have to worry about personal things while at work, but can take care of issues quickly and easily. Finally, and most importantly, many start using social networking and other online tools to help them work. After all, despite what naysayers say, these tools can be very useful in many different jobs.</em></p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>More interesting is the fact that while most companies have security and approval policies for the use of corporate tools such as email and press releases, very few have the same for the use of these applications.<br />
<em>“…we found that whereas nearly all businesses have policies on the use and content of emails, only 30% set similar policies for blogs, wikis and forums.” [<a href="http://www.aiim.org/Research/Collaboration-Enterprise20-Research.aspx">see full report here– registration required</a>]. </em></p>
<p>This policy discrepancy strengthens the case for what we call positive application enablement. A process by which the security team, in conjunction with the business units perform the following:<br />
•	<a href="http://www.paloaltonetworks.com/technology/appid.html">Identify the application</a> and what it is being used for.<br />
•	<a href="http://www.paloaltonetworks.com/technology/userid.html">Determine who</a> is using it.<br />
•	<a href="http://www.paloaltonetworks.com/products/policy.html">Decide whether or not to</a> allow it – if so, under what conditions and parameters.<br />
•	<a href="http://www.paloaltonetworks.com/technology/contentid.html">Scan</a> the allowed content.<br />
•	<a href="http://www.paloaltonetworks.com/products/reporting.html">Log and report</a> on the activity.</p>
<p><a href="http://blog.paloaltonetworks.com/?p=224">As we have said before</a>, the days of blocking applications that might not be “approved” are gone. These applications are here to stay. The applications themselves are not risks, but make no mistake, they can introduce risks and as such, need to be secured right along side <a href="http://ww2.paloaltonetworks.com/applipedia/apps/oracle">Oracle</a>, <a href="http://ww2.paloaltonetworks.com/applipedia/apps/sap">SAP</a>, <a href="http://ww2.paloaltonetworks.com/applipedia/apps/sharepoint">SharePoint </a>and other business applications.</p>
<p>Thanks for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/07/the-case-for-application-enablement/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Applications are like dogs</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/06/applications-are-like-dogs/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/06/applications-are-like-dogs/#comments</comments>
		<pubDate>Wed, 17 Jun 2009 00:15:08 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[application control]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=234</guid>
		<description><![CDATA[A recent survey assembled by RSA and IDG on the “hyper-extended enterprise” highlighted the challenges enterprises face as they move at light speed into the new applications landscape and two points stuck out. The first point was that enterprises need to rework their acceptable use policies and the second is that users need to be [...]]]></description>
			<content:encoded><![CDATA[<p>A recent survey <a href="http://www.rsa.com/innovation/docs/IDGResearchWhitePaper_Final_060409.pdf">assembled by RSA and IDG on the “hyper-extended enterprise” highlighted the challenges enterprises face as they move at light speed into the new applications landscape and two points stuck out. The first point was that enterprises need to rework their acceptable use policies and the second is that users need to be educated on that policy</a>. This got me to thinking (dangerous, I know) that applications are like dogs. Here is how I came to this analogy. <span id="more-234"></span></p>
<p>I like dogs. Preferably big, active, smart dogs. So it stands to reason that I would like the American Staffordshire Terrier, a recognized member of the Terrier Group according to the <a href="www.akc.org/">American Kennel Club (AKC)</a>. Never heard of this breed? Maybe you’ve heard of a Pit Bull – a breed that can strike fear into many people because of the highly visible nature of their attacks. Ask any dog trainer or avid dog lover and they will tell you that there are no bad dogs – merely bad dog owners. Bad dog owners who mistreat the dogs, train them to fight, follow improper breeding practices and so on. Sure, this is open to debate and this is not the forum for such a debate.</p>
<p>Let’s look at a couple of examples of how applications are like dogs.</p>
<p><strong>P2P:</strong> The underlying technology was developed back in the early days of networking as a means of moving large files by harnessing unused computing resources. The premise still works today in commercially available applications like BitTorrent, Gnutella and many others. Everyone knows that the rap against P2P applications is that they are used to illegally share files. Worse yet, many of the largest data breaches were the result of improperly configured P2P applications. Yet properly configured and used by, say, IT, P2P is a very powerful tool. See the relationship here? Employee records do not naturally migrate to a P2P network. MarineOne blueprints are not stored on a P2P network. Users are the ones who are sharing the files. Users are the ones who failed to properly configure the application.</p>
<p><strong>TOR (The Onion Router):</strong> It was developed by the US military to encrypt spy and covert operation communications and is now in the public domain. Not only is the message encrypted, it uses other TOR nodes to send the data, finally being assembled by the intended recipient. The advantage here is that no one node has all the data so intercepting it is of little use. In an oppressive regime, TOR is an invaluable tool and it is recommended by several human rights organizations as a tool to communicate with the outside world. In the hands of an employee or student, TOR is a black hole that acts as an avenue for threats (inbound) and data leakage (outbound). Again, the application is not acting on its own. It is acting on the commands of the user.</p>
<p>Ok, P2P and TOR may be extreme cases (and easy pickings). Let’s see how social networking applications like <strong>FaceBook and MySpace </strong>hold up to the analogy. Both applications are designed to keep friends, colleagues and family updated on what’s happening. An admirable goal to be sure. Yet social networking has been invaded by malware writers who prey on users who do not think before they click. Case in point, a friend received a FaceBook update from someone they thought was a friend – the update had a URL in it. So you guessed it, they clicked it. Bad user! The PC is infected with malware.</p>
<p>I challenge you to take any application and put it to this test. My guess is that more often than not, you will come to the same conclusion. There are several points to my ramblings.</p>
<p><strong>Applications are not threats. </strong>The threats are from what the users do with them and the content that is transferred. If enterprises treat applications as threats, several things may occur:<br />
1) The CEO may be the one using the application which may result in a quick termination.<br />
2) The application in use may be benefiting the bottom line, so why stop it.<br />
3) Today’s employees expect to be able to use many of these types of applications, so blocking them may reduce the ability to attract new employees. (No bad dogs, remember).</p>
<p><strong>IT must become business enablers.</strong> The application landscape is moving more rapidly than ever before and it is an understandable challenge for IT to keep up. But somehow they need to determine what applications are on their network and then analyze the risk and weigh it with the business benefit. If the trade-offs are positive, then the use should be documented as part of the appropriate application usage policy. (IT needs to train the users dog owners).</p>
<p><strong>Educate users on the appropriate application usage policy.</strong> When we ask companies (IT guys) what their appropriate application usage policy is, they tend to laugh, or ask “what policy” or worse yet, say we do not have one. Many of our customers are using our solution to achieve the two previous points and in so doing, make their application usage policy a living, breathing document that is reviewed on a regular basis, as users try new applications. Just like dogs will continually learn what the master allows and press for more, so too will users.</p>
<p>Thanks for putting up with me.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/06/applications-are-like-dogs/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Please Ignore That Sucking Sound…</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/05/please-ignore-that-sucking-sound%e2%80%a6/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/05/please-ignore-that-sucking-sound%e2%80%a6/#comments</comments>
		<pubDate>Fri, 22 May 2009 18:48:09 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[streaming media]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=211</guid>
		<description><![CDATA[It is merely the bandwidth being consumed by video (and photo) application usage. A somewhat random factoid posted on TechCrunch.com stated that every minute, 20 hours of video is uploaded to YouTube. Think about that. There are 1,440 minutes in a day, which equates to 2,880 hours of video. It is a remarkable statistic, given [...]]]></description>
			<content:encoded><![CDATA[<p>It is merely the bandwidth being consumed by video (and photo) application usage. A somewhat random factoid posted on <a href="http://www.techcrunch.com/2009/05/20/every-minute-just-about-a-days-worth-of-video-is-uploaded-to-youtube/">TechCrunch.com stated that every minute, 20 hours of video is uploaded to YouTube</a>. Think about that. There are 1,440 minutes in a day, which equates to 2,880 hours of video. It is a remarkable statistic, given that YouTube videos are not full featured films or TV shows.</p>
<p><a href="http://blog.nielsen.com/nielsenwire/nielsen-news/americans-watching-more-tv-than-ever/">The YouTube statistic combined with a recent Nielsen report confirms that users</a>, at home or at work, are using the Internet to entertain themselves. The Nielsen report shows that the hours of Internet video watched, at home and at work, is up 53.2% to just about 3 hours per month. <span id="more-211"></span></p>
<p>The one thing that neither of these statistics looked at specifically was the use of video/photo applications within the enterprise. During our own analysis summarized in the <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">Application Usage and Risk Report</a>,  guess which application consumed the highest amount of bandwidth? You guessed it. YouTube gobbled up nearly gig of bandwidth.</p>
<p><img src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2009/05/vidoe_bw_consumed_web5.jpg" alt="vidoe_bw_consumed_web5" width="512" height="407" class="aligncenter size-full wp-image-214" /></p>
<p>Delving more deeply into the video application findings within the report shows the following:<br />
<em>* A sizable 4.4 terabytes of bandwidth was consumed by video applications alone, nearly double the amount observed in the previous report (2.3 terabytes).<br />
*  There were 44 different photo/video applications found – up from 30 detected in the previous report.<br />
*  The underlying technology used is primarily browser-based (24) with p2p and client/server powering 10 applications each.</em></p>
<p>To a certain extent, these enterprise specific statistics support the findings mentioned earlier in this post – video use and the corresponding bandwidth consumption is up.</p>
<p>Before the naysayers jump on me and say employees should be allowed to do what they want, let’s be perfectly clear here – no one is saying we should block these applications. The decision on what to do with these applications is left entirely to the corporations. In nearly every case, our customers felt their bandwidth was being consumed by non-business applications but were unsure which ones. Now they know which are the heaviest consumers – both in terms of applications and users. Some customers are hardnosed about it, blocking the use, others are merely collecting data while others are re-writing their policies, allowing the use but scanning for threats. In one case, the applications were blocked and user backlash was such that management bought a bigger pipe, allowing use but adding control elements around it.</p>
<p>The bottom line is that now the customers know that a big chunk of that sucking sound is video oriented.</p>
<p>Thx for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/05/please-ignore-that-sucking-sound%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hulu Networks’ Battle Against External Proxies</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/#comments</comments>
		<pubDate>Tue, 12 May 2009 14:45:47 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=171</guid>
		<description><![CDATA[This TechCrunch article outlines how Hulu Networks, the rapidly growing purveyor of streaming HD content, is taking some fairly extreme steps to make sure that their content is only accessed by users in the US. Apparently anyone with an anonymous IP address is blocked. An interesting step that will, in all likelihood, fail.
Why? It’s all [...]]]></description>
			<content:encoded><![CDATA[<p>This <a href="http://www.techcrunch.com/2009/05/06/control-freaks-hulu-now-blocks-anonymous-proxies-too/">TechCrunch article outlines how Hulu Networks</a>, the rapidly growing purveyor of streaming HD content, is taking some fairly extreme steps to make sure that their content is only accessed by users in the US. Apparently anyone with an anonymous IP address is blocked. An interesting step that will, in all likelihood, fail.</p>
<p>Why? It’s all about numbers. There are millions of users worldwide who want access to their content. And as we discuss in this <a href="http://threatpost.com/blogs/how-employees-evade-it-security-controls">ThreatPost article</a>, users will proactively circumvent controls. A 45 second search on the web provides a wealth of information on how to circumvent security controls and blocking mechanisms. Some examples:<br />
*  There are at least 7700 public proxies that users can access merely by visiting proxy.org.<br />
*  Users can build their own private proxy.<br />
*  Visit circumventor.net to find a list of circumvention tools.<br />
*  There are new encrypted tunneling applications like <a href="http://ww2.paloaltonetworks.com/applipedia/apps/gbridge">Gbridge</a> popping up on a regular basis.<br />
I could go on. And while I am sure that Hulu has a very smart and dedicated team of IT professionals, can they win against millions? My view is that they will not because of the sheer numbers. But I do wish them luck. But let’s look on the bright side, they have a good product and people want it.</p>
<p>Thanks for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Found On Lifehacker &#8211; an easy way past workplace security controls</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 21:27:37 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=167</guid>
		<description><![CDATA[Anybody can set up external proxies.]]></description>
			<content:encoded><![CDATA[<p>Here&#8217;s an article I found on Lifehacker, a useful, mainstream website.  The article points to a step-by-step tutorial on how to circumvent IT&#8217;s security controls using FreeProxy.  Have a <a href="http://lifehacker.com/5226972/freeproxy-helps-you-circumvent-restrictive-firewalls">look</a>.</p>
<p>Matt talks a little about circumventing applications in <a href="http://blog.paloaltonetworks.com/?p=153">this post</a>, and they are covered extensively in our <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">Application Usage and Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Remote Desktop Control – Valuable Tool or Gaping Hole?</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/04/remote-desktop-control-and-management-%e2%80%93-valuable-tool-or-gaping-hole/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/04/remote-desktop-control-and-management-%e2%80%93-valuable-tool-or-gaping-hole/#comments</comments>
		<pubDate>Thu, 23 Apr 2009 17:59:03 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[application control]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=162</guid>
		<description><![CDATA[Today’s post will cover several interesting tidbits of data about remote control products. The first tidbit comes from the recently released Verizon Data Breach Report which paints a detailed picture of how cybercrime is making money. The report looked at 90 data breaches that resulted in a loss of 285 million records. The item that [...]]]></description>
			<content:encoded><![CDATA[<p>Today’s post will cover several interesting tidbits of data about remote control products. The first tidbit comes from the recently released <a href="http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf">Verizon Data Breach Report</a> which paints a detailed picture of how cybercrime is making money. The report looked at 90 data breaches that resulted in a loss of 285 million records. The item that struck me as interesting is the section discussing attack vectors.</p>
<p><em>“In approximately four of 10 hacking-related breaches, an attacker gained unauthorized access to the victim via one of the many types of remote access and management software. Rather than for internal usage, most of these connections were provisioned to third parties in order to remotely administer systems. As discussed extensively in this and previous reports, the ultimate attacker is not typically the third party (although that certainly happens). More often, an external entity compromises the partner and then uses trusted connections to access the victim. From the victim’s perspective the attacker appears to be an authorized third party, making this scenario particularly problematic. This is especially so when trusted access is coupled with default credentials.”</em> <span id="more-162"></span></p>
<p>Why is it interesting to me? Because our own <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">Application Usage and Risk Report (April 2009)</a> indicates that these types of applications are being used not only by IT – but also by sophisticated employees who want to access their home machine – or someone else’s &#8211; while they are at work. Overall we found that 95% of the companies who participated in the analysis had remote control applications present. Not surprising really. What is surprising is [1] the breadth of application variants (24 different remote access control applications) and [2] the high rate of SSH usage (89% out of 63).</p>
<p>No doubt there are IT personnel in this group, but we know from looking at the user names and talking with customers that SSH usage is expanding to non-IT users. These intrepid users are accessing their home machines to do whatever they want. Little do they know that they are exposing themselves and the company they work for to numerous business and security risks. A visit to Wikipedia provides background on SSH, plus free daemons and clients for anyone to use. And today’s end users ARE smart enough (or bold enough?) to use these tools.</p>
<p>But as the Verizon Data Breach Report points out, remote access applications carry risk – which is confirmed by the <a href="http://isc.sans.org/diary.html?storyid=6214">Internet Storm Center article about SSH</a>. This article reminds IT folks to tighten their controls around SSH – particularly the passwords – which are easy to crack if less than 8 characters. So the 89% of the companies we found using SSH had better make sure that their SSH is locked down.</p>
<p>So back to the question in the title: are remote desktop access/control applications valuable? Without question – yes &#8212; assuming proper controls and security are implemented and are being followed. But given the two data points above, it looks like we need to do some work.</p>
<p>Thx for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/04/remote-desktop-control-and-management-%e2%80%93-valuable-tool-or-gaping-hole/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Real Data Does Not Lie &#8211; Existing Security Controls Are Failing</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/04/real-data-does-not-lie-existing-security-controls-are-failing/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/04/real-data-does-not-lie-existing-security-controls-are-failing/#comments</comments>
		<pubDate>Fri, 17 Apr 2009 16:33:01 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Application Advisory/Analysis]]></category>
		<category><![CDATA[Threat Advisory/Analysis]]></category>
		<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=153</guid>
		<description><![CDATA[On April 15th, we participated in a very successful webinar with Dark Reading entitled “Why Bad Security Breaches Keep Happening To Good Organizations”. During the back and forth between the two speakers, we took a poll of the attendees, asking them the following question:
Which applications do you think are currently running in your organization’s IT [...]]]></description>
			<content:encoded><![CDATA[<p>On April 15th, we participated in a very successful webinar with Dark Reading entitled <a href="http://w.on24.com/r.htm?e=137541&amp;s=1&amp;k=0A946C145A3AE17BD5D3C1D66FBD6DFA">“Why Bad Security Breaches Keep Happening To Good Organizations”</a>. During the back and forth between the two speakers, we took a poll of the attendees, asking them the following question:</p>
<p><strong>Which applications do you think are currently running in your organization’s IT environment? Attendees were able to select all that applied and the results of a total of 181 votes showed the following:</strong> <span id="more-153"></span><br />
<em>  P2P  43.6% (79)<br />
  Google apps  73.5% (133)<br />
  Anonymizers/proxies  33.7% (61)<br />
  Unauthorized IM  56.4% (102)<br />
  Encrypted tunneling apps (e.g. TOR)  43.6% (79)</em></p>
<p>In this case, the poll is a valuable tool to keep audience members engaged, but polls often do not show all the data or tell the entire story.</p>
<p>Here’s why I say this. Our recently published <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">Application Usage and Risk Report</a> analyzed application traffic on more than 60 customer networks and the findings show very different numbers.<br />
<em>  P2P 92%<br />
  Google apps  81%<br />
  Anonymizers/proxies  81%<br />
  Unauthorized IM  97% (to be fair, we did not ask if the use of IM is approved or not).<br />
  Encrypted tunneling apps (e.g. TOR) 11%</em></p>
<p>Real data always tells a more complete story. And what this report tells us is that enterprises collectively spend more than $6 billion annually on firewall, IPS, proxy and URL filtering products – yet the data shows that these products are unable to control the application traffic traversing the network. Here are some of the key findings to support that conclusion.</p>
<p><em><strong>* Applications are designed for accessibility.</strong> More than half of the nearly 500 unique applications found are “firewall friendly” in that they can hop from port to port, use port 80 or port 443 as a means of simplifying end-user access.<br />
  <strong>* Users are actively circumventing security controls.</strong> Employees are going to the extreme measure of using external proxies (typically not endorsed by corporate IT), remote desktop access and encrypted tunnel applications to do what they want on the network.<br />
  <strong>* File sharing usage is rampant.</strong> Despite the known risks, employee use of P2P is rampant and browser-based file sharing has effectively doubled in use over the last 12 months. </em></p>
<p>What else did we find? We found more than 111 collaborative applications – social networking, email, webmail, IM, blogging – you name it, we found it. Many of these applications are beneficial. <a href="http://blogs.gartner.com/david_m_smith/">David Smith, from Gartner</a> comments in this <a href="http://www.scmagazineus.com/The-benefits-and-dangers-of-consumer-applications-in-business/article/130761/">SC Magazine article</a> that “some applications enable users to more easily do their job”. Absolutely true. No question about it. But when employees use them without IT oversight and the associated security, then the company is exposed to unnecessary business and security risks. Bill Brenner from CSO Magazine summarizes some of the risks in his article about the <a href="http://www.csoonline.com/article/489402/Botnets_Reasons_It_s_Getting_Harder_to_Find_and_Fight_Them">4 Reasons Botnets are Hard to Fight</a>.</p>
<p>You get the picture. I encourage you to read the executive summary, download the report or listen to a 10 minute overview <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">here</a>.</p>
<p>Check it out. Post a comment. The data does not lie.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/04/real-data-does-not-lie-existing-security-controls-are-failing/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Security Loopholes in Google Docs – Is This Really a Surprise?</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/04/security-loopholes-in-google-docs-%e2%80%93-is-this-really-a-surprise/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/04/security-loopholes-in-google-docs-%e2%80%93-is-this-really-a-surprise/#comments</comments>
		<pubDate>Fri, 03 Apr 2009 15:52:06 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=108</guid>
		<description><![CDATA[This TechCrunch article highlights three security holes in Google Docs, each of which varies in terms of severity. The most severe, according to the researcher, is an issue where a user whose permission to share/view your document has been revoked may still be able to see the documents.
Several observations come to mind. First off, is [...]]]></description>
			<content:encoded><![CDATA[<p>This <a href="http://www.techcrunch.com/2009/03/26/more-security-loopholes-found-in-google-docs/">TechCrunch article highlights three security holes in Google Docs,</a> each of which varies in terms of severity. The most severe, according to the researcher, is an issue where a user whose permission to share/view your document has been revoked may still be able to see the documents.</p>
<p>Several observations come to mind. First off, is this really a surprise? Come on. No one should be overly surprised here. Think back to the Gmail announcement where they offered free use and massive amounts of storage with the assumption that the user would be targeted with ads based on their email content. A mild uproar occurred but <a href="http://ww2.paloaltonetworks.com/applipedia/apps/gmail">Gmail</a> is still the most widely used webmail application, <a href="http://www.paloaltonetworks.com/literature/docloader.php?docURL=/literature/whitepapers/Application_Usage_Risk_Report_Sep08.pdf&amp;docName=PDF:+The+Application+Usage+and+Risk+Report">appearing in 58 out of 60 organizations (Fall 2008 Application Usage and Risk Report)</a>. <span id="more-108"></span></p>
<p>Now take a look at their terms of service, as pointed out on the <a href="http://googledocs.blogspot.com/2009/03/just-to-clarify.html">Google Docs blog where Jacob Browne said:</a><em><br />
Why are people surprised? This lack of security is clearly stated in the Google terms of service: Section 11.1 &#8221; . . . you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive licence to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content which you submit, post or display on or through, the Services.&#8221; The license is perpetual for all content, it doesn&#8217;t end just because you mark it as private or delete the content or the account. So legally, since we agreed to this license, Google can do this. Morally, that is another question. I think Google should modify their terms more like Yahoo&#8217;s, which does end upon deletion of content or account, and does distinguish between public and private content</em>.</p>
<p>Google’s business relies on what people post on the web – either through their tools or elsewhere. Blocking access to content, simplifying removal, and extending more granular permissions over content are counterproductive. Not only is personal privacy an issue here, but corporate privacy is also at risk. The Fall 2008 Application Usage and Risk Report showed that 48 out of 60 enterprises had Google Docs – and none of them endorsed it as an “approved application”. Connecting the dots shows that the risk of exposing intellectual property is high, given these three security risks.</p>
<p>Google Docs is not unique. <a href="http://ww2.paloaltonetworks.com/applipedia/apps/google-desktop">Google Desktop</a> presents users and companies with a similar security dilemma. If improperly configured, Google Desktop will index a user’s hard drive to the Google site. A year or so ago, a financial services firm described how they had cleared un-approved applications off every employee desktop and within 3 weeks, they were all installed again. One of the applications they were concerned about was Google Desktop indexing brokers’ desktops – a severe SEC violation.</p>
<p>The use of these applications only continues to grow. For good reason &#8211; they are convenient and they work. But they do present users with risks that they need to be aware of.</p>
<p>Want to learn more? <a href="http://blog.paloaltonetworks.com/?feed=rss2">Watch for our Spring 2009 Application Usage and Risk Report </a>where we will discuss issues and trends around application usage in the enterprise.</p>
<p>Thanks for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/04/security-loopholes-in-google-docs-%e2%80%93-is-this-really-a-surprise/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>
