A decade ago, application service providers (ASP), at least according to the hype, were going to pull the rug out from under packaged, locally installed software. Everything from office productivity suites to image editors to system tune-up utilities was appearing every day. After a while, though, people discovered that having to visit a Web site in order to edit a word processing document probably wasn’t such a fantastic idea. And the relative lack of broadband at the time hurt even the most promising ASPs.

But things have changed. Broadband is widely available, allowing for richer application delivery over the Internet. And consumer faith in the reliability and convenience of online-delivered tools has made a number of them at least modestly successful.

For CIOs, however, this success is a two-edged sword. Implemented properly, ASP-provided tools can give users the applications they need at reduced support and development cost for the IT department. But ASPs also have a dark side: users, even individual end users, can often use them without IT being aware, opening yet another potential hole through your carefully crafted security systems. Some of these services are also hard if not impossible to detect.

The best defense is probably awareness–your awareness–followed by a clearly stated company policy on the use of such services. Let users know you keep track of such services, that you’re always willing to listen to requests for usage privileges, but that you can’t condone unauthorized usage because of security concerns.

To give you an idea of the scope of available ASP products, we’ve rounded up eight-plus that could be an end-user’s dream–and a CIO’s nightmare. It all depends on your point of view.

1. BeInSync

The Dream: Quickly and easily synchronize local and network folders with any other Windows 2000 or XP machine on the planet. The basic service is free, so there’s zero financial barrier to entry. A few bucks a month gets users a Pro subscription that removes file limits and adds Web access to accounts. BeInSync is advertising a free iPod to its millionth customer, too, so you know a few people are taking advantage of what the company has to offer.

The Nightmare: It can perform the synchronization through standard ports, so to your firewall, all that corporate data streaming to some unsecured PC in who-knows-where just looks like Internet traffic. And the optional Web access feature means that users can retrieve corporate data through any Web browser using just a username and password–which could easily be snagged by keylogging software or similar malware. You can also share synchronized folders with anyone, anywhere, anytime.

The Security Story: BeInSync highlights the fact that it uses heavy-duty encryption and creates a true peer-to-peer connection between synchronized machines–user data never resides on any third-party servers. But the company also seems to realize that some employers might not like users taking advantage of such tools and could block outgoing traffic on nonstandard ports. No problem, though. A page in the FAQ tells you how to get around that little problem.

“NOTE: If one of your computers is behind a corporate firewall which blocks outgoing traffic on non-standard ports such as 5584 and 5585, configure your other computer to listen to communication on one of the ports that are permitted: 21 (FTP), 23 (Telnet), 80 (HTTP) or 443 (HTTPS).”

2. GoToMyPC

The Dream: GoToMyPC is the granddaddy of remote access-over-the-Web tools. Users create an account and pay $19.95 a month to be able to access their machines from any Web browser anywhere.
A small downloadable app turns user PCs into remote-access servers that display a complete desktop in a remote Web browser. Users log in using just a username and password.

The Nightmare: Like we said, that’s a complete desktop, including those shared network drive icons containing all those juicy bits of proprietary data. Like BeInSync, GoToMyPC touts its encryption and other security features. But also like BeInSync, traffic over GoToMyPC can be impossible to discern from regular Web traffic.

The Security Story: GoToMyPC is owned by Citrix and is obviously aware that some companies probably wish such services simply didn’t exist. In fact, it dedicates a page of its site to helping users convince their IT departments to support GoToMyPC officially. But if users decide to not bother telling IT, it’s unlikely that those network admins will ever know the difference.

3. Xdrive

The Dream: Xdrive (owned by America Online) is far from the only provider in the Web-based backup space. Even Yahoo offers a similar option through the Yahoo Briefcase. And online backup is nothing new–it was one of the earliest entry points for ASPs. Pre-broadband connection speeds kept most people from taking advantage of the services early on. But DSL and cable modems now make backing up even relatively large files perfectly feasible. And such services provide a convenient way for on-the-road users to access the data they need from wherever they are.

The Nightmare: It’s the same old refrain. Users can sign up for such services and dump gigabytes of your data “somewhere else” in minutes–and you don’t even know they’re doing it. What makes these backup services a little more scary than the likes of BeInSync and GoToMyPC, however, is that your data very likely could be living on someone else’s servers–and you have no idea what kind of security protections they have in place.

The Security Story: These guys all know they’re going to have serious trouble if they let someone steal customer data.
Xdrive’s overview page says that they protect data so completely, it might as well be in Fort Knox. So if your users go with a reputable provider, odds are that the data is pretty safe. The question is, do you want it getting out there at all? And if not, what can you do about it? Answer: Not much.

4. Advicebox and Mailinator

The Dream: Tired of spam? Wish you had an email address you could hand out to people you don’t really know and aren’t sure you can trust? Wish you had an address you could send mail from, safe in the knowledge it couldn’t be tracked back to you? Enter Advicebox and Mailinator.

Advicebox is all about anonymous email. Mail you send from Advicebox has no unique identifiers attached to it–all mail appears to come from anonymous@advicebox.com.

Mailinator is different. It allows you to create an email account on the spot. You simply make up a user name, append mailinator.com (or one of a handful of alternate domains) to it, and when mail arrives, the Mailinator service automatically creates a new account. To view your mail, you simply log in using the email address you invented. All messages disappear after a few hours.

The Nightmare: Anonymity gives people a sense of power. How many raging email messages have gone out over the years filled with language the same person would never have used face-to-face? The ability to send and receive email without fear of having it linked to you could inspire some decidedly anti-employer activities–such as dispensing rumors designed to hurt stock prices or airing dirty laundry on public forums.

The Security Story: Should anyone use either of these services for anything illegal, however, both companies readily state that they will comply with all laws and work with authorities whenever necessary. In fact, Mailinator’s FAQ states things a bit more bluntly:

“So if the government issued a subpoena to Mailinator to divulge emails or logs, you’d rat me out?

Holy crap, yes.
I’m not going to jail for you, I have a boyish face and very, very supple skin.

Privacy is a serious issue, and we want to be clear. We think Mailinator provides pretty decent privacy, and we want to keep providing that and even improve it, but we can’t promise it. A promise would require lawyers, money, and probably guns – and we don’t have any of those.”

5. IPEliminator et al.

The Dream: Anonymous Web surfing! Invisible peer-to-peer client use! Completely cloaked email! What more do you want?

The Nightmare: Anonymous Web surfing! Invisible peer-to-peer client use! Completely cloaked email! What more do you want?

The Security Story: Services such as IPEliminator, FindNot, Proxify and others cater to a more-security-conscious-than-average crowd of customers. Essentially, what these services promise is anonymity on the Internet by masking a user’s IP address and optionally encrypting all traffic so even your ISP can’t see what you’re doing. They also don’t keep logs from which your original IP could be gleaned. IPEliminator even goes so far as to assure customers that they run servers in countries that are “privacy oriented”–which seems to imply that it would take more than a US court order to get any information about your usage. IPEliminator and FindNot also provide tips on how to pay anonymously–thereby eliminating any trail back to the user. And you guessed it: These services claim to run just fine behind corporate firewalls.

6. Blogger

The Dream: Thank Google once again. They didn’t create Blogger, but they own it and promote it now. And like other Google services, it’s free and super easy to use. Simply sign up and you’ve got your very own blog where only your imagination limits what you can say.

The Nightmare: Of course, sometimes what people choose to say is nasty things about their employers.
Widely reported tales of bloggers being fired for being a bit too candid about their workplace seemingly have would-be office tattle-tales a bit more on-guard these days (at least, we haven’t read about any recent sackings). But that doesn’t mean that there isn’t a blog out there somewhere with your company’s name on it.

The Security Story: Blogger is just a Web site. You can block it with a content filter if you want. But you still can’t keep people from using it at home. Like all of these services, the best defense is probably having a clear policy about use of such tools from work or about work–and making sure people know that the policy exists.

7. Flickr

The Dream: Quickly drag and drop photos from your PC to public and private viewing areas on the Flickr Web site. Share them with friends. Drop them into your blog. It’s all fast, easy, and costs nothing to get started.

The Nightmare: Just used your cell phone to take a snapshot of the latest product prototype in the engineering department? Pop it into an email on your phone and instantly upload it to Flickr for safekeeping–or public display. And desktop tools could let users drag an entire network folder’s worth of images onto Flickr in an instant.

The Security Story: Users can create password-protected “private” viewing areas, but you’re depending on your users’ willingness to keep things out of sight. And with the phone-to-email-to-Flickr connection, there’s not a thing IT can do to block the process–it operates outside of your control. Nice, huh?

8. Skype

The Dream: Unlimited local and long-distance calls between Skype users via voice over IP. For free. For a few cents more you can call outside phone numbers. Add a few dollars, and you can have a Skype phone number reachable from regular old phones. It sure appeals to someone, as Skype reports nearly 175 million downloads of its software.

The Nightmare: Do you really have the network bandwidth to support herds of employees making long-distance calls through their PCs? (Though at least it’s cheaper than when Bob in accounting used to use his office phone to call his uncle in Berlin every other Friday afternoon, right?) And it’s telecommunications without accountability–IT and your telecom department have no knowledge of who’s making what calls when.

The Security Story: Like most of the tools we’ve discussed, Skype traffic simply pours through most firewalls like they weren’t even there. But Skype is used by some enterprises as a cheap alternative to traditional telephony. As a result, Skype has a dedicated Security Center on its site where you can download a network administrator’s guide as well as view security alerts.
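
The BeInSync FAQ note quoted earlier names ports 5584 and 5585 and the fallbacks 21, 23, 80 and 443. As an added example (not from the article or from any vendor), this script reviews a constructed firewall log for those ports; the CSV layout, the 10.0.0.0/8 internal range, the approved-destination list and the 50 MB upload threshold are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumption: corporate range
SYNC_PORTS = {5584, 5585}          # non-standard ports named in the FAQ note
LEGACY_PORTS = {21, 23}            # FTP/Telnet fallbacks named in the FAQ note
WEB_PORTS = {80, 443}              # fallbacks that blend in with browsing
UPLOAD_REVIEW_BYTES = 50_000_000   # assumption: per src/dst total worth a look

# Constructed sample, hypothetical CSV layout: time,src,dst,dst_port,bytes_out
SAMPLE_LOG = """\
2006-03-01T09:00:12,10.0.4.17,198.51.100.23,5584,48211
2006-03-01T09:01:40,10.0.4.17,198.51.100.23,5585,1200
2006-03-01T09:02:05,10.0.7.30,203.0.113.9,23,90500
2006-03-01T09:03:00,10.0.7.31,192.0.2.50,21,3000
2006-03-01T09:05:10,10.0.9.2,203.0.113.77,443,30000000
2006-03-01T09:15:10,10.0.9.2,203.0.113.77,443,35000000
2006-03-01T09:16:00,10.0.9.3,192.0.2.80,443,52000
2006-03-01T09:17:00,198.51.100.23,10.0.4.17,5584,900
"""

def review_outbound(log_text, approved_legacy=frozenset()):
    """Return sorted (src, dst, reason) findings for outbound flows."""
    findings = set()
    web_upload = defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines
        _, src, dst, port, sent = row
        if ipaddress.ip_address(src) not in INTERNAL_NET:
            continue  # inbound flow, out of scope for this review
        port, sent = int(port), int(sent)
        if port in SYNC_PORTS:
            findings.add((src, dst, "sync-default-port"))
        elif port in LEGACY_PORTS and dst not in approved_legacy:
            findings.add((src, dst, "unapproved-ftp-telnet"))
        elif port in WEB_PORTS:
            web_upload[(src, dst)] += sent  # the port alone says nothing
    for (src, dst), total in web_upload.items():
        if total >= UPLOAD_REVIEW_BYTES:
            findings.add((src, dst, "large-web-upload"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_outbound(SAMPLE_LOG, approved_legacy={"192.0.2.50"}):
        print(*finding)
```

Port rules catch only the default and FTP/Telnet cases; for the 80/443 fallback the upload-volume total is a prompt for a conversation with the user, not proof of a sync client.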