by Susannah Patton

Consumer Appeal: Skype, MySpace and Other Consumer Apps Pose Risks, Opportunities

Oct 15, 2006

When Paul Tang first downloaded Google’s desktop search application, he was impressed by its speed and power. Instead of painstakingly looking for data and files on his hard drive, he could find them with the ease of a Web search. However, Tang, chief medical information officer at the Palo Alto Medical Foundation (PAMF), quickly realized that the slick application could also be dangerous.

Tang saw that this early version of Google Desktop (it was released in 2004) would index encrypted webpages from the hospital’s online patient health system, caching the data on his PC. “We take great pains to avoid leaving personal health information on PCs, and we noticed that the search tool was doing that by default,” says Tang. Tang didn’t ban the software, but the hospital advised users to change its settings so that encrypted webpages—including those within its medical records system—would be excluded from searches.

Tang isn’t as worried now. Google has since changed that default setting, so it no longer leaves cached information on a user’s computer, and Tang counts himself an enthusiastic user of the software, among other consumer applications. But as a guardian of patient privacy, Tang knows he has to keep his eyes open for potential vulnerabilities. “Consumer technologies are useful and powerful—and difficult to regulate,” he says. “You have to be careful and conscientious about how you use them.”

The Consumer Tidal Wave

Not long ago, corporations were on the leading edge of technology adoption, providing employees with better equipment and software than they could purchase on their own. Now, however, consumer applications are easy and fun to use, and often free; in many cases, they also work better than corporate software. And the tables have turned on CIOs, as employees download software from the Internet, bring their handheld devices to the office and merge their home computing life with work. Concerned about losing control of their networks, some IT departments have banned all unauthorized software and electronics from the workplace.

While it’s true that consumer technologies such as desktop search, Internet telephone services such as Skype and devices such as iPods can weaken network security, the trend is hard to stop. In many cases users are downloading software unbeknownst to the IT department. In a Gartner survey conducted last year, half of the respondents reported that more than 60 percent of their IT users were employing consumer-grade software, whether approved or not.

Furthermore, employees may be on to something: Emerging consumer applications, when adapted to the enterprise, can make workers more productive and cut IT costs. In fact, Gartner predicts that between 2007 and 2012, the majority of new information technologies that enterprises adopt will have their roots in the consumer market. (For more about the impact of consumer technologies on enterprise IT, see “Enterprise Software Gets a Face-Lift,” Page 66.)

Instead of building a wall to keep consumer technologies out, CIOs need to be pragmatic and provide a place for employees’ favorite applications. A willingness to let employees experiment requires management strategies and policies for using external applications that will prevent serious security and privacy breaches. It will also mean, in some cases, making sure networks and architecture are configured to handle the consumer gadgets and software.

“CIOs are in a balancing act,” says Michael Gotta, principal analyst at the Burton Group. “Suddenly there are all of these lightweight, easy-to-use applications that people want to work with, but IT still has to make sure they’re meeting security and compliance requirements.”

Among dozens of technologies gaining momentum in the consumer market, we look at five that are making their way into the enterprise. These technologies—social networking software, Skype, desktop search, handhelds and mashups—exemplify the most important trends in software that will have an impact on business.

Social Networking Software

What it is: Social networking software allows users to interact and share information. Consumer versions of these applications include MySpace.com and Facebook.com, to which the younger crowd flocks to post pictures and network among friends, and LinkedIn, where the professional set keeps up with colleagues and finds out about job openings.

Other popular consumer applications include Flickr, which allows users to “tag” personal photos (a process in which users choose keywords or descriptive terms to classify them), and Del.icio.us, a service for storing Web bookmarks. These sites, both owned by Yahoo, enable users to share their photos and favorite websites. Tagging is sometimes called social bookmarking because it allows multiple users to categorize online content.

A few software companies, including Contact Networks and Visible Path, offer corporate applications that mirror these consumer sites, promising to help business users organize and find information.

Business benefits: In two words, knowledge management. Corporations have struggled with KM for years, trying to get employees to share information. Now some companies are experimenting with social networking applications, hoping employees will adopt them if they see these systems are easy to use and deliver benefits quickly. Other companies are working on ways to help employees find data more easily by adopting tagging technology such as that used by Flickr.

At the Boston law firm Mintz Levin, attorneys search for contacts on the firm’s intranet using Contact Networks’ software. Fred Pretorius, Mintz Levin’s director of IS, says he decided to give the enterprise social networking software a try two years ago, after attorneys complained about floods of messages from colleagues that would begin, “Does anyone know…?” Now, the firm’s 475 lawyers can search for contacts within the firm from a link on the company intranet page.

Pretorius provided Contact Networks with the firm’s global address list, and the software company then installed the application on an existing server. The harder part, he says, was convincing attorneys to expose their client lists. “This was a huge cultural obstacle because contacts are what defines their work,” Pretorius says. At first, 20 percent of the attorneys opted out of the system. As they began to see how it could help them, however, that resistance began to fade. Now, 99 percent of Mintz Levin attorneys use the system.

In addition to sharing personal information and contacts, companies are also trying out ways to organize corporate information using employee-generated tags, or keywords. Tagging makes information easier to find than is often possible on a corporate intranet. “I know of no organization that has an intranet that works well for everybody finding what they need,” says Thomas Vander Wal, founder and senior consultant for InfoCloud Solutions. (Vander Wal created the term folksonomy, which refers to a tagging system created within an Internet community.)

Mitre, a nonprofit research and development company, is experimenting with tagging using a customized application that was built on an open-source tool called Scuttle. The pilot project, dubbed “onomi,” is similar to Del.icio.us in that it allows employees to share annotated bookmarks. Donna Cuomo, chief information architect with Mitre’s center for information and technology, says the idea arose after she noticed that employees were using Del.icio.us and Flickr to share company information. So far, 900 of Mitre’s 6,000 employees are using onomi to organize their own bookmarks and share them with colleagues. “A lot of people have adopted it as the only way they want to share resources,” Cuomo says.

The risks: As consumer technologies go, social software poses few major risks. Employees may use consumer social networking sites for business purposes, sharing photos on their corporate blogs using Flickr or posting company information on LinkedIn. If employees start using such applications under the radar, however, there could be confusion about where and when it’s appropriate to share information. Mitre’s Cuomo says that she feels more comfortable using an internal tagging system because employees won’t be putting links to company information outside of the firewall.

Skype

What it is: Skype is one of a slew of applications in the emerging voice over IP telephony market that allow users to engage in voice and instant messaging conversations with each other. (Phone calls via Skype are free when made to another Skype user.) It has emerged—mainly through word of mouth—as one of the most successful Internet applications of all time, with more than 300 million downloads and more than 100 million registered users. Skype was acquired by eBay last year for $2.6 billion. Competitors include AOL’s AIM Triton and Microsoft’s Windows Live Messenger.

Skype’s appeal is that it’s easy to use and the quality of its voice service is high. “It’s better than most VoIP products out there,” says Steve Cawley, CIO with the University of Minnesota, where he suspects Skype is popular among international students and researchers.

Business benefits: VoIP technology offers huge cost savings over traditional telephone service, especially for companies that make a lot of long-distance calls or have employees working in places subject to high long-distance fees. Skype and applications similar to it can also help companies that haven’t yet deployed VoIP create a converged communications suite, including voice, video and instant messaging, writes Irwin Lazar, an analyst with Burton Group, in a report about the technology.

For example, Lazar says, many Burton Group employees use Skype for internal and external communications. At first, most were motivated by cheaper long-distance calls. But many are now using it for instant messaging. Saul Klein, vice president of marketing with Skype, says 25 percent to 30 percent of its customers use the application for business. In the corporate environment, Skype poses some security risks (see below). But companies, especially small ones, that are more focused on cost savings than security may be willing to take that risk. Even CIOs at some larger companies such as Greif, a maker of industrial packaging products, report that they are willing to test Skype and aren’t overly concerned with potential security risks.

The risks: As with any application exposed to the Internet, “the potential that some flaw will be discovered that would enable an attacker to either gain control of or disrupt a Skype user’s computer or mobile device is real,” notes Lazar. (In general, VoIP can pose a security risk because calls travel over data lines that may be vulnerable to Internet worms and viruses.)

These risks are magnified in the case of Skype because, unlike with enterprise VoIP systems from vendors such as Cisco and Avaya, there’s no way to track who is using Skype or how it is being used. That’s because it can be downloaded and installed by employees themselves.

Finally, Skype can’t log and monitor phone calls, so companies that have to track calls for compliance purposes may want to avoid it. Pharmaceutical company Novartis has banned it, and schools including Oxford University and the University of Minnesota have issued warnings against using Skype.

Minnesota’s Cawley also discourages using Skype because of the security risks. He worries about the capability for Skype users with a public IP address to become “supernodes,” acting as hubs that route calls for other users. In the meantime, he suggests that users pick another VoIP service, such as Free World Dialup, which has clients for Windows, Mac OS X and Linux. And although students and faculty can use Skype if they choose, they are asked to turn the application off when they are done calling. “If we do see a problem with Skype, we may go ahead and block it,” says Cawley.

Desktop Search

What it is: A free tool offered by Google, MSN, Yahoo and others that allows users to quickly search the contents of their hard drives. The latest version of Google Desktop can also be used to share files between computers. Users download the tool, which indexes everything on their hard drives in the same way that Google indexes the Web. The software can be set to return results on e-mail, text files, spreadsheets, photos, PDFs and more.

Business benefits: Desktop search can make work easier and increase productivity, especially for employees in industries such as biotechnology who need to find technical information quickly to do their jobs. Palo Alto Medical Foundation’s Tang says that even though initially he had concerns about the security and privacy implications of desktop search, it can be a valuable tool if users know how to protect their information.

Tang and other CIOs see desktop search applications growing in popularity, and they are putting together policies to determine when these tools can be used. Chris Holbert, CIO at Launchpad Communications, which operates an inbound sales call center in Los Angeles, says he currently sees no business need for desktop search. However, Holbert worked for seven years as head of IT at a biotech firm, where researchers made frequent use of a customized desktop search tool. Even some CIOs who currently ban desktop search applications say they are preparing for the day when they might have to change their position. “Desktop search seems to have a lot of momentum and we won’t be able to ignore it,” says James Kritcher, VP of IT at White Electronic Designs.

The risks: Company data may be exposed inadvertently. Once the tool is installed and files are indexed, a snoop can theoretically search someone’s hard drive for information. At PAMF, Tang went out of his way to help users understand how to make sure that sensitive data doesn’t get indexed, but freewheeling users may not always pay attention. Google’s desktop search software also has a feature that lets users search for content on multiple computers. The “search across computers” feature stores copies of PDFs, Word files, spreadsheets and other documents on Google servers. In theory, Kritcher points out, storing documents even temporarily on an external server could expose a company to litigation for violating its privacy, security or document retention policies.

Handheld Devices

What they are: Pagers, cell phones, iPods and PDAs have been around long enough that plenty of companies sanction them for everyday work (think BlackBerry). The devices are becoming so entrenched in daily life that lots of people (including you, probably) bring their own devices from home too.

Business benefits: While at many companies handheld devices are disdained as providing little more than a distraction during meetings, early adopters of the technology on an enterprise scale use them for more than idle chat or diversion. A doctor in Geneva, for example, has reportedly devised a software program that allows physicians to view medical images on their iPods.

At Mintz Levin, IS director Pretorius is testing a proposal from an associate suggesting that the firm build a podcast library of attorneys’ legal presentations. Some managers at the PAMF use PDAs to read e-mail that is not patient-related, look up information about drugs and check medical protocols.

The risks: Mobile phones and PDAs are usually not password protected; therefore, companies risk compromising corporate data if it is downloaded onto the devices. The same goes for iPods, which can be used as backup storage devices. Data security standards set by the Payment Card Industry Security Standards Council could prohibit most pagers and cell phones from being used in offices where information about cardholders is known by employees, such as in call centers or at e-commerce sites.

Mashups

What they are: Mashups are applications that combine data from two or more online sources and run within a Web browser. Think of mashups as Web services lite. Mashups were born a little more than a year ago when Paul Rademacher, an animation expert at Dreamworks, created HousingMaps.com, which merged Craigslist and Google Maps to help people locate real estate listings. Since then, mashups have gained ground among developers; there’s competition to create the most innovative applications. One of the most talked about mashups is the combination of Google Maps and the CRM application Salesforce.com.

Business benefits: Mashups offer faster and easier integration of some services than may be possible using Web services within a service-oriented architecture (SOA). Mashups are less complex, and developers concern themselves less about complying with technical standards because the applications are browser-based, according to consultant Dion Hinchcliffe, president and CTO with Hinchcliffe & Co.

One way mashups are making inroads into the enterprise is when corporate developers adopt the mashup approach for integrating data internally, says John Musser, a consultant who operates the website Programmableweb.com. Investment management company T. Rowe Price, for example, has combined data from multiple applications in order to simplify its call center systems. Kirk Kness, VP of architecture and strategy at the company, says he prefers to call the development technique “composite applications,” because “the term mashup implies that we might be winging it, and we’re not doing that.” Kness and his team are using portal software from IBM and Ajax, a development methodology for generating interactive Web applications.

Meanwhile, IBM is working on a project called QEDWiki (so called because it uses wikis, a tool that allows multiple users to edit a webpage) that is designed to let businesspeople create their own webpages by dragging information from both private and public websites. Using QEDWiki, an employee could integrate weather data, information from an ERP system and the location of company facilities in a single webpage.

“Companies have been wrestling with integration for decades,” says Musser. “Mashups offer a whole new level of power and sophistication that comes for free.”

The risks: These applications can have a lot of security holes. Some mashups that use Ajax scripts, for example, expose their code in the browser, which may allow the mashups to be used maliciously. What’s more, passwords for accessing components of a mashup may also be exposed in the browser, putting the underlying services at risk. Hinchcliffe says that many mashups pull code in live from the Web (think of any service using Google Maps) and run without being previously tested. The danger there, he says, is that the code from an underlying source could change the next time the mashup is loaded, and users won’t know what’s in it.

How to Manage the Consumer IT Invasion

There are several steps CIOs can take to manage consumer technologies as they make their way into the enterprise:

  • Find out what’s happening. By determining which consumer technologies are popular with employees and why they want to use them, IT leaders can figure out the best ways to adapt them internally. Some technologies that have taken off on the consumer side already have offshoots better suited for enterprise use. For example, Google Desktop 3 for Enterprise, currently in beta, allows administrators to disable features they don’t want employees to use. X1 Technologies, which has partnered with Yahoo, offers a competing enterprise search tool.
  • Identify and mitigate risks. If employees need a particular technology to do their work, companies might need to shore up their network security or add bandwidth to support it. If a company allows the use of Skype, for example, it will want to block unsolicited incoming connections to Skype clients to discourage malicious activity.
  • Govern usage. If you’re going to ban an application, set up controls to prevent it from slipping in. Among the options: identity management systems, network access controls and intrusion prevention. “Rather than trying to create a secure perimeter and keep the consumer technology out, you should assume a hostile environment and drive security deeply and broadly into everything you do,” says Gartner analyst David Smith.

If you’re open to experimentation, make sure users know how far they can go. “You don’t want to lose control with what’s happening on your network,” says Mintz Levin’s Pretorius. “But at the same time you don’t want to stifle creativity and innovation. Balancing the concerns and benefits related to consumer technologies is a constant battle, but I see it as a major part of my job going forward.”