The explosion of consumer and Web 2.0 applications used by end users within businesses will force a new paradigm for corporate information security, one in which blocking URLs and setting firewalls won’t be nearly enough to control a company’s intellectual property and data, according to a panel of chief information security officers (CISOs) and vendors today at the RSA Conference in San Francisco.
Instead, they argued, companies will have to do a better job of tracking what types of applications their employees use, how they access them, and for what reasons.
Patrick Heim, CISO of Kaiser Permanente, says he has also been reluctant to block too many applications at the health care organization because it risks stifling innovation and turning away younger employees.
“We need to be very careful about how we implement controls,” he says. “We need to recruit the next large generation to come and get work done. They [younger workers] have grown up with 50 different flavors of IM and many different apps.”
Because of the various workarounds and the adeptness with which many consumer apps on the web can find an open port in the firewall, blocking URLs has become a near exercise in futility, says Nir Zuk, founder and CTO of Palo Alto Networks.
“You can do as much filtering as you want,” he says. “You can’t stop it. If you have a single port open on your firewall, anything can go to that port.”
As an example, he noted that Google’s IM service, Google Talk, can run in a web-based version on top of Gmail, so the user never has to type in a URL that the company could guard against if it didn’t want employees to use the service.