Sandboxes could be key to enterprise Web 2.0 security
Security company Kaspersky Lab argued that the use of virtual sandboxes will play "an important role in defending users of Web 2.0 technologies from malware attacks".
By running potentially unsafe applications in a sandbox, computers will be largely unaffected if this software turns out to include malware. This will enable businesses to counter "an explosion of attacks that exploit the technologies and trusted environments created by social networking sites".
ComputerWeekly.com observed that criminals are being drawn to social networking websites because they provide an appealing method to distribute malicious code behind apparently legitimate applications, while users are still within a trusted environment. It said that while social networking sites tend to focus on improving usability to retain existing subscribers and attract new ones, this often does not fit well with wider security considerations.
As has previously been noted, younger and more technology-aware staff are moving into corporates and calling for access to applications that fall outside the traditional enterprise application sphere. While the benefits of businesses adopting social networking technology are open to question, there is no doubt that this is happening anyway, as new ways to interact with both customers and staff are sought.
If enterprises are to embrace this so-called "technology democracy", clearly IT security will become a more complex process due to the increased number of potential weak spots in the infrastructure. Kaspersky's solution seems a reasonable compromise: it enables wider adoption of Web 2.0 applications, but at arm's length, so that the potential for damage is limited. Deploying virtual sandboxes will certainly incur some IT overhead, but this may be a reasonable trade-off if security is protected further down the line.
Kaspersky's findings were presented at the Information Security Solutions Europe conference, organised by the European Network and Information Security Agency.