In the last 20-some-odd years, corporate security has made some headway. Companies are now at the point where they are reasonably efficient at keeping ‘hackers’ out and letting employees in. The problem is that to get to this point the enterprise has had to put up walls in the name of safety and security, but at the cost of functionality and logic.
The current Jericho model of security (fitting name) is great at putting up impermeable walls to keep the dangers outside at bay, but not so good at quickly adapting and reconfiguring them. Even inside the walls of the enterprise, security has largely been based on group permission, which is just a step up from the one-size-fits-all XXXL t-shirts that get blasted out of an air gun at sporting events.
The problem is that organizations today need to be agile, reconfigurable, and able to leverage partners and third-party expertise. Unfortunately, to operate in this new environment, security and permissions need to be dynamic and flexible both internally and externally. To become a next-generation enterprise, it will be increasingly important to both empower and trust employees when it comes to information and security decisions.
My feeling is that moving beyond the current model for information security is going to take a little bit of technology and a lot of trust. Web 2.0 tools and the Net Generation will both be additional factors that push the issue to the forefront at leading organizations. Companies will need to move to a model of ‘decentralized security’, which I see as basically allowing users to manage their own security permissions. Organizations will first start experimenting with information inside the firewall, but eventually they will need to evolve and extend beyond the walls of the enterprise.
Take the simple example of sharing a proposal. In a traditional organization that would be done via email, perhaps a networked drive, or more sophisticated reporting tools. The problem is that in all of those cases the permissions for the document have been predefined by the system (OK, except email, but we all know that is not the best way to share something with an organization). IT predetermined who should see the document even though they have no idea what it contains (nor do they care). A good wiki product will allow an employee to set the permissions they decide are appropriate based on the content in the document, not to mention tag it so others can actually find it.
Allowing users to manage their own security permissions may seem like common sense, but in the IT world we are still a ways away. Luckily, organizations are currently recruiting a generation of security 2.0 experts. Net Geners are constantly granting permissions, blocking harmful people and materials, and managing spam filters. Now, with Facebook’s feature that enables social graphs, they are controlling the access and permissions of hundreds of their friends, colleagues and family members to their personal information. They decide whom to allow to view various content, use specific applications and access certain areas of their profile. They can define access levels on a group or individual basis. Should I stop? Sounds to me a lot like they are taking network admin 101. The bottom line is that they will be a generation of employees that has been developing skills and thought patterns that will be portable to a decentralized security environment.
Very provocative. Nice post!
Comment by Alan Majer - July 17, 2008 10:39 am
Nice post. The same thought has now been implemented inside enterprises through Information Rights Management. As you talked about Proposal sharing - an IRM tool can let the proposal move through system to system outside the firewalls of the organization, but only user defined persons can access the proposal for a pre-defined time period and carry out pre-defined actions (e.g. printing/forwarding).
Comment by S Sahoo - July 17, 2008 12:35 pm
It’s changing, but the fact I wrote a very similar post in Jan 2007: http://thewayoftheweb.net/2007/01/it-could-lead-the-revolution/ shows how long it’s taking…
The best trick is to find the humans lurking in IT and bribe/befriend/beg them.
Comment by Dan Thornton - July 17, 2008 3:08 pm
Dan and Suvendu, thanks for the comments, and I agree that this is long overdue. There was a time that security measures were needed to protect the enterprise, but much like unions that time has long since passed.
The interesting thing about web 2.0/Enterprise 2.0 is that to really make it work organizations have to empower and trust users again. Connectivity is at the heart of what makes the tools so engaging.
Comment by Brendan Peat - July 17, 2008 4:49 pm
Security will in such a case become more information centric than context (location, network, …) centric. I think identity federation for online identity, initiatives like Open ID can help unified identification of the employees within or outside of the enterprise. I had a long exchange with Chris Swan on his blog regarding identity and information rights management in such an environment. Check it out on http://thestateofme.wordpress.com/2008/03/22/the-wrongs-of-enterprise-rights-management/
Comment by Vishal - July 18, 2008 2:19 am
Interesting post Brendan. I’m all for empowering individuals (be it within or outside of a company environment) but I also feel that leaving security solely to the individual is a huge risk for a corporation. In my opinion it should be a layered approach. That is, individuals can set their security settings based on whatever criteria they have and for whatever reasons but then there still needs to be some corporate validation of those settings to ensure governance and other policies are not compromised. For example, I can see a scenario where a healthcare professional wants to share a piece of information (for a valid reason) and sets security policies accordingly. However, because there might be patient information that is subject to HIPAA the company needs to make sure the employee-set security policies don’t violate HIPAA and put it (and the patient) at risk.
In addition to protecting oneself against governance and legal issues, there is also the need to protect IP. The above example involves an employee with good intentions, but what about an employee with malicious intentions?…
Comment by JM Krikorian - July 19, 2008 12:54 pm