The biggest challenge to IT security is marketing
by David Meyer - VP of Engineering at OneLogin - Monday, 13 January 2013.
Most companies today are using social media and online marketing channels to tell their customers and prospects about what they do. From company Twitter accounts and LinkedIn profiles through to website CMS or marketing automation platforms, all these tools have two things in common: first, they are essential to running marketing; second, they are all outside the control of the IT department.

How does this have an impact on IT and security? First, customer data is being collected within these applications, which is incredibly valuable to the organization. Keeping this data secure is just as important as traditional information security management. Most of the applications used by marketing today are delivered as a service, available for free or with a credit card. IT professionals have to consider this as part of a growing trend too.

Second, there is the potential impact on an organization's reputation. During 2013, we have seen hacking attacks on Twitter accounts, Facebook pages and other marketing tools that are available over the Internet. For example, publications like the Financial Times, the Associated Press and The Guardian have all seen their Twitter accounts hijacked and used by dissident organizations like Anonymous and the Syrian Electronic Army. The URL shortener tool used by Barack Obama's advocacy group was itself attacked, leading to links being redirected to unsafe sites rather than the intended pages.

Control over Twitter accounts and Facebook pages should be under greater scrutiny. While there have been many high-profile hacking attacks over the past year, there have also been multiple instances of corporate profiles being used by disgruntled former employees. These events have led to serious reputation damage and loss of revenues.

For marketing professionals, guarding against adverse brand impact is essential alongside supporting customer acquisition and sales. Yet their own use of social media channels or applications that contain customer data in unsafe and insecure ways can lead to the very problem that marketers are looking to protect against.

The reason for this is that marketing folk are not as aware as they should be of the rules and best practices that exist around managing applications, particularly on the password and identity management sides. IT has great experience in these areas around on-premise and traditional applications, but while the strategies might be the same, the tactics are not.

There are a couple of options for IT security professionals in this situation. The first is to give the marketing team guidance on password management policy and best practices, which would involve briefing the team on the rules for password management. However, there is no way for IT to enforce these rules or make sure that suggestions are followed.

The other option is to get involved in the management of these applications directly. While IT doesn't have control of the applications directly as they are cloud-based or delivered as SaaS, it is possible to control how they are accessed. This can be achieved by linking the user identities on the company network through to those cloud applications.

Standards like SAML (Security Assertion Markup Language) exist to make this process easier. Based on XML, SAML provides an easy way to control authentication into application sessions that are running in a browser environment. Checking the marketing team's current applications for SAML support is a good first step for IT to take in regaining control.

