Enterprise Microblogging Security
Last week I read an article that was co-written by one of the most knowledgeable social media experts I follow on Twitter, Aaron Strout of Mzinga, and Joe Cascio of JoeCascio.net. The article is titled Is the Enterprise Ready for Microblogging Tools Like Twitter?. It was full of useful information that any organization would want to consider before using a tool like Yammer or Present.ly, but the pieces that caught my eye were listed under the Key Considerations section:
"Single Sign-On (SSO): A growing problem in the social media world right now is identity proliferation. With some notable exceptions that accept OpenID, most sites still require you to create yet another account in their system (or identity domain). In most enterprises, a fair amount of effort has already been expended on establishing single sign-on through the intranets’ LDAP registry. It would be highly desirable to leverage this capability to enroll employees in the microblogging system. So, an enterprise microblogging solution must have flexibility in adapting to existing ID and sign-on registries."
Then further down:
"Security: This will probably be of paramount concern at least initially in most businesses. Most corporations are very aware of keeping internal communications safe from prying outside eyes. An enterprise microblogging solution must provide for fine-grained authorization and trustworthy security of communications. Management, through the IT department, will want to be able to restrict who can see certain posts."
Some would say that the beauty of Twitter is its lack of walls. Granted, you can protect your updates so that only the followers you approve may see them, or use the DM feature to send private messages, but for the most part communication is done in the clear for the whole Twitter community to see. When discussions turn to private topics like corporate strategy and departmental policies, though, the need for enterprise microblogging to be secure becomes paramount. In other words, you don't want that jab about a competitor's product to become public because the person who made it was foolish enough to set their password to "password".
So how secure are these new microblogging tools? A quick check of Yammer's API Documentation shows the following:
"Authentication is done using HTTP Basic Authentication. The username is the full email address of the user, and the password is the same used to authenticate to the yammer.com web interface."
It's the same with Present.ly's API Documentation:
"Just as with the Twitter API, the Present.ly API can be accessed via HTTP Basic authentication. The primary difference is that there is no data accessible without authentication in the Present.ly API, since the data is all private."
For those who aren't familiar with Basic Authentication, Wikipedia points out its main weakness:
"Although the scheme is easily implemented, it relies on the assumption that the connection between the client and server computers is secure and can be trusted. Specifically, the credentials are passed as plaintext and could be intercepted easily. The scheme also provides no protection for the information passed back from the server."
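To make that weakness concrete, here is an added Python example of my own; it is not code from Yammer, Present.ly or the article quoted above. It builds an Authorization header the way any Basic Authentication client does, recovers the credentials from it the way a network eavesdropper would, and flags constructed sample requests that carry such a header over plain http. The host, API path and user account are made up for the example.

```python
import base64
import binascii
from typing import Dict, List, Optional, Tuple

# Constructed sample credentials for the example (not real accounts):
# a corporate e-mail address as user id, and the weak password the post warns about.
USER = "jane.doe@example.com"
PASSWORD = "password"


def basic_auth_header(username: str, password: str) -> str:
    """Build the Authorization value an HTTP Basic Authentication client sends.

    The user id and password are joined with ':' and base64-encoded.
    Base64 is a reversible encoding, not encryption: anyone who sees the
    header can read the password.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def recover_credentials(header_value: str) -> Optional[Tuple[str, str]]:
    """Do what an eavesdropper does with a captured Authorization header.

    Returns (username, password), or None if the value is not a usable
    Basic Authentication token.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    if not sep:
        return None  # a Basic token always contains the ':' separator
    return username, password


def cleartext_basic_auth(requests: List[Dict]) -> List[Dict[str, str]]:
    """Flag requests that send Basic credentials without TLS.

    Each request is a dict with a 'url' and a 'headers' dict, the shape a
    proxy log or packet capture might be normalised into. Over https the
    password still travels on every request, but at least a network
    observer cannot read it; over plain http it is visible to anyone on
    the path.
    """
    findings = []
    for req in requests:
        creds = recover_credentials(req["headers"].get("Authorization", ""))
        if creds is not None and req["url"].lower().startswith("http://"):
            findings.append({"url": req["url"], "user": creds[0]})
    return findings


# Constructed sample traffic against a hypothetical microblogging host.
SAMPLE_REQUESTS = [
    {"url": "http://microblog.example.com/api/messages",
     "headers": {"Authorization": basic_auth_header(USER, PASSWORD)}},
    {"url": "https://microblog.example.com/api/messages",
     "headers": {"Authorization": basic_auth_header(USER, PASSWORD)}},
    {"url": "http://microblog.example.com/api/messages",
     "headers": {}},
]

if __name__ == "__main__":
    header = basic_auth_header(USER, PASSWORD)
    print("wire value:", header)
    print("recovered by a sniffer:", recover_credentials(header))
    for finding in cleartext_basic_auth(SAMPLE_REQUESTS):
        print("credentials in the clear:", finding["user"], "->", finding["url"])
```

Run it and the "recovered by a sniffer" line prints the e-mail address and password back in full; only the first sample request is reported, because the same header over https is not readable on the wire, even though it still carries the user's real password on every call.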
This entry is not intended to knock Yammer or Present.ly for their API security protocols. I'm sure when their founders set out to deliver their solutions, security was barely a blip on their radars. But it is a gap that Yammer and Present.ly customers will need to address if they want to provide secure microblogging environments for their employees. With Basic Authentication the client sends the user's actual password, base64-encoded rather than encrypted, on every API request. That is tolerable only if every request travels over TLS (https), and even then each desktop or mobile client that talks to the API ends up holding the employee's real password, the same one used for the web interface. If that password is also the corporate directory password, as an SSO integration would make it, a single careless client or a single "password" password exposes far more than the microblog.
If you're part of an organization that needs help implementing SSO to a microblogging solution, or if you have any other security needs related to microblogging, we'd love to hear from you! CoreBlox has broad experience creating quick and effective solutions to these types of issues, and chances are we could help you figure this out. Drop us a line at email@example.com, or feel free to contact me directly on Twitter.
For those folks who work in the Identity & Access Management space, or who just have a general interest in this area: what are your thoughts on the security challenges that these microblogging solutions pose? Anything you see that makes their situation unique relative to other applications that are covered by enterprise security?