Marines can’t use Twitter or Facebook on duty, but soldiers and sailors can. For airmen, it depends on the base.
As for YouTube, the Air Force has created its own channel – which can’t be accessed from work computers.

A lot of people in favor of social media use (including yours truly) view it as an important communication and PR tool, providing some much needed openness and transparency in a time of record low recruitment and mistrust. It is also viewed as a weapon for the military to take back the narrative regarding the wars in Iraq and Afghanistan from the hype-driven media. The rate at which information can be gleaned from these media makes them effective early-warning systems on all manner of critical events – from earthquakes to civil war and revolutions. And don’t forget how incredibly useful it is as a tool for our troops to stay in contact with friends and loved ones. For a much better, insider take on how critical the use of social media is to our national security, read this extremely well-written article in the Federal Times.

I shared the story on twitter, along with my opinion that the ban was the wrong approach for the military to be taking. Brad Tumy challenged me to explain why I thought it was the wrong approach, and what I think they should be doing instead. I promised I would address his question in a blog post soon, so here goes.

Lets take a look at some of the main reasons given for banning social media.

1) Bandwidth Issues

The amount of bandwidth sucked up by YouTube, Facebook and the like puts a strain on limited DoD resources. But today, network tools that monitor bandwidth usage and throttle the traffic based on conditions are quite common. And using geolocation and device identification to cut off access on machines being used in the field (that use extremely limited satellite-based bandwidth) is technically possible (and as someone I met at Catalyst told me in a different context, is being done every day).

2) Spread of Malware

Highly publicized incidents like the Koobface worm spreading via Facebook have led some of the security experts to consider these sites to be tremendously dangerous to the integrity of the DoD networks. But the malware threat from social media is nothing compared to the attacks the DoD has to fend off on a daily basis via sanctioned channels, namely email and so called “good” websites. And the tools to protect against the malware attacks are well understood and widely deployed. Most folks learn pretty quickly to identify and ignore malware messages, no matter what the medium. And cloud-based social media sites will do a much better job of cutting an attack off at the knees than thousands of distributed email systems ever will.

3) Information Leakage

In providing their reason for banning social media, the Marine Corps said

the very nature of social networking sites creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage.

This is probably the most serious cause for concern, and one where IAM and Security technologies can play a crucial role. In many cases, the challenge here is similar to the one faced when dealing with any communication channel, whether it be email or ftp. Many enterprises rely on Security Information Management to protect their most sensitive resources – their data. A well established Identity Management infrastructure provides the first layer of protection by ensuring that only authorized individuals have access to sensitive information, and then providing a complete audit trail around the access of that data. This has been shown to have a deterrent effect in information protection, and can assist in tracing back the source of a data leak. DLP (Data Leakage Protection) tools provide data security by enabling data identification, classification, usage and wrapping controls around it all. Firewalls are getting increasingly sophisticated (take a look at Palo Alto Networks, which is getting traction with a content inspection engine that can “accurately identify applications … and scan content to stop threats and prevent data leakage“). The fact that Facebook and Twitter have APIs that allow the creation of custom clients means that users can be given access in a secure way through apps developed by the military. And there is commercial software out there that does much the same.

Now, the way I see it, the armed forces are facing the exact same dilemma that most enterprises are facing when considering how to tackle the use of social media in the workplace. The only difference is in the amplification of the potential consequences. Exploitation of the attack window that social media use creates could lead an enterprise to lose a lot of money, but in the case of the armed forces it could lead to serious loss of life. That does mean that while the issues are the same, the risks are vastly different. This would necessitate a completely different risk mitigation strategy. But does that mean that the solutions that can help would change too?

A blanket ban such as the one being discussed would lead you to believe that there exists no ability to handle what are essentially security and access control issues in the system, and that simply is not the case. I’m not saying that it is perfect, but a combination of tools, policies and guidelines can make it possible for social media to be leveraged by the military in ways that serves their (and our) national cause without harming their mission. And that would be to everyone’s benefit.

If you ever saw the movie “Breach” about how Robert Hanssen leaked national secrets by photocopying files and carrying them out in his bag, just think of how much more quickly he might have been caught if he had been sending those files over a social media connection. USB drives and email are far bigger threats (right now) than social media. and by being proactive, the military can turn these tools to their advantage. On the other hand, by not playing in one of the emerging technologies in the market, the US military risks becoming outdated, outmoded and outplayed by our adversaries.

Tags: Data Leakage Protection, DLP, Facebook, Firewall, Identity Management, Military, Oracle_IDM, Social Media, Social Networking, Twitter

Computer scientists Arvind Narayanan and Dr Vitaly Shmatikov have proven that the anonymized data sets that social sites sell to marketing firms are not really that anonymous. It is possible to reverse engineer these data sets and obtain actual names and addresses, by looking at the content and structure of the data (in their example, correlating data from Twitter with Flickr).

• BBC Coverage
• Detailed look by Ars Technica
• The paper: De-anonymizing Social Networks

This raises grave concerns about a practice that has becoming increasingly common as social networking sites seek ways to monetize their data. They routinely release social graphs from which a few bits of personally identifiable information (PII) has been stripped to interested parties – advertisers, third-party apps, government and academic researchers. Conventional thinking is that this is good enough to protect people’s identities.

But as the paper shows, this is nowhere near good enough. It’s an interesting study that essentially redefines the term PII, and could (should) have grave implications for social networks and their responsibility towards their users.

The lesson, as Ars Technica points out, is that “anonymity is not sufficient for privacy on the web”.

Tags: PII, Privacy, Social Graph, Social Networking

As seen on Wikipedia:

Enterprise social software, also known as Enterprise 2.0, is a term describing social software used in “enterprise” (business) contexts. It includes social and networked modifications to company intranets and other classic software platforms used by large companies to organize their communication. In contrast to traditional enterprise software, which imposes structure prior to use, this generation of software tends to encourage use prior to providing structure.

Opinions are mixed on whether there actually is something concrete behind the enthusiasm, or just a case of collective 2.0-itis. But the easiest way to think about it (and understand how it will benefit businesses) is to think of it as the next stage in the evolution of collaboration tools that can boost productivity, responsiveness and knowledge sharing in enterprise environments. If you have a Facebook account, you know just how much your communication with your friends and family has changed (and hopefully improved, those photographs you never wanted anyone to see notwithstanding) because of it. Think of that same transformation, just in an Enterprise context.

Oracle has thrown their hat in the Enterprise 2.0 ring by providing a sneak peek at Oracle Sales Prospector during their keynote at this weeks Enterprise 2.0 Conference in Boston. It’s a CRM add-on that leverages collective intelligence from the network of salespeople to identify qualified leads and provide better targeted recommendations. Built on open, standards-based technology including Oracle Fusion Middleware, this next-generation sales productivity application leverages an enterprise social networking foundation and is delivered via a Software-as-a-Service (SaaS) model leveraging Oracle Grid Computing. Click here to read Ian Yip’s post about a conversation he had with Oracle President Charles Phillips about Enterprise 2.0.

With a whole slew of products looking to hit enterprises soon, the implications for Identity Management are obvious. We are about to enter a stage where applications are going to leverage more and more information about a person’s identity and their social network. In order for this to be accurate, manageable and sustainable, these applications will HAVE to sit on a backbone of identity services that manage and control this information.

Accuracy of data will be critical, which will be a death-knell for replication/copying based strategies. Age old issues of “who owns the data” will become both more prevalent and yet less important, as more and more applications seek to share data. Issues of privacy are bound to explode, leading to a greater need for user-centric and policy-driven controls in such a rich information environment. Without a proper identity services stack to sit on, these new Enterprise 2.0 Applications are going to find their foundations very shaky indeed. This is one of the fundamental things we have been trying to solve as part of our involvement in Project Fusion.

Now to go “friend” my expense administrator. Wonder what benefits I can reap from that

Tags: Enterprise 2.0, Fusion Identity Management, Identity in Social Networking, Oracle Identity Management, Social Networking