In some quarters, it’s being estimated that most enterprise web applications are insecure.

According to a study by Imperva, WhiteHat Security and the Ponemon Institute, 70% of respondents don’t believe web security is a strategy in their orgs, with appropriate budget targeted to web application security and associated risk.

This poses a major threat to the enterprise.  Most organizations today grant access to mission critical apps through their websites.  However, executive management doesn’t focus much on security – indeed, they may not even really understand it – and thus the proper emphasis and protections are not driven downward, into that bulk of managers and staff who actually do the doing in implementing security.

In all regards, security must be a central design element; in systems as well as human endeavors.  In other words, security must be inherent in functionality, and process must reinforce – even force – adherence to security.  In terms of human instruction, interactions, training, and use of systems, there must be the dissemination of appropriate protocols and refreshers and reminders for best security awareness.  And, of course, all necessary updates.

Most organizations lack a cohesive, coherent, monitoring system for intrusion detection/attempts.  Often, even simple event logs are not monitored, and logs are not synchronized across the enterprise in leveraging enhancing information, nor capturing an efficiency of review.

Unfortunately, security is a rather ho-hum endeavor.  The excitement and attraction is always the “next big thing,” with resultant mods of bells and whistles that further use and delivery; time and budget are precious, and developers are pointed forward.  They do not have time to look at the present lay of the land, in assessing or advancing security – until a breach forces them to, that is, by grabbing everyone’s attention by the throat.

It all starts with awareness.  Do your part as you can, within the limits of your power and authority:  Once the vulnerabilities are exposed (both systemic and organizational), the senior executive class understands that a breach can not only take some or all of business offline for some measure of time, it can result in the longer lasting liabilities in exposure of content, revenue loss, and compromise of reputation.

NP:  Rapid Shave – Shirley Scott / Stanley Turrentine, jazz24.org

Web 2.0, that is:  Increasingly, individuals and businesses alike are “going to the web.”

In my case, a recent event convinced me that storing my e-mail, contacts, and allied content on a “local,” home office computer is dicey. 

Understand:  I had a comprehensive backup – and – installation discs.  However, for anyone who has tried to re-install MS-Office components, fix corrupt PST files, and so forth, knows what a pain it can be.  I even have a backup PST, but for whatever reason, Outlook insists on balking – I won’t belabor the details.

I somehow had the foresight to create duplicate contacts on my ISP’s Webmail system.  I’ll resurrect my message store later – I’m good for the moment; I run lean and mean anyway.  But this has all got me to thinking…

Web 2.0 makes it easy to share information and collaborate.  Social media style dialog enablements, paired – not just with access to apps and data – but with ability to contribute, change, modify, and enhance apps and content, makes for a very powerful arena.  An approved virtual community of contributors and consumers of content makes for a savvy population, who can leverage any and all readily available Web 2.0 assets on behalf of the enterprise, its goals, its business.

What’s nice too is that, with appropriate planning and vetting, you can create a secured environment for apps and data… leveraging your provider’s (or multiple providers’) strengths:  Your provider performs backups and recoveries, as specified in a Contract, as guaranteed in  detailed Agreements.  They also provide platforms, paired with virtually an unlimited amount of capacity.  Your budget is their only limit.  No one needs to run out of physical room in a wiring closet or computer room anymore.  You sleep soundly at night.

As companies and individuals offload more things to a virtual environment (relatively speaking), just be sure to thoroughly vet your providers.  Contracts and Agreements are one thing:  Perform exercises to verify that enablements and data are truly recoverable in the case of local events and losses (or theirs).  There is no substitute for empiricism.  (The application of observation, not theory, in determining something).

Stay safe out there.

NP:  Avalon Sunset, Van Morrison, original Mercury LP.