Twitter has recently joined the ranks of fellow social media giants Facebook and Google by moving to more widespread and default use of SSL to protect their end-users’ information. Twitter announced on their blog that users can set a preference to secure all Twitter communication via HTTPS, which will in time become the default setting for the Twitter service. You can read the Twitter blog here: http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html
This shift highlights a very real and important challenge for enterprise security that boils down to this:
- Social media applications continue to be the preferred point of contact between enterprises and targeted botnets. See the Information Warfare Monitor’s paper that covers in detail how social media fits in the botnet lifecycle: http://www.infowar-monitor.net/research/
- Social media applications are adopting SSL/HTTPS as default behavior.
- Many enterprises lack the ability to enforce security on SSL traffic.
The conclusion for enterprise security is pretty clear. If you can’t control social media, and specifically social media that is SSL encrypted, then you are leaving open a clear path for botnets and malware to get into and out of your network. This is a clear case where the consumerization of IT has serious downsides for security. The shift to SSL provides a moderate improvement in privacy for the end-user, but in the process makes the enterprise far more vulnerable to organized attacks, lost data and compromised systems. It is also yet another example of why a true next-generation firewall with the ability to control applications regardless of SSL is not just cool new technology, but absolutely mandatory for modern security.