BT's Web 2.0 security strategy

In 2006, just as the first tweet was being Twittered, BT Global Services launched an effort to keep its customers and 112,000 employees safe in a new world of Web-based communities and other interactive sites.

BT's security initiative started early, paralleling the emergence of collaborative Web 2.0 applications such as Twitter, LinkedIn and Facebook.

"We see social networking sites as an enablement tool" to help extend BT Group PLC's reach to prospective customers while helping employees build new business relationships online, says Ray Stanton, global head of BT's business continuity, security and governance practice.

But while BT stands apart from many companies in that it lets employees visit social media sites within the constructs of its Internet usage policy, it still needed a way to protect the company and its staffers from potential security threats lurking in cyberspace. For instance, the vulnerability of mashups to data leakage "has been one of our critical concerns," says Stanton.

A user might, for example, gain access to a mashup that combines a service for finding local restaurants with information from a social networking or mapping site, says Stanton. "There is the opportunity if the information is not secured across all the boundaries [that] residual information could be left or leaked at any point in the process," he says.

A criminal could figure out where the employee lives based on the restaurant's location and the mashup of the mapping system, adds Stanton. "And yes, if you book online, then guess what, we know where you live [and] what time you're out," he says.

In addition to keeping its employees safe, BT also wanted to apply technologies that would enable it to enforce its Internet usage policies. After holding a series of technical workshops with a number of security software vendors, Stanton and his team decided to use a set of URL filtering and security technologies from Blue Coat Systems Inc. about three years ago.

The systems include Blue Coat's ProxySG appliance, which BT uses to categorize URLs as either business productivity sites, such as LinkedIn, or sites that might be deemed improper, such as the Web pages of hate groups, says Steve Schick, a spokesman for the Sunnyvale, Calif.-based vendor. Depending on a customer's usage policies, the rackable ProxySG appliance can be configured to block access to certain sites or issue a warning when an employee is in violation of the company's acceptable-use policies, Schick says.

The appliance can also be configured to enforce usage policies for single users or groups of users. For example, a company that doesn't allow most of its employees to watch YouTube at work can program the ProxySG appliance to permit access only to employees of its marketing department who might use the site while developing marketing campaigns, says Schick.

BT is also using Blue Coat's ProxyAV, which enables the telecommunications giant to scan its network for viruses, worms, spyware, bots and other forms of malware.

While BT has taken a progressive approach toward employees' Internet use, it's important for it and other companies to also adopt practical usage policies, says IDC analyst Melanie Posey. "You have to know on some level what people are doing on the Internet and what impact it's having on network performance," she says.

Stanton declined to quantify BT's investment in the security tools. Schick says pricing for the ProxyAG appliance starts at $2,000, depending on the number of end users being monitored.

At a Glance

BT Group PLC

Headquarters: London

Company charter: One of the world's leading providers of communications services, operating in more than 170 countries.

Revenue for the fiscal year that ended March 31, 2009: $35.3 billion

Project champion: Ray Stanton, global head of BT's business continuity, security and governance practice, which has total oversight for BT's commercial security business.

Project payback: A return-on-investment study that's expected to be completed by year's end will examine the operational man-hours saved as well as capitalized IT infrastructure cost savings achieved.

Hoffman is a freelance writer in New York. You can contact him at tom.hoffman24@gmail.com.

This story, "BT's Web 2.0 security strategy" was originally published by Computerworld.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies