One of the big takeaways from IBM's powwow over collaboration tools was that Web 2.0 technology is easing its way into the enterprise.
First, companies like IBM and Cisco will adopt mashups that combine enterprise applications with external applications. Then CIOs will slowly adopt Web 2.0 approaches. These executives will experiment from the inside out. First, the mashups will be basic, say data scrapes from a travel site coupled with an internal travel application. From there, these mashups will bridge internal data with trusted partners. And finally, you'll be melding enterprise apps with Google Gadgets and other common toys found today.
It's early in this enterprise 2.0 game, but one question keeps popping up for me. What are the security implications here? It's no small issue. What if you had an Orkut/Google mashup when a worm hit? (This isn't theoretical, since TrendMicro reported it on Wednesday.)
So what happens when these mashups are used in the regular flow of business?
Sure, there's ROI in application production time when Web 2.0 meets the enterprise. Perhaps productivity jumps. The great unknown is what happens on the security front. Just imagine if some mashup includes QuickTime. How about a MySpace mashup at an entertainment company?
Luckily, we're not to the point where we panic over an enterprise mashup, but it sure can't hurt to think about it.
In an interview with Luba Cherbakov, a distinguished engineer at IBM, I brought up the issue at Big Blue's innovation talk on Tuesday. Bottom line: Big Blue is experimenting and noodling over the potential policy implications of mashups in the enterprise. Here are some big takeaways from our conversation.
Companies need a mashup policy. Cherbakov had a key point: While IBM's innovation labs can cook up a mashup on the fly, any big rollout across the company needs some sort of partnership, even if the APIs are freebies. For instance, employees created a Hertz mashup with IBM's travel apps. It was handy. However, Cherbakov contacted Hertz to get that data in a REST format. That way the data was more consumable and scaled better.
These mashup policies could help on the security front. At the least, an enterprise would know a Web app would be swapping data with a trusted partner.
Keep mashups in your playground. IBM's Web 2.0-ish apps reside in its innovation toy box. These pups aren't rolled out across the enterprise, says Cherbakov. That's a nice strategy as it keeps these mashups in an area where a) they can be improved; and b) they can be quarantined if something goes to hell in a handbasket.
Create a process to harden mashups to make them enterprise class. If a mashup graduates from IBM's innovation toy box, it could follow a few routes:
- It could be adopted across the company;
- It could be developed as a product.
In either case, a mashup would have to become industrial strength. Cherbakov says that IBM is still figuring this one out. "If some mashups need to go to more than 300,000 employees we need to develop some process to harden," says Cherbakov.
When Cherbakov refers to hardening, she's talking more about uptime and making a Web 2.0-ish app enterprise quality. Security, however, will play a role.
For now, the best way to secure any enterprise 2.0 toys is to keep them private inside the company. But the day will come when these toys will be externally facing. In the meantime, you need to cook up a plan.