Holy Web 2.0 Herding Nightmare

Web 2.0 collaboration tools are irresistible to end users: They're easy to set up and use and can be accessed from anywhere. Employees can upload or create documents, spreadsheets, wikis, and blogs, then invite co-workers and partners to access, edit, and download content. These apps often include productivity enhancers such as search and tagging. And not surprisingly, vendors are encouraging the trend--Microsoft and IBM have added wikis and blogging capabilities to enterprise apps including SharePoint and Lotus Quickr, while Google and upstarts like Socialtext, PBwiki, and Jive Software are luring corporate users with freebie accounts and dead-simple deployment. Departments and business units can provision users in minutes, pay with discretionary funds--and never make a single call to IT.

Sadly, all IT gets out of the deal is a big fur ball as it struggles to organize corporate content run amok. The potential for exposure of sensitive information or theft of intellectual property runs high, as do concerns about noncompliance with corporate or third-party requirements as end users scatter sensitive information around the Internet. If the company gets tangled in litigation, data relevant to discovery requests may be lurking unknown on third-party servers, exposing the organization to financial or legal sanctions.

We have to get a grip on this problem, but how?

You can ignore Web 2.0 tools, or try to shoo users away. If you take one of these approaches, let us know how it works out for you. A better approach is to embrace new collaboration methods, whether through an in-house deployment, a software-as-a-service option, or both. In "SaaS: Red Light, Green Light", we discuss the new batch of decision metrics companies need to use when evaluating delivery of any business app in a service model. Fortunately for IT, many collaboration apps include authentication, access controls, change logs, and methods for exporting data into corporate storage, all of which help manage risk.BETTER THAN E-MAIL
E-mail stinks as a collaboration tool, particularly in today's business environment, where team members are often not in the same location at the same time. Users must send multiple copies of documents or files, wait for them to be marked up, and reconcile changes. Valuable project information may be buried inside long strings of correspondence or--even worse--users may be cc'ed on long, irrelevant discussions.

Web 2.0 Expo Online

Stay on top of breaking news and blog coverage from Web 2.0 Expo in San Francisco,
April 22 to 25, 2008

>> Web 2.0 Expo Coverage <<

Enter specialized collaboration apps. Whether these products are deployed like conventional software, such as Microsoft's SharePoint and IBM's Lotus Quickr, or via software as a service, they make it easy for co-workers and business partners to create and share information. Take Skanska, a global construction company with 26 U.S. offices, which worked with 40,000 subcontractors in 2007. "Collaboration is core to what we do," says Allen Emerick, director of IT, applications, and integration for Skanska's U.S. business. A typical building project involves a large cast, from clients to sales teams to architects, plus engineers and construction crews.

Employees used to rely heavily on e-mail and FTP to collaborate, but this was cumbersome. So Emerick deployed SharePoint to address the problem. Now, SharePoint is used for both internal and external communications. Internally, it acts as a portal where employees can find corporate forms and documents. Externally, clients access SharePoint to get information about ongoing projects. Emerick says these external sites are used throughout the life of a project, from sales to completion. During the sales cycle, proposals, RFPs, and presentations are put on the site for clients. In the planning phase, initial design and specification documents are available. During construction, architectural drawings are posted as PDFs, and job site photos may be added. Throughout the project, a calendar function lets parties track major milestones and meetings.

But SharePoint and Lotus Quickr aren't the only options. Doug Cornelius, a lawyer at Goodwin Procter, relies on PBwiki, a popular provider of online collaboration tools, for a variety of projects. As a member of the law firm's knowledge management department, Cornelius uses the wiki to manage meetings and agendas and to plan conferences. "It's tremendous for capturing information," he says. "Instead of a string of e-mails, you just go in and edit the wiki."

While the firm also uses SharePoint as an intranet platform, Cornelius wanted to experiment with other options. "We didn't need anyone from IT to do anything. Training and setup took 30 seconds," he says. After a year of use, the wiki has more than 100 pages and gets several edits every day. Other departments in the firm are also using the PBwiki service.

(click image for larger view)

BEHIND IT SUPPORT'S BACKWe're seeing a serious disconnect between user enthusiasm and IT support. For example, Forrester research shows that Web 2.0 technologies aren't necessarily front of mind for IT: When the analyst firm asked if implementing Web 2.0 technologies such as blogs and wikis was a major initiative for 2008, 42% of 1,017 IT manager respondents said it isn't even on the agenda, while 32% said it isn't a priority. But among users, there's a different story. Jive Software says bookings for its ClearSpace collaboration environment, which combines blogs, wikis, and discussion forums, jumped almost 100% between the first and second quarters of 2007, with customers ranging from the Fortune 500 to midsize companies. PBwiki says it has more than 30,000 business accounts.

If we don't get out in front on collaboration, users are going to act as their very own IT and compliance officers. That's a problem because when a user creates an individual account, that user has ultimate control over the content. The account holder can invite other users and manage their permissions, such as adding or editing content. But managing other users' permission levels and access rights isn't a task that should be left to individual employees. It would be far too easy for an account holder to forget to deprovision a co-worker who goes to work for a competitor. Worse, the employee who sets up an account retains ultimate control over the information--even if he or she moves on.

NOT-SO-WILD WEB
While the ease with which employees can post sensitive corporate information within collaboration tools may worry IT, the truth is that these apps--even software-as-a-service products--beat e-mail hands down when it comes to managing compliance, privacy, and legal risk.

"Adoption of SharePoint, blogs, and wikis is done with an eye toward better information management," says Rob Koplowitz, principal analyst at Forrester Research. "When they are deployed in a sanctioned way, there's a great amount of visibility into what's going on, which is different from e-mail."

While Web 2.0 vendors like attracting users, they're also aware of the conflict between freedom and oversight. Thus, many provide capabilities to make collaborative environments more palatable to IT. Socialtext, for example, offers an appliance that can be deployed behind the enterprise firewall, giving IT more control over the content and ensuring that corporate information gets integrated into the company's backup and archiving systems.

New Media, New Tactics

Lightweight collaboration tools aren't going away. The only choice IT has is how to respond.LOOK THE OTHER WAYIs ignorance bliss when it comes to Web 2.0 collaboration and social networking applications? Pretending the issue doesn't exist will certainly make your life easier--until an employee does something stupid or malicious with sensitive corporate information, or lawyers start delivering discovery requests. That's when this tactic begins to look really dumb.
PLAY WHACK-A-MOLEYou'll need policy and technology to ban Web 2.0 sites and tools from the enterprise. Be explicit about what kinds of sites and activities are forbidden, then be ready to back up your policy with technology. You probably already have Web filters in place, and Web proxies also provide fine-grained control over what gets in and out of the enterprise network. The downside is that new Web 2.0 sites sprout quickly, so you'll always be behind the curve. Hey, we never said it would be easy.
PLAY ALONG -- BY YOUR RULESCooperation is more productive than competition. If business realities allow, providing sanctioned alternatives that combine some IT oversight with the ease and mobility of Web 2.0 tools should make everyone happy--or at least able to live together.

Vendors such as PBwiki, Google, and Central Desktop also allow company accounts, which provide more IT control over collaboration. With a company account, IT can provision and deprovision users, set access rights, and prevent users from sharing information with outsiders. A company account also will prevent a user from signing up to a personal account using his or her corporate e-mail identity. For instance, a company setting up a corporate account for Google Apps would create its own domain, and then have full administrative rights over users. The account can also be linked into the enterprise authentication system, which may be stronger than the typical user name/password system used by collaboration providers.

"We have companies doing two-factor authentication on top of Google Apps," says Rajen Sheth, senior product manager for Google Apps. "Users get redirected and have to enter a SecurID code on top of a user name and password."

Central Desktop's corporate accounts let administrators set access rights to workspaces, which are the collaboration areas created inside Central Desktop. Companies with multiple workspaces can control user access to spaces, and manage rights within those workspaces, such as the ability to read, edit, and download information.

Central Desktop recently announced a security pack that customers can add to its service-based collaboration tools. Features include the ability to set minimum password length and complexity, mandating the use of letters, numbers, and special characters. The security pack also lets admins set up e-mail domains, so that information may be sent only from Central Desktop to domains on the list. E-mail also can be encrypted in transit using TLS, as long as the recipient's mail server supports the Transport Layer Security protocol.

Another feature is trusted IP addresses, in which admins can force users to log in from a defined set of IPs. "The most common scenario for restricting IP addresses is when they only want users to access the site through a VPN," says Central Desktop CEO Isaac Garcia.In addition, most online collaboration and wiki products can integrate with Active Directory or LDAP. They also use SSL or TLS to encrypt content in transit and have basic access control features to prevent unauthorized users from viewing particular content.

Another compelling feature is the audit trail. Most systems log changes made to content on these sites, including the user who made the changes. Users and administrators can compare different versions of content side by side, and unwanted changes are easily removed. These products also can log user activity to see who uploaded or downloaded content or documents. An audit trail has value to IT because it can monitor logs for unwanted behavior and track down policy and compliance offenders.LIMITED USEFULNESS

Despite these nods to enterprise IT, there are still drawbacks to corporate versions of these products. For one, administrative workflows may be primitive. For instance, while Central Desktop provides a dashboard to manage workspaces and users, administrators have to provision and deprovision users one at a time. This may not be burdensome for a dozen accounts, but it will get annoying fast as numbers grow.

For its part, PBwiki has limited control over documents. While content owners can assign, read, and edit rights to users of wiki pages, those controls don't extend to documents. Any user with access to a collaboration area has full access to any documents posted inside that area. "We are hearing more requests for file-based access control," says Chris Yeh, VP of enterprise marketing for PBwiki.

Companies not comfortable with the service model or startups also have options. Microsoft SharePoint sits at the top of the heap for enterprise collaboration. IBM offerings, including Lotus Connections and Lotus Quickr, provide collaboration and Web 2.0 features such as tagging. BEA's CollabraSuite creates virtual meeting spaces and offers features such as a shared whiteboard and the ability to store shared and personal files. And EMC Documentum's eRoom is a well-established collaboration system with a strong focus on document management. It integrates with Microsoft Office to let users upload and share files.

These in-house options may be attractive to IT for their extended security and management capabilities. For instance, SharePoint lets administrators create data disposition policies for information inside SharePoint servers, such as ensuring that business contracts be retained for seven years. IBM Lotus Quickr's content repository lets employees and business partners share documents and files while also providing strong change management features, such as check-in and check-out functions.

DIG DEEPER

RISKY MEDIA

Blogs, wikis, podcasts ... communications mechanisms improve interaction but also pose a risk.

Download this
InformationWeek Report

>> See all our Reports <<

However, these products also come with the downsides of enterprise software--longer and more costly deployment than software as a service, and longer lag between upgrades. Enterprises are unlikely to dip their toes into collaboration through a six-figure software deployment. It's not uncommon to find companies using SharePoint and third-party SaaS products.

"It's a classic story of enterprise 2.0," says Goodwin Procter's Cornelius. "We're up and running with PBwiki in 30 seconds, and SharePoint is taking a year." Fact is, users will find ways to make their working lives more convenient--with or without the input of IT. This is particularly true when it comes to Web collaboration tools.

"The challenge is to stay ahead of the curve of providing tools for employees so they don't feel compelled to find others," says Skanska's Emerick. Because once data strays outside your borders, herding it back in is a job we wouldn't wish on anyone.

Photo illustration by Mick Coulas

Continue to the sidebar:
Web 2.0 And Legal Discovery0