Web 2.0 Security - overview
Web 2.0 is about connecting people and amplifying the power of working together. Unfortunately, that same power raises a number of serious security challenges, which this project tackles from several angles.
Overview
The goal of Web 2.0, connecting people, brings together a broad range of technologies and social forces. We have witnessed a rapid proliferation of social computing web sites and content. This mixing of technology and social interaction is occurring alongside a wave of technologies that support rapid development of such interpersonal applications. The broad functional security issues concern the management of identities, reputation, privacy and anonymity, and the composition of function and content.
We are observing the rise and maturation of a variety of new social computing based services. Many of these rely on the composition of content and services from multiple sources. At one end of the technology spectrum are simple services such as blogs and wikis; at the other are far more complex technology compositions (mash-ups). The content composition trend is likely to continue, since it promises inexpensive and easy ways to compose software services and content.
Web 2.0 will become more useful once there are broadly adopted, easy-to-use technologies supporting security-related trust relationships between multiple collaborating parties. These relationships may be long-lasting or transient. Applications are being built from components that, in order to provide an enhanced user experience, require access to user identity, profile and reputation information from a variety of sources. Progress on this front is held back by the lack of a broadly adopted, interoperable global identity, trust and reputation infrastructure. One obstacle is that people possess multiple sets of credentials, each describing the person in a particular context (personal, business, school, entertainment, etc.) and each originating from a different source. Another is the lack of protection mechanisms in the technologies commonly used on the web. Specifically, mechanisms to prevent undesirable interactions between multiple mutually distrusting parties within one application do not currently exist: a script that a page includes from another domain, for instance, runs with the full authority of the including page and can read everything that page can.
These content and service compositions therefore carry a wide range of security and privacy risks. While the issues themselves are not new (many already exist with portal servers), they are becoming increasingly acute as the technologies are adopted and adapted to appeal to a wider developer audience.
IBM Research is investigating security issues in the Web 2.0 area. Specific topics include:
- Secure component model for cross-domain mashups
- Identity, reputation and anonymity
- End-to-end security for content mashups
- Security, privacy and rights management for content composition
- Usable security and privacy models
- Language-based security, using both static and dynamic techniques
- Provenance and governance