Security and privacy engineering for corporate use of social community platforms

Social media (SM) platforms are being used for many purposes. As they were successful in accumulating a large number of well-networked user communities over the recent years, those platforms and their communities became interesting for corporate and commercial use, visible in a wave of books on businesses and SM. However, the “corporate user” normally is composed of many individual users that implement a subset of corporate functions, and has other security needs as those of private consumers. This article reviews corporate use cases for SM, and presents an overview of information security and information privacy requirements following from these uses. The article concludes with a comment on today’s SM platforms capabilities to support these requirements. 1 Corporate use of social communities Social communities are computer platforms that allow their users to represent themselves in profiles to establish social relationships to other users, and to supply and share media objects with subsets of their network [1, 2]. Such sharing produces many problems related to user’s roles and user’s access and object use permissions that should be aligned with the collaboration workflows intended by the users. Roles and permissions for individual users are defined in a single place, where the object access permissions and personal relationships (from here on called “policy”) are defined. SM have grown to become popular private interaction platforms for multimedia [3]. However, policy management is different for corporate users. A corporate user is here defined as: A corporate user of SM is an organization based on workflows using communication and collaboration in SM as part of their organizational strategy. Complementing this definition, these assumptions on corporate users are made: Other, more seasoned communication channels, such as telephony, e-mail, paper messages, video conferencing, web portals and personal meetings are used as well to implement corporate strategy. Next, there are information objects and interactions that are restricted to the public, e.g. business secrets, patent applications, customer data records, price lists and contract conditions to particular customers. For many of the restricted objects above, the corporate user has developed rules and processes. These involve both the definition of access restrictions on objects, and the definition of workflows and processes for the handling of typical business actions.