DevCentral > Weblogs > Daily Dose of Pete
With Social Media exploding, F5 solutions supporting Web 2.0 applications and many experts saying 'Get On the Social Bus or Get Lost,' we've been exploring ways to introduce and extend the F5 brand into those communities. Of course, learning, conversing and understanding the challenges in the marketplace and how best to solve them is also part of the venture. Up front, I want to say these are not replacements for our groundbreaking social site, DevCentral, but extensions of F5 into places we've never been. DevCentral will always be our primary community, with exclusive content all for the purpose of serving and sharing with you all the awesomeness of BIG-IP. We also understand, however, that folks like yourselves get content and information from a variety of sources, whether for entertainment, technical knowledge or both. To that end, we'd like to share with you our current active social sites and ask, if you so desire, that you join, become friends and participate in these communities just as you do here. It'll be a little different but still fun.

I also thought I'd chronicle, at times, some of our Social Media experiences here: successes, mistakes, experiences and other anecdotal stories to share. I even have one now! At first we went out and signed up for/created a bunch of sites, but then I saw this article on the 7 deadly sins of social media and realized Gluttony was creeping in. We needed to focus on a few. So, for your social pleasure, here are a few of our most active Social Media sites:

- MySpace: www.myspace.com/f5networks
- Facebook: http://www.facebook.com/profile.php?id=1564450374
- YouTube: http://www.youtube.com/user/f5networksinc
- Twitter: http://twitter.com/f5networks

We'll start with those and add as new ones emerge. Also, if you have social sites where you'd like to see F5, please let us know! This medium is about listening. As Homer (Mr. Plow) says, 'Now we play the waiting game. OK, the waiting game sucks, let's play Hungry, Hungry Hippos!'
Yesterday F5 announced the latest release of FirePass and I was going to write an entry here to cover it...occurring now. The problem is that I was trying to write something different than what's in my 'Get to Know GPO' whitepaper located here but it always came out sounding 'like' the paper but not as good. :-) So, in order to get the word out, the way I originally wrote it, I'd like to cite myself both to promote FirePass and my paper.
"With the explosive growth of road warriors, telecommuters, temporary workers, and mobile users, it is virtually impossible for organizations to ensure that endpoint devices remain secure and compliant. Even devices that initially are fully compliant may become non-compliant when settings are inadvertently changed or when new corporate policies are implemented. IT administrators must be able to enforce consistent, current policy settings on endpoints whether they are connected or disconnected from the enterprise’s Active Directory domain.
Flexibility and simplicity are vital for enterprises struggling to manage and secure the numerous access policies of their mobile workforce. Policies cannot be applied with a “one size fits all” approach. Some organizations divide users into location or connection type categories like corporate office, home office, wireless, mobile, kiosk, and so forth. It really comes down to a determination of whether the device is trusted—such as a corporate laptop—or whether it is an untrusted device—like a home computer. The potential risks of these devices are different, so they must be treated as such. Traditionally, Group Policies for remote clients have been dependent on centralized Active Directory (AD) domain controller services and have been limited to the network domain boundaries defined by AD security and administration. This means a device had to be both part of and connected to the domain for a policy to be enforced, since it must be pushed to the device. Active Directory and Group Policy go hand in hand. However, there are limitations that are outside this influence, such as remote and non-AD endpoints that need policy enforcement and remediation when they connect to an organization’s intranet. Endpoint lockdown and security is a continuously moving target. Most major legislation requires security auditing for any device that connects to the infrastructure. Financial institutions are also imposing more strict auditing legislation and verification for end-to-end financial transactions."
The release of FirePass 6.0.3 now includes Group Policy Objects as part of its endpoint host check arsenal. It is now possible to provide endpoint security checking and session-based policy enforcement to any endpoint client connecting to FirePass—whether it is part of an AD domain or not. This new feature benefits customers by:
- Extending Group Policy enforcement without the domain access limitations of Microsoft Active Directory (AD).
- Enhancing endpoint security to mobile workers and non-trusted devices.
- Ensuring simple and quick implementation, with ready-to-use policy templates.
- Preventing breaches with secure endpoint protection.
- Maintaining complete compliance as standards change.
- Providing active enforcement with centralized management to prevent policy decay.
If you do decide to download the paper, I promise there's a lot more and only these two paragraphs were lifted.
http://www.f5.com/pdf/white-papers/get-to-know-gpo-wp.pdf
It's been a while since I've written, but I ran across this article titled 'MyFamilyHealth is a great Web 2.0 health site' while researching another topic and had to type something. First, I'm not a Web 2.0 expert like my esteemed colleague, LoriMac, but I do cover security for our team. Anyway, the blog starts with:
The folks at MyFamilyHealth.com have combined online genealogy, social networking, and basic personal health record management for a single and eminently useful purpose: learning more about your family’s medical history to help improve your own health by better understanding your genetic risks. It will be fascinating to see how people use it over the next few years.
Now I'm sure Shahid's intentions were good but I have to wonder about a few things:
First, HIPAA: are social networking sites to which I choose to supply sensitive health information covered? HIPAA describes a 'covered entity' as:
- a health care provider that conducts certain transactions in electronic form (called here a "covered health care provider").
- a health care clearinghouse.
- a health plan.
But at the same time the regulations clarify that facilitation should be of a ‘transaction’, which means that just accepting data and historical information is not a covered transaction under HIPAA and thus not necessarily regulated. However, sharing personally identifiable health information could constitute facilitation of a transaction under HIPAA and thus require the business (site) to comply.
So a couple questions need to be asked:
Q1: “Does the business or agency process, or facilitate the processing of, health information from nonstandard format or content into standard format or content or from standard format or content into nonstandard format or content?” Yes.
Q2: “Does the business or agency perform this function for another legal entity?” Technically, yes, as the individual is a legal entity.
If the site provides the means by which you can designate who can/cannot see the data, that should be enough for HIPAA compliance regardless, as HIPAA defaults to a deny all/whitelist policy for sharing of information. If these types of sites start integrating (as in Web 2.0) with actual health care providers, then I would think they MUST comply.
But I'm the one who chose to put it out there in the first place.
One of the problems I have with Shahid's blog is that he talks about all the great benefits of putting your health info up for the family to see, but nothing about the security of that data or any cautions about the type of data you supply. So I went to check it out.
Which brings me to issue number two:
So to log on, it's HTTP: http://www.myfamilyhealth.com/account/login_form (email/password). Trying https://www.myfamilyhealth.com/account/login_form gives you:
[screenshot not included]
123genes.com takes you to the same myfamilyhealth.com look, except http://www.123genes.com/home is the path.
https://www.123genes.com/account/login_form takes me to the same logon, without a cert prompt in SSL. Shahid should've, especially now, talked a little about the security of the site: not only the holding of sensitive info (or at least a caution about putting actual prescription numbers in a site like this, along with pharmacy, docs' names, etc.), but potentially even the above issue. This reinforces the bad behavior of users just clicking through these warnings (see Lori's blog about FF3 warnings here). Add to that, in IE, you get the 'There is a problem with this website's security certificate' error message, and then what? You'll either be reinforcing bad behavior or driving people AWAY from the site, since IE is telling them, 'do not continue.'
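The two things worth checking on a login page like the one above are where the form actually sends the credentials and whether the certificate the host presents on HTTPS covers the hostname users type. This is an added example, not code from the original post or from the site discussed; it runs on constructed inputs (example.net hostnames and a made-up certificate name list) and does no network I/O.

```python
# Added example: audit a login form for cleartext credential submission and for a
# certificate whose DNS names do not cover the host (the browser-warning case).
# All inputs are constructed; nothing here is fetched from a live site.
from urllib.parse import urljoin, urlparse


def credential_submission_risk(page_url: str, form_action: str) -> str:
    """Classify a login form by the transport its credentials would travel over."""
    target = urlparse(urljoin(page_url, form_action or ""))   # resolve relative actions
    page = urlparse(page_url)
    if target.scheme != "https":
        return "cleartext"        # email/password leave the browser in plain HTTP
    if page.scheme != "https":
        return "page-cleartext"   # form arrived over HTTP, so its action can be rewritten in transit
    return "ok"


def hostname_matches(hostname: str, san_names: list[str]) -> bool:
    """Match a host against the certificate's DNS names the way browsers do:
    case-insensitive, and a wildcard covers exactly one label
    (*.example.net covers www.example.net but not a.b.example.net)."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_names):
        if name.startswith("*."):
            suffix = name[1:]                                   # ".example.net"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
        elif name == host:
            return True
    return False


def audit_login(page_url: str, form_action: str, san_names: list[str]) -> list[str]:
    """Return the findings a reviewer would flag for one login page.
    san_names are the DNS names from the certificate the host serves on HTTPS."""
    findings = []
    risk = credential_submission_risk(page_url, form_action)
    if risk != "ok":
        findings.append(f"credentials: {risk}")
    host = urlparse(page_url).hostname or ""
    if not hostname_matches(host, san_names):
        findings.append(f"certificate does not cover {host}: users will see a browser warning")
    return findings


if __name__ == "__main__":
    # Constructed sample: HTTP login page whose HTTPS twin serves a cert issued to another name.
    print(audit_login("http://www.example.net/account/login_form", "/account/login",
                      ["other.example.org"]))
```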
They say, 'MyFamilyHealth takes extensive and proactive measures to ensure privacy and security,' but the site doesn't even have an HTTPS logon. They say that only members of your family tree can see your tree, but it's only HTTP. I'm sure this site is good for consolidating important health info and allowing others to see it, but with recent malicious attempts (both successful and not) against Facebook, MySpace and other social sites, do you really want your sensitive health info just 'out there', especially when their privacy policy states:
BY SUBMITTING YOUR SENSITIVE PERSONAL DATA TO US AND/OR CLICKING TO ACCEPT THE TERMS OF THIS PRIVACY POLICY AND THE DATA PROTECTION NOTICE, YOU CONSENT TO ALLOWING US TO PROCESS THIS SENSITIVE PERSONAL DATA IN ACCORDANCE WITH THIS PRIVACY POLICY.
One final concern is the health care/insurance companies themselves 'reviewing' these sites to determine if someone is too much of a risk. 'Oh, Sally here says that her family has a history of cancer. She's too much of a risk, let's drop her.'
No thanks.
I'm sitting here with the cursor blinking in an empty text field wondering what I'll write in my first DevCentral post. I thought about the usual, 'Webster's defines blog as.......' or 'Hi I'm psilva, let me tell you a little about myself.' BORING. Rather, I'd like to start with something I call psilva's prophecies. I have a few, as it pertains to the Internet, which I'll expose over time - particularly when I'm seeing a blinking cursor with no movement. I've also said that I should write these down so when they do happen, The History Channel will have something to broadcast 100 years from now......if there still is TV. Ahhh, another psilva prediction for future posts.
So, psilva prophecy number 1 has to do with nomenclature. Our nomenclature. Way back when humans first roamed, individuals were known by their family name or tribe - a single string of characters. Even today some of that occurs, 'Oh that's the Smith's boy.' As people moved away from the tribe, then the identifier was 'So & So OF the location,' or '...OF the family' or even the profession - 'Sam the Barber.' Then, as folks crossed borders, First names and Last names emerged and that still holds us today. With the Internet, and specifically email, we don't (necessarily) give others our mailing address for contact information. We give our email. For me, that's usually been psilva@. My prediction is (and I'm conceding that I have no time frame - maybe 100 years, 200, maybe sooner) First names and Last names will fade away to Users@domains - a single string of characters. My family domain would be psilva.net and all my descendants will be individual users. Imagine an email entry of 'secondcuz@psilva.net' or however they decide to do it. I usually reference the 19 that used to appear on checks last century and say the @ will be preprinted in the signature area of future checks. That's, of course, if checks are still in use.
There you have it - psilva prophecy and blog number one wrapped in a single post. Wow, that was easy.
ps