How Do Companies Manage Multiple Users on Twitter and Other Social Media Accounts?

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software -- Privileged Account Management (PAM) for the Social Web -- how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

Before getting to PAM for the social web, I thought I should explain some key things that help in understanding conventional PAM. This post covers:

  1. Regular identity management in the enterprise
  2. Regular Privileged Account Management in the enterprise
  3. Privileged Account Management for the Social Web

1) IdM (Identity Management) in the Enterprise

There are two words you need to know to understand IdM in the enterprise: "provisioning" and "termination".

a) An employee is hired by a company. In order to login to the company's computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an "identity" that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, laid off, fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems - it is used to audit and check that things are being accurately recorded, and who did what in these systems is monitored, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an "über"-account that has special privileges. Examples include the root account on a UNIX system, a Windows Administrator account, the owner of a database, or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not "owned" by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, and to know who is using the account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts is now part of compliance mandates in:

  • Sarbanes-Oxley
  • The Payment Card Industry Data Security Standard (PCI DSS)
  • The Federal Energy Regulatory Commission (FERC)
  • HIPAA

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].

Links to articles on PAM: [1] Burton Group Identity and Privacy Blog, KuppingerCole, Information Security Magazine.
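The broker model described above, applied to a shared social media account, as an added example that is not from the original post: employees authenticate to the broker with their own provisioned token, the broker alone holds the shared password, and every action lands in an access log. The class and method names and the account name are assumptions made for illustration, and the hash-chained log goes beyond what the post describes.

```python
import hashlib, hmac, json, secrets, time

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class SharedAccountBroker:
    """Staff log in as themselves; only the broker holds the shared password."""
    def __init__(self, account, shared_password):
        self.account, self._password = account, shared_password  # never returned
        self._tokens = {}   # employee -> SHA-256 of their personal token
        self.audit = []     # hash-chained access log (an assumption, see lead-in)
    def _log(self, actor, action, detail):
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"ts": time.time(), "actor": actor, "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)  # covers every field plus the previous hash
        self.audit.append(entry)
    def provision(self, employee):      # on hiring: issue a personal token
        token = secrets.token_urlsafe(16)
        self._tokens[employee] = hashlib.sha256(token.encode()).hexdigest()
        self._log("idm", "provision", employee)
        return token
    def terminate(self, employee):      # on leaving: no shared password to rotate
        self._tokens.pop(employee, None)
        self._log("idm", "terminate", employee)
    def post(self, employee, token, text):
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(self._tokens.get(employee, ""), supplied):
            self._log(employee, "denied", text)
            return False
        # A real broker would sign in to the platform here with self._password.
        self._log(employee, "post", text)
        return True
    def verify_log(self):               # False if a logged entry was altered
        prev = "0" * 64
        for e in self.audit:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True

def demo():  # constructed account name, password and posts
    b = SharedAccountBroker("@example_brand", "constructed-password")
    t = b.provision("alice")
    before = b.post("alice", t, "Service update")
    b.terminate("alice")
    after = b.post("alice", t, "Posted after leaving")
    return before, after, [(e["actor"], e["action"]) for e in b.audit], b.verify_log()
```

Because the employee never learns the shared password, termination is a single revocation at the broker, and the log attributes each post to a named person rather than to the account.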

3) Privileged Account Management on the Social Web.

Increasingly, companies have privileged accounts on the social web. Dell computers has several for different purposes. Others include Virgin America (they link to the account from their website, thus "validating" that this is their real account), JetBlue, Southwest Airlines, Zappos CEO (employees who twitter), and Comcast Cares (Frank Eliason); interestingly, comcast on twitter is blank.

Twitter is just the tip of the iceberg - there are also "fan pages" on Facebook for brands. Coca-Cola, Zappos, NYTimes, Redbull, Southwest, YouTube Channels, Dunkin' Donuts, etc., on thousands of other platforms and yet-to-be-invented services.

These are very powerful accounts - they are managed and maintained by many employees around the clock and are the public voices of companies.

I have yet to see or hear of any software tools to enable enterprises to manage Social Web privileged accounts. How are companies managing access by multiple employees to these accounts?

Is there software that does this yet?

Is anyone working on these kinds of tools?

Leave your comments here or tweet with me @identitywoman

Published on my blog earlier today as Missing: Privileged Account Management for Social Media.

12 Comments

  • Marisa Smith

    My Company @thewholebraingroup has been using @CoTweet to do this really well. We've tried @Hootsuite as well, but I'm liking the "on duty" and "followup assignment" features on CoTweet.

  • travis arnold

    at Sendouts all business social media is regulated at a central hub. it is effective when regulating comm. coming from the company, but does take away from the 'moment' when an employee has something to share. all in all it's effective, but does limit the footprint. i manage a personal and business twitter acct and find http://www.tweetdeck.com to work great and have a few people that can admin our facebook fan page in the event of a layoff or position change.

    http://www.sendouts.com

  • Oo Nwoye

    It seems this article was written by CoTweet (I know it wasn't). But to put it mildly, CoTweet answers ALL your questions perfectly!

  • Michael Winn

    Recently I was asked to compare a few of the current Twitter client applications on the Social Web. Of course there are several blog reviews about each of these applications on sites like Social Media Today, Mashable, and others. The point of my post is to specifically look through the lens of which client application provides the most features related to SocialCRM (Social Customer Relationship Management). There are five free multi Twitter account client application contenders in this space: CoTweet, HootSuite, PeopleBrowsr, Seesmic, and Tweetdeck.

    CoTweet is a solid and simple web-based solution with scheduling features, but currently cannot link to any other social channels such as Facebook or Linkedin. You can assign Twitter followers to other CoTweet users which would be useful in a customer service environment. There is an area to add notes on a specific Twitter profile as well as view number of followers/following and previous conversations. Two small features missing are the capabilities to mark Twitter profile as VIP, or linking identified Twitter profiles to Plaxo. CoTweet users can sync a Bit.ly account for tracking Tweet click throughs, but that is as far as it goes with regards to tweet analytics.

    HootSuite is also a web-based solution, a multi Twitter account client application. HootSuite offers Twitter and Facebook update sync through Ping.fm (this can feed other social channels if you wish) and you can schedule tweets for both channels. However, the URL shortener Ow.ly has some resistance in the Social Web community because of the annoying banner across the page when visitors click through. The benefit is that HootSuite's Ow.ly URL shortener provides click through analytics within the application. Similar missing features as in CoTweet are the ability to add notes, mark as VIP contact, or link to other social media networks.

    PeopleBrowsr is a power house application on Adobe AIR or as a web-based application. Don’t bother with the AIR app: stick with the Browser version. In Business mode, users can click on a Twitter avatar in the tweet stream and select from various activity functions such as Follow, Favorite, Group, Note, VIP, Email, Plaxo, and Rate. PeopleBrowsr provides users the ability to schedule tweets for multiple social networks such as Facebook, Twitter, Linkedin, Plaxo and FriendFeed just to name a few. This multiple social network feed is something that no other social client application can do. The only drawback to PeopleBrowsr is that they have the Twitter API on their server which results in a slight lag in the update columns, however users have a small chance of reaching the 150 API limit on PeopleBrowsr causing application crash. (Note: When scheduling tweets to Twitter and Facebook, the associated Facebook account will automatically update whereas the Twitter tweet will go out as scheduled.)

    Seesmic is a leader in the Adobe AIR and web-based client applications, but still lacks the fundamental elements needed in a Social CRM tool. The most recent update has caused many users to go back to TweetDeck. I have had several friends report that it crashes more often than before the update. Seesmic will address these issues in their next update. Seesmic and TweetDeck both offer iPhone applications for mobile users.

    TweetDeck is on top of the Twitter client AIR applications right now and is one of my favorites. Many people don’t realize that it offers multiple account management as well as a Facebook integration. Keyword searches and unlimited tabs can be useful in tracking brand mentions. Unfortunately, TweetDeck doesn’t offer tweet scheduling, notes, or tweet rating capabilities.

    My goal was to outline the pros and cons of some of the free Twitter client applications available for individuals, small business, and non-profits. Leveraging the information contained in the real-time social streams is a valuable asset to small businesses. Listening for mentions of your own brand as well as that of your competitor is a best practice of business growth 2010. Stop shooting in the dark. There is an application that’s right for your business.

    http://tallydigitalbiz.com

  • Ronald Ladouceur

    The simplest solution to the security issue is to funnel posts through a single “approver,” restrict direct access to platforms to a limited number of people and log all entries.

    The trick is to do this without killing the social part of social media.

    Collaborative platforms like Media Logic’s Zeitgeist & Coffee do this by creating an “off-line” multi-user forum for post development attached to a flexible protocol for social interaction moderated by a dedicated “conversation manager.”

    Admittedly, this “solves” the PAM problem by avoiding it. But for marketing applications, maybe the human solution is the right solution.

  • Jon Dale

    PeopleBrowsr.com's business and enterprise levels offer a full suite of features including access control for users and twitter accounts.

    Jon Dale
    Dale Interactive Group

    Disclosure: PeopleBrowsr is a client.

  • Susan Clizbe

    I've just begun trying CoTweet but it seems to me to achieve precisely the purpose you mention, for Twitter at least. There is still the bigger picture, of the myriad such activities available, with new ones appearing regularly. Something like the Facebook connection I just used to make this post would work, if adopted broadly enough. Then one FB account would be closed at the conclusion of employment, ending access to all the linked accounts.

  • Shaun Dakin

    Yes.

    @HootSuite allows for multiple editors.

    @Tweetdeck allows for multiple accounts to be accessed from one interface. Orgs allow multiple people to access (via one password, not very secure) and then they ID who is Tweeting with the following procedure.

    Tweet - ^sd

    ^sd = the name of the person tweeting. In this case Shaun Dakin

    Regards,

    Shaun Dakin
    @IsCool, @EndTheRoboCalls, @PrivacyCampDC

  • Gavin Baker

    In terms of twitter, http://cotweet.com does it the best in terms of access, with a close second of http://hootsuite.com and http://tweetdeck.com

    Facebook fan pages allow multiple admins which takes care of that from the get go.

    What is missing is a tool that the enterprise can use to give and remove access (provision/terminate) to the social suite (twitter, facebook, corporate blog, flickr, other social tools used) as part of the regular process they go through when employees are added/released. This way all internal IT protocols can be followed:
    -security and lockout risk mitigated
    -logging of which employees have access
    -password strength requirements

    Of course those services playing nice with the enterprise could be a long time coming, but I hope I eat my words.

    Gavin Baker
    Ruby Tuesday, Inc.
    @gavinbaker