How to Ensure Your Business Partners Have Adequate SecurityBy James Bindseil | Posted 2004-02-18 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
The Microsoft code leak raises the question: How do you secure the information you share with business partners? James Bindseil, Technical Operations Manager for Symantec Security Services, offers a 12-point plan.
Information sharing between organizations and their business partners is an increasingly critical business requirement. Companies that provide these capabilities enjoy a competitive advantage. The process of meeting these requirements and the constant struggle to lower costs while improving business efficiency have created complex network and information security issues that companies must address.
Organizations often provide business partners with higher levels of access to proprietary information than their external customers. This process is a two-way street, with partners sharing sensitive information as well. Organizations often approach the task of providing partners with increased level of access as only a technical challenge, neglecting to give security policies the attention they deserve.
To provide partners with necessary access, organizations should build security into the original design of all access control and authentication methods. Policy requirements must be kept in mind, from the initial needs assessment through implementation and management of the solution. Organizations should also audit their business partners' connectivity to ensure they can access only the data they require.
Of no less importance is the need to address people, process, and technology issues during assessment, design, implementation, and management of a remote business connection. Only when all these elements are included is a solution truly effective.
Defining architecture assessment requirements
Defining architecture assessment requirements The most important aspect of performing an assessment of a partner connection is to define the required levels of access and identify the areas of the network that must be accessed. Many organizations that enable a partner connection will first open complete connectivity, intending to add further security at a later date. The problem with this approach is that more urgent activities will always demand attention, and seldom, if ever, do organizations ever adequately revisit security once connectivity is provided. It is much more effective to perform an adequate initial assessment of requirements and to use this knowledge to provide security from the outset.
The challenging aspect of performing a security assessment involving business partners is that half of the environment being considered for connectivity is usually beyond your control. Although it is important to assess your partner's information capabilities and environment from a purely technical viewpoint, the most effective way to approach the assessment is to treat each organization as if it is insecure and to provide appropriate levels of security within your own environment. By examining your own environment with a mind towards securing the required levels of connectivity, you can ensure that any lapses in security are addressed regardless of your partner's security state.
The following items are typically included in an assessment for partner connectivity:
- To which resources does the partner require access? Typical levels of access would include a web server / database for information retrieval, printers for submitting information to a department or specific files servers to retrieve documents.
- What resources do you require access to in the partner's environment? As with the partners access, you might need access to web servers, databases, printers, and file servers.
- What elements of the environment will be traversed in providing access to the required information? Examples include your network perimeter, communications circuits, perimeter to the partner environment, network infrastructure, and host-level and application-level security where the access terminates.
- What controls are needed to meet your requirements defined in policies, procedures, standards and guidelines at each level of communication?
- What are the technical dependencies from both your side and the partner's? Examples include the ports on which communication will take place, the owners of the communication infrastructure, and the protocols required.
Developing solution options
Developing solution optionsAfter all requirements have been defined in the assessment process, potential solution options that meet both business and security needs should be developed and evaluated. The option that best meets all objectives and does not expose the organization to undue risk should be selected and designed for implementation. The options range depending on business needs but frequently it is as simple as a Firewall with VPN encryption and a strong authentication system. As mentioned earlier, it is important to remember that there is much more to consider in the design phase than technical requirements. All people who require access and who will administer the solution should be identified, and the processes they are required to follow and the training they will need must also be provided.
From a design perspective, the following aspects should be considered:
- All partners should be segmented from the internal corporate network and the corporate Internet connection. They should be provided access to only the resources they require. This will help prevent security threats such as worms from reaching into your environment when a partner is compromised and vice versa.
- The segmentation should be implemented such that all partners can be removed from connectivity at one point if required. This can be achieved through the creation of a partner network segment with only one entry point.
- Intrusion detection should be a part of the solution in addition to the standard connectivity platform so that all communications can be monitored.
- As with all security projects, the basic elements of cost, time, security provided, business need, manpower requirements, knowledge base, and skill requirements need to be addressed to ensure that the designed solution is appropriate for the environment.
The implementation phaseThe implementation phaseThe implementation phase is the process of installing, configuring, and tuning the system design created above. Many organizations start with the implementation phase, but the previous phases are required if adequate security is to be achieved. A critical first part of implementation is to reach a legal agreement between both parties that outlines the designed solution and explains what ongoing security activities are required of both sides. After this agreement has been accepted, the implementation can commence according to plan.
After the solution has been implemented, the next critical task is to perform an immediate audit of the connectivity to ensure that it meets the requirements of the partnership:
- The required connectivity is present
- No other connectivity is available
- Audit trails are functioning as desired for future management
- Other security controls such as intrusion detection systems are functioning.
Once the solution has been certified to function as required and security is adequate for the circumstances, it is important to develop complete documentation that contains the legal agreements for connectivity and describes the structure and configuration of the deployed solution. This document will be the basis for change control and provides a basis for all future assessments.
Effective managementEffective managementEffective management of the deployed solution is usually where organizations lapse in their security effort. With the pressures placed on security staff size, it is difficult to find the time to revisit a working solution to verify its posture. For partner access systems, however, proper ongoing management techniques must be implemented to ensure that only the required level of access is possible. The initial management responsibility is typically placed with the Audit Department. Routine audits should be performed and any deviations from the desired security state would be addressed by the security or network staff responsible for the deficiency.
The most routine task in this phase is execution of regular security audits on the connectivity solution. Certainly, most organizations will want to perform these tests themselves. It is also prudent to create a cooperative arrangement to have the partner conduct similar tests in parallel. This helps to ensure that both halves of the communication are routinely validated to be secure. The documentation prepared as a part of implementation serves as the base for a regular gap analysis that identifies changes and required modifications. If there has been any security degradation, steps can be taken to reinstate the security level to the required state. When mitigation is required, the connectivity documents must be updated so that future assessments can rely on accurate as-built designs.
In addition to the proactively assessing your environment, organizations must also plan for reactive situations. If a security incident occurs either at your facility or your partner's, a plan for immediate responsive action must be available. There also must be special mechanisms within your existing change control system to identify and scrutinize any changes that could affect partner connectivity. Having these two items in place will foster continued positive relations with your partners during changes or challenges.
Providing access to partners can be a security challenge as well as a technical one. If the correct process is followed, however, security can still be managed at a level acceptable to all parties. This process, effectively applied, revisited regularly, and changed when appropriate, can be a powerful tool for success. All organizations must deal with change; the ones that will be successful are the ones who do so with a plan.
James L. Bindseil is a Certified Information System Security Professional (CISSP) with more than 13 years of information technology experience, with an emphasis in consulting large financial organizations. As the Technical Operations Manager for Symantec Security Services, Bindseil applies his extensive network engineering and business knowledge to provide integrated solutions to global corporations of all sizes, including numerous Fortune 50 companies.