Tech Insight: How To Make Business Partner Security Work

Trading partners can be your biggest assets -- and, potentially, the greatest threats to your business' security. How can you keep your data safe?

Dark Reading Staff, Dark Reading

September 18, 2009


Most businesses thrive on partnerships, and some businesses -- well, they simply can't exist without partners. But sometimes those relationships pose a real threat to your company's security.

A recent Verizon Business study of more than 500 data breaches during the past four years drives that point home. In the study, 57 percent of data breaches involved partners' networks being used by an external attacker.

Enabling contractors, suppliers, and other business partners access to your network does not have to be a recipe for disaster. To be successful, you need to know where your data is and who needs to access it. Only then can you plan your network and remote access infrastructure so it can be monitored and protected comprehensively.

The most important factor to remember during the process of enabling and securing partner connections is that your partners are third parties accessing your network. They are not your employees. You don't control their networks. You should treat them as untrusted, possibly malicious, entities who must be there, but might need to be removed at any time. You are the digital bouncer.

Before providing outsiders access to your environment, you must know which data they will need, where it's located, and how to allow just enough access for them to do their jobs. This is the part where most companies fall down. It sounds simple, but you need only look at recent partner-related breach news to see that many companies are doing it wrong.

Many of these breaches happen because of a disconnect between IT and the people behind the partner-related business processes. For example, say someone from purchasing requests access for a supplier to an internal, Web-based inventory application. IT configures a new VPN connection, sets the appropriate firewall rules, and marks the request as complete.

Unfortunately, it doesn't end there. Often, a request comes back that the supplier needs additional access to another system. After a back-and-forth between IT, the partner, and the business unit, management tells IT to "get it done or else." Now the company's sensitive systems are opened far more widely than the task requires, just so the link works and management is happy. Sound familiar?

If IT had a better understanding of where the data is and who uses it, then the process of allowing and controlling that access would be greatly improved. A database activity monitoring (DAM) tool, for example, can provide insight into which users are accessing what data. Most can be configured to establish a baseline for what is normal -- and alert IT of any abnormalities.

In the case of a partner, policies can be defined in a DAM tool that say partner X is allowed to connect from network Y only during business hours and only to table Z in the database. Any deviations from that policy can be either blocked or flagged, depending on the features of the DAM product.

Why doesn't the IT organization have a better understanding of how business users and partners interact with systems? One reason is a problem that plagues many enterprise environments: logging.
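The "partner X from network Y, during business hours, to table Z" policy above can be expressed as a small rule that is evaluated against each row of a database audit log. The following is an added example written for this article, not code from the article or from any DAM product; the partner name, network, table names and audit events are constructed for illustration, and the choice of "block" versus "flag" is a per-partner setting, mirroring the article's note that the response depends on what the DAM product supports.

```python
"""Toy DAM-style policy check for partner database access.

Added example written for this article; the partner name, network,
table names and audit events are constructed for illustration and are
not taken from the article or from any real DAM product.
"""
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress


@dataclass(frozen=True)
class PartnerPolicy:
    allowed_network: ipaddress.IPv4Network   # "network Y"
    allowed_tables: frozenset                # "table Z" (may be several)
    window_start: time                       # business hours, server local time
    window_end: time
    on_violation: str                        # "block" or "flag", per DAM capability


@dataclass(frozen=True)
class DbEvent:
    """One row of a constructed database audit log."""
    partner: str
    source_ip: str
    table: str
    when: datetime


def evaluate(event: DbEvent, policy: PartnerPolicy):
    """Return (decision, reasons); decision is 'allow', 'flag' or 'block'."""
    reasons = []
    if ipaddress.ip_address(event.source_ip) not in policy.allowed_network:
        reasons.append(f"source {event.source_ip} is outside {policy.allowed_network}")
    if event.table not in policy.allowed_tables:
        reasons.append(f"table {event.table} is not in {sorted(policy.allowed_tables)}")
    in_hours = policy.window_start <= event.when.time() < policy.window_end
    if event.when.weekday() >= 5 or not in_hours:   # weekend or outside the window
        reasons.append(f"access at {event.when:%a %H:%M} is outside business hours")
    return ("allow" if not reasons else policy.on_violation), reasons


def audit(events, policies):
    """Evaluate each event; a partner with no defined policy is blocked outright."""
    results = []
    for ev in events:
        policy = policies.get(ev.partner)
        if policy is None:
            results.append(("block", [f"no policy defined for partner {ev.partner}"]))
        else:
            results.append(evaluate(ev, policy))
    return results


# Constructed policy: "partner X from network Y, business hours only, table Z".
POLICIES = {
    "supplier-acme": PartnerPolicy(
        allowed_network=ipaddress.ip_network("203.0.113.0/24"),
        allowed_tables=frozenset({"inventory"}),
        window_start=time(8, 0),
        window_end=time(18, 0),
        on_violation="flag",
    ),
}

# Constructed audit events (2009-09-17 is a Thursday, 2009-09-19 a Saturday).
SAMPLE_EVENTS = [
    DbEvent("supplier-acme", "203.0.113.10", "inventory", datetime(2009, 9, 17, 10, 15)),
    DbEvent("supplier-acme", "203.0.113.10", "payroll", datetime(2009, 9, 17, 10, 16)),
    DbEvent("supplier-acme", "198.51.100.7", "inventory", datetime(2009, 9, 19, 2, 0)),
    DbEvent("unknown-vendor", "203.0.113.10", "inventory", datetime(2009, 9, 17, 10, 20)),
]

if __name__ == "__main__":
    for ev, (decision, reasons) in zip(SAMPLE_EVENTS, audit(SAMPLE_EVENTS, POLICIES)):
        print(f"{decision:5} {ev.partner:15} {ev.table:10} {'; '.join(reasons)}")
```

Running it shows the first event allowed, the second flagged for touching `payroll`, the third flagged on two counts (wrong network and a Saturday at 02:00), and the fourth blocked because nobody ever defined a policy for that partner. That last case is the point of the article's "know who needs access" advice: a partner the policy does not know about should fail closed rather than inherit whatever the database happens to permit.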

Most IT shops are either logging too little or too much. The former poses a problem when an issue crops up and the root cause cannot be tracked down. The latter turns into a problem when an issue arises and there is so much log data to sift through that the root cause cannot be found quickly.

Many IT shops don't log enough because they don't know how to centralize logs; other IT shops are overwhelmed with data because they don't know what to do with the logs once they are put into the central repository. In either case, an enterprise log management or security information and event management (SIEM) system can help.

Log management solutions and SIEM take different approaches and address slightly different needs, but the end result is essentially the same: They take logs from many disparate sources and turn them into actionable data. Splunk is a good example. It can take in logs from firewalls, routers, Windows servers, Apache Web servers, and more. Those logs are then searchable from the Web interface, and alerts can be configured to go off when something interesting is going on, such as repeated failures from a partner trying to log into an unauthorized server.
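The alert described above, repeated failures from a partner trying to log into a server it is not authorized to use, is the kind of rule a SIEM or log management product lets you build once logs are centralized. The following is an added example written for this article, not Splunk's search language or code from any of the named products; it parses a few constructed syslog-style `sshd` lines, maps each source address to a partner via a constructed partner-to-network table, and raises one alert when a partner address accumulates three failures within five minutes against a host outside that partner's authorized set. The threshold, window, host names and addresses are all assumptions.

```python
"""Repeated-failure alert over a constructed auth log.

Added example for this article. The log lines, host names, partner
networks, threshold and window are made up; the line format loosely
follows sshd's syslog output and is not any specific SIEM's rule language.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed mapping: which network each partner connects from, and which
# servers that partner is authorized to reach.
PARTNERS = {
    "supplier-acme": (ipaddress.ip_network("203.0.113.0/24"), {"inventory-web"}),
    "logistics-co": (ipaddress.ip_network("198.51.100.0/24"), {"edi-gw"}),
}

THRESHOLD = 3                   # this many failures ...
WINDOW = timedelta(minutes=5)   # ... within this window triggers an alert


def partner_for(ip):
    """Return the partner whose network contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, (net, _) in PARTNERS.items():
        if addr in net:
            return name
    return None


def parse(line, year):
    """Parse one failed-login line into (timestamp, host, user, ip), or None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["ip"]


def detect(lines, year=2009):
    """Return alerts as (partner, source ip, target host, failure count).

    Only failures from a known partner network against a server that
    partner is NOT authorized for are counted; failures against an
    authorized server are ordinary noise handled by other rules.
    """
    recent = defaultdict(deque)   # (ip, host) -> timestamps inside the window
    fired = set()                 # alert once per (ip, host), not on every extra failure
    alerts = []
    for line in lines:
        parsed = parse(line, year)
        if parsed is None:
            continue
        ts, host, _user, ip = parsed
        partner = partner_for(ip)
        if partner is None:
            continue
        _, authorized = PARTNERS[partner]
        if host in authorized:
            continue
        key = (ip, host)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # slide the window forward
            q.popleft()
        if len(q) >= THRESHOLD and key not in fired:
            fired.add(key)
            alerts.append((partner, ip, host, len(q)))
    return alerts


# Constructed sample log (syslog has no year, so the caller supplies it).
SAMPLE_LOG = [
    "Sep 17 10:01:02 inventory-web sshd[4120]: Failed password for acme_svc from 203.0.113.10 port 51022 ssh2",
    "Sep 17 10:03:11 hr-db sshd[2201]: Failed password for invalid user admin from 203.0.113.10 port 51040 ssh2",
    "Sep 17 10:03:15 hr-db sshd[2201]: Failed password for invalid user root from 203.0.113.10 port 51041 ssh2",
    "Sep 17 10:03:20 hr-db sshd[2201]: Failed password for invalid user oracle from 203.0.113.10 port 51042 ssh2",
    "Sep 17 10:04:00 hr-db sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2",
    "Sep 17 10:05:00 edi-gw sshd[3100]: Accepted publickey for logi_svc from 198.51.100.7 port 40002 ssh2",
    "Sep 17 11:00:00 hr-db sshd[2201]: Failed password for invalid user admin from 192.0.2.44 port 1234 ssh2",
]

if __name__ == "__main__":
    for partner, ip, host, count in detect(SAMPLE_LOG):
        print(f"ALERT {partner} ({ip}) -> {host}: {count} failed logins within {WINDOW}")
```

Only the burst from the supplier's address against `hr-db` fires. The single failure against `inventory-web` is ignored because that server is on the supplier's authorized list, the lone failure from the logistics partner never reaches the threshold, and the failure from `192.0.2.44` is skipped because it belongs to no partner network at all. Knowing which partner owns which address range, and which servers each one is allowed to touch, is what turns a pile of failed-login lines into an alert worth paging on; without that table the same search produces only noise.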

With the dropping cost of disk space, you can no longer argue that you can't log everything. But if you do log almost everything, then you can be overwhelmed with data. So take the time to investigate the different solutions, which in addition to Splunk also include TriGeo, Nitro Security, ArcSight, and LogLogic. One of them is bound to fit your environment.

If we agree that all partners should be treated as hostile entities, then the question becomes how to protect your data. Do you use firewalls, intrusion prevention systems (IPS), network access control (NAC), or data leakage prevention (DLP) tools to protect your internal network from the malicious hackers on the outside? If so, then there's no reason you shouldn't be doing the same for your partners accessing the network.

In the typical site-to-site VPN setup -- where a partner's corporate network is joined to your company's network -- deploying DLP, NAC, and IPS is a smart move. When management asks why you're trying to protect yourselves from your partners, point them to the Verizon data breach report, where it states the majority of partner-related breaches were due to lax security on the partner's network -- and a lack of visibility and accountability in partner-facing systems.

For remote users connecting from laptops through a VPN, the same setup as the site-to-site VPN is valid, although it may be implemented a little differently. That depends on the VPN and NAC solutions. Some VPNs now support NAC-like features, such as posture assessment, to ensure that hosts connecting to your environment are patched and running up-to-date antivirus software. An IPS can block attacks coming in from the partner systems in case they are already infected by malware or compromised by an attacker.

At the end of the day, businesses need to interact with partners in order to make money. But just like the business decisions that went into establishing the partnership, the risks of allowing third parties access to your network need to be evaluated and strictly controlled. Doing it wrong can be an expensive mistake -- and no one likes to be a statistic.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.
