Excerpted from InfoSec Outlook newsletter, published by The Information Technology Association of America, Volume 1, Issue 6. www.itaa.org.
Key questions to ask to ensure the security of your extranet
By Marty Lindner
Extranets are invaluable resources for corporations nearly everywhere, reducing the cost of distributing information, cutting administrative costs, and encouraging effective communication across an organization. But when you make internal resources potentially available to Internet users over a common protocol (TCP/IP), security becomes the highest priority. The hardware required to build an extranet is becoming cheaper every day. But the cost of securing extranets rises as intruders find more paths to your data. Once again, for those who value security, there's no free lunch.
But consider what happens when you add an extranet to the mix. You need another firewall to protect internal web site information. And what if you want to provide authorized access to business partners from a secure portion of your public web site? Now you must secure the pipeline of communication that connects the Internet site to your sensitive files. After considering even basic configurations of an extranet, it becomes clear: intruders have multiple paths to some of the most valuable information.
The Five A's
Underlying a successful extranet is a comprehensive security policy that defines the details for extranet implementation and provides a roadmap for maintenance as the extranet matures. The five A's act as general guidelines:
Administration: Determine who will maintain, modify and monitor security policy information.
Authorization: Insist on providing only authorized access (internal employees as well as business partners).
Assets: Keep information confidential.
Accountability: Make sure you can track and monitor who performs transactions at all times. Be able to determine if these transactions are appropriate.
Assurance: Understand that the survivability of your extranet is related to the survivability of your security policy.
Security from the Start
The key to a secure extranet begins with clear definitions of what your extranet should be. You will sometimes learn from mistakes and may redefine the role of your extranet, but answering these questions in the extranet's infancy will eliminate some headaches and provide insurance for the future.
The first question to ask is, Who is granted access? Will it include business partners?
Giving a business partner a set of credentials (a username and password) to be shared among the employees of that partner is one option for granting access to your extranet. This approach is much easier for your organization to manage but introduces several interesting problems. First, it reduces your level of accountability and it puts an extra responsibility on the partner. The partner must change the password and notify all authorized employees every time someone loses access to this shared account.
Creating credentials for each authorized employee of a business partner is a much better approach. This gives you a high level of accountability. The business partner's only responsibility is to notify you when an employee no longer needs access to your information.
The next consideration is, What level of access is granted?
Defining distinct access levels from the beginning can streamline the maintenance of your extranet. When an employee leaves, for example, it is beneficial to know what he or she could access; a new employee in that role may need similar access. The process of defining access levels depends on the organization and hierarchy of the information you want to protect. If your information is stored haphazardly, it will be difficult to create access levels that map correctly to important data.
Another issue is, Who will monitor and maintain the correct levels of access? Or, perhaps of greater importance, does anyone do it at all?
The responsibilities of this role can easily amount to a full-time job. The cost-benefit ratio of an extranet will diminish when a business partner cannot receive the information he or she needs, because of incorrect access levels. Conversely, the survivability of an extranet is jeopardized when a released employee still has extranet access because nobody performed access maintenance.
Can non-business partners access your extranet?
This question might seem obvious and could insult an IT professional, but such access happens all the time.
Can authorized business partners gain access to unauthorized extranet resources?
Let's temporarily forget about the obvious threat of an attacker stealing user passwords or proprietary information. An extranet can become a liability when one business partner can see the information about another business partner on your system.
Can your IT professionals monitor all extranet activities?
Software is becoming extremely easy to use. Hardware that once required intimate knowledge of individual components can be set up with a few connections. It may not be difficult to run an extranet at basic configurations. But your IT professionals need to know what is really happening within the system.
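The questions above (per-employee credentials, defined access levels, access maintenance, and partner separation) can be checked against extranet access records. The following Python sketch is an added example, not part of the original article; the account names, paths, log format, and the source-address threshold for spotting a shared credential are all assumptions made for illustration.

```python
import posixpath
from collections import defaultdict

# Constructed sample data (assumed): one account per employee of each
# partner; each partner's access level is a set of permitted path prefixes.
ACCOUNTS = {
    "alice@acme":   {"partner": "acme",   "active": True},
    "bob@acme":     {"partner": "acme",   "active": False},  # left the partner
    "carol@globex": {"partner": "globex", "active": True},
}
ALLOWED_PREFIXES = {
    "acme":   ("/partners/acme/", "/shared/"),
    "globex": ("/partners/globex/", "/shared/"),
}
# Constructed access log: (account, source address, requested path).
LOG = [
    ("alice@acme", "198.51.100.10", "/partners/acme/orders.csv"),
    ("alice@acme", "198.51.100.10", "/partners/globex/pricing.csv"),
    ("bob@acme", "198.51.100.11", "/shared/catalog.html"),
    ("carol@globex", "203.0.113.5", "/partners/globex/pricing.csv"),
    ("carol@globex", "203.0.113.6", "/shared/catalog.html"),
    ("carol@globex", "203.0.113.7", "/shared/catalog.html"),
    ("mallory", "192.0.2.99", "/shared/catalog.html"),
]

def audit(log, accounts, allowed, max_sources=2):
    """Return findings for the access questions the article raises."""
    findings, sources = [], defaultdict(set)
    for account, src, path in log:
        path = posixpath.normpath(path)  # collapse "../" before prefix checks
        info = accounts.get(account)
        if info is None:                 # non-partner reached the extranet
            findings.append(("unknown_account", account, path))
            continue
        sources[account].add(src)
        if not info["active"]:           # access maintenance was not performed
            findings.append(("inactive_account", account, path))
        if not path.startswith(allowed[info["partner"]]):  # other partner's data
            findings.append(("outside_access_level", account, path))
    for account, srcs in sorted(sources.items()):
        if len(srcs) > max_sources:      # heuristic only: may be a shared login
            findings.append(("possible_shared_credential", account, len(srcs)))
    return findings

if __name__ == "__main__":
    for finding in audit(LOG, ACCOUNTS, ALLOWED_PREFIXES):
        print(finding)
```

A single account seen from several source addresses is not proof of sharing, so the last finding is a prompt for follow-up with the partner rather than a verdict.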
The Future of Your Extranet
You cannot guarantee the survivability of your extranet by simply acquiring the most sophisticated hardware. The self-checking mechanisms described here are essential throughout the life of your extranet. You may get more hardware "bang for the buck" these days, but a secure extranet is sustained through policies and guidelines that your employees create and follow.
Marty Lindner works at the CERT Coordination Center (CERT/CC), a center of Internet security expertise. It is located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
Copyright, 2000. The Information Technology Association of America. All rights reserved.