COMMENTARY--Sharing information with a vast ecosystem of external entities, from business partners to suppliers and customers, remains one of the top priorities for modern organizations. In the wake of a landslide of security threats and breaches, the question at the top of mind for information-sharing architectures is security: how best to extend the organizational boundary, and where to locate the shared data.
There are dozens of technologies for information sharing, and they generally approach the problem in one of two ways. The first extends the infrastructure at the network level, using tools such as IPsec Virtual Private Networks (VPNs) and leased lines.
These technologies create significant security challenges when network access is extended to an ecosystem of partners, customers and suppliers. Each of these parties literally becomes part of the enterprise network, potentially with full connectivity to it. Do you really want your business partners to have that level of access? It significantly increases the likelihood that they will introduce security risks, whether deliberately or accidentally.
Many companies try to overcome these risks with a duplicate network: a separate, redundant network that outsiders can join, either over the Internet (via VPN) or over a leased line. While this may limit the exposure of sensitive information, the cost is prohibitive.
The second general approach extends the organization at the application level, with technologies such as Secure Sockets Layer (SSL) VPNs and Web collaboration applications. Unlike a network extension, the application approach grants access to a predefined set of resources without allowing complete access to the internal network.
Inside or outside the firewall?
If the company chooses to extend the organization at the application level, it faces a critical architectural decision. Does shared data need to reside inside or outside the firewall?
One approach to application extension is to keep the information servers inside the firewall, within the enterprise's network (see diagram #1). Middleware functions as a liaison between the internal data and the external users. This approach avoids duplicating the information and leverages the existing security within the network, reducing investment in extra infrastructure and administration.
Unfortunately, this architecture contains a fundamental hurdle: a hole must be opened in the firewall so that the external middleware can reach the internal information. That inbound path exposes a listening service to the outside world, and an attacker who compromises the middleware can follow the same tunnel into the enterprise network, initiating a domino effect that could cause significant damage or downtime.
Because the end result can be so devastating, it is not sufficient merely to reduce the risk with security technologies and policies. The only satisfactory solution is to block all access from the outside world into the enterprise's network. The perimeter-security rule of thumb, by analogy: secure your castle by stopping the hordes at the gate. If you need something from the outside world, go out and seize it.

Seizing ground outside the enterprise
In response to the challenges discussed above, many security architects choose to store the information temporarily outside the enterprise's network and have internal applications retrieve it. These internal applications poll the outside storage at a predefined interval and pull the data when needed; because every connection is initiated from the inside, the firewall needs no inbound rule at all. Data moving outward from the enterprise is likewise deposited in the external store, where it becomes accessible to outside entities.
This methodology eliminates the need to allow access from the outside world into the enterprise's network. The challenge of this architecture is that the information must reside outside the firewall, where the dangers of data exposure and destruction lurk. A security infrastructure that protects this external data must therefore be designed.

To combat the threats that networks face today, security architects must design a multilayered security infrastructure. Every one of these threats must be treated carefully, since security is only as strong as the weakest link in the protection chain. To use the castle analogy again, putting bars and guards on the castle windows is not very effective if the front gate is left wide open.
A data security infrastructure should include, at the minimum, the following security layers:
• Authentication to identify the users the enterprise would like to share information with.
• Access Control to restrict each trusted user's access to only that user's own data. It is also paramount to keep the identities of customers and business partners confidential; Access Control must therefore prevent external entities from becoming aware of each other's existence.
• Firewall to ensure that only the collaboration application can access the external data.
• Tunneling to protect the information while it is in transit over communication lines.
• Encryption to protect the data from threats such as direct access to the storage device or backup tapes.
• Key Management to allow the creation of unique encryption keys, recovery capabilities, as well as a secured method to exchange these keys.
• Auditing to track data access activity, in order to detect potential breaches and monitor legitimate communications.
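As an added illustration (this is not Cyber-Ark's product or code), the following Python sketch models the architecture described above: an external vault that partners deposit into and that the internal collaboration application polls on a timer, with the layers in the list above implemented in miniature. It covers password authentication, access control that makes another partner's mailbox indistinguishable from a nonexistent one, a data key derived per mailbox from a master key, encryption at rest with an integrity tag, and an audit trail of every attempt. It uses only the standard library; the cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, chosen so the example runs offline, and a real vault would use AES-GCM from a vetted library instead. The firewall and tunneling layers are outside this code: they are the outbound-only rule and the TLS connection that would carry these calls. All names (Vault, pull_new, the partner names) and the sample data are hypothetical.

```python
"""Toy model of a data vault outside the perimeter (added illustration, not
Cyber-Ark code). Stdlib only: the cipher is an HMAC-SHA256 keystream with an
encrypt-then-MAC tag so it runs offline; use AES-GCM from a vetted library in
practice. All names, partners and sample data are hypothetical."""
import hashlib, hmac, secrets

ROUNDS = 100_000  # PBKDF2 work factor for partner passwords

class VaultError(Exception):
    pass

def _keystream(key, nonce, length):
    """PRF keystream: HMAC(key, nonce || counter) for successive counters."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _subkeys(key):
    """Separate encryption and MAC keys derived from one mailbox key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Verifies the tag before decrypting; any modification is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if len(blob) < 48 or not hmac.compare_digest(expected, tag):
        raise VaultError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class Vault:
    """One mailbox per partner; only that partner and the enterprise's own
    collaboration application may enter it."""
    def __init__(self, master_key, enterprise="enterprise"):
        self._master, self._enterprise = master_key, enterprise
        self._partners = {}   # name -> (salt, pbkdf2 hash)
        self._sessions = {}   # session token -> principal name
        self._objects = {}    # (mailbox, object name) -> encrypted blob
        self.audit = []       # (actor, action, target, outcome)

    # Authentication: the enterprise enrolls every principal it shares with.
    def register_partner(self, name, password):
        salt = secrets.token_bytes(16)
        self._partners[name] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS))

    def login(self, name, password):
        # An unknown name fails exactly like a wrong password: no partner enumeration.
        salt, stored = self._partners.get(name, (bytes(16), bytes(32)))
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
        if name not in self._partners or not hmac.compare_digest(candidate, stored):
            self.audit.append((name, "login", "-", "denied"))
            raise VaultError("authentication failed")
        token = secrets.token_hex(16)
        self._sessions[token] = name
        self.audit.append((name, "login", "-", "ok"))
        return token

    # Key management: a distinct data key per mailbox, derived from the master key.
    def _mailbox_key(self, mailbox):
        return hmac.new(self._master, b"mailbox:" + mailbox.encode(), hashlib.sha256).digest()

    # Access control: a denied mailbox looks exactly like a nonexistent one, so
    # partners cannot learn of each other's existence. Every attempt is audited.
    def _authorize(self, token, mailbox, action):
        actor = self._sessions.get(token, "unauthenticated")
        if actor == "unauthenticated" or (actor != mailbox and actor != self._enterprise):
            self.audit.append((actor, action, mailbox, "denied"))
            raise VaultError("no such mailbox")
        return actor

    def put(self, token, mailbox, name, data):
        actor = self._authorize(token, mailbox, "put")
        self._objects[(mailbox, name)] = encrypt(self._mailbox_key(mailbox), data)
        self.audit.append((actor, "put", f"{mailbox}/{name}", "ok"))

    def get(self, token, mailbox, name):
        actor = self._authorize(token, mailbox, "get")
        if (mailbox, name) not in self._objects:
            self.audit.append((actor, "get", f"{mailbox}/{name}", "missing"))
            raise VaultError("no such object")
        self.audit.append((actor, "get", f"{mailbox}/{name}", "ok"))
        return decrypt(self._mailbox_key(mailbox), self._objects[(mailbox, name)])

    def list_objects(self, token, mailbox):
        self._authorize(token, mailbox, "list")
        return sorted(n for (m, n) in self._objects if m == mailbox)

def pull_new(vault, token, mailbox, seen):
    """What the internal application runs on a timer: connect outbound, fetch
    what partners deposited since the last poll, and remember what it took."""
    fresh = {}
    for name in vault.list_objects(token, mailbox):
        if name not in seen:
            fresh[name] = vault.get(token, mailbox, name)
            seen.add(name)
    return fresh
```

The point to notice is in _authorize: a partner asking for someone else's mailbox gets the same "no such mailbox" answer as for a mailbox that does not exist, and login treats an unknown name exactly like a wrong password, so neither path can be used to enumerate who else the enterprise shares with. The audit list records the denial either way, which is what an internal monitoring job would read.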
Since sharing data with customers and business partners is now a requirement rather than a preference, special consideration is required when designing the information-collaboration architecture. The design must avoid reducing network security by opening the network to the outside world. To conduct business while maintaining a high level of security, information should be shared through a secured location outside the network perimeter.
biography
Ronen Zoran is director of technical services for Cyber-Ark Software, a Vaulting security solutions provider. He can be reached at ronen.zoran@cyber-ark.com.