In today’s commercial world, the lines between an organisation’s internal digital workplace and the wider internet are becoming more and more blurred.
Virtually every company has a website and conducts some or all of its business online. Most organisations also have some requirement to extend access to their intranet to suppliers, business associates, customers or vendors via an extranet. This access, although necessary for the smooth conduct of business, can provide an entry point for hackers and corporate cybercriminals.
There have recently been a number of high-profile cases of hackers accessing sensitive company and personal data, using ransomware and other forms of malware, the recent attack on the NHS being a case in point. Therefore, if your company handles clients’ personal and financial data, it is essential for user confidence that your extranet is secure.
Here are four proven strategies for securing your extranet, allowing access to those you need to work with, whilst keeping those with malicious intent out.
The most important aspect to consider when designing an extranet is how to protect the network from itself.
Most organisations use a firewall to manage the security of their intranet. The firewall typically divides the network into three primary zones:
• A private network
• A public network
• A DMZ
The idea of this strategy is to isolate from each other all of your systems that have differing levels of public exposure. The strategy for your extranet is the same: you should seek to isolate extranet systems from both the private network and the public network. One thing you absolutely don’t want to do is expose sensitive internal systems and documentation to your business partners without any limitation on who can access what.
So, when designing your extranet, keep in mind that you only want to expose data and company assets that are required for a successful business partnership with all your third parties.
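The zoning rule above is easiest to reason about as a default-deny policy between zones, with the extranet zone kept separate from both the private network and the open Internet. The following is an added example, not code from the article: it classifies addresses into zones by constructed example ranges (the address plan, the extra "partner" zone for a known partner's egress range, and the port numbers are all assumptions), evaluates sample flows, and includes an audit check that flags any rule which would let traffic into the private zone from outside it.

```python
import ipaddress

# Constructed example address plan; these ranges are assumptions for the
# example, not taken from the article.
ZONES = {
    "private":  [ipaddress.ip_network("10.0.0.0/8")],        # internal staff systems
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],      # public-facing web servers
    "extranet": [ipaddress.ip_network("203.0.113.0/24")],    # partner-facing systems
    "partner":  [ipaddress.ip_network("198.51.100.0/24")],   # a known partner's egress range (assumed)
}
PUBLIC = "public"   # any address not in a listed zone is treated as the open Internet

# Explicit allow rules: (source zone, destination zone, protocol, destination port).
# Everything else is denied. Deliberately absent: any rule into "private" from
# "partner", "extranet" or "public".
ALLOW_RULES = frozenset({
    ("public",   "dmz",      "tcp", 443),   # anyone may reach the public website
    ("partner",  "extranet", "tcp", 443),   # partners reach only extranet systems
    ("private",  "extranet", "tcp", 22),    # staff administer extranet hosts
    ("private",  "dmz",      "tcp", 22),    # staff administer DMZ hosts
})


def zone_of(ip: str) -> str:
    """Classify an address into a zone; unknown addresses count as public."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return PUBLIC


def decide(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """Default-deny evaluation of one flow against the zone policy."""
    key = (zone_of(src_ip), zone_of(dst_ip), proto, dport)
    return "allow" if key in ALLOW_RULES else "deny"


def rules_exposing_private(rules) -> list:
    """Audit helper: any allow rule into the private zone from outside it
    breaks the isolation goal, so a review should flag it before deployment."""
    return sorted(r for r in rules if r[1] == "private" and r[0] != "private")


if __name__ == "__main__":
    # Constructed sample flows
    flows = [
        ("198.51.100.7", "203.0.113.10", "tcp", 443),  # partner -> extranet web: allow
        ("198.51.100.7", "10.1.2.3",     "tcp", 443),  # partner -> private: deny
        ("203.0.113.10", "10.1.2.3",     "tcp", 445),  # extranet host -> private: deny
        ("100.64.0.1",   "192.0.2.5",    "tcp", 443),  # Internet -> DMZ web: allow
        ("100.64.0.1",   "203.0.113.10", "tcp", 443),  # Internet -> extranet: deny
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
    print("rules exposing private zone:", rules_exposing_private(ALLOW_RULES))
```

The third sample flow is the one worth dwelling on: because there is no rule from "extranet" into "private", a compromised extranet server gains no path into internal systems, which is exactly the isolation the article asks for.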
The second essential component of a secure extranet set-up is the use of robust authentication techniques.
Wherever possible your extranet should use some form of two-factor authentication.
One sound solution that involves the human user in the authentication process is a key fob token, for example Secure Computing’s SafeWord or RSA’s SecurID.
If your extranet communications are likely to take place between unattended servers, you should consider the use of digital certificates to give an added level of confidence to the authentication process.
Granular access controls
Granular access controls are absolutely essential to the security of very complex extranet set-ups.
In the case of large, multi-faceted organisations, where there is a continual need to interact with a large number of different customers, vendors, third-party suppliers and business partners, it will be necessary to take appropriate steps to enforce the principle of least privilege.
In an ideal world, you would implement isolation to such an extent that all your extranet clients receive access to a zone within your network that contains only the resources that are relevant to them and to which they have authorised access. However, in the case of extremely complicated extranets with many different parties requiring access to multiple areas or zones, this approach may well prove impractical.
In this instance, it is necessary to complement your robust authentication controls with granular authorisation controls. Your extranet administrators or designers should configure access lists in such a way that the access privileges of each extranet user are restricted to those specific resources that are necessary for the partnership to be workable and productive, without proving obstructive or overly restrictive.
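Here is one way to express the access lists the paragraph above describes, as an added example that is not part of the article: each grant ties a partner account to a resource pattern and a set of actions, anything without an explicit grant is denied, and two review helpers show what each partner can actually reach and which grants are broader than a partnership should need. The partner names, resource naming scheme and grants are constructed for the example.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Grant:
    principal: str          # extranet account, e.g. a partner organisation
    resource_pattern: str   # shell-style pattern over resource names
    actions: frozenset      # e.g. {"read", "write"}


class ExtranetAcl:
    """Default-deny authorisation: access is permitted only by an explicit matching grant."""

    def __init__(self, grants):
        self.grants = list(grants)

    def is_allowed(self, principal: str, action: str, resource: str) -> bool:
        return any(
            g.principal == principal
            and action in g.actions
            and fnmatchcase(resource, g.resource_pattern)
            for g in self.grants
        )

    def reachable(self, principal: str, action: str, resources) -> set:
        """Review aid: everything a principal could touch with a given action."""
        return {r for r in resources if self.is_allowed(principal, action, r)}

    def overly_broad(self) -> list:
        """Review aid: grants whose pattern spans every namespace, which almost
        always means more privilege than the partnership needs."""
        return [g for g in self.grants
                if g.resource_pattern == "*" or g.resource_pattern.startswith("*/")]


# Constructed sample data: resources are named "<area>/<owner>/<item>".
RESOURCES = [
    "orders/acme/po-1001",
    "orders/acme/po-1002",
    "orders/globex/po-7",
    "pricing/shared/catalog",
    "hr/internal/payroll",      # internal only: no partner should ever match this
]
GRANTS = [
    Grant("acme", "orders/acme/*", frozenset({"read", "write"})),
    Grant("acme", "pricing/shared/*", frozenset({"read"})),
    Grant("globex", "orders/globex/*", frozenset({"read"})),
]


if __name__ == "__main__":
    acl = ExtranetAcl(GRANTS)
    for principal in ("acme", "globex", "initech"):
        print(principal, "can read:", sorted(acl.reachable(principal, "read", RESOURCES)))
    print("overly broad grants:", acl.overly_broad())
```

Running the review helpers against the sample data shows acme reaching only its own orders and the shared catalogue, globex reaching only its own orders, and an unknown account reaching nothing; adding a grant on "*" for any partner is immediately reported by `overly_broad()`.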
The final security strategy that extranet designers should adopt is to make use of the latest available encryption technology.
Extranets are designed to share sensitive corporate data over the Internet. Your clients and the other third parties that you work with should be encouraged to make use of VPN (virtual private network) technology. VPN connections provide strong encryption for data sent across such unsecured networks.
In addition, you should ensure that both the VPN solution (including client and server software and hardware) and the encryption algorithms it uses are in line with your own organisation’s security requirements.
The security protocols and controls outlined above are just a starting point in developing strong extranet security. It is also essential that you complement these basic controls with other mechanisms and policies that encompass basic Internet security best practices.
For instance, the extranet agreements that you hold with all the third parties you work with must clearly specify the security configuration standards for the internal systems that connect to your extranet. This is essential to ensure that, having implemented the technical controls outlined above, your efforts are not thwarted simply by a poorly secured user workstation that imports a virus from an insecure website.