Partner security: Establish a strategy to protect shared data


Although many companies focus on the security of their internal systems, it's important to examine the external supply chain as well—one weak link can have an adverse effect. Here's how to work with business partners to establish a comprehensive security strategy.

In Summary:

Understand the connection points—and potential weaknesses—between various companies in your supply chain.

Manage access, permission, and rules through an enterprise system such as Windows Server 2003 Active Directory.

Use rights management services (RMS), encryption, and other tools to protect sensitive files.

In the quest to keep systems and data secure from hackers and viruses, companies might neglect a critical area of concern: business partner connections. The applications and tools your company uses to communicate with partners might include access to core systems and networks. Inadequate controls with external organizations and individuals can lead to an array of problems, including malware infections, unauthorized access, denial-of-service (DoS) attacks, system abuse or misuse, and fraud.

By including partners and suppliers in your security strategy, you can lower risk assessment and compliance management costs; gain a more comprehensive view of business units and external partners; and demonstrate to clients, partners, auditors, and regulators that you have carefully examined third-party relationships.

Here's how you can navigate partner security:

Develop a holistic strategy. Most companies already have systems that block intrusions, viruses, spyware, and other maladies. Yet any business entering a new partnership must also conduct an assessment that spans organizations—and the links connecting them. It's a good idea to have a task force that can outline rules and procedures, adjust processes, identify required hardware and software, tackle cost-sharing issues, and define rights and privileges in a consistent and workable manner.

Of course, business partnerships can span years or decades. As a relationship evolves, you need to monitor changes in business conditions, policies, and technology. Companies should agree to certain standards—such as how to transmit and store data. Once you've documented practices and procedures, you can replicate them throughout the partner base. This will make it faster and easier to add new partners to your network securely.

Protect external connections. There's no single approach to protect systems and files shared by multiple companies. However, you can start with virtual private networking and secure, password-protected Web pages to prevent unauthorized access to systems, security experts advise. Likewise, centralized logging, filtering, authentication, and other network controls are critical.

To ensure that you can audit PCs, servers, and other devices across the network, implement a management console, such as Microsoft Forefront, suggests Bertrand Manhe, director of strategic alliances at SecureWave, a security consulting firm and Microsoft Gold Certified Partner in Luxembourg. The console provides a dashboard and administrative center for viewing security status and managing tasks.

An application such as Microsoft Active Directory for Windows Server 2003 helps ease the administration of system rights and permissions, managing both employee access and partner access to your systems. In addition, Active Directory Federation Services allows companies to "share" their identity management systems. This means that a user needs only one account to access corporate and partner systems.

Next step: protect files and communications. Use rights management services (RMS), a feature built into Windows Server 2003, to control sensitive documents and files. RMS features control who views the file; how long the person can view it; and whether he or she can alter it, make a copy of it, or e-mail or print it. Encryption adds an extra layer of security to sensitive documents. Applications such as Microsoft Office Outlook offer certificates, password protection, and encryption support.

Finally, there's message scanning and IP-based filtering, which help control the types of attachments someone can send or receive, the size of files, and other criteria. Microsoft includes message scanning and filtering features in Microsoft Exchange and offers the Microsoft Windows Filtering Platform, which provides filtering for application-based policies.

Create a process to manage problems. If a security lapse occurs, partners must immediately identify the problem and know how to address it. This typically requires a defined policy and communication protocol. Additionally, each company—as well as the entire group of partners—should have a contingency plan for dealing with any ramifications, especially if it involves customers and a public response. For example, a company might identify a vulnerability created by instant messaging or an MP3 player, Manhe says. The company that discovered the vulnerability is responsible for notifying the rest of the network so that everyone can take action. This collaboration requires partners and suppliers to put aside competitive issues and work together for the sake of security. Consider appointing a security liaison to manage partner relationships and handle conflicts.

What if a partner company fails to maintain adequate security or notify others of a security incident? As with all relationships, determine what your limit is. If the partner continues to ignore security issues, then you might need to dissolve the relationship. You can reduce potential problems at the beginning with a service level agreement (SLA) or contract that specifies some type of remediation in the event of a lapse, Manhe says. Otherwise, the situation can degenerate into accusations—and nobody wants that.

Best-practice companies understand that just as their supply chain is a partnership that requires collaboration and communication, partner security is also a crucial success factor.

Samuel Greengard is a West Linn, Oregon, writer who specializes in business and technology. He contributes regularly to the Microsoft Midsize Business Center.


