Even if you as a CISO can account for your internal traffic there is still the problem of third parties: vendors, contractors, auditors, etc.

Your system may be secure, but is theirs? Third-party errors or weaknesses are also potential threats for your organisation. You need to facilitate working with third parties but also control their access to avoid dangerous exposure to risks.

An organisation might want to open a section of their network to third party partners or suppliers without giving them full access to the system.

If third party traffic is routed through the corporate DMZ, the following security controls should be considered:

Authentication, to ensure the organisation knows who is accessing their resources.
VPN concentrators hosted in the DMZ.
Host boundary controls to perform anti-virus and intrusion prevention functions.

However, this isn’t always as easy as providing a web portal, since many line-of-business applications require other protocols that are normally blocked by a DMZ. In this case, potential connection methods that an organisation can use to connect third parties include:

An extranet providing a network on the periphery of the enterprise network, although this is less trusted than an internal network. The organisation might, for example, host one or more web servers in the extranet network that partners can access for ordering goods (trusted third party).
Through web services. These provide the means for applications to communicate with each other, either over the internet or within an intranet.
Through Electronic Data Interchange, or EDI, a protocol for exchanging business documents such as purchase orders and invoices. However, this is being phased out to make way for more modern web services technologies.

It’s also worth considering dedicated extranet web servers hosted in the DMZ rather than having third party connections into the internal network. If possible, this may provide more protection than an extranet within the enterprise network.

These solutions should be considered on their merits, as your organisation – as well as the third parties it deals with – will have unique needs. Again, striking a balance between security and usability is the aim. With the right use of technologies, the third-party danger can be reduced to an acceptable level.

Diagram showing three ways to improve security when using third party services: Extranet, web services and EDI.

Summary

In this step, you have again seen how much of a balancing act information assurance is, and the importance of good judgement when measuring security versus access.

Third-party access