Extranet Connection Policy

This security policy deals with “how to handle” and “the requirements” necessary for those not affiliated with your organization to connect to and access resources on the network.

The “who’s” and “why’s” behind such a request vary greatly and, when considering them, you should review the section on trust in Chapter 1, “There Be Hackers Here,” before making a decision. Requests will come to you from the following parties:

• Contractors/consultants trying to do legitimate work with your company

• Business partners of all sorts

• Customers, usually large and requiring special handling

This security policy provides the necessary guidelines for answering such requests and the requirements to be placed on the requestor. It also enables the members of the IT staff to deal with pushy and insistent people, making this policy a virtual panacea.

SANS (www.sans.org) provides a wide range of security policies freely available on its website. The policies in this chapter are based on those publicly available policies. You should visit SANS and use the discussions in this chapter to spark your ideas. Granite Systems (www.granitesystems.net) based these policies on those recommended by SANS and allowed the policies to be presented here.

In this policy, the company’s IT security department is known simply as the Corporate Security Team for Granite Systems. Granite Systems and other Granite Systems–specific departments appear in italics throughout the policy; if you want to reuse this policy, you can replace these designations with your own.

Purpose

This document describes the policy under which third-party organizations or consultants connect to the Granite Systems network for the purpose of conducting business related to Granite Systems.

Scope

Regardless of whether a dedicated telecommunications circuit (such as frame relay or ISDN), broadband, or VPN technology is used for the connection, connections with third parties that require access to nonpublic Granite Systems resources fall under this policy. Connectivity to third parties such as Internet service providers (ISPs) that provide Internet access for Granite Systems, or to the Public Switched Telephone Network (PSTN), does not fall under this policy.


Note

Some clarification is warranted for that last part, where the policy seems to make an exception for the corporate Internet access and telephone usage through the PSTN. These are excepted because they are commodities purchased by your company; as such, if you requested that the phone company follow this policy prior to getting telephones, trust me, you would never get any results.


Security Review

All new extranet connectivity will go through a security review with the Corporate Security Team. The security review ensures that all access matches the business requirements in the best possible way, and that the principle of least access and privilege is always followed.

Third-Party Connection Agreement

All new connection requests between third parties and Granite Systems require that the third-party and Granite Systems representatives agree to and sign the Third-Party Agreement. This agreement must be signed by the Senior Vice President of the Sponsoring Organization and a representative from the third party who is legally empowered to sign on behalf of the third party. The signed document is to be kept on file with the company’s Legal Department and Corporate Security Department.

Business Case

All production extranet connections must be accompanied by a valid business justification, in writing, that is approved by the Senior Director of Corporate Security/CISO. The business case must identify the network resources to which access is being requested.

Point of Contact

The Granite Systems Sponsoring Organization must designate a person to be the point of contact (POC) for the extranet connection. The POC acts on behalf of the Sponsoring Organization and is responsible for those portions of this policy and the Third-Party Agreement that pertain to it. If the POC changes, the relevant extranet organization must be informed promptly.

Establishing Connectivity

Sponsoring Organizations within Granite Systems that want to establish connectivity to a third party are to file a new site request with the Corporate Security Team. The Sponsoring Organization engages the Corporate Security Team to address security issues that are inherent in the project. The Sponsoring Organization must provide full and complete information as to the nature of the proposed access to the extranet group and the Corporate Security Team, as requested.

All established connectivity must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case does Granite Systems rely upon the third party to protect Granite Systems’ network or resources.

Modifying or Changing Connectivity and Access

All changes in access must be accompanied by a valid business justification and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring Organization is responsible for notifying the Corporate Security Team when there is a material change in their originally provided information so that security and connectivity evolve accordingly.

Terminating Access

When access is no longer required, the Sponsoring Organization within Granite Systems must notify the extranet team responsible for that connectivity; this terminates the access. Termination might mean anything from a modification of existing permissions up to terminating the circuit, as appropriate. The Corporate Security Team must conduct an audit of its connections annually to ensure that all existing connections are still needed and that the access granted still matches the needs of the connection. Connections that are deprecated and are no longer being used to conduct Granite Systems business are terminated immediately. Should a security incident, or a finding that a circuit has been deprecated and is no longer being used to conduct Granite Systems business, necessitate a modification of existing permissions or termination of connectivity, the Corporate Security Team notifies the POC or the Sponsoring Organization of the change before taking any action.

Conclusion

Every security policy should end with a few common elements. These elements clear up potential miscommunication and confusion on the part of the users, so that they understand what is and is not permitted:

1. Enforcement: The most important element is the enforcement and the ramifications to an employee if these policies are violated.

2. Definitions: Not every employee or user understands some of the terminology used in a policy; thus, it is always a good idea to provide yet another level of clarification by defining industry-specific terms.

3. Revisions: Policies such as these are always subject to change. The sources of those changes vary over time, however: a change in management, new laws or a clarification of older laws, new threats against your network’s security, a decision by your company to become certified (for example, to an ISO standard), or new technology that needs to be covered. All of these factors might require a policy change, and it is wise to document the changes.

It is always a touchy subject to grant such access to those outside your company. One of the things that happens is that employee A works with business partner Z, who needs to access some resource on your network; to complete the business, employee A promises partner Z access. Alternatively, it is someone in management that makes a promise.

These scenarios are common, and this policy helps ensure that, when such access is required, the proper due diligence is performed under this established process before any promises are made.

Perhaps the fastest growing certification authority is the International Standards Organization (ISO). The following section briefly discusses how ISO has entered into the security arena. It is fitting to bring it to your attention because more and more companies are becoming ISO-certified to one degree or another.
