Secure information sharing and the data residency dilemma

Ronen Zoran, Cyber-Ark Software Inc.

May 27, 2004 (Computerworld) -- One of the top priorities for companies today is information sharing with a vast ecosystem of external entities, ranging from business partners and suppliers to customers. In the wake of a landslide of security threats and breaches, security is one of their top concerns, especially how to best extend organizational boundaries and where to centrally locate shared data.
There are dozens of technologies for information sharing, and they generally approach the problem in one of two ways. The first approach extends the infrastructure at the network level, using tools such as IPsec virtual private networks (VPNs) and leased lines. These technologies create significant security challenges when extending network access to partners, customers and suppliers: each of these parties essentially becomes part of the enterprise network. Do you really want your business partners to have this full access, which increases the likelihood that they will introduce security risks, whether deliberately or accidentally?
Many companies try to overcome these security risks with a duplicate network -- literally a separate, redundant network that outsiders can join, either over the Internet (via VPN) or a leased line. While this may limit exposure of sensitive information, it's very expensive.
The second approach is to extend the organization on the application level with technologies such as Secure Sockets Layer VPNs and Web collaboration applications. Unlike network extensions, the application approach allows access to a predefined set of resources without having to allow complete access to your internal network.
Inside or outside the firewall?
If the company chooses to extend the organization at the application level, it faces a critical architectural decision: Should shared data reside inside or outside the firewall?
One approach to application extension is to keep information servers inside the firewall, within the enterprise's network. Middleware can function as a liaison between the internal data and the external users. This approach doesn't force the duplication of information and leverages existing security within the network, reducing investments in extra infrastructure and administration.
However, this architecture contains an unavoidable weakness: a hole must be opened in the firewall so that the external middleware can reach the internal information. This tunnel can be used to break into the enterprise network, initiating a domino effect that could cause significant damage or downtime.
Due to this potentially devastating result, it's not sufficient to minimize the risk by implementing security technologies and policies. Thus, the only satisfactory solution is to block all access from the outside world into the enterprise network. An analogy to illustrate the perimeter security rule of thumb is that you should secure your castle by stopping the hordes at the gate. If you need to get something from the external world, go out and seize it.
Seizing ground outside the gate
In response to the challenges discussed above, many security architects choose to temporarily store information outside the enterprise's network and have internal applications retrieve it. These internal applications can monitor outside storage at a predefined interval of time and pull the data when needed. When the data is moving from within the enterprise outward, it will be stored on the external network and thus be accessible to outside entities.
This methodology eliminates the need to allow access from the outside world to the enterprise's network. The challenge of this architecture is that the information needs to reside outside the firewall, where lurking dangers of data exposure and destruction exist. Therefore, a security infrastructure that will provide protection for this external data must be designed.
Outside the firewall security checklist
To combat the potential security threats that networks face, security architects must design a multilayered security infrastructure. All of these threats need to be very carefully treated, since it's widely known that security is only as strong as the weakest link in the protection chain. Using the castle analogy again, securing the castle windows with bars and guards won't be effective if the front gate is left wide open.
A data security infrastructure should include, at the minimum, the following security layers:

  • Authentication to identify the users with whom the company would like to share information.

  • Access control to restrict trusted users only to their data. It's also important to keep the identities of customers and business partners confidential, so access control must prevent external entities from being aware of one another's presence.

  • A firewall to ensure that only the collaboration application can access the external data.

  • Tunneling to protect the information while it's in transit over communication lines.

  • Encryption to protect sensitive data from physical threats, such as theft of storage devices or backup tapes.

  • Key management to allow the creation of unique encryption keys, recovery capabilities and a secure method to exchange these keys.

  • Auditing to track data-access activity in order to detect potential breaches and monitor legitimate communications.
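The pull model of the previous section, together with the authentication, access control, key management and auditing layers of this checklist, as an added example that is not from the article or from Cyber-Ark: a constructed Python model of the external staging area, in which each partner authenticates with its own secret and can list only its own files, while the internal application polls outward and accepts an item only after verifying a per-partner HMAC. Partner names, secrets and file contents are constructed; the per-partner HMAC keys stand in for the key-management layer, and encryption at rest is left out.

```python
import hmac
import hashlib

class StagingArea:
    """Constructed model of the drop area outside the perimeter (not a real product)."""
    def __init__(self, secrets):
        self.secrets = secrets   # partner id -> shared secret, assumed unique per partner
        self.mailboxes = {}      # partner id -> {file name: (data, hmac tag)}
        self.audit = []          # every access attempt, successful or not

    def _authenticate(self, partner, presented):
        ok = partner in self.secrets and hmac.compare_digest(presented, self.secrets[partner])
        self.audit.append(("auth", partner, ok))
        if not ok:  # identical failure for an unknown partner and a wrong secret
            raise PermissionError("authentication failed")

    def put(self, partner, presented, name, data):
        self._authenticate(partner, presented)
        tag = hmac.new(self.secrets[partner], data, hashlib.sha256).hexdigest()
        self.mailboxes.setdefault(partner, {})[name] = (data, tag)
        self.audit.append(("put", partner, name))

    def list_names(self, partner, presented):
        self._authenticate(partner, presented)
        return sorted(self.mailboxes.get(partner, {}))  # never another partner's files

def internal_pull(area, secrets):
    """Internal application polling outward; it keeps an item only if its HMAC verifies."""
    accepted, rejected = {}, []
    for partner, files in area.mailboxes.items():
        for name, (data, tag) in list(files.items()):
            expect = hmac.new(secrets[partner], data, hashlib.sha256).hexdigest()
            ok = hmac.compare_digest(tag, expect)
            if ok:
                accepted[(partner, name)] = data
            else:
                rejected.append((partner, name))   # altered on the external store: drop it
            area.audit.append(("pull", partner, name, ok))
            del files[name]
    return accepted, rejected

def demo():
    secrets = {"acme": b"acme-secret", "globex": b"globex-secret"}  # constructed sample secrets
    area = StagingArea(secrets)
    area.put("acme", b"acme-secret", "po-1001.xml", b"<order id='1001'/>")
    area.put("globex", b"globex-secret", "invoice-7.csv", b"id,amount\n7,120")
    _, old_tag = area.mailboxes["globex"]["invoice-7.csv"]
    area.mailboxes["globex"]["invoice-7.csv"] = (b"id,amount\n7,999", old_tag)  # simulated tampering
    return internal_pull(area, secrets)
```

`demo()` shows the failure mode the article warns about: a file altered on the external store fails verification and is rejected by the internal puller, while the untouched file is accepted.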

Sharing data with customers and business partners is a requirement, not a preference, and special consideration is required when designing this information collaboration architecture. It's essential that this design avoids reducing network security levels by opening it to the outside world. To conduct business while maintaining a high level of security, information should be shared using a secured location outside the network perimeter.