Computerworld - Other departments frequently ask me to approve firewall modifications to allow applications to "talk" to one another. This past week, one of the business units asked permission to open our external firewall to enable a business partner to transfer data to one of our quality assurance (QA) servers for testing.
This request was related to our education sales Web site. We sell online, in-house and computer-based training materials, as well as books and other publications, all geared toward teaching customers how to use our products. When revenue generation is involved, my review is more thorough, and that was my approach this time, even though it was for a QA environment.
I asked to see the network diagrams, data flows and the nature of the data to be transferred. While these are vital elements for deciding whether an external entity will be allowed to transfer data to our company, I usually ask for this information even when the request is internal.
By reviewing the network diagrams, I was able to learn about the other resources that are trusted by the QA server and environment. Sometimes network diagrams show that other critical servers or networks trust the affected system. If a server that's trusted by another sensitive resource is compromised, it's a trivial thing for a hacker to take advantage of that trust relationship. For this environment, the QA server was on a segregated network shared only by another QA server, which had been set up as a standby.
As for data flows, they depict how data moves from one entity to another within an application. They usually show information about things such as encryption, data in transit, data at rest and backup. In this case, I wanted to understand how the data would get from the external partner to our infrastructure, where the data would move to within our environment and, of course, the nature of the data.
From a legal and privacy perspective, the nature of the data that will be transmitted is probably one of the most important factors. The business units always play this down, suggesting that it's "just some data." But "just some data" usually turns out to include private information. In this case, there were customer names, mailing addresses, e-mail addresses and phone numbers. We have agreements with other vendors to sell our training materials, and this particular request entailed the vendor sending enrollment data from its site, where the training was purchased, to our site.
For this application, I insisted that the data in transit
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
