Secure information sharing and the data residency dilemma
Computerworld -
One of the top priorities for companies today is information sharing with a vast ecosystem of external entities, ranging from business partners and suppliers to customers. In the wake of a landslide of security threats and breaches, security is one of their top concerns, especially how to best extend organizational boundaries and where to centrally locate shared data.
There are dozens of technologies for information sharing, and they generally approach the problem in one of two ways. The first approach extends the infrastructure at the network level, using tools such as IPsec virtual private networks (VPN) and leased lines. These technologies create significant security challenges when extending network access to partners, customers and suppliers. Each one of these parties essentially becomes part of the enterprise network, but do you really want your business partners to have this full access, which can increase the likelihood of these parties voluntarily or accidentally introducing security risks?
Many companies try to overcome these security risks with a duplicate network -- literally a separate, redundant network that outsiders can join, either over the Internet (via VPN) or a leased line. While this may limit exposure of sensitive information, it's very expensive.
The second approach is to extend the organization on the application level with technologies such as Secure Sockets Layer VPNs and Web collaboration applications. Unlike network extensions, the application approach allows access to a predefined set of resources without having to allow complete access to your internal network.
Inside or outside the firewall?
If the company chooses to extend the organization at the application level, it faces a critical architectural decision: Should shared data reside inside or outside the firewall?
One approach to application extension is to keep information servers inside the firewall, within the enterprise's network. Middleware can function as a liaison between the internal data and the external users. This approach doesn't force the duplication of information and leverages existing security within the network, reducing investments in extra infrastructure and administration.
However, this architecture contains an insurmountable hurdle: a hole needs to be opened in the firewall to enable the external middleware to access the internal information. This tunnel can be used to break into the enterprise network, initiating a domino effect that could cause significant damage or downtime.
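To make the "hole in the firewall" concrete, the following added example (not from the original article) audits a first-match rule table for any path that lets a less-trusted zone initiate a connection into the internal network. The zone names, rule names, port numbers and the rule model itself are constructed for illustration and do not correspond to any particular firewall product.

```python
from dataclasses import dataclass

ANY, OTHER = "any", "other"      # OTHER probes every port no rule names
UNTRUSTED = ("internet", "dmz")  # constructed zone names
INTERNAL = "internal"

@dataclass(frozen=True)
class Rule:
    name: str
    src: str       # zone where the connection is initiated
    dst: str       # zone being connected to
    port: object   # int port number, or ANY
    action: str    # "allow" or "deny"

def decide(rules, src, dst, port):
    """First matching rule wins; None means the default deny applied."""
    for r in rules:
        if r.src in (src, ANY) and r.dst in (dst, ANY) and r.port in (port, ANY):
            return r
    return None

def inbound_holes(rules):
    """List (source zone, port, rule name) for every effective path by which
    a less-trusted zone can initiate a connection into the internal zone."""
    ports = sorted({r.port for r in rules if r.port != ANY}) + [OTHER]
    holes = []
    for src in UNTRUSTED:
        for port in ports:
            r = decide(rules, src, INTERNAL, port)
            if r is not None and r.action == "allow":
                holes.append((src, port, r.name))
    return holes

# Constructed rule set: data stays inside, DMZ middleware queries it.
DATA_INSIDE = [
    Rule("web-in", "internet", "dmz", 443, "allow"),
    Rule("mw-to-db", "dmz", INTERNAL, 1433, "allow"),   # the hole
    Rule("internal-out", INTERNAL, ANY, ANY, "allow"),
]
# Constructed rule set: nothing outside may initiate inward. The stale
# allow after the deny is shadowed, so it is not an effective hole.
INBOUND_BLOCKED = [
    Rule("web-in", "internet", "dmz", 443, "allow"),
    Rule("no-inbound", ANY, INTERNAL, ANY, "deny"),
    Rule("stale-mw-to-db", "dmz", INTERNAL, 1433, "allow"),
    Rule("internal-out", INTERNAL, ANY, ANY, "allow"),  # assumption: outbound-only flows
]
```

Because the audit evaluates the table with first-match semantics, it reports only rules that are actually reachable, so a leftover allow rule behind a blanket inbound deny is not counted as a hole.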
Due to this potentially devastating result, it's not sufficient to minimize the risk by implementing security technologies and policies. Thus, the only satisfactory solution is to block all access from the outside world into the enterprise network. An analogy to illustrate the perimeter

