InformationWeek

ollaboration. Risky business. To the security-minded, they can feel like one and the same. Nearly one in five companies surveyed by InformationWeek Research report security problems as one of the downsides to increased collaboration.

Business partners thinking about linking applications or networks to share information must first sort out the security issues based on the kind of relationship they'll have, how closely their networks will be tied, and who will be responsible for security.

The first step in assessing IT security in collaboration efforts has nothing to do with technology and everything to do with the nature of the relationship between the companies, says Frank Prince, a security analyst with Forrester Research. If the relationship is a loose, ad-hoc project collaboration, a fairly informal security relationship probably will do. Still, managers of even an informal collaboration should agree on how and when any problems will be communicated and resolved, since security failures at one company may put the collaboration partner at risk. "It has to be decided what level of breach warrants informing your partner, and who will be notified at both companies," he says.

When a partnership involves tight integration of two companies' business processes, and the companies have established permanent, joint management of their endeavor, security management should be handled the same way--with one person responsible for both companies' collaboration security. "You'll need someone solely in charge," Prince says.

Companies shouldn't underestimate the task--security issues may present one of the early challenges to the trust needed to create a collaborative relationship. When networks or applications have to be integrated, security experts suggest conducting an initial security review to get a baseline image of both businesses' security postures. This is a tricky proposition because most companies don't want to share security information even with the closest of corporate allies.

To limit risk, companies should avoid connecting their networks directly, Gartner analyst John Pescatore says. Instead, if possible, they should connect only a few applications. Pescatore recalls that after a trucking company gave network access to a business partner, the partner then began entering the trucker's dispatch system to schedule its own deliveries without established approvals.

Rodney Satterwhite, chief counsel for knowledge management for McGuireWoods LLP, a Richmond, Va., law firm, is dealing with these conflicts. The legal industry has seen an explosion of documents shared over the Internet. Lawyers often collaborate with other firms working on the same case, or with expert witnesses, by sharing documents that clients expect will never be made public. "Security is a critical factor," Satterwhite says. For these ad-hoc collaborations, the firm often shares documents by E-mail or the Web, and for security relies on legal agreements that shared documents will be destroyed once a case is complete. The firm is looking to IT to put some teeth into those agreements. Satterwhite is considering using Authentica Inc.'s NetRecall software to let the firm control information even after it's been downloaded to a Web browser. "With this type of technology," says Satterwhite, "we can enforce the level of security clients expect."