In Lockstep On Security

More companies are doing detailed assessments of their business partners' information security. Failing grades can end a collaborative relationship.

InformationWeek Staff, Contributor

March 15, 2002


A company competing to win new business these days needs to bring more to the table than quality products at the right price. That company also better have effective information security--and be able to prove it. Anything less can be a deal-breaker.

Until recently, information security had been treated as an internal issue, even as businesses integrated supply chains to share production, delivery, and product-development data across company borders. Companies encrypt data so it's not nabbed in transit, but in the past, they've largely been content to rely on confidentiality agreements and trust to ensure that data is well-guarded at the other end.

That's no longer enough. What's changing most dramatically is the level of detail companies are demanding to know about their business partners' information-security plans. A growing number of businesses require extensive and costly third-party audits. Some dictate that partners follow specific security practices, from the kind of passwords used to who has physical access to networked servers and workstations. The approaches vary, but the common point is that business and IT executives are making it their job to thoroughly examine and judge their partners' security as well as their own.

"There's a huge amount of up-front thought and architecting before you can begin rolling this out," Trigon's Witherow says of managing partners' access to Trigon's portal.

Trigon Healthcare Inc. is a $2.9 billion managed-care company in Richmond, Va., that lets major insurance and hospital partners connect directly to its back-end computing systems through private frame relay and virtual private networks. But before Trigon lets a company connect, either a third-party consulting firm or a Trigon IT team visits the partner's offices and audits its information security. The cost of an outside firm can be $15,000 or more--a tab that Trigon will often pick up. Until Trigon is convinced that the company's firewalls, intrusion-detection systems, antivirus software, and overall security policy are adequate, it won't do electronic business with that company. The detailed audits, which are updated as often as every quarter, can drill down as far as examining the strength of a company's password policies. "With each new technology, application, and partner you bring on, you get a continuous, perpetuating infusion of risk," says Rick Witherow, Trigon's manager of information security.

It's not an exaggeration to say poor information security can cost a company sales. Ray Gazaway, a VP with security company Internet Security Systems Inc., recently worked for a large bank that was doing an information-security assessment of a company that processes checks. The bank was a week away from signing a multimillion-dollar contract when its chief security officer visited the check processor's offices and asked the CIO for a security policy. "He knew he was in trouble when the policy was only a page long," Gazaway says. "The CSO left within 15 minutes." ISS did an audit and found that the check-processing company didn't have even basic security protections such as a firewall prohibiting unauthorized Internet access to its network. "They were completely focused on the business end and not on security," Gazaway says. The bank nixed the deal until the company improved its data security.

Many companies are going back to suppliers with which they have longstanding relationships and testing their security with renewed vigor, Gazaway says. The ones that don't make the grade lose network access, and that doesn't bode well for a close business relationship. "Some of the big companies are going back to their vendors and saying, 'Either you shore up your systems, or we're going to unplug you,'" he says.

Why the increased interest in partners' data security? One reason: Managers are learning the hard way that it's a bad idea to assume that partners have solid information-management practices. One network database administrator at a large East Coast financial-services company knows the perils of collaboration too well. Last year, the company decided to share customer information with one of its partners, and the customer data ended up being mixed in with the partner's own customer data. The financial-services company had expected its data would be kept separate and not made a part of the partner's records. When it learned of the data commingling, the bank's security and privacy officer demanded a fix that segregated each company's data and called for a full security audit. The audit revealed more grisly details: weak passwords (using the last four digits of a Social Security number), poorly configured firewalls open to common attacks, and antivirus software that hadn't been updated in nearly six months. "It was a horror show. People almost lost their jobs," says the administrator, who asked not to be identified.

A number of factors underpin the growing concern. Online collaboration keeps increasing. Customers' tolerance of mistakes is diminishing. And while the legal ground hasn't been tested, shareholders could hold company executives responsible for losses attributed to failing to do enough to secure information shared with partners.

Michael Overly works at the intersection of IT and the law in his job as information systems attorney and a partner at the Milwaukee law firm Foley & Lardner. He's seen clients' concern increase this year, and they have far less faith in confidentiality agreements to protect them. "The fear is, what does a company do if three months after they connect their systems there's a major breach, and through an investigation, it becomes clear that the partner had four other prior breaches?" Overly says. "Failing to find that out before connecting networks could place the company officers liable to their shareholders for not taking reasonable care."

Executives are more aware than ever of the extent of the threat, as well as the cost. An annual survey on computer crime the FBI and the Computer Security Institute conducted last year found that more than eight out of 10 companies detected security breaches in the past 12 months, and the average reported loss from 186 companies that could quantify their losses topped $2 million, twice the average from the year before. The largest reported loss reached $50 million, double the highest single loss in the previous three years. It's unclear whether the rising costs are because the damage is increasing or because companies are keeping closer track. But it's clear that there's a greater awareness of the problem.

Finally, companies have come to realize they can't take for granted that data is safe once it's securely transferred to a partner's internal system. The CSI and FBI survey found 71% of companies suffered unauthorized access to systems by insiders. As the meaning of "insider" blurs to include the employees of partners and suppliers, the risk rises. The 2001 InformationWeek Global Information Security Survey, fielded by PricewaterhouseCoopers, shows that 23% of respondents cite authorized users and employees as the source of security breaches or espionage within the past year. And consider this: 14% of respondents suspect their customers as the source of attacks.

As business partners move forward with plans to collaborate and share information, scrutiny is increasing. Executives say they can almost always find ways to solve security problems. At times, that means demanding a very specific security policy. Some companies ask for proof that computer hard drives have been destroyed so data isn't inadvertently released when a computer is donated to charity or tossed in the trash. Other times, it means finding ways to collaborate without a direct network link.

Security is a collaborative effort, says Goodrich's McDevitt.

Goodrich Corp., a Charlotte, N.C., aerospace company, uses collaboration tools to exchange design drawings with suppliers. Since much of the company's $4 billion in annual sales comes from military aircraft projects, the threat of espionage is real. Yet the ability to cut costs by using file-sharing tools to slash development time means Goodrich must find secure ways to use those tools. "There's a tremendous amount of collaboration going on, but you have to be in lockstep when it comes to security," says Chuck McDevitt, Goodrich's director of technology.

After members sign nondisclosure agreements, Goodrich sends its technical teams to review preventive security procedures of its supplier partners. The teams look at the level of encryption that partners use when transferring data and whether their firewalls are properly installed and maintained. The teams also check physical security around computer assets, such as whether access to networked workstations is restricted and if servers that hold sensitive data are separated from a partner's general network.

Once the Goodrich team is convinced security is good enough that there's almost no chance of a partner having a security breach, it sets up a detailed procedure in case there is one. McDevitt requires a partner company to assign a response team that knows what to do and whom to contact at Goodrich if there's a security lapse. "As soon as something occurs, who do we contact?" he says. "If the security incident reaches a certain threshold, we want to be proactive about it."

Big buyers such as Goodrich obviously hold the bargaining power in such relationships. But McDevitt says the process is more collaborative and that Goodrich has picked up security tactics from smaller partners.

Nevertheless, the cost of upgrading security can be a major obstacle for smaller companies, which might be asked to make relatively large IT investments. Because security standards vary widely from company to company, a small supplier can't be sure that an investment for one customer will help it win business from another. Security managers at large companies have had to be creative in helping suppliers get up to speed. Foley & Lardner's Overly says the law firm helped two companies settle a conflict around security in which a large company wanted its partner to have a dedicated server for its data, but the partner balked at the $6,000 price tag. The larger company ended up picking up the cost. Even detailed security requirements aren't stopping collaboration so far. "In 100% of the cases, we've worked out a deal," Overly says.

Georgia-Pacific Corp., which uses the Web to let customers place orders and manage their account information, takes a conservative view toward collaboration security by never directly tying its network to any of its partners. "We don't bond to another company, ever," says Herb Mattord, lead security analyst for the paper-products company, which had $22 billion in sales last year. Georgia-Pacific's IT staff designed its network in such a way that it keeps collaborative transactions between two levels of firewall protection, so a hacker needs to defeat two lines of defense to enter a system. "I think of it as a mud room," Mattord says. In computer-security jargon, Mattord's mud room is often called the demilitarized zone, a place where data is shipped for access by outsiders, so Georgia-Pacific can give its partners information without giving them direct access to its network.

Georgia-Pacific gives higher-level access to its biggest customers. For them, the company built a Web site that partners access with leased-line connections--still an isolated mud room, but with a more direct and secure connection. Customers then must show credentials to access data. For smaller customers and the public, there's a separate Web site for conducting business that they can access without the leased-line connection. "We have one mud room for Web transactions, and another mud room that constitutes our business-partner network," Mattord says, adding that collaborating and integrating networks never will be risk-free. It's all a matter of reducing the "relative worry factor."
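The two-level firewall layout Mattord describes can be expressed as a pair of packet-filter rulesets. The following nftables configuration is an added illustration of that "mud room" pattern, not a configuration from Georgia-Pacific or from the article; the interface names, addresses and ports are assumed. Each table stands for one of the two firewalls (in practice two separate devices): the outer one admits only HTTPS from the Internet to the DMZ host, and the inner one lets internal hosts push data out into the DMZ but never lets the DMZ host open a connection inward.

```nftables
# Outer firewall: sits between the Internet (wan0) and the mud room (dmz0).
# Assumed: the partner-facing web host lives at 192.0.2.10 in the DMZ.
table inet outer_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Outsiders may reach only the DMZ web host, and only over HTTPS.
        iifname "wan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 443 accept
        # There is deliberately no wan0 -> lan0 rule: the internal network
        # is unreachable from the Internet even if this host were misconfigured.
    }
}

# Inner firewall: sits between the mud room (dmz0) and the internal network (lan0).
# Assumed: internal systems publish partner data to the DMZ host over SSH (SFTP).
table inet inner_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Data is shipped outward into the mud room by internal hosts.
        iifname "lan0" oifname "dmz0" ip daddr 192.0.2.10 tcp dport 22 accept
        # No dmz0 -> lan0 rule: a compromised DMZ host still cannot initiate
        # any connection into the internal network, so an attacker must defeat
        # this second line of defense separately.
    }
}
```

The point worth checking in any such deployment is the absence of rules, not their presence: if the inner firewall ever gains a `dmz0 -> lan0` accept rule for convenience, the mud room collapses back into a single line of defense.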

Assorted Attacks Chart

Ryder System Inc. is a logistics manager that has built its business on blurring the lines between it and the client. The goal: for a manufacturer, for instance, to treat Ryder as an extension of its business when it comes to knowing whether a shipment of parts from a supplier will arrive in time to keep production moving. That blurring requires extensive electronic data sharing. But Ryder now wants to extend its relationships so it's easier to swap ideas and questions across corporate boundaries using Lotus knowledge-management tools. That creates new security worries. "Anytime someone comes into the firewall, or information flows outside the firewall, it's reason to be concerned," says David Baildon, Ryder's group director of knowledge management.

Baildon is building on two successful internal implementations, Lotus Sametime for online chat and QuickPlace for Web-based collaboration. The tools have built-in security features, such as document-level security, so that each file has its own rules for who can access it. Chat rooms are password-protected, and if users aren't authorized to enter a certain virtual room, the software makes those meeting places invisible to them. It's as if people walking into an office building could only see the doors of offices they were allowed to visit. Ryder's knowledge-management system lets an administrator limit what users can do with the documents, such as letting an employee view a document but not save or forward it. Ryder executives are concerned about internal security and confidentiality because the company often works for customers that compete with one another, so employees get access only to the customers they directly serve.

Despite those security features, and its close relationships with its customers, Ryder is planning to extend only the QuickPlace collaboration tool to its clients and partners--not the Sametime instant messaging. Ryder is concerned that messages not intended as permanent written records are logged and saved, Baildon explains.

For Ryder, paranoia is safety. Although there's security built into the Lotus applications, when Ryder extends the collaborative tools to customers in coming months, it will establish a QuickPlace environment that's in a demilitarized zone separated from Ryder's main network. In that environment, it also will make available only the documents that a given customer is authorized to see. It's the difference between pushing documents outside the firewall for clients to see and letting customers inside the firewall and limiting document access. "We could give them access through the firewall, and only access to their room, but we don't trust that," he says. "Once someone has access through the firewall, that leaves an opening for hackers."

The kind of in-depth security checks that Goodrich or Trigon require may make sense when directly connecting the networks of a few partners working very closely. But how do companies maintain security when collaborating with thousands of partners, where an individual audit of every one of them is impractical? Many companies use tools that manage access rights, helping them make sure that users are who they say they are and giving those users access only to the applications and data to which they're entitled. This approach, most agree, lowers the risks associated with directly connecting networks. Since users are accessing applications over the Web, rather than directly connecting networks, companies don't have to worry as much about the security of their partners' networks.

Trigon uses a Web portal, Trigon.com, for partners that are doing more manual and interactive data requests such as for patient data, rather than more automated transactions such as payments that are done through a direct network connection. Trigon.com has 23,000 users, including thousands of health-care providers and 1,500 insurance brokers. Using a portal makes Trigon's partners' security less of an issue than if there were a direct network connection. But the information accessed there includes extremely sensitive personal health-care records, so Trigon wants to make sure that only authorized users view it. "We need delegated administration, application-access control, and a way to identify users attempting to enter our system," Witherow says.

The weakest links are determining that users are who they claim to be, making sure an employee's job description justifies a certain level of access, and ensuring that access rights change along with a person's job duties, including when an employee is fired or quits. That's a struggle even internally for companies, and tougher for a company such as Trigon when it's managing access for both employees and partners.

The key is establishing contacts at each partner to inform Trigon of employee changes, Witherow says. Trigon uses Netegrity Inc.'s Siteminder identity-management software to manage its partners' access to its portal. Just as important as the software, though, is a tremendous amount of up-front research to make sure Trigon gives each partner's employee the correct access. "We decided to do this right from the start," Witherow says. That meant his IT team had to define the business functions and types of tasks each partner needs to perform, then drill down to the types of tasks and applications each partner's employees need to access. For Trigon, these include tasks such as checking claims, doctor referrals, and patient eligibility. "The user at a certain facility would only be able to see information for that particular provider," he says. "There's a huge amount of up-front thought and architecting before you can begin rolling this out."
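The portal model Witherow describes (tasks defined per role, each partner's users confined to their own provider's records, and access withdrawn as soon as a partner reports a departure) can be captured in a small access-control layer. The Python below is an added example written to illustrate that model and the delegated-administration point from the preceding paragraphs; it is not Trigon's code and not Netegrity SiteMinder. The partner names, roles, tasks and records are constructed for the illustration.

```python
"""Partner-scoped access control for a shared portal (added example).

Hypothetical model: each user belongs to one partner organization and holds
one role; roles grant tasks; every record is tagged with the provider it
belongs to; a partner admin may administer only that partner's own users.
"""
from dataclasses import dataclass, field

# Task-level permissions per role: the "types of tasks" defined up front.
ROLE_TASKS = {
    "claims_clerk": {"check_claims"},
    "referral_coordinator": {"doctor_referrals", "patient_eligibility"},
    "partner_admin": set(),  # manages users, never touches patient data
}

# Which task a given kind of record is viewed under.
TASK_FOR_KIND = {
    "claim": "check_claims",
    "referral": "doctor_referrals",
    "eligibility": "patient_eligibility",
}


@dataclass
class User:
    name: str
    partner: str      # the provider organization this user belongs to
    role: str
    active: bool = True


@dataclass
class Record:
    record_id: str
    provider: str     # the provider this record belongs to
    kind: str         # "claim", "referral" or "eligibility"


@dataclass
class Portal:
    users: dict = field(default_factory=dict)
    records: list = field(default_factory=list)

    def authorize(self, username, task, record):
        """Deny unless the user is active, the role grants the task, the task
        matches the record kind, and the record belongs to the user's partner."""
        user = self.users.get(username)
        if user is None or not user.active:
            return False
        if task not in ROLE_TASKS.get(user.role, set()):
            return False
        if TASK_FOR_KIND.get(record.kind) != task:
            return False
        return record.provider == user.partner

    def visible_records(self, username):
        """Records the user may see at all; everything else is invisible,
        like the chat rooms a user is not entitled to enter."""
        user = self.users.get(username)
        if user is None or not user.active:
            return []
        allowed = ROLE_TASKS.get(user.role, set())
        return [r for r in self.records
                if r.provider == user.partner
                and TASK_FOR_KIND.get(r.kind) in allowed]

    def deactivate(self, admin_name, username):
        """Delegated administration: a partner's own admin revokes access when
        the partner reports that an employee has left. Cross-partner changes
        are refused."""
        admin = self.users.get(admin_name)
        target = self.users.get(username)
        if admin is None or not admin.active or admin.role != "partner_admin":
            return False
        if target is None or target.partner != admin.partner:
            return False
        target.active = False
        return True


def build_demo_portal():
    """Constructed sample data: two partner organizations and three users."""
    portal = Portal()
    for u in (User("alice", "northside_clinic", "claims_clerk"),
              User("bob", "riverside_hospital", "referral_coordinator"),
              User("carol", "northside_clinic", "partner_admin")):
        portal.users[u.name] = u
    portal.records = [Record("c1", "northside_clinic", "claim"),
                      Record("c2", "riverside_hospital", "claim"),
                      Record("r1", "riverside_hospital", "referral")]
    return portal


if __name__ == "__main__":
    p = build_demo_portal()
    c1, c2, r1 = p.records
    print(p.authorize("alice", "check_claims", c1))   # own provider's claim
    print(p.authorize("alice", "check_claims", c2))   # another provider's claim
    print(p.deactivate("carol", "bob"))               # cross-partner, refused
    print(p.deactivate("carol", "alice"))             # own partner, revoked
    print(p.authorize("alice", "check_claims", c1))   # access now gone
```

Two design choices matter here. The provider check is applied on every authorization, not only when a record is listed, so a user who guesses another provider's record identifier still gets nothing. And revocation is a state change on the user, so every subsequent check fails immediately without any per-record cleanup, which is what makes the "contact at each partner" process actually effective.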

No matter how hard companies try to verify what their partners are doing, there comes a point when they need to trust that a partner is doing what it's promised. That's how Rick Perry, director of enterprise operations and security at the Burlington Northern Santa Fe Railroad in Fort Worth, Texas, is approaching rights management as the railroad triples, over the next couple of years, the number of external users it lets access its system.

Burlington Northern's IT team is in the final stages of deploying Waveset Technologies Inc.'s Lighthouse access-management software to better control access by its 40,000 employees and the 10,000 or more external users it expects. Today, partner companies can log on to the Burlington Northern Web site to track shipments, pay bills, and gain information regarding rail use, information that's become more sensitive since Sept. 11. Yet Perry will rely on partners to maintain their digital-access rights, saying they're just as motivated as Burlington Northern to get it right. "Suppose an employee left one of our customers. That company wouldn't want the employee to be able to access the system either, so they administer it on their end," he says. Perry says there's no alternative. "We're always dependent on someone telling us that the employee is no longer there," he says.

Ultimately, though, there's still no substitute for trusting that a partner is holding up its end of the bargain. It's an inescapable reality of business that's becoming more important as the benefits of collaboration become clear. The days of a slapdash virtual private network connection to link one company to another are gone, replaced by a new spirit: trust, but verify. The scrutiny of security policies will only become more detailed and, for those that aren't prepared, uncomfortable. As Erik Naugle, VP and chief technology officer of networking provider ANXeBusiness Corp., puts it, "You're getting pretty far up the knickers of your partners."
