Allowing external people access to your Internal data (longish post)
Over the past 12 months, this question has raised its head a few times, and I would love to get some opinions from the community on what they see in the IT world or what they think is a good practice.
Scenario:
More and more frequently, information is being dealt with outside of email. A good working (browser-based) example of this is Quickr or Sharepoint, where people are collaborating and sharing data using default templates. Pretty soon, this will escalate as Activity servers get deployed. As this is occurring more and more frequently, a byproduct is the desire to allow people external to your organisation access to this data. The question follows: what is the best way to accomplish this?
You have two specific problems. The first is how Mr External gets access to the data you want him to have access to. The second is how you verify that the person is who they say they are. A side problem is how you do this without tying yourself up in massive management overheads.
First problem – allowing Mr External access to your data
There are a few possible solutions to this…
Solution 1 – Allow them inside.
Grant the external person access to your network via VPN, keyfob or whatever method you use. This has licence implications and management implications. However, the data always stays on your LAN.
Solution 2 – Place some of the data outside the network
It would be possible to replicate some of the sites that you want people to collaborate on to a DMZ, and grant access that way. This has a lesser management implication, and if the data is on your DMZ, it is still with you. Mr External can then access it through a browser as needed.
Solution 3 – Place all your data offsite in a data centre.
This is the "way out" solution (at the moment). Place all your data in a location that is available to all users, be they internal or external, and use your security levels to allow/restrict access. This is quite Web 2.0-ish, but data protection could have a lot to say about that. Do you trust the data centre? Do you trust your security that much?
Second problem – trusting that Mr External is Mr External
Going with Solution 1 above means that each external person has an account created in your internal domain, which is secure and lets you manage the account. Assuming you add a VPN account or keyfob/cert, this is secure by today's standards. But let's say you don't do that.
If you want to maintain external users effectively, you need to maintain them in an external directory. This is where their details are kept, including authentication information. In addition, this is the directory your externally facing data would authorise against. Let's assume LDAP. The directory contains account information, including their password. Microsoft and IBM use something along those lines with their passport sites (IBM's has come a long way), and external people enter their name and password on an SSL-based site. But the question remains: is a user name and password enough? The typical answer is "it depends on the data", so let's assume that the data could hold sensitive information. The IBM one already does for Business Partners. Is giving a person a user name and password enough to keep corporate sites happy? Do you also issue SSL certificates to the browser? Do you also require PIN authorisation on top of name/password?
I would like to know what other sites are considering good enough these days, especially ones that fall into the above categories.
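The arrangement sketched in Solution 2 and the second problem, as an added example that is not the post's own code: an external directory that authenticates by name, password and a PIN as the extra factor, authorisation decided by per-document reader lists matched against that directory's names and groups, and a DMZ replica that holds only documents an external group may read. The directory, the "BusinessPartners" group, the PIN scheme and the documents are all constructed for the illustration.

```python
import hashlib, hmac, os
from dataclasses import dataclass

ITER = 100_000  # PBKDF2 iterations for the stored password hash

@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset

class ExternalDirectory:
    """Stands in for the external (LDAP) directory: it holds the account, a
    salted password hash, a second factor (a PIN here) and group membership."""
    def __init__(self):
        self._accounts = {}

    def add_user(self, name, password, pin, groups):
        salt = os.urandom(16)
        self._accounts[name] = {
            "salt": salt,
            "pw": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITER),
            "pin": hashlib.sha256(salt + pin.encode()).digest(),
            "groups": frozenset(groups),
        }
    def authenticate(self, name, password, pin):
        acct = self._accounts.get(name)
        if acct is None:
            # Hash anyway so an unknown name takes as long as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, ITER)
            return None
        pw_ok = hmac.compare_digest(
            acct["pw"], hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], ITER))
        pin_ok = hmac.compare_digest(
            acct["pin"], hashlib.sha256(acct["salt"] + pin.encode()).digest())
        # Evaluate both factors before deciding so a failure does not reveal which one failed.
        return Principal(name, acct["groups"]) if pw_ok and pin_ok else None

@dataclass(frozen=True)
class Document:
    title: str
    readers: frozenset  # user or group names allowed to read; empty = no external access

EXTERNAL_GROUPS = frozenset({"BusinessPartners"})  # constructed group name

def can_read(principal, doc):
    # Authorisation: the reader list is matched against the directory's name and groups.
    return principal.name in doc.readers or bool(principal.groups & doc.readers)

def dmz_replica(docs):
    """Solution 2: only documents some external group may read are replicated to the DMZ."""
    return [d for d in docs if d.readers & EXTERNAL_GROUPS]
```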

Philip Storry Said,
November 9, 2007 @ 10:45 pm
The one general thing I’d say is that the moment you allow your data to be accessed from outside your network, you have to make the assumption that the data is now going to be found outside your network.
By that I mean that people will, by their nature, cut and paste text and detach attachments.
When we implemented a webmail solution, it was made clear to management that whilst we could secure the transport layer with SSL, enforce a password policy within the Domino infrastructure, and secure the server enough to pass any penetration test… We couldn’t stop idiots from saving documents to the desktop of J. Q. Random’s cheap web cafe.
We could advise against it. We could train users. But there was no way we could guarantee that the data would remain secure at that point.
That’s then a business risk to be evaluated accordingly.
I have to say that I suspect over time devices like Blackberry handhelds will become powerful enough to do most simple bits of work – and the server-side software will present data that is light enough to not trouble the device too much. The two will meet in the middle, effectively, and provide a decent (if basic and cut-down) experience for mobile workers.
That will help immensely.
That won’t help with externals though. Everything I’ve said is about internals. For externals, I think the best option is going to have to be some kind of access contract that they sign, which requires them to follow appropriate guidelines and has suitable penalty clauses for failure.
There aren’t many good technical solutions to this, and whilst Domino is certainly the best platform for achieving some of the goals, I think that it has to be a contractual thing in the end.

Sean Burgess Said,
November 9, 2007 @ 10:45 pm
First, you have to take Sharepoint (SP) out of this discussion. Without real replication, access to SP requires access to your Active Directory and no admin is going to open that hole in their firewall. I am running into that problem currently and the external users work for the same company, but are at a different site.
The sites I have built for contact with external users have all been related to information about that specific customer. Most of the data was coming from the external user to my client, so using just a name and password was sufficient. We did employ SSL, but that was just to make my security guys happy. The larger security measure was the liberal use of Author and Reader Names fields and replication to a Utility server in a separate DMZ.
Maybe I am naive, but I tend to look at the OS as the weak link in my external facing Domino applications. I bet some of the ASPs will have some better information on this.