Wireless Week


Protecting the Open Network
Sun, 08/17/2008 - 4:04pm
Nathan Ulery

Are consultants compromising your network?

Your business partners, contractors and consultants increasingly require access to your network. And, more and more, your employees need to access data and applications from their mobile phones, home offices, hotels, and Starbucks. But these points of access pose new data security and other risks. A new set of technologies – known as network access control (NAC) or network access protection (NAP) tools – can help mitigate these risks.

As a consultant who spends a large amount of time on site at clients, prospects and partners, I am endlessly amazed at how easy it is to get connected to most corporate networks.  Let me describe a recent day to illustrate my concern.

8 a.m.: I took the train downtown to meet with a client to discuss the status of a current project. I have 45 minutes of e-mail written that I want to synchronize.  My meeting does not start for another 30 minutes, so I go to the team’s project room, grab an Ethernet cable from my laptop bag, connect to an empty port on the wall and send my e-mail using Outlook Anywhere. 

What else am I doing on the client’s network while I’m connected?  Am I really an authorized user just because I’m sitting in the physical office?

10 a.m.:  I’m back at my office and I receive a call from another long-term client who wants me to evaluate a backup issue.  I still have a VPN profile for the client’s network, so I connect and look at the backup server.  The issue is resolved, and the client is happy. 

What happens now if I walk away from my laptop and forget to disconnect?  Does that nice person who waters the plants in the office now have complete access to my network and my client’s network?

1 p.m.:  One of my colleagues and I are visiting a prospect to demonstrate Microsoft collaboration tools.  We’re big believers in showing real-world deployments, so we arrive early so I can connect to the client’s network and access West Monroe Partners’ internal deployment of Microsoft Office SharePoint Server, Office Communications Server and Exchange 2007.

This prospect doesn’t yet know me, so he has to get a Help Desk rep to check my laptop in order to comply with his company’s corporate security policy.  The Help Desk rep checks that my anti-virus software is up-to-date and lets me plug into the network. 

While this method of policy enforcement is better than nothing, what happens if the vice president I’m meeting with is too busy to call the Help Desk or just trusts the consultants and skips this step?  Does checking for an anti-virus definition version level really make me trusted to have full access to the network?

6:31 p.m.:  I miss my train, so I visit another long-term client near the train station, where I can work and access the Internet.

This client has implemented a “Guest Wireless” network, so my free hotspot does not threaten its network, or does it?  Once I access the guest network, what happens if the new hypothetical malware program I didn’t know was on my machine sees the active Internet connection and starts sending out phishing e-mails from the client’s Internet connection, causing the client’s ISP and other various SMTP blacklists to block its e-mail servers?

MITIGATING RISKS
An emerging set of technologies known as network access control (NAC) or, as Microsoft calls it, network access protection (NAP) is designed to mitigate some of these risks.  These technologies provide a wide range of capabilities, but they are focused on automating the enforcement of security policies for network endpoints (mainly end-user computers) and the network ports, both wired and wireless, to which they connect.

NAC typically uses well-known and tested methods (IPsec, 802.1X) to authenticate connections to the network, and then provides mechanisms to test the compliance of the connected computers with a range of security policies, including functioning anti-virus software, firewalls and other such security measures typically installed on a network endpoint.

Authenticated computers that meet all of the required security tests are granted access to their desired applications.  Computers that are either non-authenticated, or that do not meet the required security tests, can be denied access, provided Internet access only, shunted to a “remediation” network, or granted various combinations of controlled access and logging.  One caveat: the health information is reported by an agent running on the endpoint, so a compromised or deliberately hostile machine can misreport its own state.  Health checks raise the bar for careless or out-of-date machines; authentication, network segmentation and logging still have to do the work against a determined attacker.

DIFFERENCES?
Traditional methods of network security use firewalls that block unknown IP addresses to separate the good guys from the bad.  The problem is that this method assumes that an IP address authenticates someone. (Would you give your social security number to a caller because the caller ID indicated the call originated at your bank?) It also assumes the “bad guys” (whether malicious, or unwitting in the case of a compromised computer) are never found inside your network, only on the other side of the perimeter firewall.

The benefit of NAC technologies is that we can use them to confirm who a person is rather than where the connection is coming from.  In today’s corporate climate of extranets, connected business partners, co-opetition, and telecommuting, these more comprehensive methods of identification and authentication should be used to determine access to network resources.

Once we have used NAC technologies to identify the user, we can use automation to determine the data and applications to which the person should have access.  Rather than granting access to the entire network, NAC technologies can specify the applications a user may access and even define the days and times those applications can be accessed.  For example, you can specify that a consultant working on your Exchange 2007 upgrade can access related servers but not the Microsoft SQL Server installation that supports the Microsoft Dynamics-based financial application.

These policies also might include a requirement that the machine used to access the network is fully patched and has up-to-date anti-malware and anti-virus definitions.  The most sophisticated systems will observe what and how data is being accessed and grade the user’s network behavior to further define access and mitigate risk.
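The three stages described above (authenticate the connection, test the endpoint's health, then grant per-resource access bounded by role and time of day) written out as a small policy engine.  This is an added illustration, not code from the original article and not any vendor's NAC/NAP implementation.  Every user name, role, host name, posture threshold and sample endpoint below is a constructed assumption; the guest-network egress check models the 6:31 p.m. concern that an unknown machine on the guest network could relay phishing mail through the client's Internet link.

```python
"""NAC-style access decision engine (added illustration, not a product).

Models three stages: (1) who is connecting, (2) is the machine healthy,
(3) which resources may that role reach, and when.  Also applies an egress
filter to endpoints parked on the guest (Internet-only) network.
All identities, roles, host names and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import FrozenSet, List, Optional


class Decision(Enum):
    DENY = "deny"
    INTERNET_ONLY = "internet-only"  # guest VLAN: Internet egress only
    REMEDIATION = "remediation"      # reach patch/AV update servers only
    FULL = "full"                    # internal resources, subject to role rules


@dataclass(frozen=True)
class Endpoint:
    user: Optional[str]            # identity proven over 802.1X/IPsec, None if none
    role: Optional[str]
    av_signatures_age_days: int    # self-reported by the endpoint agent
    host_firewall_on: bool
    missing_critical_patches: int


@dataclass(frozen=True)
class ResourceRule:
    role: str
    resources: FrozenSet[str]
    weekdays: FrozenSet[int]       # 0 = Monday ... 6 = Sunday
    start_hour: int                # inclusive, 24h local time
    end_hour: int                  # exclusive


# Health policy thresholds (constructed examples).
MAX_AV_AGE_DAYS = 3
MAX_MISSING_CRITICAL_PATCHES = 0

# Guest endpoints may not reach these destination ports.  Blocking 25 stops a
# guest machine relaying mail through the site's ISP link; 465/587 is a
# local decision since guests' own mail clients may legitimately need them.
GUEST_BLOCKED_DST_PORTS = frozenset({25})

RULES = (
    # The Exchange upgrade consultant reaches the Exchange hosts on weekdays
    # during business hours and nothing else: the finance SQL server
    # ("sql-finance", constructed) appears in no rule, so it is denied.
    ResourceRule("exchange-consultant",
                 frozenset({"exch-cas01", "exch-mbx01"}),
                 frozenset({0, 1, 2, 3, 4}), 8, 18),
)


def health_failures(ep: Endpoint) -> List[str]:
    """Return the posture checks the endpoint fails (empty list = healthy)."""
    failures = []
    if ep.av_signatures_age_days > MAX_AV_AGE_DAYS:
        failures.append("stale anti-virus signatures")
    if not ep.host_firewall_on:
        failures.append("host firewall disabled")
    if ep.missing_critical_patches > MAX_MISSING_CRITICAL_PATCHES:
        failures.append("missing critical patches")
    return failures


def network_decision(ep: Endpoint) -> Decision:
    """Stages 1 and 2: unknown device -> guest; known but unhealthy -> remediation."""
    if ep.user is None:
        return Decision.INTERNET_ONLY
    if health_failures(ep):
        return Decision.REMEDIATION
    return Decision.FULL


def resource_allowed(ep: Endpoint, resource: str, when: datetime,
                     rules=RULES) -> bool:
    """Stage 3: per-resource, per-role, per-time access.  Default deny."""
    if network_decision(ep) is not Decision.FULL:
        return False
    for rule in rules:
        if (rule.role == ep.role and resource in rule.resources
                and when.weekday() in rule.weekdays
                and rule.start_hour <= when.hour < rule.end_hour):
            return True
    return False


def guest_egress_allowed(dst_port: int) -> bool:
    """Egress filter for INTERNET_ONLY endpoints."""
    return dst_port not in GUEST_BLOCKED_DST_PORTS


# Constructed sample endpoints and times for the demo.
SAMPLE_CONSULTANT = Endpoint("consultant1", "exchange-consultant", 1, True, 0)
SAMPLE_STALE_AV = Endpoint("consultant1", "exchange-consultant", 10, True, 0)
SAMPLE_GUEST = Endpoint(None, None, 0, True, 0)
MONDAY_10AM = datetime(2008, 8, 18, 10, 0)   # 2008-08-18 is a Monday
SUNDAY_10AM = datetime(2008, 8, 17, 10, 0)   # 2008-08-17 is a Sunday
MONDAY_7PM = datetime(2008, 8, 18, 19, 0)

if __name__ == "__main__":
    print(network_decision(SAMPLE_CONSULTANT).value)                       # full
    print(resource_allowed(SAMPLE_CONSULTANT, "exch-mbx01", MONDAY_10AM))   # True
    print(resource_allowed(SAMPLE_CONSULTANT, "sql-finance", MONDAY_10AM))  # False
    print(network_decision(SAMPLE_STALE_AV).value)                         # remediation
    print(guest_egress_allowed(25))                                        # False
```

Two design points worth noting: access is default-deny at every stage (an endpoint that is not both authenticated and healthy never reaches the role rules), and the health checks consume what the endpoint agent reports, which is exactly why they should gate remediation rather than be the sole basis for trust.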

IMPLEMENTING NAC
There are many ways to design and implement these technologies, but any solution should focus on these questions:

  • What are the goals of the deployment?
  • What constitutes a successful system?
  • How do we deploy the system without crippling productivity?

Given the relative newness and power of NAC/NAP systems, users should spend time clearly defining the project’s goals and desired achievements.  A NAC system automates some basic tasks, but misapplication of its capabilities can have expensive consequences.

Too often, NAC projects have been implemented under a threat from the chief security officer that without NAC, the business will face astronomical amounts of financial risk.  But, the reality is that business is about risk and as the chief security officer role evolves into that of chief risk officer, the organization will begin to recognize that technologies such as NAC allow it to manage risk rather than just minimize it. 

The need for partners, contractors and consultants to access your network will continue to increase, along with your employees’ needs to access data and applications from their home offices, hotels, Starbucks, and mobile phones.  The question for the chief risk officer is not, “How do I stop this connectivity so I can minimize my risk?”  Instead, the executive must ask, “How do I enable this connectivity to improve business performance while managing the risk?”

The risk of access to corporate data is real, as is the risk of direct financial cost if certain types of data are compromised.  California is leading dozens of states that already have privacy breach notification laws on the books, requiring companies to notify individuals of a breach. The federal government is likely to follow suit.

Companies can no longer sit quietly and only deal with those customers whose information is used fraudulently.  Beyond the difficult-to-measure brand and reputational losses, notifications have direct financial costs: One retailer recently spent $88 per compromised credit card record to notify and sponsor credit bureau monitoring services for affected customers. How many social security, account and/or credit card records do you have for customers, employees or contractors?  At $88 per record, how many compromised records does it take to pay for your NAC deployment?

The good news is that NAC deployments are becoming more affordable; the “intelligence” of today’s network edge devices means that many networks are already NAC-capable.  Previously, entire network infrastructures needed to be replaced, requiring a huge capital expenditure.  Now many organizations have already made these investments for other reasons, so implementing NAC can be done with limited capital expenditure. 

If you’re going to let those consultants jump on your network, you may want to consider having them deploy NAC to secure it first.

Ulery is with West Monroe Partners, which helps organizations design and implement IT systems and policies that are aligned with organizational goals and risk profiles. nulery@westmonroepartners.com.
