This article can also be found in the Premium Editorial Download "Information Security magazine: Nine tips to guarding your intellectual property."
Download it now to read this article plus other related content.
|A NAC for Securing Contractors|
A network access control appliance helps a health care company manage contractors' access to corporate resources.
By Marcia Savage
On any given day, accountants, IT contractors and vendors come into the Florham, N.J., headquarters of Managed Healthcare Associates needing network or Internet access. To control these outsiders--and protect corporate assets--MHA uses a network access control appliance from Vernier Networks.
With Vernier's EdgeWall, contractors and other third parties at MHA--a provider of contract purchasing services to long-term care pharmacies--are granted access to the network resources appropriate for their roles. For example, an accountant might get a certain amount of Internet bandwidth and printer access but no access to file shares.
"You know you're doing as much as possible to be flexible--assign someone a policy, or a permission set, that allows them access to the network but in a controlled fashion," says Gregory Thomas, vice president of IT at MHA.
EdgeWall, which doesn't require client-side software, allows the company to authenticate not only users but their machines, and screens machines for viruses, worms and spyware before allowing them onto the network.
The appliance also acts as a monitoring and reporting tool, tracking when a contractor is logged in, and what he or she accessed or was denied access to, or copied. If a contractor is downloading more data than his role allows, the device gives MHA the ability to block the activity or issue an alert.
Marcia Savage is features editor of Information Security.
An organization can create and enforce IT policies and procedures to prescribe the best ways to protect data, detect inappropriate data access, respond to suspected incidents, and govern the recruiting and hiring of contractors, such as requiring levels of screening for all contractor staff.
Policies should also define the concept of data custodian within the organization and make it clear to contractors that the role applies to them. A data custodian has access and some supervisory authority over data but no ownership of it. Policies should enumerate specific responsibilities of the data custodian, including keeping information confidential and not copying or redistributing it. Other policies might include using antivirus and other safeguards when downloading or transferring corporate information, and not sharing passwords.
Barbara Buechner, manager of IT information security engineering for Verizon Wireless, points out that agreements with contractors should include special provisions to ensure they recognize, accept and will adhere to company policies.
"Your two most important tools are the terms and conditions that you place in your contracts, and your ability to periodically recertify access privileges," adds van de Gohm.
This was first published in May 2007