Business partner security: Managing business risk

Allowing outside business partner access to your systems and data always comes with some level of risk. Nick Lewis examines what those risks are and strategies for managing business risk.

Security issues surrounding business partners have been a reality since before computers were invented. A business partner, for the purposes of this discussion, is an organization or individual(s) that has a business relationship with your enterprise and has been given access to potentially sensitive data or systems as a term of the partnership.

As organizations have interconnected with business partners and provided more access to internal systems, more information security challenges have arisen. Since business partners often have the same level of access to data or systems as trusted insiders or even outsourcers, many of the information security challenges bear a striking resemblance to the insider threat risks organizations have faced for some time. Privileged access by a business partner only amplifies the risk since, like any insider, the business partner could bypass the security controls in place to thwart external or non-trusted access.

Organizations need to perform their due diligence to ensure they are protected from risk posed by business partners. In this tip, we will examine typical risks involving business partners and methods to mitigate those risks.

Typical risks involving business partners

The risk posed by a business partner depends heavily on the type of access it has and on the data and resources that access reaches. Business partners could have access to the internal network in many different ways: in-person physical access, local login credentials or remotely. From a business process standpoint, such access may be critical to enable a partner to execute the role it's been asked to perform, but from a security perspective, it assumes the partner knows how and is able to use that access responsibly. This is not always the case.

Similarly, another risk is that the business partner has less secure information security practices than your organization. A practice as routine in some partner organizations as sharing individual login credentials could lead to a partner's access being stolen or used inadvertently to attack your systems. This method of attack, often coming over a trusted connection using legitimate access credentials, is difficult to detect. For example, if the business partner has a system set up with remote access over the Internet to its network via SSH using single-factor authentication, and a password is captured via malware or brute-forced, an attacker could use that account to attack your systems over the trusted network connection. Using the trusted network connection into your organization from the business partner's network would make the attack difficult to detect since it might not pass through your border security.

Separately, risks around any data that a business partner might have accessed, stored or processed will also differ depending on the business partner relationship, but could be a more significant risk than access to a system. If a business partner has stored sensitive data like Social Security numbers, and its security is breached, your organization may be responsible for notifying your customers of the security incident, the associated costs and potential liability, even though your security may not have been directly compromised. A more serious risk to the partnership could be any unauthorized access to intellectual property shared with the business partner.

Methods for mitigating and managing business risks

In short, the best way to go about managing business risk as it relates to business partner security is to implement strong security controls. Technical security controls that your organization could implement to secure the access the business partner has to your systems are: use encrypted connections for all transport of data, require all access to be via an individual account using strong authentication, log all access and activities, and then review the logs to look for suspicious activities. Business controls that could be put in place include proper authorization for new users, access list review by management, and having contracts in place that define the relationship.

Business partner contracts should include references to security controls, including the responsibilities and expectations the partner is expected to meet, such as adhering to the same security policy employees must follow. The contract could include details about reporting security incidents, minimum security controls necessary to protect systems and data, and details around access. Contracts that include such provisions -- or an addendum to an existing contract -- will help ensure expectations on both sides are understood.

For an atypical business partner arrangement, or one that the security team believes may present higher-than-normal security risks, your organization could also conduct a risk assessment as a part of the due diligence process prior to committing to the partnership. This ensures management and other stakeholders understand the technical risks involved with granting the business partner access to your systems, essentially making it a management decision as to whether to move forward with the partnership, put special controls in place to decrease the risk, or choose not to initiate the engagement.

An additional method to manage the risks around business partners or even trusted insiders is to log and regularly review the logs to look for suspicious behavior. Depending on the volume of the logs, this may require automated tools to help identify events that require manual investigation, but ideally, your security team already has log review capabilities in place to do this.
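The two paragraphs above describe the technical controls (individual accounts, strong authentication, logging) and the automated log review that turns those logs into events worth a manual look. The following script is an added example, not code from the original article or its author: it reviews sshd-style authentication lines from a hypothetical partner access gateway and flags the indicators the article calls out, namely logins on accounts that are not named individual accounts, password authentication where the agreement requires public-key authentication, connections from outside the partner's agreed source network, a success that follows a burst of failures, and one account used from two different addresses within a short window (a sign of shared credentials). The log lines, account names, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the illustration.

```python
"""Flag suspicious partner-account logins in sshd-style auth logs.
Added example; the agreement values and the sample log are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical partner agreement: named individual accounts, the partner's
# agreed source network, and the authentication method the contract requires.
PARTNER_ACCOUNTS = {"acme-jsmith", "acme-kdoe"}
PARTNER_NETWORK = ipaddress.ip_network("203.0.113.0/24")
REQUIRED_METHOD = "publickey"
FAILED_BEFORE_SUCCESS = 5          # failures in WINDOW that make a success suspicious
WINDOW = timedelta(minutes=10)     # window for failure bursts and dual-source use

# Matches the "Accepted ..." / "Failed ..." lines sshd writes on each attempt.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample: one clean login, one account hopping networks, one
# password success after a burst of failures, and one shared account.
SAMPLE_LOG = """\
Jul 12 02:01:10 partner-gw sshd[2201]: Accepted publickey for acme-jsmith from 203.0.113.20 port 50122 ssh2
Jul 12 02:03:44 partner-gw sshd[2210]: Accepted publickey for acme-jsmith from 198.51.100.9 port 50131 ssh2
Jul 12 02:20:01 partner-gw sshd[2230]: Failed password for acme-kdoe from 203.0.113.41 port 50140 ssh2
Jul 12 02:20:05 partner-gw sshd[2230]: Failed password for acme-kdoe from 203.0.113.41 port 50140 ssh2
Jul 12 02:20:09 partner-gw sshd[2230]: Failed password for acme-kdoe from 203.0.113.41 port 50140 ssh2
Jul 12 02:20:13 partner-gw sshd[2230]: Failed password for acme-kdoe from 203.0.113.41 port 50140 ssh2
Jul 12 02:20:17 partner-gw sshd[2230]: Failed password for acme-kdoe from 203.0.113.41 port 50140 ssh2
Jul 12 02:20:22 partner-gw sshd[2231]: Accepted password for acme-kdoe from 203.0.113.41 port 50141 ssh2
Jul 12 03:10:00 partner-gw sshd[2300]: Accepted publickey for acme-shared from 203.0.113.50 port 50200 ssh2
Jul 12 03:11:00 partner-gw sshd[2301]: pam_unix(sshd:session): session opened for user acme-shared by (uid=0)
"""


def parse_line(line, year=2011):
    """Return a dict for a recognised auth line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": ipaddress.ip_address(m["src"])}


def review(lines):
    """Return (timestamp, account, finding) tuples for events needing a manual look."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    findings = []
    failures = defaultdict(list)   # account -> timestamps of failures since last success
    last_login = {}                # account -> (timestamp, source) of last success
    for e in events:
        user, ts, src = e["user"], e["ts"], e["src"]
        if e["result"] == "Failed":
            failures[user].append(ts)
            continue
        # Everything below applies to a successful login.
        if user not in PARTNER_ACCOUNTS:
            findings.append((ts, user, "login on non-individual account"))
        if e["method"] != REQUIRED_METHOD:
            findings.append((ts, user, f"weak auth method {e['method']}"))
        if src not in PARTNER_NETWORK:
            findings.append((ts, user, f"source {src} outside partner network"))
        recent = [t for t in failures[user] if ts - t <= WINDOW]
        if len(recent) >= FAILED_BEFORE_SUCCESS:
            findings.append((ts, user, f"success after {len(recent)} failures"))
        failures[user] = []
        prev = last_login.get(user)
        if prev and prev[1] != src and ts - prev[0] <= WINDOW:
            findings.append((ts, user, f"used from {prev[1]} and {src} within window"))
        last_login[user] = (ts, src)
    return findings


if __name__ == "__main__":
    for ts, user, why in review(SAMPLE_LOG.splitlines()):
        print(f"{ts:%b %d %H:%M:%S}  {user:<12} {why}")
```

Each finding is a pointer for the manual investigation the article mentions, not a verdict: the thresholds belong in the partner agreement, and the allowlisted network and account set are exactly the details a contract addendum can pin down so that the review has something concrete to check against.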

It might initially appear to a business partner that you do not trust them if you implement strong security controls, conduct a risk assessment or review relevant logs regularly. However, if you follow the same practices with all business partners and model the assessment after what's practiced for internal security, this can easily be justified to the potential partner as standard due diligence. Keep in mind too that if you do not follow the security requirements that you place on business partners, the business partner may have concerns about providing your organization any access to its systems, which can strain the relationship between the organizations.

Managing business partner risks: Conclusions

Without question, the new interconnections and access that have been given to business partners in order to conduct business quickly and efficiently in today’s computer-centric world have brought about new risks. This new access to systems and to data has increased exposure to organizations, but these security risks surrounding business partners can be mitigated successfully. Remember though that business partner security risks will always exist in some form, and ultimately security’s role is to advise business leaders about those risks and put controls in place to mitigate those risks to the greatest extent possible.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwestern university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was last published in July 2011
