What IT Executives Should Know about Extranet Security

RFG believes extranets, those managed, private communication networks that provide business partner and customer access to corporate information and other business applications via the Internet and/or dedicated facilities, represent a latent liability risk. Enterprises that provide extranet services should scrutinize the network architecture and user environment to verify that performance guarantees and security are congruent with IT delivery capabilities and service level agreement (SLA) guarantees. Otherwise, the risk factor for extranet liability lawsuits could be disproportionately excessive.

Business Imperatives:

• Extranets provide access to various business-to-business (B2B) applications, such as inventory control, sales and marketing information, and supply chain management (SCM). However, each business application has its own unique set of performance and security requirements, and it is challenging and complex to protect all extranet applications using the same security infrastructure. IT executives should analyze all extranet access to business applications individually to verify that performance and security measures are compatible with enterprise capabilities and business client expectations.
• While extranet services can be quite diverse, there are underlying commonalities that should be considered before guaranteeing any security or SLA performance metrics. IT executives should utilize business application profiles (BAPs) for extranet applications, to monitor performance and security characteristics, and ensure that they comply with enterprise delivery capabilities and user expectations.
• Extranets provide excellent value for numerous enterprises and their respective business partners. Nevertheless, enterprise liability for performance degradations, security breaches, or unexpected disasters must not be disregarded. IT executives should place extranet liability risks on enterprise radar screens, and identify the potential liability risks from B2B clients for unplanned disasters, performance degradations, and security breaches.

The basic tenet of an extranet is straightforward, “to provide a cost effective network transport infrastructure for B2B partners and related clients that is reliable and manageable.” When designed properly, extranets typically provide cost effective and secure environments for most B2B transactions. Many traditional brick-and-mortar companies, such as Chrysler Corp., Ford Corp., General Motors Corp., and Wal-Mart, already take advantage of extranet services for both intranet and Internet business commerce. In fact, the big three automotive manufactures have utilized the Automotive Network Exchange (ANX) for secure, global communications and B2B application access for several years.

Although private lines are still used for extranet access, connectivity via the Internet is now the most popular and pervasive choice. Accordingly, enterprises that support extranets must be prepared to deal with the complexity, security issues, and unpredictable performance indigenous to Internet connectivity. Still, most enterprises agree it is a prudent business decision to provide extranet services that help facilitate efficient and reliable access to B2B applications. Typically, the objective of the extranet is to seamlessly support various core and perfunctory B2B applications to maintain a business edge, or at least achieve competitive parity.

The significant challenge to extranet providers is how to support the differing sets of performance and security requirements B2B applications tend to exhibit. Because of this problem, BAPs are invaluable in establishing the requisite performance and security attributes on a per application basis. The figure below identifies a few examples of extranet B2B applications along with some high-level performance and security requirements that should be included in the BAP. IT executives should keep in mind that there are also different levels of risk and liability to address during extranet planning phases or scheduled performance reviews.

• Access requirements can differ for each B2B application and client environment. However, the more access technologies that must be supported, the more difficult it is for IT to maintain performance levels and extranet security. Therefore, IT executives should review all extranet access methods to validate that they represent the best choices for the specific business applications and user connectivity needs.
• Network availability metrics must be properly selected to ensure compatibility with both IT delivery capabilities and end-user requirements. BAPs and user application profiles (UAPs) should be utilized to verify that there is no mismatch in this critical area.

  IT executives should also understand the exponential cost factor to increase extranet availability, even by a tenth of one percent. Generally speaking, very few business applications can tolerate an availability of 99 percent which translates into a whopping 87.6 hours of downtime per year. On the other hand, few applications require an availability of 99.999 which translates into a mere 5.25 minutes per annum. Consequently, extranet availability guarantees should be carefully scrutinized to ensure that they are compatible with delivery capabilities, IT budgets, and user SLA requirements.

• Security requirements for B2B applications vary drastically in complexity and cost. Recently, state and federal agencies have undertaken a much stronger role in the overall security arena, and are likely to continue their focus on data and network security. Consequently, enterprises will be forced to keep abreast of current, as well as future security initiatives and legislation, or risk liability resulting from a failure to comply lawsuit. IT executives should always take into account the entire B2B communication path, from the end-user device to the business application, before selecting appropriate security measures. In addition, costs to administer, integrate, and manage extranet security should not be overlooked or underestimated.
• Liability risks are probably the most overlooked aspect for those enterprises providing extranet access to business clients. As a result, IT executives should take appropriate actions to guarantee that they are not blindsided in this critical area. In the last year alone, legal actions have increased significantly against many network providers for both performance and security problems. Extranet providers that either fail to or cannot prove they implemented adequate or best practice measures to protect their users from poor performance and security breaches will likely be culpable for associated damage claims.

During the liability risk analysis, IT executives should identify the impact poor network performance or a security breach could have on extranet applications, and incorporate suitable measures to help protect the enterprise from business partner liability claims. RFG believes many extranet SLAs may require downward performance adjustments to protect against over committing to superfluous performance and security guarantees. IT executives should review all extranet SLA guarantees to confirm that they are not over committing in the areas of performance and security, and that all guarantees are achievable with minimal liability.

One thing is clear, extranet growth continues, and thousands of extranets are currently in service in just the U.S. alone. Although it is unusual for any two extranets to exhibit similar performance and security profiles, there are some guidelines enterprises should consider when extranet services are the order of the day.

• Liability risks for B2B applications must be assessed, especially in the event of a disaster, major service failure, or a security breach.
• Performance metrics must be judiciously selected and tested to verify that the IT infrastructure can support them from both a cost and technology standpoint.
• Security measures must be considered on a per application basis. This includes data encryption and protection, mutual client/server authentication, and user access rights verification along with non-repudiation.
• Security policies and user requirements must be established, disseminated to users, and actively enforced.
• User environments, including the communication equipment and PCs, must be capable of meeting required performance, reliability, and security standards.

IT executives should also be prepared to allocate appropriate funds to update extranets on an annual basis. Likewise, IT executives should contemplate the following questions during extranet performance reviews, to ascertain if adjustments are required to the IT or network infrastructures.

• Are administration tools for assisting B2B clients to access and utilize extranet services up to par?
• Are current securities monitoring systems providing proactive alerts and notifications for all types of security breaches?
• Are existing network management and reporting tools proactively monitoring fault and performance management as required?
• Are there any improved communication technologies that could provide cost or performance benefits?
• Are there any new security legislations or best practices that should be evaluated and added to the existing extranet infrastructure?

As a final point, IT executives should take special interest in emerging or existing federal and state security-oriented legislation. For example, the Sarbanes-Oxley (SOX) Act of 2002 that addresses the controls auditing, reporting, and record retention directives for IT systems should be a mandatory read for all IT organizations. Likewise, those extranets that are required to support regulated transactions, such as financial services under the Graham-Leach-Bliley Act or healthcare under the Health Insurance Portability and Accountability Act (HIPAA), could subject the extranet provider to additional liability risks if B2B partners fail to comply.

Likewise, those SLA guarantees that deal with availability, performance, or security should be scrutinized to certify that the enterprise is not at significant risk if SLA guarantees are not met. RFG believes the following list of questions should be considered as a part of the extranet planning process (in order of occurrence).

• Are there effective disclaimers in extranet contracts that limit liability for disaster situations, performance degradations, and security breaches?
• Do B2B parties agree to end-to-end security requirements, and have user environments been tested to verify enterprise compliance?
• What is the required extranet availability guarantee? Can it be delivered consistently and reliably?
• Can all critical performance metrics be proactively monitored?
• Have single points of failure (SPOF) in the extranet infrastructure been identified? Are there acceptable back-ups available?
• Are regular performance reviews conducted to ensure that performance and security are working as planned?

RFG believes extranets perform a key role for many enterprises by facilitating cost effective and reliable access to B2B applications. Even though extranet benefits far outnumber the risks, performance guarantees and security must be painstakingly determined and implemented to preclude liability issues from B2B clients and other extranet users. IT executives should verify that SLA guarantees and security requirements are being met by existing IT and network infrastructures, and if not, take appropriate actions to protect enterprise assets and maintain reliable and secure extranet access.

RFG analyst John Stehman wrote this Research Note. Interested readers should contact RFG Client Services to arrange further discussion or an interview with Mr. Stehman.