Ensuring consistent security implementation within a distributed and federated environment

Abstract

Keep your friends close Collaborating with other companies during a shared venture brings shared security headaches. Companies in a federation may be forced to put up with project partners who don't have as high security standards as they do. How can you ensure you don't get dragged under by the weakest link? A weaker partner could have poor user management systems leaving employees who have left the organization with active accounts, or have privileged accounts with weak authorization levels. It may connect your organization to an unknown external network or expose you to malware infections. To guard against such weaknesses the federation must have a governing body that manages a policy that all partners comply with. According to Paul Stephenson at Insight Consulting, a legally binding contract should be set up to make sure everyone pulls their weight in a federation. A policy should set standards ranging from data handling and personal processes to platform hardening to anti-virus control. If members fail to comply it is recommended that penalties be imposed that could involve financial fines or disconnection from the network. It is suggested that even IDS systems could be installed on shared networks to ensure partners do not port scan each other. Making sure partners in a federation all pull their weight to ensure no links in the security chain are broken needs strict code of conduct. Paul Stephenson puts forwards guidelines to ensure partners have to pull up their socks.