Isolating contractors from sensitive data

For information security directors at large corporations, the growing reliance on contractors is a major concern. Local and offshore programmers provide businesses a competitive edge, but they also increase security risks. Once within the network, they often have free access to confidential data and business systems. Even when access is restricted, these savvy individuals can easily jump to unauthorized systems -- unknown to the corporation.

The sensitive work performed by many contractors places them within reach of customer data, confidential documents and strategic plans. How can businesses prevent contractors from accessing sensitive or business-critical data? Is there a cost-efficient way to isolate contractors from essential business systems?

To meet the challenges, businesses are turning to software-based contractor isolation solutions. Designed to limit the access of contractors without adding costly and complex firewalls or virtual LANs (VLANs), these security solutions are helping large corporations protect their critical assets.

Challenges in securing data from contractors
Recent studies indicate that nearly half of all American technology companies rely on offshore. While perimeter security is efficient for preventing unknown parties from gaining network access, its value is greatly limited for the contractor invited inside the network -- either physically or remotely.

In the past, configuring firewalls or VLANs to allow only specific IP addresses was sufficient because desktops were physically tied to an exact location. However, users now carry laptops in and out of the network, creating challenges for IP-based firewall and VLAN access control.

Many businesses rely on a single security baseline for allowing users to access the network. However, this is insufficient for contractor-reliant organizations. Given the many security challenges that must be overcome to allow contractors access to the network, a new approach is needed to protect corporate data.

Software-based contractor isolation
Designed to limit a contractor's access once inside the network and eliminate access to sensitive data and systems, software-based contractor isolation helps corporations impose flexible yet secure access policies for contractors. No longer do developers need access to the entire corporate network to perform their tasks.

Eliminating the need to reconfigure firewalls, change VLANs and alter access control lists, software-based contractor isolation ensures policies are enforced regardless of a contractor's location or entry-point to the network.  By establishing logically segmented security zones, software-based contractor isolation can be highly customized. In addition, multiple zones can overlap; allowing layers so different groups can access the same system (see Figure 1). This eliminates the need to set up physically separate networks exclusively for contractors. This new approach adds network-layer authentication that is tied to each contractor's physical computer.

Figure 1: Logical security zones can be layered within the enterprise or across geographic boundaries.

Designed to accommodate large networks with many contractors, software-based contractor isolation strictly controls access to security zones. It also provides an economical alternative to managing many internal network firewalls or VLANs.

Software-based contractor isolation solutions can be used to isolate servers, endpoints and business critical data into security zones regardless of their platform or physical location.  Access to these zones can be strictly controlled based on policy while communications are optionally and selectively encrypted.  Now, large corporate enterprises have access to levels of flexibility and efficiency not available with traditional hardware-based network security solutions.

What to look for
When seeking a software-based contractor isolation solution, consider the following important requirements:

Transparent to infrastructure and applications: Transparency ensures seamless operation with existing infrastructure and eliminates long and costly integration.

Certificate-based authentication: Ideally, a solution should use X.509 v3 certificates to ensure operator credentials cannot be spoofed.

Interoperates with VPN clients: To accommodate external contractors, look for a solution that works with the company's existing VPN infrastructure.

Centralized management: Look for a solution that provides a single point of security management to simplifying policy deployment.

Not dependent on IP addresses: The ideal solution should be able to enforce security standards regardless of the connection method of the contractor or IP address changes.

Supports a multiple operating system environment: Any solution should accommodate both leading and legacy operating systems.

Centralized access logging and reporting:
To aid with auditing, the solution should track and report who accesses or attempts to access systems, and allow alert notifications.

Designed for complex IT environments: Solutions should be robust and scalable to accommodate highly complex environments.

By implementing logical security zones layered within the enterprise and across geographic boundaries, large corporate enterprises can rest assured that their contractors are accessing only what they need to get the job done – and nothing more. Implementation of such a strategy can enable organizations to minimize rogue contractor activity while optimizing their corporate network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.