Organizations planning to partner with Charleston Southern University in South Carolina better get ready for a rigorous vetting process. CIO Rusty Bruns is a stickler when it comes to security.
His biggest fear is that a hacker will find a security hole, break into university databases, and steal personal and financial information for thousands of students and alumni. "You have to make a conscious best effort that that's not going to happen," Bruns says. "I have to say we've done everything we can based on the school's budget and the technology that's out there to protect this information."
Bruns comes by such confidence in part because he audits the CSU network every 12 to 18 months and subjects all prospective partners to a thorough third-party audit. (He has even budgeted for external audits, in case a potential partner cannot afford one.) Among the information he gathers are frequency of password updates, firewall-monitoring procedures, and found vulnerabilities or access holes.
Once he's satisfied that the prospective partner has fixed any major flaws uncovered during the audit, he makes all project team members at that organization sign a security policy. With their signatures, they promise to take a variety of security precautions, such as changing passwords frequently, and they agree not to divulge any shared information. Bruns then checks the partner's references, asking direct questions about how the organization handles security.
Even when Bruns is satisfied that a prospective partner can be trusted, he only extends the CSU network via direct links, using two levels of application-specific passwords and encrypting all transmissions. He could not achieve high enough levels of security if he allowed Web access, Bruns says.
The more the merrier
Vinnie Cottone, vice president of infrastructure services at financial services firm Eaton Vance in Boston, takes a different tack. He is a big proponent of partnering and doesn't want to limit how many companies can access the network. To that end, he's created the Business Partner Network.
The Business Partner Network extends to about 40 partners, including one outsourcer that operates Eaton Vance's call center and another that cares for the firm's client data records. Also linked to the Eaton Vance network are 250 companies that supply financial data feeds. Any participating company must sign a security policy, Cottone says.

"Everybody has their own infrastructure. Since we can't mandate how it's going to be in their networks, the onus is on our enterprise, not our partners. We've got to figure out how to do it," Cottone says, especially given today's proliferation of viruses and worms, and the increasingly stringent regulations.
Firms signing up to be part of the Business Partner Network can choose from a menu of connection options, Cottone says. "It's more than a DMZ. We have Web-based applications, some private lines - it depends on the application we're trying to push out," he says. In the financial services world, "the big push is to go all Internet-based and get away from the real estate of private links," he says.