Extending VPN access to partners, contractors and consultants has quickly become part and parcel of modern business. Indeed, the extranet is an integral New Data Center concept. Not every company extends VPN access as safely as it might, however. The problem is that many enterprises provide the technology but fail to spell out adequately what network visitors can and cannot do. They underestimate the need for a VPN-use agreement.

Read a related story advising you not to forget about company insiders.

Such an oversight recently became clear to Contra Costa Community College District in Martinez, Calif. A software vendor with VPN access got on the network, hopped across the WAN and snooped around desktops at other campuses, says Katherine Ogden, network technology manager for the district.

As it turned out, no harm was done; the district issued a warning to the contractor but did not terminate the relationship. The incident did prompt the district to create a remote-access use agreement that all contractors now must sign before they can jump on the VPN.

Extranet-use agreements, as they sometimes are called, are essential to maintaining network integrity and protecting the host company from harmful data breaches, says Jalal Zamanali, CISO of Guaranty Bank in Austin, Texas. A VPN-use agreement's biggest benefit is that it sets ground rules for contractors. "They need to know what is expected of them and must know the consequences of not doing due diligence," he says.

VPN use, spelled out

A VPN-use agreement should cover a wide range of details. This includes how much access is acceptable and at what times, what users must do to recertify and revalidate themselves to the VPN, and what kinds of user devices are authorized on what types of connections. In addition, a use agreement should specify how the company will monitor user activities.

The need for a use agreement is more pronounced with Layer 3 IPSec VPNs because they expose an entire network, not just specific applications. "Just because something is accessible doesn't mean contractors have the right to access it," Ogden says. "We don't want them to use data gathered from us in any way without our express agreement."

To that end, every VPN-use agreement also should include a nondisclosure section. Through it, VPN users agree not to share data they've been authorized to access, and they agree to store the data securely.