VPN contracts: the missing link
Extending VPN access to partners, contractors and consultants has quickly become part and parcel of modern business. Indeed, the extranet is an integral New Data Center concept. Not every company extends VPN access as safely as it might, however. The problem is that many enterprises provide the technology but fail to spell out adequately what network visitors can and cannot do. They underestimate the need for a VPN-use agreement.
Such an oversight recently became clear to Contra Costa Community College District in Martinez, Calif. A software vendor with VPN access got on the network, hopped across the WAN and snooped around desktops at other campuses, says Katherine Ogden, network technology manager for the district.
As it turned out, no harm was done; the district issued a warning to the contractor but did not terminate the relationship. The incident did prompt the district to create a remote-access use agreement that all contractors now must sign before they can jump on the VPN.
Extranet-use agreements, as they sometimes are called, are essential to maintaining network integrity and protecting the host company from harmful data breaches, says Jalal Zamanali, CISO of Guaranty Bank in Austin, Texas. A VPN-use agreement's biggest benefit is that it sets ground rules for contractors. "They need to know what is expected of them and must know the consequences of not doing due diligence," he says.
VPN use, spelled out
A VPN-use agreement should cover a wide range of details. These include how much access is acceptable and at what times, what users must do to recertify and revalidate themselves to the VPN, and what kinds of user devices are authorized on what types of connections. In addition, a use agreement should specify how the company will monitor user activities.
The need for a use agreement is more pronounced with Layer 3 IPSec VPNs because they expose an entire network, not just specific applications. "Just because something is accessible doesn't mean contractors have the right to access it," Ogden says. "We don't want them to use data gathered from us in any way without our express agreement."
To that end, every VPN-use agreement also should include a nondisclosure section. Through it, VPN users agree not to share data they've been authorized to access, and they agree to store the data securely.
Given all the ground a VPN-use agreement must cover, IT should solicit the help of a wide range of parties in writing one, Zamanali says. Obviously the corporate lawyer should be involved, but possibly so should, for example, business group leaders and human resources personnel. At Guaranty Bank, the VPN-use agreement becomes part of the service contract with vendors, which helps signal its importance, he says. "You want to keep them involved and their company involved so they know they have a stake in complying," he says. Violating the VPN use agreement could become grounds for termination of the overall contract.
In some cases, criminal penalties also may be applicable. At Contra Costa Community College District, for example, contractors misusing certain types of data may be subject to criminal penalties under California's data-breach notification statute, Ogden says. As a corollary, contractors must disclose any network breach that could endanger the district's data. The district, in turn, would have to notify people whose confidential data might have been compromised, she says.
A measure of trust
Given what's at stake, a prerequisite to any extranet agreement should be establishing trust with the company seeking VPN access by checking out contractors beforehand. For example, Guaranty Bank requires vendors to show they comply with generally accepted industry standards for network security through a third-party evaluation, such as a Statement on Auditing Standards review. This gives some level of assurance that the company follows accepted network security practices, Zamanali says.
Contra Costa Community College District requires a listing of the specific individuals who will be using the VPN and restricts access to just those few, Ogden says. Guaranty Bank takes vetting a step further by having its human resources department check the criminal backgrounds of the individuals to whom it intends to give VPN access, Zamanali says.
NetIQ Security Manager and other network monitoring tools that trigger notifications when users attempt unauthorized activity help with the difficult task of keeping an eye on contractors, Zamanali says. But not every violation needs investigating. "We look for patterns. If we get unauthorized attempts continuously from the same source, we investigate," he says.
Use agreements must be monitored over time to make sure privileges are revoked when contracts expire, Ogden says. Even with the best intentions, sometimes access must be granted to external users who haven't signed on the dotted line, she adds. "Frequently it doesn't become apparent until after the contract is signed that the vendor will need VPN access. Then suddenly we need them to fix a horrific problem that requires access," she says.
In those cases, Ogden says, the district bends the rules a little, but ultimately gets an agreement signed.
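The three controls the article describes, a named-individual access list, revocation at contract expiry, and investigating repeated unauthorized attempts from one source, can be turned into a routine review of VPN logs. The following Python script is an added example, not code from the article or from either organization quoted; the contractor roster, log line format and date values are all constructed for illustration.

```python
from collections import Counter
from datetime import date

# Constructed roster: the named individuals the contractor listed for VPN use,
# with the contract end date after which their access should be revoked.
CONTRACTORS = {
    "vendor.alice": {"company": "ExampleSoft", "contract_ends": date(2024, 6, 30)},
    "vendor.bob": {"company": "ExampleSoft", "contract_ends": date(2025, 12, 31)},
}

# Constructed VPN log, one event per line: timestamp user source resource result
SAMPLE_LOG = """\
2024-07-01T08:00:12 vendor.alice 203.0.113.5 vendor-app ALLOWED
2024-07-01T08:05:40 vendor.bob 203.0.113.9 campus2-fileshare DENIED
2024-07-01T08:06:02 vendor.bob 203.0.113.9 campus3-desktop DENIED
2024-07-01T08:06:30 vendor.bob 203.0.113.9 campus4-desktop DENIED
2024-07-01T09:10:00 vendor.carol 198.51.100.7 vendor-app ALLOWED
2024-07-01T09:15:00 vendor.bob 203.0.113.9 vendor-app ALLOWED
"""

AUDIT_DATE = date(2024, 7, 1)  # hypothetical day the review is run


def parse_log(text):
    """Split the constructed log format into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, source, resource, result = line.split()
        events.append({"ts": ts, "user": user, "source": source,
                       "resource": resource, "result": result})
    return events


def review_access(events, roster, today, threshold=3):
    """Flag users not on the roster, users whose contract has ended, and
    (user, source) pairs with repeated denials, the pattern worth investigating."""
    findings = set()
    denied = Counter()
    for e in events:
        entry = roster.get(e["user"])
        if entry is None:
            findings.add(("unlisted_user", e["user"]))
        elif entry["contract_ends"] < today:
            findings.add(("expired_contract", e["user"]))
        if e["result"] == "DENIED":
            denied[(e["user"], e["source"])] += 1
    for (user, source), n in denied.items():
        if n >= threshold:  # single denials are noise; a run from one source is not
            findings.add(("repeated_denials", f"{user}@{source} x{n}"))
    return sorted(findings)


def run_sample():
    return review_access(parse_log(SAMPLE_LOG), CONTRACTORS, AUDIT_DATE)
```

Run on the constructed log, the review flags the expired account, the user never listed by the vendor, and the one source that was denied three times in a row, while the single allowed requests produce nothing.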