Extending VPN access to partners, contractors and consultants has quickly become part and parcel of modern business. Indeed, the extranet is an integral New Data Center concept. Not every company extends VPN access as safely as it might, however. The problem is that many enterprises provide the technology but fail to spell out adequately what network visitors can and cannot do. They underestimate the need for a VPN-use agreement.
Such an oversight recently became clear to Contra Costa Community College District in Martinez, Calif. A software vendor with VPN access got on the network, hopped across the WAN and snooped around desktops at other campuses, says Katherine Ogden, network technology manager for the district.
As it turned out, no harm was done; the district issued a warning to the contractor but did not terminate the relationship. The incident did prompt the district to create a remote-access use agreement that all contractors now must sign before they can jump on the VPN.
Extranet-use agreements, as they sometimes are called, are essential to maintaining network integrity and protecting the host company from harmful data breaches, says Jalal Zamanali, CISO of Guaranty Bank in Austin, Texas. A VPN-use agreement's biggest benefit is that it sets ground rules for contractors. "They need to know what is expected of them and must know the consequences of not doing due diligence," he says.
VPN use, spelled out
A VPN-use agreement should cover a wide range of details. This includes how much access is acceptable and at what times, what users must do to recertify and revalidate themselves to the VPN, and what kinds of user devices are authorized on what types of connections. In addition, a use agreement should specify how the company will monitor user activities.
The need for a use agreement is more pronounced with Layer 3 IPSec VPNs because they expose an entire network, not just specific applications. "Just because something is accessible doesn't mean contractors have the right to access it," Ogden says. "We don't want them to use data gathered from us in any way without our express agreement."
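The monitoring clause described above, together with Ogden's point that reachable is not the same as authorized, can be checked mechanically by auditing VPN session records against the terms the agreement spells out: allowed hours, authorized devices, and the hosts and ports the contractor is actually entitled to reach. The script below is an added example, not code from the article or from either organization it quotes; the log format, the field names and the per-contractor policy table are assumptions constructed for illustration.

```python
"""Audit contractor VPN connection records against the clauses of a VPN-use agreement.

Added example. The log format, field names and CONTRACTOR_POLICY structure are
assumptions for illustration, not any vendor's real export format.
"""
from datetime import datetime
import ipaddress

# Constructed sample log: one record per connection observed over the tunnel.
# Fields: timestamp, VPN user, device ID presented at login, destination IP, destination port
SAMPLE_LOG = """\
2024-03-04T10:15:02 vendorA laptop-v1 10.20.5.10 443
2024-03-04T10:17:44 vendorA laptop-v1 10.30.7.25 445
2024-03-04T02:03:11 vendorA laptop-v1 10.20.5.10 443
2024-03-04T11:05:09 vendorA unknown-dev 10.20.5.10 443
2024-03-04T11:20:30 vendorA laptop-v1 10.20.5.11 22
2024-03-04T12:00:00 vendorB laptop-b 10.20.5.10 443
"""

# Assumed per-contractor policy mirroring the agreement: when they may connect,
# from which devices, and which networks/ports are in scope for the engagement.
CONTRACTOR_POLICY = {
    "vendorA": {
        "allowed_hours": (8, 18),                       # local hours, [start, end)
        "authorized_devices": {"laptop-v1"},
        "authorized_targets": [                         # (network, allowed ports)
            (ipaddress.ip_network("10.20.5.0/24"), {443}),
        ],
    }
}


def parse_line(line):
    """Split one space-separated log record into typed fields."""
    ts, user, device, dst, port = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "user": user,
        "device": device,
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
    }


def check_record(rec, policy):
    """Return the list of agreement clauses this single record violates (empty if none)."""
    findings = []
    start, end = policy["allowed_hours"]
    if not (start <= rec["time"].hour < end):
        findings.append("outside_allowed_hours")
    if rec["device"] not in policy["authorized_devices"]:
        findings.append("unauthorized_device")
    # Reachable over a Layer 3 tunnel is not the same as authorized: the destination
    # must fall inside an in-scope network AND use an allowed port.
    in_scope = any(rec["dst"] in net and rec["port"] in ports
                   for net, ports in policy["authorized_targets"])
    if not in_scope:
        findings.append("out_of_scope_target")
    return findings


def audit(log_text, policies):
    """Return (user, timestamp, 'ip:port', [violations]) for every record that breaks a clause.

    A user with no agreement on file is itself a finding, since nothing governs that access.
    """
    violations = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        target = f"{rec['dst']}:{rec['port']}"
        policy = policies.get(rec["user"])
        if policy is None:
            violations.append((rec["user"], rec["time"].isoformat(), target, ["no_agreement_on_file"]))
            continue
        found = check_record(rec, policy)
        if found:
            violations.append((rec["user"], rec["time"].isoformat(), target, found))
    return violations


if __name__ == "__main__":
    for user, when, target, reasons in audit(SAMPLE_LOG, CONTRACTOR_POLICY):
        print(f"{when} {user} -> {target}: {', '.join(reasons)}")
```

Run against the constructed sample, the audit flags the SMB connection to a campus outside the engagement's scope, the 2 a.m. session, the login from a device not named in the agreement, an SSH attempt to an in-scope host on a port the agreement does not cover, and a user for whom no agreement exists at all. The same clause-by-clause structure is what a use agreement should make explicit in writing, so that each flagged record maps to a term the contractor signed.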
To that end, every VPN-use agreement also should include a nondisclosure section. Through it, VPN users agree not to share data they've been authorized to access, and they agree to store the data securely.
Given all the ground a VPN-use agreement must cover, IT should solicit the help of a wide range of parties in writing one, Zamanali says. Obviously the corporate lawyer should be involved, and possibly business group leaders and human resources personnel as well. At Guaranty Bank, the VPN-use agreement becomes part of the service contract with vendors, which helps signal its importance, he says. "You want to keep them involved and their company involved so they know they have a stake in complying," he says. Violating the VPN-use agreement could become grounds for termination of the overall contract.
In some cases, criminal penalties also may be applicable. At Contra Costa Community College District, for example, contractors misusing certain types of data may be subject to criminal penalties under California's data-breach notification statute, Ogden says. As a corollary, contractors must disclose any network breach that could endanger the district's data. The district, in turn, would have to notify people whose confidential data might have been compromised, she says.