Adam Ely
Commentary

White List Or Black List?

I have spent my week deep in thought on how to secure connections from third-party business partners into my organization. Many of these partners work as an extension of the company, such as outsourced development and operations. These partners have access to source code, business documents, and other sensitive data we would prefer that no one could get to. Data theft is a serious concern, as are other issues, such as a malware infection that hops from a partner's system onto our network.

When I ask my coworkers about this issue, some say to give full, open access, while others advise locking down resources as tightly as possible. This is a problem many security professionals wrestle with, and I'm not sure IT has the right solution for every situation.

Traditional theory tells us to use a white list: default deny, then allow specific source and destination, port and protocol, so that only the connections we believe to be safe are permitted. In dynamic and changing environments, however, this leads to a steady stream of rule changes for IT and reduced productivity for the requestors, because every new system or service is blocked until someone adds it. Have you ever developed code only to find out when it moved to production that some firewall rule blocks access and IT can't make the change for a week? I have, and it sucks.

Blacklisting inverts this: default allow, and you identify what needs protecting and deny access to it. I bet there are fewer systems and data that need to be protected than need to be accessed. This approach may require moving some systems or blocking entire subnets, but white listing can lead to the same work. The trade-off is the mirror image of the white list's: anything new or forgotten on the network is reachable by the partner until someone explicitly adds it to the deny list, so the black list is only as good as your inventory of what needs protecting.

I am willing to admit this is not a one-size-fits-all approach. If you have a limited number of partners that only need a small, static set of resources, white listing is the way to go. But if you have integrated partners with ever-expanding responsibilities, evaluate blacklisting as a serious alternative. Once the access control method is in place, be it a white list or black list, other protections can be layered on as needed to identify and respond to access violations or attacks.
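To make the two postures concrete, here is a small policy model, added as an example and not part of the original commentary. It encodes the white-list paragraph above (default deny plus explicit allows for source, destination, protocol and port) and the black-list paragraph (default allow plus explicit denies for the systems that must be protected), evaluates the same four partner connection attempts against each, and renders either policy as iptables commands. All addresses, hosts and the "partner" network are constructed for the example; the iptables rendering assumes a Linux netfilter firewall sitting in the forwarding path.

```python
"""Compare the two partner-access postures: a white list (default deny,
explicit allows) and a black list (default allow, explicit denies).
All addresses and systems below are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int]     # destination port, None = any port
    action: str              # "allow" or "deny"


@dataclass
class Policy:
    name: str
    default: str             # action when no rule matches
    rules: list


def matches(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    """True if a single connection attempt falls inside the rule's tuple."""
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def evaluate(policy: Policy, src: str, dst: str, proto: str, dport: int) -> str:
    """First matching rule wins; otherwise the policy default applies."""
    for rule in policy.rules:
        if matches(rule, src, dst, proto, dport):
            return rule.action
    return policy.default


PARTNER = "203.0.113.0/24"     # constructed partner network (TEST-NET-3)

# White list: only the two systems the partner was onboarded for.
WHITE_LIST = Policy("white list", default="deny", rules=[
    Rule(PARTNER, "10.0.1.10/32", "tcp", 443, "allow"),   # source repo
    Rule(PARTNER, "10.0.1.20/32", "tcp", 8443, "allow"),  # CI server
])

# Black list: name what must be protected, allow the rest.
BLACK_LIST = Policy("black list", default="allow", rules=[
    Rule("0.0.0.0/0", "10.0.9.0/24", "any", None, "deny"),    # finance subnet
    Rule(PARTNER, "10.0.2.5/32", "any", None, "deny"),        # secrets vault
])

# Constructed connection attempts from one partner host.
ATTEMPTS = [
    ("repo over https",        "203.0.113.7", "10.0.1.10", "tcp", 443),
    ("new staging host",       "203.0.113.7", "10.0.1.30", "tcp", 443),
    ("finance file share",     "203.0.113.7", "10.0.9.5",  "tcp", 445),
    ("forgotten rdp listener", "203.0.113.7", "10.0.1.40", "tcp", 3389),
]


def compare(attempts=ATTEMPTS) -> dict:
    """Map each attempt label to (white-list verdict, black-list verdict)."""
    return {label: (evaluate(WHITE_LIST, *conn), evaluate(BLACK_LIST, *conn))
            for label, *conn in attempts}


def to_iptables(policy: Policy, chain: str = "FORWARD") -> list:
    """Render a policy as iptables commands (allow -> ACCEPT, deny -> DROP)."""
    verdict = {"allow": "ACCEPT", "deny": "DROP"}
    lines = [f"iptables -P {chain} {verdict[policy.default]}"]
    for r in policy.rules:
        cmd = f"iptables -A {chain} -s {r.src} -d {r.dst}"
        if r.proto != "any":
            cmd += f" -p {r.proto}"
            if r.dport is not None:
                cmd += f" --dport {r.dport}"
        lines.append(f"{cmd} -j {verdict[r.action]}")
    return lines


if __name__ == "__main__":
    for label, (white, black) in compare().items():
        print(f"{label:24} white list: {white:5}  black list: {black}")
    print("\n".join(to_iptables(WHITE_LIST)))
```

The second and fourth attempts are the two failure modes the paragraphs above describe. The new staging host is denied by the white list until a rule is added, which is the "moved to production and got blocked" problem; the forgotten RDP listener is allowed by the black list because nobody put that host on it, which is the inventory problem a default-allow posture carries.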

Adam Ely is the founder and COO of Bluebox. Prior to this role, Adam was the CISO of the Heroku business unit at Salesforce, where he was responsible for application security, security operations, compliance, and external security relations. Prior to Salesforce, Adam led ...