Virtually every company in America engaged in Business-to-Business (B2B) e-commerce gives partners some degree of access to its network. That is a huge mistake, says Evan Kaplan, president, cofounder and CEO of Aventail, a security-services company in Seattle. “The whole notion that you need to tie networks together to do B2B business is bad security,” he says.
At least a few companies agree with that sentiment and keep their networks in lockdown. Mt. Sinai/NYU Health System, a New York City network of six hospitals and two affiliated medical schools, shares medical records with outside medical practices. In the past, doctors and clinics could dial in to the network in an unsecured manner. But no more, says senior vice president and CIO Stuart Sugarman. With HIPAA privacy regulations coming, they’re taking no chances. Today, after the doctors enter an order, it’s sent back to them with read-only access. They can alter this data only by using the secure portal and with the proper sign-on authorization and patient access. They can download nothing, and the application shuts down after a certain amount of idle time. And when Mt. Sinai/NYU shares information to complete transactions with insurance companies, there’s no real-time connection. Everything is stored and forwarded in a batch environment. “We just don’t believe the Internet is secure,” says Sugarman.
Similarly, Lockheed-Martin allows no partners beyond its firewalls. The Bethesda, Md.-based defense contractor may set up separate secure websites to do business with certain partners, but there’s no access into Lockheed’s networks, says Senior Security Analyst A. Padgett Peterson. And to further protect classified information, Lockheed maintains a special classified network with no connection to its main networks. “This limits our exposure every time we enter into a contractual relationship with a partner,” says Peterson.