Keep Corporate Away From Production

Published: by

For a very long time, corporations treated their corporate networks as safe protected environments. The data and applications inside that network are:

  1. confidential and must be kept safe from unauthorized access (protect from loss), and
  2. crucial to business processes and must be kept accessible to employees (protect from denial of service).

Over time, however, two trends have challenged these assumptions.

First, more and more business-critical data has migrated to the Internet. It began with remote access to employee applications, often protected over VPNs. Over time, more and more business applications have become customer-facing. This means they must be accessed over the Internet, and without the usual employee burden of a VPN.

For example, when I worked in financials, most of the crucial systems were internal IT. We worried about traders and investment bankers accessing their systems. Nowadays, my neighbour manages customer-facing Web-based, real-time trading applications.

A net result is that the data and services accessed over the Internet are at least as critical and sensitive as, and in many cases even more so than, internal data and applications.

Second, the assumption of a secure internal space protected by firewalls simply does not exist any more. Since my early days as an engineer of designing and building firewalls, before CheckPoint existed, we knew that defense in-depth - adopted from military strategy - was the only way to go. To paraphrase, Werner Vogels, CTO of Amazon, assume "everything is breached, all of the time."

Because no one has infinite human or capital resources, companies had to choose where to deploy those scarce resources. Compare corporate and production:

  • Internal: Full of employees and guests running around in open spaces, mix of security buildings, pesky laptops and mobile devices with direct network access, serves employees only.
  • Production: Extremely limited access, VPN network only, serves customers and generates revenues directly.

Where would you invest?

Here is one example. Every company that processes payments has some form of intrusion detection system (IDS) on their production environment; some have automated intrustion prevention systems (IPS). A very small percentage have even a basic free IDS on their corporate environment. This isn't bad or wrong; it simply is a rational choice where to deploy those scarce resources.

Since corporate networks are less secure, the logical follow-on is that they should be treated as less secure.

How does that impact how you operate?

  1. Never connect your corporate networks to your production network.
  2. Put your business-critical corporate applications on the Internet.

Keep them Separate

Never connect your corporate networks to your production network. Many companies have a "standard practice" to connect their corporate network to their production network (in a data centre or the cloud) using a VPN. They do this for one of two reasons:

  1. Convenience: If many employees need to connect to production from the office, then it is convenient to allow unfettered access from their work desktop.
  2. Security: Rather than having employees connect directly over the Internet, an extra step through the corporate network should provide additional security.

In truth, neither of these applies. It may indeed be convenient to connect from the corporate network, but the overhead of a client VPN when within the office is minimal. In any case, it should be inconvenient to connect to production. Discourage connecting to production except when absolutely necessary.

At the same time, adding a corporate layer reduces security. Your security in a path will always be the weakest link in that path, not the strongest. Since your corporate environment almost always will be less secure, connecting through your corporate network reduces security. This is the exact opposite of the intended effect!

Several years ago, a client of mine went through the process of completely separating corporate and production environments. While some of the administrators did, indeed, complain about the inconvenience of launching a VPN client for each production access, the complaints lasted barely days as they quickly got used to it.

A few years later, the company began processing payments, and went through an extensive Payment Card Industry (PCI) certification audit. The auditors immediately identified dozens of weaknesses in the corporate environment, a list whose remediation would have taken at least a year and untold capital.

However, because there was zero connectivity between corporate and production environments, the team was able to demonstrate to the auditors that corporate was unconnected to any payment system, and thus completely out of scope for the audit. When the auditors agreed, we had better security and a faster and cheaper path to compliance.

Invert It

If production is more secure than corporate, then the logical conclusion is to put truly important internal applications on the Internet.

Sounds backwards? Many companies already do it without realizing. Companies use expensify for expense management, salesforce for CRM, zenefits for HR. Many companies tell me, "we never outsource anything," yet pull out their pay stub and see "ADP" on it; similarly many firms, including large ones, already have business critical applications on the Internet... they just don't realize it.

According to this article in the WSJ, Google, often a leader in this space, is taking exactly this approach to their own in-house IT applications. They realize how much usage patterns, employee work locations, and relative security of the environments have changed, and take the next step. It is only logical.

Summary

If your corporate environment connects to your production customer-facing environment, kill it! If your internal business applications really are business critical, take a long hard look at whether they really are best served and secured internally, or facing the Internet.

Ask us to help you evaluate which apps should live internally, which in the cloud, and how the two should connect securely. The answers might just make your employees' lives better while saving money.