The Extended Enterprise Renaissance: Identifying Partners and Vulnerabilities
Part of IID's DNS Dojo series
Businesses today are witnessing a renaissance. No, we’re not talking about the rebirth of the calculator or even the rebirth of communications (albeit through social media). We’re talking about a renaissance of the extended enterprise.
The concept of the extended enterprise isn’t new to business, but it surely has seen a reemergence recently. That’s because as business has transitioned to being conducted almost entirely online, the connections between partners, otherwise known as the extended enterprise, have become especially important. However, they have also led to a new kind of vulnerability. When a company uses a payment processor, for example, that service becomes an extended enterprise partner, and customers’ financial information is shared between the two companies. These connections are almost always made via the Internet these days, and with that fact comes risk to both the companies involved in the partnership and to the customers whose information is being shared.
Because so much sensitive information is shared between extended enterprise partners, it is especially important for businesses to know who those partners are and to stay informed about any compromises to their security. A security breach for one partner could easily snowball into major problems for everyone they connect with.
Who makes up your extended enterprise?
The extended enterprise includes relationships with partners, vendors, suppliers and key customers that enable enterprises to succeed. These partners have a direct impact on your business, but are not within your own control. Partnering with other businesses means that important and often sensitive information is shared and stored by the extended enterprise partner. For example, payroll services have employee information and company financials on record; the company law firm has legal and contract information about your organization and clients; various types of vendors have your corporate credit card on file for processing new orders. In each of these examples, the extended enterprise partner has information about your company, employees, customers and financials, and you can bet that in every case, that information is stored electronically, making it vulnerable to theft by cyber criminals.
In thinking about the specific partners who make up your extended enterprise, consider to whom you send information: vendors, payroll and payment processing services, legal counsel. Think also about who “houses” your business online: your domain registrar, Internet Service Provider (ISP), your webhost. Any of these partners can experience security incidents that affect your company. Your registrar might fall victim to a phishing attack, giving up access to your domain management. A payment processor might have their databases hacked, revealing your customers’ credit card information. Which brings us to the next section.
How does the extended enterprise affect security?
One thing to consider is that regardless of how secure you think your own company’s information is, you may have little or no insight into how your extended enterprise partners manage their security. Do your partners fully control their own infrastructure and communication channels? Do they have enforced policies on secure data storage and management? And do those policies include how they store your data?
The reality of the extended enterprise is that you can’t rely on your own internal security measures to protect your company completely, because plenty of what needs protecting lives outside your own company walls. And it’s not just stored data about your company, customers and employees. Companies that offer online checkout or bill pay services to customers, for instance, provide those customers with a connection from their site to a third party receiving and processing the payment. Making that connection uses the domain name system (DNS) and ties your company to the third party through it. You might know plenty about who your extended enterprise partners are, but do you know how they manage their DNS security?
Back to that example we used in our latest DNS Dojo post: when payment processor CheckFree was hacked in 2008, criminals redirected CheckFree visitors to a web address loaded with malware. And how did that redirection occur? Via their DNS, of course. The cyber criminals gained access to CheckFree’s domain management platform and changed the address of their authoritative DNS servers, sending all traffic intended for legitimate CheckFree domains to the malware drop site. Visitors weren’t mistakenly clicking on links to this malicious site; they were redirected there without any warning, and often from the websites of other businesses that were using CheckFree as an e-bill service provider for their customers. Such a case makes it clear that it’s not just your own organization’s security that matters, but that of everyone you partner with and connect your customers to.
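As an added illustration (not code from IID or the original post), the sketch below compares the authoritative nameservers observed for partner domains against a recorded baseline, the kind of check that would flag a delegation change like the one in the CheckFree incident. All domains, nameservers and function names are constructed, and treating the last two labels of a nameserver as its provider is a simplifying assumption.

```python
# Constructed sample data: every domain and nameserver here is made up.
BASELINE = {
    "billpay.partner.example": ["ns1.dnshost.example.", "ns2.dnshost.example."],
    "payroll.vendor.example": ["ns1.dnshost.example.", "ns2.dnshost.example."],
    "lawfirm.example": ["a.ns.lawdns.example.", "c.ns.lawdns.example."][:1] + ["b.ns.lawdns.example."],
}
OBSERVED = {
    "billpay.partner.example": ["ns1.unfamiliar.test.", "ns2.unfamiliar.test."],
    "payroll.vendor.example": ["NS2.dnshost.example", "ns1.dnshost.example."],
    "lawfirm.example": ["a.ns.lawdns.example.", "c.ns.lawdns.example."],
}

def normalize(ns):
    """Lower-case and drop the trailing dot so equal names compare equal."""
    return ns.strip().rstrip(".").lower()

def provider(ns, labels=2):
    """Assumption: the last two labels identify the DNS provider (no public-suffix list)."""
    return ".".join(normalize(ns).split(".")[-labels:])

def check_delegation(domain, baseline_ns, observed_ns):
    """Classify the difference between the recorded and observed NS sets."""
    base = {normalize(n) for n in baseline_ns}
    seen = {normalize(n) for n in observed_ns}
    added, removed = seen - base, base - seen
    foreign = {n for n in added if provider(n) not in {provider(b) for b in base}}
    if not seen:
        severity = "high"        # delegation vanished or lookup failed
    elif not added and not removed:
        severity = "ok"
    elif foreign and not (seen & base):
        severity = "critical"    # whole NS set swapped to an unknown provider
    elif foreign:
        severity = "high"        # unknown provider mixed into the set
    else:
        severity = "medium"      # change within the known provider; confirm with partner
    return {"domain": domain, "severity": severity,
            "added": sorted(added), "removed": sorted(removed)}

def audit(baseline, observed):
    """Return findings for every baseline domain whose NS set is not as recorded."""
    results = [check_delegation(d, ns, observed.get(d, [])) for d, ns in baseline.items()]
    return [r for r in results if r["severity"] != "ok"]

if __name__ == "__main__":
    for finding in audit(BASELINE, OBSERVED):
        print(finding)
```

In practice the observed sets would come from periodic NS lookups for each partner domain, with the baseline updated only after a change is confirmed with the partner.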
So we’ve explained what exactly an extended enterprise is, and how it could be opening an organization and its customers up to having their data exposed via the DNS. But what is an organization to do to protect itself? One piece of technology that has emerged over the years is what is called domain name system security extensions or DNSSEC. In our next DNS Dojo post we’ll tackle just what DNSSEC is and isn’t, how it’s supposed to protect organizations from having their DNS hijacked and why it’s not the silver bullet to securing the domain name system. See you then!