
15) Does your organisation keep a list of approved network connections (such as site to site VPNs) between your corporate network and third parties?

August 31, 2022 | Network and Cloud Security | Approved Network Connection List

Answer yes if your organisation keeps a list of approved network connections between its own network and any third party networks.

What is the control?

You may have connections from your internal network to third-parties for a number of reasons. For example, an outside company may be processing data for an internal process, or handling transactions for your e-commerce site’s back end.

It’s important that these connections are well documented as the information is needed to support a number of security processes (typically those focused on limiting access to only what is needed).

Why should I have it?

Without a detailed inventory of network connections, what traffic is expected over them, and what business purpose they serve, it would not be possible to apply a “deny all” policy on the network as the accepted exceptions wouldn’t be known.

Nor would it be possible to configure the network firewalls to allow only the needed ports, or to configure your intrusion detection systems with the right rules to distinguish anomalous outside traffic from normal traffic.

Finally, if the functions requiring the outside connections are terminated (due to a change in service or a contract termination), there would be no way to determine which access and configuration should be removed or retained as a result.

All of these things would lead to a lack of understanding of which network connections are active and justified, with each unaccounted connection adding potential security risk over time that could result in unauthorised traffic and a breach of your internal corporate network.

How to implement the control:

You should maintain a register of all third-party connections that is fed by your change and/or procurement processes and referred to any time a service is provisioned, changed, or terminated. This register should then feed into your networking, firewall rule, security configuration update (for things such as IDS, EDR, SIEM, etc.), and other relevant processes.
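The following is an added example of what such a register can look like in practice and how it feeds the firewall and termination processes described above. It is illustrative code written for this article, not Risk Ledger's tooling or anything from the original page: the register entries, third-party names, IP ranges, ports, dates and firewall rule IDs are all constructed sample values. It reconciles the register against the rules currently deployed on a perimeter firewall and reports three things: deployed rules that match no approved connection (the "unaccounted" ones the article warns about), rules that belong to a connection whose contract has ended and should now be removed, and approved connections that have no rule yet.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Connection:
    """One entry in the approved third-party connection register."""
    conn_id: str              # register reference raised by change/procurement
    third_party: str          # who the connection is with
    peer: str                 # remote network or host, CIDR notation
    protocol: str
    port: int
    purpose: str              # business justification for the connection
    owner: str                # internal owner accountable for it
    end_date: Optional[date]  # contract/service end; None means open-ended

# Constructed sample register (hypothetical entries, not real third parties).
REGISTER = [
    Connection("CONN-001", "PayCo", "203.0.113.0/24", "tcp", 443,
               "Payment processing for e-commerce back end", "ecom-team", date(2025, 12, 31)),
    Connection("CONN-002", "DataProc Ltd", "198.51.100.10/32", "tcp", 22,
               "Nightly SFTP data feed", "finance", date(2022, 6, 30)),  # contract has ended
    Connection("CONN-003", "PartnerVPN", "192.0.2.0/24", "udp", 500,
               "Site-to-site VPN to partner office", "netops", None),
    Connection("CONN-004", "BackupCo", "198.51.100.200/32", "tcp", 443,
               "Off-site backup replication", "infra", date(2026, 3, 31)),  # approved, not yet deployed
]

@dataclass(frozen=True)
class FirewallRule:
    """A simplified view of one allow rule exported from the perimeter firewall."""
    rule_id: str
    peer: str
    protocol: str
    port: int

# Constructed sample of rules currently deployed on the firewall.
FIREWALL_RULES = [
    FirewallRule("fw-10", "203.0.113.0/24", "tcp", 443),
    FirewallRule("fw-11", "198.51.100.10/32", "tcp", 22),
    FirewallRule("fw-12", "192.0.2.0/24", "udp", 500),
    FirewallRule("fw-13", "198.51.100.77/32", "tcp", 3389),  # nobody can say why this exists
]

# The review date is fixed here so the example is reproducible (constructed).
TODAY = date(2023, 1, 1)

def active_connections(register, today):
    """Connections whose business purpose is still current on the given date."""
    return [c for c in register if c.end_date is None or c.end_date >= today]

def expired_connections(register, today):
    """Connections whose service or contract ended before the given date."""
    return [c for c in register if c.end_date is not None and c.end_date < today]

def _key(obj):
    # A rule and a register entry are matched on (peer, protocol, port).
    return (obj.peer, obj.protocol, obj.port)

def reconcile(register, rules, today):
    """Compare deployed firewall rules with the register and classify discrepancies."""
    approved = {_key(c): c for c in active_connections(register, today)}
    expired = {_key(c): c for c in expired_connections(register, today)}
    report = {"unaccounted": [], "remove": [], "missing": []}
    for rule in rules:
        key = _key(rule)
        if key in approved:
            continue                      # justified by an active register entry
        if key in expired:
            report["remove"].append((rule, expired[key]))   # contract ended: decommission
        else:
            report["unaccounted"].append(rule)              # no register entry at all
    deployed = {_key(r) for r in rules}
    report["missing"] = [c for k, c in approved.items() if k not in deployed]
    return report

if __name__ == "__main__":
    result = reconcile(REGISTER, FIREWALL_RULES, TODAY)
    for rule in result["unaccounted"]:
        print(f"UNACCOUNTED  {rule.rule_id}: {rule.peer} {rule.protocol}/{rule.port} has no register entry")
    for rule, conn in result["remove"]:
        print(f"REMOVE       {rule.rule_id}: {conn.conn_id} ({conn.third_party}) ended {conn.end_date}")
    for conn in result["missing"]:
        print(f"MISSING      {conn.conn_id}: approved for {conn.third_party} but no firewall rule deployed")
```

Run as a scheduled job or as a gate in the change process, the "unaccounted" list is what a deny-all policy cannot be applied without, and the "remove" list is the output the article's termination step needs; the register's `owner` and `purpose` fields are what let a reviewer resolve each finding rather than guess.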

There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
