Enhancing Security in Large Enterprise Deployments: A Case Study
By: David Gatewood
In a recent review of our team metrics spanning the past two decades, we conservatively estimated that we have evaluated and consulted on the security of between 5,000 and 10,000 vendor applications, solution systems, and hardware devices. This extensive experience has highlighted recurring security concerns, particularly when products necessitate modifications to enterprise firewalls.
A frequent issue arises when vendors request that ports be opened in the enterprise firewall. From the vendor’s perspective, opening a few ports may seem trivial. However, for a large enterprise, each request to open up to 20 ports represents a significant security risk. This issue was recently underscored in a discussion with a vendor whose application, designed to meet a clinical need, was more suited for a small physician clinic rather than a large enterprise. The vendor was adamant about not supporting a B2B connection, which compounded the security concerns.
From the enterprise security standpoint, firewall rules must be configured across multiple firewalls, not just one. Each hole in a firewall potentially serves as an entry point for threat actors. With thousands of vendors on the network, each with unique requirements, the cumulative effect can quickly transform firewalls into Swiss cheese, leaving the company vulnerable.
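The cumulative exposure described above is easiest to see when rules from every firewall are tallied per vendor. The following Python is an added illustration, not code from the original post or from any vendor mentioned in it; the rule tuple format, the firewall and vendor names, and the sample rules are all constructed for the example.

```python
"""Aggregate vendor-driven firewall rules across several firewalls and
report each vendor's cumulative footprint. Added illustration; the rule
format and all sample data below are constructed, not from a real export."""
from collections import defaultdict

# Constructed sample: one tuple per rule as it might be exported from each
# firewall. Fields: firewall name, vendor tag, protocol, destination port, source.
SAMPLE_RULES = [
    ("fw-dmz-1", "clinic-app", "tcp", 8080, "any"),
    ("fw-dmz-1", "clinic-app", "tcp", 8443, "any"),
    ("fw-core-1", "clinic-app", "tcp", 8080, "10.20.0.0/16"),
    ("fw-core-1", "clinic-app", "tcp", 1433, "10.20.0.0/16"),
    ("fw-dmz-1", "imaging-vendor", "tcp", 443, "203.0.113.0/24"),
    ("fw-core-1", "imaging-vendor", "tcp", 443, "10.30.0.0/16"),
]


def summarize_exposure(rules):
    """Per vendor: distinct (proto, port) pairs, firewalls touched, any-source rules.

    The same port opened on two firewalls counts once as a port but twice as
    a firewall change, which is the operational cost the post describes."""
    summary = defaultdict(lambda: {"ports": set(), "firewalls": set(), "any_source": 0})
    for fw, vendor, proto, port, src in rules:
        entry = summary[vendor]
        entry["ports"].add((proto, port))
        entry["firewalls"].add(fw)
        if src == "any":
            entry["any_source"] += 1
    return dict(summary)


def flag_vendors(rules, max_ports=5):
    """Return vendors whose cumulative footprint breaches a review threshold.

    max_ports is an assumed policy value; an enterprise would set its own."""
    flagged = {}
    for vendor, info in summarize_exposure(rules).items():
        reasons = []
        if len(info["ports"]) > max_ports:
            reasons.append(f"{len(info['ports'])} distinct ports exceeds {max_ports}")
        if info["any_source"]:
            reasons.append(f"{info['any_source']} rule(s) allow any source")
        if reasons:
            flagged[vendor] = reasons
    return flagged


if __name__ == "__main__":
    for vendor, reasons in flag_vendors(SAMPLE_RULES, max_ports=2).items():
        print(vendor, "->", "; ".join(reasons))
```

Run against a real export, the per-vendor tallies make the case for a single B2B connection concrete: one vendor's footprint is visible as a number rather than as scattered rules on separate devices.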
After several weeks of negotiations, the division requiring the vendor’s product arranged a conference call. During this call, I was able to articulate the security concerns from both perspectives. I emphasized that by enhancing their services as requested, the vendor would not only meet our security standards but also position themselves to offer a more secure product to other clients. The vendor ultimately agreed that it was in both companies’ best interests to implement the enhancements and establish a B2B connection.
This case underscores an important lesson: as the client demographic grows, so do the security concerns. Vendors must consider the target environments and not just the system or application developed in a controlled environment. By doing so, they can ensure their products are secure and suitable for deployment in large enterprises.