Network Security - Audit from client

Feb 16, 2010
39
0
0
Long story short, they want to be able to prove that we separate data specific from them from everyone else. From the networking side that's fine with tagging VLANs, ACLs, etc. But if their data all comes to the same host (a file server) as others, how can we mitigate that out without creating another host specifically for them? Is this feasible?
 

kevnich2

Platinum Member
Apr 10, 2004
2,465
8
76
OK, you need to provide a lot more info on this. First, what kind of provider are you? What services are you providing to this client? What industry is the client in and what are they trying to comply with?
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
29,485
391
126
> Long story short, they want to be able to prove that we separate data specific from them from everyone else.

When it comes to this type of "demands", it can be anything from just a need for a written statement from your organization to be submitted to their insurance files for self legal protection, to some real security concern that is on their mind (or someone is looking for an excuse to terminate your service).

Whatever we say about it is meaningless; you have to ask them what exactly they mean and need as proof.


 
Feb 16, 2010
39
0
0
Client is in the banking industry. We provide logistics. In order for us to do business with them we must meet a compliance. Essentially they want any of their data to be monitored, traced, and secured. From a network level - easy. Once some of their data hits a "shared resource" such as a file server, what can I do about that? Other than making specific file servers/hosts JUST for their data, where the network traffic routes directly to them from their sources....
 

azazel1024

Senior member
Jan 6, 2014
901
2
76
Probably going to need specific file servers/hosts just for them. Possibly VMs and their own partitions/drives might cover it. This is likely a question for them.

It sounds like they have requirements and should be providing them. Not simply a nebulous "we need security and stuff separated".
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
> Client is in the banking industry. We provide logistics. In order for us to do business with them we must meet a compliance. Essentially they want any of their data to be monitored, traced, and secured. From a network level - easy. Once some of their data hits a "shared resource" such as a file server, what can I do about that? Other than making specific file servers/hosts JUST for their data, where the network traffic routes directly to them from their sources....

Wouldn't that shared resource have a filesystem that presumably supports security settings? I would audit the filesystem security settings on that shared fileserver to show them that only XYZ authenticated users on XYZ domain have access to the partition with that company's data. The data is technically split up on the same disks as other clients on the SAN, but it's a RAID array; if someone were to pull a single disk they'd just get junk. If they have physical access to pull all the drives on the SAN, well, I'd hope it's all encrypted.

At this point it's not really a network architecture issue, it's a security and permissions issue on the software end.
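
Added example, not part of any post in this thread: one way to produce the filesystem-permission evidence suggested above is to walk the client's share and list every Allow rule granted to an identity outside an approved list. The share path `D:\Shares\BankClient` and the group `CORP\BankClient-RW` are hypothetical placeholders.

```powershell
# Added example: audit NTFS ACLs under one client's share and report any
# Allow rule whose identity is not on the approved list.
# Path and identity names used below are hypothetical placeholders.
function Get-UnexpectedAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $AllowedIdentity
    )
    # Audit the root itself plus every child, including hidden/system items.
    # -ErrorAction Stop: an unreadable subfolder must fail the audit,
    # not be skipped silently.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction Stop)

    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.Access) {
            # Deny rules only restrict access; Allow rules are what can expose data.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # -contains compares strings case-insensitively.
            if ($AllowedIdentity -contains $ace.IdentityReference.Value) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Owner     = $acl.Owner
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited = fix it on a parent folder
            }
        }
    }
}

# Hypothetical approved list for this client's data.
$allowed  = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CORP\BankClient-RW'
$findings = @(Get-UnexpectedAccess -Path 'D:\Shares\BankClient' -AllowedIdentity $allowed)

# Keep the result as dated evidence for the auditor; an empty file means no findings.
$findings | Export-Csv -Path ".\acl-findings-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
'{0} unexpected allow rule(s) found' -f $findings.Count
```

This covers NTFS permissions only; SMB share-level permissions are a separate layer and can be listed with `Get-SmbShareAccess`.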
 
Feb 16, 2010
39
0
0
My 2-factor authentication system can utilize LDAP to talk to AD. With Windows Auditing (EFS), can I integrate that with my multifactor authentication as well?
 

cmetz

Platinum Member
Nov 13, 2001
2,296
0
0
whitedragon2203,

>they want to be able to prove that we separate data specific from them from everyone else
>their data all comes to the same host (a file server) as others

So you're not separating their data from everyone else.

You need to turn the question around and ask them for detailed information on what kinds of separations they're looking for. Could be anywhere from directory permissions to a complete second everything - you need to work this out with your customer.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
> whitedragon2203,
>
> >they want to be able to prove that we separate data specific from them from everyone else
> >their data all comes to the same host (a file server) as others
>
> So you're not separating their data from everyone else.
>
> You need to turn the question around and ask them for detailed information on what kinds of separations they're looking for. Could be anywhere from directory permissions to a complete second everything - you need to work this out with your customer.

QFT, you need the customer/client to tell you what the requirements really are. Else you are just poking around in the dark.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
> whitedragon2203,
>
> >they want to be able to prove that we separate data specific from them from everyone else
> >their data all comes to the same host (a file server) as others
>
> So you're not separating their data from everyone else.
>
> You need to turn the question around and ask them for detailed information on what kinds of separations they're looking for. Could be anywhere from directory permissions to a complete second everything - you need to work this out with your customer.

Thirded.

File server has ACLs also. Just like network gear.
 
Feb 25, 2011
16,905
1,551
126
Fourthed.

And I'd point out that if you aren't using a VM cluster to stand up and kill new hosts as needed for your clients, you're missing out on all the fun.
 