Question About Network Security

[olds]

<---Not IT but trying to get my head around this.

I work for a large agency and they are extremely particular (rightly so) about the security of the network.

We need an emergency notification system and a service is provided by a vendor on their server (software as a service).

To keep the contact list updated, it interfaces with our Outlook database. But IT isn't going to let that happen as it introduces a vulnerability.

Is there a way to mirror that Outlook database on another server that wouldn't cause vulnerability to the main network?

For reference, other agencies using this service let the vendor run an API (not sure what an API is) which lets its service talk to our Outlook and keep the database updated. My IT did think there was a way to do it but won't articulate the steps or commit the resources or time to the project. Even though they want to use the service (since I am paying) for their own notifications.

TIA

 

[Genx87]

Is this contact list within your exchange environment? And the people who need to update outside your organization? What generates the notifications?

 

[JackMDS]

http://money.howstuffworks.com/business-communications/how-to-leverage-an-api-for-conferencing1.htm

Whether it is secure (or not) depends on how it is implemented in-vivo with the networks.

http://apievangelist.com/2015/08/31/are-api-keys-and-secrets-actually-very-secure/

 

[olds]

Is this contact list within your exchange environment?
Yes

And the people who need to update outside your organization?
The vendor needs the Exchange info to keep the contact list updated. To do it manually for 20,000 people would be too much.

What generates the notifications?
We log into their portal, type a message or use a template, select who gets the message (groups or individuals) and send it. We can then see who received it and who responded.

In red.

 

[olds]

http://money.howstuffworks.com/business-communications/how-to-leverage-an-api-for-conferencing1.htm

Whether it is secure (or not) depends on how it is implemented in-vivo with the networks.

http://apievangelist.com/2015/08/31/are-api-keys-and-secrets-actually-very-secure/

Looks like the API may not be secure. Which brings me back to mirroring the Exchange information on a different server with no access to our real servers. Again, I am not IT.

 

[Mushkins]

Looks like the API may not be secure. Which brings me back to mirroring the Exchange information on a different server with no access to our real servers. Again, I am not IT.

Yes, you could create a Read Only Exchange Server in a DMZ, which will have data copied to it but cannot make changes, and the vendor could interface with this server instead (assuming their software even works with exchange in read-only mode, you'd have to consult them).

However, this opens up another can of worms as you don't ever want an exchange server with live company data on it in a DMZ. Plus you, y'know, have to license and configure a server to do this which costs money.

Honestly, we can't give you a best answer because we don't know anything about your network. Bottom line is your IT department *needs* to be involved in this process, that's kind of what they exist for. If the higher ups deem that this project isnt worth their time, well, that's not on you. Can't have it both ways.

 

[Phynaz]

SFTP the directory. They don't need access to exchange.

But, yeah, leave it to IT, it's their job.