Extranet management technology matures beyond the firewall
(IDG) -- The concept of a company fostering communication with its business partners is not new; electronic data interchange and dial-up connections to host systems have provided fairly good information access for years. But talk of making a company more competitive using a fine-tuned extranet -- one that gives partners secure, inexpensive access to data based on policies and that guarantees performance levels -- will prick up any CEO's ears.
The problem for IT managers is that the first volley of Internet security products only blocked the corporate perimeter. As the Internet, networks, and electronic business force companies to provide greater access to information, previous network designs will no longer be up to the task. Corporate networks will need to turn their focus outward and introduce fine-grained access to information, as well as the management tools and infrastructure that are currently reserved for internal users.
A second-generation set of extranet management products is beginning to emerge. These products aim to simplify this transition by integrating extranets into greater management schemes or by taking advantage of the technology that a company already has installed.
But the pillar of extranet management continues to be security. Because there is a high risk factor in opening up a corporate network to external access, security will remain at the heart of this market segment regardless of how it evolves.
"This is the future of the business. What we are now referring to as the extranet will become the totality of IT," says Ted Julian, an analyst at Forrester Research, in Cambridge, Mass. "But unless you find a way to secure the systems, there is no way to expose them."
In most IS managers' minds, security has meant a firewall at the boundary of the network. But with the growing need to provide direct connections to customers, partners, employees, and other users, the issue becomes: How does one secure the network when boundaries become fluid?
"We're dealing with medical records. There's a big financial hit if someone hacks in -- it doesn't look good for the institution if that happens," says Jeff Bernstein, a network engineer at Overlake Hospital Medical Center, in Bellevue, Wash.
Overlake is using Aventail's ExtraNet Center to allow doctors and other medical professionals to access patient information by establishing an encrypted Secure Sockets Layer session with the hospital's server via the Internet and then entering their name and password. The extranet user's access rights are set in the Aventail software that Overlake distributes to users as an .exe file, Bernstein says.
Aventail's software replaces a system in which doctors dialed in to Overlake's minicomputer and accessed a medical application.
"The minicomputer required you to give it your password, but that was it. There was a point-to-point connection, but that still isn't secure -- if someone really wants to look at the data, it's not encrypted," Bernstein says.
Pieces of the puzzle
Extranet security often starts with authentication and authorization of users to networks. This can take the form of user names and passwords, digital certificates, tokens, and even smart cards. Each method must be supported as a company's customers require, which brings to the fore the promise of interoperability through public key infrastructure (PKI) systems for authentication.
"Access control has to be fine-grained. You can't say you can just get to this server; you have to say what applications they can get to as well," says Cliff Hannel, vice president of product development at extranet management vendor Internet Dynamics, in Westlake Village, Calif. "But once you are dealing with business partners from other domains, you don't want to maintain users' names and passwords for all that as well. ... PKI is essential."
Other related technologies include encryption to secure messages, firewall compatibility to ensure uninterrupted connections, virtual private networks (VPNs) for secure access, scalable directories of user information -- which often come in the form of Lightweight Directory Access Protocol directories -- and role-based policy engines.
But truly managing extranets means more than providing secure access to networks; it means controlling all aspects of access to ensure that business partners are getting the information they need.
"You are talking about information management when you talk about extranet management," says Juan Carlos Colosso, director of product marketing at enCommerce, a secure e-business portal management company in Santa Clara, Calif. "With the next level, it's not managing the network per se, but it is managing the information that moves through those networks."
To that end, a new generation of products is emerging that promises to let companies manage these external links in much the same way that they manage their systems and networks.
"People are definitely managing secure extranets, and they also are at least in the beginning stages of monitoring the health of those -- the performance and availability," says Sue Aldridge, a senior consultant at the Patricia Seybold Group, in Boston.
Extending internal networks
One of the first companies to approach this arena is Tivoli, which sees extranet management as a natural extension of systems management -- except that the users on the system don't stop at the firewall.
Tivoli earlier this year released a product suite called CrossSite, which performs three basic functions: security, in the form of intrusion detection; monitoring the availability of information for the extranet client; and deployment, which publishes applications and data to extranet partners.
Although CrossSite doesn't require Tivoli's systems management suite in order to work, it does integrate with Tivoli Enterprise, according to Chuck Stern, Tivoli's vice president of Internet Business Solutions, in Austin, Texas.
Some Tivoli customers have tapped CrossSite to extend their internal systems management investments.
"Tivoli was a good fit because it's already monitoring and managing our internal environment," says Jim Haney, director of architecture and planning at appliance maker Whirlpool, in Benton Harbor, Mich., which is installing the security module of the CrossSite suite and evaluating the availability piece. "We know that if we get alarms that someone is trying to hack into our environment, we already have the [Tivoli Enterprise] infrastructure in place that does centralized alarming, alerting escalation, and paging."
CrossSite also monitors the performance that an extranet client is getting from a company's Web site by including a piece of software that sits on the client's PC. If that client gets response times below a preset level from the company's Web server, alarms are sent back to the company's network manager.
"We had been monitoring our own Web server, but the ability to look at those servers from the outside is significant," says Walt Zilahy, vice president of IT operations at Travelers Property Casualty, in Hartford, Conn., which is evaluating CrossSite.
Novell also has an initiative under way to bring extranet management into its Novell Directory Services (NDS) fold.
"Companies would like to have a single directory to manage both sides [of the firewall]. ... They want to give extranet users access to data inside a company without having to duplicate this data," says Lubor Ptapcek, product marketing manager at Novell, in San Jose, Calif. "Novell has strong competencies with directories on the inside of networks. Now we're looking at ways to take it out to the extranet."
Novell's goal is to get network administrators to the point where they can manage extranet users like any other users on the network -- by using the same management policies, security, single sign-on, inheritance of rights, and access control that NDS manages for internal users, Ptapcek says. This way, companies would be able to offer their extranet partners quality-of-service guarantees, he adds.
What's the policy?
Systems management giant Computer Associates, which is developing PKI and VPN products for this space, believes that policy-based authentication is going to be key in extranet development.
"The whole industry is moving away from the firewall and beyond the firewall. The whole thing comes down to one thing, and that is the policy," says Ranjit Ramakrishnan, security product manager for CA, in Islandia, N.Y. "Policy-based security management is built into UnicenterTNG. UnicenterTNG provides the foundation of the policy engine."
The issue of changing network access is merging with another new phenomenon: the creation of portals for users, partners, and suppliers to access a company via the Internet.
"Our customers don't tend to talk about intranets and extranets; they talk about their portal. One of the distinctions that is really being made as we move from intranets to extranets to portals [is] this notion of the organization without walls -- the virtual organization," says Ed Forman, vice president of marketing at enCommerce.
"What we are talking about is www.mycompany.com as the single front door to the Internet to which your employees, suppliers, partners, customers -- all of your constituents come to access your resources," Forman adds.
Indeed, it isn't difficult for some managers to imagine a not-so-far-off world in which the principle of extranets -- providing reliable access to real-time information -- is extended to every aspect of business.
"It sure would make it easier if we started at the raw materials through manufacturing, through shipping, through distribution, [and] if everything became more real-time and electronic," says Whirlpool's Haney. "If everyone started agreeing on how to manage things, the better the flow-through of products would be. Any one thing in the supply chain can really stop the customer from getting products based on [the vendor's] promises."
© 2001 Cable News Network. All Rights Reserved.