Risk of specific changes to the "Trusted" security zone

Information Security Asked on December 26, 2021

Our EDI VAN provides software to transmit sensitive customer and business data between our ERP and their website. This software requires that I add several URLs (including one plain HTTP) to the “Trusted” security zone on Windows 10. It also requires that I enable “Display mixed content”, “Access data sources across domains”, and “Don’t prompt for client certificate selection when only one certificate exists” for that zone.

What are the security implications of these changes? Are any of them clearly unnecessary security risks that I should warn my managers about? I already have a low opinion of our EDI VAN, so my bias may be fueling my suspicion.

One Answer

An EDI VAN is a secure outsourced network where EDI documents can be exchanged between business partners. Your company is provided with a "mailbox" or alternate means from which EDI documents are sent and received, similar to traditional paper-based mail (snail mail). The “value added” part of the mailbox is often services like mail notifications, inspection, authentication, and validation of the message. Messages should be tracked and recorded for auditing purposes, and other services are available through VANs, such as backup and recovery, mapping, compliance and more.

For everything to be in order you must have high trust in the EDI VAN provider and/or be able to make sure that it handles security in a sufficiently good manner. Otherwise, you may end up with something being compromised.

Setting everything as "trusted" is definitely not a good security practice. That would practically allow that software to do anything and transmit anything across your infrastructure (given the other settings).

Instead, you should ask the provider what ports or other limited settings are specifically needed to enable correct communication between the software and its destinations. Mixed content means the connection is not required to be secure, which is a big risk (you will transmit data that is not encrypted).

Therefore, you should definitely determine how trusted that provider is and warn your company in regard to security.

Answered by Overmind on December 26, 2021
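An added example, not part of the question or the answer above: a PowerShell audit script that reads the current user's "Trusted sites" zone (zone 2 in the standard Internet Explorer / Windows zone registry layout) and reports the three settings the question names, whether the zone still requires HTTPS for its members, and every host that has been mapped into the zone, flagging plain-HTTP entries. It assumes the VAN's instructions were applied per user under HKCU; if they were pushed by Group Policy the same values live under the Policies hive instead and the two path variables need adjusting.

```powershell
# Added audit script (not from the original question or answer).
# Assumption: the zone changes were made per user (HKCU). Policy-managed values
# live under HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
# instead; change $ZoneKey / $DomainKey if that is how they were deployed.

$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2'
$DomainKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# URL-action IDs for the three settings named in the question.
# Stored value: 0 = Enable, 1 = Prompt, 3 = Disable.
$Actions = [ordered]@{
    '1609' = 'Display mixed content'
    '1406' = 'Access data sources across domains'
    '1A04' = "Don't prompt for client certificate selection when only one certificate exists"
}

function Get-TrustedZoneSettings {
    $zone = Get-ItemProperty -Path $ZoneKey
    foreach ($id in $Actions.Keys) {
        $raw   = $zone.$id
        $state = switch ($raw) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unset ($raw)" } }
        [pscustomobject]@{
            Action  = $id
            Setting = $Actions[$id]
            State   = $state
            Risky   = ($raw -eq 0)   # "Enable" is the permissive choice for all three
        }
    }
    # Flags bit 0x4 = "Require server verification (https:) for all sites in this zone".
    # Adding a plain http:// URL to Trusted sites only works after this bit is cleared.
    $requiresHttps = [bool]($zone.Flags -band 0x4)
    [pscustomobject]@{
        Action  = 'Flags'
        Setting = 'Require server verification (https:) for all sites in this zone'
        State   = if ($requiresHttps) { 'Enable' } else { 'Disable' }
        Risky   = -not $requiresHttps
    }
}

function Get-TrustedZoneSites {
    if (-not (Test-Path $DomainKey)) { return }
    Get-ChildItem -Path $DomainKey -Recurse | ForEach-Object {
        $key = $_
        # Key path Domains\example.com\www describes host www.example.com
        $parts = (($key.Name -split '\\Domains\\', 2)[1]) -split '\\'
        [array]::Reverse($parts)
        $hostName = $parts -join '.'
        $props = Get-ItemProperty -Path $key.PSPath
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PowerShell's own note properties
            if ($p.Value -ne 2)      { continue }   # value 2 = Trusted sites zone
            [pscustomobject]@{
                Host   = $hostName
                Scheme = $p.Name                    # 'http', 'https' or '*' (any scheme)
                Risky  = ($p.Name -ne 'https')      # plain HTTP, or any scheme, is trusted
            }
        }
    }
}

$settings = Get-TrustedZoneSettings
$sites    = Get-TrustedZoneSites
$settings | Format-Table -AutoSize
$sites    | Format-Table -AutoSize

$flagged = @($settings | Where-Object Risky) + @($sites | Where-Object Risky)
if ($flagged.Count -gt 0) {
    Write-Warning "$($flagged.Count) permissive Trusted-zone entries found; see the tables above."
}
```

Run it in the user context in which the VAN software was set up (the zone map is per user) and keep the output with the change request: it gives managers a concrete list of which hosts are trusted under which scheme and which of the three relaxations are actually in force, rather than a general statement that "everything was set to trusted".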
