<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: What You Want for Wednesday: More Granular Access Control on Remote Vendor Access</title>
	<atom:link href="http://blogs.gartner.com/john_pescatore/2008/10/29/what-you-want-for-wednesday-more-granular-access-control-on-remote-vendor-access/feed/" rel="self" type="application/rss+xml" />
	<link>http://blogs.gartner.com/john_pescatore/2008/10/29/what-you-want-for-wednesday-more-granular-access-control-on-remote-vendor-access/</link>
	<description>A member of the Gartner Blog Network</description>
	<lastBuildDate>Thu, 19 Nov 2009 18:00:12 -0500</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Rob Lewis</title>
		<link>http://blogs.gartner.com/john_pescatore/2008/10/29/what-you-want-for-wednesday-more-granular-access-control-on-remote-vendor-access/comment-page-1/#comment-87</link>
		<dc:creator>Rob Lewis</dc:creator>
		<pubDate>Thu, 30 Oct 2008 13:42:09 +0000</pubDate>
		<guid isPermaLink="false">http://blogs.gartner.com/john_pescatore/?p=168#comment-87</guid>
		<description>John,

We solve this problem very easily. Our technology is a security sub-system that turns networks into distributed MLS enclaves in an otherwise discretionary environment. Fine-grained access and audit control at the data file level, on a per-user basis, is enforced at the kernel level.

With this technology, all one has to do is create a specific user group that includes only the vendor partner(s) and your enterprise liaison with a definitive policy about what your staff person can bring into that user group. The policies are based on users, roles and groups, or in the language of the business rules, so they are very intuitive. Rather than ACLs, a couple of rules are usually all that are required. A vendor partner can also be removed, or access privileges changed, in minutes.

Even if the vendor partner&#039;s own systems get owned, no one can ever tunnel past that user group from outside, and if the enterprise provides a laptop with our brand of MAC, MLS security on it to access their information, that laptop will not be owned either.

Sorry if I appear to be crossing the line into &quot;selling&quot; in any way. I am only trying to respond to your post topic.</description>
		<content:encoded><![CDATA[<p>John,</p>
<p>We solve this problem very easily. Our technology is a security sub-system that turns networks into distributed MLS enclaves in an otherwise discretionary environment. Fine-grained access and audit control at the data file level, on a per-user basis, is enforced at the kernel level.</p>
<p>With this technology, all one has to do is create a specific user group that includes only the vendor partner(s) and your enterprise liaison with a definitive policy about what your staff person can bring into that user group. The policies are based on users, roles and groups, or in the language of the business rules, so they are very intuitive. Rather than ACLs, a couple of rules are usually all that are required. A vendor partner can also be removed, or access privileges changed, in minutes.</p>
<p>Even if the vendor partner&#8217;s own systems get owned, no one can ever tunnel past that user group from outside, and if the enterprise provides a laptop with our brand of MAC, MLS security on it to access their information, that laptop will not be owned either.</p>
<p>Sorry if I appear to be crossing the line into &#8220;selling&#8221; in any way. I am only trying to respond to your post topic.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
