Developing secure extranets and customer portals

When a business needs to provide quality, manageable information to its own staff, clients or customers, and wants to do so in the most secure way possible, an extranet is the best option.


What are extranets, customer portals and intranets?


An extranet is a kind of website that allows access to controlled information to people outside an organisation. In a business-to-business (B2B) context that usually means partners, distributors or suppliers. Secure access is usually controlled using a username and password.

Customer portal

In a business-to-consumer (B2C) context an extranet may be called a customer or membership portal. Access is still controlled through a secure login area, but the information provided may be oriented around the services or products that the organisation provides to the customer.


An intranet is a network which exists within an organisation, for its employees or close-working partners. It usually includes a website with internal information on it. Access may be controlled through a login system, but this is often not necessary because the connection to the network is controlled in other ways, such as via a VPN (Virtual Private Network).


Are extranets good for business?

Extranets take a variety of forms, and here are a few examples:

- Distributor extranets help a manufacturing company collaborate with its distributors and retailers. An extranet can contain product information (service manuals, marketing materials, image galleries etc.); it can provide online tools such as product registration and warranty claims; it can have online calculators for field sales personnel, such as consumable calculators; it can be used for advertising vacancies across a group of companies.


- In a professional services context, an extranet can have a database of personal profiles, listing the relevant skills and services offered; the password-protected area of the site can have a profile management tool, while a separate, perhaps public, area of the site can have a search engine so that customers can find people with the skills they need.

- An online document library is a common application, with the information being made available to consumers, distributors or in-company personnel.

Managing users

The management of users is an important part of any extranet. You will need to consider the user experience as much as the means of managing them.

An initial user base may be imported from a company directory or other list. Once imported, those users will be able to log in. There may be a self-registration form, but on an extranet an in-house administrator must usually approve all new user access.


For extranets with large user bases, there is often a grouping or graded permission system, so that access to different parts of the extranet can be granted only to the right people. With groups, a user may typically be a member of one or several groups, and the permission to access content is granted to the members of a group.

Organisation models within an extranet

Some extranets have tools to model an organisation. For example, the user data model may be hierarchical, so as to model different levels of management. The CMS may have the ability to display an organisation chart.


External companies or locations may be modelled, and the CMS may permit users to be associated with those organisations, possibly even capturing their job roles. In this way, it is possible to grant access to one of those organisations, such that when its employees log in, they have the appropriate access rights.


Security is a key aspect of any extranet, and many things should be considered.

The physical hosting is important, perhaps more so than for a brochure website, as the site may be targeted by hackers or even competitors if it is known to contain commercially valuable information.

It's common to use SSL on the website to encrypt the website traffic. There should be an appropriate password policy for both users and administrators: strong passwords are a must, and ideally passwords should be stored in an encrypted form rather than plain text. This means that a user who loses their password will have to ask for a new one to be regenerated rather than be sent a reminder, but on balance that small inconvenience is the best approach, compared to the cost if the database should ever be compromised.

There may be a need to keep the membership "fresh", in which case the extranet includes a mechanism which expires users who don't log in frequently enough. Users should have their accounts suspended or deleted if they become inactive, as this may be an indication that they have left a partner company.
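The password storage and account expiry described above, as an added sketch that is not code from this page or from any particular CMS. It assumes salted PBKDF2 hashing as the stored form, and the `UserStore` class, the 90-day idle limit and the round count are hypothetical choices for illustration.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

MAX_IDLE = timedelta(days=90)   # assumed policy value, not from the page
PBKDF2_ROUNDS = 600_000         # assumed work factor


def hash_password(password, salt=None):
    """Return (salt, digest); only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}  # username -> stored record

    def add(self, username, password, now):
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "digest": digest,
                                "last_login": now, "suspended": False}

    def login(self, username, password, now):
        u = self.users.get(username)
        if u is None or u["suspended"]:
            return False
        _, candidate = hash_password(password, u["salt"])
        if not hmac.compare_digest(candidate, u["digest"]):
            return False
        u["last_login"] = now  # only a successful login counts as activity
        return True

    def regenerate_password(self, username):
        """Lost password: the old one cannot be recovered, so issue a new one."""
        new_password = secrets.token_urlsafe(12)
        u = self.users[username]
        u["salt"], u["digest"] = hash_password(new_password)
        return new_password  # delivery to the user is outside this sketch

    def suspend_inactive(self, now):
        """Suspend accounts idle longer than MAX_IDLE; return their names."""
        stale = [n for n, u in self.users.items()
                 if not u["suspended"] and now - u["last_login"] > MAX_IDLE]
        for n in stale:
            self.users[n]["suspended"] = True
        return stale
```

Because the store holds only a salt and a digest, a copy of the database does not reveal any user's password, which is the trade-off the text weighs against the inconvenience of regeneration.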

