How public can an intranet be?

Discussion in 'privacy problems' started by emmpe, Apr 19, 2013.

Thread Status:
Not open for further replies.
  1. emmpe, Registered Member

    Feb 19, 2007
    I'm employed at a Swedish plant of a corporation with global presence. The corporation runs an Internet-based intranet connecting plants in the Americas as well as in Europe, Australia and Asia including China. This means that about 100 000 people potentially have access to the various sites in the network, apart from family, friends, relatives and neighbours of quite a few employees who occasionally work from home.

    In my eyes this comes very close to a public network, whereas according to Swedish law it does not, meaning that a lot more slack is allowed when it comes to handling personal data.

    Every new employee is photographed for the mandatory identity card, which is entirely legal in Sweden. Sadly some of these photos tend to show up on the intranet without the objects' consent, which is equally legal for a non-public network, but deeply unethical to say the least IMO.

    The corporation is obviously large enough to have among its employees at least one person with court-ordered identity protection and at least a few immigrants from countries that practice refugee surveillance. Furthermore there's a whole lot of people who just really feel very bad about having their photos flashed about publicly. So these are my questions:

    Even if the network cannot be Googled, it's nevertheless on the Internet. At work you log in simply by logging in to Windows. Doesn't this mean that it can be accessed by anyone with some experience of finding non-indexed info? If so, how difficult would it be?
  2. EncryptedBytes, Registered Member

    Feb 20, 2011
    Well, no, that is where your network gateway, firewall, and other access controls should kick in (I am not sure how your Windows machines are configured; they can be set up to automatically do authentication and VPN connection in the background). An intranet doesn’t have to be a single isolated LAN inside a building; it can be multiple LANs across an area, or even span countries. The main focus of the term is around limitation to only those who work for an organization or have a need to know. Obviously resources and systems residing inside the intranet should only be accessible after the client authenticates with a gateway or VPN. It can be further expanded with extranets which allow for approved third parties to access certain resources. Sounds like you may have a bit of both in your topography.

    In your case, to address the private information that is indexed on your organization's systems, that would be more of a policy problem than a networking one. However, if your intranet is properly configured then no one outside the company should be able to easily access those resources containing that information. Meaning I will not be able to find the information on Google; I would need to attack and exploit the network itself first.