PART 2:CASE STUDY(25 MARKS)

Providence Health Systems and Others: Challenges of IT Security Management

Heightened concern about cyber-terrorism and the increasing need to open internal networks to outside access are pushing corporations to bolster network and data center security, on both the IT front and physically. The goal is to add multiple layers of protection and redundancy around the data center and its hardwares, softwares, databases and network links, while still maintaining the levels of service demanded by the business. On the physical side, companies are boosting their business continuity and disaster recovery capabilities by buying and building redundant hardware and facilities or paying for such services, and geographically separating their IT assets. The technology effort, meanwhile, is focused on supplementing traditional network firewall protection with newer intrusion monitors, access control tools and tougher IT age policies.

The need for such protection is being driven by both the increasing threat of cybercrimes and the growing use of Internet to link companies with partners and customers, says David Rymal, Sector of technology at Province Health Systems in Everett, Washington. "There is an increasing pressure to enable wide and unfettered access from our business units. We are getting so many nests to open up ports in our firewall that pretty soon it is going to look like Swiss cheese" Rymal says. "The more of them you have open, the more vulnerabilities you create."

The whole notion of "Web services" under which companies will use common Web protocols to link their business systems with those of external partners and suppliers, is only going to increase the need for better security, users say. Adding to the pressures is the growing number of remote workers and the trend toward wireless applications. This has meant finding better ways of identifying and authenticating users and controlling the access they have on the network. "You have to keep in mind that the minute you open your servers or services to the Internet, you are going to have bad people trying to get in," says Edward Rabbinovitch, the Vice President of global networks and infrastructure operations at Cervalis Inc., a Stamford, Connecticut-based Internet hosting service.

Companies are also building "air gaps" between their outside facing applications and black end data. Providence Health, for instance, doesn't permit external Internet connections or wireless access to terminate on any internal machine. It's far safer to end such connections outside the firewall and then screen all external requests through secure network services, Rymal says.

Antivirus and email filtering tools are being supplemented in many companies with new measures aimed at reducing the risk of attack via email. "Email, to me, is always the weakest link, because you are open to just about anything and everything that comes over the Web," says George Gualda, CIO at Link Staffing Services Inc. in Houston.

Link prohibits attachments of certain types and sizes on its network. All Internet based chatting is banned, and users aren't allowed to download and install software. Scripting functions are disabled to prevent unauthorized scripts from wreaking havoc, says Gualda. Link Staffing uses a secure virtual private network (VPN) service from OpenReach Inc. to connect its 45 remote sites. The OpenReach VPN provides firewall and encryption services, but Link placed an extra firewall in front of the VPN anyway.

While it's impossible to guarantee 100 percent security, companies should make things as difficult as possible for outsiders or insiders to steal or damage IT assets, IT managers say. Cervalis security, for instance, begins at its ingress points - where the Internet meets its networks. The company uses strict port control and management on all of its Internet facing routers to ensure that open ports don't provide easy access for malicious attackers. Redundant, load-balanced firewalls that are sandwiched between two layers of content switches filter all traffic coming in from the Internet. Network based intrusion detection systems are sprinkled throughout the Cervalis network.

Augmenting physical and electronic security measures with IT security policies that are clearly articulated and enforced is also crucial, Gualda says. Link Staffing has a tough IT usage policy that employees must abide by. Failure to comply can result in termination, say Gualda, who has fired two employees for this reason in the past. To enforce the policy, the company uses monitoring and auditing tools to inventory employee computer usage.

Securing operations also means auditing IT security by regularly going through a checklist of maintenance items, IT managers say. Periodic reviews and external audits are also needed to ensure that there is adequate security. "There is never going to be a 100% security solution; there is always theoretical way for someone to wind their way through," Rabbinovitch of Cervalis says. "The task, therefore, is to make it as challenging as possible for the hacker."

Question 1

Why is there a growing need for IT security defenses and management in business? What challenges does this pose to effective IT security management?(7 marks)

Question 2

What are some of the IT security defenses companies are using to meet these challenges? Use each of the companies in this case as an example. (8 marks)

Question 3

Do you agree with the IT usage policies of Link Staffing and the security audit policies of Cervalis? Why or why not?(10 marks)