Two years ago, Port of Napier (PoN) allowed internal users and clients to access data online and reduced their dependence on fax machines and phone calls to confirm transactions. This was part of a major systems upgrade that put the enterprise ahead of the competition in e-commerce functionality and the provision of real-time data.
Opening up the system in this way, however, necessitated a parallel upgrade of the enterprise’s security applications.
Tony Wicks, network systems manager, says a “big push” for security was imperative. “Management recognised, with all this leading edge stuff, they need a leading edge network.”
PoN’s strategy involved a simultaneous rollout of both infrastructure and security upgrades. “It was all part of the one project, a whole package that went beyond security,” explains Wicks, who reports to information systems manager Steve Johansen.
“Basically, what we have done is installed a fully redundant network. The system now includes two separate computer rooms, fully redundant internet front end, with fibre connections supplied by TelstraClear and frame relay supplied by Telecom.”
Wicks says adopting best of breed technology allowed the enterprise to build a network “at a very reasonable cost with a very high level of security”.
For various reasons, he believes organisations are inclined to spend more money than is necessary on security. “They don’t understand what they’re actually protecting themselves against,” Wicks says.
Choose the appropriate tool
Through its use of best of breed, PoN’s security implementation did not exceed the spend it had anyway planned to make. “It’s very, very important to choose the appropriate technologies to do the job. Whether it be Microsoft, Linux, Cisco, it doesn’t matter. You choose the appropriate tool for the job. That’s the crux of it.”
The new system, says Wicks, “has proved itself over and over again with the accelerating rate of attacks” from viruses and worms.
For instance, the virus scanning systems on the servers, which Wicks says comprise the “last line of defence”, have caught only one virus in a year. The entry point was a laptop connected from outside the organisation. “The on-board virus scanner caught it before it even got anywhere near the network. It didn’t get past the first layer, let alone the next two layers of security.”
He points out the enterprise receives an indirect attack from viruses, worms and the like at an average frequency of four a minute. “The speed of attacks is staggering but, with a multi-layer defence, it has not turned out to be an issue.”
Wicks adds his background at TelstraClear and in an internet service provider helped him in his current job. “A background in the internet industry is like a trial by fire. You have to learn, because it is like standing on a median barrier in the middle of a motorway. The attacks and the security side change so rapidly.”
An imperative from a security point of view is patching, says Wicks. Indeed, he believes it to be the single most important thing a company can do for its network.
“A lot of people will patch their workstations but will not patch their Office package. While the task may be tedious, it has to be done.”
The PoN IT team spent over 600 man-hours in 2003 patching all the Microsoft-based systems. “The risk of not patching is so high now that you’re virtually guaranteed to be compromised if you don’t patch your systems.”
One vulnerable workstation can take down your entire network, he says. “A worm can get in and the worms are getting nastier. It is very simple to have your business brought to its knees in a matter of minutes by not patching your machines.”
Wicks is likewise emphatic about the importance of restricting desktop rights and locking down the workstations.
“Ninety nine per cent of users do not need administrative access to their machines. Lock down the access but don’t stop them from being able to be comfortable with their machines.”
No PoN laptop users have administrative access to their machines. When they connect externally, they have to connect via the virtual private network before they can go anywhere, says Wicks.
“Laptops are the single biggest cause of compromises. Educating the users that they actually don’t need administrative access to their machines, their laptops belong to the port and are a tool for business, has been a huge challenge.”
Security eye on email
PoN also trained its security eye on the email system. When an email comes in, two different virus scanners scan it before it is handed to the exchange server. Executable attachments are removed and html mail is converted into plain text.
“This takes out the active component of the email and that gives us another layer of security. All html email does is add some pretty bits. It doesn’t give you any more functionality, but what it does is it makes you much more vulnerable.”
Wicks admits there was initially some negative reaction from users, but they understood the move when it was explained to be part of multiple layers of defence.
Technology, however, is just a small part of ensuring security systems are in place. “The biggest challenge has been educating those people, so they know they need to follow a process.”
Now, systems have to be approved and checked before they are allowed to become part of the infrastructure, and this is coordinated with IT.
“Before, some of them were under the impression they could buy anything they want, stick it in and say ‘Hey, it doesn’t work!’ So a lot of the challenge is in implementing the policies, not the software or hardware or anything else.”
But implementing the policies does not mean stopping people from doing what they need to do for their job. “It just means everybody has to work together.” The IT department worked with human resources and communications on a handbook of policies for all staff, in which it outlines the strict web policy on scanning all internet access for pornography.
There is, however, an “open policy” allowing staff members to surf certain sites, such free web-based email hosts, eBay, trademe and internet banks during lunch breaks.
The enterprise employs a web management system developed by Wicks and some associates for another company, soon to be deployed commercially, and PoN already uses all the technologies it incorporates.
Although PoN actively encourages its staff to become familiar with their equipment, it limits their ability to experiment with it. “You want them to be happy and comfortable but you don’t want them to be able to break anything.”
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.