BEW Moves to Integrate
From the exposure assessment, BEW identified three branches of security that had to be bolstered to meet CISP standards: encrypted e-mail, content monitoring and enterprise rights management. CPA had solid defenses at its network perimeter, Eggebrecht said, but he said he believed it, like many companies, lacked effective tools to keep sensitive data locked down at all times to prevent leaks from inside the organization or hacks exploiting supposedly legitimate means of communication.

In January, BEW started a six-month project to integrate those upgrades. According to Eggebrecht and Quiroga, the plan was to implement the compliance-monitoring tool first, so CPA's network could always identify what data qualified as nonpublic information. With that detail known, the e-mail and rights management tools could then automatically apply extra precautions as the data or communication warranted.

For a compliance monitor, CPA chose the Vericept Intelligent Protection Platform from Denver-based Vericept Corp. (the same software BEW used to do the exposure assessment last year). Then came the e-mail filtering tool, SecureMail Gateway from GlobalCerts LC, in Charlottesville, Va. The enterprise rights management software was supplied by Liquid Machines Inc., of Waltham, Mass.

How does it work? Quiroga uses e-mail as an example. Eggebrecht's team integrated SecureMail into the SurfControl tool used by CPA and then configured SurfControl to route any message with nonpublic information (as designated by the Vericept monitor) to SecureMail for encryption. The message can then safely transit public networks. "I don't have to do anything on my end, and the user gets a secure e-mail on his end," Quiroga said.

Liquid Machines, meanwhile, enables Quiroga to cease using PGP encryption (he said he disliked the idea that hackers might somehow obtain a decryption key) in favor of a tighter system that automatically sets restraints on data at the instant of creation.
Now, data sitting on a stolen laptop or somehow electronically smuggled past the firewall can still be rendered inert and unable to be passed to the wrong hands.

Quiroga described the implementation itself as "a large project plan" that took 10 months to complete. BEW deployed the tools, helped with integration issues and trained Quiroga's staff on administration of the new system.

Indeed, Quiroga said, personnel issues were the hardest part of the project. He had to ensure that implementing new security procedures did not disrupt everyday activity and had to supply steady updates to CPA's users (approximately 200 in total) regarding what he was doing and how the new security would, or would not, affect their daily communications.

When CPA did its final network penetration tests earlier in the spring to meet CISP standards, it even hired a second security consultant to test BEW's work.

Quiroga is tight-lipped about precisely how much CPA spent on the whole project, only describing it as "a lot; it was a significant investment to the core business." But he is quick to note that CPA essentially had no choice in the matter. Without security that passed CISP standards, the company would have lost vital customers such as Cox Communications Inc. and Adelphia Communications Corp.

For his part, Eggebrecht said CPA is now in a good position to continue security improvements as the need arises, since it has embraced the idea of seamless, behind-the-scenes tools. "Tools will only get you so far," Eggebrecht said. "Data security is fluid. Tools are going to change, and you need the proper tools in place. But policies and procedures that are constantly checking those tools are where we foresee the success of any of these projects."

Matt Kelly is a free-lance writer in Somerville, Mass. He can be contacted at firstname.lastname@example.org.

Case file
Customer Credit Protection Association
Organizational snapshot: CPA, a collections business for cable companies and other large enterprises, keeps nearly 3TB worth of personal information on millions of consumers.
Business need: Rigorous new standards of data protection imposed by Visa and MasterCard forced the company to upgrade its tools to manage and protect sensitive information.
Technology partner: BEW Global, a security consulting and system integration company.
Recommended solution: BEW recommended Vericept Intelligent Protection Platform as a content monitoring tool to identify sensitive data; SecureMail Gateway encrypts sensitive e-mail before it travels the network (or goes onto the Internet); and rights management software from Liquid Machines protects data that might leave CPA's grasp by other means.
"The hard shell was in place; the castle walls had been built," Eggebrecht said. "But nobody was watching the drawbridge, and that's where data was coming in and out of the castle."