In his job as IT manager at Credit Protection Association Inc., Jerome Quiroga has two relentless worries these days: hackers and public opinion.
Hackers he knows. Dallas-based CPA manages collections for cable companies and other large businesses and, consequently, tracks personal information on millions of consumers. Prying eyes have long nettled Quiroga, and defending against them is routine.
Public opinion is a new and different beast to him. Thanks to a spate of high-profile mass identity thefts in the last year, consumers and lawmakers now clamor for ironclad protection of personal data.
CPA itself has never been the victim of a major data theft, and Quiroga wants to keep that record intact. So when he launched an IT security audit and upgrade last summer, he knew that public concerns would push him to higher standards.
“With everything being upfront now and things in the news,” Quiroga said, “we wanted to make sure we were doing the best we could possibly do.”
CPA had already made a respectable effort at IT security. All data—Quiroga estimates the size of the company's database to be nearly 3TB—was encrypted using the widely accepted PGP (Pretty Good Privacy) protocols. The company's two dozen outward-facing IP addresses were all shielded behind several firewalls.
It used WebSense Inc.'s WebSense to monitor employee Internet surfing and SurfControl plc's SurfControl Enterprise Protection Suite to filter e-mail; both were integrated into network firewalls to be especially difficult to circumvent. Security audits were done quarterly, if not more often.
Still, by last year, CPA was under pressure to meet more rigorous standards imposed by Visa USA Inc. and MasterCard International Inc. Known as the Cardholder Information Security Program, CISP spelled out expectations that any business had to meet if it wanted to process credit card transactions online.
Visa and MasterCard forced the cable companies to obey CISP standards so that customers could pay bills; the cable companies, in turn, forced partners such as CPA to follow CISP as well.
A central element of CISP is to use a third party to evaluate IT security. To that end, CPA turned to BEW Global Inc., an Englewood, Colo., consulting company and system integrator that specializes in IT security and corporate compliance.
Quiroga considered several companies, but he said he liked BEW's philosophy of putting up formidable technology at the network perimeter while constantly monitoring interior network activity. What's more, he said BEW knew the routines of meeting CISP standards.
Robert Eggebrecht, senior partner at BEW Global, described CISP as “a very long checklist you have to go through.”
Among the requirements are network penetration tests to ensure that all IP addresses are secured, tools to track and monitor access to cardholder data, restrictions on physical access to cardholder data, and encrypted transmission of sensitive data across corporate and public networks.
In all, CISP has dozens of specific criteria grouped under 12 broad categories.
BEW started working with CPA last August. Eggebrecht said he and his staff spent two weeks conducting an “exposure assessment,” observing every sort of communication—e-mail, chat, Web postings, peer to peer, instant messaging—to see what data was flowing into and out of CPA's network.
BEW compared that data with 58 categories of sensitive information, from adult content to nonpublic information to encrypted data, and then developed a sense of what improvements CPA should make.
BEW Moves to Integrate
From the exposure assessment, BEW identified three branches of security that had to be bolstered to meet CISP standards: encrypted e-mail, content monitoring and enterprise rights management.
CPA had solid defenses at its network perimeter, Eggebrecht said, but he said he believed it, like many companies, lacked effective tools to keep sensitive data locked down at all times to prevent leaks from inside the organization or hacks exploiting supposedly legitimate means of communication.
“The hard shell was in place; the castle walls had been built,” Eggebrecht said. “But nobody was watching the drawbridge, and that's where data was coming in and out of the castle.”
In January, BEW started a six-month project to integrate those upgrades. According to Eggebrecht and Quiroga, the plan was to implement the compliance-monitoring tool first, so CPA's network could always identify what data qualified as nonpublic information.
With that detail known, the e-mail and rights management tools could then automatically apply extra precautions as the data or communication warranted.
For a compliance monitor, CPA chose the Vericept Intelligent Protection Platform from Denver-based Vericept Corp. (the same software BEW used to do the exposure assessment last year).
Then came the e-mail filtering tool, SecureMail Gateway from GlobalCerts LC, in Charlottesville, Va. The enterprise rights management software was supplied by Liquid Machines Inc., of Waltham, Mass.
How does it work? Quiroga uses e-mail as an example. Eggebrecht's team integrated SecureMail into the SurfControl tool used by CPA and then configured SurfControl to route any message with nonpublic information (as designated by the Vericept monitor) to SecureMail for encryption. The message can then safely transit public networks.
“I don't have to do anything on my end, and the user gets a secure e-mail on his end,” Quiroga said.
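The routing step described above, as an added illustration that is not CPA's or BEW's configuration: a content check for cardholder data drives the encrypt-or-deliver decision, so the sender does nothing. The detector names, the two patterns and the Luhn filter are assumptions; the article does not say how the Vericept monitor classifies nonpublic information.

```python
import re

# Hypothetical detector patterns (assumptions, not from the article): the article does
# not describe how nonpublic information is recognised, so two common cardholder-data
# shapes stand in for the monitor's classification.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")   # 13-19 digits, spaces/dashes allowed
SSN_CANDIDATE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: separates real-looking card numbers from random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_nonpublic(text: str) -> list:
    """Return (kind, last4) tuples for each hit; only the last four digits are kept for logging."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(("PAN", digits[-4:]))
    for m in SSN_CANDIDATE.finditer(text):
        hits.append(("SSN", m.group()[-4:]))
    return hits


def route_message(body: str) -> str:
    """Gateway decision: nonpublic data -> 'encrypt' (hand off to the secure mail gateway),
    otherwise 'deliver' as ordinary mail. The sender takes no action either way."""
    return "encrypt" if find_nonpublic(body) else "deliver"


if __name__ == "__main__":
    # Constructed sample messages; 4111 1111 1111 1111 is a well-known Luhn-valid test number.
    samples = [
        "Account settled, card ending 4111 1111 1111 1111 charged $40.00",
        "Ticket 4111111111111112 closed, no balance due",   # fails Luhn: not treated as a PAN
        "Verify identity with SSN 123-45-6789 before release",
        "Meeting moved to 3pm, bring the Q2 slides",
    ]
    for s in samples:
        print(route_message(s), find_nonpublic(s))
```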
Liquid Machines, meanwhile, enables Quiroga to cease using PGP encryption—he said he disliked the idea that hackers might somehow obtain a decryption key—in favor of a tighter system that automatically sets restraints on data at the instant of creation.
Now, data sitting on a stolen laptop or somehow electronically smuggled past the firewall can still be rendered inert and unable to be passed to the wrong hands.
Quiroga described the implementation itself as “a large project plan” that took 10 months to complete. BEW deployed the tools, helped with integration issues and trained Quiroga's staff on administration of the new system.
Indeed, Quiroga said, personnel issues were the hardest part of the project. He had to ensure that implementing new security procedures did not disrupt everyday activity and had to supply steady updates to CPA's users (approximately 200 in total) regarding what he was doing and how the new security would, or would not, affect their daily communications.
When CPA did its final network penetration tests earlier in the spring to meet CISP standards, it even hired a second security consultant to test BEW's work.
Quiroga is tight-lipped about precisely how much CPA spent on the whole project, only describing it as “a lot; it was a significant investment to the core business.”
But he is quick to note that CPA essentially had no choice in the matter. Without security that passed CISP standards, the company would have lost vital customers such as Cox Communications Inc. and Adelphia Communications Corp.
For his part, Eggebrecht said CPA is now in a good position to continue security improvements as the need arises, since it has embraced the idea of seamless, behind-the-scenes tools.
“Tools will only get you so far,” Eggebrecht said. “Data security is fluid. Tools are going to change, and you need the proper tools in place. But policies and procedures that are constantly checking those tools are where we foresee the success of any of these projects.”
Matt Kelly is a free-lance writer in Somerville, Mass.
- Customer: Credit Protection Association
- Organizational snapshot: CPA, a collections business for cable companies and other large enterprises, keeps nearly 3TB of personal information on millions of consumers.
- Business need: Rigorous new standards of data protection imposed by Visa and MasterCard forced the company to upgrade its tools to manage and protect sensitive information.
- Technology partner: BEW Global, a security consulting and system integration company.
- Recommended solution: BEW recommended Vericept Intelligent Protection Platform as a content monitoring tool to identify sensitive data; SecureMail Gateway encrypts sensitive e-mail before it travels the network (or goes onto the Internet); and rights management software from Liquid Machines protects data that might leave CPA's grasp by other means.