What ever happened to the lazy days of summer? For IT and security managers in businesses, hospitals and universities across the country, summer is just another season to get things done. Here’s a roundup of IT security projects we’re hearing about.
Overstock.com: Web application firewall
Compliance with the Payment Card Industry (PCI) data security standards is paramount for this Salt Lake City-based online retailer, which specializes in close-out merchandise. To meet the end-of-June PCI deadline for Web application protection (often called the “6.6 rule”), it’s mandatory to either install a Web-application firewall or undergo an extensive software code review if a business processes card payments over public networks.
“Our business relies on this, and now that we’re a ‘Tier 1’ in terms of the numbers of cards processed, assessment is more strict,” says Bear Terburg, manager of network engineering for Overstock.com.
So Overstock.com has been installing the Web Defense application firewall close to its load balancers, says Terburg — and readying for a PCI review by auditors and banks that keep an eye on what the larger card-processing merchants do.
OhioHealth: Biometrics and single sign-on
With its flagship Riverside Methodist Hospital and over two dozen other hospitals and medical facilities, OhioHealth is a major healthcare provider in central Ohio. The Dublin Methodist Hospital, which opened this year, has been dubbed OhioHealth’s “digital hospital” because it was built from the ground up with advanced wireline and wireless networks. At Dublin Hospital, doctors, nurses and support staff can contact and speak to each other via a Star Trek-like communications badge they wear, made by Vocera. The Vocera system works over the wireless LAN, as does a wireless IP-based video service for language interpretation that’s instantly available when needed.
Jim Lowder, chief technology officer for OhioHealth, says an ongoing project is adding biometric-based fingerprint authentication at the computer keyboard. This is strong security that supports the State Board Pharmacy’s new rule requiring two-factor authentication if physicians want to prescribe medications using electronic means rather than paper. Tying it all together is the Imprivata OneSign single sign-on appliance that lets users log in once to use all hospital-controlled computer and voice devices. “We’re applying technology to the business and clinical-quality issues,” says Lowder, adding, “This is the hospital of the future.”
University of Nevada at Reno: New building on campus
On the university campus, the library, study hall and learning lab of the future is taking shape. The Mathewson-IGT Knowledge Center is a 300,000-square-foot building housing about 400 computer workstations on a very high-speed network complete with multimedia applications and teaching areas where students will be able to blend academic discipline with Web 2.0 collaboration. “It’s the post-Gutenberg environment,” says Steven Zink, vice president of IT and dean of university libraries. He says it’s been the thrill of a lifetime to be part of the design team on the US$110 million project, which started over two years ago.
The traditional paper library isn’t going away entirely, Zink points out, but books have been moved to the second floor and will be retrieved by an automated robot system. With opening planned for mid-August, the Mathewson-IGT Knowledge Center is in the final stages of preparation. One of the most important management tasks involves preparing for the security challenge of keeping the hundreds of computers clean and safe for students, who will be allowed to use them to learn about multimedia but not store their own personal files. To prevent computers from becoming a mess, the University of Nevada is installing the Faronics Deep Freeze software, which preserves a computer’s programmed image and, during a reset, erases personal information a student may have left, while providing a warning that this will occur. “They can save their material to a server or hard drive,” says Zink. “There’s a security issue, and a copyright issue, too.”
Meredith Corp.: Data leak prevention
Meredith Corp.’s businesses include such household-name publications as Better Homes & Gardens, Family Circle and Ladies Home Journal. One of the more complex IT projects under way at the Des Moines, Iowa-based media and marketing group is implementing Palisade Systems’ data-leak prevention (DLP) appliance.
“It’s to make sure we know where content is flowing,” says Dan Carlson, director of IT security. The DLP equipment is viewed as a boon for compliance with data-protection rules such as PCI and Sarbanes-Oxley. But the company, which brought the DLP gear in-house last fall, is still on a learning curve and so far uses the technology more for monitoring than blocking. As monitoring discovers the unexpected, the DLP technology triggers a problem-resolution process. “It increased security awareness,” says Carlson. “We found some things that were unexpected,” he says, declining to specify them. “As we identify things that are happening, we have an obligation to deal with it.” Although DLP is a disruptive technology, as many have found out using it, Meredith isn’t pulling back from it. “We’re in it for the long haul,” says Carlson.
Baylor University: Encryption
A project expected to get under way in July is adding whole-disk encryption based on PGP’s software to about 150 Macintosh computers used by university staff, says Jon Allen, information security officer at the Waco, Texas, university. The goal is ensuring data privacy, but if officials at the university need to access encrypted data, they’ll be able to do that through PGP’s key-escrow mechanism.
“Somebody may have involuntary separation, or we need access for other reasons. For use of key-escrow, which is pretty rare, we need the approval of a [university] vice president or organization head,” Allen adds.