With 60,000 employees, a $65 billion budget and 22 ministries, the government of Ontario has the unenviable task of providing a secure IT environment not only to carry out its own duties, but also to provide more than 300 services for millions of citizens.
“To achieve proper security in our environment, we needed to develop a strategy,” said Doug White, manager of operations and contingency service with the Ontario government, at the recent Canadian Forum on IT Security and Governance in Toronto.
This is especially important, he said, now that many of the 300-plus government services have an electronic interface with Ontarians. These services include everything from parts of the justice department to health information to driver’s licences. When you have 300 services it becomes a “very complex environment to manage,” White said. “It is a case of dealing with everything that surrounds [a] system.”
It’s not just technology interacting with other technology but also people interacting with technology, he said.
The starting point was to create a strong central corporate security core with connections to the various ministries’ own IT people, since a central office could not deal with every application running in the government. The result was “cluster security offices,” White said. Every application that is installed in the government has to be signed off by corporate security, effectively saying that they are happy with the level of security built into both the application and the architecture. White’s group often has to reject an application when it is deemed insecure.
“That doesn’t make us that popular,” he said, so there’s now a move to push security further back into the application development phase, to harden the application from the start.
The solution “is not (exclusively) an IT security strategy,” White was quick to point out. IT was just one facet of a multi-pronged approach dealing with everything from information classification and risk assessment to policy and education.
But all security initiatives, whether public or private, start with people. “We believe that there are 60,000 people in our organization that need to understand the importance of security,” White said. This includes everyone from clerical workers to ministers. White fully understands that most people will not grasp the nuts and bolts of security, but he and his team want them to at least understand the importance of security and the basic concepts. To help this process the government has specific policy guidelines for everyone to follow. “A security policy is your first line of [defence],” he said.
“There is no point to ask your 60,000 employees to act in a specific way if you don’t…have a policy in place.” The government starts with simple rules, like never giving someone a password over the phone, and goes on to a thoroughgoing education program. An important part of the education process is to get senior managers to “do the right thing(s)” when it comes to security, White said.
In order for employees to understand the sensitivity of the information they may be dealing with on a daily basis, the government is introducing a comprehensive information classification system. There will be three levels of classified (low, medium and high) and one level of unclassified. An example of a high-level classified document could be something pertaining to a witness in a protection program, White explained.
Like all systems exposed to the Internet, the Ontario government’s network, one of the largest in Canada, has to deal with from the mundane (almost daily viruses) to the serious (hack attempts). But unlike the corporate world, where a down system tends to affect only the bottom line, “for us it can mean life and death…if police systems are down, or ambulance systems are down,” White said.
If all the services could be run independently it would make security much easier, but Ontarians “don’t care which level of government supplies the service,” White said. Because of this there is a requirement for a certain level of interconnectivity not only with the federal government but with the hundreds of municipalities in the province.
This is the third year of the comprehensive security strategy in the government. The first years dealt with everything from risk assessment and security education to the identification of mission critical applications and the start of an information classification system. Subsequently, the government will deal with mobile computing — “it is not something that we have embraced cheerfully, but we have embraced it” — and over-all increases in threats to its systems. There will also be improved efforts around business continuity and resilience. White said there will be a three-fold spending increase for continuity and disaster recovery planning from previous years.
University tries antivirus education
Ariel Silverstone has 55,000 people who rely on him to keep Temple University’s networks running. But unlike the corporate world, where security policies can be enforced with an iron fist, Silverstone has to create a functional, secure environment in the relatively amorphous world of academia, where absolute rules are difficult to mandate and diversity of technology is the norm.
But one area where the Philadelphia-based chief information security officer laid down the law was in antivirus programs. And it has paid off in spades.
While speaking to the Toronto security forum, Silverstone had an emergency call from his tech people about the 120,000 copies of the Bagle and Mydoom blended threats that had hit Temple’s systems.
The near total antivirus adoption did its work. “Zero machines at Temple” were infected, he said. In fact the only machine related to the university that was hit was in someone’s home. Today, 99.9 per cent of the computers on Temple’s network have Symantec Corp. antivirus software installed and running.
But Silverstone admitted it wasn’t always this way. The events of the past year have led him and his colleagues to focus on creating a university-wide antivirus plan. The day after Microsoft Corp. released a security bulletin for a Windows RPC vulnerability, Silverstone and his team sent out 55,000 e-mails to ask people to make sure their copies of Windows were updated. At that point — July 17, 2003 — only 2,000 of Temple’s 14,000 networked PCs had up-to-date Symantec antivirus software.
Blaster hit the Temple network on Aug. 12. “Within four hours 600 computers are identified as infected (and) the network crawls to a snail’s pace,” Silverstone said. Each of the 600 machines took an hour to fix. “How much would that cost your business?” he asked his audience.
With his four-person team overwhelmed, Silverstone enlisted the help of about 100 other Temple IT personnel. They disconnected infected machines, fixed them and began installing antivirus software across the university.
They had to be prepared, since 6,000 new students enter the residence halls and connect to the network around Aug. 30 every year. When a student machine connects to the network it is checked to see if Symantec is in place; if not, the connection is terminated.
The 99.9 per cent antivirus coverage has been a blessing. SoBig and MyDoom (more recently NeySky and Bagle) have had “zero” effect on the university’s network, Silverstone said.
Putting tech on equal footing
For the general manager of information technology at the Greater Toronto Airports Authority (GTAA), the requirement for updated, and fail-safe systems was as important as it was for Silverstone — some might argue more so, since lives could be put at risk if systems were to go down.
Gary Long, who started at the GTAA a little over three years ago, said it has been a bit of a challenge to get IT security on equal footing with physical security, something that is front and centre at airports in general. His boss felt that if others were afflicted by viruses and the GTAA wasn’t, then “we must be perfect.” Management still views IT security as a background issue “until something breaks,” he said — and not just at the GTAA. His team has created a multi-layered security system with intrusion detection, multiple firewalls (including internal ones) and multiple backup sites for information.
Long supports about 140 different applications, many of them proprietary and automated. So if there are other failures (weather, not surprisingly is a big one at Canadian airports) the systems must adapt seamlessly. For example, gate and runway access is all controlled from the control tower. But if a storm affects arrivals the control tower, can’t just order planes to park at any available gate.
Some planes physically can’t go next to others and some airlines (El Al is one) refuse to park next to certain airlines for security reasons, he said. “The algorithms (controlling gate assignment) are quite complex.” For all of this to work, the GTAA has to take the attitude that “the fact nothing has happened isn’t an indication that it won’t,” Long said. They tend to look at “worse case scenarios.” “It is really, at the end of the day, about risk mitigation (since) the next threat is just around the corner.”
Chris Conrath is a department editor at ComputerWorld Canada who specializes in issues related to IT security. He can be reached at [email protected].