Three IT projects that matter

While rapid-fire cost-savings and consolidation efforts typically dominate an IT executive's annual to-do list, what's getting the green light this year are multiphase projects that protect organizations from regulatory fallout and data leakage.

At the California Department of Health Care Services (DHCS), for example, increased federal mandates and heightened media attention have led to a focus on projects that prevent data loss, says Christy Quinlan, CIO at the Sacramento agency.

"I know that whatever we spend on projects to secure data would be a whole lot cheaper than having to deal with even one leak," she says.

IT executives in a cross-section of industries, including government, education and the private sector, share the sentiment. In fact, three specific project areas -- privacy, enterprise rights management and data center automation -- are all getting the go-ahead because they can enable better data protection.

Privacy

Since she took office as CIO in 2005, Quinlan has had a laser-like focus on improving the systems at the DHCS, a 2007 Enterprise All-Star Award honorable mention designee. She describes herself as a doer, not a talker, and doesn't understand why implementing new technologies takes some IT teams so long. Being a doer served her well earlier this year when the U.S. Social Security Administration (SSA) notified her team that its main system, Medi-Cal, was in violation of the Health Insurance Portability and Accountability Act regulations.

The mainframe-based application lacked the ability to prove that only need-to-know personnel were gaining access to private patient information, the SSA said. More than 70,000 workers in 58 counties use Medi-Cal to access Medicare and Medicaid claims.

To come into compliance, Quinlan needed to install role-based access privileges coupled with auditable time-stamping. "The SSA said we only had a short time to fix the problem or it was going to deny us access to its network," she says. The DHCS had no time to rewrite the Medi-Cal application code itself or to do any major system changes.

Instead, the agency opted to tack IBM's Resource Access Control Facility (RACF) onto the mainframe to manage and log role-based permissions atop the Medi-Cal system's own basic built-in privileges. Now Quinlan can set multilevel security policies based on users and the types of files they are trying to access. "This depth of tracking allows us to create a full audit trail," she says.

To avoid passing the complexity of a layered system on to users, Quinlan's team synchronized username and passwords for RACF and Medi-Cal. "They have a single point of entry and don't have to log on with separate identities," she says.

Having met the SSA's deadline, Quinlan has since returned to other privacy initiatives, including encrypting the more than 8,000 DHCS desktops and laptops in accordance with -- and in some cases ahead of -- state and federal regulations. "There's still no requirement to encrypt desktops, but why wouldn't you when you could have tremendous damage to the organization's credibility if data were lost?" she says.

Andreas Antonopoulos, senior partner at Nemertes Research, applauds organizations that are tackling privacy problems head-on. "You can easily protect against data loss with checks and balances and separation of duties," he says.

He also recommends prioritizing what data you need to retain and for how long. "The best security policy is not storing data you don't need," he says. Also, he advises IT teams to avoid using Social Security numbers and other critical data as identifiers.

In Pennsylvania, the Department of Agriculture follows right-to-know policies to make farmers feel safe providing sensitive information, says Sean Crager, CIO at the Harrisburg agency. "By having strong privacy policies, we increase enrollment in important [animal disease] awareness programs," he says.

For instance, the department encrypts sensitive information at the field level in its SQL Server database. This gives the department a two-fold advantage, Crager says: It allows the agency to be granular in the data that is secured as well as to avoid performance hits that would arise from encrypting the entire database.

Crager also ensures he stores only necessary information, offloading tasks such as credit-card processing to trusted third parties. "My goal is to keep as little personal data as possible. If we don't need it, I don't want it," he says.

Page Break

Enterprise rights management

While Quinlan and Crager home in on how to keep their customers' personal data secure, Bill Leo, CIO at management consultancy Oliver Wyman Delta Organization & Leadership in New York, is putting in place technology that will help him lock down his firm's own intellectual assets.

"We author many industry reports on organizational change and leadership development. We want to make sure that that intellectual capital doesn't fall into the wrong hands to be used in a competitive nature," he says.

In the past, users were able to download reports to their laptops. "People were walking around with our entire intellectual database on their computers," Leo says.

Today, Leo is piloting an enterprise rights management (ERM) system that will control access to and retention of the company's intellectual assets. Using a combination of Microsoft Office SharePoint Server and Microsoft Active Directory, authors can set policies that govern who can view and distribute their reports.

In the first phase of the new system, Leo is focusing on rolling out internal access rights management for more than 200 employees worldwide by year-end.

Once an employee creates a report, he loads it into the SharePoint repository and assigns it access rules. For instance, he can designate it for internal use only and make only a brief description of the report viewable.

The Web server-based system protects documents from being downloaded, copied or sent into unsecured environments. "No one can distribute a report later because it does not reside locally," Leo says.

Employees can search through the database via Active Directory, and depending on their access rights either view reports or receive information about who to contact for access to the documents. "By incorporating SharePoint with Active Directory, there is a single point of governance around the data," he says.

In the second phase of this ERM project, Leo wants to enable document sharing between employees and external users, such as customers and business partners, on a limited basis. Toward this end, he is evaluating digital rights management (DRM) tools that tack privileges onto specific files such as Adobe Systems' Adobe Document Center.

"DRM allows for different criteria to be established for document management such as one-time-only printing, making document viewing computer-specific, and retaining and expiring documents according to policies," he says.

Leo has coupled this project with acceptable use education, explaining to employees that the ERM system has been put in place to protect corporate assets. He also works closely with the business units to develop criteria for access rights. "If it were up to me, I'd say nothing is allowed. But I can't speak to what's sensitive and what's not. IT is the custodian of the information, not the owner," he says.

Most important is coupling ERM with strict policy enforcement as well as intrusion-detection/prevention systems, says Nemertes' Antonopoulos, an admitted DRM skeptic. "There is no way you can stop a determined person from stealing data. Anything that can be viewed, heard or consumed in any way by an end user can be copied," he says regarding his concern about DRM's effectiveness. At least ERM involves a closed system with enforceable policies, he adds.

Page Break

Data center automation

Joanne Kossuth, CIO at 2006 Enterprise All-Star winner Franklin W. Olin College of Engineering in Needham, Mass., takes a different tack on data protection. "In my experience, data leakage often occurs because of human errors in [software and hardware] configurations throughout the enterprise," she says.

These errors leave data vulnerable to hacking and theft. "When something goes wrong you have a 'he-said/she-said' scenario and it's difficult to determine who did what and the consequences those actions had," she says.

For Kossuth, whose network falls under the Sarbanes-Oxley Act and other compliance mandates, this is unacceptable. So she employs automated tools wherever possible to monitor and audit changes to configurations, including switches, servers and storage devices.

For instance, she uses Nortel's Enterprise Switch Manager and Optivity Telephony Manager to watch over her switch and VoIP environments, respectively. She also takes advantage of Microsoft tools such as SQL Server Configuration Manager for her Windows servers.

She's even applied automated change and configuration management tools to ensure her newly upgraded Nortel/Trapeze 802.11g wireless environment won't succumb to data leakage. "We automatically configured all access points instead of configuring each one separately," she says.

Her next project involves automating changes in configurations among the virtual servers in her data center. "It's going to be very challenging to handle change and configuration management in a highly virtualized environment," she says. From what she's seen in the testing she's done so far, "the tools out there are not yet that sophisticated and need to evolve to provide a good overview of the current state and allow for testing of new configurations and their consequences before applying them."

Kossuth is not alone in her thinking that automation is the answer to protecting data, says Andi Mann, research manager at Enterprise Management Associates (EMA). In a recent EMA study, 45% of respondents said data center automation addressed their need to reduce human errors, 43% said it enabled them to have better security and reduce risk, and 35% said it allowed them to have better audit and control from compliance.

Data center automation is critical as organizations build out their infrastructures to support the creation and retention of ever-increasing amounts of data. "Each server requires several thousand configurations on it and the average data center has 300 servers," Mann says. "Being able to manage that load manually is impossible. Automation offers a lot of payback in these environments."