The assistant chief information officer at the 45,000-member Screen Actors Guild's benefits plan discusses the importance of adding new encryption tools to fortify security.

With all the reports of lost laptops and misplaced computer tapes, many organizations, such as the Screen Actors Guild-Producers Pension and Health Plans, are fortifying their computer security procedures with stronger encryption measures. The benefits arm of the Screen Actors Guild, which provides pension, medical and dental benefits to 45,000 actors and their dependents, recently installed Symantec's NetBackup Media Server Encryption Option. This product encrypts large amounts of data at the media server level, which ensures that tapes are protected before they are transported to a backup facility. The Symantec product also simplifies the process of handling backup tapes by centralizing encryption key management. It automatically tracks which key was used for which tape, so customers no longer have to create and track many different keys themselves.
Kevin Donnellan, the assistant chief information officer at SAG-PPHP, spoke recently with Baseline editor-in-chief John McCormick.
Has your need for security increased over the last year or two?
We've always been concerned with protecting our members' health data. We have sensitive information (claims information, health information) on basically any named actor that you know. We have always been concerned that [supermarket tabloid] papers could possibly get their hands on this information.
We also have HIPAA [Health Insurance Portability and Accountability Act] regulations that we have to abide by now, which are more stringent in terms of what we promised to do and how we promised to protect health information. There are up to $250,000 fines for breaking those regulations. And over the last two or three years, we have opened up our Web site. Our [members now have] access to their own health claims, their earnings information. So, it's become more and more important to protect.
If anything were to get out, even one incident, internally our I.T. name would be mud. There would be a measurable loss of trust in I.T. that we have worked for 20 years to build.
How much data are you dealing with? Can you give me a sense?
In our production environment, we are backing up somewhere in the neighborhood of 3 to 4 terabytes on a daily basis.
We have two storage area networks that we share between [our main and backup/disaster recovery] sites that total about 30 terabytes.
What steps are you taking to secure that data? Anything new?
We've been using the Symantec NetBackup [backup and recovery] software product for a few years now, and we started looking at the encryption option that they offered.
How often do you back up your data?
Currently, we do a full backup once a week, which takes most of the weekend, and an incremental backup of all our Oracle databases every night. That window is basically 6 to 7 hours long, [going from] late at night until about 6 a.m. We also send a set of backups to an off-site storage company.
How often do you do that?
Daily. Every business day, whether it's incremental or the full backups. We have a constant rotation of those tapes. We also have the disaster recovery site located in Ventura, Calif.
And one of our concerns was trying to manage the encryption keys. With the individual encryption of the servers, it was, I wouldn't say impossible, but it was very difficult to be able to restore data on another disaster recovery server.
Because of the different keys?
Because of the different keys, right. When Symantec came to us and said, "Hey, we've got this new option, we'd like you to test it," we were interested because we've been trying to do this for probably the past 16 to 18 months.
Has this extended the time it takes you to back up your data?
Backup time is extended by maybe 6% to 8%. Totally acceptable. So, with a 7-hour backup, we're looking at maybe adding another 30 to 45 minutes.
And the benefit?
We've got the centralized management of the keys; everything is kept on the media server itself, which is the centralized backup server that we use. So, there wasn't this individual management of all the clients that we would have had to do with the previous encryption method.
What other steps are you taking? I heard that the organization has instant-messaging protection. But could you just run down some of the other things you do to protect the data?
We run anywhere from physical security, card-key systems on our offices through managed security services.
We have Symantec running our intrusion detection, managing our firewalls. We have professionals within the Symantec organization that do [security] for a living. I've got fewer than 250 employees in our plant. We're not a large organization. I don't have a 24/7 staff of security specialists, so that was one of the big areas that we looked at: outsourcing or finding a business partner that was a professional, that did this for a living.
We use VPN [virtual private network] tunnels, encrypted VPN tunnels for any kind of external-to-internal communication. We encrypt all data that we transmit between any of our health vendors, and earnings information that we receive from the studios. Basically, that's the basis of the health and pension eligibility for the actors.
We have a triple layer and a virus protection. We use, as you mentioned, IM Manager from IMLogic [which was acquired by Symantec last year], which manages instant-messaging information. We really are looking at all electronic communication.
What about e-mail?
We are in the process of doing the same with e-mail.
We are implementing a management solution for e-mail that will allow us to comb through e-mail and sift out any character strings that we want, any other information that we're looking for, and quarantine it.
Laptop encryption is something that will be implemented within the next month or two.
We're looking at mobile devices, even down to our voice communication. We have certain people within the organization who have [Palm] Treos. [We] have software that allows us to automatically blow the device when it's reported lost. We've got antivirus software for Treos.
We try to protect all of these areas. It's getting more and more difficult. But from what I've learned, the first 90% [of security] is usually gained by the basic implementation of security policies and processes.
So, you think you've got everything covered?
I think we've got a very strong defense.
It's multilayered. And part of it is that everything is reasonable. There's always some sort of crack, but if we can say in I.T. that we have done the best that we can do and we've employed the proper business partners, we can sleep at night.
We can report to our bosses, our board of trustees, that we have done everything within reasonable limits to protect the [organization's] data.
And what kind of security budget are you working with?
I would say, ballpark, between the products, the managed security services that we use, probably half a million dollars.
The cost of security is obviously a factor for everyone. Do budget concerns ever weigh into your security decisions?
I think we have a very good board of trustees that does understand the security concerns, especially of late.
So, if you had to sum this up, what three elements of your security setup would you recommend to other chief information and chief security officers?
The layered defense, and employing business partners that are professionals at jobs because we cannot be jacks of all trades, especially with the size of my infrastructure staff, are the first two.
And the third really is employing the proper tools, like encryption, and making sure that our business partners tell us about these security issues.
I don't enjoy a business partner that doesn't come to me at least once or twice a year and tell me about their new products, and that doesn't understand our business. A long-term relationship isn't kept that way.