Sprucing up the Security Landscape
By Gordon Bruce | Posted 2009-09-04
Modernizing Honolulu’s IT infrastructure involved implementing 150 major systems, but these endeavors created a host of new security challenges.
These changes to our IT infrastructure created a host of new security challenges. For example, we standardized on service-oriented architecture (SOA) from IBM and CA with Web portals to front-end all our applications. That required us to secure everything internally. At the same time, we were giving the public access to numerous new online applications.
We also wanted to enhance control over employees’ external Website access. Plus, we needed to protect thousands of city employees’ PCs and laptops from malware and spyware.
One tool that has been integral in helping us protect against infections and control external access is a Web gateway appliance from Blue Coat Systems. Chosen by our security and infrastructure IT teams, the appliance runs URL filtering software that works alongside a cloud-based ratings system that continually identifies new threats. We can also filter URLs that are known to host malware or have a high risk of infecting our 2,500 laptops and 4,000 desktop PCs.
Up-to-date information about the latest Web-based malware threats is automatically incorporated into our filtering policies every five minutes from Blue Coat’s WebPulse cloud-based service. Here’s how that works: A URL request is directed to WebFilter, where it is checked against a Blue Coat master database. If the URL isn’t in the database, the request is directed to the WebPulse service, which assesses the requested Web page for its risk level and provides a rating.
Combined with other tools, the appliance, software and cloud service also enable us to establish access rights for groups of our employees and to filter access to URLs that we believe are inappropriate. Since taxpayers fund government employees’ salaries, our staffers must be accountable to the public for their activities during working hours.
The Blue Coat ProxySG allows us to use so-called “coaching” pages to implement a “trust-the-employee” model that helps us straddle the fine line of keeping user behavior in check while avoiding black-and-white policies that might not be applicable in every instance. If applied inappropriately, those policies could get in the way of worker productivity.
To avoid this situation, we created departmental groups and five different access options: full access, low filter, medium filter, high filter and no access. Every department’s manager assigns each employee to an appropriate group depending on the staffer’s specific job function.
The appliance also allows department administrators to move people to different groups as their job functions change. Since the departments can handle this themselves, that eases our administrative burden and allows the departments to be more responsive to their users.
In addition, departments have the flexibility to use the coaching pages, which prompt a user to decide whether to access a site that’s not generally considered appropriate but may be necessary for the job. For instance, even though the city doesn’t want its workers visiting shopping sites while on the job, some city purchases fall into the shopping site category, and authorized personnel can legitimately visit those sites. When they do, they get a coaching page message that says, “This is a shopping category. Are you sure you are supposed to be accessing it?” This enables employees to exercise their own judgment.
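The lookup and group policy flow described above can be modelled in a few lines. This is an added example, not Blue Coat's software or the city's configuration: the category names other than shopping, the per-level rule table, the sample hosts and the stand-in `cloud_rate` function are all assumptions.

```python
from urllib.parse import urlsplit

# Constructed data: stand-in for the local master database (host -> category).
LOCAL_DB = {"shop.example": "shopping", "news.example": "news"}

# Assumed rule table. The article names the five access options but not
# which categories each one filters, so these sets are illustrative only.
LEVELS = {
    "full access":   {"block": set(), "coach": set()},
    "low filter":    {"block": set(), "coach": {"shopping"}},
    "medium filter": {"block": {"gambling"}, "coach": {"shopping"}},
    "high filter":   {"block": {"gambling", "shopping"}, "coach": {"news"}},
}
ALWAYS_BLOCK = {"malware"}  # assumption: known-bad sites are blocked for every group


def cloud_rate(host):
    """Hypothetical stand-in for the cloud rating service (no network call)."""
    return "malware" if host.endswith(".bad.example") else "unrated"


def categorize(url, cache):
    """Check the local database first; unknown hosts fall through to the cloud."""
    host = (urlsplit(url).hostname or "").lower()
    if host in LOCAL_DB:
        return LOCAL_DB[host], "local"
    if host not in cache:  # remember cloud ratings so repeat requests stay local
        cache[host] = cloud_rate(host)
    return cache[host], "cloud"


def decide(group_level, url, cache):
    """Return (action, category, source); action is allow, coach or block."""
    category, source = categorize(url, cache)
    rules = LEVELS.get(group_level)
    # "no access" and any unrecognised group name fail closed.
    if rules is None or category in ALWAYS_BLOCK or category in rules["block"]:
        return "block", category, source
    if category in rules["coach"]:
        return "coach", category, source  # show the "Are you sure?" page
    return "allow", category, source
```

A "coach" result is where the proxy would show the confirmation page and let the employee continue; logging those decisions per group gives managers the accountability trail the article describes.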