Erecting secure infrastructure
- 16 November, 2004 10:46
Lend Lease had antivirus software running on all of the gateways, e-mail servers and desktops that serve its 10,000 workers worldwide, but that wasn't enough to prevent a Blaster attack on Aug. 3, 2003. That incident prompted the global real estate management and financing company to begin a process that resulted in a sweeping revamp of its IT infrastructure.
"Blaster hit us rather hard and on a global scale," says Chief Security Officer John Miles. The antivirus protections notwithstanding, he says, "we didn't have the right tools for proper insight to tell where the virus was coming from."
Sydney-based Lend Lease appraised its security, systems and service management software. The goal: to be better prepared for attacks and to improve how the business deals with internal and external customers.
A little more than a year after the Blaster attack, the company had completed a US$1.8 million project to purchase and install 18 software products from six vendors, including Remedy, a unit of BMC Software. Lend Lease dubbed the project HighRISE, after the company's work on skyscrapers and because it includes Remedy identity, system and endpoint management tools. The products, deployed together, went live in early September.
Miles describes HighRISE as a five-level pyramid, with service management functions at the top. These include help desk, service level, asset and change management products from Remedy, as well as remote-control and business intelligence products from ManageSoft.
The next tier down, the identity and trust management level, includes password and identity management products from M-Tech Information Technology Inc., as well as documentation that Lend Lease created based on IT Infrastructure Library (ITIL) standards for operations and security management.
The directory management tier includes administration products from NetIQ, plus directory software from Microsoftand Oracle.
The configuration and vulnerability management layer includes configuration, security path and vulnerability management tools.
The bottom tier, threat and availability management, includes application, security and inventory management functions.
Lend Lease CIO Jay Skibinski says he wanted the products to be integrated at the same time to keep the project rollout time short. "Integrating all the products in series would have taken years to complete, and integration would have been a challenge," he says.
Lend Lease set up a bidding process, invited three vendors for each functional area and then picked the one with the best features and technical quality. As part of the deal, Skibinski required the vendors to meet upfront and agree to make their products interoperate. By doing so, Lend Lease was able to avoid hiring an independent integrator. "The vendors understand it's a big win for them as well to interoperate, and it's something that leads to better business," Skibinski says.
However, oversight of the vendors took considerable work. Miles delegated responsibility for mitigating the risks to eight project managers and urged teams to communicate bad news quickly. He kept a "risk register" throughout the process, sharing it with the project teams. Miles and other managers informed the vendors immediately when problems developed.
At one juncture, Miles recalls, project managers encountered a problem integrating NetIQ and ManageSoft products. ManageSoft's team agreed to build a fix and brought in developers to do the work overnight.
Skibinski, Miles and others placed a great deal of emphasis on sound planning, including putting 80 percent of the effort on people and the process and only 20 percent on the technology, Miles says. "Analyze, analyze and make sure the design is correct before you get in the build phase of the project," he says.
While the Blaster attack was the catalyst for change, the HighRISE project was prompted by other factors, including the need to become more efficient. In recent years, Lend Lease has had a 33 percent reduction in IT staff, from 356 people to 240, and its IT operations budget was cut from $90 million to $60 million after the company consolidated seven North American data centers into one Atlanta-area facility called the Shared Technology Center.
Skibinski, Miles and about 90 IT staffers now work in the Shared Technology Center. That center and two others in England and Australia control IT for the US$7 billion company, which has offices in 44 countries.
While bolstering security was the general theme behind HighRISE, Skibinski says Lend Lease also had to be able to respond to constant audit requests from customers curious about its internal operations. That task was made more difficult by government reporting standards for companies like Lend Lease that provide construction financing as well as management services. Mergers and acquisitions also complicated this process.
HighRISE will make it easier for Lend Lease to process construction bids online so it can stay competitive and communicate better with other companies. And it will simplify the process of setting up and managing IT operations at project sites. Those IT facilities are built and then taken down several years later as buildings and bridges are finished.
While conceiving and finishing a project in a year is noteworthy, the HighRISE effort is also unusual in other ways. One was Skibinski's decision to put Miles, the company's top security official, in charge of what became a complete systems, service and security management overhaul. Skibinski says it helped to have someone with knowledge of IT security working to integrate security and related software into all of Lend Lease's processes.
Also, Lend Lease worked upfront to develop ITIL-based standards that affected the people and process components as much as the technology. Lend Lease used a life-cycle management process, gleaned from several sources, that relied on intense planning to reduce implementation problems, says Tom Peck, assistant project director.
Lend Lease sees two areas where HighRISE will quickly pay for itself. One is a reduction in the cost of labor for disseminating antivirus patches, which Lend Lease estimates required 1,200 worker hours each. At $100 per hour for labor, deploying a single patch could cost $120,000, and Lend Lease estimates that it faces 10 to 20 critical security events per year. With an automatic change and security patch management system, those costs can be nearly eliminated, Miles says.
Password management tools will also help reduce costs. Miles estimates that 20 percent to 30 percent of some 90,000 annual help desk calls came from users who were confused about or had forgotten their passwords. At up to $30 per call, the annual cost of helping users with passwords could hit $500,000 or more. Skibinski says at least half of those calls will be eliminated.
Instead of getting the help desk involved, the new password management system requires employees to use a unique nine-character password that must be changed every 90 days. Users set their passwords and follow a string of prompts that serve as reminders for those who forget.
Password and patch management are areas in which benefits from the HighRISE technologies are most easily measured, Miles says. But there have been improvements in other areas, including security. "We've noticed attacks are down, and our ability react to them has drastically increased, and in a matter of seconds we can get alerts saying things such as, 'This server is causing a virus outbreak,' " Miles says.
Dennis Griffeth, IT manager of shift operations, helps monitor Lend Lease's global operations on a daily basis, and he says the HighRISE improvements have been dramatic. "We are seeing an increase in productivity to allow us to respond faster to problems and can respond 30 percent faster than before," he says. In addition, reporting tools help keep track of patterns of problems and help Lend Lease be more proactive in dealing with IT systems planning.
Because the rollout of HighRISE has gone well, Skibinski says Lend Lease is planning a second phase. "Now, single sign-on would be nirvana," says project manager Bob Chapman.
Overall, Lend Lease was "very forward thinking" in piecing together so many management products at once, saving time in the project rollout, says Scott Crawford, an analyst at Enterprise Management Associates, who has discussed the project with Lend Lease.
Many management software vendors are still two to five years away from integrating security into their systems management products. Companies often need to integrate them on their own, and only a few large companies have the IT management insight and resources to do so, Crawford says. "Lend Lease recognizes where security management needs to go and that it needs to be well integrated with enterprise management generally," he says.
Crawford credits executive management at Lend Lease for supporting initiatives such as a comprehensive password overhaul. "Security is a people business first," he says. "You have to be good at the people issues first before you get to the technology."