Optrics In The News

By Shari Weiss
Freelance Writer from California

Maintaining a secure and compliant data environment is a challenge for companies of all sizes but mid-tier companies often find themselves stuck in the middle when it comes to finding cost-effective systems and processes for meeting regulatory requirements.

With regulatory compliance costing well into six and seven figures for large enterprises, and the packaged technology designed for small businesses ill-suited for larger networks, what are mid-tier organizations to do?

While mid-sized companies still face the myriad of obstacles in complying with regulations like Sarbanes-Oxley and HIPAA, the likely don't have the budget, personnel, and existing infrastructure to get the job done.

"The key is to demonstrate that you are making your best effort to meet legal requirements and secure your information network and system administration," says Bording Ostergaard, CEO and founder of Optrics Engineering, a professional engineering firm with staff specializing in network design, security and network-specific solutions. "A mid-tier company that does nothing has already, in a sense, agreed that they have failed to comply. If a problem arises or an audit is scheduled, this company may face severe liability issues. Everyone has areas of responsibility, and mid-tier companies do not usually have the resources to fund internal personnel and whole departments to address compliance issues.

"An alternative option is to hire an outside security professional and/or deploy a security appliance, thereby, in effect, buying liability insurance in the form of being able to point the finger in the direction of the hired expert or service," Ostergaard says.

The recently discovered Windows metafile security hole is a perfect example of the challenges and liabilities of ever thinking you can safely tell people their network is secure and in compliance, according to Ostergaard. "At best all you can do is provide your best efforts or best-intentioned opinion based on defined criteria you are confident you can monitor and assess," he said.

With new threats released so often, security is a moving target, according to Vann Abernethy, executive vice-president and CTO at Avanton, a vendor partner of Optrics. Avanton provides multi-function security products that eliminate the complexity gap for small- to medium-sized businesses to secure and manage their networks and meet regulatory demands.

"Mid-tier companies typically have smaller IS staffs with either no dedicated security officer or an overworked network administrator who has the added burden of being the compliance officer. They do not have the resources to purchase sophisticated solutions where staff members have to go off site to get certified, a process that could take a week or more," Abernethy says. "Our solution presents information that is useful to the average IT person, whether that be a systems administrator or network administrator. A person doesn’t need a super secret decoder ring to figure out our product. Just good, solid networking and systems administration knowledge is enough, a level of technical expertise required to be in those positions in the first place. We cater to that level of knowledge."

Compliance Department In A Box

Avanton does not sell its products direct, but works with value-added resellers like Optrics to introduce its appliance-based system to mid-tier companies. This was how Reading Eagle Company found its compliance-department-in-a-box.

Reading Eagle Company has been Reading, PA's local news source for more than a century, but in the last decade the organization has decided to venture into e-mail and web hosting, not only for their own purposes, but for other companies, as well. Over the past two years, this hosting business has sky-rocketed to more than 150 hosted Web sites, with hosted e-mails and other Web services, according to Roy Quickel, IS network administrator at Reading Eagle Company.

Reading Eagle Company had been able to develop direct relationships with a few technology vendors for computer hardware and software needs as well as networking hardware and switches. "But when it came to compliance issues, we were pretty much on our own," says Quickel. "With the sheer volume of Web sites hosted on our property, many of which are being provided with e-commerce solutions, we are subject to compliance reports.

"Compliance is a serious concern," Quickel continues. "We went looking through the Web for a solution and saw Avanton’s ReadyARM come up on the Optrics Web site. Optrics partnered with some of the same vendors already used by Reading Eagle Company, and their customer list impressed the staff of the news company. There was an element of trust that they were telling us what we need to know."

Reading Eagle Company did check out other vendors for basic set up costs and support, but the nearest competitor’s charges for the same type of solution were four times higher. "During our ‘Try and Buy Agreement,’ we decided the ReadyARM device met, and even surpassed, our needs for central monitoring and compliance reports, giving us exactly the support and functionality we were seeking," said Quickel who implemented the appliance-based system in October, 2005.

The hardware device plugs into a network device to monitor traffic, according to Quickel, who noted that, similar to an IDS, it sits outside of band so that it doesn’t affect bandwidth. "This solution gives our small staff a nice central location to view things like system logs and network equipment. It does vulnerability scanning so we can determine how severe a threat might be," he adds.

"Centrally located management and monitoring enables us to identify and respond to problems much quicker," Quickel explains. "I can go to one device and review the whole picture. With this product we did not have to make any changes to our infrastructure, nor did we have to retrain staff."

Quickel said that ReadyARM provided his company with a consolidation strategy that put several critical components into place: vulnerability detection, intrusion detection, system logs, and auditing reports.

A Four-Step Process

Compliance involves a four-step lifecycle process, according to Abernethy of Avanton. ReadyARM handles the first two steps: monitoring the network and generating reports. The third step is analysis, which is often handled by local administrators, but can also involve outside consultants. The fourth step, remediation, involves implementing changes in security policy to address flaws that were uncovered during the analysis and/or fixing specific issues—for example, low patch levels. These may require additional solutions. A systems integrator and network specialist like Optrics can offer advice specific to the problem.

IS managers of mid-tier companies can meet compliance requirements without revamping the entire IS infrastructure and retraining the workforce by implementing a two-fold approach, said Abernethy. "First you must have a defined policy and communicate it to the workforce," he says. "You do not have to change anything. But, secondly, you must enforce that policy. Where you find flaws in the policy, you will need to make changes. This does not require administrators to do a lot if they have something in place to identify threats and policy deficiencies and fine-tune when those are detected. This does not have to impact normal users."

Abernethy describes security as information warfare. "Most of today’s companies have some type of firewall and some flavor of antivirus," he explains. "These are the two biggest problems: defending the perimeter, i.e., the connection to the Internet and defending companies from themselves, i.e., users who download tainted files and click on problem sites. However, where mid-tier companies often fall down is that they forget the firewall is designed to not only stop things, but also allow access in and out over certain ports and protocols, and those ‘holes’ can be taken advantage of.

"The only way to completely stop things from coming in through the firewall is to unplug everything, but, of course, this is not a viable solution," Abernethy continues. "You must defend against what is coming in, but, more importantly for compliance issues, you must be diligent about what is going out. Knowing what is going on in your network allows the local administrator to make an informed decision about what steps are necessary to affect change and shore up security. If you talk to regulators and auditors, they will tell you that when they look at companies, 10 percent of issues involve the perimeter while 90 percent concern what is going on within the network. Polices must be kept up-to-date and enforced. To do that, companies need to be able to shine a bright light into the dark corners of the network."