No Passengers Beyond This Point

When CSC and a major financial institution rationalised their data centres, CSC reduced 'passenger' rules for systems access, reducing costs and improving cybersecurity for essential data.

When one of Australia’s most respected financial institutions transformed its Data Centres, CSC’s security services team made sure that the program did not leave their confidential systems open to sniffing or intrusion during the migration while at the same time simplifying the security environment and reducing both cost and risk.

The Challenge

Consolidating multiple data centres across multiple business units is no easy task. The day to day business must continue uninterrupted.

Under normal business conditions each hardware component in a secure network implements rules about who can connect to it and what they are allowed to do with what authentication and using what protocol.

Other rules are implemented at the organisation or network boundary.

Typically, rules are developed and applied over time – and they are more likely to be added to than removed. When a hardware component is upgraded or replaced, the technical team works carefully through all these rules to ensure that the new component behaves as it is expected to, and users can access their systems or information. When the whole data centre is transformed, the complexity multiplies exponentially.

The Solution

CSC's CSS team rapidly assessed the in scope customer requirements and reviewed the options available. The assessment team noted that some components had more than 600 rules, of which a significant minority were not used, while others were no longer valid. These ‘passenger’ rules had accumulated because it was easier to add a new rule than to determine which rules could be removed safely. Because the effectiveness of an organisation’s firewall depends on the quality of the applied rules, this was a serious risk.

Maintaining the customer’s defensive firewalls depends on designing, implementing and actively managing a highly effective set of rules. CSC’s Managed Firewall Ruleset Assurance service reliably and efficiently analyses and reports on firewall rulesets, enabling the business to know what is working, to prune ‘passengers’ and provides a basis for effective reporting of compliance and assurance.

CSC selected a vendor with a strong candidate solution – FireMon Security Manager, and with the Firemon team and our customer’s IT security experts, we identified and analysed numerous firewall rulesets (who, where, what), and using the Firemon toolset, transposed these complex syntagms into efficient, consolidated and secure migration ruleset definitions.

The Results

In the first two weeks of monitoring and analysis, over 3,000 traffic patterns were identified, and key specific service requirements had more discrete rules defined and risks reduced by nearly 10%.

The customer was delighted with their improved confidence in their data security. “That's absolutely fantastic, thank you. I appreciate how much work there is in this - but it's absolutely worth the effort from a risk perspective!” said the Information Security Leader.