The Cleveland Clinic has garnered press over the years for everything from its famous patients to its filmless radiology departments. Each year, it ranks among the top four overall hospitals nationwide, according to U.S. News & World Report. Its director of information systems, though, lives in fear of becoming tomorrow's news.
"If a 200-bed hospital in, say, Illinois were to have an application hacked, it might make local newspapers. For us, because we have facilities all over the country -- as well as internationally -- not only will we make The New York Times, but chances are we'd make the international press as well," says Matt Speare. His job includes keeping intruders from accessing the Clinic's networks while simultaneously expanding Web-based initiatives that service millions of patients and health care workers.
Network protection for Speare has meant deploying several security solutions in a DMZ, including Check Point FireWall-1 and Cisco Secure PIX, routers, a VPN concentrator and intrusion detection systems. The routers, VPN and IDSes all carry the Cisco Systems brand name, but each was built by a separate company that Cisco later acquired. That means every one of these devices produces its own set of logs and alerts and operates on a different security alarm system and severity classification. Daily alerts alone number 2 million to 3 million.
For Speare and three other network administrators dedicated to the DMZ, keeping tabs on any one device is time-consuming; collectively, it's near impossible. "Every one of these generates a huge amount of logs that at any point 10 or 12 people could spend the better part of the week going through," he says.
To gain control of monitoring, The Cleveland Clinic last July began using ActiveEnvoy from netForensics, a security information management (SIM) application that normalizes security data over a heterogeneous network and automates the alarm process, triggering real-time alerts based on level of threat. By correlating security events and applying rules-based aggregation, the system prioritizes attacks and condenses the volume of generated data. Now, threats at the Clinic are defined and rated on a 1 to 5 scale, with Levels 1 through 3 not requiring immediate action and Levels 4 and 5 prompting e-mails or pages to IT staffers.
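The normalize-correlate-escalate pipeline described above, reduced to its essentials as an added example (not netForensics code, and the alert formats, base severities and correlation rules are assumptions constructed for illustration):

```python
import re
from collections import defaultdict
# Constructed sample alerts in three made-up vendor flavours (not real Check Point,
# PIX or IDS output); the last line shows an unparseable record being discarded.
RAW_ALERTS = [
    'FW1 drop src=10.0.0.5 dst=10.1.1.20 svc=445',
    'PIX %PIX-4-106023 deny 10.0.0.5 -> 10.1.1.20 port 139',
    'IDS prio=1 10.0.0.5 -> 10.1.1.20 msg="SMB exploit attempt"',
    'FW1 drop src=10.0.0.9 dst=10.1.1.21 svc=80',
    'garbage line no parser understands',
]

# One regex per device type, each mapped to (category, src, dst, base_level) on the
# 1..5 scale. The base levels are assumptions chosen for this example.
PARSERS = [
    (re.compile(r'^FW1 drop src=(\S+) dst=(\S+) svc=\d+'), lambda m: ('fw-drop', m[1], m[2], 2)),
    (re.compile(r'^PIX %PIX-\d-\d+ deny (\S+) -> (\S+) port \d+'), lambda m: ('fw-drop', m[1], m[2], 2)),
    # Snort-style priority: 1 is most severe, so invert it onto the 1..5 scale
    (re.compile(r'^IDS prio=(\d) (\S+) -> (\S+) msg="([^"]*)"'), lambda m: ('ids:' + m[4], m[2], m[3], 5 - int(m[1]))),
]

def normalize(lines):
    """Map heterogeneous alert lines onto one schema; lines no parser matches are dropped."""
    events = []
    for line in lines:
        for pattern, build in PARSERS:
            m = pattern.match(line)
            if m:
                events.append(build(m))
                break
    return events
def correlate(events):
    """Aggregate events per (src, dst) pair and rate the pair 1..5. Rules are assumptions:
    two or more firewall drops add a level (probable scan); an IDS hit on a pair the
    firewalls also logged adds another; the result is capped at 5."""
    pairs = defaultdict(list)
    for cat, src, dst, level in events:
        pairs[(src, dst)].append((cat, level))
    rated = {}
    for pair, hits in pairs.items():
        level = max(lvl for _, lvl in hits)
        drops = sum(1 for cat, _ in hits if cat == 'fw-drop')
        level += 1 if drops >= 2 else 0
        level += 1 if drops and any(cat.startswith('ids:') for cat, _ in hits) else 0
        rated[pair] = min(level, 5)
    return rated

def page_worthy(rated, threshold=4):
    """Pairs at Level 4 or 5, i.e. the ones that would trigger an e-mail or page."""
    return sorted(pair for pair, level in rated.items() if level >= threshold)
```

Five raw lines collapse to two rated source/destination pairs, and only the one that combines repeated drops with an IDS hit crosses the Level 4 paging threshold.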
Speare's staff weighed six solutions, including an ACID system using Snort technology and managed security services provider Counterpane Internet Security. ACID was found too tedious, requiring high levels of technical expertise and constant manual updates. The MSSP option was attractive, but too expensive.
"Budgets here are set in stone a year before," he explains. The hospital couldn't cough up another $180,000 for external monitoring, but it could find reserve funds for a $25,000 control management solution.
Another strike against the MSSPs: The Cleveland Clinic staff wasn't sure it could turn over so much responsibility to a third party, given the revenue and reputation at stake. In addition to bad publicity for breaches, there are potential fines for failing to protect patients' medical files as prescribed by the Health Insurance Portability and Accountability Act (HIPAA). netForensics appears to be meeting The Cleveland Clinic's administrative needs and business goal of introducing one of the first hospital-based e-commerce models for patient- and physician-records access via the Internet -- introducing a massive number of new users to an already stretched system.
Archived logs generated by netForensics serve as proof that security measures -- including monitoring -- are in place for HIPAA compliance. The intelligent, automated netForensics system also reduces staffing needs -- a key for The Cleveland Clinic. Finding local infosecurity professionals can be difficult, Speare admits, and recruiting outside the area is even more so. "It's a nice town, but for some reason trying to get someone to Cleveland is near impossible." Initially, Speare was disappointed that netForensics lacked an open agent to support various platforms. Since then, the company added a universal agent feature that ties in with almost any device in his DMZ environment.
Now, he says, he'd like the company to address another drawback. "I'd like to see it in a packaged appliance. One issue we had was to get an appropriate server to run it on. They do offer an NT version, but we like Unix. If they offered a packaged appliance, it would be much faster for most organizations to [install] it rather than the open-source community building a Unix server to support it."
Speaking of support, netForensics appears able to handle the heavy-duty load of The Cleveland Clinic's estimated 10 million daily transactions. Most of the traffic comes from people submitting or accessing NIH reports, patient records or appointment schedules via the Web. That transaction level is bound to increase as more patient- and physician-oriented services are established in the DMZ environment, eventually requiring a second server in a redundant array.
"I think we've probably pushed it to the edge, and it's held up," Speare says.
Best practices guide a wireless deployment at BYU-Hawaii, meaning no trouble in paradise.
The 2,500 students and 500 faculty and staff at Brigham Young University–Hawaii live and learn in one of the most beautiful places on earth. What is not always so pretty, especially for the university’s small IT team, is the deployment of new campus-wide technology projects.
Our IT team constantly assesses the latest technology to help protect the campus network and its 3,000 users. With the goal of continuously improving network security, we sought to add greater authentication and authorization to campus resources through the deployment of 802.1X access control. The challenge was finding the right solutions to best facilitate ease of deployment and limit disruption of service to our users.
A key driver for this security upgrade was the fact that BYU–Hawaii’s open wireless network could easily be accessed by anyone on or near the campus. Our CTO, Jim Nilson, challenged the IT team to find a solution that worked with our existing infrastructure and was cost-effective.
In addition to the obvious hazards of letting anyone and any machine connect to the network, another big issue was the inability to capture important information about the wireless users accessing the campus network. Previously, the team had no way of knowing who was on the network or how the network was being utilized. For example, it is important to identify users who might be doing something inappropriate with network resources. All BYU–Hawaii students are required to sign an honor code of conduct. If someone violates a conduct policy, such as downloading inappropriate material, the IT team needs a way to identify the student, as the Honor Code Office requires. With no way to identify users, reporting violators was next to impossible.
To address these issues, the team wanted to first secure the wireless network, with the long-term goal being to authenticate users on the wired network as well. They decided the best way to do this was to deploy 802.1X authentication, which is the IEEE Standard for port-based Network Access Control. This would provide a more secure authentication mechanism for approved users and devices attempting to connect to the network.
Since BYU–Hawaii’s network is made up of a mixture of 240 access points from Cisco and Xirrus, a key best practice for the 802.1X capability to function properly was to select a new authentication solution that worked in this multi-vendor environment.
Being a Cisco customer, BYU–Hawaii had tried to use the Cisco Clean Access solution to secure its wireless network, but found usability and reliability issues difficult to manage. With the Cisco solution, anyone could still connect to the network as a guest. Cisco Clean Access also required significant effort for configuration and profile management. It was clear to the IT team that if we were going to successfully deploy 802.1X, we needed something else.
After learning about new access control solutions at an annual EDUCAUSE conference on the mainland, BYU–Hawaii conducted a competitive bakeoff between Cisco’s latest version of Clean Access, Impulse Point’s Safe-Connect, and Avenda’s eTIPS identity-based policy platform. The goal for the new solution was for it to successfully operate in an 802.1X environment with Cisco and Xirrus access points, Cisco switches and a variety of users’ devices, which range from laptops and smartphones to gaming consoles.