Travelport, the global travel services company which
owns a range of well-known brands including ebookers.com and
Galileo, is deploying a scanning system to analyse hundreds of
databases for security vulnerabilities.
The company, which employs 8,000 people worldwide, is making the
investment as part of a drive to demonstrate its compliance with
Sarbanes-Oxley regulations and credit card firm Visa's PCI
standard, which requires personal data to be stored securely.
The deployment comes as Travelport is strengthening its security
by moving away from a centralised IT service to regional teams,
following its demerger with Cendant in August this year.
Vince Pillay, director of information security for Europe and
Asia, plans to roll out the scanning programme this month, to
ensure that databases are free of vulnerabilities that could be
exploited by hackers to download sensitive information. "If we did
have a breach of confidence, it would be very damaging to our
reputation," he said.
The system will also help the company ensure that its websites,
which generate significant revenues by selling travel services,
meet the company's target of 99.999% uptime.
"With a company that generates as much business as ours, we have
websites that require no downtime at all. We have sites that
generate dollars per second. We regard this technology as an
important comfort factor," he said.
The company is using the AppDetective product from security
software supplier Application Security. AppDetective is capable of
analysing the firm's databases, including SQL, Sybase and
Lotus.
The software, which can carry out audits over the company's
networks, is able to identify, for example, databases that are
still set on default passwords, or are vulnerable to buffer
overflows. It can prioritise the risk, and give advice about
patching.
Travelport has acquired a large number of databases over the
years, after making a series of acquisitions, said Pillay.
"This product will give us a real-time picture of where we
stand. Once we have done that, we can put down targets and
milestones [for patching]," he said.
Scanning databases will allow Travelport to find faults
proactively, before suppliers issue patch updates, said Pillay.
The system will also produce management reports that will allow
the IT department to demonstrate to the board its progress at
raising security levels.
"The business has already spent a great deal of money on
becoming compliant for Sarbanes-Oxley. This was looked on as a
small price to pay for automated compliance," Pillay said.
Travelport's strategy
Scanning software plays a key role in the company's
three-pronged security strategy: risk analysis, risk mitigation and
promoting security.
The strategy includes independent penetration tests, building in
good security practices, and promoting awareness among staff, as
well as the creation of regional security teams.