As with most organisations, the society's network boundaries have become increasingly porous over the years, with...
staff taking laptops to work from home, and outside suppliers bringing their machines in and needing network access.
This has proved to be a growing challenge for head of IT Neil Williams: "We have a number of suppliers, maintenance engineers and auditors who visit the society, and they may need to gain access to a specific server, or in the case of PwC [PricewaterhouseCoopers Ltd.], our auditors, they need to get through to their own systems to pick up their emails."
Until recently, Williams was forced either to block outsiders altogether, or to put them through a manual check of their systems to ensure they contained no viruses or other malware. Auditors had to use a dial-up connection to get to their networks outside, "which meant they didn't use it unless it was something they desperately wanted to do," he added.
In addition, Williams had a handful of users from the building society who needed to work from home, sometimes using company-owned laptops. Considering the danger of machines getting infected outside the company environment, and the lack of control over the websites that users visited from home, employee laptops would have to go through a laborious quarantining and checking process when they were brought back into the office.
In other words, he had a classic network access control (NAC) problem.
The impact of 'Data Security in Financial Services'
Then in April of this year, the Financial Services Authority produced a major report entitled 'Data Security in Financial Services', which outlined in painful detail how many companies were failing to handle personal and financial data properly. It also warned that penalties for non-compliance would be severe.
That provided Williams with the impetus he needed to come up with a solution that would not only provide basic endpoint checking, but also help to control users' access to files and directories -- one of the FSA's prime requirements.
"We wanted to be able to monitor what staff were doing from an auditing point of view," he said. Williams had previously been using Web security gateway provider Websense Inc. to manage URL blocking and Internet access, but he still needed better visibility into the servers and files that users were accessing.
Another try at network traffic monitoring
Williams' security supplier Pentura Ltd advised him to look at the network security devices from Consentry Networks Inc., which appeared to provide what he needed. A pilot installation of a ConSentry LANShield Switch went ahead in July, and the technology has now been running in monitor mode for a sample group of users.
Williams says the results so far have been good. "We are currently monitoring about 15 staff in head office. The system lets us see what Internet sites they are going to, and what traffic on the network is created by those users. And we see what files and directories they have been to," he said. "We can now see if a user goes to a directory they should not go to. That may indicate we do not have the permissions set up properly, or they are doing something they should not." He says the facility is proving useful in preventing the situation where a user has moved from one job to another and may have retained access rights from his or her previous post.
In January, Williams plans to reconfigure the whole network to bring all 90 users under the control of the Consentry box, and to switch from merely monitoring traffic to actually enforcing policy. "Regardless of whether they are in a remote branch or on the head office LAN, users will be monitored, and will be stopped from exceeding their permissions," he says.
The system will also carry out checks on any new machine that is connected to the network, and ensure its antivirus and other settings are up to date. "We wanted a fairly non-intrusive solution. The thing I liked especially about the Consentry product is that it does not require a client module to be downloaded on the laptop," says Williams. "I would not allow any of my staff to have someone else's agent on their machine, so I didn't think it was fair to force that on others coming to the organisation from outside."
When new machines log on to the network, they will be initially quarantined while the system checks them, and any corrective action, such as updating the antivirus, can be carried out. It also means that the PwC auditors will be able to connect to their home systems if they need to. Also, external maintenance engineers will be given access to their specific servers, but will be blocked from other parts of the network.
"We can set up outside users on the Consentry box to go through quarantining when they sign on. Once they've passed that, we can specify which servers and directories they can access," says Williams.
His main task now, before going live in January, is to pare down the system's reports to a manageable level. "We have the alerts and dashboard to see if we have any network issues, but the main benefit is that we have a complete audit trail in case we need to go back and see who accessed what files and when they did so."
The Consentry system costs "well below £10,000" which Williams says is worth the investment for the reassurance it gives to the Market Harborough Building Society. The technology helps to prevent infected devices from being attached to the network. The product also allows the compliance department to take random samples of network traffic each month to check who has been accessing files.
If any suspicious behaviour is detected, they can mine the Consentry database for more information about an individual's habits or check activity on certain directories.
"It's very handy for compliance," says Williams. "In its data security report in April, the FSA emphasised access control. So it's a big tick for me against that report."