Travelport, the global travel services company which owns a range of well-known brands including ebookers.com and Galileo, is deploying a scanning system to analyse hundreds of databases for security vulnerabilities.
The company, which employs 8,000 people worldwide, is making the investment as part of a drive to demonstrate its compliance with Sarbanes-Oxley regulations and credit card firm Visa's PCI standard, which requires personal data to be stored securely.
The deployment comes as Travelport is strengthening its security by moving away from a centralised IT service to regional teams, following its demerger from Cendant in August this year.
Vince Pillay, director of information security for Europe and Asia, plans to roll out the scanning programme this month, to ensure that databases are free of vulnerabilities that could be exploited by hackers to download sensitive information. "If we did have a breach of confidence, it would be very damaging to our reputation," he said.
The system will also help the company ensure that its websites, which generate significant revenues by selling travel services, meet the company's target of 99.999% uptime.
"With a company that generates as much business as ours, we have websites that require no downtime at all. We have sites that generate dollars per second. We regard this technology as an important comfort factor," he said.
The company is using the AppDetective product from security software supplier Application Security. AppDetective is capable of analysing the firm's databases, including SQL, Sybase and Lotus.
The software, which can carry out audits over the company's networks, is able to identify, for example, databases that still use default passwords or are vulnerable to buffer overflows. It can prioritise the risks and give advice about patching.
Travelport has acquired a large number of databases over the years, after making a series of acquisitions, said Pillay.
"This product will give us a real-time picture of where we stand. Once we have done that, we can put down targets and milestones [for patching]," he said.
Scanning databases will allow Travelport to find faults proactively, before suppliers issue patch updates, said Pillay.
The system will also produce management reports that will allow the IT department to demonstrate to the board its progress at raising security levels.
"The business has already spent a great deal of money on becoming compliant for Sarbanes-Oxley. This was looked on as a small price to pay for automated compliance," Pillay said.
Scanning software plays a key role in the company's three-pronged security strategy: risk analysis, risk mitigation and promoting security.
The strategy includes independent penetration tests, building in good security practices, and promoting awareness among staff, as well as the creation of regional security teams.