How Florida boosts network security and uptime
- By Trudy Walsh
- May 13, 2003
There's no spring break for Florida's network security this year.
The Sunshine State in February installed two Symantec Corp. products on its agency servers, said Mike Russo, Florida's chief information security officer.
NetRecon, Symantec's hacker-in-a-box enterprise software, resides on agency servers and scans networks for vulnerabilities, Russo said.
State agencies also are using the Cupertino, Calif., company's Enterprise Security Manager to enforce security policies, including the latest security updates mandated by the Health Insurance Portability and Accountability Act of 1996.
If, for example, policy mandates that passwords be six characters long in capital letters, ESM could be programmed to check that, Russo said.
When Florida CIO Kim Bahrami looked for a way to boost network security, she said she knew she 'didn't want a proliferation of what we had in the past, a multitude of tools with different levels of capability. We wanted to give every agency best-of-breed tools and make sure our network was being scanned regularly.'
Bahrami also wanted a security tool that would provide management reports. ESM tells managers when a user is not updating SQL Server patches, for instance.
Also, she said, Gov. Jeb Bush didn't want the state to buy a huge security infrastructure but wanted to use available tools to do the work less expensively.
Bahrami also felt it was important for the state and its employees to feel a sense of ownership of the security structure.
Outsourcing security
'You can outsource a lot of things, but security is one area where we took a hybrid approach,' Bahrami said. 'Our employees understand that it's ultimately their responsibility to keep their systems protected. We all felt strongly that systems security is one thing we don't want to outsource.'
Bahrami and her team are creating a spreadsheet of measurable data about intrusions into the state's networks and the damage that resulted.
'In the past, we've had some network issues that resulted in downtime,' Bahrami said. 'When your state network serves 143,000 employees, it's a significant loss when you're down for an hour.'
Since installation of the Symantec products, the state's networks have had 99.9 percent availability, Bahrami said. The approach could be a model for other states looking to save money while keeping networks secure, she said.
'We think we have the best crackerjack approach to systems security in the nation,' she said.
Trudy Walsh is a senior writer for GCN.