|
The big guns of IT security
By Shelia Watson
Contributing Writer
Dave Ramsey is careful not to overstate the defense capabilities of the South Carolina Research Authority’s vast computer network.
“We have a lot of security measures in place,” he says as he sweeps his arm around the server room, “but I wouldn’t want anyone to think we’re bullet-proof.”
Perhaps not, but a bullet would have a difficult time getting in.
As SCRA’s vice president of research services, Ramsey oversees a great deal of the organization’s high-level computing. He points to some of the physical security features in the building, such as encrypted bar-coded ID cards and cameras throughout the hallways. Only five of the organization’s 200 employees are allowed into the server room.
“It’s critical to keep this area secure,” he says. “There’s a lot of sensitive information in here, not to mention the heart of our business.”
The information is segmented onto separate servers, so even if a hacker managed to get through, reaching the right server with the right information would be a shot in the dark.
John Gregg, SCRA’s executive vice president and general manager of corporate development, has the colossal task of protecting the network.
“First, we have a series of firewalls, both physical (separate computers that catch the incoming data) and digital,” says Gregg. “When you get to the actual network, in order to get through, you have to have the right passwords to get to a particular server. It’s a brick wall,
really.”
The network is a secure government network, which means even more firewalls, seven in all, and additional passwords.
Past the digital firewall, a user must provide a valid ID that is assigned by the chief information officer along with passwords, which are changed every 90 days. On the third unsuccessful try to enter a password, the user is locked out and must contact the CIO’s
office.
The layers of security continue, with specific file security and additional passwords for security access. “For instance, there are some files and folders on the network that only the chief financial officer can get into,” Gregg explains. “Everyone else is locked out of that
area.”
The security access codes on some of the ID badges change every 60 seconds and work only with the passwords the user has memorized. In addition, every connection to the network is captured digitally and logged. “We know the exact source of the movements,” he says. “So if there is an attack, we can track down where it’s coming from.”
Extreme measures
The security measures may sound like overkill, but Bill Mahoney, SCRA’s president and CEO, says the organization’s work with the Defense Intelligence Agency and with contractors who work with the U.S. Department of Defense requires such measures.
“In the past few years, our work from highly sensitive DOD projects has doubled,” Mahoney says, noting that two years ago, out of 150 employees, 16 had security clearances. Today 80 carry such clearances.
“Much of that is the result of Sept. 11 and the war on terror, but it’s also reflective of the marketplace and the nature of the work and effort we’re making,” he says. “And we believe that growth rate will continue.”
The Defense Intelligence Agency occasionally inspects and audits the security of organizations it deals with, giving rankings on its findings. The four levels of performance ratings are: unsatisfactory, satisfactory, commendable and superior.
Ralph Posey, SCRA’s security officer, says the SCRA is currently ranked commendable, which he says is considered “very good in this industry.” The next audit will take place in September.
A 2005 attack
Improvements to the system continue, particularly in light of an attack Mahoney says the organization suffered in early 2005.
“There were thousands of random cyber-attacks all over the place,” says Mahoney. “After that we put in new firewalls, card access for remote login, advanced password protection with various levels of security, things like that.
“Of course, we continue like every other commercial institution to receive attempts to attack our system, but we have good antivirus software and a good protection record, and there are best-industry practices we’ve adopted.”
One such practice is performing a full-system backup every night onto disks, which are stored off-site, as well as completing an electronic transfer of the entire system to the data banks at Clemson, Ramsay says.
Beyond the current measures, Mahoney says, the SCRA is upgrading and improving its three facilities, with an eye toward a significant increase over the next few years in the sensitive DOD work. In addition, the SCRA board has approved plans to build a facility next to Clemson’s innovation center.
“That will be a limited-access laboratory facility, one of the few fully equipped labs of its type in the country,” says Mahoney. “We’ll be using things like biometrics access cards. We’ll pilot the use of them there and, if it’s successful, we’ll use them in other areas.”
|
E-Mail This Article
Printer-Friendly Version