A Provider of Business Process Outsourcing Simplifies the Vulnerability Management of Hundreds of Client Networks.
Location: Dallas, Texas
Clients: Financial, Government, Healthcare and Legal Services
Business: Business Process Outsourcing
Business Units: Multi-location data centers, 3,500 staff, hundreds of client companies
Recipe for Success: A leading provider of business process outsourcing solutions and specialized high-value consulting services, SOURCECORP uses AVDS for client VA/VM services.
Here's how a business process outsourcer manages security for hundreds of clients - each with their own security needs and system architectures!
Jeremy King is a security specialist for SOURCECORP, a provider of business process outsourcing to the financial, government, healthcare and legal industries. His company manages hundreds of isolated networks for clients.
Each network is governed by different IT security standards and integrity legislation. The cost of vulnerability scanning and client reporting using other VA/VM solutions proved prohibitive because of the great differences in network architecture and security requirements.
An AVDS management server and multiple local scanning servers from Beyond Security.
"Because we are a BPO organization, we manage hundreds of isolated networks, each configured to the needs of each customer. Other than a few key internal systems, there is no standard architecture for these networks. We build a solution tailored to a client’s process need," said King.
With clients in so many industries, and with so many unique processes under management, every supporting network is also governed by a unique mix of compliance and regulatory acronyms, including GLBA, HIPAA, SOX, SAS70, and PCI, to name a few.
"Our customers have the right to be pickier than the regulations themselves. They are paying us to manage their process and they want to ensure they are compliant. Since we are managing their processes, we are governed by the same regulations that our customers are governed by," said King.
To ensure that both the customers’ needs and the requirements of the regulations are met, and to reduce the cost of vulnerability scanning, very strict best practices are implemented across the board, along with AVDS from Beyond Security.
"Our CIO was looking for the best solution for the lowest possible cost. Because of the complexity of our networks, the other solutions were cost prohibitive because they charge on a per scan/per IP basis," said King.
In an effort to improve efficiency and provide more autonomy for each location, a number of automated scanning tools were evaluated. In the end Beyond Security’s AVDS was selected.
Beyond Security's AVDS performs a security mapping of an organization's network and simulates attacks originating from either the internal or the external network. Once the security mapping is complete, AVDS generates a detailed vulnerability report specifying the security breaches, along with several practical and easy-to-apply solutions to fix those vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by the company's research and development team, as well as those discovered elsewhere.
By installing the AVDS appliance-based solution, King has a real-time view of all the networks and is able to clearly demonstrate compliance with emerging global IT security standards and integrity legislation.
When he started his job, King used freeware scanning tools such as Nessus to conduct security scanning but quickly found that the free tools were not conducive to the management of such a large, complex environment.
"I needed a way to give control out to the various locations and let IT staff to run their own scans and maintain their own scans instead of relying on me. It had gotten so that all my time was spent measuring benchmarks and tracking resolutions of those vulnerabilities. I wasn’t being strategic," said King.
AVDS generates a detailed vulnerability report specifying the security breaches, along with recommended fixes for each of the vulnerabilities. The engine is updated on a regular basis for the most recent security vulnerabilities. The updates include security vulnerabilities that were discovered by Beyond Security's research and development team, as well as those discovered elsewhere.
"Since we started using AVDS, my job has evolved to ensure we have the proper controls in place from a policy and procedural perspective. I work to identify gaps in our existing security, and find areas where can we improve our security to be more compliant."
The automation of scans and vulnerability reports allowed King to focus on higher value work, including security awareness training. King believes most security breaches happen by accident – improper use of technology, forgetting to encrypt sensitive data, or bypassing important controls because someone is in a hurry.
"Now I create security awareness training, consult with IT on change management and work with audit and compliance on gap resolution….so now the ROI on me as a resource is much higher because we have moved our scanning to an automated platform."
King believes automated scanning is a cornerstone for improving security.
"We now can easily justify to management the cost of upgrading. For example if we have an operating system end of life and no way to patch vulnerabilities, we either need to accept those vulnerabilities or replace the machines. This kind of data gives you a lot of leverage with management for improving your security posture."