ATLANTA -- Kenneth Tyminski is in an unenviable position. As chief information security officer for Prudential...
Insurance Company of America, he's the first one likely to receive blame when a network security snafu affects his company's bottom line.
But Tyminski told attendees at TechTarget's Networking Decisions conference that he rarely loses sleep over security, because, in reality, the burden for keeping the network safe isn't his alone.
The 30-year Prudential veteran said that a successful enterprise network security strategy must not only be based on a rigid, company-wide policy that keeps sensitive data in and viruses out, but must also allow the security burden to be shared equally among senior executives, junior network managers and everyone in between.
Most companies, Tyminski said, don't even know who is in charge of security, never mind have an established policy. By having a security officer in every major business unit, and then ensuring that those officers hold lower-level admins responsible when security problems occur, he said, his company encourages everyone to keep network defense in mind when performing day-to-day tasks.
Prudential augments that technique with a set of rigid security rules that includes automatically revoking unnecessary access privileges when an employee changes jobs, disabling print capabilities within some applications that use sensitive customer data, and denying developers access to production data.
"Whenever we can, we systematically enforce policy," Tyminski said. "Whether you like it or not, we make you change your password every 30 days, and we don't let you reuse it for a year. If you do, we make your life miserable."
That mindset applies to business partners as well. Tyminski said he recently delayed an IT project that would have saved Prudential $12 million annually because the vendor involved, whom he declined to name, decided not to share its security policy with him. Upon further review, Tyminski learned that was because the company didn't have a security policy.
Mapping the network on a monthly basis is another important element of the company's strategy. With a network the size of Prudential's -- four data centers, 5,000 servers in the United States and more than 60,000 network nodes overall -- unauthorized equipment is constantly finding its way onto the network.
During a recent scan, Tyminski said admins discovered three unauthorized Wi-Fi hot spots and later, during a physical search, two more. It also learned that one of its consultants was not only running more than a dozen unauthorized Linux machines on the network, but was also scanning network ports, all without explanation. Tyminski said that consulting relationship was soon terminated.
Though Prudential's strategy includes using IBM's Lotus Notes e-mail and instant messaging applications, along with SSH Communications Security Inc.'s Secure Shell, IntruShield from Network Associates Inc. and more, Tyminski said that hardware and software don't make the security policy a success.
"People are really what make or break security," Tyminski said. "Security people are especially valuable, but it's network people that really make security happen."
Olaf Gradin, a conference attendee and information services specialist for ConAgra Foods Inc., in Duluth, Ga., said that, as long as people are in charge of security, "There's no perfect system out there."
Gradin said that some of Tyminski's policies might help him get a better handle on remediation, especially for Microsoft's Windows operating system. He said it's a big issue for his company, which had to patch 20,000 systems overnight following word of a recent vulnerability.
Attendee David Amster, a vice president for Equifax Information Services LLC, in Alpharetta, Ga., said that for financial companies like his and Tyminski's, rigid policies are essential.
TechTarget is the organizer of Networking Decisions and owner of the family of Web sites that includes SearchNetworking.com.
FOR MORE INFORMATION:
See more of our special coverage of Networking Decisions.