What if those consultants are spread across 125 offices around the world? What if three-fourths of those consultants are camped out at client sites at any one time? And what if these highly mobile, highly paid professionals rarely show up at headquarters and won’t put up with downtime? They just want to plug in at the client site and run the applications they need to run.
That’s the tall order facing the IT team at Booz Allen Hamilton, where a massive army of consultants needs security tools that are not only flexible enough to let them quickly load client-specific applications, but responsive enough to pass rigorous security checklists.
The key for the McLean, Va., company’s IT staff was to create a system that would stream security policies and the latest patches to users, says Brian Oswald, senior desktop architect.
Underpinning Booz Allen’s security architecture is a carrier-class-sized SSL VPN gateway from Juniper. Technically, Booz Allen falls into the midsize enterprise range, with only 18,000 employees, 95 percent of whom are consultants, but the company chose to go with the oversized SSL VPN to accommodate those remote users.
“Our gateway can handle as many as 12,000 simultaneous connections, even though we’ve really never had more than 3,000 at one time,” says Stan Kiyota, a Booz Allen certified information systems security professional and certified information security manager. “The robustness of a network with enterprise capabilities lets us push patches and check for vulnerabilities by centrally managing antivirus and other security tools,” he adds.
For antivirus protection, Booz Allen uses Symantec products automatically disseminated to remote employees, who might be situated for years in posts as far away as Russia. “If a particular user has not accessed the network in quite some time, the software will automatically check Symantec’s site for policy updates,” Kiyota says.
Booz Allen also uses McAfee’s IntruVert line of intrusion-detection tracking products, which immediately report incidents of infected PCs. Microsoft’s Active Directory and NetWare provide for centralized directory synchronization. And the firm relies on nCircle Network Security for proactive vulnerability and risk-management tools.
The final piece of the puzzle is automated patch management. The IT team in 2002 hired PatchLink and now relies on PatchLink Update to more accurately inventory and assess the status of deployed laptops, as well as servers and the firm’s few desktop computers.
Incorporating PatchLink Update meant the elimination of time-consuming manual updates. “Previously, our primary method of updating was through reimaging,” Oswald says. “On a biannual basis, we would rebuild desktop images to accommodate updates.”
At Booz Allen, manually updating laptops simply wasn’t acceptable. “The imaging process took two to three hours,” Oswald recalls. “Then the data had to be uploaded. We are talking about a user base that is so mobile and rarely available that it was almost impossible to take a user’s machine away for hours to do these updates.”
PatchLink Update houses a massive repository of patches — more than 10,000, including patches issued for current and legacy operating systems. To keep up with each piece of equipment scattered throughout a dispersed enterprise, PatchLink Update makes use of a feature dubbed Digital Fingerprint Technology, which creates a unique profile for each machine to monitor whether a particular PC or laptop has the latest patches.
“Using PatchLink and improving our vulnerability management, we had the best security performance that we’ve ever had. For three months in a row, we had no virus attacks,” Kiyota says. Before and after its virus-free stint last summer, Booz Allen experienced only a handful of incidents — down significantly from years past when virus attacks and other threats hovered in the double-digit range, he adds.
Not only does automated patching protect Booz Allen’s internal infrastructure, PatchLink also helps the firm produce security reports that clients regularly demand. “We’ve got to keep users up to date, so they don’t run into situations at a client site,” Kiyota says. Hours spent tweaking the settings on a deployed laptop or hang-ups during the security reporting process would not only tax the technical expertise of remote consultants but also irk a client’s already burdened IT staff. These roadblocks can easily cost Booz Allen Hamilton revenue.
Even so, the firm often must interact with the technology staffs of its many clients to get consultants up and running. “The challenge in this scenario is for the companies that hire Booz Allen. They have to set up their policies to allow the consultants to plug into their network and gain access to their resources,” says Natalie Lambert, a Forrester analyst.
Naturally, Booz Allen’s goal is to make life as easy as possible for the customer. “We customize our equipment for each customer engagement,” Kiyota says. “We also have a policy of not restricting any client-required tools on our equipment.”
That creates a natural conflict between the desire to lock down the computer for security reasons vs. the business need to allow new applications to be deployed on the laptop. Booz Allen grapples constantly with the narrow range of user rights options afforded by Windows XP. “It has proved difficult to lock down a computer completely with XP, since administrator or superuser rights are required to install or use different software. We give our consulting team members those rights. In an ideal world, we would not do that,” Kiyota says.
Booz Allen IT staff members are counting on Windows Vista to address some of these problems. “Vista will allow companies to downgrade the rights of users while still giving them full access to their machines,” Lambert says.
“However, neither XP’s limitations nor Vista’s new user rights scheme should dictate enterprise decisions to grant select employees generous access rights,” Lambert adds. “I do believe that information workers — those who understand technology and need quick access to their computer while away from the office — need to run in administrator rights in XP,” she says. It’s a philosophy Booz Allen maintains out of sheer necessity, and consultants will retain wide latitude to respond as quickly as possible to client needs. “As a professional services firm, we must be very flexible in accommodating our clients. They are paying our bills, and we are providing a service,” Kiyota says.