
Benefits of Securing Servers: Enhanced Security, Compliance and Operational Excellence

By: Blue Lane
Published: Aug 07, 2007
Length: 6
Type: Case Study
 
Overview :

Needing to implement a patch management solution to comply with SAS 70, Davidson found the solutions on the market lacking. They either required significant resources to test all patches, or were expensive automated solutions.

Then Davidson learned about Blue Lane Technologies, whose concept Davidson loved. Blue Lane corrects the traffic directed at a known vulnerability, providing the benefits of patching immediately after a vendor patch is released and without the need to hastily test or install server software patches. The result: enhanced server security and availability, and reduced operational expense.

Finding Blue Lane’s concept compelling, Davidson piloted Blue Lane with great results, and is now in the process of deploying it across its network. Blue Lane provides Davidson with all of the security and compliance benefits it was seeking at a reasonable price and with minimal resource requirements.


Background
Davidson is a full-service hotel management company, managing all aspects of hotel operations for owners/investors. Davidson’s management activities include responsibility for more than 30 properties across the country, covering facility management, staffing, technology, financial management, and technology management.

All technology deployment and support is handled by a small, seven-person IT team, which includes both headquarters and field-based personnel. Davidson is a “Microsoft shop,” and security solutions that have been deployed include: a network firewall; the McAfee Antivirus Defense Suite; IPsec VPN to connect the company’s disparate facilities; and SSL VPN for remote worker connectivity. They have also created a segmented network which separates guest/customer traffic from administrative connectivity.

The Need for Compliance
As a private company, Davidson had never needed to comply with the types of regulations imposed on public companies. But, because some of the properties that Davidson manages are owned by public companies, and because Davidson is considered a third party accounting services provider for these public companies, the company’s owner/investors expected Davidson to be compliant with Sarbanes-Oxley (SOX) and with SAS 70. In addition, because all of Davidson’s hotels accept credit cards, it was also necessary for the company to be PCI compliant.

In particular, the SAS 70 requirements mandate establishing clear processes, having adequate and accurate documentation, and ensuring auditability. Many of the SAS 70 guidelines overlap with those for PCI. “SAS 70 is not specifically about security, it is a bit esoteric and is about having auditable standards and being able to prove what you are doing. PCI is about data security and is very specific—it tells you exactly what you need to do.”

Complying with SAS 70 and PCI requires doing many of the basics, such as firewalls, individual user IDs, and periodically changing passwords. Yet, one of the findings from Davidson’s initial SAS 70 audit was that the company needed a patch management system, although no specifics were provided regarding what was required.

Their Server Patching Challenge Required a New Approach
Previously Davidson’s approach had been to periodically apply major service packs, not having the resources to quickly and safely test and apply each individual server security patch.

Now the need for a server security system caused Davidson to assess their situation and needs, and to think through the costs and benefits of different types of solutions. Davidson saw two types of solutions on the market:

1. Rigorous, resource intensive solutions: Patch management systems that involved receiving patches, evaluating them, testing them, and then deploying them. Such systems were designed to make sure the patches that were applied didn’t break things, but such systems and processes struck Davidson as extremely resource intensive.

2. Automated, expensive solutions: The other types of systems were more automated and involved subscribing to a service. These solutions required fewer resources but were seen as much more expensive.

This investigation led Ron Hardin and Davidson to conclude that none of the solutions they saw on the market were optimal. “Our investigation [into patch management solutions] showed us that you can spend way more than the benefit you receive.”

Selecting Blue Lane Technologies
Davidson’s lack of satisfaction with the existing solutions on the market made Hardin very receptive to speaking with Blue Lane to learn more about their solutions. (Hardin was also immediately impressed with an atypical level of professionalism from Blue Lane’s sales representative.)

Hardin was so focused on and locked into the traditional paradigm of patch management—which involves some process and method to patch every device on a network—that he was not initially clear about Blue Lane’s unique concept.

But then Blue Lane’s sales representative clearly explained the concept to Hardin—and Hardin was immediately sold. From Hardin’s perspective, Blue Lane Technologies analyzes network traffic at the application and protocol layers and then corrects traffic that is associated with a vulnerability. It essentially provides the benefits associated with fast server patching without jeopardizing server availability or increasing operational expense.

For Davidson, this concept is especially valuable for their servers. They face a dilemma: they lack the time and resources to actively test their server patches, yet the risk of patching business-critical systems without first testing them is too high.
