This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."
Download it now to read this article plus other related content.
Cutting costs was the only way to keep United Airlines flying high. Rich Perez's answer was to rebuild the network.
|United Security Taking Off|
United Airlines wasn't necessarily about to be grounded by an inefficient IT network. A stagnant economy, rising fuel and labor costs, competition from discount carriers and the 9/11 fallout were doing a good job of that on their own. Yet, security manager Rich Perez had his mandate: Rearchitect on a shoestring budget and make the network more secure.
The project, which Perez launched in early 2004 after a four-month planning session with the airline's business units, ran in concert with an overall evaluation of United's cost structure. Nothing was left to chance as the Chicago-based giant put every expense on the table--flight schedules and routes, food services, baggage handling, fleet maintenance, ticket sales, marketing and promotions. The overall conclusion: United was a victim of its own fragmented organization.
Redundancies had to be eliminated and resources reused wherever appropriate. United's corporate flow chart made this even more daunting. United wasn't one large company, but rather a conglomerate of many small companies that provide services to the airline. From an IT perspective, each division acted like an independent company, complete with its own management and operational infrastructure. United.com, for example, had a different IT network structure than MyPoints.com. The same went for amenities services, the Silver Wings product line, the Mileage Plus program, the Star Alliance management and all overseas operations.
"The airline industry is staggering right now. Everything is being scrutinized more than ever. Every dollar is examined and cross-examined," Perez says.
"If we present a case, it really has to make sense both financially and functionally. The goals and the intents have to be crystal clear."
Consolidating the small service companies into United's corporate structure would eliminate redundant layers of management and save millions of dollars in operating expenses. Maintaining that efficiency, Perez found, would require a continual examination and adjustment of the network architecture. Without secure IT, United would cease to fly.
Before taking off on the project, Perez cleaned out United's IT cabin, inventorying the infrastructure and assessing every security apparatus, application, service and policy.
As it turned out, most things weren't working well.
The most obvious weakness was the security provided by United's collocation service, which managed many of its e-commerce applications and Web-based services. "It provided security, but it was a generic model that responded more to its own requirements than the particular needs of United Airlines," Perez says.
Perez's team drilled down into every aspect of United's security. They applied broad assessment criteria, scrutinizing flexibility, functionality, scalability and--perhaps most important--the costs, both upfront and ongoing. If something was working, it would be kept and possibly deployed in other departments. If it wasn't working, it would be jettisoned.
United's precarious financial situation meant that there wasn't a lot of money for new purchases, big product deployments and staff education. Perez had to reuse as much of his existing infrastructure as possible.
"Reusage is one of the most critical factors in revising a network's architecture," he says. "This becomes especially true when you are in a financial crunch and you need to squeeze blood from the rock. If something only fits in one environment and cannot be leveraged anywhere else, it's not a solution--it's a problem."
Security experts agree, but they're quick to add a word of caution: Reusage is only a starting point. Threats evolve, solutions change and rearchitecting offers an ideal opportunity to augment existing solutions with new, innovative technology.
"It's a reasonable first pass to throw out everything that's stupid," says Eddie Schwartz, an independent security consultant. "But, having said that, it's becoming more complex to protect what becomes a more open perimeter.
So, you need more complex technology that you can embed within your existing technologies."
This was first published in March 2005