This article can also be found in the Premium Editorial Download "Information Security magazine: Spotlight on the incident response hot seat."

Cutting costs was the only way to keep United Airlines flying high. Rich Perez's answer was to rebuild the network.

United Security Taking Off
United Airlines' network security rearchitecture project was a methodical process in which the existing infrastructure was examined and assessed before a consolidation and replacement plan was put into action. The following are some steps United took to consolidate and rebuild its security infrastructure.

  1. Reach out to departmental and IT managers for buy-in to the rearchitecture plan.
  2. Set security and architecture goals based on the business unit's needs. Compliance with government regulations and industry standards should also be taken into consideration.
  3. Inventory and assess the existing infrastructure.
  4. Tag existing, advantageous systems for enterprise-wide deployment. Schedule obsolete, redundant and unbeneficial systems for replacement.
  5. Devise a transition plan for consolidating the infrastructure, and phasing solutions in and out based on departments' operational requirements, budgets and security necessities.
  6. Fill in the gaps with security solutions that have low TCO and would complement and integrate with existing solutions.
  7. Re-examine the architecture and make adjustments to ensure it meets security expectations.

United Airlines wasn't necessarily about to be grounded by an inefficient IT network. A stagnant economy, rising fuel and labor costs, competition from discount carriers and the 9/11 fallout were doing a good job of that on their own. Yet, security manager Rich Perez had his mandate: Rearchitect on a shoestring budget and make the network more secure.

The project, which Perez launched in early 2004 after a four-month planning session with the airline's business units, ran in concert with an overall evaluation of United's cost structure. Nothing was left to chance as the Chicago-based giant put every expense on the table--flight schedules and routes, food services, baggage handling, fleet maintenance, ticket sales, marketing and promotions. The overall conclusion: United was a victim of its own fragmented organization.

Redundancies had to be eliminated and resources reused wherever appropriate. United's corporate flow chart made this even more daunting. United wasn't one large company, but rather a conglomerate of many small companies that provide services to the airline. From an IT perspective, each division acted like an independent company, complete with its own management and operational infrastructure. United.com, for example, had a different IT network structure than MyPoints.com. The same went for amenities services, the Silver Wings product line, the Mileage Plus program, the Star Alliance management and all overseas operations.

"The airline industry is staggering right now. Everything is being scrutinized more than ever. Every dollar is examined and cross-examined," Perez says.

"If we present a case, it really has to make sense both financially and functionally. The goals and the intents have to be crystal clear."

Consolidating the small service companies into United's corporate structure would eliminate redundant layers of management and save millions of dollars in operating expenses. Maintaining that efficiency, Perez found, would require a continual examination and adjustment of the network architecture. Without secure IT, United would cease to fly.

Cabin Pressure
Before taking off on the project, Perez cleaned out United's IT cabin, inventorying the infrastructure and assessing every security apparatus, application, service and policy.

As it turned out, most things weren't working well.

The most obvious weakness was the security provided by United's collocation service, which managed many of its e-commerce applications and Web-based services. "It provided security, but it was a generic model that responded more to its own requirements than the particular needs of United Airlines," Perez says.

Perez's team drilled down into every aspect of United's security. They applied broad assessment criteria, scrutinizing flexibility, functionality, scalability and--perhaps most important--the costs, both upfront and ongoing. If something was working, it would be kept and possibly deployed in other departments. If it wasn't working, it would be jettisoned.

United's precarious financial situation meant that there wasn't a lot of money for new purchases, big product deployments and staff education. Perez had to reuse as much of his existing infrastructure as possible.

"Reusage is one of the most critical factors in revising a network's architecture," he says. "This becomes especially true when you are in a financial crunch and you need to squeeze blood from the rock. If something only fits in one environment and cannot be leveraged anywhere else, it's not a solution--it's a problem."

Security experts agree, but they're quick to add a word of caution: Reusage is only a starting point. Threats evolve, solutions change and rearchitecting offers an ideal opportunity to augment existing solutions with new, innovative technology.

"It's a reasonable first pass to throw out everything that's stupid," says Eddie Schwartz, an independent security consultant. "But, having said that, it's becoming more complex to protect what becomes a more open perimeter. So, you need more complex technology that you can embed within your existing technologies."

This was first published in March 2005
