New York City Housing Preservation & Development
New York City Housing Preservation & Development Achieves High Level of Security, Results and Business Availability with Lumension
Overview
The New York City Department of Housing Preservation and Development (HPD) is the largest municipal developer of affordable housing in the nation. Since 1987, HPD has provided more than $6.3 billion to support the repair, rehabilitation and new construction of hundreds of thousands of housing units. HPD protects the existing housing stock and expands housing options for New Yorkers as it strives to improve the availability, affordability and quality of housing in New York City.
Ray Jacob, serving as the agency’s Director for Network & Systems Management during the past ten years, is responsible for managing IT infrastructure development and overall IT security strategy. In the last five years, he’s witnessed an increased need to address security at multiple points on the network, given the continued risk of data theft and the never-ending stream of vulnerabilities that exist today.
The Challenges
“It’s become clear that Microsoft operating systems, which is the OS platform running our servers and workstations, will always contain security vulnerabilities that must be addressed regularly,” Jacob comments.
Microsoft recognizes this, and each month it makes available a suite of security updates for closing known vulnerabilities, a process widely referred to as “Patch Tuesday.” Microsoft also occasionally releases additional updates in between the monthly cycles.
“I decided that we had to stay current with the Microsoft update cycle, especially since our enterprise is widely exposed to the Internet, which is rife with security threats,” Jacob explains. “Even with good firewall and antivirus strategies, you don’t want to get behind on your OS vulnerabilities because the bad guys are always working to exploit those.”
Jacob and his staff knew that implementing the right patch management technology was key to deploying OS security patches in a timely and efficient way.
“As long as we continue running systems that interact with the Internet, there is constant exposure to a changing landscape of vulnerabilities that is possibly infinite,” Jacob says. “We knew that as long as we put a system in place to identify and eliminate those vulnerabilities — in a way that would not consume our IT staff — we were taking the right steps to effective and efficient vulnerability management.”
In tandem with the desire to streamline and automate its patch and remediation processes, Jacob and his team also needed a tool to automatically add or update other software on the PCs that span the entire HPD organization.
“In the past, we used Active Directory Group policies and scripts,” Jacob explains. “However, in most cases, this married us to scripts that were executed during login or logoff, forcing a user to wait for the installation to complete before they regained full control of the PC. Another problem was that in order to measure deployment success, we had to develop our own, rather crude, method for logging.”
The Solutions
HPD deployed Lumension® Patch and Remediation for automated patch and vulnerability management in 2004 to protect its IT environment from the latest threats. To address its software updating concerns, HPD deployed Lumension® Content Wizard (formerly Patchlink Developer’s kit) in 2009.
With Lumension Patch and Remediation, HPD is able to automatically and more efficiently protect its 2,600 workstations, which span all five NYC boroughs, from vulnerabilities present in Microsoft operating systems. When asked how hard of a “sell” it was to bring Lumension’s vulnerability management technology into their IT environment, Jacob describes it as an easy one.
“Many people have a very negative view about running Microsoft OSes because of that constant obligation to conduct software updates. However, I think the security negatives are balanced by how well Microsoft OSes support the broadest scope of software tools. And when you can present a solution like Lumension’s to deal efficiently and effectively with the security maintenance, you’re showing that you have all the bases covered,” Jacob says.
“At HPD we have many different types of PC users — we have neighborhood planners, architects, legal staff, mapping experts, loan coordinators, etc. — all of whom run very different kinds of software. The Lumension/Microsoft combination has worked great here,” Jacob adds.
Jacob and his IT staff know that without a patch and vulnerability management solution like Lumension Patch and Remediation, “there would be very serious concerns about unfriendly exploitation,” Jacob says. “There is simply no way that, with the size of our IT organization, we’d be able to keep pace with the Microsoft patch cycle. You can’t throw bodies at this, that’s wasteful. You can’t let Windows Updates run on all your boxes because you lose the opportunity to do compatibility testing and you will break things. Managed automation is the only answer. With Lumension, we solved the patch concerns with a single technician who spends 30 to 40 percent of his time addressing security updates, testing and pushing those updates to our workstations from a centralized location.”
With this process in place, HPD has accomplished an essential hardening of its endpoints, from which information theft and denial-of-service (DoS) attacks could otherwise be launched with the potential to cripple the business.
Regarding Lumension Content Wizard, Jacob explains that ease of use and customization capabilities have been great benefits in rolling the software out across the organization.
“Lumension Content Wizard allows us to leverage our Lumension Patch and Remediation technology investment as a means to push software enhancements and applications out to each of our workstations,” Jacob says. “We’ve accomplished this using the same server/agent architecture created for the security patches, while the basic deployment/monitoring procedures executed by our Patchlink administrator remained the same.”
As a result, Jacob and his team are now able to schedule transparent after-hours software updates to the enterprise while using Lumension Patch and Remediation reporting tools to measure their progress, identifying conditions that require special attention. These are the very same reporting tools that are also used for deploying security patches. Leveraging both technology offerings from Lumension has resulted in invaluable time saved from having to manually deploy patches and software updates, which is a priceless benefit in the current economic climate.
Ease of Deployment
Once HPD decided to deploy Lumension’s technology, the deployment was fast, “especially for an enterprise-wide deployment,” Jacob explains. “We were 100 percent operational in about six weeks, which is fast when we compare our experience implementing other enterprise solutions.
“And, once we had Lumension’s Vulnerability Management solution in place, we never looked back. While we’ve reconsidered other enterprise-wide solutions we’ve deployed over the years at HPD, we have never done so with Lumension.
“What made a big difference was that if we did run into technical health issues, we felt support was very good. As a government entity, we’ve been comfortable dealing with Lumension, beyond just the day-to-day operational perspective, which has been a great added benefit.”
Benefits of Lumension® Vulnerability Management
“Patch management is one of the security cornerstones in an enterprise because you might have one Internet perimeter in your data center, maybe two,” Jacob says. “But you have thousands of workstations, so that’s thousands of endpoints where vulnerabilities could hurt you. Without having in place a vulnerability management solution to protect those endpoints, what exists is a gaping hole at risk. Having Lumension in place gives us a very high level of confidence in that area; this is backed by our positive results in the last several years.”
As a result of HPD’s deployment of Lumension Vulnerability Management, Jacob’s IT staff has more time to spend on projects that directly improve business, rather than being bogged down hunting risks and remediating breaches.
“We don’t want our PC technicians running around performing manual installations and attack remediation because we weren’t prepared,” Jacob says. “Instead, we have one Lumension administrator who tackles the patch management for the organization, which frees technical people for more business-solutions tasks.”
Jacob also credits Lumension, in part, with a reduction in help desk calls, which are down about 75 percent from a few years ago.
“That was the result of a combination of things, of which reliable patch and vulnerability management played a big part,” he notes. “The layered approach locks down the desktop, employs perimeter protection and adds an endpoint security strategy. When we reduced all those calls to the help desk, we freed staff for more business-targeted assignments.”
Conclusion
Jacob is quick to point out that Lumension plays an integral role in HPD’s overall, multi-point, multi-vendor security strategy, one that has evolved in recent years.
“In the past five years, our IT security strategy has matured. We’ve become much more security conscious than we were before,” Jacob says. “Today, everyone who works in the data center, regardless of his or her role, has a level of security consciousness that wasn’t always present. That even includes the group responsible for building servers — they realize that servers are not ‘born’ as secure devices. Before being provisioned, that server gets the full security treatment — patching, installation of vulnerability management and anti-virus software, and other agents to fully secure them. As a result of this deeper security consciousness, we have procedures in place that are designed in such a way that there aren’t even minutes of exposure to exploit attempts when the new server is plugged in. An attack can happen that quickly. We weren’t there a few years back.”
Equally important to HPD’s layered approach to security, Jacob recognizes that “automated patch and vulnerability management is not a ‘set it and forget it’ platform. This is very important for IT managers to realize. Just because you hear ‘automated management’ does not mean that you can click ‘enable’ and be done with it. It requires some level of human intervention, too. This is something that we at HPD have committed to fully, and as a result, we have a solid, efficient and smart approach to patch management in place today.”