Alpine Access, Denver, Colorado, USA
PHOTOS BY PATRICIA BARRY LEVY
from left, Rich Sadowski and Michael Kleck
An outsourcing service company finds a way to secure data, but a last-minute glitch pushes the project over budget.
IT security at Alpine Access is a balancing act. Because the call center services outsourcer uses agents who work from home, the security team must constantly negotiate with the operations group to make sure the systems they develop are secure while still providing service reps the access they need.
“Security initiatives are often in opposition to operations initiatives,” says Michael Kleck, chief information security officer and director of IT infrastructure for Alpine Access. “We need to tightly control every piece of information that moves through our system, and operations wants to make it move faster.”
Those work-from-home employees create a complex and challenging security environment. “We've got people all over the United States, and I have to control all the information that comes in and out of their home offices,” he says.
With every new initiative, he has to figure out ways to create a secure network that gives service reps access to sensitive data from their home computers without jeopardizing confidentiality or the safety of end users’ personal data.
And operations insists he be quick about it.
“When we launch a new project, we are always under the gun,” Mr. Kleck says. “The goal is to get the system up and running quickly, but security tends to slow everything down.”
Some of Alpine's projects involve management of highly sensitive customer data, including credit card numbers, social security numbers and healthcare information.
If the project team doesn't make sure security is airtight, “we could end up with credibility and liability issues,” Mr. Kleck says.
NOTHING TO DREAD
To effectively manage the pressure and set realistic expectations, Alpine's IT team goes through a security review as part of every project planning process, explains Rich Sadowski, vice president of solutions engineering.
Through internal discussions and face-to-face meetings with each client, the project team identifies all of the possible security issues and how to deal with them. It uses Microsoft's DREAD risk-calculation model to determine a threat rating by asking the following questions:
- Damage potential: How great is the damage if the vulnerability is exploited?
- Reproducibility: How easy is it to reproduce an attack?
- Exploitability: How easy is it to launch an attack?
- Affected users: Approximately how many users are affected?
- Discoverability: How easy is it to find the vulnerability?
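As an added illustration (not Alpine's tooling or ratings), the sketch below scores a small threat register with DREAD. It assumes the simplified Microsoft scale of High = 3, Medium = 2, Low = 1 per question, summed to 5–15 and banded as 12–15 High, 8–11 Medium, 5–7 Low; the article does not say which scale Alpine uses, and the threats and ratings are constructed for the example.

```python
from dataclasses import dataclass

# The five DREAD questions, in the order listed above.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def score(self) -> int:
        """Sum the five ratings; each must be 1 (low), 2 (medium) or 3 (high)."""
        total = 0
        for cat in CATEGORIES:
            rating = getattr(self, cat)
            if rating not in (1, 2, 3):
                raise ValueError(f"{self.name}: {cat} must be 1-3, got {rating!r}")
            total += rating
        return total


def band(score: int) -> str:
    """Map a 5-15 total to the assumed High/Medium/Low bands."""
    if score >= 12:
        return "High"
    return "Medium" if score >= 8 else "Low"


def rank(threats):
    """Return (name, score, band) rows, highest risk first, ties by name."""
    rows = [(t.name, t.score(), band(t.score())) for t in threats]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


# Constructed register for a locked-down home-agent workstation.
REGISTER = [
    Threat("Desktop layout altered by the user", 1, 2, 2, 1, 1),
    Threat("Customer data shared through a chat tool", 2, 3, 3, 2, 2),
    Threat("Unapproved application loaded on the workstation", 2, 2, 2, 1, 2),
    Threat("Customer data copied to removable media", 3, 3, 2, 3, 2),
]

if __name__ == "__main__":
    for name, score, rating in rank(REGISTER):
        print(f"{score:>2}  {rating:<6}  {name}")
```
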
“This model helps us balance the operational needs of the business, timelines and budget against the risks on a project, and highlight risk areas that we cannot afford to cut corners on,” Mr. Sadowski says. “It's baked into our project management process and culture, and it makes it easier for the team to not succumb to pressures that can arise on complex projects.”
The Alpine IT team faced such intense pressure in September 2009, when it began designing a new, completely secure virtual operating environment for customer service reps to load on their home computers.
The project initially involved designing a secure, portable thumb (or flash) drive that would create a virtual operating environment on top of the service rep's desktop operating system. Once installed, it would take over the computer with a read-only environment that would allow the service rep to access the customer data necessary to support his or her clients but prevent data from being copied, shared or altered in any way.
“It took quite a bit of development, and we poured our entire brain trust into the project,” says Mr. Kleck.
NO CHATTING ALLOWED
The team spent a year designing the technology and incorporating it onto a USB flash drive that, once installed, could not be used on any other computer.
Once the basic technology was developed, the IT team worked with the operations group to tweak it for various applications.
But again the goal of the operations team—in this case to create the most robust and flexible environment possible—conflicted with the objectives of the security group, to avoid any changes that could potentially compromise the system's security.
A particularly frustrating negotiation process with the operations team ensued over a few features deemed too insecure, including a chat tool.
“The chat feature was used to support our service reps. But with the new system, I had to say, ‘No, we can't use it,’” Mr. Kleck says.
He won that battle eventually, and the final, secure environment was designed.
To verify that the technology worked as securely as his team envisioned, Mr. Kleck ran it through one final critical security review before rolling it out: He gave it to a third-party auditor with instructions to hack the system. The auditor was unable to do so.
CAN YOU HEAR ME NOW?
By August 2010, Mr. Kleck was confident his new secure technology environment was ready to roll out to clients. But a final evaluation of the technology's functionality revealed a problem that completely changed the project scope.
Many Alpine clients prefer to shuttle phone calls from the reps’ homes through a centralized call center to make them appear to be coming from a single location. In some cases, the company uses voice over Internet protocol (VoIP) technology to route the calls. In lab tests, the technology worked fine with the new thumb drive, but in a live environment, the call quality was poor.
“It turned out the thumb drive couldn't handle the VoIP in an acceptable manner,” Mr. Kleck says.
For a call-service outsourcing company, a bad connection could kill the entire project.
Alpine had planned to begin using the new drives with clients in a matter of weeks, and the company was not prepared to miss its deadline.
The IT team flew into action. Working nights and weekends, it took the flash drive's read-only environment and built it into a stripped-down desktop computer. This was then “hardened” by locking all ports, blocking access to the hard drive, and creating a real-time alert system that sends notification to the Alpine IT team if users try to copy data, load an application or otherwise alter the system.
“It's got all the features of the thumb drive on a desktop computer, and users can't so much as move the icons around,” Mr. Kleck says.
The project team outfitted more than 100 PCs with the technology and shipped them to service reps. The new systems worked seamlessly with VoIP, and service reps began taking live calls using the new technology on 15 September, as scheduled.
“We met our timeline, but we absolutely went over budget,” Mr. Kleck admits. “Buying extra PCs was definitely not part of the project plan.”
That experience taught him a valuable lesson: “Never take shortcuts when it comes to testing,” he says. “We didn't think we had at the time, but it's the only answer. We should have been aware of the problem earlier.” —Sarah Fister Gale
PM NETWORK FEBRUARY 2011 WWW.PMI.ORG