De Beers, Toronto, Ontario, Canada
A CLOSER LOOK: DE BEERS TORONTO, ONTARIO, CANADA
The De Beers IT team, from left, Thaer Ontabli, Email Safi and Cherian Thomas
PHOTOS BY NADIA MOLINARI
A global diamond mining and trading company develops a top-down vision for information security.
WHEN DE BEERS CANADA began developing two new mines, executives knew they needed a way to protect the information surrounding the company's multimillion-dollar investment. So in mid-2007, the local outpost of the international diamond mining and trading giant launched an initiative to implement a comprehensive data-security plan.
Direct responsibility for the project fell to assistant administrator Cherian Thomas. In addition to enjoying the top-down support of senior-level executives, Mr. Thomas could leverage a global De Beers information security policy in place for the past decade.
But still, there was work to be done.
“In a large organization, having a policy and making it work are two different things,” he says. “Very often, policy is just a piece of paper. But with De Beers, as a global company, we try to pay a lot of attention to making sure that the policies work and that they are not draconian, that they don't get in the way of actual day-to-day usage. We spend a lot of time implementing products which are safe and secure, but at the same time don't end up encroaching on users' productivity. So, for the Canadian office, it was just a matter of taking this framework of a security policy and customizing it to the local environment.”
That included making sure the company's policy complied with the Personal Information Protection and Electronic Documents Act enacted by the government in 2000.
An analysis of all sensitive data that would reside on both desktop and laptop computers in De Beers Canada's Toronto headquarters and its two mines lay at the heart of Mr. Thomas's planning.
“As part of the original scope of the project, we had the insight that prior to deploying solutions, we should be talking to department heads and asking them to identify which hardware in their departments had data that is important,” he explains.
As a result, De Beers adopted software providing full hard-disk encryption, which encrypts the entire drive (operating system, swap and temporary files included) rather than selected files or folders, together with access-control capabilities, for all of its laptops and about 200 of its 700 desktops.
“The whole idea for us,” Mr. Thomas says, “is that we're happier being able to give assurances that the entire disk is encrypted, because if you have an unencrypted portion, that allows a hacker to install an application on the unencrypted part and then use brute force to try to figure out the unencryption algorithm. So our view is why provide them with a launch pad?”
LAPTOPS IN THE WILD
Another key De Beers concern was the 15 to 20 geologists who work remotely in the far reaches of Canada's Northwest Territories and on the James Bay coast of northern Ontario, where the new mines are located.
“We have spent millions of dollars to do sampling in areas where we feel there could be return for the company,” Mr. Thomas says. “So, when you have data like that on laptops out in the wild, you want to have some kind of assurance that if they do grow legs and walk away that we can mitigate those risks.”
As protection, De Beers chose software that lets the organization monitor where laptops are, who is using them, and what hardware and software changes are made. It can also track lost or stolen devices and remotely wipe sensitive information from laptops that go missing.
As a second level of protection, De Beers deployed a couple of different forms of “two-factor authentication,” meaning that along with the usual user name and password, a second factor is required to access any remote laptop and some desktops.
One application combines a web-based security gateway, which provides an SSL (secure sockets layer) connection to the De Beers network, with a hardware “token,” a device that generates a six-digit access code that changes every 60 minutes. A user opens a web page and enters their usual user name and password along with the current code.
“Users are able to log in from anywhere in the world without having any specific software installed, because all you're using is a web page,” Mr. Thomas says.
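The code-plus-password check described above, written out as an added example (this is not De Beers' software or the product the article refers to). It implements the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) in pure Python so the mechanism is visible: the token and the gateway share a secret, the code is an HMAC over the current time-step counter truncated to six digits, and the gateway checks both factors. The RFC default step is 30 seconds; the one-hour interval described in the article corresponds to `step=3600`, and a practitioner should note that a longer step widens the window in which a captured code can be replayed. The secret is the RFC 6238 test vector, and the user record, salt and password are constructed for the demo.

```python
"""Added example: RFC 4226 HOTP / RFC 6238 TOTP with a two-factor gateway check.
Standard library only. Not De Beers' code; secret, salt and user are constructed."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time password for a counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): counter = whole `step`-second intervals since
    the Unix epoch. step=30 is the RFC default; step=3600 is a one-hour code."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbours (clock drift between
    token and gateway). Each comparison is constant-time."""
    if len(submitted) != digits or not submitted.isdigit():
        return False
    for delta in range(-window, window + 1):
        counter = at // step + delta
        if counter < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256: the gateway stores salt and hash, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record, standing in for what a gateway would hold per user.
SALT = b"constructed-salt"
SECRET = b"12345678901234567890"          # RFC 6238 test secret (ASCII digits)
USER_DB = {
    "geologist1": {
        "salt": SALT,
        "pw_hash": hash_password("correct horse", SALT),
        "totp_secret": SECRET,
    },
}


def gateway_login(user: str, password: str, code: str, at: int,
                  step: int = 30) -> bool:
    """Both factors must pass. Both are always evaluated so response timing
    does not reveal which one failed."""
    rec = USER_DB.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
    code_ok = verify_totp(rec["totp_secret"], code, at, step=step)
    return pw_ok and code_ok


if __name__ == "__main__":
    print(totp(SECRET, 59))                              # 287082 (RFC 6238 vector)
    print(totp(SECRET, int(time.time()), step=3600))     # current one-hour code
    print(gateway_login("geologist1", "correct horse", totp(SECRET, 59), 59))  # True
```

The `window` parameter is the usual trade-off: a wider window tolerates more token drift but accepts more codes at any instant. A production gateway would additionally record the last accepted counter per user and refuse it a second time, so that a code observed over the shoulder cannot be replayed within its validity interval.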
The other form of two-factor authentication uses a USB key, or “smart card.” Each key holds a certificate unique to its user, who must plug the key into a USB port before authenticating to the network; the certificate on the key is checked against the company's certificate server.
[Sidebar statistic: the percentage of organizations that reported they don't audit or monitor compliance with security policies. Source: PricewaterhouseCoopers, The Global State of Information Security 2007.]
Why deploy two different types of two-factor authentication? One is specific to remote laptops; the other covers both laptops and desktops.
“We like double-layer security,” Mr. Thomas says.
The final weapon in the De Beers arsenal is a piece of software that defends against viruses, malware, spyware, adware and intrusion.
“We can go as granular as to set a policy to be able to disable USB ports on laptops or desktops,” Mr. Thomas says. “That is really important because there are some desktops where people are working with information where you don't necessarily want them to plug in their iPods or memory sticks and take away data, because data leakage is a concern.”
To address that risk, De Beers uses a web-based application that allows analysis and reporting of file access and permissions.
“Access control is extremely important to us,” Mr. Thomas says. “We ensure that correct corporate governances are followed.” Now, that task is accomplished in an annual audit of data and quarterly educational sessions with employees.
“When we implemented the policy, we heard rumblings from the wild about why we needed to have all of this stuff in place,” Mr. Thomas says. “But when we have these workshops, people come because they want to know why we have the requirements we do. Once they come to a session, they understand and they comply.”
To add a further level of protection, Mr. Thomas is currently investigating a new application that will allow for real-time analysis and reporting of each employee's access to sensitive data.
With all that information floating around, De Beers recognizes security is just good business.
“All of our IT managers across the globe spend a lot of time making sure that all of our security policies are effectively implemented and that they are maintained,” Mr. Thomas says. “Every year we put ourselves through IT audits, which we take very seriously.”
The message from top management is clear, he says: “If you don't empower your IT department, then you can't expect them to give you assurances after the fact.” —John Buchanan
PM NETWORK JUNE 2008 WWW.PMI.ORG