Equifax, the company that compiles credit reports, has chosen network-access-control technology to make sure contractorsand employees access its network with machines that meet the firm's security requirements.
Maintaining such control is key because it helps reduce the risk to breaches that could undermine customers' confidence in Equifax as a repository for confidential financial data, says Tony Spinelli, chief compliance and security officer for the $1.8 billion company headquartered in Atlanta. "We can't have a loss of reputation or we suffer," he says.
That means securing the network against possibly infected contractor machines and making sure those used by Equifax employees are properly configured to the latest corporate desktop image, he says.
To that end Equifax deployed Juniper Networks' NAC gear -- which Juniper calls unified access control -- to check every endpoint for compliance as it tries to connect to the network. (Compare NAC products.) The deployment consists of the Juniper NAC client that checks the endpoint configuration that is evaluated by its NAC policy server and enforced by Juniper perimeter firewalls and firewalls placed in front of the corporate data center, Spinelli says.
Spinelli included NAC in the second year of the company's three-year network-security plan that he wrote two years ago hoping to put more controls on the outsourcers -- totaling about 100 users in all -- the company uses to handle call centers and to develop and maintain applications. About three months ago, the firm finished deploying NAC to its contractors and more than 6,000 Equifax employees at about 100 sites in 13 countries.
"We want to have some way of knowing that only our assets are joining the network," Spinelli says. Also, he wants to be able to make sure managed devices have the appropriate security profile -- encryption in use, antivirus protection at the right level, host intrusion-prevention turned on, and so forth.
To accomplish a uniform software image, the company insisted outsourcers use machines managed and owned by Equifax Â -- a stipulation that took some negotiating with the vendors but to which they ultimately agreed.
Spinelli didn't want to rely on outsourcing contracts to stipulate compliance with the security standards, with penalties for noncompliance. "Penalties really aren't going to do a lot for us," he says. "It's a great deterrent, but we developed an assured model."That means outsourcers can buy their own laptops but Equifax gets to impose its standard software-image.
"They are not allowed to have any software, security or systems that are theirs," Spinelli says. "They have to be ours."The vendors pushed back, but Equifax was able to overcome their resistance. Business units and senior management stuck to their guns because the importance of the company's reputation as a trusted steward of information overrode any protests about inconvenience, Spinelli says. "I think a lot of the premier outsourcing vendors are getting used to working in this manner," he says.As a tool to convince the outsourcers, Equifax tied their agreeing to use Equifax-managed machines to the guarantee of multi-year contracts, Spinelli says.
There was no such struggle internally because the company already had laid out a global security policy. All sites must comply with the same set of rules, configurations and procedures, Spinelli says. "These decisions are made globally. They are never made by a single business unit," he says.
The NAC rollout started with the contractors because if anything went wrong, it wouldn't disrupt the main line of business.
"Thankfully we didn't break anything," Spinelli says.
About 60 days later, the company started a nine-month NAC deployment for Equifax employees, starting at headquarters and progressing country by country.
Before turning on the enforcement of NAC policies, Equifax ran the gear in monitor mode to discover how many machines were noncompliant and to fix them. That avoided the problem of locking hundreds or thousands of employees out the first day and crippling their ability to do their jobs, Spinelli says.
The monitoring discovered cases of outdated versions of Pointsec (now Check Point Software) hard-drive encryption software that was a mandatory part of desktop images, Spinelli says. There were even some cases of the software inadvertently still installed in pilot mode, he says.
"NAC is a fail-safe control as we put it in," Spinelli says. "We feel confident we are promulgating the right set of security policies, but without NAC I'm not sure how comfortable I would be saying we've got Equifax covered. We're very confident now."