The long road to security compliance

12.04.2005
By Chee Sing

For Hong Kong-based Gips Ltd., more commonly known as GipEx, the challenge of providing digital media management services to its customers hinged on its ability to deliver on SLAs requiring stringent security and data integrity. Faced with client demands to examine security and integrity levels within the firm's operations, GipEx embarked on the arduous road to comply with the BS7799 security standard to provide further assurances to customers.

According to Kenneth Sung, CEO at GipEx, the company provides management of digital media for clients such as ISPs, mobile operators, banks and other commercial companies. GipEx allows digital media of all types to be stored, viewed, processed and uploaded to servers from smart phones, handheld devices and PCs.

Sung added that MMS has driven much of the business, and an online photo-finishing service is now provided for customers who want to order photo prints of their multimedia content.

Rising complexity

Client content managed by GipEx has typically resided at a partner data center, and securing that data in the past has proved to be challenging. GipEx's CTO, Dennis Yue, noted that the company's network security in the past consisted of dual Linux-based firewalls from Check Point and multiple VPN servers for various networking configurations.

But as the management function grew in complexity and time consumption, GipEx decided to outsource it to its data center partner. However, GipEx's customers (now including top-tier enterprises and service providers like Sony, HSBC and Hutchison) wanted greater assurances on the integrity of their data.

Some customers even wanted to scan and check the integrity of GipEx's systems for themselves, which was not considered a viable option, noted CEO Sung. It was suggested to GipEx that achieving a BS7799 security standard would assure customers.

"Getting BS7799 certified would give the customers confidence that their data was adequately protected and that necessary procedures were in place to continue and ensure data integrity; it gave us the necessary trust," said Sung.

BS7799 is the most widely recognized security standard in the world, covering intrusion detection, incident handling, routine checks, self-policing, internal security systems audits and management review. Compliance is typically a tortuous task, even for the most security-conscious organizations.

Getting help

GipEx engaged security consultants TI Consulting to audit the existing security posture and help prepare the firm for BS7799 certification.

To ensure client SLAs would be met, BS7799 required GipEx to initiate and streamline many policies and processes, including a detailed inventory of computing assets, from hardware to software to labor and processes. "We now have to review potential threats and manage risks in a quantitative manner," said Yue.

In addition to the new processes and procedures, TI Consulting recommended GipEx centralize its network security management, which meant bringing it back in-house.

Previously the network security systems were built piecemeal, which led to complex and difficult management and monitoring. "We were recommended to move to a single box incorporating both firewall and VPN functions which aids configurations and changes," added Yue. "This helped improve turnaround time and flexibility in making future changes."

Tools for the job

New technology was required, and Microsoft's Internet Security and Acceleration (ISA) Server was adopted by GipEx after other systems were evaluated, including Linux-based offerings. ISA Server is Microsoft's stateful packet and application-layer inspection firewall, virtual private network (VPN), and Web cache offering. GipEx found during product evaluation that Windows provided a reliable platform with lower overall TCO than other offerings.

The key gain from the consolidation has been security that is easier to administer, maintain and support than the previous system, added Yue. "The processes and procedures stipulated by BS7799 mean the challenge of change management must be met with a flexible management system for security," he stressed.

Consolidating the security functions has produced at least 50 percent time savings for network security configuration tasks, stated Yue. "While actual security levels are similar to before, we are now more efficient in handling network and security configuration changes."

The BS7799 certification was completed in August 2004, almost a year from the initiation of the project; Sung observed that this is in line with most other implementations of the security standard. The cost of the whole initiative (minus hardware investment) totaled HK$200,000 (US$25,652).

GipEx has a pool of servers, mostly Linux-based, holding 8TB of data and serving around 30 clients. Given the Linux-heavy environment, Yue noted the firm had some concerns about the security levels offered by ISA Server, but after porting and testing functions over one by one, the team were satisfied with the performance.

Yue pointed to further improvements to be made to the company's data integrity. "We need to improve redundancy, so we're setting up another data center to share the data and risk," he said.