Washington State plugs leaks; subadministrators help Bill Allen keep tabs on sprawling PC-LAN environment.


Like an onion, network security has many layers.

"The object of any network security program should be to grow a program in an orderly manner while you're still small," says Bill Allen. "Each layer is supported by what is below it, and each level supports the layers above."

Allen is data security manager for the Department of Social and Health Services for the State of Washington.

When he took over the position, DSHS had a good security system based on centralized mainframe control.

But DSHS's reach extends far beyond Olympia (the state capital) into every corner of Washington. Allen realized today's proliferation of LANs and stand-alone PCs was just the start of a trend.

From 35 in operation today, he projects by 1995 there will be 500 LANs serving over 14,000 employees in DSHS.

The largest department in state government, DSHS has 25 divisions ranging from food stamps and aid to families with dependent children to vocational rehabilitation and medical assistance.

Easing the Pain

The decentralization of DSHS makes Allen's job of providing network security difficult. But he found a way to ease the pain by setting up a system of sub-administrators.

In each division, he works with three types of sub-administrators. These are local department people whose responsibilities include accessing data on Unisys 1190 and 2200 mainframes and IBM, managing Novell LANs, and managing the Mapper (data reporting) technology on the mainframe.

In general, he provides assistance to departmental managers who then carry out programs on the local level.

DSHS is migrating to a System 370 environment. Today, some LANs are connected to the Unisys, others to an Amdahl or IBM.

Now it is more necessary to sell security at the local level. Department-level workers control the LAN.

Top management sees security differently than the data processor, who in turn sees it differently than a user in the field who forgot her password.

With LogOn codes ranging from eight to 12 characters, it's not difficult to see how codes can be forgotten. LogOn identifies the person to any system in the network.

The password, which tells who the user is and defines privileges on the system, is the user's responsibility.

This is a change from location-based security, which, once anyone gets in, gives any user the run of that terminal.

The new system allows a user access from any computer in the state to any other network for which the user is authorized.

It fits with the sub-administrator (SA) concept. The SA assigns, person by person, access to data. The SA also is responsible for removing authorization, but there are backup systems in place.

"We are tied to our personnel department's files. When people leave their jobs, we remove their security." That alone tightens a major security flaw in many networks.

Allen has a staff of three--including himself--to ensure security, so he wants to automate as much as possible.

So far, the incremental cost to the state is zero. "It's just a changeover."

He sees the cost running perhaps as much as $100,000 out of DSHS's multi-billion dollar budget. Half of that will go to OTS 1100 software that allows him to appoint SAs. There will be an IBM security package as well.

Most of the rest will go to a training budget over the next two years.

"Remember, I'm simply maximizing the use of agency resources and funds by inviting user participation to carry out the plan."

The new system has gotten a positive response from the field. The SA gets a greater level of control. SAs are empowered to add users and change IDs at their level, something that formerly was done in Olympia.

Along with the added power, SAs get activity reports on who is accessing their data and who isn't.

When completed, security will be on a continuum from none to extreme, depending on the project and division.

Seeking Loopholes

Allen also plans to go into applications security, reviewing new programs before they are implemented, for security loopholes. "The auditor can't just be an enforcer. It's better if you can get assistance finding chinks in the armor before you start to use it."

In addition, he is working with the State Highway Patrol and the Department of Information Services on joint security projects.

"Everyone found out that working together helps us all."

DSHS has experienced little fraud, but "just because it is not detected doesn't mean it isn't there," he notes.

Two minor instances have been uncovered. One, involving an employee wandering into unauthorized files, was referred for prosecution. The other is an active case.

The advantages of the new system are not all security-related. Over 300 transactions now are defined and listed by organization. All are being reviewed. "We will have a standard transaction set that will have a number. The number can be used without anyone knowing what it is, and the acronym can't accidentally be assigned as a code."

A three-year plan is underway to oversee the changes in administrative security.

"We had a good plan in place," Allen concludes.

"But the new distributed environment is prompting us to make changes. And they seem to be beneficial at every level."
COPYRIGHT 1991 Nelson Publishing
Copyright 1991 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:local area network
Author:Harter, Curt
Publication:Communications News
Date:Jan 1, 1991