Patrolling an always-on network

Increased crime-fighting systems demand more effective enterprise security

Butch Johnstone looks back at the past year with a mixture of pride and concern when it comes to the issue of enterprise security.

A senior technical analyst at the Commonwealth of Virginia’s Department of Criminal Justice Services (DCJS), Johnstone helps manage the network of an agency that obtains and manages criminal data from 249 law enforcement agencies, 129 local governments, and three major state agencies in Virginia.

“It’s courts, cops, and jails,” Johnstone says of his agency’s wide-ranging responsibilities.

The increasing availability of broadband Internet connectivity, more powerful personal computers, and cheaper software have made it possible to get law enforcement and other state agencies better data and analysis tools faster. They now have real-time access to integrated crime and geospatial data such as street maps, census data, and political boundaries.

But those changes have greatly increased the need for enterprise security, especially when systems holding sensitive data on specific crimes — including sexual assault, domestic abuse, or property theft — are suddenly made accessible via the Internet, Johnstone says.

Web- and e-mail-borne threats are the most pressing, especially as more law enforcement and public safety personnel enjoy desktop Internet access, he says.

“After about 3 a.m., a public safety dispatcher has a lot of time on their hands,” Johnstone observes. That can lead to unintended mischief, like opening infected e-mail attachments or visiting Web pages that aren’t secure, he says.

“In the past, enterprise security was not a big concern,” Johnstone says. “Our enterprise applications were behind secure firewalls and everything was done over dial-up connections. You didn’t have this ‘always-on’ stuff.”

Johnstone and his staff spend about 10 percent to 15 percent of their time patching critical systems across the various agencies that the DCJS serves, he says.

The DCJS relies heavily on its perimeter defenses, including a Cisco Systems PIX firewall, as well as network and host-based IDSes.

With a mobile workforce that frequently connects to the Department’s Microsoft Exchange e-mail server from nonsecure computers on the road, the DCJS is also relying more on VPN technology for remote access, as opposed to dial-up connections. Host and desktop anti-virus software is also increasingly used to keep infections to a minimum.

Adding to the department’s difficulties, and echoing the complaints of many respondents to the 2004 InfoWorld Security Survey, budgetary and staff constraints mean that the DCJS can’t afford labs to test patches before deployment, Johnstone says.

Johnstone says Web application security is his top concern, especially with the move to share information between agencies and initiatives such as the Global Justice XML Data Dictionary, which is backed by the U.S. Department of Justice.

“I think in our instance, we’re confident we’re going to be attacked continuously, and security is going to be a big issue,” Johnstone says.

The trick is to strike a compromise between accessibility and security, with a focus on data security and business continuity rather than total prevention, according to Johnstone.

“I’m not sure we’re ahead,” Johnstone says of the battle with malicious hackers, spam, and viruses. “I think we’re keeping up. We’re slowly battening down the hatches. When we see something leaking, we’re going to tighten screws more.”