Take control of your passwords

By on

The tight security at casinos needs to be extended to how the IT systems are used and accessed. John Sterlicchi reports on a case in point

Anyone who has seen the recent George Clooney/Brad Pitt thriller Ocean's 11 – and for that matter anyone who hasn't – knows that security must be the first order of business in the world of casinos.

Mohegan Sun, one of the nation's largest entertainment centers with nearly 11 million visitors a year, is no exception to that rule, but there are always new ways to make the operation even more secure.

For the people in charge of IT security at the casino, dining, hotel and nightlife complex, that meant investing in a product called Network Vault for Passwords, from Cyber-Ark, a company that has roots in the Israeli military security world.

Network Vault is Cyber-Ark's patented technology that enables customers to create safe havens that allow enterprises to protect and share information both over the internet between discrete enterprises, or manage critical information within a single network.

With the subset, Password Vault, Cyber-Ark provides what the company calls a "Safe Haven" within the enterprise, where administrative passwords, can be archived, transferred and shared – among IT staff, on-call administrators and local administrators in the field.

That was right on the money for Mohegan Sun, which spans some 240 acres along the Thames River in southeastern Connecticut. As webmaster Aaron Witko says: "It does away with the guy that's there in every operation, the one who knows every password."

This means no more panicking if "the guy" is unavailable when there is an emergency of some kind. Basically, passwords that were stored in people's heads are now locked away in a central repository and are available on an as-authorized basis.

"We have got 20 users who have the ability to create passwords, user names, and so on, for their specific applications as they want. This gives employees the opportunity to store both personal and work-related passwords," says network manager Gary Cherwinski. And to the relief of many, the network administrator is no longer God, he adds.

"One of the nice points about the product is that while the network administrator has the ability to provide access, you can block them from seeing your passwords, user names, documents, or whatever," he says.

Deployment is a breeze, according to Witko. The vault is actually an appliance that is deployed into the network in an area where it is not accessible to the general population.

"Once that was done, we then had to install the client that was unique to each user. That locks it down even more," he continues.

Another selling point for Mohegan Sun is the fact that Cyber-Ark is integrated with RSA Secure ID, which the organization uses.

The only slight problem Mohegan faced was with integration with Microsoft Office. While the product is integrated with Office XP, a couple of users were still using an earlier version – and there was no support for that version. Cherwinski says Cyber-Ark has promised that support will be available in a coming release very soon.

So far, Password Vault has been deployed among the networking personnel at Mohegan, but the plan is to open it up to the rest of the information systems organization and there will soon be upwards of 50 users.

With annual sales estimated at more than $1 billion, Mohegan Sun has a total of 14,000 employees and around 110 work with the IS division. Mohegan is so delighted with Password Vault, which was first installed last November, that it is going to add a second box to ensure high-availability backup and is beginning to dabble with a couple of products with similar concepts from Cyber-Ark. The company has already started to use Critical Document Vault.

"We have begun to store sensitive documentation about our network topology and configuration primarily because it gives us versioning control and we can delegate permission as to who can see what document," says Cherwinski.

The Critical Document Vault is handy because Mohegan – just like installations everywhere – had people go in and make changes to diagrams and configurations and not notify the network administrator or manager, explains Cherwinski. "Then you go in and look at the document again and it's been changed and it's not matching what you thought was there."

The Vault keeps a history of all the changes made and administrators can go back and see the document both in its original and all its changed forms. For instance, Mohegan has just added a T3 line. The original topology diagram is kept in the Vault, as is the altered version. Mohegan can select how long it wants to keep the original so that, if a mistake is made, "we can always go back and say: 'Here's what we started with and here's what it was prior to making these changes – where did we go wrong?'," says Cherwinski.

Keeping versions of source code secure is next on the agenda. Cyber-Ark has another product called Source Code Vault, and the plan is to see whether it interests Mohegan's developers, who write casino gaming-related applications, for instance.

"They are looking at specific platforms just for versioning control or their source code, and I think this might meet their model very cost-effectively," says Cherwinski.

Copyright © SC Magazine, US edition
Tags:

Most Read Articles

Log In

Username:
Password:
|  Forgot your password?