A security breach almost always motivates a government department to re-examine its overall architecture. In other words, security professionals must decide if the status quo is good enough.
After the New Mexico Human Services Department (HSD) discovered a series of security breaches spanning several years, officials saw that wholesale changes would be of value. The department isolated its network immediately after the security breaches were found and late last year virtualized almost its entire IT environment.
The HSD also installed a management interface, called HyTrust Appliance, that works alongside the department’s virtual infrastructure to meet compliance and security goals. The software interface provides controls and detailed audit logs for all aspects of the department’s system.
Systems group supervisor Gurusimran Khalsa was hired in 2009 after the HSD discovered that hackers had repeatedly breached its child support enforcement website between 2006 and 2008. Khalsa was brought in to meet the department’s goal of 90 percent virtualization and to maintain a level of security consistent with an air-gapped system, meaning one that is isolated.
“There’s a lot of information dealing with personal health and personal information, so we definitely have an obligation to keep that secure,” Khalsa said.
Khalsa had to quickly find a control solution because there was very little virtualization in place as recently as 2009. There were initial concerns that switching to a virtual environment might create security vulnerabilities the HSD didn’t want to face again. What’s more, the department still had to meet compliance standards and reduce costs within the constraints of a tight budget.
But those concerns have largely dissipated as the department blew past its 90 percent virtualization target. “We’ve well exceeded that. We went from 15 to 16 racks of equipment to three, and one is half full,” Khalsa said of the department’s on-site infrastructure. The remaining equipment includes EMC storage and Dell servers running VMware and HyTrust Appliance.
Besides the improved security, cost savings was one of the biggest benefits of virtualization.
“That was what we sold it on, but there are so many other benefits to virtualization,” Khalsa said. With less equipment, the infrastructure is easier to manage and is more flexible and much faster to install, he said. Upkeep processes like virus scans and backups can be done on the fly without disrupting the system, he said.
HyTrust Appliance provides granular controls across a large environment, said company founder Eric Chiu. The package includes detailed audit logs, policy labels, scalability, compliance standards and automated security policies. Another feature — two-factor authentication — is a must-have for agencies such as New Mexico’s Human Services Department, Chiu said.
Khalsa said the HSD was the first department in the state to virtualize and is still the most virtualized. “We’ve tried to share that with other state departments, but there’s not a lot of cooperation and collaboration between state IT departments. It’s been mostly informal,” he said.
Still, Khalsa said there has been some discussion recently about modeling the New Mexico Human Services Department’s virtualization and security projects in at least one other state agency.