GTAA gets its security strategy off the ground

TORONTO — Sometimes security can be a tough sell, even at an airport.

The latest terminal at Toronto’s Pearson International Airport will open for business on April 6, but ensuring that its security measures will stand up to scrutiny was a project that spanned more than four years of construction,

according to the man that oversaw the process.

The Greater Toronto Airports Authority‘s Gary Long is more concerned with network security than metal detectors and X-ray machines. Long, the GTAA’s general manager of information technology, said he had to convince his organization’s decision makers that the former can be just as important as the latter.

With physical security, “”because you can see it, it is something that everybody is aware of. IT security issues don’t get the same attention. It was a real eye-opener for me to see what the challenge was going to be,”” said Long, who addressed a group of IT professionals at the IT Security and Governance conference in Toronto on Thursday. “”I hate to say it, but security is still not a big issue (for management) until something breaks.””

Long is responsible for the IT portion of a $4.4-billion development that encompasses Terminal 1 as well as a move from a “”landlord model”” to an “”open standards and common use”” vision for the airport.

The work on Pearson’s Terminal 1, which is designed to replace two older terminals, started just after the Y2K crisis, said Long. Many people assumed that the hard work was over and that any potential disasters had been averted, he said. But the IT component of the terminal project involved not only security measures but a wireless network, a major upgrade of desktop and servers, and IP telephony (something new to the airport) across 1,800 hectares with dozens of buildings.

Airports are routinely full of people that don’t work for either the airport or for any of the airlines. Not just passengers but food service workers, clean-up crews, retail employees. The same is true for airports under construction, said Long. There are contractors, consultants, vendors. Where possible, they were provided Internet access outside the airport’s firewall to prevent potential security breaches. All security measures were tested first in a staging area, according to Long, before being deployed in the terminal.

Convincing management that IT security is an essential investment is not an easy proposition in any industry, according to Chris Rouland, vice-president of XForce, the R&D arm for Atlanta-based Internet Security Systems Inc.

“”One of the challenges on presenting IT security value is the fact that it’s difficult to show the return on investment,”” he said. One way to get around that is to provide numbers on the cost of an outage caused by exploited network vulnerabilities.

Rouland said he heard an alternative strategy at a recent user conference: let management spend the minimum on security, then show them the number of attacks on the corporate network as a result.

The key to getting management to recognize the importance of security is explain it to them in terms they are familiar with, said Long. “” They are not going to be particularly excited about (the technology), but if you talk to them about risk. . . . Risk can impact brand management.””

Brand management in turn affects customer satisfaction, which will have an impact on the bottom line. One reality that has brought attention to security issues is the Sarbanes-Oxley Act, said Long. The 2002 act is designed to curb corporate reporting fraud in American companies. Canadian companies that are listed on any U.S. stock exchanges also have to comply.

A basic guiding principal behind the terminal’s IT infrastructure was to use only name vendors that are based in North America, said Long — no start-ups, no companies that could conceivably go out of business and no longer be able to provide support.

Last year, the GTAA said it has chosen HP Canada to install a wireless infrastructure in Terminal 1. Wireless access will be limited to official airport applications like baggage handling for now, but the airport is trying to determine how it can safely deploy a WiFi network for passengers, according to Long.

Comment: info@itbusiness.ca

Share on LinkedIn Share with Google+