When residents of Nova Scotia, New Brunswick, Newfoundland and Labrador and Prince Edward Island buy lottery tickets, they cross their fingers and hope they’ll be the ones to beat the odds.
And while it might be the luck of the draw that turns that $2 investment into $2 million, it’s not just chance that keeps the whole system transparent and trustworthy.
For that, the Atlantic Lottery Corp., which manages the gaming business for the eastern provinces, relies on software from Tripwire, a Portland, Ore.-based vendor of configuration audit and control software.
Paul Leger, IT security delivery analyst for the Atlantic Lottery, said the organization is planning an upgrade to the recently released Tripwire Enterprise 6.0. Atlantic Lottery, which has an IT shop of 60 to 70 employees serving a staff of about 600, has been using Tripwire software for the past seven years. At the moment, the organization is using the software for network devices and for servers. Once it implements 6.0, it will run across the corporation’s databases as well.
“We started using it for change auditing but in the beginning when we first had it going we didn’t have a process,” Leger said. “That’s why it didn’t take off at first.”
Once processes and policies were put in place, the tool became invaluable in protecting against unauthorized changes and enforcing the change management process, he said.
“If you’re trying to implement change control and you don’t have a way to detect it, you’re just running blind; you’re just on the honour system,” he said. “This is a way to electrify the fence and see what’s going on and enforce the change management system.”
Leading the horses to water, so to speak, was easy enough. Getting them to drink was another thing.
“We went from a shop where we didn’t have any change management process at one point, so when you go from that scenario to an actual control change environment you still get a couple of employees who will still think the old way,” he said.
Eventually, the benefits of using the software to control changes, especially in the organization’s testing environment, became clear. For one thing, unauthorized changes can cause huge delays in the process of testing systems before they can be launched.
“It’s an evolving process, because it takes a while for a company that’s not used to it to move over,” he said. “I’d say we’re 95 per cent there now, but it has taken a couple of years to go there.”
There is also the matter of conforming to legislation, said Leger.
“We’re part of an interprovincial lottery corporation and we’re mandated by this interprovincial lottery to meet certain standards,” he said. “We have an audit every year by external auditors and they will audit us against these standards to meet compliance.”
Rob Warmack, vice-president, product marketing and communications at Tripwire, said configuration management is coming into its own both as a tool to maximize resources and meet compliance regulations.
“It’s getting recognized as a huge time and resource waster because a lot of the time spent chasing down regulations, investigating security outages, availability issues, failed provisioning and software distribution has all to do with changes that occur in the IT infrastructure unbeknownst to IT,” he said. “In most case it’s as innocuous as an administrator is pushing out a patch, it gets to a server, and doesn’t work as expected, but while they’re at the server they decide they’re going to make this other change as well. Those are all unauthorized changes, and from an operational standpoint in and of itself that one change might not have an impact, but the next time changes are pushed onto that server it could fail.”
Auditors don’t take too kindly to what the industry refers to as “configuration drift,” he said.
“They’re saying if you’ve got the ability for an administrator to come in and make any kind of change, maybe that could be fraudulent. Maybe that might be interfering with confidentiality of information; maybe it’s a security thing,” Warmack said.
Tripwire estimates organizations with low maturity in configuration management and control spend about 50 per cent of their time dealing with the consequences of drifting infrastructure.
The key, he said, is to have a tool that provides a view of the entire IT infrastructure, meaning network devices, servers, middleware, applications and directories.
New in Enterprise 6.0 is support for SQL Server 2000/2005, as well as for Enhanced Active directory, HP-UX 11i servers and network device OS updates. As well, it offers automatic filtering of change, more ITSM tool integrations and more report templates.
“Instead of having isolated audit trails and logs and these different silos, we aggregate that into one view,” he said.
As well, users can now define their own policies to define their change configuration management rules. Tripwire then reconciles the changes it discovers with those policies.
“At the simplest end it may be a maintenance window where they prescribe times during the day that are the only times changes can be administered, or maybe there’s a defined set of users that can touch this,” he said. “We can also say here are changes that were tested, we push those out and if they don’t match those tests they’re unauthorized.”