Anti-virus software is missing entirely. Security patches are months behind. Spyware is alive and kicking, thanks to the electronic picture viewer that employee downloaded.
These scenarios are all too common: network configuration is a slippery slope whether a credit union has 1 or 100 machines on the network, many credit unions have told The Credit Union Journal.
In fact, compliance and security were an unforgiving "treadmill" before Ent Federal Credit Union implemented network configuration tools two years ago, according to Chris Marshall, director of Technical Services at the $2-billion CU.
"We felt that we were falling short internally, even though we felt we were meeting industry standards," said Marshall. "We wondered how we could continue at our size and growth rate with having automated configuration systems."
Ent now has a dashboard view of its network, from which technical staff can check compliance against Gramm-Leach-Bliley Act mandates and Microsoft hardening, or security, guidelines.
The dashboard, Configuresoft's Enterprise Configuration Manager (ECM), "gives us the ability, at a technology level, to validate that our processes and people are carrying out our security program," said Chad Lorenc, Ent's Information Security officer.
ECM collects data from Ent's Windows-based network of 100 servers and 250 PCs and stores it in one database.
Ent can thus see any red flags on a range of compliance matters related to assets, vulnerability, hard disc space and access, including software licensing and permission levels.
"ECM compares our security hardening templates against our Windows configuration registry to verify that the system is hardened to the expected policy level for compliance," Lorenc explained.
ECM then delivers a wealth of compliance and security patch reports, said Lorenc.
"We take a vulnerability assessment approach to security, whether we're hardening or patching our system," he continued. "The ECM reports help us assess our current risk status, and then we build a vulnerability assessment."
Out-of-line hardware and software can be automatically adjusted to meet Ent's configuration standards. Alternatively, when management collectively decides to alter the configuration, employees with the appropriate authority can make the changes across the CU, all without leaving ECM.
ECM addresses vulnerabilities by automatically finding and delivering security patches to the machines on Ent's network in conjunction with Microsoft's Software Update Service, said Joseph Masud, Ent's infrastructure administrator. Each new patch takes only a couple of hours to distribute, he said.
And by using ECM to identify sudden changes in hard disc space, Ent has been able to minimize server downtime, added Marshall.
Even with the marked improvements in configuration management, Ent is looking forward to the day when ECM is better integrated with the CU's other hardware and software environments, particularly its Cisco platform, he said.
Ent's previous manual and disparate efforts to configure, patch and monitor were cumbersome and time-consuming, Lorenc continued.
For example, Ent used Microsoft scripting to configure network components, "but there was no way to generate reports to validate the changes," Lorenc said. "Our compliance efforts were really more of a spot-check or a sampling of machines."
"And we spent hundreds of hours every year distributing software patches, which were becoming increasingly hard to keep up with," added Marshall.
Compliance grew more complicated as Ent added third-party systems and applications, while at the same time trimming down its help desk staff, he said.
Based in Colorado Springs, Colo., Configuresoft provides systems management technology.
For additional information:
* Ent FCU at www.ent.com
* Configuresoft at www.configuresoft.com