New York City Department of Information Technology and Telecommunications (DoITT) oversees the use of technology in city government operations. DoITT supports approximately 150,000 city employees spread across more than 100 agencies, offices, boards, and commissions. The agency is responsible for the management and improvement of IT infrastructure and service delivery within New York City government — from networks to mobile apps and data centers to datasets — for the city’s eight million residents.
How to Cut Costs Yet Provide Greater Security Across City Agencies?
“How do you ensure that all the city agencies have the tools and ability to adequately secure their environments and keep customers’ data safe?” asks Dan Srebnick, associate commissioner, IT security, for New York City. “And how do you do so in a way that controls cost? We couldn’t do just one or the other; we needed a way to satisfactorily answer both of these questions.”
Srebnick and his team examined current and forecasted expenditures for “baseline security” at each of the various city government organizations. “We conservatively estimated that spending for standard desktop and server protection—antivirus, antispyware, host intrusion prevention, and so on—would total $40 million over the next five years,” says Srebnick. “We knew we needed to reduce that dollar figure without sacrificing availability. We also needed to expand our tool set to protect city agencies beyond what they can afford on their own.”
Need for Greater Visibility and Control in a Highly Distributed IT Environment
In addition to cutting costs while increasing protection, DoITT hoped to centralize management of IT security, yet maintain its highly distributed, federated IT environment. “DoITT has the responsibility to keep all the city agencies secure, but that’s not possible without access or visibility into each agency’s environment,” explains Srebnick. “We wanted to gain more visibility and control as well as remove some of the security burden from individual agencies.”
Previously, a plethora of security solutions protected New York City government agencies. Approximately two-thirds of the agencies used McAfee solutions for endpoint protection—each with their own McAfee ePolicy Orchestrator (McAfee ePO) management console—but the other third used a number of different vendors’ solutions. For vulnerability management, endpoint encryption, and other areas of security functionality, silos of McAfee and non-McAfee solutions were deployed here and there.
Answer: Consolidation and Standardization with McAfee ELA
“Clearly some form of consolidation and standardization was required to reach our cost savings and IT security goals,” says Srebnick. “McAfee was the vendor of choice because of its breadth of security solutions, reputation, and our previous experience with the company.”
As a result, NYC DoITT negotiated an enterprise license agreement (ELA) with McAfee for the design, support, and deployment of an extensive and integrated endpoint, network, and data security solution for all of its agencies. McAfee solutions covered by the ELA are available to all New York City government agencies, no matter how large or small.
“By consolidating with McAfee, we conservatively estimate savings of $18 million over what we would have spent during those five years. And that doesn’t take into account the availability of new capabilities—data loss prevention, encryption, and more—that would have created demand for more spending.”
Dan Srebnick, Associate Commissioner, IT Security, New York City
Leveraging the Cloud and Deploying in Phases
A key component of the ELA is McAfee Security-as-a-Service (SaaS) available through a private cloud to all city government agencies. Phase one of deployment provides 24/7 endpoint security through the McAfee cloud. Currently, McAfee SaaS endpoint protection has been rolled out to more than 22,000 endpoints in more than half of the city’s agencies, including very large agencies such as the Department of Health and Mental Hygiene. By the end of the year, DoITT expects almost 100,000 desktops to be protected by McAfee managed services in the cloud.
Phase two, already underway, deploys McAfee Vulnerability Manager across various agencies. Once McAfee Vulnerability Manager software agents are installed, the agency must regularly scan all of its technology assets and remediate or notify the DoITT immediately whenever vulnerabilities are detected.
Next, DoITT will deploy McAfee Network Security Platform appliances and sensors to detect and prevent intrusions on the network core and McAfee Total Protection for Data, including encryption and data loss prevention. Future deployment phases will include the remaining McAfee solutions covered by the ELA, such as McAfee MOVE. McAfee MOVE will play a key role in an initiative to reduce the number of DoITT data centers from 50 to just a few. “One of the cornerstones of the data center consolidation project is replacing as much physical infrastructure with virtual infrastructure as possible, so McAfee MOVE is an essential part of our strategy,” says Srebnick.
Cost Savings Greater than $18 Million
“By consolidating with McAfee, we conservatively estimate a savings of $18 million over what we would have spent during those five years,” says Srebnick. “And that doesn’t take into account the availability of new capabilities—data loss prevention, encryption, and more—that would have created demand for more spending. We view our ELA with McAfee as paying for itself in terms of dollars as well as increased capabilities and avoidance of data breaches or other security incidents.” With consolidation and cost savings accomplished, the agency was now free to concentrate on the next initiative: central management.
Dramatically Increased Visibility and Control with Central Management
NYC DoITT is in the process of enabling one central McAfee ePO console to manage security across all 100,000 endpoints. “With central management, we finally have widespread visibility,” says Srebnick. “We have a better understanding of our assets, where they are, and how they are being used, and direct insight into the security profile of each node. We have the ability to look at security events on a city-wide, holistic basis, in a way that we never could have before.”
With help from McAfee Professional Services, DoITT is also creating a security command center (SOC) where the central McAfee ePO management console will reside. “The security command center will be the eyes and analytical brain that integrates McAfee solutions with other vendors’ solutions and our own security information management system and collects, drills down, and analyzes all our security data on a daily, real-time basis to help us stay proactive,” explains Srebnick. “This is truly a tremendous capability that we have gained through our partnership with McAfee.”
Offloading IT Security Burden from City Agencies
In addition to giving the DoITT much greater visibility, using IT security services managed in the McAfee cloud helps remove a large burden for many city agencies. “They no longer have to concern themselves with protecting their endpoints because McAfee is doing it for them,” says Srebnick. “Instead, they are freed up to focus on more productive tasks.” In the smaller city agencies, where IT personnel typically wear many hats, such freedom is especially valuable.
Former Skeptics Now Believers
“Some of the most vociferous objectors to consolidating with McAfee have become the biggest fans since implementation,” says Srebnick. “As a rule, IT folks are hesitant to give up local control, but they have to admit that moving to McAfee has helped offload mundane security tasks. The competence of the McAfee team and McAfee solutions has made believers out of the skeptics.”
Srebnick also notes that he has a real sense of satisfaction when he comes in to work on a Monday morning and sees that another large agency with 6,000 desktops has been migrated without a hitch. The head of IT at one large city agency asked Srebnick when his particular agency would be migrated from its existing, non-McAfee endpoint protection solution, only to be told that the migration had already happened; it had gone so smoothly, it went unnoticed.
Saving Taxpayer Dollars and Increasing Return on Investment
Savings through vendor consolidation is a hot topic these days, but few have consolidated to the extent that the New York City Department of IT and Telecommunications has. DoITT took the initiative and accomplished what other organizations are still just talking about. Treating dozens of city agencies as one business enterprise, DoITT took a coordinated approach that would enable it to protect all aspects of its business as efficiently and cost-effectively as possible, as well as allow its ‘functional departments’ to focus more on their core competencies—fixing potholes, keeping streets safe, working toward better public health and education, and so on.
“Consolidation and centralization with McAfee made sense from cost, security, and efficiency of delivery perspectives,” says Srebnick. “So we forged ahead. As a result, we are saving taxpayer dollars and reaping a better return on our investment.”