Founded in 1964, Intelsat is the worldwide leader in fixed satellite services. Intelsat delivered video signals of the first moonwalk, provides the “hot line” that connects the White House and the Kremlin, and has transmitted live TV coverage of every Olympics since 1968. On a day-to-day basis, Intelsat supplies video, data, and voice connectivity in approximately 200 countries and territories for about 1,800 customers.
Depending on business requirements, the company augments a staff of 1,000 with 250 to 500 contractors. The IT group includes 60 people, of whom seven are dedicated to Intelsat’s somewhat unique security challenges. First, the company must manage its corporate security, which includes the satellite networks that serve customers. Intelsat also offers satellite ISP services, which require a separate set of standards and service levels. Finally, the company handles work for the government, which demands a third subset of service levels and standards. “We have to secure and control a complex global environment with just seven people,” explains Vinny Duggal, Intelsat’s CISO. “So, we needed to simplify the management of our technology and partners to save time and budget. We accomplished this by standardizing on McAfee.”
A globally distributed environment complicates security efforts
Intelsat’s sales force travels the world, which means its computing environment does as well. “A global sales force definitely increases complexity,” Duggal continues. “We have to deal with many unknown applications and data files that they’re putting on their systems to make their jobs easier, as well as what they’re bringing back to the office with them in terms of potential threats.”
Even less mobile employees can introduce threats inadvertently in day-to-day activities, in spite of their intentions to deal only with trusted sources. “We’ve done a good job on border security — hardening the perimeter,” remarks Duggal. “Now with McAfee, we’re focusing on the technical management of our internal security, including all the components we need to meet our compliance obligations such as SOX, HIPAA, DoD 8500-2, and PCI at some point.”
“We examined the cost of using individual vendors to provide the level of security we require, and found that we could save 75 percent by standardizing on McAfee. That’s quite a savings.”
Vinny Duggal, Chief Information Security Officer, Intelsat
Boosting internal security with overall intrusion prevention strategy
Intelsat relies on a significant population of temporary and contract staff. It is up to Duggal’s team to ensure that guest and contractor systems plugging into Intelsat’s networks are compliant with its information security policies, and that managed devices on the network are as well. “That’s our big issue — maintaining control of that environment,” Duggal notes. “Our headquarters is in Washington, D.C., but we need to ensure that our teleports and sales offices are almost identical to that core environment. We need to know who and what is plugging into our networks and whether they’re authorized.”
Intelsat is in the initial deployment phase of the host-based McAfee Network Access Control (NAC). This will help Intelsat control and ensure IT policy compliance for its managed devices. The NAC software ensures that AV, host firewall and other security products are enabled and up to date, which is a requirement for compliance. “From a strategic standpoint, our objectives are to keep security service levels high and, at the same time, simplify and consolidate what it takes to manage those service levels,” says Duggal. “McAfee NAC really supports those objectives.”
Throughout the next year and a half, Intelsat will continue to build on the comprehensive intrusion prevention strategy. This will include the deployment of NAC appliances and add-on modules to intrusion prevention systems to help control unmanaged users around the globe. The effort will redefine the company’s IPS architecture and align it with Intelsat’s other intrusion prevention measures.
“Unmanaged device control is part of our overall intrusion prevention project,” Duggal elaborates. “The unmanaged device control capability is an add-on to the Network Security Platform appliance.”
This will be a big step forward for Intelsat. For contractors, some of whom work on proprietary flight networks, the company often supplies a computer to make sure they’re using a computing environment that meets Intelsat standards. With steady contractor turnover, that means constantly moving and reimaging PCs, which is time-consuming and expensive. McAfee NAC will automatically assess system health prior to a system gaining access to the network.
Intelsat has also deployed McAfee Vulnerability Manager (formerly McAfee Foundstone Enterprise), which constantly scans the company’s IT environment. Duggal relies on Vulnerability Manager to assess patch levels and determine which ancillary services running on servers or workstations may jeopardize the company’s compliance efforts.
“We’ve allowed Vulnerability Manager to have hooks everywhere throughout Intelsat,” Duggal comments. “We’re running scans every minute of the day on different parts of our environment — about 5,000 nodes with two appliances. Because Intelsat is so dispersed we get a snapshot twice a month of all the different Intelsat segments.”
McAfee wins the bake-off
“We’ve been a McAfee shop for a long time,” Duggal says. “We had a bake-off a couple of years ago to make sure we had the right tools in place. And McAfee proved to be the right solution for us.”
McAfee’s central management components, especially McAfee ePolicy Orchestrator (ePO), were formidable competitive differentiators for Intelsat. “ePO is one of the best systems that we’ve seen for managing distributed services through one console,” Duggal notes. “It has allowed us to gain control of the systems we have no matter where they are.”
Duggal has relied heavily on ePO’s rogue system detection to mitigate the risk of non-compliant systems without having to do on-site assessments. ePO passively monitors a network for LAN connections, quickly establishes whether they are managed by ePO, and provides a range of policy-based responses. “Rogue system detection through ePO delivers some of the benefits of NAC,” says Duggal, “which is valuable as we complete our full rollout of NAC through Intelsat. We’ve reduced costs by utilizing McAfee tools in that way.”
McAfee delivers impressive savings
In September of 2008, Intelsat engaged McAfee Professional Services to fine-tune and reconfigure the various components of its McAfee solution, which included bringing all the company’s systems under the management of ePO. Duggal estimates that by using an integrated set of products from McAfee, Intelsat’s costs are substantially less than they would be if equivalent products were purchased from individual vendors. “We have a distributed environment with a range of security priorities,” explains Duggal. “We examined the cost of using individual vendors to provide the level of security we require, and found that we could save 75 percent by standardizing on McAfee. That’s quite a savings.”
Plus, with consolidation came greater efficiency — such as eliminating the burden of training staff on multiple systems and five different vendors. “There are a lot of constraints in this environment — we can’t just go out tomorrow and hire 10 people,” concludes Duggal. “But with McAfee, I can manage the entire server system and much of network access with 1½ FTE. We’re running more cost effectively today than we were a year ago. And we’ve added functionality and increased security with NAC, Policy Auditor, and rogue system detection. Most importantly we’ve started to lay the foundation of a comprehensive NAC solution.”