James Tower is a full-service Internet marketing e-commerce solutions provider with offices in North Mankato, Minnesota; Milwaukee, Wisconsin; and Omaha, Nebraska. The company offers customized and innovative business solutions—from strategy and branding and email marketing campaigns to web site design, development, and hosting—for higher education and small, medium, and Fortune 500 companies across the United States. To support Internet retailing, online recruitment, and other technology-based marketing services for its more than 300 customers, James Tower has a centralized data center in North Mankato with 400 servers and 140 desktops.
High cost to manually keep pace with compliance and business growth requirements
James Tower hosts more than 7,000 domains that receive approximately 30 billion hits annually. Many of these sites engage in e-commerce activities and collect customer credit card information. Consequently, they must comply with the Payment Card Industry Data Security Standard (PCI DSS), which requires organizations to protect cardholder data. Noncompliance with PCI DSS can result in fines of up to $100,000 per incident when cardholder data is compromised; $25,000 per incident if data has not yet been compromised.
“To keep our customer sites compliant with PCI and other security requirements, we were spending a huge amount of time and money manually auditing and applying patches to all of our hosted systems,” says John Phelps, vice president of customer relations at James Tower. “Compliance issues aside, business growth alone was making it increasingly difficult to ensure appropriate security measures across all of our systems.”
Manually keeping all 400 servers and 140 desktops up to date with security patches had become far too inefficient, inaccurate, and risky. Consequently, James Tower began searching for a solution that would audit all of the company’s systems and desktops and automatically apply new updates and security patches as needed.
Much more than automated patch management
At first, the company evaluated standard patch management tools, such as Microsoft Windows Server Update Services and features of the Red Hat Network, but these options were not cross-platform compatible, nor did they support remediation. James Tower selected McAfee Policy Auditor and McAfee Remediation Manager because they met these requirements, and more. Using software agents at each node, Policy Auditor identifies all of the company’s desktops and servers; provides a detailed inventory of managed systems and the applications, operating systems, and services running on them; and conducts a comprehensive audit of each system for compliance with predefined policies.
“Lots of tools push patches to servers and desktops, but McAfee Policy Auditor does much more than automated patch management,” says Phelps. “It enables us to structure proactive action plans around security policy and ensure that those plans are maintained.”
Consistent security measures across systems and environments
McAfee Policy Auditor and McAfee Remediation Manager enable James Tower to implement security patches consistently across all its servers, regardless of where they are in the development life cycle. “Our strategy is to test a pack of patches, then roll them out to development, beta, staging, and production servers in succession,” explains Jeff Kruger, hosting manager at James Tower. “It’s critical that we know exactly what is in these ActionPacks, as we call them, and that they are applied identically from server to server. McAfee Policy Auditor is our guarantee that no additional modifications are thrown in along the way.”
"With McAfee for policy compliance, we spend less time worrying about how to deploy security measures and more time researching and understanding what those measures should be to best protect our customers."John Phelps
Vice President, Customer Relations, James Tower
Reduced time to audit, remediate, build, and maintain servers
“Best of all, McAfee Policy Auditor performs audits in very little time,” says Kruger. “And accurate profiling with up-to-date virus information and patches means less time spent remediating security issues.” Policy Auditor’s centralized, consolidated dashboard and built-in reporting capabilities—for instance, to show which systems have received which patches—also accelerate security risk management decision making.
Furthermore, adding Policy Auditor has resulted in a dramatic decrease in the time it takes James Tower to build a new server for a customer or maintain existing servers. “Over time, our standard server build times had been increasing—more settings needed to be changed, more security holes plugged, and more software required on each system,” notes Kruger.
Thanks to the flexibility and magnitude of changes that can be remotely deployed using Policy Auditor—from system profiling to applications, settings, and service maintenance—the time to build a new server has been cut dramatically. According to Kruger, “With McAfee Remediation Manager, we can push to any system in minutes what would normally have taken hours or even days.”
Preventing network intrusions and exceeding PCI compliance
To help further secure its network and prevent malicious intrusions, James Tower also implemented McAfee Network Security Platform (formerly McAfee IntruShield® Network Intrusion Prevention System). A single rack-mountable, plug-and-play management appliance centrally manages Network Security Platform sensors and policies across the company’s network, proactively blocking attacks in real time, even on unpatched systems.
Network Security Platform’s built-in features, such as host quarantine, integrated network access control, an internal firewall, and encrypted threat protection, enable James Tower to meet and even exceed PCI DSS requirements and prevent a cardholder data breach. Rapidly shrinking malware development times mean the company’s vulnerable systems may be attacked much sooner than the one-month PCI DSS security patch release-to-deployment allotment window. Rather than risking deployment of untested patches on production servers, James Tower relies on Network Security Platform to provide a “virtual shield” that stops attacks before they ever reach the company’s vulnerable servers. This approach allows time to test and deploy recommended patches, using Policy Auditor, while remaining compliant with PCI DSS.
Proactive, layered approach to SRM
Using McAfee Policy Auditor and McAfee Remediation Manager together with McAfee Network Security Platform gives James Tower a proactive, layered approach to managing compliance and protecting its customers’ customers. “Our customers need to know that they have in us a partner that will allow them to securely sell their products online now and in the future, as they grow and their security needs change,” says Phelps. “Using McAfee security risk management solutions helps us provide that assurance. With McAfee for policy compliance, we spend less time worrying about how to deploy security measures and more time researching and understanding what those measures should be to best protect our customers.”