Beyond building houses, homebuilders faced with IT security challenges too

Just as home builders across the country install state-of-the-art security and anti-theft devices in many of the beautiful new homes they build, this consideration must extend to the personal and financial information of their homeowner customers stored on their own or their subsidiaries' servers. Because a pre-loan or mortgage application digs deeper into a person’s financial life than any other commercial form, it holds a treasure trove of information for hackers. Top 10 builder D.R. Horton found this out firsthand last year.

But that issue is only one IT security concern home builders face. To meet the demands of discerning potential buyers and invested homeowners, many builders provide a variety of online marketing value-adds including in-home options, access to warranty and maintenance databases, and other interactive and self-service promotions to best control and enhance the customer experience—all requiring independent users accessing the homebuilder’s network. And many of these are SaaS applications in which security is an additional responsibility, at times outside the enterprise's control. On top of those concerns are all the internal-facing applications, covering everything from asset management to job costing, contract/document archiving, scheduling, payroll, and much more. And on top of that there are hundreds of contractors and suppliers that also require some degree of access to the network.

Yet, it is an industry that is still smarting from a considerable and prolonged downturn. Before the 2008 crash most IT dollars were spent in support of sales and marketing initiatives and general operations. In terms of security, little was done beyond malware and virus protection and firewall/perimeter defense. Current staffing situations and the perceived cost of security haven’t helped matters, but many are recognizing something has to be done…and looking at the cloud to solve some issues.

Home builders have always looked to do more with less (what industry hasn’t?). However, considering the broad spectrum of risk and liability, compliance scrutiny and the consistent operational usage of and access to their assets, security-as-a-service is a prudent and effective way to protect the enterprise: it creates an affordable and manageable means to control the flow of information and access to it, and to monitor for threats.

Home builders have a proven business model for outsourcing. They hire plumbers, electricians, HVAC specialists and roofers for their expertise in those areas. This formula should extend to security-as-a-service. Beyond the cost-effectiveness that a cloud-based enterprise security solution provides, there is the addition of specific expertise that most builders don’t possess in-house. Part of the cloud model is that organizations gain the experience and knowledge base of security analysts. It’s easy to recognize a brute force attack on a network, but can the current IT team read between the lines? Can it see the situational context of something that may look harmless (a failed login by a homeowner), but when analyzed in conjunction with other aspects (the IP origin is in Serbia, the log-ins happen at 4am) constitutes a more serious threat requiring immediate action?

To accomplish this without the cloud would require an investment in the millions: the capital expenditures in SIEM and log management software, the necessary servers to store and process the data, the ongoing maintenance and support. On top of that there are hundreds of thousands of dollars spent on configuration, months on deployment and considerably more on personnel and ongoing maintenance. Cloud-based SIEM and log management removes all the burdens, can be deployed immediately, and reduces costs by up to 90%. It is an enterprise-class answer without the enterprise-class hardships.

Assuming that most organizations have baseline security addressed—email and spam filters, antivirus/malware detectors, and firewall protection–there are two areas in which cloud-based security options not only upgrade any existing initiative, but create the internal efficiencies (precision budgeting, on-demand scalability and 24/7/365 coverage) that allow for markedly improved performance and expanded scope.

Monitor potential threats. The foundation of all security initiatives is to create holistic visibility to recognize elements that pose danger to any part of your IT landscape. This starts with the practice of continuous monitoring. The concept is simple enough—watch all incoming traffic and determine if it is friend or foe, harmful or safe. But the practice requires automation, workflow process and correlation analysis. Considering the various endpoints, multiple applications and data centers from various locations and various systems, this means logging and analyzing thousands or millions of events per day. Most companies that practice continuous monitoring store all the system logs and review them at a later time. Whereas this might satisfy some compliance regulations, if analysis is completed even a day or two later, the potential damage is already done. The true benchmark is achieving alerts in real time.

But real time means there must be coordination and integrated collaboration among all the components of a security initiative. There must be some intelligence and process to correlate the various layers of activity and make an instant determination based on context and adaptive behavior. By centralizing all the monitored data, the speed of analysis is not only streamlined and more accurate, but a company begins to move toward automated proactive defense. Better, faster data leads to better, faster decisions and more intelligent alert triggers.

It comes down to better visibility: who is logging in? From where and when? What are they trying to access, and what is the potential security impact of the activity?

To better illustrate, consider this scenario: Your window contractor is on site and recognizes that the sliding back doors delivered are not the Energy Star approved glass needed for LEED compliance. He takes out his tablet and logs in to your ERP to check the order. He’s got the right user name and password, but the problem is his tablet is not sanctioned by IT. Whatever creepy-crawly landed on his tablet from downloading a video of a skateboarding raccoon now potentially has access to your network. Unless continuous monitoring and rule-based provisioning capture any unsanctioned activity, this may cause slowdown, data leakage, or even a breach.

However, with centralized and real-time monitoring, when the spoofed account credentials are used to log in later that night, the system recognizes that the login comes not from the tablet but from China. The system knows that the likelihood of the contractor logging in from Petaluma earlier in the day and now from Beijing is remote…so the log is flagged and an alert is created that shuts down the port and freezes the user account.
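The correlation described in this scenario can be sketched as a small detection rule. This is an added example, not code from the original article: it flags logins that imply impossible travel from a user's last trusted location and also notes unsanctioned devices. The event fields, the 900 km/h speed ceiling, the 50 km noise radius and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50.0     # assumed radius below which geo-IP jitter is ignored

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def detect(events):
    """Correlate each login with the user's last trusted login; return alerts."""
    alerts, baseline = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts, reasons = datetime.fromisoformat(ev["ts"]), []
        prev = baseline.get(ev["user"])
        if prev:
            km = haversine_km(prev[1], ev["geo"])
            hours = (ts - prev[0]).total_seconds() / 3600
            if km > MIN_KM and (hours <= 0 or km / hours > MAX_KMH):
                reasons.append("impossible_travel")
        if not ev["sanctioned_device"]:
            reasons.append("unsanctioned_device")
        if reasons:
            action = "freeze_account" if "impossible_travel" in reasons else "review"
            alerts.append({"user": ev["user"], "ts": ev["ts"],
                           "reasons": reasons, "action": action})
        if "impossible_travel" not in reasons:
            # A flagged login never moves the baseline, so it cannot poison later checks.
            baseline[ev["user"]] = (ts, ev["geo"])
    return alerts

PETALUMA, SANTA_ROSA, BEIJING = (38.2324, -122.6367), (38.4404, -122.7141), (39.9042, 116.4074)
# Constructed sample events (not real log data); timestamps are UTC.
SAMPLE_EVENTS = [
    {"user": "sales_rep", "ts": "2024-05-01T17:00:00+00:00", "geo": PETALUMA, "sanctioned_device": True},
    {"user": "sales_rep", "ts": "2024-05-01T18:00:00+00:00", "geo": SANTA_ROSA, "sanctioned_device": True},
    {"user": "window_contractor", "ts": "2024-05-01T21:00:00+00:00", "geo": PETALUMA, "sanctioned_device": False},
    {"user": "window_contractor", "ts": "2024-05-02T04:30:00+00:00", "geo": BEIJING, "sanctioned_device": False},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The afternoon tablet login raises only a review alert for the unsanctioned device, while the late-night Beijing login, 7.5 hours and roughly 9,450 km later, is the one that triggers the account freeze.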

Control User Access: Because of the wide variety of individuals who need to see certain slivers of data, homebuilders need to devise and implement a set of rules that partition their permissions…and the means to enforce and report on that access. Why would that window contractor need access to your Concur or Box account? Why would your community sales rep need to root around on your AS400 platform? By simply providing users a login and password to your network, you potentially give them access to applications and data they shouldn’t have.

Every user has a unique relationship to a company’s IT environment. This extends from employees to homeowners. Many companies use identity management to solve this issue. It creates the credential, the password authorization and provides the proverbial key to the network. Now lay on top of that the various access controls, which are typically the domain of an access management process: one that federates the appropriate applications and divvies up who, in fact, is allowed to access what sliver of data within those applications.

Again the cloud creates the cost-effective, resource-light (function-rich) strategy to apply and maintain the type of necessary control. Besides enforcing the user account rules, applying a single sign-on solution further prevents a user from seeing and accessing any unauthorized application while keeping administrative tabs on usage. For homebuilders involved in mortgages and loan facilitation, this is a cornerstone for compliance.

In this period of economic conservatism in the homebuilding industry, many of the jobs lost or fused during the recession are very slow to return. In most cases, IT is already spread very thin, but the challenges stemming from a decentralized corporate structure, expanded consumer value demand and escalating security threats continue to increase the pressure to maintain smooth day-to-day operations. In this scenario, cloud-based security creates the resource relief, cost-control and necessary protection to reduce risk profiles, increase your customer service scores and streamline your internal efficiencies.
