How STERIS is using Cloud Technology to Protect Web Access Presented By: Ed Pollock, CISSP-ISSMP, CISM CISO STERIS Corporation “Enabling Business”


How STERIS is using Cloud Technology to Protect Web Access

Presented By: Ed Pollock, CISSP-ISSMP, CISM
CISO
STERIS Corporation
“Enabling Business”


Overview

• A little about STERIS Corp
• Why Care?
• Challenge – Protecting Web Access
• Lessons Learned


Background

• Manufacturing company

• 3,000 internal users & 2,000 remote users

• Facilities in Americas, Europe, & Asia (60+)

• Centralized Internet access through Mentor, OH (until last year)

• Acquired 10 companies in the last 2 years

• Moving to breakouts at larger facilities

• Small IT team…very small IT Security team

[Diagram labels: Internet; New (2012), New (8/13), New (9/13), New (2014)]


Why Care

Protecting Internet Access


Why Care? - Reputation

Botnet Infections on Guest Network

Zero Issues from 3,000+ employees

Services now available to rate your security & your competition


Why Care? – Web Access Impacts Score

349 of 354 events related to protecting web access

Botnet Infections

Spam Propagation

Potentially Exploited


Why Care – if you need more reasons

Basic / 354 events Competitor

Advanced/ 2 events

• Customers starting to care about the security of their partners
• Board of Directors are starting to care
• Protecting your web access plays a major role

Core Network

Industry: Healthcare/Wellness


Challenge – Protecting Web Access


Layered Defense (2012)

• On Premise
• Centralized
• Effective (facility)
• Ineffective (remote)
• Expensive

Firewall

Intrusion Prevention System (x2)

URL Filtering/Reputation

Anti-Virus (host)

Patching/Rights Management


Evolving Layered Defense

• Looked at new solutions in 2013 to combat evolving threats
• Internet Breakouts changed my plans

Firewall

Intrusion Prevention System (x2)

URL Filtering/Reputation

Anti-Virus

Patching/Rights Management

Execution Analysis (sandboxing)

Anti-Bot (firewall)

Intrusion Prevention System (Host)

Application White Listing


Options When Internet Breakouts Meet Evolving Threats

On Premise
• Capital some expense
• Expensive to replicate same level of protection across the enterprise
• Remote users?
• Team does Policy, Reporting, & Maintaining

Cloud
• Expense vs Capital
• Minimal equipment
• Protects facility & remote users
• Team does Policy & Reporting

Hybrid
• Capital/Expense
• Standardization?
• Protects facility & remote users
• Staggered commitment


What are Cloud Solutions Providing?

IPS

Execution Analysis

Reputation

AV

Third Party Intel

Traffic Analysis

Human Analysts

Protections

Community of Millions

URL Filtering

Reporting

Policy Management

Application Control

Management

Authentication


STERIS’s Approach

• Researched vendors – technology, integration, administration, locations, cost (talk to your research service)

• Pilot Cloud solutions for facilities & remote users
• First sites going Cloud are supporting acquisitions
• Expand out to remote users (XP was a driver)
• Large sites getting Internet breakouts?
• Primary & Disaster Recovery sites???

[Timeline: Research, Pilot, Acquisitions, Remote Users, Large Sites, Primary & DR Sites; marker: Today]


Lessons Learned


Lessons Learned - Location

• Compare the vendor data center locations to your users (some sites tailor to source IP)
• Impact performance & user experience

Facility Vendor 1 Vendor 2

US (multiple)

Mexico

Canada

France

Finland

China


Lessons Learned - Speed

• Will it be slower?
• Impact performance & experience?
• Didn’t see it

Cloud Protections
• URL Filter (dynamic)
• AV
• IPS
• Sandboxing

[Diagram label: Latency?]


Lessons Learned - Compatibility

• Ran into issue that the IPS built into the VPN Client thought the Proxy Client was malicious

• Similar issue with the web filter built into the AV
• Support quickly provided a fixed client

[Diagram labels: Cloud Service, https, malicious]


Lessons Learned – Authentication

• How does the user authenticate?
  – What devices do you need to support?
  – Add a client or is it built into something already?
• Do you want the user to enter their credentials?
• Do you care if the user authenticates?
  – What’s the “value add” for authentication?
  – “best” is the enemy of “better”


Lessons Learned – Management

• Don’t assume managing the rules is the same as with on-prem devices
• An acquisition site wanted admin access to the policy
• How will you deploy & update the client for remote users? Involve your Client team.
• Reporting in the Cloud
  – Considering moving to the Cloud
  – Does it meet your log retention requirements?

• Features change quickly in the Cloud (good & bad)


Lessons Learned – Cost

• Don’t assume Cloud will cost less or more

Facility         On-Prem    Cloud 1    Cloud 2
Subscription     x          2x         3x
Proxy            $1,000     -          -
Proxy Support    $500       -          -
IPS              $1,000     -          -
IPS Support      $500       -          -
Firewall         same       same       $3,000
IT Support       same       same       same

Value Add


Security Considerations

• Logs can be sensitive
  – What companies are your acquisition teams surfing?
  – Where are your executives surfing?
• Cloud companies could be nice targets
  – Surveillance?
  – Redirect?
  – Go after the Admin
• What country does the data reside in?
• Is your organization “risk averse”?
• Good news…these are security companies that have a lot to lose


Cloud Protection at Home

• You can have the same Cloud protection at home

• Free tool
• Block by category
• Anti-virus, Intrusion Prevention, & reputation protections in the Cloud

http://www.k9webprotection.com/


Summary

• Protecting Web Access is Important
• Look for opportunities for Cloud & On-Prem solutions
• Lessons Learned
  – Location
  – Speed
  – Compatibility
  – Management
  – Cost
  – Security
• Protection at Home


Questions?

Ed Pollock