BAMA futureproofs its security environment and moves ... - NTT Security

Case Study

BAMA futureproofs its security environment and moves to a managed security services partnership with NTT Security

Business overview

As Norway’s largest private distributor of fruit and vegetables, BAMA is engaged in the wholesale trading of imported and locally-produced fresh produce in fruits, vegetables and flowers. Established in 1886, BAMA employs 2,300 people, has operating revenues of 15 billion NOK and works with 1,300 suppliers worldwide.

Business issue

BAMA takes security seriously, ever aware of the increased frequency and sophistication of potential attacks. With 1,300 suppliers based in almost every country in the world, BAMA knows that attacks can come from a wide range of sources. In 2015, the organization started a project to replace its existing firewall system as part of the company’s plans to re-establish and future-proof its security platform. A decision was made to migrate to a Palo Alto system and implementation was underway, when a key member of staff left the team. As a result, BAMA decided to temporarily halt the implementation and sought advice from NTT Security on the firewall implementation process and the underlying security infrastructure of the business. NTT Security had an existing consulting relationship with BAMA and it made good business sense to ask this incumbent partner to review security processes.

“I had a great feeling about NTT Security from the outset. We explained the situation and immediately established a great trust with the team, who quickly reassured me that they could step in to support us, identify any potential problems and suggest best practice solutions,” explained Rune Carlsen, Security Manager, BAMA.

Identifying and overcoming challenges

The NTT Security team was given access rights to the system and quickly established that, although the new firewall system was excellent, the underlying infrastructure needed some attention. The team recommended that BAMA should stop work on the implementation until all the identified problem areas had been resolved. Failure to do so would have left BAMA vulnerable to attack, and unable to maintain its security environment in the long term.

“NTT Security provided us with a comprehensive analysis report that identified key areas of concern along with a well-documented list of priorities to enable us to move on with the firewall implementation in a planned, structured and cost-effective way,” commented Rune Carlsen.

NTT Security’s key recommendation was to re-establish the Palo Alto platform project, with a new structure, well-documented rules, clear lines of responsibility, and better communication both internally and externally. NTT Security collaborated with BAMA across all aspects of the project including re-establishing five firewalls with new rules and policies; creating a dual site environment with two firewalls at each site; creating a standalone firewall for another area of the network; moving the VPN for one site from Cisco to Palo Alto and establishing a VPN platform. An additional recommendation was that BAMA should consider outsourcing some aspects of its security operations to a third party under a managed security services agreement.

The project was completed successfully, with few challenges beyond convincing the Board and the business that a company’s security infrastructure is critical to the ongoing success of the organization. Using analysis from NTT Security to make a strong case to the Board, security is now embedded into every IT project – a step change for the business.

www.nttsecurity.com

Copyright© NTT Security 2017

Managed Security Services – outsourcing the day-to-day operations

Managing the day-to-day tasks around system security can be reactive and time-consuming and often takes the IT Security team away from the strategic security projects needed to future-proof a business. BAMA was in this situation and, following the successful firewall platform project with NTT Security, decided to re-engage with the business under a managed security services agreement.

Today, NTT Security offers a round-the-clock service to BAMA to manage and maintain its IT Security systems. Daily tasks range from managing all devices on the network, handling all change requests, troubleshooting all firewall-related security incidents, managing the relationship with Palo Alto, and identifying and reporting all incident alerts. In addition, the NTT Security team manages all reporting and analysis and makes proactive recommendations relating to IT Security.

But a managed security service doesn’t mean that the client is no longer responsible for day-to-day operations – quite the opposite. The team at BAMA responds to all security alerts identified by NTT Security, and submits change requests via a portal. The key difference is that the BAMA IT Security team now has the bandwidth to focus on security strategy and not just troubleshooting.

Managed Security Services bring a number of benefits

Organizations like BAMA need the time and space to create a functioning and secure business environment and it’s easy to get sidetracked with day-to-day operations. Outsourcing to experts buys the time to work on IT strategy and gives access to both a global network of security professionals and the data they gather on behalf of customers across the globe.

“It would be impossible for us to deliver the security intelligence we get from the NTT Security team,” commented Rune Carlsen. “They can analyze everything that happens in the BAMA environment and correlate it with the trillions of lines of data they get from other customers across the globe. We’d simply never have access to that level of data and if we did, we’d never be able to analyze it ourselves.”

A managed security service means that headcount at BAMA can be adjusted to take into account the workload managed by NTT Security. “There are some aspects of the managed service that we could potentially do ourselves – such as device management,” explained Rune Carlsen, “but it would be totally impossible for us to provide the required level of service with a 24/7 analysis of all the traffic in our environment. And our service fee gives us access to a wide range of security experts at NTT Security with a broader range of skills than we have internally. There’s no doubt in my mind that a managed security service represents excellent value for money.”

You’ll get some challenges along the way

There are some undoubted benefits to outsourcing to a third party, but as with all relationships, you need to be prepared for some challenges along the way. It’s how you deal with them that marks the sign of a great relationship. For several months, the BAMA team would submit change requests to NTT Security via a ticketing system, but felt that the process was time consuming and meant they had to explain the requested change in too much detail. What they really needed was a team at NTT Security who fully understood the BAMA business environment – a team who would instinctively know what was required based on a more limited brief.

“The change request process was really the only challenge we have had in the move towards a managed service, so we approached NTT Security and explained the situation. They immediately understood the problem, quickly issued an appendix to the contract and explained how they would handle the process for change requests. It was a swift resolution to the problem and we’re delighted with the steps they have taken,” explained Rune Carlsen.

Security is firmly back on the agenda

Following the successful completion of the firewall platform project and transition to a managed security services model, BAMA has seen a number of positive changes to its security set up. All new projects must have a security process added before the project starts; security problems are now quickly identified; the organization has the tools to provide a 100 percent accurate overview of security-related KPIs; the Managed Security Service provides an enormous amount of insightful data analysis; the Board is more receptive to investing in security; BAMA is able to confidently patch and perform changes in a live environment, and the organization is now running internal security and staff training programs.

“We now have a clear focus, a strategy for security, a road map for changes and the support of the Board. We’ve achieved this in a very short time frame and it’s the support from partners like NTT Security that has made this possible for BAMA,” concluded Rune Carlsen.

About NTT Security

NTT Security seamlessly delivers cyber resilience by enabling organizations to build high-performing and effective security and risk management programs, with controls that enable the increasingly connected world and digital economy to overcome constantly changing security challenges. Through the Full Security Life Cycle, we ensure that scarce resources are used effectively by providing the right mix of integrated consulting, managed, cloud, and hybrid services – delivered by local resources and leveraging our global capabilities. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest information and communications technology (ICT) companies in the world. For more information, visit www.nttsecurity.com

To learn more about NTT Security and our unique services for information security and risk management, please speak to your account representative or visit: www.nttsecurity.com for regional contact information.
