Project Examples

CSS recognizes the importance of managing security knowledge—that is, creating, capturing, and disseminating ideas, experience, and methodologies. We carefully scrub this knowledge to remove client-confidential information while preserving essential lessons learned. The following projects demonstrate how CSS has enabled our clients to accomplish precise business objectives and help to illustrate how we can provide similar benefits to your organization.

Identity and Access Mgmt

Financial Services
Client
US Insurance Company

Fortune 500
Over 35,000 Employees
Over 30,000 independent Agents & Brokers
Over 10 million auto insurance policies issued
Description
The client needed to deploy a Public Key Infrastructure (PKI) environment to support secure business transactions with consumers via the intranet. CSS designed and deployed a PKI to meet their requirements. During the course of the engagement, CSS also made several extranet security improvements, including SSL hardening (against man-in-the-middle attacks), web-based authentication, and physical access and information systems identification backed by LDAP authorization services, which required Kerberos integration across the enterprise.
Client
Global Financial Service Company

Fortune 50
Assets of $1.5 trillion
Operations in 50 countries
Investment & Private banking, Securities & Treasury Services
Description
The client required an enterprise-wide security infrastructure to protect trading operations for 15,000 users in the investment and securities divisions. CSS researched and analyzed a multitude of potential solutions, matching each solution against the business requirements. After a comprehensive study, CSS architected a secure systems framework, deploying 70 security servers (KDCs) worldwide over four continents, supporting Solaris, HP/UX, AIX, and Windows platforms.
Manufacturing
Client
Global Automotive Manufacturer

Global Fortune 50
Over 300 Consolidated subsidiaries worldwide
Over 140,000 employees
Description
The client required automated notification of user account expirations for over 300 business-critical applications. Microsoft Active Directory (AD) was leveraged as the central authentication and authorization repository for user applications. The solution required extracting user account expiration information from Active Directory and placing it in a location that could be queried. Microsoft Identity Integration Server (MIIS) was selected and deployed. Using the MIIS Metaverse, the relevant attributes were extracted from AD and from each application and placed into a SQL table for reporting.
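The pipeline in this engagement has three steps: read the raw expiration attribute out of the directory, normalize it into something a reporting tool can reason about, and place it in a SQL table that can be queried for accounts due a notice. The following is an added example, not CSS's code or the MIIS deployment itself: it converts Active Directory's `accountExpires` values (a Windows FILETIME, with 0 and 0x7FFFFFFFFFFFFFFF both meaning "never expires") into a report, loads it into SQLite as a stand-in for the SQL table, and lists the accounts that need a notification. The records are constructed sample data, and the `application` field is an assumed mapping, not an AD attribute.

```python
"""
Added example, not code from CSS or from the MIIS deployment described above:
convert raw Active Directory accountExpires values into an expiration report,
load it into a queryable SQL table (SQLite stands in for SQL Server here), and
list the accounts that need an expiration notice.

The records below are constructed sample data, not real directory output; the
application-to-account mapping is an assumed field, not an AD attribute.
"""
import sqlite3
from datetime import datetime, timedelta, timezone

# AD stores accountExpires as a Windows FILETIME: the number of 100-nanosecond
# intervals since 1601-01-01 UTC. Both 0 and 0x7FFFFFFFFFFFFFFF mean "never expires".
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = {0, 0x7FFFFFFFFFFFFFFF}


def filetime_to_datetime(value):
    """Return a UTC datetime, or None when the account never expires."""
    value = int(value)
    if value in NEVER_EXPIRES:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the sample records."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def classify(expires, now, warn_days=14):
    """Bucket an expiration timestamp relative to 'now'."""
    if expires is None:
        return "never"
    if expires <= now:
        return "expired"
    if expires - now <= timedelta(days=warn_days):
        return "expiring"
    return "active"


def build_report(records, now, warn_days=14):
    """Flatten directory records into rows suitable for a reporting table."""
    rows = []
    for rec in records:
        expires = filetime_to_datetime(rec["accountExpires"])
        rows.append({
            "sAMAccountName": rec["sAMAccountName"],
            "application": rec["application"],
            "expires": expires.isoformat() if expires else None,
            "status": classify(expires, now, warn_days),
        })
    return rows


def load_into_sqlite(rows):
    """Place the report in a SQL table so other tools can query it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account_expiry "
                 "(sam TEXT, application TEXT, expires TEXT, status TEXT)")
    conn.executemany(
        "INSERT INTO account_expiry VALUES (?, ?, ?, ?)",
        [(r["sAMAccountName"], r["application"], r["expires"], r["status"]) for r in rows],
    )
    conn.commit()
    return conn


def accounts_to_notify(conn):
    """Accounts whose owners should be told to renew or clean up."""
    cur = conn.execute("SELECT sam, application, status FROM account_expiry "
                       "WHERE status IN ('expiring', 'expired') ORDER BY sam")
    return cur.fetchall()


# --- constructed sample input (not real directory data) ---
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "contractor01", "application": "PLM",
     "accountExpires": str(datetime_to_filetime(NOW + timedelta(days=5)))},
    {"sAMAccountName": "vendor02", "application": "EDI",
     "accountExpires": str(datetime_to_filetime(NOW - timedelta(days=1)))},
    {"sAMAccountName": "svc_report", "application": "BI",
     "accountExpires": "0"},                        # never expires
    {"sAMAccountName": "jdoe", "application": "PLM",
     "accountExpires": "9223372036854775807"},      # never expires
    {"sAMAccountName": "intern03", "application": "HR",
     "accountExpires": str(datetime_to_filetime(NOW + timedelta(days=90)))},
]


def run_sample():
    """Report rows plus the notification list for the constructed records."""
    rows = build_report(SAMPLE_RECORDS, NOW)
    conn = load_into_sqlite(rows)
    try:
        return rows, accounts_to_notify(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    report, notify = run_sample()
    for row in report:
        print(row)
    print("notify:", notify)
```

The "never expires" sentinels are the part most often missed in home-grown reports: a naive conversion turns 0 into the year 1601 and flags every service account as long expired, which is exactly the kind of inaccurate data that has to be scrubbed before any notification process can be trusted.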
Client
Global Automotive Supplier

Over $25 billion in revenue
171,000 employees
Operates in 36 countries
Over 150 manufacturing sites
Description
Due to compliance requirements, the client needed to replace their existing Public Key Infrastructure (PKI) and build a global enterprise-wide PKI that would meet both the business requirements of today and address their future needs. CSS segmented the PKI into two components, one publicly facing and one for internal applications. Segmenting the PKI allowed the client to use the Microsoft Certification Authority (CA) for the internal component, which produced significant cost savings. The internal PKI segment enabled the client to operate the Encrypting File System (EFS) on desktop and laptop computers for 60,000 users in over 30 different countries.
Telecommunications
Client
Global Telecom Company

301,840 employees
Over $100 billion in revenue
Over 60 million wireless customers
One of the largest network backbones in the world
Description
The client had a very large development team made up of several groups writing applications for various network-based operations; each group had a custom approach to application security. The applications spanned diverse requirements:

UNIX and Windows workstations
Authentication and encryption strengths
Diverse development technologies
Client/server and web applications
Their custom approach led to unnecessary administration overhead. Policy and password management were ineffective and costly. Subject to the security policy of each department, users were setting their passwords to the lowest common denominator. Users needed to remember multiple passwords and thus tended to write them down. Each department used a different security infrastructure. Many point solutions, poorly integrated with one another, had been deployed. The primary driver for a cohesive security infrastructure was password change management.

CSS architected an authentication system that centralized user registration and administration to one primary security server with several secondary security servers. Disparate security mechanisms (point solutions) were reduced or eliminated. The company now has a consistent security policy control vehicle throughout the company.

Our consultants provided development and integration expertise. The security toolkits allowed for authentication and encryption of sensitive data throughout the company's heterogeneous network for client/server and web-based applications. These APIs are now available to the company's geographically dispersed intranet development community.

The solution improved the company's security posture while lowering administration and technology costs. The new single application security toolkit allowed the company to secure its wide base of applications. Now, developers need only one interface to secure applications across the entire company, improving productivity and consistency. The new best-of-breed approach includes industry-standard authentication and encryption technologies.

Custom application methods were reduced significantly. This decreased maintenance costs and reduced delivery times. The use of point solutions was reduced, freeing up capital. The solution's increased flexibility allowed the application infrastructure group to be more responsive.

Registration and password management became streamlined across subnets and diverse applications. Helpdesk costs were reduced significantly, allowing resources to be applied to other areas.
Client
Wireless Telecom Company

Fortune 200
International wireless phone service provider
20 mm+ subscribers
Description
The client required application security integration for an enterprise CRM and needed to allow for secure B2C communication. The engagement required CSS to consolidate directory services and also to allow for cross-platform authentication. CSS designed a cross-platform authentication system utilizing a GSSAPI (Kerberos) interface connecting HP/UX 10-11, NeXTSTEP, Mac, and Windows 3.11, 95, and 2000 platforms. CSS deployed nine security servers (KDCs) across the country.

App and Platform Security

Manufacturing
Client
Automotive Equipment Manufacturer

Fortune 500
Over $12 billion in revenue
61,000 employees
Operates in 125 countries
Description
The client was faced with creating an infrastructure design that would enable them to identify the services that support key business systems and then, having identified those systems, apply targeted information security improvements to the environment comprising each "business system", commensurate with that system's importance to the enterprise. CSS assisted the customer in the creation of business-system-centric security zones.

The client was also faced with management and security of a diverse mobile workforce. CSS assisted the customer in efforts to design and implement improvements to remote systems management, and workstation security.
Client
Automotive Equipment Manufacturer

Over $9 billion in revenue
Over 57,000 employees
Operates in 46 countries
8,000 distributors
Description
The customer wished to improve overall systems security and required a well-grounded and engineered authentication and authorization directory. CSS designed and implemented a secure enterprise-wide Windows 2003 Active Directory environment. In addition, they required an automated systems management tool to manage their client/server environment, inventory machines, and manage software updates. CSS thoroughly assessed their environment and designed a solution incorporating Microsoft Systems Management Server (SMS). The deployment was a tremendous success.
Retail
Client
Large US-Based Retailer

29,000 employees
Over $15 billion in revenue
Over 400 retail stores
Operate 137 factories around the world
Description
The customer was interested in improving overall security by creating business-system-centric security zones, each of which could be managed as a unit and represent a single, well-managed and monitored attack surface. CSS assisted the customer in arriving at a design that met their business and technical requirements.
Financial Services
Client
Regional Bank

Over $17 billion in assets
Leader in online mortgage origination processing
Over $18 billion annually in new mortgages
Top 20 US mortgage lenders
Description
The client needed a complete overhaul of IT infrastructure and needed help determining a course of action that was consistent with their business requirements and would allow their IT professionals to learn new skills over the course of the engagement. CSS developed a plan for an application and infrastructure migration from NT4 to Windows 2003, making Active Directory the directory of record for the enterprise. The client praised CSS for a flawless migration, but was most impressed with the attention that CSS paid to knowledge transfer and to educating the entire team on how to operate the new system.

Security Performance Mgmt

Telecommunications
Client
Global Telecom Company

Over 8,500 employees
Operating revenue over 1.1 trillion yen
Headquarters: Japan
Domestic and international services
Description
The client's goal was to create a competitive advantage using information security to promote, differentiate and strengthen the client's brand and their position of trust in the market. The client had already spent significant time and effort using conventional compliance and assessment-based approaches. While those efforts produced very good security, they did not generate sufficient organizational motivation and innovation.

A very different approach was called for, and CSS answered that call. In a very short period of time, CSS developed a strategy based on the client's culture, capabilities and objectives. The initial objective was to embed information security improvement in the organization's DNA, then leverage that capability, and the resulting improvements, into market expansion and stronger branding. The foundation of the strategy was the application of quality management disciplines and techniques to information security management (the genesis of Security as a Dimension of Quality™).

While the client was intimately familiar with quality management disciplines, the application to information security on a large scale had never been attempted by any organization. These were untested waters, and not for the faint of heart. As with any company serious about quality, a significant and long-term commitment of the entire organization was required. But history made it clear that a commitment to quality paid, so the path was set, and we quickly moved from strategy and concept to execution. Over several years, CSS helped refine the concepts, articulate and promote the strategy, and develop and test the supporting elements. Execution rested on three major reinforcing pillars: participation, continuous incremental improvement, and market expansion.

Participation was centered around small teams, ultimately involving virtually every employee. Each team, aided by advisors and mentors, was responsible for identifying opportunities for security improvement, developing improvement plans, metrics, measurements and reporting to gauge progress, and executing their plan (the origin of Security Kaizen™). It quickly became clear that there was a wealth of untapped skill and knowledge, and programs were instituted to recognize and promote exceptional efforts. The result was greater interest and motivation across the entire organization, increased innovation, and gains in operational efficiencies.

Efficiency gains strengthened the client's competitive position, while innovation strengthened the client's leadership position and stature. Both led to the expansion of existing lines of business, the development of new lines of business, and revenue growth. The benefits of the program continue to help promote, differentiate and strengthen the client's brand as a mark of trust.
Client
Global Telecom Company

301,840 employees
Over $100 billion in revenue
Over 60 million wireless customers
One of the largest network backbones in the world
Description
The client's objective was to leverage their recent SOX compliance effort to improve the efficiency and effectiveness of IT security processes in order to support key company objectives, and to "operationalize" compliance by integrating it with day-to-day process management activities. While the SOX compliance effort had produced a great deal of documentation, there was no performance management system in place to measure and analyze process efficiency and effectiveness, and very little objective data on which to base process improvement decisions.

The focus of the project was vulnerability management and remediation processes. The primary objective of the project was to improve the operational efficiency and effectiveness of those processes by designing, developing and implementing a process performance management system, including metrics and measurements, and dashboards for graphically representing process performance. The underlying theme was Security as a Dimension of Quality™ using tools and techniques CSS has developed as part of Security Kaizen™.

A significant part of the project was the design and development of the dashboards and the supporting metrics and measurements. Several dashboards were developed and deployed, each targeted at a different stakeholder group. The primary stakeholders were executive management, operations management, and process owners and operators. The initial development proceeded top-down, with subsequent iterations to rapidly converge on an acceptable design based on stakeholder desires and technical feasibility.

A critical part of dashboard and metrics design was stakeholder input: what questions do they want answered, and how will they use the information? Gathering and analyzing that "voice of the customer" in order to answer those questions was a key driver. Another critical part of the development effort involved ensuring that the data necessary to answer those questions was available and accurate. As the team discovered, much of the previous reporting was based on data that was readily available rather than the data that was needed, and retrofitting an ill-designed process to collect the needed data can be very expensive.

The data analysis effort identified numerous potential improvements, both within the processes that were the focus of the project and in upstream and downstream processes, many of which crossed organizational boundaries. Of note, one of the earliest and most important improvement efforts was the scrubbing of inaccurate data that hindered initial analysis. Beyond the obvious opportunities for performance improvement, that cross-functional perspective helped to focus and align discussion and decision-making across management boundaries, break down organizational silos, and reduce the risk of sub-optimization.