When the Royal College of Physicians (RCP) took the decision to entirely re-architect its web infrastructure nationally, it got a little more than it bargained for. As well as a new e-learning portal, the initial stage of the project involved enhancing its membership website so doctors taking medical examinations could enroll and pay for their exams and receive the dreaded results all from one online facility.
But the requirement for the RCP’s 21,000 members to make an online credit card payment when enrolling, forced the organisation to confront the emergent Payment Card Industry Data Security Standard (PCI DSS), the stringent compliance standard designed to protect credit card transactions and data from theft or inappropriate use.
“PCI compliance was a strict requirement from the bank, so we were caught slightly on the hop,” explains Christopher Venning, IT network manager at the RCP. “And when the revised version of PCI came out late last year, it included additional stringent requirements from the original version,” he adds.
Of particular concern for Venning, was the standard’s attention to web application security. This is addressed via a range of measures that are currently bracketed under ‘best practice’ guidelines, which are due to become mandatory in 2008. With a total of 14 websites to roll out, successfully implementing these measures was to prove no easy task, as Venning discovered.
“We needed to find a manageable way to ensure compliance, while also making sure that all of our web properties were highly secure,” says Venning. Despite assessing a number of options, however, Venning and his team could not identify an easily manageable architecture. “Any way we sliced it, we would have to manage three layers: the network firewall, web application firewall, in addition to our network devices. There would have been so much kit it would have been ridiculous and the PCI requirements of managing that kit meant it would be fairly onerous to do patching or anything else; so we wanted something that was straightforward.”
As the taxing complexity of the task became clear, Venning sought out the advice of Richard Agar, solutions consultant at network consultancy Matrix Communications, who recommended NC-1100 Application Gateway (AG). Provided by application security provider NetContinuum, the NC-1100 AG is a single appliance that combines best-in-breed application firewall technology with full-load balancing and traffic management.
An intrusion prevention solution, the application gateway profiles the web application to learn what constitutes “good behaviour”, explains Agar. “Once we understand what we would expect to see within that application, we don’t need to know that unexpected behaviour actually represents something bad: we just need to know it’s unexpected and we block it. So as new vulnerabilities are discovered within application code and exploits start to be used for those vulnerabilities, the application is already protected.”
With the implementation of an application gateway dedicated to its live web traffic, RCP’s web applications are protected from a range of threats, including buffer overflows, SQL injections, forms tampering, and cookie and session stealing, among others. Furthermore, with an additional NC-1100 appliance in place, Venning has been able to provide for a fail-over strategy, with increased redundancy and high availability. Most importantly however, all the RCP’s sites passed their independent PCI audits with a clean bill of health.