4-page Case Study - Posted 6/13/2007

City of Sapporo

Major Japanese Municipal Government Achieves Security Compliance at Nil Cost

In 2004, the local government of the City of Sapporo, Japan, established a security policy to define and control how the city maintained its information assets. With 12,000 users working in almost 870 departments and limited enforcement resources available in the form of staff and operational procedures, policy compliance proved difficult to achieve. By implementing a Server and Domain Isolation solution based on Microsoft® Windows® Internet Protocol Security (IPsec) and Active Directory®, the City of Sapporo was able to implement cost-effective end-point authentication to dynamically segment its Windows environment into more secure and isolated logical networks, without requiring costly changes to its network infrastructure or applications. The solution has improved information security and reduced the risk of unauthorized access to confidential data on the organization’s Intranet.

Situation

The City of Sapporo is the fifth largest city in Japan, with a population of approximately 1.9 million people. The Intranet maintained by the City contains highly sensitive and confidential information about the city and its citizens. With the deployment of highly connected networks and the growth of online information assets, the local government of Sapporo was faced with new security challenges. These risks to its networked infrastructure included costly virus attacks, rogue users and devices, and unauthorized access to sensitive information. The city wanted to provide its citizens and employees with even greater access to information, but at the same time increase its network security.

Concerns about such security risks led to the introduction of a new security policy in June 2004. The City of Sapporo tightened access to its Intranet. To comply with the policy, the Community Development and City Planning Bureau at City Hall, the bureau tasked with managing the City’s Intranet, needed to implement specific security measures. These included encrypting the communication traffic handling highly confidential citizen and personal data; blocking access from any unauthorized system; and preventing data-tampering as well as restricting access only to authorized computers.

The Information Technology Promotion Department (ITPD) in the Bureau was responsible for implementing and managing the security measures in each department. However, the department was faced with a number of policy implementation issues.

The City of Sapporo has approximately 12,000 users working in nearly 870 departments within City Hall. Within a mixed IT environment, many of its servers were running Microsoft® Windows® 2000 Server and Windows Server® 2003, and the majority of the client terminals were running Microsoft® Windows® 2000 Professional SP4 and Windows® XP Professional SP2. Another issue was the lack of an integrated process for managing the IT assets of the City. The ITPD had only 59 staff, and it was difficult for them to maintain the large number of computers within each department at City Hall. In addition, the level of understanding of how to maintain the confidentiality and security of sensitive data varied among staff members.

As well as being the target of external attacks, City Hall was vulnerable to the loss of sensitive information resulting from misuse and abuse by employees, supporting staff members, or contractors. Edge devices alone, such as firewalls, offered very limited protection against such internal threats.

“The most urgent challenge was to implement a security solution controlled under an integrated safety standard throughout the organization, rather than depending on the individual discretion of our employees,” says Mr. Kazuya Kawatani, IT Promotion Section, Information Technology Promotion Department, City of Sapporo.

Solution

Microsoft, working with the City of Sapporo to address these challenges, proposed a Server and Domain Isolation solution based on Windows Internet Protocol Security (IPsec) and Active Directory®. Server and Domain Isolation enables policy-driven logical network isolation, end-to-end authenticated communications, virtually tamper-proof data integrity, and data confidentiality, all without the City having to upgrade hardware and software or re-train its users.

“By utilizing our existing Windows environment and Active Directory, the Server and Domain Isolation solution enabled us to meet security compliance effectively with no additional hardware or software costs.”
Mr. Kazuya Kawatani, IT Promotion Section, Information Technology Promotion Department, City of Sapporo

Domains were classified into four groups: IPsec Essential Group (communication permitted only after IPsec authentication); IPsec Encrypting Group (communication enforced with IPsec encryption); Boundary Group (permitted to communicate with non-IPsec hosts); and an Exemption Group (for hosts to which IPsec cannot be applied). IPsec Group Policy was then created within Active Directory, and the isolation domains were established and logically isolated from the rest of the network.

With Server and Domain Isolation, all communications between domain managed computers and servers are authenticated using IPsec, as determined by the Group Policy in Active Directory. This helps to prevent employees or rogue users from gaining unauthorized access to internal servers containing sensitive data. Furthermore, optional data encryption is enforced for more confidential communications.

Prior to the establishment of the new security policy, the City had introduced a security system that controlled computer and user groups via Active Directory and authenticated computer access. The Active Directory service provided a single sign-on capability and a central repository for information for the entire infrastructure of the organization, vastly simplifying user and computer management and providing better access to networked resources.

All computers in the Active Directory are regarded as a group of “trusted computers.” By using Domain Isolation to logically separate them from the other networks based on policy rather than network topology, any access from “un-trusted” computers is restricted, protecting the Intranet from attacks and malware.

These logical boundaries are enforced by end-point authentication policies that are created, distributed, and managed centrally using Active Directory Group Policy and existing Active Directory-based credentials. This resulted in a zero-touch deployment experience for City IT administrators and an unchanged experience for the 12,000 end-users.

The design and planning of this solution was developed after close discussion with the ITPD. Towards the end of the design stage, the Intranet maintenance vendor for the city, Sapporo Information Network Co. Ltd (SNET), became involved and reviewed the actual maintenance and operation of the network.

The City of Sapporo completed a successful pilot test of the Server and Domain Isolation solution, and prepared the deployment with the aim of completing roll out by the end of 2007. To ensure a smooth implementation, the department used a phased implementation approach to identify and solve any potential problems at an early stage. Step one involved testing IPsec policy without affecting the network, by deploying IPsec policy within a boundary group that was allowed to communicate with non-IPsec hosts.

Step two deployed IPsec authentication within a pilot segment. The actual Server and Domain Isolation solution was implemented, and communication within IPsec Essential Groups was only possible after successful IPsec authentication, while communication with any non-IPsec hosts was blocked.

Step three deployed IPsec encryption within another pilot segment. As part of this phase, IPsec authentication and encryption were applied for access to the City servers that handled highly sensitive information. Finally, after repeating steps two and three to identify and solve operational issues, IPsec authentication and encryption were deployed in all segments throughout the entire City system.
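The four-group classification and the three roll-out steps above can be expressed as a single policy-evaluation model. The following is an added example, not the City of Sapporo's or Microsoft's configuration: the group and phase names follow the case study, while the decision rules (which pairs of groups may communicate, and in what mode, at each phase) and the sample host names are this example's own assumptions. It shows why step one is safe to deploy network-wide (nothing is refused yet), why a non-IPsec host is cut off from Essential servers only from step two onward, and why encryption appears only in step three.

```python
"""Policy model of IPsec Server and Domain Isolation as described in the
case study: four isolation groups and a three-phase roll-out.

Added example, not the City of Sapporo's or Microsoft's configuration.
Group and phase names follow the case study; the decision rules below are
this example's assumptions about how such a policy is typically evaluated.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Group(Enum):
    """The four isolation groups named in the case study."""
    ESSENTIAL = "IPsec Essential"    # IPsec authentication required
    ENCRYPTING = "IPsec Encrypting"  # authentication plus ESP encryption required
    BOUNDARY = "Boundary"            # IPsec if the peer can, cleartext otherwise
    EXEMPTION = "Exemption"          # hosts that cannot do IPsec at all


class Phase(Enum):
    """The three roll-out steps: test-only, require authentication, require encryption."""
    TEST = 1      # step one: policy deployed only in boundary (request) mode
    AUTH = 2      # step two: Essential group refuses unauthenticated peers
    ENCRYPT = 3   # step three: Encrypting group additionally requires encryption


class Req(Enum):
    """What a host's effective policy demands of a connection."""
    NONE = 0      # no IPsec possible (Exemption group or unmanaged host)
    OPTIONAL = 1  # negotiate IPsec when both sides can, else accept cleartext
    AUTH = 2      # refuse anything that is not authenticated IPsec
    ENCRYPT = 3   # refuse anything that is not authenticated and encrypted


@dataclass(frozen=True)
class Host:
    name: str
    group: Optional[Group]  # None = not domain-joined: no Group Policy, no AD credential


@dataclass(frozen=True)
class Decision:
    allowed: bool
    authenticated: bool
    encrypted: bool
    reason: str


_BASE = {Group.ESSENTIAL: Req.AUTH, Group.ENCRYPTING: Req.ENCRYPT,
         Group.BOUNDARY: Req.OPTIONAL, Group.EXEMPTION: Req.NONE}


def effective(host: Host, phase: Phase) -> Req:
    """Policy a host enforces once the roll-out phase is applied (assumed phase semantics)."""
    if host.group is None:
        return Req.NONE               # rogue/unmanaged device: cannot authenticate to AD
    base = _BASE[host.group]
    if base is Req.NONE:
        return base
    if phase is Phase.TEST:
        return Req.OPTIONAL           # step one: nothing is enforced yet
    if phase is Phase.AUTH and base is Req.ENCRYPT:
        return Req.AUTH               # step two: encryption not yet switched on
    return base


def evaluate(client: Host, server: Host, phase: Phase) -> Decision:
    """Decide whether client->server traffic flows, and in what mode."""
    rc, rs = effective(client, phase), effective(server, phase)
    if rc is not Req.NONE and rs is not Req.NONE:
        # Both ends hold an AD computer credential, so IKE authenticates both;
        # the stricter side's policy decides whether the SA is encrypted (assumption).
        encrypted = Req.ENCRYPT in (rc, rs)
        return Decision(True, True, encrypted, "IPsec SA negotiated")
    # One side cannot do IPsec: the only option is cleartext.
    if rc in (Req.AUTH, Req.ENCRYPT) or rs in (Req.AUTH, Req.ENCRYPT):
        return Decision(False, False, False, "cleartext refused by isolation policy")
    return Decision(True, False, False, "cleartext accepted (boundary/exemption)")


# Constructed sample hosts (hypothetical names, not real City systems).
WORKSTATION = Host("pc-0421", Group.ESSENTIAL)
CITIZEN_DB = Host("citizen-db", Group.ENCRYPTING)
FILE_SRV = Host("file-srv", Group.ESSENTIAL)
PRINT_SRV = Host("print-srv", Group.BOUNDARY)
PRINTER = Host("floor3-printer", Group.EXEMPTION)
VISITOR = Host("visitor-laptop", None)


def matrix(phase: Phase, clients=(WORKSTATION, VISITOR, PRINTER)):
    """Map (client, server) -> Decision for each client against each sample server."""
    servers = (CITIZEN_DB, FILE_SRV, PRINT_SRV)
    return {(c.name, s.name): evaluate(c, s, phase) for c in clients for s in servers}


if __name__ == "__main__":
    for phase in Phase:
        print(f"--- {phase.name} ---")
        for (c, s), d in matrix(phase).items():
            mode = "encrypted" if d.encrypted else "authenticated" if d.authenticated else "cleartext"
            print(f"{c:>15} -> {s:<12} {'ALLOW' if d.allowed else 'BLOCK':5} {mode:13} {d.reason}")
```

Running the block prints the reachability matrix for each phase. The inquiry Mr. Oikawa mentions later (a department that "could not access the server") corresponds to the transition from the TEST phase, where a host without an Active Directory credential still reaches an Essential server in cleartext, to the AUTH phase, where the same request is refused.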

By following a phased implementation approach, potential problems in the real operational environment were identified early on. “The implementation went smoothly. We are confident that we are able to solve all problems because of the support from Microsoft and SNET,” says Mr. Haruo Oikawa, Data Management System Section, IT Promotion Section, ITPD, City of Sapporo.

By leveraging the existing Active Directory membership and Group Policy settings, everything the City needed to create a more secure isolated network was already available on its computers running Windows 2000 Professional SP4, Windows 2000 Server, Windows XP Professional, and Windows Server 2003 operating systems.

As part of a layered defense approach, Server and Domain Isolation complements other host- and network-based security technologies used by the City—including antivirus, anti-spyware, firewalls, and intrusion detection systems—to enable greater resiliency in the presence of Intranet network security threats.

Benefits

The City of Sapporo successfully implemented the first steps in an integrated procedure to effectively manage its information assets. The solution enables City Hall to improve security, enhance the value of existing applications, and reduce costs. At the same time, the solution preserves existing usability, protects confidential data, and increases confidence and flexibility in the use of information assets.

“This solution does not involve any change to the work conducted by our users. This means our staff members can continue to use the Intranet without noticing any change.”
Mr. Kazuya Kawatani, IT Promotion Section, Information Technology Promotion Department, City of Sapporo

Improves Security

By dynamically segmenting their Windows environment into more secure and isolated logical networks based on policy, the City of Sapporo improved security by creating an additional layer of protection that can be easily maintained and updated.

Enhances Value and Reduces IT Costs

The Server and Domain Isolation solution utilizes the existing investments of the City of Sapporo and eliminates the need for expensive network infrastructure upgrades or changes to existing applications.

“For a large organization such as ours, cost is the primary concern in finding an effective security solution. Therefore, it was great news that by utilizing our existing Windows environment and Active Directory, the Server and Domain Isolation solution enabled us to meet security compliance effectively with no additional costs,” says Mr. Kawatani.

Protects Confidential Data

The solution provides secure, authenticated, end-to-end network communications for the City of Sapporo. As Mr. Oikawa says, “We saw the effectiveness of the isolation safeguards even in the early stages of testing when we received an inquiry from another department saying that they could not access the server.”

Supports Existing Systems

Zero-touch deployment and an unchanged user experience means no additional end-user training is required, and there is no need for IT administrators to manually install new software during deployment. “This solution does not involve any change to the work conducted by our users. It means our staff members can continue to use the Intranet without noticing any changes,” says Mr. Kawatani.

Increases Confidence

City of Sapporo IT Managers have increased confidence, knowing that critical network communications are authenticated and occur only between known, managed computers connecting to their network. “The Server and Domain Isolation solution was the only solution that could solve all our challenges, including those relating to technology, operations, and costs,” says Mr. Kawatani. The Microsoft Windows IPsec and Active Directory-based solution allows the City of Sapporo more flexibility in making information available to employees and citizens, without sacrificing security.

Windows Server 2003

The Windows Server 2003 family helps organizations do more with less. Now you can run your IT infrastructure more efficiently, build better applications faster, and deliver the best infrastructure for enhancing user productivity. And you can do all this faster, more securely, and at lower cost. For more information about Windows Server 2003, please visit: www.microsoft.com/windowsserver2003

For more information about Server and Domain Isolation, please visit: http://www.microsoft.com/sdisolation

For More Information

For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to: http://www.microsoft.com/

For more information about the City of Sapporo, Japan, visit the Web site at: www.city.sapporo.jp/city/english/

MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published May 2007
Solution Overview

Organization Size: 12,000 employees

Organization Profile

The City of Sapporo, Japan, has a population of 1.9 million people and has 12,000 employees accessing its Intranet, which contains sensitive and confidential data about its citizens.


Business Situation

The City needed to comply with a new security policy to ensure that its information assets were not vulnerable to external and internal security attacks.


Solution

The City deployed a Server and Domain Isolation solution based on Microsoft® Windows® Internet Protocol Security (IPsec) and Active Directory®.


Benefits
  • Improves Security.
  • Enhances Value and Reduces IT Costs.
  • Protects Confidential Data.
  • Supports Existing Systems.
  • Increases Confidence.

Software and Services
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Windows Server 2003 R2
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows XP Professional
  • Microsoft Active Directory Domain Services

Vertical Industries
Government Agencies By Purpose

Country/Region
Japan