Fresno, recognized as an All American City, is a full-service charter city operating under a strong mayor form of government. There are seven Council Members and an appointed city Attorney and City Clerk. The City Manager, who is appointed by the Mayor, is responsible for appointing all other department heads in 13 different departments including General Services, Police, Airports, Fire, Parks, Transportation, and Public Utilities. The City operates two airports (Fresno Yosemite International services most major cities), a bus system, and water, wastewater and solid waste utilities.
Over the years, the technology team for the City of Fresno had evolved a multi-layered security solution aligned with the local government’s overall infrastructure plans. A few months ago, the City’s finance department added a new requirement. They wanted to offer constituents the ability to make online payments for utility bills and other City services such as reserving park facilities.
Handling credit card information would potentially introduce liability risks. To prevent unauthorized access to credit card data, the City needed a payment-card industry (PCI)- compliant security solution designed to restrict access and avoid data breaches or theft.
Budget constraints made a virtual server solution the best choice for the City’s credit card payment system. “Our virtualization initiative continues to expand,” said Bryon Horn, IT manager for the City of Fresno. “It is much cheaper to spin up a virtual machine, compared to purchasing a new physical server. Our VMware ESX servers give us a cost-effective, scalable platform for new services like the online payment option for the finance department.”
The virtualized data center made it possible to cost-effectively deliver the new service, but only if IT could introduce a PCI-compliant security solution to mitigate liability issues and protect citizens’ privacy. Additionally, it was becoming cumbersome to manage security solutions from different vendors. IT needed a solution that would help them consolidate both the functionality and the number of vendors in the data center.
Prior to the PCI-compliance requirement being raised by finance, IT had been looking at introducing log monitoring and file integrity management capabilities to boost overall data center security. They found one solution that could provide all of the features that were on their wish list: Trend Micro Deep Security.
The City of Fresno was already protected by Trend Micro™ Smart Protection Suite solutions for endpoints, messaging, and Internet gateways. Powered by the Trend Micro™ Smart Protection™ Network infrastructure, these integrated solutions also gave the City the benefit of in-the-cloud reputation checking. This extra layer of protection blocked many threats even before they touched systems and networks in the City offices and sites in Fresno.
“We have had great success with our other Trend Micro solutions, and Deep Security immediately seemed like the best way for us to address PCI compliance and the other capabilities we needed—such as file integrity management and event logging—without adding another vendor,” said Jeremy Mello, network systems specialist for the City of Fresno. “Deep Security also gave us virtual patch management, which enables immediate protection from zero-day threats before system patches are available from software vendors.”
Initially, the City deployed Deep Security at its demilitarized zone (DMZ), as an Internet-facing defense. “Putting Deep Security on the systems at our DMZ is the best place for us to start—this is where we are the most exposed to the outside,” said Mello.
“We introduced PCI compliance policies and rules that protect data on the web-facing servers that are used for online payments. Later, we can phase in Deep Security to protect other servers. Deep Security integrates very smoothly into our VMware environment—‘VMware Ready’ is a nice feature and the integration with VMware also means fewer consoles for us.”
During the deployment, the City of Fresno took advantage of the PCI compliance templates provided with Deep Security. “We started with the PCI security profiles in Deep Security, and modified those to our needs,” said Mello. “That really helped a lot, since I did the deployment on my own with just phone-in support.”
“We take advantage of the deep packet inspection rules, and virtual patching,” said Bryon Horn, IT manager for the City of Fresno. “The overall deployment, while it has required that we learn a lot of features and rules, has actually given us a pretty intuitive solution. It is obvious that Trend Micro put a lot of time and effort into the design of the Deep Security console and the ability to have a unified console over virtualized and physical servers. It’s a great approach, and one of the reasons that I have full confidence in Trend Micro products.”
Today, Deep Security saves time for the City of Fresno’s IT staff. “Since deploying Deep Security, we don’t have to scramble to deal with every new vulnerability that pops up,” explained Mello. “With the rules in place, the protection is transparent and kept up to date automatically. It gives us real peace of mind that even zero-day threats are taken care of, before patches are available. Deep Security’s virtual patching also protects us from legacy vulnerabilities—those that are not patchable or that the vendor will never fix. Deep Security discovers the holes and protects us until we can replace those older systems.”
Reach out to [email protected] to get more information on Trend Micro