Case #5: Re-architecting an enterprise to avoid a $30M PCI project
Business Problem: This global transportation company was paralyzed by PCI due to a long history of legacy platforms, acquisitions, flat networks, a cloud computing environment, TPF mainframe systems, thousands of undocumented firewall rules, and systems ranging from Unisys mainframes to teletype terminals in the most remote corners of the globe. IT security was never designed into the enterprise, and the impact PCI was going to have on this company was a price tag of at least $30M.
Timeframe: 10 months on-site
Budget: $5.25M
Biggest Project Risk: Putting the company in financial jeopardy at a time when the industry had been hit hard by the recession and was financially fragile with low cash reserves. A project of this magnitude could not have come at a worse time financially.
Business Solution: The PCI assessment started with 750+ findings and would climb to several thousand, so it made no sense to fix all the PCI issues identified. Instead, a future enterprise environment was designed from the ground up, incorporating not only IT security but also significant network architecture enhancements. All new firewalls, routers and switches were placed into this future environment, which complied with all the PCI requirements, and all PCI in-scope systems would become a part of it. This took thousands of systems out of scope and drove down the cost of the project by millions. The new environment leveraged the benefits of virtualization and segmented systems to limit PCI scope.
Many systems were very old, and it did not make sense to upgrade their source code because their end-of-life status made the ROI unfavorable. Instead, Web Application Firewalls were placed in front of the applications to address the plethora of vulnerability issues, which in turn fixed PCI vulnerability scanning results and satisfied penetration testing.
The PCI in-scope systems needed to be carefully migrated into the new environment during countless outage windows to slowly become PCI compliant. The project leveraged a strategy of making individual business units PCI compliant instead of waiting for the entire enterprise to become PCI compliant. The client had over 35 different business units, and it was quicker to show progress with the smaller business units while the main enterprise was being remediated.
Business Results: The PCI project was a game-changer for the company. It was the opportunity to migrate from legacy systems to modern systems to meet the ever-changing demands of the global transportation business. The project alone saved approximately $25M and put the completion date within a reasonable time period rather than years.
2012 ConnectTech, LLC All rights reserved