Building a Security Plan from Scratch: Kodak Alaris

Posted on March 16, 2016 by David Needle

Companies don’t often have the luxury of starting over when it comes to security, because there is usually legacy infrastructure to consider. As companies consider a move to the cloud, they're getting more flexibility, but even that typically takes a hybrid approach, moving some operations gradually off-premises while still keeping considerable infrastructure on-premises.

Kodak Alaris, however, had a chance to do something different. The company is employing a hybrid cloud strategy, but has been able to take a fresh look and essentially start over when building out its infrastructure and security. That’s because Kodak Alaris is a new company spun out on its own from parent Eastman Kodak.

I had an interesting chat about this recently with Kodak Alaris CIO John Milazzo who says “it’s been a fascinating undertaking” for the company that has operations in 35 countries and 72 locations.

The process of going independent began a few years ago, and Milazzo said his main focus was on “the big things” deciding on what network, ERP system and other big-ticket items the company was going to deploy. But in the past year, the security strategy has been more in the forefront as Kodak Alaris builds out a new security infrastructure as an independent company.

“We hired a security manager and now we’re asking the big questions, like ‘What does our security profile look like?’ And planning for disaster recovery and business continuity,” he said.

While most companies won’t have this kind of blank-slate opportunity, I do think the kind of checklist reassessment Kodak Alaris is doing can be useful to established companies. For example, Milazzo and his team concluded Kodak’s security was actually too locked down for what it needed. “Some things they do are simply too strict and even tighter than what some banks do,” he said.

Of course Milazzo says there’s a high priority on protecting data, physical hardware and risk management. Part of the assessment has included hiring a firm to do threat and vulnerability testing to see what’s needed.

“The service pokes at the system and sees what can get in. It’s basically white hat hacking,” says Milazzo.

By starting fresh, Milazzo says he’s been able to avoid the legacy scenario where it can be hard to justify the cost of moving to something new. The typical enterprise deploys over 30 distinct security products, according to industry estimates, but Milazzo wants to avoid that.

“We want the biggest bang for the buck with the fewest products,” he said. Part of that also includes leveraging partners like Microsoft and using some of the tools they offer. Kodak Alaris has a hybrid cloud strategy that includes moving apps and workloads to Microsoft’s Azure cloud, while also maintaining significant workloads on-premises. However, the company decided the spam filters for Office 365 weren’t strong enough, so it added a layer to make sure users couldn’t send or receive executable files.

As far as specific security concerns, Milazzo says malware is high on his list because it can get in via social engineering such as a phony email to an employee. “Next thing you know you’re infected and something’s crawling in your network,” he said.

As an additional line of defense Kodak Alaris purchased a product that sends out spoof email that, for example, looks like it’s from Amazon and says a package has been delivered.

“It was interesting to see the number of people who clicked through that,” says Milazzo. When that happens, they are prompted immediately to take a quick training on email security and not clicking on links from senders you can’t be sure of.

“When you hear stories like the CFO who gets an email sent in the company’s format asking for a wire transfer of funds and it’s totally bogus, that’s scary,” he said.

Mobile Security

Mobile is another area that’s had a big impact on security. “It’s a can of worms. Everyone has their own favorite device, and even the secretarial staff wants to be able to get their email on their phone. But we have to make sure that’s protected and be able to act if the device is lost or stolen,” says Milazzo.

After consulting his staff, Kodak Alaris is rethinking its BYOD policy and making some changes specific to email. Now there is password-protected software you have to log into to get to email on your phone or tablet. “It’s stronger than the 4-digit iPhone password and if you lose the phone, we’re able to eliminate the data remotely,” he says.

While this is a one-time opportunity to fully evaluate and reset security, assessment is ongoing, says Milazzo, because it’s “a more aggressive world out there and we have to anticipate new threats.”

Contributors

David Needle

,

cloud security

View More Blogs

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.