The trouble was that Miami Beach had a centralized IT department that supported a decentralized and heterogeneous user base. With the staff and budget of a small city, Martinez had to support the entire city, everything from its fire and police departments, libraries, public works and parking, to code enforcement. Add it all up and it came to nearly 2,000 users with an equal number of endpoint devices that ranged from desktops in offices to laptops in police cruisers.
As Martinez saw it, the first thing he had to address was security. With so many users running so many disparate applications in so many varied locations, a small security hole could easily become a big problem.
“We had plenty of security layers in place already, but we needed more. What we wanted was a security profile that would lend itself to business continuity,” he said.
After Hurricanes Katrina and Rita, and going back earlier to the events of 9/11, business continuity has steadily crept higher on IT's to-do list. Most of the focus is on backup and remote disaster recovery, but what about those day-to-day interruptions?
Sasser, ILOVEYOU and Code Red were mini disasters for those hit by them. “Everyone's going to get hit with something,” Martinez said. “It's only a matter of time. We haven't suffered through anything major yet, but you never know what will happen tomorrow.”
As Martinez saw it, any interruption in computing services undermines the city's goals. “If you quantify the time spent recovering from malware, it's considerable. Lost productivity alone is significant. And then there's the lost resource of IT. We can't support users when we're recovering from an attack.”
Was there a way, he wondered, to plan for zero-day attacks just as you would for an unforeseen natural calamity?
As Martinez assessed the city's existing security and its options for upgrades, he concluded that traditional security vendors didn't measure up in terms of containment, mitigation, and continuity. They do a good job of identifying known threats and removing them once they are studied and understood, but the heuristics- and signature-based approach favored by large, traditional security companies fails to plan for the unknown.