Inside the Celtics' infosecurity playbook
Though the Boston Celtics lost its latest face-off against the L.A. Lakers last month, there's no doubt the team has been on a high the last few years, winning a 17th NBA championship banner in 2008 along the way. The hot streak means more attention and, by extension, more potential threats to the organization's sensitive data.
So what's the biggest information security headache for an NBA franchise? In this Q&A, Jay Wessel, VP of technology for The Boston Celtics, gives a behind-the-scenes look at how Apple's MacBook Pro and Exchange-supported iPhone, cloud-based services and other tools changed the security landscape for an infrastructure often on the road and online.
CSO: When the team is on the road, what do you worry most about from a security standpoint? Hackers stealing playbook data?
Wessel: This might surprise you, but basketball play data is not that big a target. In the NBA almost everyone knows everything because all the scouts are a close-knit unit. There's really not much they can find on our computers about game strategy that they don't already have access to elsewhere. For me, it's the conventional business side of the house that's of most concern: the personal information, customer credit-card numbers from when they buy merchandise. The threat of hackers intercepting e-mail messages is also a big worry.
What types of e-mails cause you the most heartburn?
Wessel: Messages where trades and contract terms are being discussed between NBA officials, sponsorship proposals and contract talks. All of that goes back and forth by e-mail.
What are you doing on the technological side to mitigate the threat?
Wessel: Most of the coaching staff are traveling with Macs. We didn't switch to Macs for security purposes but because the coaching apps are a better fit for Apple machines. But the nice side-effect is that there's a lot less malware targeting Macs. Specifically, we use MacBook Pros that are anywhere from new to 2 years old. Safari and Firefox are the browsers in use.
A lot of security practitioners get pretty heated when someone suggests Apple products are more secure than Windows devices.
Wessel: I can understand that to some extent. I worry about researchers targeting Macs. I understand that as they gain popularity it's only a matter of time before hackers decide it's time to start attacking the Mac world. For some reason, though, the bad guys have continued to stay away for the most part.
Are there many iPhones being used for your business as opposed to the BlackBerry?
Wessel: There are a handful of iPhones and iPads in use. I'm pretty open if someone prefers an iPhone over a BlackBerry. It's much easier to deal with the iPhone than it is to try and fight their use. I'm not personally an iPhone guy, though a couple years ago I was a test case when the beta Exchange support for iPhone came out. We also find people who go back and forth, they have the iPhone because they love it and then a year later they decide it isn't working from a business perspective and they go back to the BlackBerry.
Describe the larger security strategy that makes it so you can allow the mix of consumer devices.
Wessel: Generally my goal on security is to centralize as much as possible so I'm not trying to work on end-user devices. The end user devices are harder because you have to get to them -- you have to arrange to meet up with the user or get the device some other way -- so central security gateways are important. Good antivirus (AV) runs on our Exchange server as well as the AV on the device level. Our approach is to focus on e-mails coming in and out. I use a cloud-based archiving, spam and AV service called Mimecast. They receive all my mail and filter it, scan for malware and archive the messages before forwarding them to the Exchange server in my infrastructure. It has simplified my internal security procedures. There are fewer false positives. I almost never have to look in the queues like I used to for wanted e-mails that get trapped in the spam filter, and. I only get user calls about e-mails caught in the filter once a month.
Does the team's success of recent years mean you're having to filter many more e-mails?
Wessel: With the Celts doing well, e-mail continues to explode. Everyone continues to communicate that way, from the coaches to everyone in between like the folks in marketing. But the numbers are still very manageable: We get hundreds of e-mails a day, not hundreds of thousands as some might think.
Obviously the organization spends a lot of time on the road. How much trouble are the hotel Internet access points?
Wessel: Hotel networks are better than they used to be but not good by any means. The Macs seem immune for now, but on all the mobile devices I run more security. It uses up more CPU but I have to do it.
How are your users when it comes to security awareness. Are they a big target for social engineering?
Wessel: Slowly, users are beginning to use their heads more. They've realized they shouldn't click on any link they come across.
You mentioned Mimecast as your tool for messaging security. Who are your other security providers?
Wessel: Trend Micro is running on the Exchange server. Trend was always my end-user security vendor but what we have on the server is relatively new for us. And while e-mail is our main concern we also have to worry about the infections users can get from Web browsing. So we use Palo Alto Networks for Web content and malware filtering.
Read more about data protection in CSOonline's Data Protection section.