How MBTA keeps its network secure, manageable - the Massachusetts Bay Transportation Authority's use of Security Integration's Security Bridge security software - Product Information - Cover Story

Communications News, Feb, 1996 by Carl Cederquist

The IS philosophy of the Massachusetts Bay Transportation Authority (MBTA) can be summed up in three words: keep it simple. MBTA stayed true to its philosophy when it came to securing the financial applications that run across its network. By bringing data security under one security blanket, MBTA's mix of mainframe and application security controls was transformed into an easily managed, centralized system.

To protect MBTA information systems, which 1,500 users across the greater metropolitan Boston area can access, MBTA implemented Computer Associates' ACF2 host security to control who can access the corporate mainframes and how they can access them. But when MBTA installed Dun & Bradstreet's E Series financial software for its general ledger, purchasing and accounts receivable applications, these applications added their own internal security systems to the mix.

Not only did these different layers of security complicate each user's access capabilities, they also posed the bigger administrative headache of having to learn multiple security systems.

MBTA chose an easier alternative, deciding to centralize all its security using Security Integration's Security Bridge software. All the security functions of the D&B software were integrated into the host security system. This approach was a godsend because we already knew the ins and outs of ACF2.

Faced with a growing user base and shrinking IS resources, security can now be administered quickly from a familiar setting. The Security Bridge also provides reports, information backup and archiving on a daily basis, creating one standardized system.

In addition to centralizing security, the new security software has enabled MBTA to enhance the security capabilities of D&B's native security functions. Normally, the D&B E Series software doesn't protect a screen's inquiry and update capability. Using the new security software, information is now protected from unauthorized changes. For example, users' access to general ledger screens can be restricted, protecting sensitive budget information from mistakes and possible foul play. Or department heads can be given view-only capabilities, enabling them to look at a budget proposal but not update it, while two or three major budget organizers can have the capability to update and finalize the entire budget.

The security software also provides more granularity in implementing security. For example, purchasing can be broken down not only by type of materials ordered, but by who ordered them and whether that person is a buyer, requisitioner or approver. This level of detail is particularly useful for auditing.

MBTA's network includes an IBM mainframe, several Digital VAX mid-range computers and multiple Novell NetWare LANS. Most of the systems are connected through an enterprise wide area network. MBTA's business and financial applications run under the mainframe's CICS environment, while desktop applications, such as word processing, spreadsheets and file transfer capabilities, run over the LAN. System administration is done from an IBM PC connected to both a LAN and the WAN, using Attachmate terminal emulation software to attach to the mainframe to run multiple sessions.

In a computing structure where users have several IDs and passwords to access the applications they need, it is not uncommon to see users' computers at MBTA peppered with sticky notes containing this easy-to-forget information. While this leaves the door wide open to security breaches, it seems unreasonlable to expect users to remember numerous passwords, especially when they are forced to change them every 30 to 60 days for security purposes.

The new security software put an end to the sticky note syndrome with its single sign-on capability which bypasses multiple sign-on screens. Previously, users had to sign into the network, then into CICS, then into the D&B software. Now users sign into CICS and can go directly into D&B's software.

With improved security, MBTA ensures that all data is protected and accessed only by authorized users. By tailoring security software to meet organizational needs, MBTA now has an easier, more secure and centralized working environment.