Qualys - Security On Demand
CASE STUDY: RR Donnelley®

RR Donnelley Overview

Scope: Global
Business: Commercial printing
Size: 45,000 employees worldwide; about $4.8 billion in sales during 2003
Web site: www.rrdonnelley.com

The RR Donnelley Story

Business Problem

Cost-efficiently improve distributed network security management.

Operational Hurdle

Systematic, comprehensive vulnerability assessments were thwarted by complex applications, limited staffing and distributed operations.

Solution

RR Donnelley performs global security scanning with the on demand QualysGuard Enterprise vulnerability management service and QualysGuard Intranet Scanner.

Measuring and Scoring Vulnerability Data Strengthens IP Security

RR Donnelley is a mammoth commercial printer. The company was founded in 1864 and is the largest printer in North America. It has more than 600 locations worldwide, including manufacturing sites in North and South America, Europe and China. Printing solutions include forms and labels, direct mail, financial printing, print fulfillment, business communication outsourcing, logistics, online services, digital photography, and content and database management.

The scope and scale of RR Donnelley operations rely on applications and systems running on a global IP network. In 2002, RR Donnelley launched a corporate program to improve network security. A big goal was to transform vulnerability management from being haphazard and reactive into regular, systematic evaluations of enterprise security. The operational challenge was devising a cost-effective solution for audit and remediation that would complement distributed responsibilities for global IT and security.

"Qualys helps management see how network security is getting better."

Mark Iovinelli,
Director of Technology Services, RR Donnelley

Sold on Simplicity of Self Service

RR Donnelley evaluated several solutions for assessing and fixing vulnerabilities. It sought to avoid complex infrastructure requirements of the usual software-based security applications. After a month of evaluations, RR Donnelley chose the Web-based QualysGuard on demand vulnerability management service from Qualys, Inc. Simplicity was the key selling point, according to Mark Iovinelli, Director of Technology Services in RR Donnelley Information Technology.

"We really liked the simplicity of self-service that Qualys' on demand model provides," says Iovinelli. "All other solutions required self-installation of separate scanning servers, buying a SQL license, getting the database administrator and server people involved, and other overhead. With Qualys, we just installed one appliance and turned it on."

Iovinelli says the QualysGuard solution required no training after deployment. "When we rolled it out, my conference-call presentation to remote security administrators consisted of four slides," he says. "At the end of the short call, I asked if there were any questions and there were none. The Web-based front end for QualysGuard was that simple."

The solution purchased by RR Donnelley included a QualysGuard Scanner appliance and a subscription for scanning 1,024 IP devices. Scans are done from inside the company IP network and include servers around the world. Since completing a major business acquisition in 2004, RR Donnelley has doubled the number of IPs scanned by QualysGuard to 2,048. It is adding new scanning capabilities for Europe and Asia.

Auditing Security Without Distraction

Iovinelli says that prior to QualysGuard, convincing distributed business units to do regular security audits was a chore. "The business of RR Donnelley is getting ink on paper," he says, and managers avoid anything that's seen as a distraction from accomplishing that mission. "Using Qualys was easy to sell because every business unit could immediately put the vulnerability management service to work without requiring more internal resources."

The centralized, self-service model of QualysGuard also fit RR Donnelley's global organization management style, which distributes responsibility for IT operations to each business unit. "Qualys gives each business unit the information it needs to strengthen security," says Iovinelli. "We leave the methods of fixing vulnerabilities to their own discretion."

Vulnerability Data and Competition Spur Stronger Security

RR Donnelley uses QualysGuard to scan pre-set groups of servers once a week. The day after, remote administration teams get reports online that detail vulnerabilities in their respective business units. QualysGuard ranks the vulnerabilities and includes hotlinks to patches and other resources for remediation.

The real power of RR Donnelley's vulnerability management program stems from a monthly scorecard prepared by Iovinelli's centralized security group. The top-line score is the number of outstanding severe vulnerabilities in a region or business unit divided by the number of servers scanned in that area. "Severe" vulnerabilities are those classified as Level 4 or Level 5 by QualysGuard.

"The scorecard shows the average number of high vulnerabilities per region," says Iovinelli. "We're lowering the company-wide average with continued use of QualysGuard. Being able to see numbers for all business units and regions also helps get competitive juices flowing between managers responsible for security in their domains."

While managers worldwide can compare the overall security score for their domain against others in RR Donnelley, the company restricts access for vulnerability details to managers and administrators in each respective business unit or region.
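The scorecard metric and the per-region comparison described in the last three paragraphs, as an added example that is not part of the Qualys case study or any Qualys product code. The region names, host names, finding titles and severity values are constructed sample data; the only thing taken from the text is the definition of "severe" as Level 4 or 5 and the score as severe findings divided by servers scanned.

```python
# Added illustration of the monthly scorecard the case study describes:
# outstanding Level 4/5 findings per scanned server, by region.
from collections import Counter

SEVERE_LEVELS = {4, 5}  # "severe" in the text: QualysGuard Levels 4 and 5

# Constructed sample data: every host that was scanned, keyed by region.
# A host with no findings still counts in the denominator.
SCANNED_HOSTS = {
    "NorthAmerica": ["na-web-01", "na-web-02", "na-db-01", "na-file-01"],
    "Europe": ["eu-web-01", "eu-mail-01"],
    "Asia": ["as-web-01"],
}

# Constructed sample findings, one row per (host, vulnerability).
# Titles are invented placeholders, not real Qualys detections.
FINDINGS = [
    {"host": "na-web-01", "region": "NorthAmerica", "severity": 5, "title": "placeholder-A"},
    {"host": "na-web-01", "region": "NorthAmerica", "severity": 2, "title": "placeholder-B"},
    {"host": "na-db-01", "region": "NorthAmerica", "severity": 4, "title": "placeholder-C"},
    {"host": "eu-web-01", "region": "Europe", "severity": 4, "title": "placeholder-D"},
    {"host": "eu-web-01", "region": "Europe", "severity": 5, "title": "placeholder-A"},
    {"host": "eu-mail-01", "region": "Europe", "severity": 3, "title": "placeholder-E"},
]

def severe_counts(findings):
    """Count outstanding Level 4/5 findings per region (lower levels ignored)."""
    counts = Counter()
    for f in findings:
        if f["severity"] in SEVERE_LEVELS:
            counts[f["region"]] += 1
    return counts

def scorecard(findings, scanned_hosts):
    """Return {region: severe findings per scanned server} plus an 'ALL' average.

    A region with no scanned hosts gets None rather than a misleading 0.0,
    because "no coverage" is not the same as "no severe vulnerabilities".
    """
    counts = severe_counts(findings)
    scores = {}
    for region, hosts in scanned_hosts.items():
        scores[region] = round(counts[region] / len(hosts), 2) if hosts else None
    total_hosts = sum(len(h) for h in scanned_hosts.values())
    scores["ALL"] = round(sum(counts.values()) / total_hosts, 2) if total_hosts else None
    return scores

def ranked(scores):
    """Regions ordered worst-first, the comparison managers see; 'ALL' excluded."""
    regional = {r: s for r, s in scores.items() if r != "ALL" and s is not None}
    return sorted(regional, key=lambda r: (-regional[r], r))
```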

Visualization of Security Data Quantifies Progress for Security Management

RR Donnelley's use of the security scorecard has done more to improve security than anything before, according to Iovinelli.

By comparatively using vulnerability data from QualysGuard, the scorecard helps people quantify and measure how security at RR Donnelley is improving. "Qualys helps management see how network security is getting better," says Iovinelli. He notes that most managers like to quantify the value of their teams. "We use our Qualys scorecard to quantify this value."

Iovinelli stresses the importance of motivating people to use vulnerability data to help improve security. "All this technology is second place to people. If you can motivate people to focus on security, your company will be more secure."

He says fully automating patch management and remediation is difficult, a fact that underscores the importance of getting people engaged to improve security. "Security data from QualysGuard helps us motivate people to get the job done."