BUSINESS: Full range of airline services, including regular passenger transportation, charter flights, and aircraft maintenance.
BUSINESS CHALLENGE: Effectively maintain a high level of IT security and PCI compliance.
OPERATIONAL CHALLENGE: Czech Airlines needed to relieve the burden of routine vulnerability management tasks, so they could focus on more complex security and strategic initiatives.
Qualys Cloud Platform
WHY THEY CHOSE QUALYS:
- Automated on-demand security and vulnerability audits.
- Qualys is extremely easy to deploy, manage, and operate.
- Highly accurate vulnerability and configuration scans.
- Certified as an ASV under the PCI DSS compliance programme.
- Insightful, actionable vulnerability reports, including detailed remedies.
Czech Airlines: Automating Compliance
This major airline sought to improve the way it manages IT vulnerabilities and its compliance to the Payment Card Industry Data Security Standard.
The Payment Card Industry Data Security Standard (PCI DSS) sets rigorous security mandates that apply to all payment card network members, merchants, and service providers — virtually any business that stores, processes, or transmits cardholder data. The mandates include having a secure network infrastructure and vulnerability management program, strong access control, regular monitoring and testing of applicable networks, as well as maintenance of an information security policy. Penalties can be substantial for those found not to be compliant.
“Qualys provides rapid, comprehensible, and consistent reporting concerning our vulnerability trends. Qualys’ accurate assessment data enables us to easily assess the effectiveness of our vulnerability remediation processes.”
Tomas Fencl, Security and Technical Architect at Czech Airlines
While the regulatory mandates are straightforward, they can place significant operational burdens on regulated companies. That’s why the objective shouldn’t be just to attain regulatory compliance, but to do so in the most effective and efficient way possible. That was the goal of Tomas Fencl, security and technical architect at Czech Airlines. While Czech Airlines was working toward PCI DSS compliance, it wanted to build a more effective way to maintain a high level of compliance and to reduce risk to its IT infrastructure.
Czech Airlines maintains satellite offices around the globe, but its Prague headquarters is where the company’s prime network and many of its crucial applications reside, in particular those that manage credit card transactions for online ticket purchases. “When it comes to IT security, our priority is the Prague network that hosts our in-house core applications on about 60 servers,” says Fencl.
To manage the risks associated with software vulnerabilities and system misconfigurations and to prove compliance, Czech Airlines had been relying on a combination of open source vulnerability assessment tools and outsourcing its PCI DSS-specific scans to an Approved Scanning Vendor (ASV). Unfortunately, relying on the ASV for quarterly scans didn’t provide the scan frequency that Fencl needed, and processing the scan assessment reports from the open source application proved awkward and time-consuming. “The reports typically came as individual HTML files. We have developed parsing tools to track changes between the scans or pick them manually,” explains Fencl. “This consumed an enormous amount of time, as someone not only had to spend a day each month to actually run and manage the scans, but then an additional day or two to filter through the results so that false positives could be eliminated and the reports properly prepared and distributed to our system administrators.”
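The scan-to-scan change tracking and false-positive filtering described above, as an added example that is not code from Czech Airlines or Qualys: two scan runs are diffed into new, fixed and persistent findings, a reviewed false-positive list is applied first, and the new findings are queued per owning team. The finding ids, hosts, severities and owner mapping are all constructed for the example.

```python
"""Added example (not from Czech Airlines or Qualys): diff two
vulnerability scan runs, drop reviewed false positives, and group
the remaining new findings per administrator team. Data is constructed."""
from collections import defaultdict

# Constructed sample findings: (host, finding id, severity 1-5).
PREVIOUS_SCAN = {
    ("web-01", "F-1001", 4), ("web-01", "F-1002", 2),
    ("db-01", "F-2001", 5), ("db-01", "F-2002", 3),
}
CURRENT_SCAN = {
    ("web-01", "F-1001", 4), ("web-01", "F-1003", 5),
    ("db-01", "F-2002", 3), ("db-01", "F-2003", 1),
}
# Findings reviewed earlier and judged not to apply to that host
# (for example a backported patch the version banner does not reveal).
FALSE_POSITIVES = {("db-01", "F-2002")}
# Which administrator team owns which host (assumed mapping).
OWNERS = {"web-01": "web-team", "db-01": "dba-team"}


def suppress(findings, false_positives):
    """Remove findings listed as known false positives for that host."""
    return {f for f in findings if (f[0], f[1]) not in false_positives}


def diff_scans(previous, current, false_positives=frozenset()):
    """Classify findings as new, fixed or persistent across two runs."""
    prev = suppress(previous, false_positives)
    curr = suppress(current, false_positives)
    return {
        "new": sorted(curr - prev),
        "fixed": sorted(prev - curr),
        "persistent": sorted(prev & curr),
    }


def tickets_by_owner(delta, owners, min_severity=3):
    """Queue new findings at or above a severity threshold per team."""
    queue = defaultdict(list)
    for host, fid, sev in delta["new"]:
        if sev >= min_severity:
            queue[owners.get(host, "unassigned")].append((host, fid, sev))
    return dict(queue)


if __name__ == "__main__":
    delta = diff_scans(PREVIOUS_SCAN, CURRENT_SCAN, FALSE_POSITIVES)
    for kind, items in delta.items():
        print(kind, items)
    print(tickets_by_owner(delta, OWNERS))
```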
As IT infrastructure grew, so did the need for sustainable risk and compliance management
“As our infrastructure grew, it became clear that we needed to be able to conduct more vulnerability scans, beyond those related to PCI-DSS, and to generate reports much more effectively,” Fencl says.
For those capabilities, and more, Czech Airlines turned to Qualys — because of its accuracy, automation, and ease of use. In addition to actionable vulnerability insight placed directly in the assessment results, the reports from Qualys also provide the information that security and business managers need about the state of compliance of their systems. Delivered as an on-demand service over the Web, Qualys makes deploying, maintaining, and updating vulnerability management servers and software problems of the past for Czech Airlines.
“Another reason we chose Qualys is because it’s not a startup, it’s a proven and very established firm in the market,” Fencl says. He adds that he also has found Qualys to be the ideal vulnerability assessment tool for the company’s mixed Windows and Unix environment.
Today, as a result of the Qualys deployment, the company is able to conduct automated scans of its external Web-facing network, part of its internal network, and all of the PCI DSS-governed systems — a rigorous and automated network assessment schedule, with different segments of the airline’s infrastructure being scanned periodically throughout each month.
“With the previous scanner, we were at the maximum capacity we could handle considering the size of our network,” says Fencl. Now, he and his team have automated scans and reporting that run smoothly — and they no longer have to spend a day, or more, each month manually parsing scan results and deleting false positives from the reports. “Qualys provides much more detail about our vulnerabilities. It’s also much more accurate, so there are many fewer false positives,” he says. “We can now manage risk more efficiently, and maintain PCI DSS compliance ourselves – all at the same external cost we used to pay before.”
Building on that success, Fencl plans to extend the number of systems evaluated by Qualys in the near future. “We’ve moved relatively aggressively in incorporating systems into Qualys evaluations, and plan to continue adding new systems as we go forward,” he says. In addition, to streamline efficiency even further, Fencl hopes to integrate Qualys assessment results with the company’s internal service desk and ticketing software. “While Qualys has helped us to manage risk and PCI DSS compliance more effectively, there’s much more we can do to continue to leverage its power,” he says.