Fixing Critical Security Vulnerabilities and Complying with Industry Standards for Payment Protection

BSkyB uses the Enterprise TruRisk Platform and suite of integrated cloud solutions to secure its IT assets, safeguard customer information and streamline compliance more effectively and at lower cost.

corporate.sky.com

INDUSTRY: Publishing / Media

BUSINESS: BSkyB operates the most comprehensive multi-channel, multi-platform television service in the UK and Ireland, reaching more than 10 million households.

SCOPE: UK

SIZE: 23,000 employees

BUSINESS CHALLENGE: BSkyB needs to protect customer data and ensure Payment Card Industry Data Security Standard (PCI DSS) compliance with its acquiring banks. It must also protect its large and heterogeneous infrastructure from known and emerging vulnerabilities. Finally, as BSkyB continues to reach out to its customers over the internet, the company must protect web applications from security threats.

SOLUTION: Using the integrated solutions in the Qualys Security and Compliance Suite – including Qualys PCI Compliance, Qualys Web Application Scanning and Qualys Vulnerability Management – BSkyB is able to sustain PCI DSS compliance and protect both its infrastructure and its web applications against evolving threats, effectively and at relatively low cost.

Founded in 1989, and trading as Sky, BSkyB operates the most comprehensive multi-channel, multi-platform television service in the UK and Ireland, reaching more than 10 million households. In addition to its residential subscription services, which include telephony and broadband, BSkyB operates businesses that provide commercial, advertising, and betting and gaming services.

BSkyB has an ongoing commitment to achieving the highest possible standards in customer data protection and maintaining compliance with industry regulations. As new security threats continue to emerge, BSkyB needs to ensure that its IT infrastructure remains secure at all times.

Securing Rapid Business Growth

BSkyB has a large – and rapidly growing – infrastructure. Beyond the systems required to manage and deliver content across dozens of television channels, and those required to manage its 10 million subscribers, the organisation needs to support the rapid growth of new services such as web streaming and mobile apps.

“We want the UK viewer to have the best choice across sports and entertainment; media content is the lifeblood of the business,” says Chris Meehan, Head of Information Security, BSkyB. “As the services we offer our customers proliferate, the security challenge is constantly growing.”

With thousands of internal and external applications and systems to protect, BSkyB must maintain a clear view of configurations, access rights and system vulnerabilities – especially for payment systems. The company selected the Enterprise TruRisk Platform and its integrated suite of solutions as its strategic platform for managing security and compliance. The suite includes Qualys Vulnerability Management (VM), Qualys PCI Compliance (PCI) and Qualys Web Application Scanning (WAS), enabling BSkyB to respond quickly to security threats and compliance issues across its infrastructure.

Why BSkyB chose Qualys:

  • Compliance: Pre-built policies provide out-of-the-box support for major industry standards.
  • Flexibility: Qualys solutions are fully adaptable, enabling BSkyB to tailor scans and policies precisely.
  • Automation: The ability to automatically flag up the most urgent and important issues saves time and effort.

Focusing on the Most Critical Vulnerabilities

BSkyB uses Qualys Vulnerability Management (VM) to scan its applications, infrastructure and network. The company is currently scanning approximately 20,000 IP addresses, 100 of which are external addresses. “With Qualys VM, we can run scans, and then use the executive summary dashboard to clearly visualise the findings and adapt the information to the specific needs of different internal teams,” says Chris Meehan. “Essentially, we are slicing-and-dicing the scans for the relevant audience.”

Qualys VM helps BSkyB ensure that its broad range of operating systems – including multiple versions of Microsoft Windows and UNIX – is correctly patched and protected against vulnerabilities, and it lets the company prioritise actions to fix the most urgent vulnerabilities first.

“Qualys VM is a great help in quickly sorting the wheat from the chaff, so that we can focus our resources on the most important issues,” comments Chris Meehan. “Thanks to the automation it provides and the clarity of the information it presents, we can manage a large and complex infrastructure without needing an army of people.”

Qualys also has an extremely aggressive development cycle, providing major new releases on a six-weekly basis and updating vulnerability signatures every four hours, helping to keep BSkyB protected against emerging threats.

Protecting the Payment Infrastructure

BSkyB is working through a major four-phase strategic programme to achieve and sustain compliance with industry regulations, including Payment Card Industry Data Security Standard (PCI DSS) compliance with its acquiring banks – the financial institutions that process payments on its behalf. PCI DSS provides an actionable framework for developing a robust account data security process – including preventing, detecting and reacting to security incidents.

BSkyB uses Qualys PCI as a key tool to meet PCI DSS compliance, and it was a major factor in choosing the Qualys platform and suite of solutions. Chris Meehan recalls, “When we selected the solution, Qualys was the only PCI Council-accredited vendor, so it was the obvious choice.”

Built-in policies in Qualys PCI simplified and accelerated the deployment of the solution at BSkyB. “The Qualys policies come out of the box, but they are not set in stone, so we can adapt them to meet our individual needs,” comments Chris Meehan.

Within the Qualys VM portal, BSkyB can schedule and run regular PCI scans, then export the results into the Qualys PCI portal. It can also run ad-hoc scans directly from the latter solution. Qualys PCI enables BSkyB to promptly complete the PCI self-assessment questionnaire, and to conduct network and web-application security scans to efficiently identify and eliminate security vulnerabilities. Its auto-submission feature completes the compliance process, allowing BSkyB to easily submit compliance status to multiple acquiring banks.

“The reports we create with Qualys PCI are submitted as evidence to the QSA [Qualified Security Assessor],” says Chris Meehan. “PCI-DSS compliance is an ongoing process, rather than a one-time event, and Qualys PCI is a valuable solution for sustaining compliance at BSkyB. The integration of PCI scanning within the Enterprise TruRisk Platform gives us centralised control for the scans, saving time and effort.”

Extending Qualys to Protect Web Applications

BSkyB has also recently decided to deploy Qualys WAS, which detects and flags web-application vulnerabilities in the OWASP Top Ten, such as SQL injection, cross-site scripting (XSS) and URL redirection. The cost-effective solution scales to support a large number of web applications, while providing an intuitive user interface to simplify scanning.

“Following a pilot project last year, we saw the value in extending our application security tool-kit with Qualys WAS,” says Chris Meehan. “The key value is that it will give us an in-house capability, so that we don’t have to invest in third-party support for web application testing.”

Flexible and Automated

As BSkyB squares up to growing IT security threats, the Qualys suite of solutions helps by providing automated, policy-aware scanning that constantly evolves to protect against emerging vulnerabilities.

“Qualys PCI is an accredited solution that stays in line with the PCI-DSS requirements as they change,” comments Chris Meehan. “The other Qualys solutions included in the Qualys suite, such as Qualys VM and Qualys WAS, give us a clear view of our exposure and help us to make the right decisions at the right times.”


He concludes, “The two key benefits of the Qualys solutions are flexibility and automation. In terms of flexibility, we can run out-of-the-box scans against a number of compliance frameworks, and we can also tweak them to meet our precise needs. The automated highlighting of the most significant issues helps to reduce the number of man-hours we need to spend on maintaining compliance. As our infrastructure grows and as we build new services for our customers, the ability of the Enterprise TruRisk Platform to scale and meet our growing needs at any point in time is a powerful benefit.”