From the Ashes of the Phoenix
- From CIO Digest, July 2009 Issue
Recently given renewed popularity via J. K. Rowling’s Harry Potter and the Order of the Phoenix, the fifth book in the seven-part Harry Potter series, the phoenix is a mythical bird from Greek antiquity that is purported to have a 500 to 1,000 year lifecycle that culminates when both bird and nest burst into flame and are reduced to ashes. But this is not the end to the phoenix; an egg arises from the ashes and the phoenix is reborn.
When the Sands Hotel was demolished in 1995 to make room for The Venetian, and more recently The Palazzo, the foundation was laid–in an ironic way–for the rise of the phoenix. Among the ashes was Steve Vollmer, who has spent the past 13 years of his career helping the “phoenix”–the Las Vegas Sands Corporation–to rise from the ashes and to soar to the apex of its market space.
Working in IT wasn’t in Vollmer’s career plans when he completed his undergraduate degree in computer science; rather than entering the rapidly expanding and promising field of IT, he decided to become a flight instructor and corporate pilot. However, when he found that he was missing too much of the lives of his children, he took a job at the Bally’s Reno as a PC coordinator and never looked back. Indeed, he jokes that “outside of the few terrifying moments” during takeoff, landing, and unexpected turbulence, IT is much more exciting and interesting than being a pilot.
The pillars of IT success
The success of the Las Vegas Sands is closely aligned to the effectiveness of the IT department in addressing core business issues. With this always in view, Vollmer, the vice president of IT and chief technology officer, explains there are essentially three basic IT pillars on which his team focuses.
The first is the opening of new properties, which has happened at a relentless pace for the past decade. All of the IT systems, infrastructure, processes, and policies must be in place from day one. The second is the ongoing management of existing systems. “We obviously must keep our bread and butter up and running,” Vollmer notes. The final pillar is the requirement to maintain gaming licenses. Compliance reporting and enforcement play a significant role here, according to Vollmer.
Taking no chances on compliance
When the Las Vegas Sands went public in December 2004, the compliance requirements on the IT organization increased dramatically. In addition to regulations from the State of Nevada Gaming Control Board, Vollmer and his team now had to ensure compliance with the Sarbanes-Oxley Act, and compliance reporting began to consume valuable staff time. “Keeping up with all of the different tasks and responsibilities of generating reports for auditors became a time-intensive process,” remembers Michael Brunnmeier, corporate IT network manager. “We suddenly found ourselves spending more time working on compliance-related reports than our jobs, and it was time to automate the processes with the correct set of tools.”
The emergence of Payment Card Industry (PCI) standards exacerbated the situation. “We needed to know where our data resided and the policies associated with its retention,” Vollmer says. “Rapid growth in the PCI standard, which expanded from about 25 check-list questions a year or two ago to more than 250 today, created additional requirements for us. We needed tools that would help prove the location of the data and whether encryption was applied when it was in transit.”
Winning at data loss prevention
Because of the nature of its business, the Las Vegas Sands possesses information—both data at rest and in motion—that is critical to its success. “It is virtually impossible to put a number on some of the information we protect—our player database being our most important asset,” Vollmer says. “In addition to Nevada statutes, protecting customer information is simply the right thing to do, and we need to always ‘remain on our toes’.”
As they initiated a search for a data loss prevention solution, Vollmer and his team conducted a comprehensive analysis of possible technology solutions. They structured the evaluation process around a proof-of-concept bakeoff of three different technologies that included Symantec Data Loss Prevention.
At the end of the day, they found Symantec Data Loss Prevention performed the best. Specifically, it aligned with the business requirements of the Las Vegas Sands, enabling the business rather than inhibiting it. Brunnmeier explains: “One of the competing solutions locked down the endpoint and crippled end-user productivity. However, Symantec Data Loss Prevention, rather than building up a wall, allows the user to continue to do their work by following the data.” In addition, as part of the proof of concept, Brunnmeier indicates the other solutions either overlooked certain issues or had inherent limitations, whereas Symantec Data Loss Prevention “stood up to the rigors of the team’s testing.”
Having selected Symantec Data Loss Prevention, the team embarked on its implementation, though they elected to roll out the Symantec solution in increments, starting with storage systems, then the network, and eventually endpoints. “We opted to implement the solution in stages in order to ensure that we get each piece ‘right’ before moving to the next stage,” Brunnmeier notes.
The definition of policies for enforcement was a critical part of this process, which accounted for both data in motion and data at rest. Regardless, policy definition was not a finite project for the team, as there is a need to continue adding and modifying policies based on the observed behavior of users.
To address the development and ongoing evaluation of policies, the Las Vegas Sands formed a Data Council with representatives from HR, IT, legal, and corporate security. “I know most other organizations prefer to define the policies and procedures before deployment,” reports Cynthia Mayes, director of IT compliance and security at the Las Vegas Sands. “However, our chief objective was to get the solution up and running and to build a policy-and-procedural framework that adhered to all of our regulatory requirements, all while we were actively monitoring.”
Policy enforcement is a two-pronged approach for Vollmer and his team. Violation of business-critical data policies, on the one hand, results in an automatic action whereby data is encrypted or stopped in transit and notification of the violation is sent to relevant
Beyond reduced IT risk, Vollmer and his team see productivity gains occurring as a result of the data loss prevention solution implementation. Previously, one full-time employee (FTE) spent two weeks or more twice a year compiling a report for Sarbanes-Oxley auditors. Now, these reports can be generated in real time, thereby allowing Vollmer to reallocate the time that one FTE spent building reports to other more business-critical initiatives.
Finding the ace in the hole for endpoint security
At the same time Vollmer and his team tackled the business issue of data loss prevention, they also looked at endpoint security. “We were migrating away from our existing solution in the United States because of some gaps in security coverage, and we needed something quickly,” says Michael Stewart, IT operations manager. For its IT infrastructure in the People’s Republic of China (PRC), the Las Vegas Sands relied on Symantec AntiVirus for endpoint security. And when Vollmer and his team compared both solutions, they discovered the solution in the PRC—particularly after it was upgraded to Symantec Endpoint Protection—was simply more robust and caught more viruses and spyware than the other solution.
Once the decision had been made to standardize endpoint security across the company to Symantec Endpoint Protection, Stewart and his team embarked—almost in real time—on a project to migrate all remaining client endpoints and data center endpoints to Endpoint Protection. “We kicked the migration project off on a Friday, worked over the weekend with the teams from Symantec, Dell, and Xcend Group, and had the migration completed by the subsequent Thursday,” recalls Stewart. “I truly didn’t think they could do it,” Vollmer quips, “but was proven wrong. I was quite impressed at the successful execution.” With the migration in the United States complete, Endpoint Protection protects a total of 8,500 client and more than 300 data center endpoints.
While the team currently only uses the antivirus and antispyware features of Endpoint Protection, they plan to leverage application and device control in the future. “We currently have locked down all USB usage,” Vollmer explains, “but we will be able to give access to certain users who require access because of productivity requirements using the device control functionality in Endpoint Protection in conjunction with the monitoring, discovery, and enforcement capabilities of Symantec Data Loss Prevention.”
Rolling “snake eyes” in endpoint management
End user service requests were draining valuable IT resources. “We must maintain a helpdesk staff of 15 to 20 staff around the clock to manage all of the IT issues,” Stewart explains. Hence, the IT team needed a solution that would deliver optimal uptime while automating the management of helpdesk tickets. Further, the previous solution did not provide a software inventory on each endpoint device; as a result, Stewart and his team had to manually maintain a software inventory list of each endpoint on a Microsoft Excel spreadsheet.
Beyond being a time-consuming process, the approach was inaccurate and expended valuable IT helpdesk time and resources. Specifically, Vollmer and his team wanted to automate inventory management by pairing Microsoft Active Directory with each user profile. “Knowing the location of the PC, the identity of the user, and the history of issues that have occurred on that machine would streamline the IT resolution process,” Brunnmeier says. “We previously spent a lot of valuable time walking across the buildings—and all of them are large facilities—to provide support to end users.”
After a 30-day proof of concept, Vollmer and his team opted to implement Altiris Helpdesk Solution, Asset Management Solution, and Inventory Solution with the help of Symantec Partner Xcend Group. The solution also included Dell Optiplex desktops with Intel vPro Technology. “We essentially created a configuration management database with Asset Management Solution,” Stewart reports. “We can now manage the lifecycle of each endpoint; determine how long it has been on the network, in what capacity, and what resources and applications are installed on it; and verify if we need to upgrade the resources to improve its performance,” Brunnmeier adds. The endpoint management solution is currently deployed within the Las Vegas properties, though Vollmer and his team expect to roll it out across the remainder of Las Vegas Sands’ properties later this year.
The IT helpdesk is already seeing measurable results. As helpdesk staff can use Helpdesk Solution to remotely diagnose and remediate user systems, first-call resolution has improved from 75 to 85 percent, translating into improved productivity for both the helpdesk and the end user. In addition, Stewart reports substantial labor productivity gains for his helpdesk staff of 24 FTEs who no longer need to spend an average of three hours each week walking across the property to remediate end-user machines.
The next-generation endpoint management solution is delivering tangible value in other areas as well. Stewart cites a recent situation involving a software upgrade for about 185 different machines that would have required five IT technicians to spend approximately one month to complete, including valuable time walking across the facilities to retrieve machines and even travel to other locations. With Asset Management Solution, however, one technician was able to complete the upgrade remotely in a week and a half.
Never to rest on their laurels, Stewart and his team are also adding Altiris Workflow Solution, with initial workflows for software deployment and requests for hardware and application support. As these are currently manual processes, Stewart estimates the time savings resulting from the automation of both processes to be the equivalent of one FTE.
Leadership: check the egos and titles at the door
When asked to comment on his lengthy tenure at the Las Vegas Sands and the success he and his team have achieved, Vollmer immediately answers that it is the result of his “check the egos and title at the door” management approach. “We have a very close-knit IT family,” he says. “My different IT leaders and I are only as good as the team behind us. One of my mentors pointed this out to me when I became an IT director a number of years ago, and I took his advice to heart.”
And actions speak louder than words for Vollmer. The recent opening of the Sands Casino Resort in Bethlehem, Pennsylvania is a perfect example. When assistance was needed to park cars, Vollmer happily jumped in and served as a parking valet for several hours until the backlog was cleared. “He isn’t afraid to roll up his sleeves and get his hands dirty,” Brunnmeier quips. “It was merely a typical day at the office for him.”
Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

