Case Study: Mohegan Sun and the Future of Data Security
Automating Security
To the customer, Mohegan Sun seems like a pretty tech-forward kind of place. Player's Club cards can be read electronically by every machine and gaming table in the joint, each with its own card slot, and points and rewards can easily be checked via the Web by players who opt into the system. And although the customer doesn't see it, the database holding that information is kept secure in the process; users see a copy of their file that is pushed outside the company's firewall, not the original file housed in the casino's core systems.
Inside the IT shop, though, Garrow and his staff are playing catch-up as the small group of vendors serving the relatively small casino industry (a list that includes Bally Technologies Inc., International Game Technology and Aristocrat Technologies Inc.) modernizes its offerings. "The specialty vendors for gaming are not very large, and they have limited resources, so they tend to maintain the status quo," says Garrow. Mohegan Sun runs a collection of aging applications on IBM AS400 computers; some of the software has not been recompiled since the late 1980s. "At least we know it's stable," bright-sides Garrow, adding that hackers tend to be less interested in older systems, and probably lack the experience and equipment, such as tape drives, to do much with them in any case.
But the aging infrastructure has implications for both customer service and security. "The antiquated systems were not built with security in mind, and gaming applications are just now adopting the information-security model," says Carden. "This is such a specialized area that the principles of strong security architecture have been ignored, so it requires a lot of manual effort to segregate information and create checks and balances. The manual processes are pretty evolved, even if our applications are not."
Worker access to certain types of information requires two signatures, which must be validated by a supervisor. "It eats up a lot of man-hours to provision the system, given the lack of a unified identity management platform," says Carden. "Without a way to automate access provisioning for new hires, it's a nightmare for us, almost like the days of DOS. It doesn't mean we are not secure, but it is a challenge."
He pauses on the question of manual processes being in some ways more secure than electronic ones. "Any time you have an intensely manual system, you have ways to short cut," he says. "It becomes a management issue."
Progress is being made on the security front, however, says Garrow, who estimates that he is roughly halfway through planned upgrades to systems and processes (other systems with more generic functions, such as payroll and financial applications, are already updated). Monitoring tools display color-coded threats, such as attempts at unauthorized network entry, on a large screen at the network operations center, which is manned around the clock. And staffers now follow up on repeated log-in failures to see if someone is trying to break into the system. "We are being more proactive on suspicious events," says Garrow.
He's also working with vendors and adjusting internal procedures to control the display of personal information, such as Social Security numbers required on tax forms. "It used to be standard to display personal information onscreen, even when it was not needed. That's not a good practice," he says. "We are working to encrypt it, and display only when necessary."
Still to come is the big job of putting the huge slot-machine operation onto the IP network. "The gaming applications are the lifeblood of the place in terms of making money, but they have not evolved, security-wise," says Carden. "There is a lot of software customization to do."
In addition to hiring Carden as his go-to guy on information security, Garrow continues to push for more IT security staffers (the staff currently includes 130 full-time positions) and plans to keep increasing that number for the next several years. "We talk about this stuff all the time: customer confidentiality, proper disposal of hard drives, the appropriate times to use e-mail," he says. "It's going to be a focus for a long time to come."
You can bet on that.