Case Study: Mohegan Sun and the Future of Data Security
By Edward Cone | Posted 09-05-2006
Every afternoon as he leaves the executive offices at the sprawling Mohegan Sun Casino and Hotel complex in Uncasville, Conn., chief information officer Dan Garrow hands his briefcase over to a security guard for inspection. Nobody thinks twice about it: neither the uniformed hourly worker who diligently searches the case, nor the high-powered senior executive in his dark suit. "People are used to that kind of thing here," says Garrow. "It's not a place where we get pushback on new security and privacy measures."
Mohegan Sun is a place where, after all, even a small transaction (say, a dealer changing a $20 bill for chips at a blackjack table) must be monitored by a supervisor, who is watched by managers, all beneath the constant gaze of a network of digital cameras concealed throughout the enormous facility. The culture of surveillance and accountability is innate here at the world's second-largest casino, owned by the Mohegan Tribal Gaming Authority, with $1.4 billion in annual revenues. And it's as ubiquitous as the noise of the slot machines on the gaming floor.
But unlike most companies that treat physical security and information security as two distinct operations, Mohegan Sun recognizes the two as one and the same. "Data security and customer privacy are layers of the overall security operation," says Garrow. The partnership between his shop and the traditional security apparatus feels natural, he says. "We work hand in hand with the security guys. There is a lot of cooperation between the departments and department heads."
The casino operation at the heart of Mohegan Sun collects an enormous amount of data from its customers, some 3 million of whom have volunteered their identifying information (names, addresses, e-mails and such) in order to join its affinity-and-rewards program. About three-quarters of Mohegan Sun's gaming business comes from "carded play," that is, people using Player's Club cards to track their credits and debits.
But collecting data on customers' gambling habits is a delicate issue, particularly in a business where expectations of privacy are so strong that Las Vegas could turn "What happens here, stays here," into a marketing slogan. That's why Mohegan Sun's customer data, along with a growing number of detailed profiles on high rollers and the Social Security numbers and tax forms required by law to be filed for big winners, is kept in a nearby data center that is protected like money in a bank: behind three checkpoints, each requiring a card-key for entry, behind steel doors with magnetic locks.
Though the organic relationship between physical and data security is critical to the casino's operations, Garrow is increasingly focused on technologies and processes that can safeguard information from purely technological threats. But Mohegan Sun, which has an IT budget of about $14 million per year (excluding the surveillance network and related costs) operates in a relatively small industry, in which equipment is often not up to date. Some routine processes are still done manually, and some key systems were last updated during the Reagan administration. It's a challenge familiar to many niche businesses, where a limited IT vendor pool can slow the pace of modernization.
Culture Club
Mohegan Sun, built in 1996 by the Mohegan Tribe along the Thames River in southeastern Connecticut, is a relatively low-key place, at least compared to the gaudier excesses of Las Vegas. Done up in a semi-understated Native American-themed décor, the complex includes a hotel tower with more than 1,200 rooms and a plush spa, two huge gaming floors known as the Casino of the Earth and the Casino of the Sky, a martini bar under a planetarium ceiling, a Michael Jordan's Steak House and several other restaurants, a small mall's worth of shops, and a 10,000-seat sports-and-entertainment arena.
Garrow, waxing philosophical beneath the artificial night of the planetarium ceiling, says the cultural bias toward guarding information runs even deeper at Mohegan Sun than it might at some other casinos. A member of the Mohawk Tribe himself, he points to the long, troubled history between Native Americans and the U.S. government, and the distrust it has engendered. "The privacy of members is a concern, and there is a reluctance to share information," he says.
The practical impact of this wary culture is extensive. "We want our customers to feel protected, and that includes their confidential information," says Joe Lavin, a former Connecticut state trooper who is the Mohegan Tribe's executive director of public safety. For that reason, he says, customer information is only shared with external authorities under subpoena.
There is a lot to protect. Some regulars literally attach themselves to slot machines and gaming tables by hooking their Player's Club cards to their belt loops with plastic cords; when they insert the cards in an electronic card-reader, they sit physically tethered to the gambling equipment, binding themselves to the business and keeping them from straying to the nearby Foxwoods Resort Casino, the world's largest, or to Atlantic City or elsewhere.
Once registered with the Player's Club, players log in with their identity cards to amass points and charge services, all of which are tracked and recorded. Employees who come and go through the checkpoints protecting that data are monitored on a wall-size screen in the security operations center. Garrow knows that data theft is more likely to occur if a hard drive goes missing than from some exotic hacking scheme, and that employees are at least as much of a threat to information security as outsiders. Thus the daily search of his bag, and the checkout procedures, which require signed authorization from a supervisor in order for any employee to remove a laptop or other gear from the premises.
For high rollers, the stakes are even greater. Currently, detailed information on the preferences of top customers is kept in the personal notebooks of the casino's hosts and player development staff, who have one-on-one relationships with them. "How secure is that?" muses Garrow. "If an employee leaves for a competitor, will they take that information, and the customer, with them?" To forestall that kind of loss, Garrow's staff is now trying to capture as much customer information as possible in centralized databases.
Working with Garrow to address these issues is Dave Todd, the vice president of security and surveillance, a former Philadelphia cop who spent several years working for Donald Trump in Atlantic City. Todd says information security is in part "a byproduct" of physical measures. For example, the network of 3,000 digital cameras that constantly monitors the facility collects thousands of hours of recordings. Records are usually kept for seven days, with as much as 250 terabytes of video data on hand at any given time.
Ahead of the Game
Not every company can claim the kind of inborn security culture found at Mohegan Sun. But a lot of companies are moving in that general direction, says Ted DeZabala, a principal in Deloitte & Touche's enterprise risk services group. Businesses are spending more time thinking about the physical control of information, and about the way information moves in and out of their organizations. "I don't want to say it's an obsession, but this is on the minds of very senior people," DeZabala says. Some organizations are even discussing combining the top-level jobs of information security and physical security officers, although that idea has yet to gain much traction.
As applied to information systems, physical security has traditionally been seen in terms of basic measures to forestall malicious behavior, and disaster-preparedness for events like floods or hurricanes.
Now, however, increasing attention is being paid to the tangible aspects of data security that go deeper into the work process, such as software that can tie information logged from sources such as ID badges (say, a worker's presence in a building) to things like PC or network log-in status. "If your ID shows you've left the building, but your computer is still turned on, the system can put those things together and log you out," says DeZabala. "Or if a person is not in the building, but their account has been logged into, it could be a security breach, and the software will notify the appropriate people."
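The two rules DeZabala describes (force a logout when the badge system says the person has left, alert when an account logs in while its owner is not in the building) can be expressed as a simple correlation over two event streams. The script below is an added illustration, not software from Mohegan Sun or Deloitte; the badge and session log formats, the user names and the timestamps are all constructed for the example.

```python
from datetime import datetime

# Constructed sample data: badge-reader events (direction, user) and
# workstation session events (action, user, host), one per line.
BADGE_LOG = """\
2006-09-05T08:01:00 IN alice
2006-09-05T08:03:00 IN bob
2006-09-05T17:02:00 OUT alice
"""

SESSION_LOG = """\
2006-09-05T08:05:00 LOGIN alice ws-12
2006-09-05T08:06:00 LOGIN bob ws-07
2006-09-05T12:30:00 LOGIN carol ws-21
2006-09-05T16:00:00 LOGOUT bob ws-07
"""


def parse(log, source):
    """Turn a log text into (timestamp, source, fields) tuples."""
    events = []
    for line in log.strip().splitlines():
        parts = line.split()
        events.append((datetime.fromisoformat(parts[0]), source, parts[1:]))
    return events


def correlate(badge_log, session_log):
    """Replay badge and session events in time order and emit findings.

    FORCE_LOGOUT: the user badged out while a workstation session was open.
    LOGIN_WITHOUT_PRESENCE: an account logged in while its owner had not
    badged into the building (possible credential misuse).
    """
    events = sorted(parse(badge_log, "badge") + parse(session_log, "session"),
                    key=lambda e: e[0])
    in_building = set()
    active = {}  # user -> set of hosts with an open session
    findings = []
    for ts, source, fields in events:
        if source == "badge":
            direction, user = fields
            if direction == "IN":
                in_building.add(user)
            else:
                in_building.discard(user)
                # Person has left: close any session still open in their name.
                for host in sorted(active.get(user, ())):
                    findings.append((ts.isoformat(), "FORCE_LOGOUT", user, host))
                active.pop(user, None)
        else:
            action, user, host = fields
            if action == "LOGIN":
                if user not in in_building:
                    findings.append((ts.isoformat(), "LOGIN_WITHOUT_PRESENCE", user, host))
                active.setdefault(user, set()).add(host)
            else:
                active.get(user, set()).discard(host)
    return findings


if __name__ == "__main__":
    for finding in correlate(BADGE_LOG, SESSION_LOG):
        print(*finding)
```

With the constructed data, carol's 12:30 login is flagged because she never badged in, and alice's session on ws-12 is closed when she badges out at 17:02; bob logged out before leaving, so nothing is reported for him. In practice the badge feed and the directory logon events would arrive from separate systems, so clock synchronization between them is the first thing to verify before trusting the correlation.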
But truly changing the organizational mindset will take some work. "We see companies spending a fair amount of energy on training as employees become aware of being monitored, or they have to go through more sequences to get to information they have accessed in the past," says DeZabala. "Companies need to communicate and tell people why it's happening."
At Mohegan Sun, that mindset is already pervasive. "A strong security culture is at the soul of what we do," says Todd Carden, a Traveler's Life & Annuity veteran who joined Garrow's team as information security manager about a year ago. "It's easy to link security to the physical processes, because it's all related to money. Any time we deal with client-related information, employees understand the importance of privacy and security," adds Carden. "It's easy to understand why someone who drops a lot of money would want only the appropriate people to see their records."
That widespread grasp of the core business value of privacy, he says, makes it easier for different groups within Mohegan Sun to identify gaps in security and cooperate on fixing them. For example, he was able to use a human-resources database to create a record of employees who leave the organization, and to share it with the physical security staff. The casino has now implemented processes that can terminate both physical and electronic access to its facilities and networks at the same time.
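The leaver process Carden describes (an HR feed of departed employees driving the simultaneous shutdown of badge access and network accounts) amounts to a reconciliation between three systems. The script below is an added example of that reconciliation and is not Mohegan Sun's own tooling; the employee records, badge states, account names and the run date are constructed, and the returned action list is what a real implementation would hand to the badge system and the directory.

```python
from datetime import date

# Constructed sample data. HR is the source of truth for employment status;
# BADGES is the physical-access system keyed by employee id; ACCOUNTS is the
# network directory keyed by login name.
HR_RECORDS = [
    {"id": "E100", "login": "alice", "status": "active"},
    {"id": "E101", "login": "bob", "status": "terminated", "end": "2006-09-01"},
    {"id": "E102", "login": "carol", "status": "terminated", "end": "2006-09-04"},
    {"id": "E103", "login": "erin", "status": "terminated", "end": "2006-09-30"},
]
BADGES = {"E100": "enabled", "E101": "enabled", "E102": "disabled", "E103": "enabled"}
ACCOUNTS = {"alice": "enabled", "bob": "enabled", "carol": "enabled",
            "erin": "enabled", "dave": "enabled"}


def reconcile(hr_records, badges, accounts, today):
    """Return the sorted list of actions needed to bring badge and account
    state in line with HR, without mutating the inputs.

    DISABLE_BADGE / DISABLE_ACCOUNT: employee left on or before today but
    still has access. ORPHAN_ACCOUNT: a login with no HR record at all, which
    is exactly the gap a shared leaver list is meant to expose.
    """
    actions = []
    known_logins = set()
    for rec in hr_records:
        known_logins.add(rec["login"])
        if rec["status"] != "terminated":
            continue
        if date.fromisoformat(rec["end"]) > today:
            continue  # future-dated departure: leave access in place for now
        if badges.get(rec["id"]) == "enabled":
            actions.append(("DISABLE_BADGE", rec["id"]))
        if accounts.get(rec["login"]) == "enabled":
            actions.append(("DISABLE_ACCOUNT", rec["login"]))
    for login, state in accounts.items():
        if login not in known_logins and state == "enabled":
            actions.append(("ORPHAN_ACCOUNT", login))
    return sorted(actions)


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, BADGES, ACCOUNTS, date(2006, 9, 5)):
        print(*action)
```

Run for 5 September 2006, the constructed data yields bob's badge and account, carol's still-enabled account (her badge was already pulled), and the orphan login "dave"; erin's departure is future-dated and is left alone. Keeping the function free of side effects lets the same report be reviewed by both the physical-security and IT staff before anything is actually disabled.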
Automating Security
To the customer, Mohegan Sun seems like a pretty tech-forward kind of place. Player's Club cards can be read electronically by every machine and gaming table in the joint, each with its own card slot, and points and rewards can easily be checked via the Web by players who opt into the system. And although the customer doesn't see it, the database holding that information is kept secure in the process; users see a copy of their file that is pushed outside the company's firewall, not the original file housed in the casino's core systems.
Inside the IT shop, though, Garrow and his staff are playing catch-up as the small group of vendors serving the relatively small casino industry (a list that includes Bally Technologies Inc., International Game Technology and Aristocrat Technologies Inc.) modernizes its offerings. "The specialty vendors for gaming are not very large, and they have limited resources, so they tend to maintain the status quo," says Garrow. Mohegan Sun runs a collection of aging applications on IBM AS400 computers; some of the software has not been recompiled since the late 1980s. "At least we know it's stable," bright-sides Garrow, adding that hackers tend to be less interested in older systems, and probably lack the experience and equipment, such as tape drives, to do much with them in any case.
But the aging infrastructure has implications for both customer service and security. "The antiquated systems were not built with security in mind, and gaming applications are just now adopting the information-security model," says Carden. "This is such a specialized area that the principles of strong security architecture have been ignored, so it requires a lot of manual effort to segregate information and create checks and balances. The manual processes are pretty evolved, even if our applications are not."
Worker access to certain types of information requires two signatures, which must be validated by a supervisor. "It eats up a lot of man-hours to provision the system, given the lack of a unified identity management platform," says Carden. "Without a way to automate access provisioning for new hires, it's a nightmare for us, almost like the days of DOS. It doesn't mean we are not secure, but it is a challenge."
He pauses on the question of manual processes being in some ways more secure than electronic ones. "Any time you have an intensely manual system, you have ways to short cut," he says. "It becomes a management issue."
Progress is being made on the security front, however, says Garrow, who estimates that he is roughly halfway through planned upgrades to systems and processes (other systems with more generic functions, such as payroll and financial applications, are already updated). Monitoring tools display color-coded threats, such as attempts at unauthorized network entry, on a large screen at the network operations center, which is manned around the clock. And staffers now follow up on repeated log-in failures to see if someone is trying to break into the system. "We are being more proactive on suspicious events," says Garrow.
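Following up on repeated log-in failures, as Garrow's staff now does, is usually automated as a sliding-window count per account and source, with a second alert if a success follows the burst. The detector below is an added example and not Mohegan Sun's monitoring tool; the authentication log lines, account names, addresses and the threshold of five failures in ten minutes are all constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample authentication log: timestamp, result, account, source.
AUTH_LOG = """\
2006-09-05T22:01:10 FAIL jdoe 10.20.3.44
2006-09-05T22:01:15 FAIL jdoe 10.20.3.44
2006-09-05T22:01:21 FAIL jdoe 10.20.3.44
2006-09-05T22:01:30 FAIL jdoe 10.20.3.44
2006-09-05T22:01:42 FAIL jdoe 10.20.3.44
2006-09-05T22:02:05 OK jdoe 10.20.3.44
2006-09-05T22:10:00 FAIL msmith 10.20.7.9
2006-09-05T22:40:00 FAIL msmith 10.20.7.9
"""


def detect_repeated_failures(log, threshold=5, window_minutes=10):
    """Scan an auth log and return alerts for bursts of failed log-ins.

    REPEATED_FAILURES fires once per (account, source) when `threshold`
    failures fall inside `window_minutes`; SUCCESS_AFTER_FAILURES fires if
    the same pair then logs in successfully, which is the case a human
    should look at first.
    """
    windows = {}   # (account, source) -> deque of failure timestamps
    alerted = set()
    alerts = []
    for line in log.strip().splitlines():
        ts_text, result, account, source = line.split()
        ts = datetime.fromisoformat(ts_text)
        key = (account, source)
        failures = windows.setdefault(key, deque())
        if result == "FAIL":
            failures.append(ts)
            # Drop failures that have aged out of the sliding window.
            while failures and ts - failures[0] > timedelta(minutes=window_minutes):
                failures.popleft()
            if len(failures) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append(("REPEATED_FAILURES", account, source, ts.isoformat()))
        elif result == "OK" and key in alerted:
            alerts.append(("SUCCESS_AFTER_FAILURES", account, source, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_repeated_failures(AUTH_LOG):
        print(*alert)
```

On the constructed log, jdoe's five failures inside 32 seconds raise the first alert and the success that follows raises the second; msmith's two failures are 30 minutes apart, so the window never fills and nothing fires. Keying on the account and source together keeps one user's forgotten password from masking an attempt against the same account from elsewhere.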
He's also working with vendors and adjusting internal procedures to control the display of personal information, such as Social Security numbers required on tax forms. "It used to be standard to display personal information onscreen, even when it was not needed. That's not a good practice," he says. "We are working to encrypt it, and display only when necessary."
Still to come is the big job of putting the huge slot-machine operation onto the IP network. "The gaming applications are the lifeblood of the place in terms of making money, but they have not evolved, security-wise," says Carden. "There is a lot of software customization to do."
In addition to hiring Carden as his go-to guy on information security, Garrow continues to push for more IT security staffers (the staff currently includes 130 full-time positions) and plans to keep increasing that number for the next several years. "We talk about this stuff all the time: customer confidentiality, proper disposal of hard drives, the appropriate times to use e-mail," he says. "It's going to be a focus for a long time to come."
You can bet on that.