Blue Cross Blue Shield Vermont Advances Security with Cisco Partner Blue Spruce Technologies

January 10, 2007

In order to comply with the federal government's HIPAA (Health Insurance Portability & Accountability Act), Blue Cross Blue Shield (BCBS) of Vermont conducts regular reviews of its security infrastructure and hardware. As a result of its most recent review, the company planned to replace its security firewalls, but decided to expand the project to include the latest security technology that Cisco Systems® offers.

To accomplish this, Michael Porta, a network security professional hired by BCBS Vermont to oversee its network security, worked with the local Cisco account team, which arranged for him to meet with Blue Spruce Technologies, a Cisco Certified Partner with CCNA® certification, Security SE and IT Security Integration among its Cisco specializations.

"I needed a partner on this project that understood our needs and the HIPAA regulations, and could provide a solution and help ensure that everything would work together smoothly," says Porta. "Blue Spruce's technical knowledge was superior; I was very confident that we had made a good choice in working with them."

Blue Spruce Technologies is a security systems integrator headquartered in Greenland, New Hampshire. In working with clients, its goal is to help them reach business goals such as sales execution and managing the procurement process, but its special value proposition is that it goes much deeper than a product solution.

"We put real emphasis on our relationships with our clients," says Steve Pettit, president of Blue Spruce Technologies. "We put a lot of effort into understanding their business and the technical components that they have, and provide consultation across the whole connectivity plane."

The BCBS and Blue Spruce teams worked together to map out overall goals for the end-to-end integrated security strategy, and to help ensure that all of the Cisco security components would work together within the strategy. In addition to the new firewalls, BCBS wanted to authenticate users in a uniform manner, regardless of how they accessed the network. They also wanted to understand "the state of the user." This would provide them with information on the state of the machine that is connecting to the BCBS network. Specifically, it would allow them to know that the software and applications present on the machine are compliant with the network and policies at the time of the connection.

"What BCBS wanted is beyond the notion of simply understanding who is on the network," says Pettit. "They want to know who is accessing what on their network, the kinds of applications that they are running, and to whom those applications are directed. All of this new security can create disparate management domains, and create a scenario where the complexity of the solution outweighs the benefits. Our job was to aggregate all of the pieces and bring cohesion to events management through the use of MARS (Security Monitoring, Analysis, and Response System) as well as unearthing the points of intersection and collaboration between the IT Security elements and the network. These included the use of ACS as the aggregate point of authentication for VPN and LAN access, and to combine the security attributes of CCA with those contained in CSA in a complementary way."

Many things needed to be negotiated and agreed upon up front in order to put a plan in place, and perhaps most critical was the order in which the components would be implemented. Each element needed to be implemented in a way that provided incremental value. Authentication was targeted as the cornerstone of the solution, and one that would be built upon over time. In addition to various Cisco products for the authentication solution, Blue Spruce also deployed Cisco Adaptive Security Appliance 5510 and 5520, Cisco Access Control Server (ACS), Cisco NAC Appliance, Cisco MARS, Cisco Security Agent, and several series of Cisco Catalyst® switches.

"When you are combining different pieces into one cohesive solution, it typically requires some high-level revision on certain products to make sure everything works smoothly together," says Ty Powers, security analyst with Blue Spruce. "We encountered a nuance in the ACS implementation in which we had to determine how best to make ACS talk to the initial directory. In the end, we accomplished exactly what we needed to."

And that kind of attention to detail and technical expertise make for a satisfied client. Porta says that the deployment itself was very smooth, thanks to Blue Spruce Technologies.

"Even though the deployment was very recent, the added overall security architecture makes me sleep better at night," says Porta. "It is going to make new applications easier to deploy and manage because I will be completely comfortable with the security aspects of the system."

Blue Spruce Technologies, which has built its business on network security and authentication, has noted an increased interest in security technology, and attributes it to a change in how businesses and organizations are dealing with network security. Pettit says that a vulnerability problem used to mean buying a vulnerability scanner and that a virus outbreak meant purchasing antivirus software.

"Customers today are clearly not interested in purchasing point solutions for point problems," says Pettit. "They are taking a more systematic approach and looking at a broader IT strategy. Cisco security products serve that kind of vision."
