forcdan - Fotolia
IT security monitoring at golf club lets IT ops play through
ClubCorp took stock of its IT security strategy last year, which led to freedom from grunt work and renewed focus for the IT ops team.
DevOps has prompted convergence between IT roles in many enterprises, but an increased separation of responsibilities has streamlined IT operations for one company.
ClubCorp, a Dallas-based firm that operates more than 200 country clubs and golf clubs throughout the United States, is on the second year of a three-year plan to overhaul its IT security and improve its Payment Card Industry compliance. Among its first moves in 2017 was the deployment of IT security monitoring tools and services from Alert Logic.
"We had a number of different tools providing security information, but we didn't have a strong correlation tool to take data points from all the existing applications we had and identify what was really going on," said Zach Vinduska, vice president of IT infrastructure and security at ClubCorp. "Alert Logic let us clear the mud off our windows so we could see what we were doing."
At the same time, ClubCorp began a move from two data centers it owned to multiple cloud service providers, including Oracle, AWS, Azure and Google, and reorganized its IT security and infrastructure operations department under Vinduska.
But alignment under one manager doesn't necessarily merge IT security and infrastructure operations responsibilities -- in fact, it's quite the opposite. ClubCorp's IT security group has its own budget and procures IT security tools, which previously fell to the IT infrastructure team. ClubCorp also brought in a liaison from Alert Logic to head a security operations center and transferred most day-to-day security work away from IT infrastructure administrators to IT security staff.
"Security leans on infrastructure for implementation and execution of their plan," Vinduska said. "But [the security team] has to be its own power to solve our challenges."
Automated security tools turn IT ops into BigShots
After ClubCorp's initial IT security monitoring assessment, the company considered security tools for multi-cloud use in eight different categories, from identity and access management to intrusion detection and patch management. The software refresh helped automate and streamline IT security operations, which lightened the workload for IT ops staff.
Trend Micro's Deep Security tool, for example, has a feature called virtual patching, which recognizes that enterprises may not be able to deploy security patches -- even security-critical patches -- on Day One, Vinduska said. While IT teams test patches to ensure quality, the virtual patching feature mimics the ways the patch changes the behavior of the system to shore up security until IT security teams apply the patch.
"It'll block application activity without you putting the patch on," Vinduska said. "That way, you don't have to have downtime to patch a system and troubleshoot it."
Now freed from day-to-day security operations grunt work, IT infrastructure admins at ClubCorp have time to build the infrastructure for an application rollout based on a joint venture launched in December of 2018 with BigShots Golf, which makes a golf simulator game and scoring app.
Zach VinduskaVice president of IT infrastructure and security, ClubCorp
"IT ops still keeps security in mind, but they're focused on changes to our point-of-sale operations and the way we provide technology to our customers," Vinduska said. "That covers everything from where wireless access points are located to how we configure firewalls to accommodate different types of [network] activity."
Alert Logic IT security monitoring watches user behavior in the new environments as they're rolled out, and Trend Micro intrusion detection and vulnerability management will play a role, as well, Vinduska said.
While ClubCorp is now heavily invested in cloud and automated software-defined infrastructure, it only dabbles in DevOps. It hasn't yet tackled secure-by-design approaches to application development that have gained popularity elsewhere in the industry.
"We prefer to purchase SaaS products in which our only responsibility is modifications to configurations," Vinduska said. "Whenever we can, we're going to be looking at off-the-shelf [apps]."