WHAT IF YOU COULD rebuild your company’s
security system from scratch, without the limitations of existing
technical infrastructure and physical plant?
Louis Mazzio, chief technology officer at
the Philadelphia-based law firm Post & Schell, recently
got this unique opportunity when the firm built its new headquarters.
To Mazzio, the move represented the chance not just to combine
informational and physical security as an integrated entity,
but also to bring Post & Schell’s protection to
an entirely new level of effectiveness and efficiency.
“We wanted to get ahead of where we
needed to be,” Mazzio says. “We had an opportunity
to work from a clean slate and design everything new, from
concrete floor to ceiling, and we took advantage of it and
worked every angle.”
Mazzio did have some specific concerns —
namely, trust and regulatory issues. Post & Schell serves
clients in health care, insurance and other heavily regulated
industries, making it essential that trust be established
and maintained. This confidence comes complete with assurances
that the clients’ private and sensitive information
is not only well protected, but accessed only by the appropriate
staff members of the firm. With the firm’s interest
in health care law, the privacy regulations mandated by the
Health Insurance Portability and Accountability Act of 1996
(HIPAA) were also of great concern.
“The impact of the HIPAA regulations
started to hit us about a year prior to moving, and we added
that to the scenarios of what we wanted in the new space,”
Mazzio says.
Although Mazzio was delighted to have a
blank slate to build a security system, he also recognized
the risk that if he made the system too difficult or complicated,
he’d reap a bitter harvest of user dissatisfaction and
reduced productivity.
“We didn’t want a bunch of separate
devices, such as elevator codes, keys and login authentication,”
he says. “The last thing we wanted to do was stress
the people who work here by giving them multiple security
devices. We wanted to simplify.”
“Simplify” meant finding a way
to protect physical and information assets in a single management
package. Mazzio researched technology that would authenticate
users, manage access and consolidate security.
“Only about three or four companies
had the security we were looking for,” he says, “and
they had to be willing to work with building management to
make the solution work across all levels.” Mazzio was
impressed with RSA Security’s ability to integrate the
components of its RSA® Smart Badging Solution into his
overall security strategy.
Prior to the move, access to Post &
Schell’s computer systems and networks was regulated
by a password policy through the Microsoft® Windows® 2000
operating system. Yet with more than 300 employees spread
across six offices, the firm’s IT department struggled
to enforce periodic password changes.
With the RSA® Smart Badging Solution,
employees enter the new building by swiping an identity badge—which
acts as a proximity card—across a door lock reader.
Once inside, employees need the badge to use the elevator
and access file rooms or other areas that may contain sensitive
materials. Without a badge, it’s nearly impossible to
navigate the building. Visitors are initially restricted to
public areas and cannot proceed without a temporary badge
and visual clearance from firm personnel. In addition, Post
& Schell is able to predetermine the areas a specific
employee can enter. Paralegals who don’t need to get
into File Room C, for example, can’t use their cards
to gain access.
At each workstation, the badge is used to
authenticate access to the network and applications such as
time and billing, documents and databases, and e-mail. To
log into these applications, employees insert their badge
into a smart-card reader that’s connected to the computer
and type in their PIN.
Employees have single sign-on access to
all enterprise programs if the PIN matches the information
stored on the card. Their computers are automatically locked
when the card leaves the reader, prohibiting another person
from using the machine under a false identity. Instead of
a reusable password, the solution driven by RSA Security requires
something staff members know (the PIN) and something they
have (the badge) to get on the network — which gives
Post & Schell strong two-factor authentication. As a result,
the firm has a much more reliable level of security.
The RSA Security solution has been in place
six months, and Mazzio says that he’s pleased with the
results, particularly with regard to regulatory compliance
and meeting clients’ standards. “We now exceed
what HIPAA wants, and we also meet or exceed any client guidelines,”
he says.
Post & Schell’s security investment
pays off with the firm’s continued ability to superbly
— and safely — serve its clients, Mazzio says.
“From a business perspective, our
knowledge is our business, and we have to approach our intellectual
assets—whether on paper or hard drive—as a hugely
valuable asset to protect,” says Mazzio. “We need
to be doing this.”
By Carol Hildebrand
Photograph by Andrea Artz