BP replaces local security solution with Cisco cloud service

Oil giant takes leap of faith to trust the cloud with its security, and sees 35 per cent cost savings as a result

Oil giant BP is reaping the rewards of its cloud-based security system from Cisco, and shared its experience of selecting and deploying the solution with delegates at the RSA Security Conference in London this week.

Robert Martin, manager of digital security services at BP explained that the main driver for change was the impending need to renew the licensing for BP's previous on-premise solution.

"Our old solution was subscription based and the licensing was coming up. I became infamous in BP as I claimed we should switch it off, it wasn't providing any security benefit. It had no anti-malware or scanning capability, it was just a pure URL filter."

The solution was failing to prevent malware infections, which were occurring regularly within BP's network.

Martin said that the majority of these were coming from web-based drive-by infections (where malware is served without the need for the user to click on anything on the infected page).

"Desktop based anti-virus struggles to keep up as its files need to be updated constantly with the latest definitions," said Martin.

It was obvious that incoming code needed to be scanned for malware, but Martin was reluctant to spend on more infrastructure, so turned to the cloud for options.

But first, he had to convince his board that the cloud could be trusted.

"When services are on-premise, there's the belief you have more control. So we had to convince the board we could trust the vendor, and that the services were reliable."

To do that, Martin ran proof-of-concept projects, but the board wanted a vendor they knew they could trust.

"We overcame that barrier by dealing with Cisco, a vendor that BP had an existing relationship with. And we knew we'd end up with better control than we had before, as we'd be managing the global solution centrally.

Martin chose Cisco's ScanSafe Cloud Web Security product.

He added that the previous regional system relied on local administrators rolling out changes in unison, leaving the possibility for human error, or for some changes to be forgotten or left out.

"We also explained that security is a big part of the vendor's business.

"We're in the business of pumping oil out of the ground, the vendor is in the business of security, so it's likely that they'll be better at it than us."

Another argument Martin had to win with the board was around cost and return on investment.

His CFO was unwilling to spend more on security, leaving Martin potentially hamstrung by the fact that the previous solution was very cheap.

"Our previous solution was adopted in the 1990s, so the price point we were working at was quite low.

"I had to make this work in the cloud at the same price or lower than the on-premise solution."

However, he said that he was able to show just on the license-fee savings that the solution could operate at the same cost.

Then there were additional savings coming from needing less infrastructure, lower support costs and experiencing better reliability. Overall the solution has saved the business around 35 per cent.

"And of course we'd be more secure, which the management usually gloss over, but by showing the cost savings, we got it [the business case] through," said Martin.

However, the additional security provided a further saving, as Martin could show that his team would no longer need to clean malware of a large volume of machines.

Deployment of the solution was made more simple by the fact that Martin did no need to tell the users about the project, since their experience would not be affected by the changes.

"One of the most complex parts of any security rollout is when I have to explain the potential ramifications to users.

"Since this solution was silent, I had a strong argument to say I don't need to panic the users that something's changed.

This helped Martin's team roll out the changes to 75,000 users in just 12 weeks, as there were no user feedback or opinions to deal with.

Now that he is working with the solution, Martin appreciates the immediate execution of any security policy changes he makes.

"Policy changes happen in one place, and I can push them out globally almost in real time – and I can have the confidence that it's consistent. It's better than local teams rolling it out in different places, vulnerable to human error."

On average the cloud-based solution blocks in the region of 30,000 malware hits per month.

These machines ultimately would otherwise have needed to be cleaned, so that cost saving has proven a return on investment that Martin says has gone down well with his board.

"This is a project that top management want to talk about, thanks to the cost savings it has made."

The system reports to a central location, meaning statistics can be compared for BP sites across the globe. This has had an impact on the assessment of training needs.

"We can compare how different regions are behaving, and how users' behaviours differ, which lets us know what sort of security awareness training we may need to roll out."