Identifying and Managing Risk for Internet-Based Gaming

We all know that online gaming is coming to the United States, and it is partially here already via WAN-connected tribal casinos, online poker that is available in multiple countries around the world, and U.S.-based casinos that are opening up wireless integration opportunities that let their consumers play. As with any move from a brick-and-mortar scenario to the Internet, IT security and the maintenance of that security become more important to casinos. Understanding the risks involved before you make the move, and developing a risk management strategy and program to keep managing those risks (including adding controls to limit or remove them), will provide value to your organization and its operational efficiency.

What are your Business Risks?

First, do you know your business security risks? Have they been identified from multiple levels? What’s an acceptable risk for you? What is totally not acceptable? How do you manage risk in your environment? Do you know where and how to reduce your risk? How will you identify and report on the risk levels in your organization? Your risks may include loss of player personal information, credit card information, or critical casino operational information; malware such as Trojans hidden in your systems; hijacked player sessions; and critical data loss or leakage. You should also consider the risk to your reputation should your systems be attacked.

High-Level Technical Risks for Internet-Based Gaming Systems

There are also technical risks that should be understood, and controls to manage those risks should be in place. Some high-level examples of the risks and controls you should consider are in Figure 1 and Figure 2 below. For “Application Security” below, I’m focused on the security of delivery or supporting applications, not so much the actual gaming applications, for which you’ll need to meet the appropriate regulatory requirements for your area.

Figure 1 - High-Level Risks to Internet-Based Gaming Systems

High-Level Controls for Internet-Based Gaming Systems

Figure 2 shows a few examples of the controls you can put in place to protect against the risks identified above. However, in addition to technical controls, ensure you also have policies, processes (including incident management), and training as part of your controls and your risk management program and strategy. From a high level, some of the types of risk controls that you should have in place are as follows:

Figure 2 - High-Level Controls for Internet-Based Gaming Systems

You’ll need to dig much deeper than these high-level examples I’ve shown to have a good grasp on your risks. A risk-based gap analysis should provide you with a view of your risks and the controls you have or need to put in place, as well as help you define a strategy and roadmap to get the risks to an acceptable level.