Thinking Strategically on GSA Gaming Standards Security
As the gaming industry moves further toward open-source Gaming Standards Association (GSA) standards for lowering costs and risks while increasing interoperability and marketing opportunities, it’s important to not just focus on point solutions to meet the standards for operations, but to identify opportunities to strategically increase security and interoperability.
By doing so, casino operators can find cost-effective, strategic solutions and provide preventive, built-in security as they move beyond securing the floor infrastructure and toward opportunities to integrate with wireless, mobility and additional network connectivity across the organization.
I’ll be writing about different areas in the following months to focus on this strategic approach. In this issue, I’m tackling, at a high level, some security design requirements to expand on the GSA’s minimum suggestions for a networked gaming environment. As a reminder, here are the GSA’s minimum recommendations for security around network architecture:
|Small Network (<500 devices) GSA Minimum||Large Network (>500 devices) GSA Minimum|
Strategic Thinking: As a start, think strategically about your architecture and operations. Don’t get into the weeds yet on what’s the best product or tactical solution. Focus instead on what’s going to work for YOUR company, now and in the future, based on where you need to be in one, three or five years. It’s important to identify your requirements, beyond the GSA minimum above, prior to architecting and purchasing your equipment. Focus on thinking strategically, and don’t solve only for the problem you are faced with today. You should know these answers prior to starting your design or purchases:
- What’s your anticipated growth of the network due to increased floor space and new game requirements (like web-enabled technologies) for the next three to five years? Your investment should be able to handle your growth, but figure out what that’ll be and how you can increase capability and capacity without having to tear down everything and start from scratch.
- How much of the growth might need to take into account wireless devices crossing your firewalls, switches and network?
- How much will web-enabled technologies and the bandwidth needed for them impact you? Will your architecture and ultimate technologies be able to grow?
- Will you need specific firewalls geared toward mobility/wireless?
- Will new gaming technologies push the ability of your firewall and/or IPS and network to keep up with speeds necessary to keep player experience up to par? How will you identify those impacts now and in the future?
- How will you manage firewall and IDS/IPS rules across multiple firewalls and devices, and ensure that on-the-fly changes continue to meet security requirements?
- What sort of in-house change controls and approval processes will ensure that the state of your security posture doesn’t change due to a “need it now” firewall change?
- How often will you audit your security system configurations to meet your “gold standard,” and do you have a “gold standard” built?
- How will you audit and ensure that security is maintained consistently across network devices and core network systems? How often will that happen? Who will audit? And against what standard?
- Are there other compliance standards you’ll need to take into account and meet? For instance, will any credit card data cross these devices now (or in future)? Will you be able to maintain the compliance standards for security, including encryption, access controls, and logging and monitoring?
- Can you leverage current firewall management capabilities, and will they be able to grow with you? Or, if purchasing new security systems, what sort of management console do you need, especially for multiple properties?
- Have you planned for ongoing security assessments and audits that might leverage current audits and assessments in your organization?
- What is the company security stance on “all-in-one” type security devices? Does your company have the stance that a firewall should only be that and not also have IDS/IPS services or DoS services? If using an “all-in-one” device for all services, where and how will you maintain security if that system is compromised?
- Will your wireless systems meet your security needs and be able to handle the traffic you might need over the next three to five years? Will your wireless devices have IPS built in?
- How will logging and monitoring be handled? Will you use a Security Information and Event Management (SIEM) tool to help you easily troubleshoot and identify critical security, network and system issues? Does your PCI security team already have one that you can utilize as well?
- For DMZs – Do you plan to do this physically or virtually? What configurations and controls, including audits, will you have in place to maintain the security? Will you separate out by site, service or type? Will this DMZ have to integrate with any other backend system, and what controls are in place to maintain security?
- Will you be using load balancers? If not, why not? Many of the load balancers out there have excellent layered security controls that you can use as an extra layer of security, including additional security options, stateless persistence and the ability to reduce bandwidth costs.
- Will any of your gaming networks have Internet access or allow outbound access? If so, what extra controls will be in place besides ACLs/rules? How often will you audit the controls and ACLs/rules? How will you know what traffic is OK and what’s not? How will you be able to secure and troubleshoot encrypted traffic?
- Do you know what ports and protocols will be strictly regulated? Will you have insight into the protocols, especially if you need to troubleshoot issues, have an incident (security or network) or need it for fraud detection?
These high-level strategic questions should be identified early when thinking about your design, your network, your equipment and management of the devices. While not totally inclusive of all you need, they should get you started on strategically planning the security around GSA guidelines.