By Bobby Simpson, CIO, Finley & Cook
Tribal casinos have some very unique technical challenges. When I took over management of IT at Finley & Cook, PLLC (F&C) about 15 years ago, I had to learn lots about the technology that helps Tribal gaming work, since F&C performs accounting services for many Tribes and their casinos across the nation.
The Problem
Before long, one of the firm’s partners asked me to tackle a pressing problem. She said, “F&C needs to remotely access our clients’ financial data without violating the NIGC regulations or standards adopted by the Tribe.” Since I had just completed some high-profile consulting engagements with large telecommunications operations like AT&T, I was very confident that I could quickly address her request. I couldn’t have been more wrong. Fifteen years later, I’m still working to improve technical solutions for this unique Tribal gaming challenge.
Why Is It Hard?
Simply put, Tribal gaming is different from every other technical environment in the world. The sovereignty of the nation, the nature of Class II gaming and the array of regulations all combine to create an IT system that is unlike any other. Each vendor has a distinct server environment, so adding remote access, while satisfying logging requirements, is different for Tribal casinos than other organizations. For that reason, typical remote access solutions such as Citrix or LogMeIn do not provide the necessary flexibility, automation or logging required to directly satisfy the needs.
What to Do?
There are a few different ways to tackle this technical challenge. For me, this challenge led to the creation of the GhostSentry product. Many casinos have come up with their own creative ways to handle vendor remote access. In general, though, there are three approaches that have been used over the years.
Option 1 – Trust
First, some choose to trust gaming vendors to self-track all of their access, providing reports back to the casino for audit purposes. It takes careful and diligent coordination with the vendor, but it is possible to keep an accurate record of the times that the gaming vendor requests and performs remote operations. IT will typically coordinate with the gaming commission to ensure that individual performing remote access is approved. This is a laborious process though, and a single mistake can lead to an audit finding.
Option 2 – Unplug
Other casinos, after giving up on the difficult job of manual coordination, choose the second option – unplug the vendor network completely in between remote operations. This method does help prevent the vendor from forgetting to ask for permission, and the related audit findings. Unfortunately, it also prevents crowd-favorite features such as wide-area ball call, and any wide-area progressive jackpots that the vendor may have. Constant connectivity between the casino and the vendor is required to make this work. By the way, this was very common ten years ago. Now it is very scarce, because constant connectivity makes more gaming money for the casino and saves lots of money on support.
Option 3 – Firewall
The most practical option for true compliance while maintaining wide-area operations is the network firewall. A firewall can be set to allow some network traffic, such as health monitoring or wide-area progressives, while blocking common remote access methods. Of course, when the gaming vendor needs access, rules need to be temporarily added to the firewall to facilitate the approved activity. Then when the activity is complete, the temporary rule must be deleted or disabled.
The Real Challenge
With all of the options presented here, the real challenge is tracking and logging the access. Enabling and disabling rules for remote access is a pain in many firewall products. Overall, though, it beats the “unplugging” solution, because it keeps the gaming vendors connected to the casino and allows the wide-area activities that drive revenue. With any of these approaches, the real work is writing down the access and keeping that log long enough to satisfy audit requirements.
Solutions
There are different spins on the firewall approach, such as using a VPN or remote access solution like Microsoft RDP Gateway, to approve access. After many years of development, my own product, the GhostSentry firewall, is now designed specifically to address the automation and logging required by Tribal casinos. The log is beautiful, is maintained automatically and is available any time for audit review. A spreadsheet or physical log is just as effective, though, if it is maintained well.
Takeaway – Consistency Is Key!
Whatever solution the casino puts in place, though, the key is consistency. If remote access automation through a product like GhostSentry is not an option, then adding personnel specifically assigned to track vendor activity may be helpful. In the end, keeping patrons happy with wide-area features, such as the eye-popping wide-area progressive jackpots, should more than make up for the cost of handling vendor access challenges. In other words, the rewards far outweigh the effort. Tackling the unique IT challenges of Tribal casinos leads to unique gains for the Tribal community, and opportunities for everyone.