Microsoft Windows Server 2003
Customer Solution Case Study

Leading Smart Card Manufacturer Deploys Secure Badge Solution to Enhance Company Security
Overview
Country or Region: France
Industry: IT Security
Customer Profile
Gemplus International S.A. is the world leader in smart card IT security technologies. The company employs more than 5,000 people worldwide.
Business Situation
Historically, the organisation managed user authentication using passwords. To increase efficiency and enhance security, it wanted to deploy a new smart card authentication system.
Solution
A new PKI (Public Key Infrastructure) and smart card authentication system built on Microsoft® Windows Server™ 2003.
Benefits
- Enhanced network security
- Secure remote network access
- Reduced helpdesk calls
- Users no longer remember multiple passwords
- Simple deployment to new locations

“Since the deployment of smart cards, the number of helpdesk calls has fallen dramatically and security has increased as a result.”
Anthony Der Krikorian, Secure IT Program Manager, Gemplus
Historically, Gemplus, the world’s leading provider of smart card solutions, used passwords to authenticate system users internally. To reduce costs, increase efficiency, and enhance application and network security, Gemplus decided to deploy its new authentication system, called “SafesITe,” based on smart card technology and Microsoft® Windows Server™ 2003. Gemplus employees now access corporate systems by inserting a smart card and typing a four-digit PIN code. Because they no longer need to remember multiple passwords, calls to the helpdesk have been reduced and the IT department has realised significant operational savings. Centralised management of user profiles, e-mail systems, Web servers, Wi-Fi, and the virtual private networks (VPN) greatly enhances security. Users can also access the corporate network securely from external Internet connections, increasing employee productivity and opportunities for remote working.

Situation

Gemplus is the world leader in smart card-based solutions. In the IT security market, smart cards store and manage employee identity credentials. Once the user inserts the card into a reader and types the associated PIN code, the card allows them to perform network and PC logon, e-mail signing, document encryption, and more. Together the card and PIN enable “two-factor authentication,” which offers far greater levels of security than passwords, which can be obtained and misused much more easily. There are also significant benefits for users, who no longer need to memorise a string of passwords to access different systems and applications.

Gemplus wanted to deploy the technology to authenticate users internally. As well as ensuring compliance with IT security legislation, this new approach aimed to reduce the costs and complexities associated with traditional password-managed network access.

Anthony Der Krikorian, Secure IT Program Manager, Gemplus, says: “Password technology could no longer meet our own internal security requirements. We couldn’t expect users to remember increasingly complex passwords and we could not change them often enough. We were also concerned that the cost of managing them was constantly rising.”

In addition to ensuring secure authentication, Gemplus is required to provide full protection for its Web servers, virtual private network (VPN), wireless network, and e-mail infrastructures. This was a further motivation for deploying the new smart card technology.

Der Krikorian says: “IT security is just as important for us as it is for our customers. That’s why we decided to build a state-of-the-art solution based on a Public Key Infrastructure to manage encryption and digital signatures. It was a clear choice to use the same technologies we recommend to our clients.”

Many elements of the solution had already been developed under the brand name SafesITe. For the internal deployment, the technology became known as SafesITe for Gemplus.

Solution

Gemplus decided to build its new public key infrastructure on the Microsoft® Windows Server™ 2003 Enterprise Edition operating system, a part of Microsoft Windows Server System™ integrated server software. Microsoft conducted research with Gemplus to build smart card authentication into the system. The resulting technology, known as “SmartCard Logon,” supports smart card-based user authentication with no transfer of passwords or user information over the network.

Der Krikorian says: “For us, this is an outstanding application. It provides the highest levels of protection for all user data and ensures that access to the network remains secure.”

Numerous employees across the company were engaged to scope and design the new PKI. It was then deployed on Windows Server 2003, and on desktops running the Microsoft Windows® 2000 or Microsoft Windows XP operating systems.

Smart security badges give users access to company buildings and IT systems. They also act as identity cards to determine the user’s department, such as the marketing or accounting department. Moreover, employees can load cash on the cards for purchasing coffee or food in vending machines and company canteens.

Der Krikorian says: “Some of our people worked on the physical access controls for badges, while others focused on building a centralised directory of users, built on Active Directory® [directory service]. Internal specialists were also deployed to assign digital certificates to employees. Although our IT infrastructure is distributed across 54 physical sites, we were able to handle the deployment centrally using Active Directory, a key element of Windows Server 2003.”

With the technical aspects of the solution in place, new security procedures, such as registration for employees and sub-contractors, were defined and implemented. New procedures for blocked, lost, or stolen cards, and for requests for technical support, were also put in place.

The deployment of the new PKI was supported by Microsoft Certified Partners Steria and Exakis. While Exakis helped to share knowledge and prepare operational staff for the migration, Steria was involved with day-to-day support and with interfacing the PKI with e-mail.

Benefits

Microsoft Technologies Offer Clear Advantages over Open Source Competitors

Gemplus started building its PKI functionality in 2002. At that time, the company conducted some evaluations of open source technologies. Ultimately, Microsoft technology was chosen because competing technologies proved difficult to scale.

John Alvares, Chief Information Officer (CIO) and Senior Vice President at Gemplus, says: “When we chose to deploy the Microsoft technology, there were not many other appropriate solutions available. What we were looking for had to be compatible with our SafesITe solution, available on the market, and capable of full integration with our existing architecture. Microsoft offered the best solution available on the market. As we were already working in an environment mainly based on Microsoft technology, the choice was obvious.”

Der Krikorian says: “The Microsoft Certificate Services platform, which is based on Windows Server 2003, is entirely stable, and future-proofed. It also offers a number of components that were ideally suited to our purposes, including a ‘templating’ system for presenting user authentication data.”

Centralised Infrastructure for Global Solution Deployments

Because the entire PKI is managed centrally using Active Directory, it can be easily extended to new locations and operational areas.

Der Krikorian says: “Once we have new hardware, such as card readers, in place, the SafesITe solution can be deployed to new areas of the business quickly and easily. This is because it uses native PKI resources provided with the centralised Windows Server 2003 operating system. This flexibility ensures we can extend the system as our requirements evolve.”

New Smart Cards Deliver Benefits for Users

Users at Gemplus no longer need to remember complex passwords to access their applications and systems: smart card logon is now the only way to log on, and it is far more secure. Certificates are stored on the smart card and, for added security, are renewed every two years. Users are alerted one month before their certificate is due to expire, so they can renew it quickly and easily online while retaining the same physical smart card.
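The one-month expiry alert described above can be driven from the certificates published in Active Directory. The script below is an added illustration, not Gemplus’s or Microsoft’s own tooling; it assumes the RSAT ActiveDirectory module and that user logon certificates are published to the userCertificate attribute, and it flags certificates carrying the Smart Card Logon EKU that expire within 30 days (the warning window and the OU path are assumed values).

```powershell
# Added example: list smart card logon certificates in AD expiring within 30 days.
# Assumptions: ActiveDirectory module present; certificates are published to the
# userCertificate attribute; "OU=Staff,DC=example,DC=com" is a placeholder search base.
Import-Module ActiveDirectory

$WarningDays    = 30                        # matches the one-month alert window
$SmartCardLogon = '1.3.6.1.4.1.311.20.2.2'  # Microsoft Smart Card Logon EKU OID
$Threshold      = (Get-Date).AddDays($WarningDays)
$SearchBase     = 'OU=Staff,DC=example,DC=com'   # placeholder, adjust to your forest

Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties userCertificate |
ForEach-Object {
    $user = $_
    foreach ($raw in $user.userCertificate) {
        try {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($raw)
        } catch {
            Write-Warning "Unparseable certificate on $($user.SamAccountName)"
            continue
        }

        # Keep only certificates intended for smart card logon.
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
        if ($ekus -notcontains $SmartCardLogon) { continue }

        # Already expired certificates are a logon-failure risk, not just a renewal reminder.
        $state = if ($cert.NotAfter -lt (Get-Date)) { 'EXPIRED' }
                 elseif ($cert.NotAfter -le $Threshold) { 'EXPIRING' }
                 else { 'OK' }
        if ($state -eq 'OK') { continue }

        [pscustomobject]@{
            User       = $user.SamAccountName
            State      = $state
            NotAfter   = $cert.NotAfter
            DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint = $cert.Thumbprint
        }
    }
} | Sort-Object NotAfter
```

Pipe the output to Export-Csv or to the mail step of your choice; a user with an EXPIRED entry and no valid successor certificate will be unable to log on until renewed, so those rows deserve priority.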

Der Krikorian says: “All the complexity associated with allocating, renewing, and remembering passwords has been eliminated. As a result, users enjoy fast, trouble-free access to their applications and data at all times.”

Enhanced Security Across the Operation

All Gemplus users now require a smart card to authenticate themselves and to access applications on the network. As a result, the overall security of IT systems has been significantly improved.

The new system provides a centralised directory of all user security certificates. This provides an up-to-date record of user profiles and access rights, ensuring that only authorised personnel log on to the network.

E-mail signature and encryption features within Microsoft Office Outlook® Web Access give Gemplus suppliers and providers a greater sense of security about the sensitive information they are sharing.

Der Krikorian says: “The security of our system has been enhanced considerably since the installation of our smart card–based PKI. In this regard, the SafesITe solution has surpassed the expectations of both internal and external users.”

Reduced Password Management Costs

The elimination of password-managed network access has significantly reduced IT management costs overall. This is largely because employees no longer forget passwords and place calls to the helpdesk.

Der Krikorian says: “The helpdesk used to be flooded with calls from employees who had forgotten their passwords, especially after holiday periods. Since the deployment of smart cards, the number of helpdesk calls has fallen dramatically, and security has increased as a result.”

External Access to the Corporate Network

The new badge provides secure access to the Gemplus network from any physical location. This has been achieved through remote access with smart cards (RAS). Alongside access to the corporate network using a VPN, Gemplus fitted smart card readers to portable computers. Now, only employees with smart cards can access their accounts from any Internet connection using Outlook Web Access.

Bruno Arabi, Project Manager, Steria, says: “Now, authorised users can connect with the Gemplus network no matter where they are. This provides new opportunities for remote working and ensures that employees remain productive wherever they are.”

Tested and Proven Solution Delivers Network Security for Customers

The SafesITe solution was easily deployed inside Gemplus, as it was originally designed to integrate and comply with existing legacy systems. Today SafesITe has been successfully deployed in many enterprises of different sizes, and with diverse security requirements.

Because the solution is fully compliant with Windows Server 2003, it is ideal for companies working with a Microsoft infrastructure. In addition, it can be deployed in heterogeneous IT environments and on a global scale, meeting the needs of the largest organisations.

Microsoft Windows Server 2003

The Microsoft Windows Server 2003 family helps organizations do more with less. Now you can: Run your IT infrastructure more efficiently; Build better applications faster; Deliver the best infrastructure for enhancing user productivity. And you can do all this faster, more securely, and at lower cost. For more information about Windows Server 2003, please visit: