Microsoft Windows Server 2003
Customer Solution Case Study
IT Security Specialist Deploys Secure Badge Solution to Enhance Company Security
Overview
Country or Region: France
Industry: IT Security
Customer Profile
Gemplus International is the world leader in smart card IT security technologies. The company employs more than 5,000 people worldwide.
Business Situation
Historically, the organisation managed user authentication using passwords. To increase efficiency and enhance security, it wanted to deploy a new smart card authentication system.
Solution
Gemplus implemented a new PKI infrastructure and smart card authentication system built on Microsoft® Windows Server™ 2003.
Benefits
- Enhanced network security
- Secure remote network access
- Reduced helpdesk calls
- Reduced number of passwords
- Simple deployment to new locations

“Since the deployment of smart cards, the number of helpdesk calls has fallen dramatically, and security has increased as a result.”
Anthony Der Krikorian, SecureIT Program Manager, Gemplus
Historically, leading IT security solutions provider Gemplus used passwords to authenticate system users internally. To reduce costs, increase efficiency, and enhance security, it decided to deploy a new authentication system, called SafesITe, based on smart card technology and Microsoft® Windows Server™ 2003. Users now access corporate systems by inserting a smart card and typing a four-digit PIN code. Because users no longer need to remember multiple passwords, calls to the helpdesk have been reduced, and the IT department has realised significant operational savings. Centralised management over user profiles, e-mail systems, Web servers, Wifi, and the virtual private network (VPN) greatly enhances security. Users can also access the corporate network securely from external Internet connections, increasing employee productivity and opportunities for remote working.

Situation

Gemplus is a leading provider of IT security solutions, including smart cards for user authentication. This technology stores the credentials of a system user and requires that a PIN code is entered to identify and authenticate them for access to secure networks. It offers far greater levels of security than passwords, which can be obtained and misused much more easily. There are also significant benefits for users, who no longer need to memorise a string of passwords to access different systems and applications.

As a leading provider of smart cards, Gemplus wanted to deploy the technology to authenticate users internally. As well as ensuring compliance with IT security legislation, this new approach aimed to reduce the costs and complexities associated with traditional password-controlled network access.

Anthony Der Krikorian, SecureIT Program Manager, Gemplus, says: “Password technology could no longer meet our own internal security requirements. We couldn’t expect users to remember increasingly complex passwords, and we could not change them often enough. We were also concerned that the cost of managing them was constantly rising.”

In addition to ensuring secure authentication, Gemplus is required to provide full protection for its Web servers, virtual private network (VPN), wireless network, and e-mail infrastructures. This was a further motivation for deploying the new smart card technology.

Der Krikorian says: “IT security is just as important for us as it is for our customers. That’s why we decided to build a state-of-the-art solution based on a public key infrastructure (PKI) to manage encryption and digital signatures, and smart cards for authentication. It was a clear choice to use the same technologies we recommend to our clients.”

Many elements of the solution had already been developed under the brand name SafesITe. For the internal deployment, the technology became known as SafesITe for Gemplus.

Solution

Gemplus decided to build its new PKI infrastructure on the Microsoft® Windows Server™ 2003 operating system, part of Microsoft Windows Server System™ integrated server software. Microsoft conducted research with Gemplus to integrate smart card authentication into the system. The resulting technology, known as “SmartCard Logon,” supports authentication with a Kerberos ticket encrypted with the smart card certificate.

Der Krikorian says: “For us, this is an outstanding application. It provides the highest levels of protection for all user data and ensures that access to the network remains secure.”

Numerous employees across the company were engaged to scope and design the new PKI infrastructure. It was then deployed on Windows Server 2003, and on desktops running on the Microsoft Windows® 2000 or the Microsoft Windows XP operating systems.

Security “badges” give users access to company systems. They also act as identity cards to determine the user’s access to different areas, such as the marketing or accounting department. These badges also give employees access to vending machines throughout the company.

Der Krikorian says: “Some of our people worked on the physical access controls for badges, while others focused on building a centralised directory of users built on Active Directory® [directory service]. Internal specialists were also deployed to assign digital certificates to employees. Although our IT infrastructure is distributed across 54 physical sites, we were able to handle the deployment centrally using Active Directory, a key element of Windows Server 2003.”

With the technical aspects of the solution in place, new security procedures, such as registration for employees and sub-contractors, were defined and implemented. New procedures for blocked, lost, or stolen cards, and for requests for technical support, were also put in place.

The deployment of the new PKI infrastructure was supported by Microsoft Certified Partners Steria and Exakis. While Exakis helped to share knowledge and prepare operational staff for the migration, Steria was involved in day-to-day support and in interfacing the PKI with e-mail.

Benefits

Microsoft Technologies Offer Clear Advantages Over Open Source Competitors

Gemplus started building its PKI functionality in 2002. At that time, the company conducted some evaluations of open source technologies. Ultimately, Microsoft technology was chosen because competing technologies proved difficult to scale.

John Alvares, Chief Information Officer (CIO), Senior Vice President, Gemplus, says: “When we chose to deploy the Microsoft technology, there were not many other appropriate solutions available. What we were looking for had to be compatible with our SafesITe solution, available on the market, and capable of full integration with our existing architecture. Microsoft offered the best solution available on the market. As we were already working in an environment mainly based on Microsoft technology, the choice was obvious.”

Der Krikorian says: “The Microsoft Certificate Services platform, which is based on Windows Server 2003, is entirely stable, manufacturable, and future-proofed. It also offers a number of components that were ideally suited to our purposes, including a ‘templating’ system for presenting user authentication data.”

Centralised Infrastructure for Global Solution Deployments

Because the entire PKI infrastructure is managed centrally using Active Directory, it can be easily extended to new locations and operational areas.

Der Krikorian says: “Once we have new hardware, such as card readers, in place, the SafesITe solution can be deployed to new areas of the business quickly and easily. This is because it uses native PKI resources provided with the centralised Windows Server 2003 operating system. This flexibility ensures we can extend the system as our requirements evolve.”

New Smart Cards Deliver Benefits for Users

Users at Gemplus no longer need to remember complex passwords to access their applications and systems, as the system is far more secure. Certificates are stored in the smart card and, for added security, are renewed every two years. Users are alerted one month before their certificate is due to expire, so they can renew it quickly and easily online while retaining the same physical smart card.

Der Krikorian says: “All the complexity associated with allocating, renewing, and remembering passwords has been eliminated. As a result, users enjoy fast, trouble-free access to their applications and data at all times.”

Enhanced Security Across the Operation

All Gemplus users now require a smart card to authenticate themselves and access applications on the network. As a result, the overall security of IT systems has been significantly increased.

The new system provides a centralised directory of all user security certificates. This provides an up-to-date record of user profiles and access rights, ensuring that only authorised personnel log on to the network.

E-mail signature and encryption features within Microsoft Office Outlook® Web Access give Gemplus suppliers and providers a greater sense of security about the sensitive information they are sharing.

Der Krikorian says: “The security of our system has been enhanced considerably since the installation of our PKI infrastructure. In this regard, the new solution has surpassed the expectations of both internal and external clients.”

Reduced Password Management Costs

The elimination of password-controlled network access has significantly reduced IT management costs overall. This is largely because employees no longer forget passwords and place calls to the helpdesk.

Der Krikorian says: “The helpdesk used to be flooded with calls from employees who had forgotten their passwords, especially after holiday periods. Since the deployment of smart cards, the number of helpdesk calls has fallen dramatically, and security has increased as a result.”

External Access to the Corporate Network

The new badge provides secure access to the Gemplus network from any physical location. Along with access to the corporate network using a VPN, Gemplus fitted smart card readers to portable computers. Now, only employees with smart cards can access their accounts from any Internet connection using Outlook Web Access.

Bruno Arabi, Project Manager, Steria, says: “Now, authorised users can connect with the Gemplus network no matter where they are. This provides new opportunities for remote working and ensures that employees remain productive wherever they are.”

Tried and Tested Solution Delivers Network Security for Customers

The SafesITe solution created and tested internally by Gemplus is now commercially available and can be deployed at all companies with a requirement to secure their IT systems.

Because the solution is fully compliant with Windows Server 2003, it is ideal for companies working with a Microsoft infrastructure. In addition, it can be deployed in heterogeneous IT environments and on a global scale, meeting the needs of the largest organisations.


Microsoft Windows Server 2003

The Microsoft Windows Server 2003 family helps organizations do more with less. Now you can: Run your IT infrastructure more efficiently; Build better applications faster; Deliver the best infrastructure for enhancing user productivity. And you can do all this faster, more securely, and at lower cost.

For more information about Windows Server 2003, please visit:
www.microsoft.com/windowsserver2003