Microsoft Forefront: Security Products for Business
Customer Solution Case Study
Shoe Manufacturer Improves Access, Enhances Security with Identity and Access Management
Overview
Country or Region: Denmark
Industry: Manufacturing—Clothing and clothing accessories
Customer Profile
Based in Bredebro, Denmark, ECCO is a shoe manufacturer with locations in 91 countries. ECCO has 16,000 employees, and produces and sells more than 17 million pairs of shoes each year.
Business Situation
ECCO sought a solution that would help it to better manage software licenses and user rights. It also wanted a security-enhanced solution for publishing critical applications to remote employees.
Solution
ECCO implemented business-ready security solutions from Microsoft and Omada to manage user identities across its network and automate its licensing management and access processes.
Benefits
·  Streamlined provisioning process
·  Increased internal compliance
·  Reduced software licensing costs
·  Minimized unauthorized access
“By enabling information transparency and by keeping better track of software licenses, we have enabled a robust identity and access management environment.”
Lise Støy Rodil, Global IT Governance Consultant, ECCO
ECCO is a family-owned shoe manufacturer based in Bredebro, Denmark, that sells more than 17 million pairs of shoes each year. The company relied on disparate systems and manual processes to manage software licenses and user rights for its 3,000 computers. Its provisioning process was time-consuming and costly; ECCO found it challenging to manage appropriate user access and comply with internal security policies. To unify identity management processes and improve remote access solutions, ECCO teamed with Microsoft® Gold Certified Partner Omada and implemented identity and access management solutions from Microsoft. As a result, ECCO has streamlined the provisioning process, improved compliance, reduced software licensing costs, and enhanced security.

Situation

Since its humble beginnings in 1963, family-owned shoemaker ECCO has grown to be a world-renowned manufacturer of men’s, women’s, and children’s shoes. The Bredebro, Denmark–based company sells shoes in more than 91 countries, and it owns the entire value chain, including tanneries, factories, and more than 800 retail stores. Approximately 16,000 employees produce and sell more than 17 million pairs of shoes each year.

The global IT department at ECCO plays a critical role in supporting business operations. Aided by local IT and support staff at the company’s regional locations, the IT department manages more than 3,000 desktop and portable computers and 280 servers. The company used the Active Directory® service in Windows Server® 2003 and Microsoft® Systems Management Server 2003 to distribute software to employees across the organization. However, ECCO relied on manual processes to add software packages to the individual computers. As a result of having such disparate processes and data, the company found it challenging to easily provision user access rights to business information and safeguard its systems and data from unauthorized access and security threats. At the same time, ECCO saw an opportunity to improve compliance with its internal security policies.

Managing software licenses and user rights for ECCO employees was time-consuming for the IT department, and the results were often inaccurate and costly. For example, responding to an urgent software or access request could take one day, and provisioning a computer for a new employee could take as long as two weeks. And, because of the manual processes the company used, errors were sometimes introduced, such as improper user rights being granted or incorrect software being installed. “IT administration costs grew in the absence of a system that was unified—it was impossible to efficiently manage licenses and user rights with a manual system,” explains Lise Støy Rodil, Global IT Governance Consultant at ECCO. At the same time, the company realized that it was paying more for software licenses than it needed to because employees had software that they no longer needed.

In addition, when employees moved to other departments or locations, they would often take their computer with them, and IT staff would often add software and user rights without withdrawing those the employee no longer needed, resulting in users potentially having access to business systems or sensitive data unnecessarily. “We saw the danger with granting access rights and not properly withdrawing them,” Rodil says. Even worse, the company found it challenging to ensure that all software licenses were withdrawn from a computer and access to the corporate network shut off when an employee left the company—leaving the company at risk of unauthorized access.

With its disparate systems and manual processes, ECCO lacked data transparency for its IT systems, resulting in some instances of non-compliance with its internal security policies. “We had homebuilt databases to manage requests and manage information for pushing out operating systems, and e-mails, phone calls, and other manual methods to handle identity management processes—it was unstructured,” says Rodil. “We had many different processes, in many different places, making it difficult to get a transparent view of information.” For instance, during a third-party audit of its IT systems, the company found former employees still active in its system. Also, ECCO did not always have accurate records to validate why an employee had specific rights and had to sift through e-mail messages and other documentation to confirm whether the access granted was appropriate.

Besides the significant security challenges ECCO faced with its identity and license management processes, the company also wanted to reduce the number of unmanaged client computers—such as those belonging to external consultants—that could be used to access the corporate network directly through a virtual private network (VPN) connection. Furthermore, the company wanted to publish Microsoft Exchange Server services for its remote employees, but the conventional VPN solution that it used wasn’t sufficient and did not provide firewall protection at the application layer, leaving the corporate network exposed to Internet vulnerabilities.

ECCO sought an integrated, global solution for identity and license management that would help mitigate the risks inherent to manual, disconnected processes. In addition, it wanted to automate the distribution of software licenses and the granting of user rights so that it could efficiently deliver the software that workers need to do their jobs—and hopefully reduce IT administration costs and increase compliance with internal policies. Finally, the company required a more secure solution for publishing line-of-business and productivity applications to remote employees.

Solution

ECCO decided to build on its core infrastructure investment in Microsoft products and technologies to help address the security issues. It chose Microsoft business-ready security solutions to help mitigate IT risks while delivering the tools employees need to do their work. “Looking at other products, everything fell short compared to Microsoft. Capabilities, integration, and scalability—Microsoft won hands-down,” says Alex Mærsk, Microsoft Infrastructure Architect at ECCO.

Easy-to-Provision User Rights

In 2005, ECCO partnered with Omada, a Microsoft Gold Certified Partner specializing in advanced role-based access control and identity governance, to implement a license management and user-rights solution for approximately 2,500 users.

ECCO upgraded to Microsoft System Center Configuration Manager 2007 R2 for enhanced insight into, and management of, its IT infrastructure. Used in combination with Active Directory in Windows Server 2008, System Center Configuration Manager provides the ability to comprehensively assess, deploy, and update servers, client computers, and mobile devices across physical, virtual, distributed, and mobile environments.

On top of Active Directory and System Center Configuration Manager, ECCO implemented Microsoft Identity Lifecycle Manager 2007 to simplify identity management tasks. Identity Lifecycle Manager provides identity synchronization, certificate management, and user provisioning from a single solution. At the topmost layer, ECCO implemented the Omada modules for advanced role-based access control, identity governance, and self-service processes that integrate with the underlying Microsoft infrastructure to provide easy license management and role-based access rights in a single interface.

Enabling Appropriate, Security-Enhanced Access

Now, every time a user joins, transfers, or leaves the company, a corresponding process is prompted by Omada’s Advanced Role Engine, which then creates, deletes, or moves the unique link between user identities, computer objects, and software licenses. This cues Active Directory and System Center Configuration Manager to install, reinstall, and withdraw software while also providing the IT department with statistics generated with live data from Active Directory.

Also, instead of relying on disparate processes managed both globally and locally with manual methods that often led to delays in provisioning software, users can select self-service options to request software. Once a request is approved by a manager, a process is initiated that delivers the software to the user’s computer in less than an hour. When an employee leaves the company, licenses are withdrawn and user rights turned off—helping to ensure that only authorized users can access critical business data.

Increasing Compliance with Accurate Data

Furthermore, ECCO can now take accurate inventories of its computers and software licenses. Previously, IT staff at the subsidiaries would do manual scans of the local infrastructure, calculating license costs in Microsoft Office Excel® spreadsheets. Now, internal audits are much easier: Managers can access compliance reports in Omada Compliance Reporting Center with information pulled from Identity Lifecycle Manager, Active Directory, and System Center Configuration Manager for an easy view of computers, users, and licenses.

Enabling User Productivity with Security-Enhanced Connectivity

ECCO implemented Microsoft Internet Security and Acceleration (ISA) Server 2006 for network edge security and firewall protection at the application layer. With ISA Server 2006, the company can publish productivity software, such as Microsoft Office Outlook® Anywhere and Outlook Web Access, to give employees anywhere, anytime access to important tools. Whereas the previous firewall solution did not offer protection at the application layer, ISA Server 2006 does, which gives ECCO IT staff peace of mind that information remains secure and the corporate network protected from Internet-based threats. “ISA Server 2006 brought us out of the Stone Age in terms of firewall and network security,” says Mærsk.

The company also implemented Microsoft Intelligent Application Gateway (IAG) 2007 to deliver Secure Sockets Layer (SSL) VPN capabilities for remote access. With IAG 2007, ECCO can publish business-critical applications to the Internet and give employees two-factor-authenticated, browser-based access to information they need to do their jobs while away from the office. Currently, ECCO publishes SAP Enterprise Portal, remote desktop, and Omada self-service processes. The company plans to completely eliminate its conventional VPN solution for unmanaged client computers and only publish required applications and services with IAG 2007.

“In addition, we plan to continue to roll out technologies that help enhance identity and access management, such as the next generation of Microsoft Forefront security products,” says Rodil.

Benefits

By implementing solutions from Microsoft and Omada, ECCO is able to automate processes and streamline provisioning. At the same time, it is able to better manage its software licenses with less risk of unauthorized access, helping to improve internal compliance. In addition, the company is able to track its software with accurate data and reduce costs associated with software licensing. Furthermore, the company is able to deliver critical business applications over the Internet with confidence.

Automated Processes Streamline Provisioning

ECCO benefits from streamlined IT management resulting from the automated license and user rights management afforded by Omada and Microsoft business-ready security solutions. For instance, whereas it previously took days to provision a computer for an employee, it now takes about two hours, including application installation.

“We have more than 300 processes that trigger rights, access, and provisioning tasks running each week, helping to eliminate manual tasks. That’s time that IT staff can spend on more strategic tasks, while at the same time we’re ensuring that users have the software and access they need to do their jobs,” explains Rodil.

Better License Management Leads to Improved Compliance

With data from Active Directory and System Center Configuration Manager, ECCO can easily track which software licenses are provisioned to each user at the company. Also, using the Omada module for advanced role-based access control, which is built on Identity Lifecycle Manager, the company can automatically grant software licenses to users who have self-selected software and received managerial approval, and withdraw licenses from employees who no longer need access—all helping to increase the company’s compliance with internal security policies.

With business-ready security solutions, ECCO is confident that user data is accurate, thereby further improving compliance. Previously, with employees entering data into multiple systems, there was a higher probability of data entry errors. “With Identity Lifecycle Manager, the master data is correct in all of the connected systems, and you can rely on the information you have,” says Rodil.

Reduced Software Licensing Costs

Automated processes that simplify provisioning and improve the accuracy of user information and transparency of data all help ECCO better manage its software licenses and save on software licensing costs. “IT administrators and managers all have a unified view of the software licenses being used. By enabling information transparency and by keeping better track of software licenses, we have enabled a robust identity and access management environment,” says Rodil.

Enhanced Network Security

In addition to helping to ensure that only authorized users have access to business systems and data through improved license management, ECCO has also enhanced its network security by shoring up its protection against Internet-based attacks with ISA Server. As a result, the company can move servers out of its DMZ, a physical subset of its network that exposes services to the Internet, and into its internal local area network (LAN). By doing so, ECCO eliminates the need to manually update and manage the servers, which it can now do using System Center Configuration Manager. Plus, by eliminating servers in the DMZ, ECCO reduces the attack surface of its network.