For a FTSE 100 engineering company employing thousands of workers globally, authenticating access used to be a challenge. With a new soft token system, the company has been able to roll out security across its entire business.
Invensys is a FTSE100 engineering conglomerate made up principally of three companies: Invensys Rail, Invensys Controls and Invensys Operations Management. Historically, each of these businesses ran independently and, within them, there were additional separate companies.
Today that has changed with the introduction of a global infrastructure services division across all of the Invensys businesses, with everything managed from a universal perspective. Remote access is one aspect that it is looking at, as a lay function, with the ideal that everyone will one day utilise a single solution and architecture.
Derailed by physical tokens
Three years ago, Invensys Rail was operating independently and relied on a physical token-based system to remotely authenticate its workforce. Even as an outsourced service, it was time-consuming and expensive to operate, with the recurring issue of users not always having the physical token with them when remotely connecting.
The decision was taken to replace the incumbent system. The key criteria were to reduce the cost of physical tokens and condense the amount of time it took to deliver them to the users. Having experienced the pain of physical tokens, Invensys Rail wanted a completely different approach while remaining secure.
Following an evaluation of the potential solutions on the market, the company chose SecurAccess from SecurEnvoy. The system allows Invensys to provide its remote staff with industry-standard two factor authentication without the pain and cost of deploying legacy hardware tokens. Any mobile phone capable of receiving SMS texts – which today is virtually all handsets - is instantly turned into the user’s authentication token. This removes the cumbersome requirment of deploying and managing physical tokens.
David van Rooyen, principal solutions architect responsible globally for all Invensys’ telecommunications-based infrastructure strategy – including its remote access strategy - says: “In the last twelve months I’ve been evaluating all of our global remote access options to bring them together as one system and architecture. With a mix of single factor authentication, physical token two factor authentication and soft token two factor authentication across the various divisions and businesses, you could say we’ve had the opportunity to trial all available options and make an informed choice. Three months ago, the decision was taken to extend SecurAccess beyond Invensys Rail into other areas of the business.”
Although not part of the decision team within Invensys Rail that originally selected the solution, van Rooyen notes that those involved have explained that it ticked all the right boxes: “It was inexpensive, simple and secure.”
In addition to the experience gained when SecurAccess was first deployed at Invensys Rail, a further 100 users were piloted as part of this new migration stage. Using the feedback from this pilot, Invensys has been able to effortlessly and successfully extend the service to 150 users at Invensys Controls, another 550 users at Invensys Operations Management, with further roll-outs planned in the near future.
Van Rooyen adds: “By rolling out SecurAccess in phases, it has helped us develop greater understanding of the process, how our users react to the change in working practice and, as importantly, identify sticking points that keep recurring. In our experience it’s been more about user education and communication as opposed to the challenge of actually migrating users across.”
Switching without pain points
SecurAccess fully integrates into Invensys’ Microsoft Active Directory so integration is simple and requires no schema changes. Using the existing user database, an email is generated complete with manuals attached – one explaining the registration process and the other explaining the remote authentication steps. This is then automatically sent to the users Invensys plans to migrate across.
As additional databases are not required or created, this process reduces costs and simplifies on-going support. Van Rooyen says: “With each new roll-out, we’ve been able to hone the message that users receive that clarifies exactly what’s happening, when and what we need them to do. Any element of the message that has caused confusion previously is corrected moving forwards.”
As software is not required on the users’ phones, complex testing, support and training issues are eliminated. This is particularly relevant as phone interfaces are constantly changing with each new model. However, this was also an area where Invensys’ users required reassurance.
Says van Rooyen: “There were some concerns over the use of their personal mobile phone numbers. However, once we assured them that the number was purely to send their passcode by text message, and that there weren’t any possible security breach risks, their fears and concerns were quickly alleviated. This is another example of how we’ve developed our user outreach.”
Invensys has a few users who for personal reasons - such as poor mobile reception at home or other regular location - prefer to receive their message via email. SecurAccess is flexible enough to accommodate these individual requests seamlessly.
Cost savings are just the ticket
As well as saving Invensys time managing physical tokens, it is also realising substantial cost savings, too. “Provisioning a physical token for one of our users takes around ten days. Compare that with provisioning a soft token, which is five minutes, the man hour reduction is vast. However, even more than the man hour savings, there’s also the cost of the physical tokens and shipping them out, etc,” says van Rooyen.
He adds that, “as part of the process, I’ve completed a full business analysis and the results are quite staggering - $8 per person per month for a physical token against just $2 per person per month for a soft token. When you replicate that across 15,000 to 20,000 users - the savings are in the millions.”
In April 2011 the Global Soft Token VPN Solution was authorised by Invensys’ IT council to be deployed across all of its business groups. SecureAccess will be rolled out across Invensys as part of the single remote access solution, replacing all of its hardware tokens and moving all remote access across to two-factor authentication.
Van Rooyen concludes: “I can’t recommend SecurEnvoy highly enough for its simplicity, seamless integration, unbelievable customer service, keen interest in what their potential customers are doing, future developments and price position. With cost savings in the millions for a hassle free solution - it’s one less thing to keep me awake at night.”