David van Rooyen, Invensys Principal Solutions Architect: “I can’t recommend SecurEnvoy highly enough for its simplicity, seamless integration, unbelievable customer service, keen interest in what their potential customers are doing, future developments and price position. With cost savings in the millions for a hassle free solution – it’s one less thing to keep me awake at night.”
Invensys is a FTSE100 engineering conglomerate made up principally of three companies: Invensys Rail, Invensys Controls and Invensys Operations Management. Historically each of these businesses ran independently and, within them, there were additional separate companies.
Today that has changed with the introduction of a global infrastructure services division, across all of the Invensys businesses, with everything managed from a universal perspective. Remote access is one aspect that it is looking at, as a lay function, with the ideal that everyone will one day utilise a single solution and architecture.
Derailed by Physical Tokens
Three years ago Invensys’ rail division, while it was operating independently, relied on a physical token based system to remotely authenticate its workforce. Even as an outsourced service, it was time consuming and expensive to operate, with the recurring issue of users not always having the physical token with them when remotely connecting.
The decision was taken to replace the incumbent system. The key criteria were to reduce the cost of physical tokens and condense the amount of time it took to deliver them to the users.
Fast Track To Remote Authentication
Having experienced the pain of physical tokens, Invensys Rail wanted a completely different approach while remaining secure.
Having evaluated the alternatives available, it chose SecurAccess. The solution, from SecurEnvoy, allows Invensys to provide its remote staff with industry standard two factor authentication without the pain and cost of deploying legacy hardware tokens. Each user’s phone, capable of receiving SMS texts – which today is virtually all mobile phones, is instantly turned into their authentication token.
This removes the cumbersome onus of deploying and managing physical tokens. David van Rooyen, principal solutions architect responsible globally for all Invensys’ telecommunications based infrastructure strategy – including its remote access strategy, explains, “Although not part of the decision team within Invensys Rail for selecting SecurAccess, those that were have explained that it ticked all the right boxes – it was inexpensive, simple and secure. In the last twelve months I’ve been evaluating all of our global remote access options to bring them together as one system and architecture. With a mix of single factor authentication, physical token two factor authentication and soft token two factor authentication across the various divisions and businesses you could say we’ve had the opportunity to trial all available options and make an informed choice. Three months ago the decision was taken to extend SecurAccess beyond Invensys Rail into other areas of the business.”
In addition to the experience gained when SecurAccess was first deployed at Invensys Rail, a further 100 users were piloted as part of this new migration stage. Using the feedback from this pilot, Invensys has been able to effortlessly and successfully extend the service to 150 users at Invensys Controls, another 550 users at Invensys Operations Management, with further roll-outs planned in the near future.
avid adds, “By rolling out SecurAccess in phases, it has helped us develop greater understanding of the process, how our users react to the change in working practice and, as importantly, identify sticking points that keep recurring. In our experience it’s been more about user education and communication as apposed to the challenge of actually migrating users across.”
SecurAccess fully integrates into Invensys’ Microsoft Active Directory so integration is simple and requires no schema changes. Using the existing user database an email is generated, complete with manuals attached – one explaining the registration process and the other explaining the remote authentication steps. This is then automatically sent to the users Invensys plans to migrate across. As additional database’s aren’t required, or created, it reduces costs and simplifies on-going support. David adds, “With each new roll-out we’ve been able to hone the message that users receive that clarifies exactly what’s happening, when and what we need them to do. Any element of the message that has caused confusion previously is corrected moving forwards.”
As software is not required on the users’ phones it eliminates complex testing, support and training issues. This is particularly relevant as phone interfaces are constantly changing with each new model. However, this was also an area where Invensys’ users required reassurance. David clarifies, “There were some concerns over the use of their personal mobile phone numbers. However, once we assured them that the number was purely to send their pass-code by text message, and that there weren’t any possible security breach risks, their fears and concerns were quickly alleviated. This is another example of how we’ve developed our user outreach.”
Invensys has a few users who, for personal reasons – such as poor mobile reception at home or other regular location, prefer to receive their message via email. SecurAccess is flexible enough to accommodate these individual requests seamlessly.
As well as saving Invensys time managing physical tokens, it is also realising substantial cost savings too. David confirms, “Provisioning a physical token for one of our users takes around ten days. Compare that with provisioning a soft token, which is five minutes, the man hour reduction is vast. However, even more than the man hour savings, there’s also the cost of the physical tokens and shipping them out, etc. As part of the process I’ve completed a full business analysis and the results are quite staggering – $8 per person per month for a physical token against just $2 per person per month for a soft token. When you replicate that across 15-20,000 users, the savings are in the millions.”
Down the Track
In April 2011 the ‘Global Soft Token VPN Solution’ was authorised by Invensys’ IT council to be deployed across all of its business groups. SecureAccess will be rolled out across Invensys as part of the single remote access solution, replacing all of its hardware tokens and moving all remote access across to two-factor authentication.
David concludes, “I can’t recommend SecurEnvoy highly enough for its simplicity, seamless integration, unbelievable customer service, keen interest in what their potential customers are doing, future developments and price position. With cost savings in the millions for a hassle free solution – it’s one less thing to keep me awake at night.”