Austria Card: secure authentication for a security specialist - Vasco
DIGIPASS BY VASCO
Austria Card Case Study
Austria Card: secure authentication for a security specialist
Data security is an issue in every company; however, in some industries it may be more essential than in others. As a competence center for the development and production of chip cards for electronic payments and identification, Austria Card GmbH uses the highest security standards. To prevent unauthorized access, Austria Card secured its corporate network with two-factor authentication using VASCO’s VACMAN authentication software and DIGIPASS devices.

About fifty employees make regular use of the remote access facilities to access Austria Card’s corporate network. They are mainly a mobile workforce, so-called road warriors, who need to access business-critical data from hotel rooms or public hotspots. Additionally, other employees occasionally require remote access, for instance to access the production planning and the ERP system after hours from the home computer. Similarly, system administrators require secure access due to the nature of their activities. Furthermore, a number of suppliers and partners also use remote access to reach Austria Card’s systems for maintenance purposes.
EXISTING SOLUTIONS WERE TOO COMPLEX

The adequate protection of remote access requests has always been a high priority at Austria Card. However, the existing solution proved to be too complex and unstable when the number of users increased.

“The solution used certificates which had to be stored on the end-user’s PC,” explains Thomas Höher, CISO at Austria Card. This was the main reason for Austria Card to look for a new solution. “The use of certificates was too complex for our users. Furthermore, client software had to be installed on every PC. As this software was anchored deep into the system it affected the overall system in a negative way in certain situations.”

Together with Technovisie, the sister company responsible for IT, the decision was taken to look for another solution that would secure remote access to the network in a user-friendly way and would therefore be easily accepted by the end-users.

A solution based on two-factor authentication using one-time passwords best met the requirements. Through joint development projects, Austria Card already had some contacts with VASCO. On top of that, the colleagues from Technovisie who were responsible for the implementation had already successfully employed and used DIGIPASS.

The simplicity and stability of the solution, as well as the recommendations from the Belgian colleagues, were deciding factors for choosing the VASCO authentication solution, which would work with the SSL VPN appliance from Juniper.
ONE-TIME PASSWORDS ARE THE SOLUTION

For secure remote access each employee or partner received a DIGIPASS. When they log on, the DIGIPASS generates a one-time password which is used for authentication and which is only valid for about half a minute. VACMAN Middleware, the authentication server at Austria Card, will check the credentials and allow or block the access to the Juniper appliance. A policy has been defined on the Juniper appliance to determine who can access what type of data and applications.

When logging on, the VASCO solution ensures that the user really is who he says he is. VACMAN Middleware is also used as the central user repository from where user access can quickly be blocked if needed. When this happens, the end-user will no longer be able to authenticate himself. As a result, all the permissions to use the network and the applications will become obsolete.

The new remote access solution deployed by Austria Card is very easy to use for employees. Each time they log on, they will have to generate a new one-time password at the push of the button. The solution requires no installation of software on PCs or laptops and it eliminates the cumbersome handling of certificates. Since there is no physical connection between the PC and the DIGIPASS, it is even impossible for hackers to manipulate the DIGIPASS when the PC has been compromised. Even a password which has been intercepted by a key logger is useless, considering the password can only be used once.
OUTSTANDING USER ACCEPTANCE

“Our users are happy they no longer have to deal with certificates,” says Thomas Höher. “The new solution is absolutely reliable and a huge relief for the employees. It brings us a real security improvement, since the previous solution was rather a one-and-a-half-factor authentication solution than a true two-factor authentication solution.”

On the server side, the VASCO solution is also very easy to maintain. The central authentication platform VACMAN verifies the authentication requests and provides central user administration. It requires few resources: at Austria Card VACMAN Middleware runs on virtual Windows 2003 servers using VMware ESX. VACMAN supports RADIUS servers as well as the Novell eDirectory already used by Austria Card. As a result the integration of the authentication solution into the existing environment went smoothly.

“VACMAN was installed and configured within the hour. The entire implementation, including the integration with our Novell environment, went smoothly,” said Thomas Höher. “And when we needed help, we got it fast and to-the-point from VASCO.” “But also in daily use the system is easy to manage,” Thomas adds. “I can explain our remote access solution to an administrator in about two minutes.”

The new solution has been fully operational since the end of March 2010. As soon as the last DIGIPASS was handed out, we started planning the next project. As a member of the Lykos Group, Austria Card is responsible for the planning of a company-wide project management system which needs to be remotely accessed by many employees. For this project Austria Card plans to link the RADIUS server of the Belgian sister company to its own remote access solution, enabling employees to access both networks with a single authentication device. Employees from other involved companies in other countries will be equipped with a DIGIPASS device to use the central project management system.
Objective
The replacement of a complex, certificate-based authentication solution with a secure and user-friendly remote access solution.

Challenge
The new solution should not only be safe and user-friendly, it also had to support the planned introduction of a multi-site project management system. The authentication to multiple RADIUS servers should be possible with a single authentication device.

Solution
Austria Card chose the combination of VASCO’s VACMAN Middleware and DIGIPASS: a strong two-factor authentication solution using one-time passwords to secure remote access to the company’s network and resources.

About Austria Card
Austria Card GmbH is a member of the Lykos Group and subsidiary of the center for the development and production of chip cards for electronic payments and identification of the Austrian National Bank (OeNB). For future proof security, the company creates new procedures on topics such as e-payment and digital signature. The focus on payments and identification strengthens its expertise in the timely implementation of complex projects in an international context. Traditional core competencies such as card production, personalization and logistics under high security conditions are, in addition to the development of chip-based application software and operating systems, the pillars of sustainable success.
About VASCO
VASCO is a leading supplier of strong authentication and e-signature solutions and services specializing in Internet Security applications and transactions. VASCO has positioned itself as a global software company for Internet Security and designs, develops, markets and supports patented DIGIPASS®, DIGIPASS PLUS®, VACMAN®, IDENTIKEY® and aXsGUARD® authentication products. VASCO’s prime markets are the financial sector, enterprise security, e-commerce and e-government.

www.vasco.com

BRUSSELS (Europe)
phone: +32 2 609 97 00
email: info-europe@vasco.com

BOSTON (North America)
phone: +1 508 366 3400
email: info-usa@vasco.com

SYDNEY (Pacific)
phone: +61 2 8061 3700
email: info-australia@vasco.com

SINGAPORE (Asia)
phone: +65 6323 0906
email: info-asia@vasco.com

VACMAN®, IDENTIKEY®, aXsGUARD®, and DIGIPASS® are registered trademarks of VASCO Data Security. All trademarks or trade names are the property of their respective owners. VASCO reserves the right to make changes to specifications at any time and without notice. The information furnished by VASCO in this document is believed to be accurate and reliable. However, VASCO may not be held liable for its use, nor for infringement of patents or other rights of third parties resulting from its use. © 2010 VASCO. All rights reserved.