Invensys on Track with Soft Token Remote AccessSecurEnvoy 14/12/2011 Archive
Invensys is a FTSE100 engineering conglomerate made up principally of three companies: Invensys Rail, Invensys Controls and Invensys Operations Management. Historically each of these businesses ran independently and, within them, there were additional separate companies. Today that has changed with the introduction of a global infrastructure services division, across all of the Invensys businesses, with everything managed from a universal perspective.
Remote access is one aspect that it is looking at, as a lay function, with the
ideal that everyone will one day utilise a single solution and architecture.
Derailed by Physical Tokens
Three years ago Invensys’ rail division, while it was operating independently,
relied on a physical token based system to remotely authenticate its workforce.
Even as an outsourced service, it was time consuming and expensive to
operate, with the recurring issue of users not always having the physical token
with them when remotely connecting. The decision was taken to replace the
incumbent system. The key criteria were to reduce the cost of physical tokens
and condense the amount of time it took to deliver them to the users.
Fast Track To Remote Authentication
Having experienced the pain of physical tokens, Invensys Rail wanted a
completely different approach while remaining secure. Having evaluated the
alternatives available, it chose SecurAccess – the remote access solution, from SecurEnvoy. This allows Invensys to provide its remote staff with industry standard two factor
authentication without the pain and cost of deploying legacy hardware tokens.
Each user’s phone, capable of receiving SMS texts – which today is virtually
all mobile phones, is instantly turned into their authentication token – creating
tokenless® two factor authentication.
This removes the cumbersome onus of deploying and managing physical
tokens. David van Rooyen, principal solutions architect responsible globally
for all Invensys’ telecommunications based infrastructure strategy – including
its remote access strategy, explains, “SecurAccess ticked all the right boxes
– it was inexpensive, simple and secure.” In addition to the experience gained
when SecurAccess was first deployed at Invensys Rail, a further 100 users
were piloted as part of this new migration stage. Using the feedback from this
pilot, Invensys has been able to effortlessly and successfully extend the service
to 150 users at Invensys Controls, another 550 users at Invensys Operations
Management, with further roll-outs planned in the near future.
David adds, “By rolling out SecurAccess in phases, it has helped us develop
greater understanding of the process, how our users react to the change in
working practice and, as importantly, identify sticking points that keep recurring.
In our experience it’s been more about user education and communication as
apposed to the challenge of actually migrating users across.”
As software is not required on the users’ phones it eliminates complex testing,
support and training issues. This is particularly relevant as phone interfaces
are constantly changing with each new model. As well as saving Invensys
time managing physical tokens, it is also realising substantial cost savings
too. David confirms, “Provisioning a physical token for one of our users takes
around ten days compared with five minutes provisioning a soft token, so the
man hours are vastly reduced as well as the costs of shipping them out. I’ve
completed a full business analysis and found that $8 per person per month is
what it was costing for a physical token versus $2 per person per month for a
soft token. When you replicate that across 15-20,000 users, the savings are in
Down the Track
In April 2011 the ‘Global Soft Token VPN Solution’ was authorised by Invensys’
IT council to be deployed across all of its business groups and SecureAccess
rolled out across Invensys as part of the single remote access solution,
replacing all of its hardware tokens and moving all remote access across to
tokenless® two-factor authentication. David concludes, “I can’t recommend
SecurEnvoy highly enough for its simplicity, seamless integration, unbelievable
customer service, keen interest in what their potential customers are doing,
future developments and price position. With cost savings in the millions for a
hassle free solution – it’s one less thing to keep me awake at night.”