Signify have outstanding reputation for delivering secure, reliable and flexible two-factor authentication which is quick and easy to deploy.
Contact information
Address
Endeavour House
Chivers Way
Histon
Cambridgeshire
CB24 9ZR
Telephone: +44 (0)1223 472 572
Email: info@signify.net
Website: www.signify.net
Case Studies
Secure remote access for Lovells
Signify provides flexible strong authentication for legal clients and staff
Lovells is one of the world’ s leading international law firms, with over three thousand people operating from 26 offices in Europe, Asia and the United States, advising many of the world’s largest corporations, financial institutions and government organisations. With such a global reach, the firm’s professionals need immediate access to information and resources, while at the same time, the firm needs to be reassured that the data is highly secure. Initially, Lovells ran and managed RSA token-based authentication servers inhouse but as demand for 24x7 nonstop access grew, this was proving time consuming and demanded more specialist skills and resources, and the decision was made to outsource RSA SecurID operations.
Alleviate IT strain by outsourcing: “We look to focus our resources on
core business applications and see the benefit in outsourcing specific IT processes and management functions to specialists, if they can prove their reliability and trustworthiness,” said Stuart Robbins, Information Security Analyst. “Signify’s thoroughness was impressive and they managed the migration from our in-house RSA ACE systems to their service very smoothly and quickly.”
Convenient, cost effective system: “Our users want an easy to use system that is always available, while our IT department need a highly secure and reliable solution that is simple to deploy, manage and scale; and that’s what Signify gives us” commented Warner Beekmeyer, Network Security Manager. “The automation of token logistics saves us real time and cost,” added Stuart Robbins.
Easy IT Management: Since the initial migration of a few hundred staff and tokens in 2006, demand has grown rapidly and Signify now authenticates more than 1500 users worldwide including staff and partners as well as third party clients and advisors using the Extranet services. From a technical perspective, Lovells’ Citrix and Extranet servers are configured to communicate with Signify’s ‘in the cloud’ Authentication Service over encrypted connections, while Lovells’ IT and HR administrators can manage every aspect of the service via the Signify Identity Management Centre (IMC) web
portal. “The Signify managed service has provided us with a secure, fault resilient and easy-to-use remote access service and has freed up our in-house IT teams to focus on other key challenges,” said Warner Beekmeyer.
Simple administration and role delegation: “We can enforce our corporate security policy, add or remove users and delegate management responsibility to local administrators thanks to Signify’s powerful IMC," said Stuart Robbins. "The reporting tools provide all the service visibility and usage information we need, as the IMC lets us track and trace every token.”
Looking to the future: Lovells is now looking at other ways it can extend the use of the Signify service, including securing WiFi access points
within its main global offices and providing secure but token-less authentication of contractors third-party and other temporary users, using Signify’s Passcode OnDemand service.
By potentially extending this mobile phone-based service to all staff on a short term ‘In Case of Emergency’ basis, Signify may even be able to help Lovells Disaster Recovery planning and minimise any interruption to business caused by major incidents or disasters whether due to extreme climate, transport disruption or terrorist threats.
Lovells Case Study_FINAL.pdf 1.13 MB
Kier Group plc Kicks the Password Habit
Identity Management Security outsourced using the Signify Managed Authentication Service As a leading international building and civil engineering contractor, Kier Group plc employs 7000 people worldwide and has an annual turnover in excess of £1.4bn. Kier Group’s growth has been achieved organically and by acquisition. This has led to the existence of many autonomous companies, all with their own systems and security.
The business case?
Critical to Kier’s success is the secure access it provides staff who are working remotely, often with limited IT infrastructure, to project information held on central servers. Kier recognised that their old system of a basic managed dial service from BT, with user authentication based on standard passwords, was becoming increasingly vulnerable, difficult to manage and would no longer scale-up to the challenge.
The solution?
RSA SecurID was the preferred solution and Kier evaluated the costs and overheads of managing an in-house RSA SecurID system against a fully managed service. The unanimous decision was taken to choose Signify’s managed service. Implemented for more than 1,000 executives, engineers and site workers, Signify now supports remote access from the UK and worldwide. Users have secure sign-on to a wide variety of systems and services including web based email, IPSEC VPN and Kier specialist industry applications. Terry Walker, Kier Group IT Director said “The decision to choose the Signify managed service was pretty simple. Their focus in this area offered all the features that we needed and delivered a 24 x 7 service for far less than the real in-house cost”. that the solution they chose had to offer fully integrated management of the entire token lifecycle. “The Identity Management Centre (IMC) is superb. It gives us all the central security policy control we need from HQ while allowing us to delegate the day to-day user management to local administrators at each site who know who should be allowed access and who should be switched off.” commented Walker.
Measuring ROI…
The benefits to Kier have been numerous. The Signify IMC has enabled Kier to centralise the distribution of tokens and lets their administrators quickly switch user accounts on and off should the need arise. The IMC gives them secure web browser access to a full audit trail showing who has access to the systems and when they have been connected. None of this was possible with their original dial-up, password based system.
Flexibility, control and cost– key decision drivers
One of the key drivers in considering Signify for secure authentication was to separate out the provision of remote access from the authentication process. Kier regularly review suppliers and it was important to ensure that they retained the option of changing access suppliers
without the overhead of also changing the authentication method as well. Walker explained, “With an in-house authentication service we realised we would need to train our already overstretched IT team on new technology, and we’d have the logistical burden of rolling out security devices to a widespread user base and also the need to provide those users with ongoing 24x7 support. It would have been a challenge for us to offer this when we should be concentrating on ‘our day job’.” “It’s ideal because users can be granted access to one or several of our remote access services, and they use their single, secure Signify ID to log in at all points. It reduces their stress because they don’t have to remember different passwords to access different systems, and it vastly improves our position from an auditing and security standpoint.“ explained Walker.
Centralised policy, delegated administration
With Kier centrally maintaining its security policy but delegating user management to its subsidiaries, it became apparent
In Summary
Outsourcing authentication and identity management to Signify means Kier have found they have not had to recruit people with skills in this area. This not only keeps costs down but their existing IT staff are able to focus on the applications that are core to their business without the burden and headache of rolling out security devices to a widespread and remote user base. “Signify has provided us with a complete identity management service rather than just another authenticationproduct”, said Walker.
Kier Group_Case_Study_FINAL.pdf 418.28 kB
Signify oils the wheels of authentication for Vopak
Vopak uses strong authentication provided by Signify for secure remote access
With a history dating back almost four centuries, Royal Vopak is the world’s largest independent tank terminal operator specialising in the storage and handling of liquid and gaseous chemical and oil products. Vopak operates 80 terminals in 32 countries with a storage capacity of more than 26 million cubic metres serving the major shipping routes.
The company is headquartered in The Netherlands but is a truly international organisation reaching across Europe, Middle East and Africa, Asia, China and the Americas. With more than 3,500 employees spread across the globe operating from different sites and often on the move, good communications and anytime, anywhere access to corporate resources and information is a priority. For Lambert Caljouw, Enterprise Architect
at Vopak, strong authentication using two-factor authentication (2FA) was essential, requiring two distinct proofs of identity before granting access. The other decision taken by Lambert Caljouw was to outsource this specialist function.
Recognising outsourced expertise:
“Vopak is not an IT company and our strategy is to focus on our core business and outsource specific services to companies that can deliver reliable, flexible and efficient services,” says
Lambert Caljouw. For its 2FA services, Vopak selected Cambridge-based Signify to provide hosted token-based authentication service that avoids any up-front hardware or software costs and handles all the deployment and management.
Simple passwords are not enough:
For Vopak, like other high-value international businesses, providing remote
access can not compromise security. In particular, Vopak always recognised that simple password access to potentially sensitive data and resources was not tenable. If someone’s username and password are hijacked, that person’s entire digital identity is vulnerable and the attacker instantly acquires all of the victim’s access privileges.
Easy to use, anytime access:
So far, over 500 Vopak employees from around the world have been issued with small RSA SecurID tokens from Signify – usually carried on a key ring – that produces a new unique one-time passcode (OTP) every 60 seconds. By using this, along with their known username and secret PIN, Vopak staff can identify themselves and gain immediate access to authorised resources. This ranges from giving senior executives and account managers anywhere, anytime access to their email, to providing in-house and third-party IT support teams with access facilities for remote service and maintenance.
Hassle free and reliable managed
service: Signify’s Identity Management Centre (IMC) web portal allows users to manage their own accounts and gives Vopak administrators the ability to enforce security policy, add or remove users and delegate management responsibility to regional or departmental managers, as well as providing the reporting tools to track each token and monitor usage information.
And for Lambert Caljouw, a good managed service is one that needs no
managing and delivers a reliable 24x7 service. “With our previous provider,
some of the tokens would run out of synchronization that could cause
problems. Because the support staff is not round-the-clock, a forgotten password or a lost token would often cause significant delays in sorting it out. Signify handles everything from dispatching devices and rights administration to handling lost tokens or forgotten passwords. It’s a no-hassle solution and if a user does lose a token, Signify provides them with emergency access by delivering a onetime passcode to a mobile phone, PDA or PC by SMS or email.”
Expanded application for business benefits:
The benefits of these secure remote access services are also accelerating
Vopak’s plans to roll out further services. For example, staff working at storage terminals and offices in the Netherlands can use the same Signify token to access business applications and documents from their home PCs or laptops. This is achieved through a Citrix Access Gateway giving users access as if they were sitting at
their desks in the office.
Increased efficiency and flexibility:
“Having full remote access to local resources increases efficiency and flexibility while also providing Vopak staff with a better work/life balance,” says Lambert Caljouw. “We are now looking to replicate the solution in other regions by allowing local secure
Practical option for global organisations:
“The demand for more remote access and flexible working is highlighting the problems of using simple static passwords for user authentication,” said Dave Abraham, CEO of Signify. “Vopak is one of a growing number of major global organisations that is reaping the benefits deploying two-factor authentication through a managed service to deliver a wide range of services without up-front investment or ongoing in-house expertise and support.” For Vopak, having a trouble-free service means that it can focus on doing what it does best – fulfilling a crucial part of the energy supply chain for businesses all around the world.
Vopak_Case_Study_FINAL.pdf 928.64 kB
Calderdale & Kirklees Careers see bright future for 2FA
Signify’s strong authentication saves time and money
Calderdale & Kirklees Careers has been providing a wide range of careers services to young people and adults since 1995. Its key objective is to reduce the numbers classified as not in education, employment or training (NEET) in the area. Its professionally trained careers advisers work at every educational establishment and it is essential that they have immediate and reliable access to details about the people they are working to help, along with up-to-date information on education, training and job
opportunities. And because of the personal nature of information held on its client database, this access must be totally secure.
Calderdale & Kirklees Carriers had been providing remote access through an ISDN connection. This was a point-to-point connection, so security was not a problem. But it was an extremely expensive solution, with each of the 46 schools and colleges requiring a leased line costing £1,000 a year. Not only that, it lacked flexibility because staff could only get remote access while working at one of the established sites.
Alleviate IT strain by outsourcing:
Calderdale & Kirklees Careers turned to independent IT specialist Dataplex for help. It was immediately clear that getting rid of ISDN and using the internet connections at the schools and colleges would drive down costs. Of course, this made security an issue and to ensure that sensitive data could not be compromised it was decided that strong authentication would be essential. Not having the internal resources needed to set up, manage and deal with the logistics of a two-factor authentication solution, was a major reason for selecting Signify’s managed service. No additional internal staff or training were needed because Signify handles everything from the logistics of despatching devices and rights administration to handling lost devices and forgotten passwords. Dropping the ISDN lines meant an
immediate 50% saving. Including all of the costs of deploying and running the Signify service, plus the small fee for using the internet connections at Calderdale & Kirklees Careers has seen a saving of around 30% of the total cost of providing this essential remote access.
Cut costs and enable greater flexibility: “The new solution has certainly significantly brought down our costs,” said Andrews. “But it has also provided us with far more flexibility through the added advantage of anytime, anywhere access to anything the user is authenticated to access. This is invaluable. For example, when one of our senior managers was in Budapest
and some very important work needed to be done, he was able work as if he was at his desk just using his laptop and a wireless connection. So it’s not just our careers advisers that are using Signify it is anyone on the move or working from home.”
Effortless, cost-effective IT Management: The changeover from ISDN lines to secure access from anywhere with an internet connection proved to be seamless and has
continued to work without any problems. Today over 100 tokens are in regular use. All upgrades and changes are handled centrally through Signify’s Identity Management Centre(IMC). This enables the internal IT helpdesk at Calderdale and Kirklees to easily manage the issue of tokens, handle user problems and enforce security policy. Reporting tools are also provided to track each token and monitor usage information.
Expanded application and improved services: The system was implemented over three years ago and has proved so cost effective and easy to use that it has recently been expanded to include others working within the remit of the Connexions contract. This includes people employed directly by the local authorities, who are now able to access the client database securely. “We thought this would be complicated, but just like the initial implementation it was simple. Authenticated external users are now accessing our database through Signify. It is not only saving money but it has helped to improve the service we deliver.” Andrews concluded
Calder&Kirklees_Case_Study_FINAL.pdf 954.53 kB
Southwark Borough Council shows the way for secure remote access
Signify provides two-factor authentication for secure access to sensitive information
The London Borough of Southwark is one of the busiest and most demanding metropolitan authorities in the country. Southwark sits close to the prosperity of the Cities of London and Westminster but has all the social and economic challenges presented by a dense inner city area with a population of over 250,000. With a staff of some 5,500 people, Southwark
Borough Council has embarked on ambitious social and physical regeneration programmes, together with initiatives aimed at reducing crime and improving educational standards, health, housing and he environment.
The importance of flexible working: Key to delivering high quality, cost-effective services is Southwark’s strong commitment to harnessing technology to provide flexible working and speed up bureaucratic processes and ‘paperwork’. And with staff working around the Borough out of some 190 different sites and offices, the benefits to both the Council and its staff of being able to access information and resources securely from anywhere and at anytime was clear.
Alleviate IT strain by outsourcing: The first remote access initiative in Southwark was pioneered by the Social Services department and gave council staff remote access to client files using dial-up and ISDN connections. The nature of the application presented a big challenge; with sensitive personal information involved, security could not be compromised. That’s when Southwark and its IT solutions provider Serco, turned to Cambridge-based Signify to provide a secure user identification and authentication solution.
Secure access to sensitive information: “Working from home or in the field, we could not rely on staff using simple passwords to log into personal client files,” said Richard Heap, Business Partnership Manager at Southwark Borough Council. “The trouble with static passwords is that many people simply write them down or use something easy to remember such as the name of a child or pet and that is easily compromised. It was vital that we provided a secure two-factor authentication alternative.”
Easy to use, instant access: Two-factor authentication involves something ‘you know’ along with something ‘you have’. In the case of Southwark staff, this is a small RSA SecurID token from Signify – usually carried on a key ring – that produces a new unique one-time passcode (OTP) every 60 seconds. By using this, along with their known user name and secret PIN, Southwark staff could safely gain immediate access to the information they required.
The Social Services department is still a major user, particularly as it has recently moved to full electronic case recording. This means all forms and reports are filled in and filed electronically. But instead of social workers having to head back to the office and work late to do the electronic ‘paperwork’, they can easily do the work on the move or from home.
Expanded application for improved services: The Social Services system proved successful and inspired Southwark to drive ahead with other remote access applications. In fact, today Southwark has some 740 registered Signify users and the old dial-up and ISDN technology has been replaced by broadband and a powerful CISCO Virtual Private Network (VPN). Other applications range from providing executives access to email through a simple web browser on a home PC to delivering a full set of applications to a Southwark-managed laptop using a VPN client and Citrix Access Gateway. This effectively gives users the same desktop look and feel and access to authorised applications as if they were sitting at their desks in the office.
To provide even greater flexibility, the Council is also trialling a mobile broadband solution using T Mobile 3G cards. This means that work can be done literally on the move. For example, the Home Improvement teams can travel around to residents in the borough and file assessments and maintenance requests instantly. While all registered users currently have a RSA SecurID token, Signify also provides a token-less Passcode OnDemand Service for less frequent users, Passcode OnDemand delivers a one-time passcode on request to a mobile phone, PDA or email box by SMS or email.
Hassle free hosted service: “Delivering a 24x7 two-factor authentication service takes much more than simply running some servers; you need to mix policy, procedures, logistics and support to keep remote users happy and working productively around the clock,” says Richard Heap. “Using Signify’s managed service means that they handle everything from dispatching devices and rights administration to handling lost tokens or forgotten passwords. It’s simply a no-hassle solution.” Signify’s Identity Management Centre (IMC) web portal allows users to manage their own accounts and gives Richard Heap and his team the ability to enforce security policy, add or remove users and delegate management responsibility to departmental managers, as well as providing the reporting tools to track each token and monitor usage information.
Looking to the future: “We still have many more plans for deploying remote access applications,” says Richard Heap. “In addition to enhancing our services and improving business efficiency and productivity, the ability to provide more flexible working arrangements for hard-working staff is proving extremely valuable and popular.” Reflecting the shift to flexible working patterns, next year the Council is moving into new offices that will have 1,800 desks for 2,100 staff. “It does not make sense for everyone to have a desk if more people are working away from the office,” says Richard Heap.
A viable choice for public authorities:
“Southwark is a great showcase for demonstrating the potential of secure remote access for public authorities,” says Dave Abraham, CEO at Signify. “We are working closely with Serco, who provide outsourced and managed IT solutions to major private and public sector organisations, to meet the growing demand for more flexible and secure home and mobile working. Other customers include The London Borough of Tower Hamlets, Walsall Housing Group and Wales and West Utilities. “The good news is that more public sector organisations are realising that passwords are not enough and the two-factor message is getting through,” concludes Abraham.
Southwark_Case_Study_FINAL.pdf 878.28 kB
Whitepapers
Why strong authentication is essential for Citrix® remote access
The popularity for Citrix® remote access systems is due to the increased demand from our users to provide Anywhere Access to our most sensitive business systems. We need to allow our trusted users to connect to our core business applications from any convenient computing device across any public Internet or wireless link, and Citrix technology is making this much easier to deliver. However, this new Anywhere Access approach puts the Identity of our users at the centre of our security model, with the critical question being: ‘Is each remote user really who they claim to be?’
For many organisations rolling out VPNs, Web Portals and Extranets, the classic ‘username and password’ combination is all that stands between their most sensitive business information and hostile prying eyes. Static passwords can provide only ‘weak authentication’ of a user’s identity. They must be re-used every time the user logs in and can be easily snooped, phished, cracked or guessed by an attacker. If the password can be acquired by snooping the user’s network connection or installing a simple keyboard logging device or Trojan software on the user’s machine, then the password can be reused by the
attacker time and time again. Once someone’s username and password has been hijacked, that person’s entire digital identity is vulnerable and the attacker instantly acquires all the privileges of his/her victim. All this can happen without the victim being aware that their password has been compromised and, if the attacker is careful, no-one may ever know that the attack has happened. With the weak authentication provided by standard passwords you can never be really sure that a user is who they claim to be.
Stronger forms of authentication credentials that a user can present to rigorously
validate their identity can take many forms: a one-time passcode, a token,
smartcard, biometric or any combination of these factors.
Typically a user must present two different forms of credential:
• Something the user knows: a secret PIN or passwordplus
• Something the user has: a unique token, smartcard, mobile phone, PDA or other uncloneable device
Despite the claims of the various manufacturers – there’s no one form of strong authentication credential that is ideal for all users and applications.
Why Strong Authentication is Essential for Citrix Remote Access .pdf 181.62 kB
Why strong authentication is essential to secure SSL VPN’s
The popularity for SSL VPN systems is due to the increased demand from our users to provide Anywhere Access to our most sensitive business systems. We need to allow our trusted users to connect to our core business applications from any convenient computing device across any public Internet or wireless link, and SSL VPN technology is making this much easier to deliver.
However, this new Anywhere Access approach puts the Identity of our users at the centre of our security model, with the critical question being: ‘Is each remote user really who they claim to be?’
For many organisations rolling out SSL VPNs, the classic ‘username and password’ combination is
all that stands between their most sensitive business information and hostile prying eyes. Static
passwords can provide only ‘weak authentication’ of a user’s identity. They must be re-used every time the user logs in and can be easily snooped, phished, cracked or guessed by an attacker. If the password can be acquired by snooping the user’s network
connection or installing a simple keyboard logging device or Trojan software on the user’s machine, then the password can be reused by the attacker time and time again.
Once someone’s username and password has been hijacked, that person’s entire digital identity is vulnerable and the attacker instantly acquires all the privileges of his/her victim. All this can happen without the victim being aware that their password has been compromised and, if the attacker is careful, no-one may ever know that the attack has happened. With the weak authentication provided by standard passwords you can never be really sure that a user is who they claim to be.
Stronger forms of authentication credentials that a user can present to rigorously validate their identity can take many forms: a one-time passcode, a token, smartcard, biometric or any combination of these factors. Typically a user must present two different forms of credential:
• Something the user knows: a secret PIN or password plus
• Something the user has: a unique token, smartcard, mobile phone, PDA or other uncloneable device
Why_Strong_Authentication_is_Essential_for_SSL_VPNs.pdf 268.87 kB
Products
RSA SecurID from Signify
Signify delivers the market leading token based two-factor authentication system, RSA SecurID, as a fully hosted service. We make it easy to securely identify your users using token based authentication, with a service that reliably authenticates users 24 x 7. This allows you to quickly meet your security needs and comply with industry regulations.
RSA SecurID is an ideal solution for users who need to rely upon getting secure remote access from any computer.
RSA SecurID From Signify.pdf 770.88 kB
Signify Passcode Ondemand
Signify Passcode OnDemand delivers tokenless two-factor authentication by turning any mobile phone or Blackberry® into an authentication device. Our service makes it easy to securely identify users by confirming that they have their phone or Blackberry with them and as a fully hosted service we ensure that the service works securely and reliably for you.
Passcode OnDemand is ideal for users who need secure remote access but either don’t want to carry a token, or are infrequent users who may not look after a token as well as they look after their own phone.
Signify Passcode OnDemand.pdf 617.59 kB
Signify Software Tokens
Signify Software Tokens deliver market leading RSA two factor authentication by turning a smartphone (BlackBerry or Windows Mobile) into a strong authentication token. Our service makes it easy to securely identify users 24 x 7 by confirming they have their smartphone with them. As a fully hosted service we ensure that the service works securely and reliably.
Signify Software Tokens are ideal for users who need secure remote access from any computer, but don’t want to carry a token in addition to their other mobile devices.
Signify Software Tokens.pdf 984.08 kB
Signify ICE
Emergency situations, ranging from snow days to pandemics to terrorist attacks can put remote access solutions under extreme pressure. Remote access is essential in everyday business, but even more so when considered as a part of disaster recovery (DR) or business continuity management (BCM) planning. A major part of this planning is enabling staff, who don’t normally do so, to work from home.
Pressure arises from not only providing extended remote access in an emergency, but also the security controls around how your network is accessed – the last thing you want to do during such incidents is add to your risk by exposing your sensitive data and information to unauthorised user access.
Signify ICE, The In Case Of Emergency Service, enables you to respond to an incident and carry on with business as usual without the need to compromise your existing security stance.
Signify ICE.pdf 1.67 MB
Signify Overview
Since 2000, Signify has built an outstanding reputation for delivering secure, reliable and flexible two-factor authentication which is quick and easy to deploy. We have an extensive client base across many sectors including major multi-national corporations, small and medium sized businesses, professional services, central government and local authorities.
Signify’s Authentication Service
Signify’s fully hosted authentication service delivers a choice of token and tokenless authentication services, with flexible options to meet different needs, budgets and working patterns. This makes it easy for our customers to provide the appropriate form of authentication to suit each group of their users.
Signify Overview.pdf 477.81 kB
