Biometric logical access strengthens secure systems at the Department of Agriculture, Forestry & Fisheries.
A recent Ernst & Young report confirmed that the greatest security threat to organisations comes from current or ex employees. With a wave of retrenchments flowing from the economic downturn, over 75% of the companies surveyed in Ernst & Young’s 2009 Global Information Security Study expressed concern that disgruntled employees could sabotage their employers’ systems. Despite this, just a quarter of organisations were taking steps to improve security around their physical and logical assets.
One government organisation ahead of the game is the Department of Agriculture, Forestry & Fisheries, which, earlier this year, became one of the first government departments in the country to implement a converged biometric physical and logical access system. The Budgets and Reporting Directorate at the Department’s Head Office in Pretoria is responsible for managing the organisation’s financial system control functions including the logons to PCs and secure applications used by the finance, HR and supply chain management directorates.
In order to ensure that its applications are secure, the Department – as in the case of all government organisations – applies a strict password management policy for all staff who log onto its computer systems.
For years, managing these passwords had been a thorn in the system controller’s side. With logon credentials for the government’s transversal systems, including BAS, Persal and LOGIS, changing every 15 to 30 days, the incidence of forgotten passwords was significant, resulting in lockouts and associated downtime. Resetting forgotten credentials placed an unnecessary administration burden on the relevant helpdesks, distracting the technical support team from more pressing tasks.
An audit of password procedures and risks revealed a number of significant security concerns. Not only was staff writing their passwords down, but the close proximity of workstations to each other meant it was relatively easy for users to borrow or use each other’s login IDs and passwords. By removing the need for logon credentials to be recalled or typed the Department will enhance access security and reduce password misuse.
Frailties in the physical access control system securing the workspace used by many key system users, raised a secondary concern – that non-authorised individuals could gain access to the area. Following an RFQ process in 2008, the Department commissioned Praxis IT Solutions to implement a secure sign-on solution to replace the need for passwords to be entered manually.
Praxis proposed that the Department implement a logical access, biometrics fingerprint secure password management solution. The product SecureSignOn was used, a secure password management solution developed in South Africa by SuperVision Biometric Systems and Sybu Data.
The initial phase of the project saw a biometric solution, which operates with the Sagem MSO1300 desktop fingerprint reader, installed on more than 100 PCs. This replaced all passwords, from the initial PC log on to credentials for each application with a fingerprint logon. To resolve the access control need, Sagem MA520 biometric terminals running SuperVision’s physical access control software were installed at the entrance and exit doors leading to the workspace for LOGIS users.
As all SuperVision software applications are fully integrated, this ensured that the Department was able to deploy a truly converged access control policy through which staff could only log onto their PCs if they had first been authenticated at the physical access point. Similarly, when staff left the building their PCs would automatically be logged off when they passed through the door.
The Department was impressed that the implemented solution was able to integrate with most of the applications used, including the emulator and disconnected logins with no custom scripting or development. Active Directory is used as the primary authentication engine, eliminating the need to build a separate repository to store credentials and other data needed to validate users’ logon requests.
The solution’s automated password change facility allows the system to automatically generate new strong passwords when old ones expire reducing the likelihood of passwords being hacked by guesswork or brute-force. With users not even knowing the password, there is no chance that Post-It notes with confidential logon credentials will be left lying around the office.
As well as enhancing security, the solution – SecureSignOn significantly reduced lockouts stemming from confusion over which password goes with which application, and has virtually eliminated password complaints for enabled applications. Furthermore, time masking rules applied to the physical access control solution mean that staff could only be granted access to their workspace during designated office hours, eliminating the opportunity for people to be in work areas when not properly supervised.
According to Praxis IT Solutions CEO, Wikus Engelbrecht, having a single point of take on for PC and physical security systems is a significant value add insofar that access rights can now be removed centrally in the event of staff leaving the organisation. The entire solution strengthens the Department’s application security and more importantly, adds a level of non-repudiation to the process. Fingers (unlike passwords) cannot be transferred between individuals creating a stronger, more accountable environment. A further advantage is that it is a homegrown South African solution, which is consequently able to quickly and proactively react to the changing local market.
Engelbrecht says that he sees the usefulness of this system for many other departments and organisations. “It is the first of its kind in the country and solves many of the security issues that trouble large organisations. This solution directly addresses problems which are typical headaches for organisations such as the lack of integration between physical and logical access control, user problems of having to remember multiple passwords, ensuring users create strong passwords, managing forgotten passwords, and the impossibility of controlling borrowed passwords.”
Security and access control can be streamlined and automated, says Engelbrecht, alleviating some of the current challenges these departments feel. “When you come to work all you have to remember to bring with you is your finger.”
Government – Department of Agriculture, Forestry & Fisheries.
Scale of project
Phase one of a broader project entailed installing secure sign on solution on over 100 PC and providing physical access control to one work area.
SuperVision PC Log On and Secure Sign On Modules operating in conjunction with Sagem MSO1300 fingerprint readers for desktop and application access and SuperVision Physical Access Control Module in conjunction with Sagem MA520 terminals for physical access control.
Securing physical access to work areas to restrict access to authorised staff only; Restricting access to PCs and applications to enhance security while removing the requirement for staff to remember passwords, thus improving efficiency and reducing opportunity cost of re-issuing logon credentials.
For more information contact Charlie Stewart, SuperVision Biometric Systems, +27 (0)21 913 6075, www.supervision.co.za
© Technews Publishing (Pty) Ltd | All Rights Reserved