4-page Case Study - Posted 9/6/2007
Views: 6510
Rate This Evidence:
Northwest Airlines Improves Remote Access with Easy-to-Manage Security Solution
Northwest Airlines (NWA), a major international carrier, wanted to improve security and provide its mobile work force better access to Web-based applications and e-mail. The need to remember multiple passwords and manually log off from shared client devices was a hindrance to employees and presented potential security risks. The company was also using a variety of tools and filters to try to provide secure connectivity, and it needed a solution that was less costly to operate and easier to manage. In response, NWA implemented Microsoft® Internet Security and Acceleration Server 2006. With the solution in place, employees now need only a single password to open e-mail and other critical applications, and idle connections close automatically. The company has also reduced IT costs by taking advantage of integrated security, connectivity, and management features.
Situation
 |
Using ISA Server 2006 allows us to access Web applications easily from home or, in the case of pilots and crews, from hotels. All they need is access to the Internet.  |
|
|
Wendy Lou
IT Security Architect
Northwest Airlines |
|
|
Northwest Airlines is one of the world’s largest airlines with 40,000 employees and hubs at Detroit, Minneapolis/St. Paul, Memphis, Tokyo, and Amsterdam. Northwest is a member of SkyTeam, an airline alliance that offers customers one of the world’s most extensive global networks. Northwest and its travel partners serve more than 1,000 cities in excess of 160 countries on six continents.
The airline’s mobile work force depends on remote access to e-mail and intranet applications for managing schedules and human resources information.
NWA served its remote users with a complex technology environment that was costly and difficult to manage. The airline published more than 60 Web applications that were remotely available to employees, and it provided remote access to e-mail for 14,000 workers. NWA personnel needed to access common business applications and more specialized tools. For example, employees typically check flight schedules, plan vacations, and review payroll information online. Unlike employees in other industries, however, many NWA employees seldom use corporate applications in a conventional office environment. A pilot’s “office” might be at home, an airport, or a hotel—anywhere there is an Internet connection. NWA employees also use a variety of client devices to get online. Some devices might belong to the individual, but employees can also log on from shared devices such as those found in airport kiosks or Internet cafes.
Maintaining tight security with remote access means enforcing strict authentication policies. NWA employees using their own devices needed to supply a physical token (a smart card) as well as a password. Connectivity also required the installation of client software so that employees could connect to the airline’s network through a virtual private network (VPN). Managing remote authentication was cumbersome for both users and administrators, who had to cope with issuing and managing tokens, installing client software, and assisting users. The cost and burden of supporting the authentication process indicated to Wendy Lou, IT Security Architect at Northwest AirlinesAirlines, that “NWA needed an easier way for people to securely access applications remotely.”
In addition to a more simplified authentication procedure, NWA wanted to reduce the number of passwords that employees needed for application access. According to Lou, “We have multiple applications, and everybody had too many passwords and too many logons. Our goal was to make it so that once an employee logs on to our intranet home page, he or she doesn’t have to log on again to use another application.” NWA also wanted an automatic timeout feature to safeguard both the network and remote users, who risked exposing personal information by forgetting to log off from shared devices.
The airline spent considerable resources on developing a filter to accomplish single sign on (SSO) and timeout, and it also purchased an off-the-shelf product. Costly and challenging to manage and support, the combined filters did not work well with multiple applications. Moreover, they were yet another piece of technology that had to be maintained and upgraded.
The airline also hoped to improve session management through the use of delegated authentication. In this scenario, user credentials would automatically be passed to servers such as IBM WebSphere Application Server and other application and Web servers that the airline uses. NWA wanted a solution that would integrate smoothly with existing technology, thereby providing easier administration, better security, and improved access to published Web applications.
Solution
To create a solution that integrated with existing technology, provided highly secure remote access to Web applications, and was easy to deploy, NWA turned to Microsoft® Internet Security and Acceleration (ISA) Server 2006. The airline had been introduced to ISA Server features in late 2003, when it began deploying Internet Security and Acceleration Server 2004.
Using ISA Server 2004 had helped the airline consolidate its servers at corporate headquarters in Minneapolis, and NWA was interested in implementing the next version, Internet Security and Acceleration Server 2006. The airline wanted to take advantage of the enhanced remote access and security features of ISA Server 2006, which integrated with its current technology infrastructure.
With ISA Server 2006 deployed, NWA is using some of its forward-proxy features, including enhanced built-in security filters and improved Web page load times through HTTP traffic compression and caching. However, the airline currently places more priority on features supporting remote access to published Web applications. NWA has integrated ISA Server 2006 with its Web applications and Microsoft Office Outlook® Web Access, a component of Microsoft Exchange Server 2003. Automatic timeout and SSO features have been a primary focus of the integration. NWA also integrated ISA Server 2006 with its authentication mechanisms, including the Active Directory® service.
NWA began implementing the beta version of ISA Server 2006 in April 2006 and servers were deployed in production in August 2006. In addition, NWA has implemented forms-based authentication, a feature of ISA Server 2006 that gives administrators the ability to customize the logon page. With the exception of Outlook Web Access, forms-based authentication was not available in earlier versions of ISA Server. In the past, NWA used basic authentication, which Lou describes as “just a little gray box that has a user ID and password on it.”
She continues, “There was no place for us to put our logo, Help information, or links. It was a big problem; we had a lot of complaints from our users and our developers.” To compensate, the airline had used a third-party solution to support forms-based authentication. NWA replaced that ancillary tool with features built into ISA Server 2006, and the new logon page includes graphics and links to Help information about issues such as lost passwords.
The airline has also taken advantage of the delegated authentication capabilities inherent in ISA Server 2006 to provide smooth access to applications managed by IBM WebSphere Application Server and other Web and application servers that the airline uses. Because ISA Server 2006 can pass identity information to other servers, employees are able to access those servers’ applications without needing to log on to each one separately. In effect, with ISA Server 2006, once remote employees log on to NWA’s intranet home page, they are able to quickly access e-mail or open other necessary applications stored on different servers.
Benefits
By implementing a solution based on ISA Server 2006, Northwest Airlines simplified the administration of published Web applications, which helps reduce costs and improves security through enhanced authentication and management tools. With the scalable architecture, the airline can quickly adapt to fluctuating access demands by using Web publishing load balancing to easily deploy servers as needed. As a result, remote employees are benefiting from smooth access to vital Web applications. “For example, pilots are able to log on once to the intranet home page, check their schedules, and then book a flight to the scheduled airport,” explains Lou. “At the same time, pilots are able to check for important crew news or the weather conditions at the airports. This can all be done at home, a hotel, or any airport crew base.”
|
Because policies are shared by multiple servers, I need to make changes on only one, at one place. In the past, I had to make changes on each individual server. I don’t have to do that anymore. |
|
|
Wendy Lou
IT Security Architect
Northwest Airlines |
|
|
Easier-to-Manage, Streamlined Administration
Using ISA Server 2006, Northwest Airlines has cut costs and simplified administration by reducing its reliance on stand-alone security and management tools. By taking advantage of integrated features such as single sign-on access and forms-based authentication, the airline can more effectively manage highly secure access while reducing management overhead for thousands of tokens and security add-ons. NWA has already eliminated thousands of tokens issued to VPN users, simplifying maintenance and cutting hardware and administration costs.
The airline also benefited from streamlined server administration. Lou points out that the proxy server solution running ISA Server is easier to manage. She notes, “Because policies are shared by multiple servers, I need to make changes on only one, at one place. In the past, I had to make changes on each individual server. I don’t have to do that anymore.”
Future application deployment will also be simplified with automated deployment tools. For example, ISA Server 2006 has added a publishing wizard that simplifies configuration of Outlook Web Access. Wizards are available for other Microsoft server offerings, including Microsoft Office SharePoint® Server 2007.
With ISA Server 2006, NWA has experienced the benefits of operating a more streamlined technology environment. “ISA Server is easy to implement and very easy to support,” says Lou. “Reducing reliance on the third-party add-ons will actually make continued implementation much easier.”
Improved Security
Security and administration has also been improved with automated Web publishing tools and enhanced certificate administration, helping the airline integrate ISA Server 2006 with Web servers and the Microsoft Exchange Server environment. Better certificate administration has made it easier to authenticate users and manage access to multiple applications through the different client devices used by NWA employees. In addition, automatic timeout has helped ensure that whatever device is used, whether shared or privately owned, employee information and corporate data will protected.
Scalable Architecture
As Northwest Airlines continues to make changes to its operating environment, ISA Server 2006 has given the airline the flexibility to adapt quickly. Lou says, “As more applications have become Web based and remote access is increasingly required by our vendors and contractors, ISA Server has enabled us to publish Web applications easily and effectively.”
New features such as Web publishing load balancing make it easy for the airline to deploy more Web server farms as needed, while the ability to balance access demands helps ensure that remote employees receive continuous service. Adding new ISA Server computers to accommodate growth is also easily accomplished. Lou explains, “I feel pretty comfortable that if we need an additional server, we’ll just join it to the existing array. Because all of the configuration can be done quickly, I can add capacity very easily.”
Smoother Access for Remote Employees
ISA Server 2006 is helping to provide secure remote access to e-mail and intranet applications for more than 40,000 Northwest Airlines employees, suppliers, and vendors. Indeed, remote employees at Northwest Airlines have enjoyed quick, convenient access to vital information from nearly any location. Single sign-on access and the ability to use practically any device with a browser and Internet connection have helped employees stay connected. Lou says, “Using ISA Server 2006 has allowed us to access Web applications easily from home or, in the case of pilots and crews, from hotels. All they need is access to the Internet. I think that’s the biggest advantage for us.”
Lou continues, “The airline industry is a very competitive market. We need to be able to adapt to changes quickly and cost-effectively. With ISA Serve 2006, we can deploy Web applications easily, more securely, and with lower costs to meet the access requirements from our employees, vendors, suppliers, and partners.”
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com
For more information about Northwest Airlines products and services, call (800) 225-2525 or visit the Web site at:
www.nwa.com
Microsoft Forefront Product Portfolio
The Microsoft® Forefront™ comprehensive line of business security products provides greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. Forefront is a comprehensive solution that helps provide protection for the client operating system, application servers, and the network edge.
For more information about the Forefront product portfolio, go to:
www.microsoft.com/forefront
This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published August 2007
