4-page Case Study - Posted 2/7/2008
Views: 964
Rate This Evidence:
Government Agency Uses New Easy Solution to Improve Remote Access and Security
Sociale Verzekeringsbank (SVB) administers social security and other benefits to citizens of the Netherlands. Some of the organization’s 3,500 employees work from Dutch embassies in other countries. To access the SVB network remotely, some SVB employees had relied on a virtual private network (VPN) solution, which did not integrate well with the SVB IT infrastructure. Additionally, connection to a specific VPN application for remote administration was manual and time-consuming, and the solution was not secure enough. In June 2007, SVB implemented Microsoft® Intelligent Application Gateway 2007, a security product that simplifies remote access. SVB now has easier remote access, improved security, and centralized IT administration. As a result, SVB has streamlined IT management and can deliver new applications to remote users faster than before.
Situation
 |
Because we know that IAG 2007 will help us present new applications to remote users through an SSL VPN portal, we no longer worry about security.  |
|
|
Edwin Strijland
IT Specialist
SVB |
|
|
Sociale Verzekeringsbank (SVB), headquartered in Amstelveen, the Netherlands, is the public implementing body for social insurance in the Netherlands. The organization, which has 3,500 employees, administers social security and other benefits to citizens. SVB pays out approximately €29 billion (U.S. $40.7 billion) to more than 4.8 million customers annually.
Although the majority of SVB employees work from offices throughout the Netherlands, a growing number of the company’s workers need to access corporate e-mail and documents from remote computers, including devices that run Windows Mobile® 5.0 for Pocket PC.
In addition, about 40 employees work in countries that have high numbers of Dutch citizens, such as Morocco, Turkey, Spain, and Surinam. These employees work from Dutch embassies or hotels in these countries, updating and processing documents for insurance beneficiaries.
Until recently, all SVB users, including some SVB IT employees, accessed the corporate network from Web browsers through a virtual private network (VPN) connection. Once in the network, employees can use proprietary applications such as a portal application through which they access their Microsoft® Exchange Server 2003 e-mail using Microsoft Office Outlook® Web Access. Employees also used the portal to access and download corporate documents through an HTML-based application.
However, because of stringent new corporate security demands, employees were no longer allowed to access and download documents through this application. “These documents have confidential customer information and may not be seen by the public,” says Strijland. As a result, SVB needed to use this portal to publish Microsoft Office 2003 and other applications, through Windows Server® 2003 Terminal Services.
However, that proved to be challenging. The organization had experienced implementation difficulties with the third-party VPN solution it was using, because it was positioned more as a network appliance instead of an application appliance. SVB IT administrators struggled with the process of publishing new applications through this appliance, and the company needed external expertise to customize applications to integrate with the VPN appliance.
The VPN solution also had problems associated with the security of the remote administration process. For example, the IP tunnel used in the remote administration solution was found to be unsafe. In addition, the process of connecting through this solution was time-consuming and not user-friendly. “We were spending too much time on that process,” says Edwin Strijland, IT Specialist, SVB. “First, we had to create a tunnel, and then we had to use a manual process to make a connection to specific servers or computers.”
For these reasons, effective endpoint security and easier application publishing and administration were increasingly critical for SVB. As a result, the company decided to look for a new solution.
Solution
|
With IAG 2007, it is easier for remote employees to get onto the network and start working right away. Connecting remotely is a smooth and fast process. |
|
|
Edwin Strijland
IT Specialist
SVB |
|
|
In May 2007, SVB learned about Microsoft Intelligent Application Gateway (IAG) 2007, a new solution that simplifies remote access. IAG 2007, part of the Microsoft Forefront™ line of business security products, provides Secure Sockets Layer (SSL) virtual private network functionality, a Web application firewall, and endpoint security management capabilities.
SVB implemented IAG 2007 in June 2007, temporarily using the solution alongside its existing VPN appliance. B-able, a Microsoft partner based in the Netherlands, advised SVB to use a security appliance from Network Engines, a Microsoft Gold Certified Partner based in Canton, Massachusetts. The appliance supports IAG 2007, giving SVB a reliable way to provide strong, secure access to its core applications.
SVB also implemented Microsoft Internet Security and Acceleration (ISA) Server 2006, which integrates with IAG 2007 to provide remote users with browser-based access to corporate applications without the need for client installation and provisioning.
SVB published Microsoft Outlook Mobile Access through ISA 2006, so remote employees can access e-mail and other files on their devices that run Windows Mobile® 5.0 for Pocket PC. SVB used the Kerberos Constrained Delegation feature of ISA 2006, which enhances authentication security by eliminating the need for users to provide credentials twice. SVB administrators can use this technology to synchronize these devices through the IAG 2007 solution.
SVB also implemented the Terminal Services feature of Windows Server 2003, which gives users the ability to access documents on remote computers over a network and provides administrators with remote administration capabilities.
The organization also used the IAG 2007 Intelligent Application Optimizer for Terminal Services, which provides additional functional controls over user actions such as local printing. The Optimizer features support for Windows-based logon scripts.
With these new capabilities, employees can use a single sign on to quickly and easily log on to a VPN and gain access to Web-based applications, such as a corporate Intranet, on the SVB corporate network. SVB administrators can now publish Microsoft Office 2003 applications for employees.
The solution also gives IT administrators the ability to enforce compliance with application and information usage guidelines. It does this through a customized remote access policy based on device, user, application, or other criteria.
In September 2007, SVB began using IAG 2007 as its sole solution for managing remote access and to help protect the private social security information of 4.8 million Dutch customers.
Benefits
With Microsoft Intelligent Application Gateway 2007, SVB has a solution that provides employees with easy remote access to corporate applications. The organization now has improved remote access security that is centrally managed. Additionally, SVB administrators have streamlined IT management capabilities and can provide new applications to remote employees more quickly.
|
It used to take months for us to add a new application, because we had to hire external expertise to assist us. Now it only takes a few weeks, because of IAG 2007. |
|
|
Edwin Strijland
IT Specialist
SVB |
|
|
Fast, Secure, Easy Access
IAG 2007 gives SVB employees easy remote access to Outlook Web Access and the applications they rely on. For example, it provides users with a single logon to quickly access the network from wherever they are working. “With IAG 2007, it is easier for remote employees to get onto the network and start working right away,” says Strijland. “Connecting remotely to terminal servers is a smooth and fast process.”
Also, the IAG Intelligent Application Optimizer for Terminal Services makes the formerly frustrating manual sign-on process automatic for IT employees needing to access the solution for remote administration purposes. “It previously took a full minute to log on to the SVB network. It only takes a few seconds with the IAG 2007 solution, and we can gain easy access to the information we need,” says Strijland. “IT employees can just turn on their computers and not have to worry about authenticating over and over.”
Integrated, Improved Security
The IAG 2007 Intelligent Application Optimizer for Terminal Services also provides SVB with improved remote-access security. By using central terminal servers, remote users can access and edit files stored on corporate file shares. “Our remote employees can securely access all the documents and data they need through a single portal link,” says Strijland. “Because we know that IAG 2007 will help us present new applications to remote users through an SSL VPN portal, we no longer worry about security.”
SVB IT administrators can automatically configure application access based on the user account, user group membership, or security state of the specific computer that the user is connecting from.
In addition, IAG 2007 features technology that clears the browser cache after each session termination, without requiring user intervention. The product also offers security capabilities such as an integrated event logger that records user activities and sends administrators alerts about security events. The solution also contains technology that helps protect server computers from Internet-based attacks. “These IAG 2007 features provide us with much stronger security,” says Strijland.
Centralized, Efficient IT Management
SVB IT administrators now have centralized IT management capabilities with IAG 2007, because the product integrates with the organization’s Active Directory® service. “Our identity management solution is also connected to Active Directory, so overall remote administration is much more centralized than before,” says Strijland. “We can use the same security groups and user accounts for all users now.”
With the ability to centrally manage remote access and security through IAG 2007, SVB IT department employees have a less complex, more streamlined process for IT administration. “With IAG 2007, everything is easier for us to control,” says Strijland. In particular, SVB administrators find it easier to configure remote access policies and to get statistics and reporting information about how much time our users spend on specific applications.
Faster Application Availability
Now that they have improved security and easier IT management, SVB administrators can deliver new applications to remote users much faster. “It used to take months for us to add a new application, because we had to hire external expertise to assist us,” says Strijland. “Now it only takes a few weeks, because of IAG 2007. With this solution, we will definitely be able to implement more applications and deliver them to remote users much faster,” he says. With the deployment of IAG 2007, SVB estimates a productivity increase of 10 percent for IT staff members that administer and implement remote access and Internet solutions.
In fact, SVB plans to publish a new application for users that contains confidential customer data. “Because of the easily managed endpoint security capabilities in IAG 2007, we will be able to do that,” says Strijland.
Partner Involvement
B-able, a Microsoft partner and software solution provider based in the Netherlands, specializes in IT security management solutions. B-able is a certified reseller of Microsoft Intelligent Application Gateway (IAG) 2007 and Network Engines appliances.
For More Information
For more information about Microsoft products and services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (877) 568-2495. Customers who are deaf or hard-of-hearing can reach Microsoft text telephone (TTY/TDD) services at (800) 892-5234 in the United States or (905) 568-9641 in Canada. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information using the World Wide Web, go to:
www.microsoft.com
For more information about B-able products and services, visit the Web site at:
www.b-able.nl
For more information about Sociale Verzekeringsbank products and services, visit the Web site at:
www.svb.nl
Microsoft Forefront Product Portfolio
The Microsoft Forefront comprehensive line of business security products provides greater protection and control through integration with your existing IT infrastructure and through simplified deployment, management, and analysis. Forefront is a comprehensive solution that helps provide protection for the client operating system, application servers, and the network edge.
For more information about the Forefront product portfolio, go to:
www.microsoft.com/forefront
This case study is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.
Document published February 2008
