4-page Case Study - Posted 8/22/2008

Banca Carige

Integrated Solution Eases Path to Increased Security for Leading Italian Bank

As the sixth-largest banking group in Italy, Banca Carige must maintain a constant focus on security. When the bank decided to implement strong, two-factor authentication based on smart cards, it needed a solution that would minimize the associated costs and complexity. Banca Carige met that need with Microsoft® Identity Lifecycle Manager 2007, which the bank is using to deploy and manage the smart cards for its 6,600 employees. Banca Carige was able to easily begin realizing the security benefits provided by smart cards, including the ability to store and manage both internal and third-party digital certificates on a single card. The solution supports the bank’s organizational structure and processes, integrates with existing IT assets, is highly reliable and easily managed, and can be built upon to improve security in new ways.

Situation

Banca Carige S.p.A., one of five banking and insurance companies in the Banca Carige Group, is one of Italy’s oldest banks, with more than 500 years of tradition. Headquartered in Genoa, Italy, Banca Carige has more than 2 million customers, 6,600 employees, 641 branch offices, and 43 billion euros in total deposits.

“We chose Identity Lifecycle Manager 2007 because it was the only solution that met all our needs.”

Daniele Balbo
Director of Information and Communication Technology, Banca Carige

As a financial institution, Banca Carige must maintain a constant focus on the security of its information. One key component of the bank’s security strategy is the improvement of its internal identity and access infrastructure, which, until recently, relied on user names and passwords to authenticate employees. In 2007, to improve security, Banca Carige decided to implement strong, two-factor authentication based on smart cards containing digital certificates, and it began to look for a single solution that could meet all its needs.

“A strong, two-factor authentication will help us improve user accountability and will clearly be an increasingly important component of our security strategy,” says Bruno Lavagna, Chief Information Officer at Banca Carige Group. “We needed a single solution that could support two-factor authentication for all employees, as well as a small number of users who were already using third-party digital certificates to sign legal documents. Key solution requirements included a good balance between ease of use and increased security, as well as the flexibility to support our unique organizational structure and internal processes.”

Solution

Banca Carige met its needs by deploying Microsoft® Identity Lifecycle Manager 2007, a certificate and smart-card management solution that builds on the Active Directory® service and Certificate Services in Windows Server® 2003 to provide a single solution for implementing strong, two-factor authentication across the bank’s 641 branch offices and for more than 6,600 employees. “We examined several options, including expanded use of our third-party certificate provider, but that option didn’t fully meet our requirements for flexibility and security,” says Daniele Balbo, Director of Information and Communication Technology Governance at Banca Carige. “We chose Identity Lifecycle Manager 2007 because it was the only solution that met all our needs.”

Implementation

Work to deploy Identity Lifecycle Manager 2007 began in the summer of 2007, when Banca Carige began working with Microsoft Services on a proof of concept to validate that the product could indeed meet all its needs. “From the very beginning of the project, Microsoft Services provided valuable assistance, helping us to find a solution that could also support the digital certificates for electronic signature provided by our third-party provider,” says Balbo. “Microsoft Services also helped us to define the right workflows for smart-card provisioning and management and to map them to the functionality of Identity Lifecycle Manager 2007.”

Full-scale deployment began in November 2007. As of June 2008, Banca Carige has deployed smart cards to about 400 users, including most employees in its corporate headquarters. The bank plans to deploy smart cards to 3,000 employees by the end of December 2008 and to 6,000 users by the end of March 2009. Deployment of the smart cards is being combined with the rollout of a new front-office solution based on the Windows® operating system.

“The overall implementation process will consist of two main phases,” says Balbo. “In phase one, which is almost completed, we’ll deploy smart cards to all users. Phase two is a planned, long-term effort to eliminate, wherever and whenever possible, user names and passwords to make the smart cards the only means of authentication for all users in the company.”

“Identity Lifecycle Manager 2007 greatly simplifies the deployment and management of smart cards, enabling us to increase security with a minimum of added complexity and costs.”

Bruno Lavagna
Chief Information Officer, Banca Carige Group

Banca Carige is deploying Microsoft Office Communications Server 2007, which, when used with video cameras installed in each branch, will enable employees who forget their smart cards to enroll a temporary card. “If an employee forgets a smart card at home, a supervisor will give that employee a blank one,” says Balbo. “The employee will then use a kiosk at the branch to establish a video session with our central help desk, where the support representative will validate the person’s identity against a picture in our human resources system before enabling the temporary card for the day.”

Architecture

The smart cards used by Banca Carige are provided by Siemens. Identity Lifecycle Manager 2007 resides on two load-balanced server computers running the Windows Server 2003 operating system. Those servers are supported by a shared database cluster running Microsoft SQL Server® 2005 data management software, which provides storage services for other security-related applications as well, such as Rights Management Services for Windows Server 2003. Preexisting solution components that Identity Lifecycle Manager 2007 takes advantage of include the bank’s Active Directory–based infrastructure—consisting of one forest and two domains, with all users in the child domain—and a separate certificate authority server running Certificate Services in Windows Server 2003 and the Identity Lifecycle Manager 2007 snap-in. Identity Lifecycle Manager 2007 also will support Certificate Services in Windows Server 2008 as the bank’s needs evolve over time.

Benefits

By deploying Identity Lifecycle Manager 2007, Banca Carige was able to easily begin realizing the security benefits provided by strong, two-factor authentication, with the added advantage of being able to support both internal and third-party digital certificates on a single smart card. The bank’s use of Microsoft software has yielded a solution that supports its organizational structure and processes, integrates with existing IT assets, and is highly reliable and easily managed. Furthermore, Banca Carige now has a solution that it can build upon in the future to further improve information security.

Increased Security

The implementation of strong, two-factor authentication based on smart cards will help Banca Carige increase security. By requiring the combination of two factors, one of which is something the user has (that is, the smart card itself) and the other is something the user knows (that is, the PIN), the authentication mechanism is more secure than simple user names and passwords alone. “Two-factor authentication based on smart cards is more secure than user names and passwords,” says Lavagna. “However, the complexity of deploying, managing, and maintaining a smart-card solution can be challenging, especially on an enterprise level. Identity Lifecycle Manager 2007 greatly simplifies the deployment and management of smart cards, enabling us to increase security with a minimum of added complexity and costs.”

Two Certificates on One Card

The ability to store and manage two digital certificates—one for network logon and the other for digitally signing legal documents—on one card is another benefit stemming from the bank’s decision to use Identity Lifecycle Manager 2007. Although all 6,000 users will eventually use smart cards for access to network resources, a much smaller number will use their smart cards for both purposes. “Support for multiple certificates from different certificate authorities on one card is a key benefit of Identity Lifecycle Manager 2007,” says Balbo. “Without that capability, some users would have needed two cards, and we would have to maintain a separate solution for a relatively small number of users.”

Flexible Workflow Customization

Using Identity Lifecycle Manager 2007, Banca Carige was able to easily integrate smart cards into its IT infrastructure, customizing the provisioning and management of the digital certificates on those cards in a way that supports the company’s internal structure, processes, and workflows. Features of Identity Lifecycle Manager 2007 that were especially useful included delegated request and approval, and a self-service portal for resetting and unblocking smart-card PINs. “It’s not always easy to change our internal processes, so we need a solution flexible enough to accommodate them,” says Balbo. “We were able to easily configure Identity Lifecycle Manager 2007 to support our own workflows.”

“With Identity Lifecycle Manager 2007 deployed, it will be relatively simple to implement new network services based on smart-card authentication.”

Bruno Lavagna
Chief Information Officer, Banca Carige Group

Foundation for Additional Security Services

The implementation of Identity Lifecycle Manager 2007 has also put a number of additional security enhancements easily within the bank’s reach. Thanks to the tight integration of Identity Lifecycle Manager 2007 with the Windows Server platform, Banca Carige can easily extend its use of strong, two-factor authentication to areas such as logging on to its Windows domain, virtual private network authentication, and wireless LAN security—just a few of many applications that can take advantage of the existing work that Banca Carige has done so far. “With Identity Lifecycle Manager 2007 deployed, it will be relatively simple to implement new network services based on smart-card authentication,” says Lavagna. “One area we’re considering is installing wireless networking in our branches.”

Ease of Management

Banca Carige will be able to easily manage its new solution, thanks to the portal functionality provided by Identity Lifecycle Manager 2007, which provides tools for IT professionals to administer the entire certificate and smart-card life cycle—from card enrollment to certificate retirement, revocation, and audit. Integrated features for automated inventory management and auditing will help the bank to further reduce the administrative burden of supporting strong, two-factor authentication. “Now that we’re into the deployment phase, there’s not a lot of ongoing technical effort,” says Balbo. “When deployment is complete, we’ll be able to manage the solution with one person.”

Other Benefits

Other benefits provided by the bank’s decision to use Identity Lifecycle Manager 2007 include:

  • High availability. By taking advantage of features such as load balancing and clustering, Banca Carige was able to implement a solution that will deliver the superior availability needed for enterprise-wide identity and access management.
  • Integration with existing IT infrastructure. Identity Lifecycle Manager 2007 enabled Banca Carige to minimize the cost of deploying, managing, and maintaining a certificate-based infrastructure by taking advantage of—and integrating with—existing IT assets, such as Active Directory and Certificate Services in Windows Server 2003.
  • Rapid implementation. By taking advantage of Microsoft Services expertise in applying the capabilities of Identity Lifecycle Manager 2007, Banca Carige was able to begin deploying its new security solution in only a few months.

Microsoft Server Product Portfolio

For more information about the Microsoft server product portfolio, go to: www.microsoft.com/servers/default.mspx

Solution Overview



Organization Size: 6600 employees

Organization Profile

Banca Carige S.p.A. is the sixth-largest banking group in Italy, with more than 2 million customers and 43 billion euros in total deposits. Based in Genoa, Italy, the bank has 6,600 employees, 641 branches, and 376 insurance outlets.


Business Situation

Banca Carige decided to improve security by implementing strong, two-factor authentication based on smart cards, and it wanted to minimize the associated costs and complexity.


Solution

The bank implemented Microsoft® Identity Lifecycle Manager 2007, which builds on the Active Directory® service and Certificate Services in Windows Server® 2003 to provide an integrated solution for deploying and supporting smart cards.


Benefits
  • Increased security; foundation for additional security services
  • Support for multiple certificates on one smart card
  • Rapid implementation and flexible workflow customization
  • Ease of management and high availability
  • Integration with existing IT infrastructure

Hardware

Siemens smart cards


Software and Services
  • Active Directory Certificate Services
  • Microsoft Identity Lifecycle Manager 2007 Feature Pack 1
  • Microsoft Office Communications Server 2007
  • Microsoft SQL Server 2005
  • Microsoft Windows Server 2003
  • Active Directory Directory Services
  • Microsoft Active Directory Domain Services
  • Microsoft Windows For Smart Cards

Vertical Industries
Banking Industry

Country/Region
Italy

Partner(s)
Microsoft Services