When problems with user tokens started cropping up, Hudson Advisors LLC, a commercial mortgage servicer and real estate asset manager, decided it was time to look at a whole new user authentication system to control network access.
Hudson Advisors has replaced its outdated two-factor user authentication system with RSA Security Inc.s RSA Sign-On Manager 4.5 using RSA SecurID tokens.
The new system not only did away with the token problems Hudson Advisors was encountering, but has also allowed the company to quickly decrease password reset costs by leveraging the IntelliAccess password reset capability in the new version.
RSA Sign-On Manager 4.5, which was selected by Hudson Advisors after a six-week bake-off among several products, has also helped lower audit compliance costs, according to Mark Lynd, global chief technology officer and vice president of technology for the company.
“Our biggest concern is that we have just over 1,200 users in offices around the world that log in to up to 14 systems in a given day. Ensuring that all users have long passwords that were secure using numerics, alpha and special characters was pretty impossible to maintain,” Lynd said.
Hudson Advisors couldnt get by with fewer applications. At the same time, it had to demonstrate risk mitigation to external auditors and customers by requiring strong passwords—which meant placing an onerous burden on Hudson Advisors employees.
“Also, when we had new employees or employees leave, we had a difficult situation,” Lynd said. “We turned to SSO [single sign-on] because it was a good fit for our organization. We wanted to streamline on- and off-boarding [of employees], and we got help passing our yearly audits.”
Audit compliance turned out to be a big cost-saver for Lynd and his staff when they started using RSA Sign-On Manager 4.5 to demonstrate effective access controls, not just for federal and state regulators, but also for mortgage and financial industry rating agencies such as The McGraw Hill Cos. Inc.s Standard & Poors and Fitch Inc.s Fitch Ratings.
“We wanted an SSO solution that would allow us to go to custom applications, of which we have several, [as well as] third-party applications like Oracle [Corp.s] ERP and Hyperion, and Web-based applications,” Lynd said. “That was one of the main things we looked for in our bake-off; not all the products out there are able to support all these types of applications at this point.”
Lynd related one example of why Hudson Advisors selected RSA Sign-On Manager 4.5. “We have a .Net application that is an investor portal. One of the things we saw with SSO products and Web apps—and that [RSA Sign-On Manager] 4.5 specifically addressed—is that when you end your session, many Web apps take you back to the sign-in screen,” he said. “Since the SSO product knows the sign-in screen, it automatically re-authenticates the user, even though they are trying to exit the application.”
RSA Sign-On Manager 4.5 can be trained to recognize when a user is exiting a Web application and therefore knows not to authenticate the user to the application.
Next Page: Costs and payoff of implementing RSA Sign-On Manager.
Costs, Payoff of Implementing
RSA Sign-On Manager”>
One of the oldest complaints often made against SSO products is that they are costly and difficult to implement.
Implementing RSA Sign-On Manager wasnt a cakewalk, but it was easier than Lynd and his staff thought it would be, he said.
“Our application group, which deals with traditional client/server, third-party and Web apps, and the infrastructure group, did separate testing and then conferenced together on the final product pick,” Lynd said.
“Our implementation was up, and we had sign-on templates for nearly 20 applications done in just about two weeks—creating the templates was much easier than we thought it would be.”
The payoff has been improved user productivity, reduced support costs and an improved ability of IT to respond to external audit and report requests.
Lynds team gauged user sign-in time at offices around the world. Based on these observations, they determined that the average user spent between 5 and 7 minutes logging in, Lynd said. Because the company bills by the hour, each employee minute can be valued.
“With 1,200 employees, that number grows pretty quickly,” Lynd said.
In addition, RSA Sign-On Manager 4.5s IntelliAccess feature, which allows users to gain access to protected resources by answering a set of personal questions correctly, means that Hudson Advisors has significantly reduced help desk calls for password resets while maintaining secure access.
Lynd also noted that the support provided by RSA and Hudson Advisors technology implementation partner, Dynetech Corp., was a key factor in the success of the SSO project.
“Unlike some other vendors we tried to work with, when we had problems and we went to RSA, both the local office as well as RSA corporate worked hard to solve the problems,” Lynd said.
Hudson Advisors is counting on this continued support, Lynd said, to ensure the success of the firms plans to further expand the use of SSO.
Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.
Case file
- Company Hudson Advisors
- Location Based in Dallas; more than 30 offices worldwide
- Problem Token problems in two-factor authentication system prompted a general re-evaluation of the companys user authentication methodology
- Solution RSA Sign-On Manager 4.5
- Tools Microsoft Corp.s Systems Management Server and Active Directory, RSA key fob tokens
- Whats next RSA Sign-On Manager 4.5 rollout to Hudson Advisor offices in Asia Source: eWEEK Labs reporting
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.