Guaranteeing security and efficiency
By doubling its size in four years, Barclays France has proved that its offer appeals to its corporate and wealthy private customers. However, this success comes with its own challenges. The bank’s chief security officer, Bertrand Dunoyer de Segonzac, had concluded that application access security procedures were no longer suitable.
Barclays France’s ever-growing staff was finding it difficult to implement its rigorous security rules. Applications were increasing in number, with very diverse technologies. Cases of forgotten passwords and incorrect password attempts were frequent since there were as many passwords as applications. The helpdesk was, therefore, overburdened, resulting in a very high cost in terms of assistance and loss of productivity. At the same time, a strict security policy was reinforced: for instance, complex passwords were to be renewed every month, and workstations locked after 3 incorrect password attempts. Paradoxically, this multiplicity of passwords hampered information system security: users jotted down their passwords.
So, the security department worked out a proposal to remedy this situation. But then how was it going to convince the management to invest in a security project, especially one addressing a lowly issue such as passwords? The solution was to come from users themselves. “When polled about their work environment, the employees requested that the general management of Barclays find a solution to their password problems”, says Bertrand Dunoyer de Segonzac. “I was then given the green light for a radical yet realistic solution: doing away with passwords in the entire bank.”
Eliminating passwords… securely
In practice, the bank decided that the “zero passwords” project would be implemented using two complementary solutions. Firstly, users would access their PC with a biometric solution so they no longer needed to remember the numerous passwords. Secondly, once authenticated, a single sign-on (SSO) application would enter the passwords on their behalf, thus allowing them to access all their applications. Access to the bank’s applications would, therefore, be protected with only one simple but secure authentication method: presenting one’s finger to a biometric reader. Apart from security and ease of use, this combination brings an extra advantage to the bank in terms of image and innovation.
Choosing a solution
After a call for tender to three security-solution providers, Barclays France chose Evidian’s Enterprise SSO. “We liked the responsiveness of Evidian’s technical teams. Their solution was the only one that enabled us to deploy SSO and biometrics from only one screen, which simplifies management. Moreover, Evidian provides an effective backup tool in case of biometric system failure”, explains Bertrand Dunoyer de Segonzac.
During a pilot phase, the Barclays France team tested its main applications to ensure that the Enterprise SSO solution could enter passwords automatically. It saw that its applications could be quickly integrated despite their diversity: Lotus Notes, client/server, web, applications in terminal mode on OS/400 and Unix, etc., without any impact on the applications themselves.
The functional and legal aspects were equally critical. “France’s public regulator CNIL is very vigilant about the use of fingerprints; so a well-argued file must be presented. In particular, biometric data should not be centralized, but must be stored on the PC or an external device”, says Bertrand Dunoyer de Segonzac.
The biometrics solution provider was chosen after a one-month pilot phase, based on design and reliability criteria.
The project team created different scenarios at the pre-deployment stage: cases of employees moving from one terminal to the other, use of mobile terminals, protection of USB ports and switchover to a backup site, etc. It was necessary to devote several minutes to start-up so users could learn how to use the solution. Therefore, training sessions made it possible to save time and avoid problems.
The project team chose to deploy the solution on a department-by-department basis, making a formal assessment after each installation. The teams at the Paris headquarters were the first to use the solution, followed by the sites in the provinces. It was thus possible to discover some unexpected issues and to take them into account during future deployments. “The installation itself is light. The diversity of cases was much larger than we had expected, but the Evidian tool was able to cope with them easily. Moreover, the project revealed some pre-existing issues”, explains Bertrand Dunoyer de Segonzac.
Biometrics-based SSO has quickly become part of day-to-day habits, and users are the first to promote the solution among colleagues who are not yet equipped with it. Meanwhile, the IT department has noticed a significant fall in helpdesk workload. Barclays France has shown that it is possible to combine design, productivity and security. What’s more, the success of this project has contributed to the choice of Evidian’s Enterprise SSO by Barclays Wealth in the UK.
• Over 120 sales outlets throughout France.
• 170,000 customers.
• 1,500 employees, including 500 bank advisors.
• 40 applications.
• 30% decrease in helpdesk calls.
For more information: http://www.evidian.com/finance.htm