London-based Carphone Warehouse Group PLC is Europe’s independent mobile communications retailer. The company operates across 10 markets and employs over 8,000 people in more than 1200 stores and via online outlets throughout Europe. Its UK market share is over 22 percent. The Carphone Warehouse operates in other European markets as The Phone House, including Belgium, France, Germany, Ireland, the Netherlands, Portugal, Spain, Sweden and Switzerland.
Since 1989, the core business has been to provide reliable and innovative mobile communication products and services – accompanied by a commitment to the highest levels of customer support. Consistent with that philosophy, the company seeks to constantly arm its large workforce with productivity tools that give them maximum business mobility and agility, while simultaneously protecting corporate assets by securing dynamic communication and the company’s IT infrastructure.
Employees and partners require direct access to leading computing applications, online and retail sales and inventory data, and secure email. HID Global meets those stringent criteria with easy-to-use token authentication that verifies employees and partners are who they say they are for streamlined remote access to network systems and services.
The Carphone Warehouse was looking for a digital identity solution that would reduce the administration time for managing thousands of distributed token users
Secure remote access solution
Finding an easy-to-use and cost-effective secure remote access solution with its leading position among mobile phone and telecom retailers, The Carphone Warehouse is in constant pursuit of solutions that maintain its competitive edge and innovation. The previous ‘dial-up’ remote access system that was in place for many years had proven to be costly to the company due to mounting traditional phone line expenses, and frustrating to users due to limited bandwidth for supporting access and transfer of large files.
Also, the sheer magnitude and complexity of managing systems for a diverse and distributed workforce to remotely connect to IT systems presents a daunting infrastructure challenge, and led to a desire for a solution that would not require the installation of client software on user PC’s and laptops across the various corporate offices and 1200 store locations.
Unauthorised access and malicious activity
Acknowledging the unacceptable risk posed by weak and insecure static passwords (username-password) for the enterprise, the company sought a better way of validating the identity of users prior to granting mobile access. In addition to guard against unauthorised access and malicious activity, The Carphone Warehouse was looking for a digital identity solution that would reduce the administration time for managing thousands of distributed token users, and that would enable the company to know with certainty who is accessing the network from any location, at any time.
Those employees include management teams responsible for driving business at corporate, regional and branch levels as well as IT-focused staff – all of whom are users requiring fast and seamless access to databases, secure email, the Internet, sales applications, company data, and systems.
Juniper Networks Secure Socket Layer VPN solution
The Carphone Warehouse chose a Juniper Networks Secure Socket Layer VPN solution with Citrix server-based computing as a more secure and more accessible solution for employees and partners
The Carphone Warehouse decided to deploy a Virtual Private Network (VPN) in combination with strong token-based authentication of users to meet its remote access needs. They specifically chose a Juniper Networks Secure Socket Layer (SSL) VPN solution with Citrix server-based computing, over a traditional IPSec VPN, as a more secure and more accessible solution for employees and partners.
Unlike IPSec VPN’s, the web-based interface of the SSL VPN, coupled with strong security from HID Global, truly enabled employees to connect from any company office, retail store locations, from home, and the growing number of hotspots and web cafes. Remote users log-on to the system using HID Global’s Tokens with any PC or computing device through a web browser – and are transparently authenticated at the backend with HID Global’s 4TRESSTM AAA Server for remote access software.
After thorough piloting and evaluation, The Carphone Warehouse came to the conclusion that other solutions on the market for strong authentication were less efficient and costlier due to dual administration requirements.
Remote access integration with Microsoft Active Directory
In contrast, with HID Global there is no need for the addition of a separate user database for managing digital identities on top of the existing corporate systems. HID Global’s 4TRESS AAA Server for remote access integration with Microsoft Active Directory met The Carphone Warehouse’s requirements for centralised management, a single point of administration, and streamlined provisioning of user accounts – and also supported the planned migration from Windows 2000 to Active Directory. As a major consumer retailer, the company has a large number of external users made up of manufacturers, vendors, and IT product suppliers.
Authentication ‘On-the-Go’ is made possible with HID Global’s Keychain Token that solves the problem of weak static passwords in a portable strong authentication device
The Carphone Warehouse simply adds those third party individuals into Active Directory, based upon a designated role that defines what content and applications they can access. From the user perspective, authentication ‘On-the-Go’ is made possible with HID Global’s Keychain Token that solves the problem of weak static passwords in a portable strong authentication device.
Two-factor authentication for one-time-use password
HID Global two-factor authentication validates employee identity via something the user has (the token) and something the user knows (their PIN code) in order to produce a secure one-time-use password.
As its dynamic password solution, The Carphone Warehouse chose the compact form-factor that conveniently attaches to the user’s keychain. Unlike other keyfob tokens on the market, the user simply types their PIN into the trusted pin-pad on the device itself – instead of sending the sensitive PIN credential over the network.
ActivIdentity offers the advanced security benefits of challenge/response and synchronous authentication with a patented three-variable algorithm: time, event, and secret key.