LVM Insurance has consolidated user authentication beyond system boundaries. On all clients, users now log on using a Smart Card, whether the operating system in use is Linux or Windows.
by Jan Schulze, freelance journalist
The German insurer LVM Insurance follows a strategy of using open-source solutions wherever practical. Maximum flexibility with minimum dependence on single providers is the motto. As a result, Linux has been the operating system of choice for years. LVM currently runs Ubuntu 10.04 LTS (Long Term Support) by Canonical, with around 10,000 systems operated this way by the insurance company. Accordingly, user management is based on the open standard LDAP; here, LVM uses the IBM Tivoli Directory Server. Since 2002, users have logged on to Linux clients using a Smart Card. At the request of the security officer, the internal audit and the Board of Directors, this very secure method of user authentication was now to be extended to the Windows environment running in parallel.
Windows in many special cases
Daniel Timmerhindrick, responsible for the security of application systems in the IT Infrastructure area at LVM, explains: "In addition to the Linux clients, we operate approximately 1000 Windows workstations, currently still using Windows XP. These are used where Ubuntu isn't practical." In this Windows environment, authentication is performed against an Active Directory, with users logging on to their computers with a username and password. "Besides this, Windows is often being used on workstations used by specialists," said Timmerhindrick. The security of these computers no longer conformed to LVM's security guidelines.
not only leave our existing processes unchanged, but also wanted the Windows systems changed as little as possible." Moreover, the Smart Cards of the Windows users were not to be issued via the Active Directory, but on Linux using the existing internal PKI. It was also requested that the existing Smart Cards continue to be used: they not only let Linux users log on to computers, but also serve all employees as access-control and payment cards. LVM found the solution at the Viennese software house Comtarsia IT-Services GmbH, which offers a suitable standard product. This solution promised to cover the needs of LVM Insurance with minimal effort.
Middleware instead of Windows Customization
After the project team had analysed the actual state of LVM's client IT, those in charge of the project sounded out the market. An available open-source solution was discarded because the effort of adapting it to LVM's needs would have been too great. Among commercial providers, the Comtarsia concept seemed to meet LVM's needs best.
The solution consists mainly of four components. A client handles the user logon on the workstation. Via a middleware layer, the logon client communicates with the Smart Card that holds the certificate. The client generates a session password and passes it, together with the certificate, to a proxy server, which verifies the validity of the certificate against the data stored in the LDAP directory and uses certificate mapping to determine the user name. In the final step, an agent sets the temporary password for that user in the Active Directory, and the client completes the logon to the Windows domain with it. Thus, no adjustments are necessary in the Active Directory itself.
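The following Python model illustrates the four-step flow described above: the client generates a session password, the proxy checks the card certificate against directory data and maps it to a user name, the agent stores the password as a short-lived temporary credential, and the client then logs on with it. It is an added example written for this article, not Comtarsia's or LVM's code; the certificate fields, the issuer name, the serial numbers, the directory mapping and the five-minute lifetime are all constructed assumptions, and the revocation check and the single-use handling of the temporary password are design choices of this example rather than documented product behaviour.

```python
"""Model of a proxy-mediated Smart Card logon (constructed example, not vendor code)."""
import secrets
import string
from datetime import datetime, timedelta, timezone

# Fixed clock so the example is reproducible offline (assumption).
NOW = datetime(2012, 6, 1, tzinfo=timezone.utc)
EXPIRY_WARNING = timedelta(days=30)          # warn the user this far ahead (assumption)
TEMP_PASSWORD_TTL = timedelta(minutes=5)      # lifetime of the temporary password (assumption)

# --- constructed contents the middleware would read from the card ---
CARD = {
    "issuer": "CN=Example Internal CA",       # constructed issuer name
    "serial": "0x1A2B",                       # constructed certificate serial
    "subject": "CN=jdoe",
    "not_after": NOW + timedelta(days=20),    # expires within the warning window
}

# --- constructed directory (LDAP) data consulted by the proxy ---
TRUSTED_ISSUERS = {"CN=Example Internal CA"}
REVOKED_SERIALS = {"0x0BAD"}
CERT_MAP = {("CN=Example Internal CA", "0x1A2B"): "jdoe"}   # (issuer, serial) -> user name

# --- constructed stand-in for the temporary-password store the agent writes to ---
AD_TEMP_PASSWORDS = {}   # user name -> (password, expiry time)


class LogonDenied(Exception):
    """Raised by the proxy when a card certificate does not pass validation."""


def client_session_password(length=32):
    """Client side: a fresh random session password for this logon only."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def proxy_verify(card, now=NOW):
    """Proxy side: issuer, validity, revocation and directory mapping checks.
    Returns (user_name, expiry_warning)."""
    if card["issuer"] not in TRUSTED_ISSUERS:
        raise LogonDenied("untrusted issuer")
    if card["not_after"] <= now:
        raise LogonDenied("certificate expired")
    if card["serial"] in REVOKED_SERIALS:
        raise LogonDenied("certificate revoked")
    user = CERT_MAP.get((card["issuer"], card["serial"]))
    if user is None:
        raise LogonDenied("no directory mapping for certificate")
    expiry_warning = card["not_after"] - now <= EXPIRY_WARNING
    return user, expiry_warning


def agent_set_temp_password(user, password, now=NOW, ttl=TEMP_PASSWORD_TTL):
    """Agent side: store the temporary password with an expiry time."""
    AD_TEMP_PASSWORDS[user] = (password, now + ttl)


def domain_logon(user, password, now=NOW):
    """Domain side: accept the password only while unexpired; it is single-use."""
    entry = AD_TEMP_PASSWORDS.get(user)
    if entry is None:
        return False
    stored, expiry = entry
    if now >= expiry:
        del AD_TEMP_PASSWORDS[user]
        return False
    if not secrets.compare_digest(stored, password):
        return False
    del AD_TEMP_PASSWORDS[user]     # consumed: a replayed password must fail
    return True


def smartcard_logon(card, now=NOW):
    """Run the whole exchange and report the outcome as a dict."""
    password = client_session_password()
    try:
        user, expiry_warning = proxy_verify(card, now)
    except LogonDenied as reason:
        return {"logged_on": False, "reason": str(reason)}
    agent_set_temp_password(user, password, now)
    ok = domain_logon(user, password, now)
    return {"logged_on": ok, "user": user, "expiry_warning": expiry_warning}


if __name__ == "__main__":
    print(smartcard_logon(CARD))
    print(smartcard_logon(dict(CARD, serial="0x0BAD")))
```

The point of the model is where each decision sits: the proxy alone decides whether a certificate is acceptable and which user it belongs to, while the domain only ever sees a short-lived password for an existing account, which is why the directory schema needs no change.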
The Company
With over 3.1 million customers, 2.7 billion euro in premiums and capital assets of more than 13.5 billion euro, LVM Insurance is among the 20 leading direct insurance groups in Germany. Customer service is provided by 2,200 LVM delegates and their staff of 4,200 in country-wide LVM service offices, supported by over 3,000 staff at the company's headquarters in Münster. The group of companies offers a comprehensive range of products for private and commercial customers. Via LVM's own bank, the Augsburger Aktienbank AG, and the LVM cooperation partners HKK Erste Gesundheit, Aachen Bausparkasse and Federated Investors Inc., further insurance and financial services are offered. On the IT side, LVM Versicherung follows a clear open-source strategy to avoid dependence on single suppliers. This includes ensuring that the bulk of desktop computers run the open-source Linux operating system and that in-house software development consistently uses platform-independent Java.
An important request from LVM was that the Smart Cards already in use in the Linux world also work with Windows. These are based on Starcos (Smart Card Chip Operating System). An upgrade to JCOP (Java Card Open Platform) was also to be considered in the solution. For this requirement, Comtarsia provided a middleware that handles communication with the chip card. This middleware is available both for Starcos and for JCOP. Using this intermediate layer, the cards issued under Linux can also be used on Windows, as LVM requested.
use with Windows 8 will also be possible once the
new version is officially launched.
Successful test installation
Most of the insurance company's requirements were already met by the test installation that Comtarsia set up at LVM's request. Because of this, the project team decided to introduce the solution for Windows authentication. For the pilot phase, those responsible chose individual users from all departments, so that the feedback could be taken as representative of the entire company. The card readers used were the same devices that had already proven themselves in the Linux environment, so the necessary Windows drivers could be rolled out early.
During the pilot phase it became clear that in some places further detailed functional enhancements were necessary. For example, LVM's process requires that users be notified when their certificates are about to expire. "Communication with Comtarsia went very well," recalls Timmerhindrick. "They were quick to understand our needs and gave an accurate assessment of the necessary time and effort needed." The roll-out phase began after all necessary adjustments were made.
One problem was the question of how the card readers should be distributed to the Windows users. LVM IT wanted to avoid "sneaker administration" in the classical sense, with technicians visiting every desk. Here, the project team benefited from the fact that LVM's IT is divided into three departments: servers, networks and the like are administered by "IT Infrastructure", "IT Organization" is responsible for in-house software development, and the data center is looked after by "DV-Service". For the distribution of the card readers, all IT areas pooled their expertise from previous rollouts, which made it possible to keep to the schedule.
In the foyer, an information booth was set up, where employees could
pick up the card reader. Additionally, users received a flyer in
which the installation and operation were thoroughly explained.
Which cards work?
A further challenge was simple in nature, as Timmerhindrick explains: "The Smart Card chip of Windows users on the employee IDs has never been in use. Access and payment functions are integrated on cards with RFID. We didn't know if a card had been personalized in the past and, if so, whether the employee in question still knew his PIN."
Instead of speaking to employees individually, the IT department used information booths for this purpose. "The exchange rate has been lower than initially feared; perhaps 10 to 15 percent of the Smart Cards had to be renewed," said Timmerhindrick.
Just eight months after the initial planning, the authentication solution for Windows clients was put into use. Overall, Timmerhindrick is very satisfied with the progress of the project: "There were no serious difficulties in the project, all hurdles were quickly mastered. Our solution provider quickly understood our requirements and showed himself to be very flexible in the project." From LVM's perspective, the return on investment plays no role and has not been calculated. "For security projects this is always very difficult to put into numbers..." said Timmerhindrick. "Because Windows is often used by our management, additional security was very necessary."
Project thumbnail
User: LVM Insurance
Branch: Insurance
Project type: User authentication
Products in use: Comtarsia SignOn Proxy, Comtarsia SignOn Agent, Comtarsia LogOn Client, Comtarsia Smart-Card Middleware
System environment: Linux, Windows, LDAP, Active Directory
Time and effort: --
Challenge: Extension of the authentication Smart Card from an existing Linux to a Windows environment with as little interference as possible with Microsoft's infrastructure.
Result: Successfully introduced.
Stage of Project: Productive, time-frame approximately 10 months.
Involved suppliers: Comtarsia IT Services GmbH
Contact person: Daniel Timmerhindrick, LVM Versicherung