How a global leader in the metals and mining industry secured its factories worldwide

The Company

Our client is a global leader in metals and mining industry. This prestigious corporation started as a family business in the United States. Over the course of its history, the company experienced significant growth, conquering new markets while pioneering new production techniques. This growth was accompanied by mergers with other leading companies.
Today, the group is present in over 30 countries, and employs over 60 000 people across 200 sites. The growth of the group has necessitated a harmonization of production processes across all levels. One of the last areas to be harmonized was the IT system security, and more precisely, access control.

The Need

The Production division includes 30 factories around the world. Each factory employs about 100 people. The factories are divided into 4 large regions: America, Australia, Brazil and Canada.

Each region had put its own access control system into place. Over time, this lead to an overlap of systems:
One region used Active Directory groups and could only control menu options Another one was based on Authorization Manager (AzMan) and had put in place a complex role based access control (RBAC) system, intertwined with the application code.
The other two regions have created internal solutions, also based on RBAC principles, which meant a large volume of code that was difficult to maintain The work had been done four times instead of once, leading to a significant loss in productivity. The multiplication of security rules made control impossible and causing concern over possible security breaches.
Maintenance was extremely cumbersome and daily management was difficult. The multiplication of systems made the security somewhat transparent. Finally, the different systems did not allow the introduction of sufficiently detailed permissions that would respond to the real constraints of each factory.

Choosing a Solution

This situation pushed the Group to create a committee in charge of the standardization of the access control system for the Production Division.
After a thorough study of the marketplace, our client chose Visual Guard. It was necessary to respect the existing structures in each region to reduce the resistance to this change, be that from the technical teams or the users themselves.

Novalys put in place a validation program so that teams from each region could evaluate the changes and benefits associated with Visual Guard. The Novalys teams gave personal support to all teams for a pilot installation project in each environment.
The technical specifications (language, technology used, architectural constraints…) could then be identified and taken into account.
“We were all very impressed with the demo. The ease with which the product is integrated into an application was astounding (I think that three lines of code were involved). I can see that this will be a valuable tool to add to our kits.” – Manager, United States.

It was necessary to create a uniform authentication solution. Moreover, this authentication also needed to be as light as possible for the end user, to limit the number of passwords they were required to memorize.
Visual Guard allows the reuse of Windows accounts or groups stored in Active Directory. A native utility allows the declaration of an unlimited number of accounts in the administration console at one time.
The employees each had a Windows account. This practice allows the reuse of the existing accounts, without extra effort from the technical team. This also meant that the automatic Single Sign-On mechanism could be used for all the division’s applications.

The change had been completely invisible for the end users, who did not need to memorize a new password or learn a new authentication process. The old passwords were deleted, while at the same time improving the security.

It was also necessary to standardize the organization of access rights across the entire Production Division. The Visual Guard console provides a system of roles and permissions. They are centrally defined, and then deployed in each factory. In this way, uniform access rights are managed in one location. This greatly simplifies and lightens maintenance.
Visual Guard’s native deployment tool offers different options for the security deployment. This allows for a lot of flexibility in the organization of the security life cycle. In the case of our client, the standardization had to leave room for the autonomy of each factory. The deployment tool allowed the system to be adapted to suit these needs.

In comparison with all other solutions considered, Visual Guard brought an unparalleled improvement to productivity. In effect, the DynamicPermissions technology allows permission to be defined in a few clicks using a dedicated module, without adding any lines of code into the applications. These permissions are dynamically applied while the application is in production. All this minimizes the effort required to transition to a new access control system.

The ability to track any event in the application also worked in Visual Guard’s favor. Audit requirements have increased, and to conform to them requires a comprehensive vision of who does what at each site. From the Visual Guard administration console, dedicated interfaces allow the consultation of who has given a permission, who has done what in an application, and to create reports on the security rules as a whole.

Finally, the ease of management for the administrators was crucial: once the rules were defined, each factory manager had to be autonomous in the daily management of users and their access rights. Here again, Visual Guard offers a large amount of flexibility. According to the administrator’s level of technical knowledge, they can use the Winform console, which allows them to execute standard actions as well as more technical actions, or the WebConsole, which is designed for identity management by non-technical personnel. Visual Guard also has at its disposition a number of APIs, which give the possibility of creating fully personalized administration formulas when necessary.

Gradual Implementation

For the Production Division, it was necessary to deploy in stages. Each region had its own production rhythm which we had to respect.
The gradual implementation meant that there was a deeper transfer of knowledge with the Canadian team. The tight collaboration with the teams from Novalys was accompanied by a thorough analysis of the architecture and organizational structure of the division.
Our team could therefore take in account our client’s specific technologies on a case-by-case basis. Once the first sites were put into production, the training and implementation began for the Brazilian and Australian regions. The same process was put into place, allowing us to follow the step-by-step securing of their applications, while accounting for specific needs.

The Results

Integration with Active Directory meant that the authentication could be standardized for all four regions in a way that was seamless for the users. Furthermore, they could keep their old passwords.
On the technical side, the simple integration of Visual Guard lightened the workload for the technical teams in all four regions, in spite of the diversity of existing systems. The presence of the Novalys team for technical support, training and needs analysis was critical in this process.
The access rights management offered by Visual Guard, with its dynamic permissions, centralized roles and flexible deployment, enabled the creation of centralized rights management, while conserving the autonomy of the on-site teams.
Finally, the identity management tools available provide the greatest simplification for the administrators or each site, regardless of their technical knowledge.