Our client is a global leader in the metals and mining industry. This prestigious
corporation started as a family business in the United States. Over the
course of its history, the company experienced significant growth, conquering
new markets while pioneering new production techniques. This growth was
accompanied by mergers with other leading companies.
Today, the group is present in over 30 countries and employs over 60,000
people across 200 sites. The growth of the group has necessitated
a harmonization of production processes across all levels. One of the
last areas to be harmonized was IT system security, and more precisely,
access control.
The Production division includes 30 factories around the world. Each factory employs about 100 people. The factories are divided into 4 large regions: America, Australia, Brazil and Canada.
Each region had put its own access control system into place. Over time,
this led to an overlap of systems:
One region used Active Directory groups and could only control menu options.
Another one was based on Authorization Manager (AzMan) and had put in
place a complex role-based access control (RBAC) system, intertwined with
the application code.
The other two regions had created internal solutions, also based on RBAC
principles, which meant a large volume of code that was difficult to maintain.
The work had been done four times instead of once, leading to a significant
loss in productivity. The multiplication of security rules made control
impossible and caused concern over possible security breaches.
Maintenance was extremely cumbersome and daily management was difficult.
The multiplication of systems made the security somewhat transparent.
Finally, the different systems did not allow the introduction of sufficiently
detailed permissions that would respond to the real constraints of each
factory.
This situation pushed the Group to create a committee in charge of the
standardization of the access control system for the Production Division.
After a thorough study of the marketplace, our client chose Visual Guard.
It was necessary to respect the existing structures in each region to
reduce the resistance to this change, be that from the technical teams
or the users themselves.
Novalys put in place a validation program so that teams from each region
could evaluate the changes and benefits associated with Visual Guard.
The Novalys teams gave personal support to all teams for a pilot installation
project in each environment.
The technical specifications (language, technology used, architectural
constraints…) could then be identified and taken into account.
“We were all very impressed with the demo. The ease with which the
product is integrated into an application was astounding (I think that
three lines of code were involved). I can see that this will be a valuable
tool to add to our kits.” – Manager, United States.
It was necessary to create a uniform authentication solution. Moreover,
this authentication also needed to be as light as possible for the end
user, to limit the number of passwords they were required to memorize.
Visual Guard allows the reuse of Windows accounts or groups stored in
Active Directory. A native utility allows the declaration of an unlimited
number of accounts in the administration console at one time.
The employees each had a Windows account. This practice allows the reuse
of the existing accounts, without extra effort from the technical team.
This also meant that the automatic Single Sign-On mechanism could be used
for all the division’s applications.
The change was completely invisible for the end users, who did not need to memorize a new password or learn a new authentication process. The old passwords were deleted, and security was improved at the same time.
It was also necessary to standardize the organization of access rights
across the entire Production Division. The Visual Guard console provides
a system of roles and permissions. They are centrally defined, and then
deployed in each factory. In this way, uniform access rights are managed
in one location. This greatly simplifies and lightens maintenance.
Visual Guard’s native deployment tool offers different options for
the security deployment. This allows for a lot of flexibility in the organization
of the security life cycle. In the case of our client, the standardization
had to leave room for the autonomy of each factory. The deployment tool
allowed the system to be adapted to suit these needs.
In comparison with all other solutions considered, Visual Guard brought an unparalleled improvement to productivity. Indeed, the DynamicPermissions technology allows permissions to be defined in a few clicks using a dedicated module, without adding any lines of code to the applications. These permissions are dynamically applied while the application is in production. All this minimizes the effort required to transition to a new access control system.
The ability to track any event in the application also worked in Visual Guard’s favor. Audit requirements have increased, and conforming to them requires a comprehensive view of who does what at each site. From the Visual Guard administration console, dedicated interfaces make it possible to see who has given a permission and who has done what in an application, and to create reports on the security rules as a whole.
Finally, the ease of management for the administrators was crucial: once the rules were defined, each factory manager had to be autonomous in the daily management of users and their access rights. Here again, Visual Guard offers a large amount of flexibility. Depending on their level of technical knowledge, administrators can use the Winform console, which allows them to execute standard actions as well as more technical actions, or the WebConsole, which is designed for identity management by non-technical personnel. Visual Guard also offers a number of APIs, which make it possible to create fully personalized administration formulas when necessary.
For the Production Division, it was necessary to deploy in stages. Each
region had its own production rhythm which we had to respect.
The gradual implementation meant that there was a deeper transfer of knowledge
with the Canadian team. The tight collaboration with the teams from Novalys
was accompanied by a thorough analysis of the architecture and organizational
structure of the division.
Our team could therefore take into account our client’s specific technologies
on a case-by-case basis. Once the first sites were put into production,
the training and implementation began for the Brazilian and Australian
regions. The same process was put into place, allowing us to follow the
step-by-step securing of their applications, while accounting for specific
needs.
Integration with Active Directory meant that the authentication could
be standardized for all four regions in a way that was seamless for the
users. Furthermore, they could keep their old passwords.
On the technical side, the simple integration of Visual Guard lightened
the workload for the technical teams in all four regions, in spite of
the diversity of existing systems. The presence of the Novalys team for
technical support, training and needs analysis was critical in this process.
The access rights management offered by Visual Guard, with its dynamic
permissions, centralized roles and flexible deployment, enabled the creation
of centralized rights management, while conserving the autonomy of the
on-site teams.
Finally, the identity management tools available provide the greatest
simplification for the administrators of each site, regardless of their
technical knowledge.