Biometric Logical Access strengthens secure systems at Department of Agriculture
The Department of Agriculture has become one of the first organisations in South Africa to implement a converged biometric physical and logical access system.
The Budgets and Reporting Directorate at the department's head office, in Pretoria, is responsible for managing the organisation's financial system control functions, including the logons to PCs and secure applications used by the finance, HR and supply chain management directorates.
In order to ensure its applications are secure, the department - as in the case of all government organisations - applies a strict password management policy for all staff who log onto its computer systems.
For years, managing these passwords had been a thorn in the system controller's side. With logon credentials for the government's transversal systems, including BAS, Persal and LOGIS, changing every 15 to 30 days, the incidence of forgotten passwords was significant, resulting in lockouts and associated downtime. Resetting forgotten credentials placed an unnecessary admin burden on the relevant helpdesks, distracting the technical support team from more pressing tasks.
An audit of password procedures and risks revealed a number of significant security concerns. Not only were staff writing their passwords down, but the close proximity of workstations to each other meant it was relatively easy for users to see each other's passwords when they were being entered.
Frailties in the physical access control system securing the workspace used by many key system users raised a secondary concern - that non-authorised individuals could gain access to the area.
Following an RFQ process in 2008, the department commissioned Praxis Computing to implement secure sign-on solution to replace the need for passwords to be entered manually.
Praxis proposed that the department implement SuperSignOn, a secure password management solution developed in South Africa by SuperVision Biometric Systems and Sybu Data.
The initial phase of the project saw a biometric solution, which operates with the Sagem MSO1300 desktop fingerprint reader, installed on more than 100 PCs. This replaced all passwords, from the initial PC logon to credentials for each application thereafter, with a fingerprint logon.
To resolve the access control need, Sagem MA500 biometric terminals running SuperVision's physical access control software were installed at the entrance and exit doors leading to the workspace for LOGIS users.
As all SuperVision software applications are fully integrated, this ensured the department was able to deploy a truly converged access control policy through which staff could only log onto their PCs if they had first been authenticated at the physical access point. Similarly, when staff left the building, their PCs would automatically be logged off when they passed through the door.
The department was particularly impressed that SuperSignOn was able to integrate with most of the applications used, including the emulator and disconnected logins with no custom scripting or development.
Active Directory is being used as the primary authentication engine, eliminating the need to build a separate repository to store credentials and other data needed to validate users' logon requests.
The solution's automated password change facility allows the system to automatically generate new strong passwords when old ones expire, reducing the likelihood of passwords being hacked by guesswork or brute-force. With users not even knowing the password, there is no chance that post-it notes with confidential logon credentials will be left lying around the office.
As well as enhancing security, SuperSignOn significantly reduced lockouts stemming from confusion over which password goes with which application, and has virtually eliminated password complaints for enabled applications.
Furthermore, time masking rules applied to the physical access control solution mean that staff could only be granted access to their workspace during designated office hours, eliminating the opportunity for people to be in work areas when not properly supervised.
According to Praxis' Wikus Englebrecht, having a single point of take on for PC and physical security systems is a significant value-add insofar as access rights can now be removed centrally in the event of staff leaving the organisation.
The entire solution strengthens the department's application security and, more importantly, adds a level of non-repudiation to the process. Fingers (unlike passwords) cannot be transferred between individuals creating a stronger, more accountable environment. A further advantage is that it is a home-grown South African solution, which is consequently able to quickly and proactively react to the changing local market.
Engelbrecht says he sees the usefulness of this system for many other departments.
“It is the first of its kind in the country and solves many of the security issues which trouble large organisations. This solution directly addresses problems which are typical headaches for organisations, such as the lack of integration between physical and logical access control, user problems of having to remember multiple passwords, ensuring users create strong passwords, managing forgotten passwords, and the impossibility of controlling borrowed passwords.”
Security and access control can be streamlined and automated, says Engelbrecht, alleviating some of the current challenges these departments feel. “When you come to work all you have to remember to bring with you is your finger!”
Please click here to see the table in this Praxis press release.