CAT TFA OTP Strong Authentication - case study
By: Arnnei Speiser
LM – CAT OWA Implementation
Background
Leigh-Mardon’s origins as a printing company trace back to 1837, when John Sands & Co began business with the supply of specialist stationery and engraving of printing plates for secure documents.
With the discovery of gold in Victoria in 1848, Leigh-Mardon began supply of Australia's earliest security transaction documents on the Victorian goldfields.
1850 saw the beginning of a business relationship with the Bank of New South Wales, which has now lasted for over 150 years.
The late 1980s and early 1990s brought the final divisions together under the paper making company AMCOR, which added the John Sands cheque printing business to its DataCard, Fortronics and Leigh-Mardon divisions.
In 1996, it became a wholly owned subsidiary of American Banknote Corporation, one of the largest private sector security printers in the world. Leigh-Mardon operates as an autonomous entity responsible for the Asia-Pacific region with an all-Australian management and Board of Directors.
Today, Leigh-Mardon is a high-technology security printing leader and payment instruments innovator with an unequalled range of services and expertise that are called upon by a wide variety of organizations throughout the world.
Problem Being Addressed
Leigh-Mardon’s sales force is distributed across the country, with each sales person responsible for a specific area and/or group of clients.
The sales tasks require frequent communication with Leigh-Mardon's central server to receive and forward emails and documents. Each sales person has their own company email address.
Because this access involves highly secured information and a secured server, regular OWA access was deemed not secure enough, and a solution was required. Leigh-Mardon was looking for a secure, affordable and easy-to-use solution.
The Approach Taken
Leigh-Mardon decided to take a pragmatic approach to selecting the security enabler.
It was recognized that the market standard for strong authentication is TFA OTP tools, and a list of requirements was prepared based on the immediate needs and projected growth plans.
The requirements were:
- Full OWA integration capability
- TFA OTP token with time-based algorithm to reduce the “phishing” risk
- Take into account possible extension of the security to other areas such as additional servers and services
- Ease of use
- Costs, hidden costs
- Token management overheads
- Support
- Maintenance and token replacement
- Ability to customize
Benefits
After checking the available solutions in the market, such as hardware tokens (RSA, VASCO, etc.), it was decided to pick the CAT soft token. The main reasons were:
- The ability to manage more than one account on the same token. Leigh-Mardon might later use the OTP security for its internal network and additional services, which with hardware tokens would have meant additional tokens for each sales person. With the CAT there was no need to buy, carry, and manage a number of tokens for each sales person.
- Security. The CAT with its PIN protection is more secure than the low-level hardware tokens that have no PIN protection. Hardware tokens that do have PIN protection cost more.
- Affordability. The CAT token was the only one that was free. By using the CAT solution there were no hidden costs or management overheads that could not be calculated in advance.
Evidence of Success
The CAT installation is a straightforward process on the OWA server as well as on the cellular phones. About 90% of the personal cellular phones at Leigh-Mardon supported the CAT download. The others have been upgraded or replaced by their owners through the cellular provider upgrade programs.
Initial issues regarding cellular time synchronization were dealt with, and the CAT tokens have been performing 100%.
The main indicators of success:
- The easy acceptance of the CAT by the different users: there were no cases where the token was forgotten or unavailable, and no misunderstandings or operating problems
- There were no identity theft events
- There is a requirement to extend the CAT to protect other services such as Data Transfer facilities used by Leigh-Mardon
Things We Would Do Differently
It is most important to have the organization ready for the assimilation of new technology.
In the case of integrating CAT into the existing OWA service, the implementation went faster than planned, and thus while some of the sales persons were ready and started to work as soon as possible, others had to wait for a cellular upgrade and CAT installation.
For further information: http://www.megaas.co.nz