Canadian telecommunications company TELUS has heeded the convergence call and is issuing 32,000 credentials for secure physical access to facilities and logical access to computer networks.
“The project began in late 2005 as an IT project for logical access,” says Stephen Pedersen, manager of security development for TELUS. But it soon became clear that it made sense to add physical access control to the same ID, and what were two projects collapsed into one.
All told there are three technologies on the card: an HID Global proximity coil for legacy access control; an iCLASS contactless smart card chip for new access control systems; and a contact chip from Gemalto for logical access. The smart card is personalized with the employee's name and picture for photo identification.
“Secure network login was the driving factor behind the initiative,” Pedersen says. The company has employees log in with user names and passwords when onsite, but they use different types of tokens for remote access. The new solution eliminates the need to issue two different credentials for logical and physical access.
TELUS expects the new IDs will reduce help desk costs for password resets. “The PIN doesn’t have to be as complex as a password; users are accustomed to a bank card PIN, therefore we anticipate help desk costs will drop substantially,” he says.
Providing the back-end system for TELUS’ deployment is ActivIdentity Corp. “TELUS is using the company’s ActivClient software and a smart card with a digital certificate for network login, web applications access and remote access. TELUS also uses ActivID Card Management System, 4TRESS AAA Server and SecureLogin solution,” Pedersen says. The ActivClient software works with the ActivID Card Management System and helps TELUS with the initial badging, the card lifecycle and the provisioning of certificates.
“TELUS went with ActivIdentity after looking at different vendors and proofs of concepts for the credential,” Pedersen says. “Some of the other products we looked at were proprietary and weren’t based on Java Card technology.”
TELUS is still in the process of rolling out the card and the infrastructure to use it. Pedersen says the logical access piece should be activated by the end of the year, though some users are already using the card for remote access.
“When fully deployed employees will use the smart card for entry into the building and for a variety of logical access functions too,” Pedersen says. TELUS has a Microsoft Windows XP and 2003 network infrastructure. When logging on to a computer, the employee is prompted to insert his smart card and enter a PIN.
“Once this is done the user will be logged in and the secure storage area and the card will be unlocked and the certificates made available to the necessary applications,” Pedersen says. Since TELUS also deployed a single sign-on system, the user doesn’t have to log in separately to different applications. The smart card also enables users to log in remotely over a virtual private network.
“In an offline mode the smart card works in a similar manner, a Windows cached credential,” Pedersen says. The user can log in without the credential, using a user name and password, but they can also use the smart card and PIN.
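The password fallback Pedersen describes is the point a practitioner would want to check: in a Windows domain, an account can keep logging on with a user name and password until it is flagged as requiring a smart card for interactive logon, and a certificate is only accepted for logon if it carries the Smart Card Logon extended key usage and the user's UPN in the subject alternative name. The PowerShell below is an added example, not TELUS's or ActivIdentity's code, and the article does not say how TELUS handled this; it assumes the ActiveDirectory module on a domain-joined administrative session, and the OU path is a placeholder. The OIDs are Microsoft's and the X.509 standard's.

```powershell
# Added example (not TELUS's or ActivIdentity's code). Assumes the ActiveDirectory
# module and a domain-joined administrative session; the OU path is a placeholder.

# 1. Find enabled accounts that can still fall back to a password, i.e. accounts
#    without the "Smart card is required for interactive logon" flag
#    (userAccountControl bit 0x40000, exposed as SmartcardLogonRequired).
$searchBase = 'OU=Employees,DC=example,DC=com'   # placeholder, not TELUS's directory
$fallback = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $searchBase `
    -Properties SmartcardLogonRequired |
    Where-Object { -not $_.SmartcardLogonRequired }

$fallback | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize

# 2. Enforce the flag once a user's card has been activated. Setting it also causes
#    the domain controller to replace the account's password hash with a random one,
#    so a remembered password no longer works anywhere.
foreach ($u in $fallback) {
    Set-ADUser -Identity $u -SmartcardLogonRequired $true -WhatIf   # remove -WhatIf to apply
}

# 3. On a workstation with the card inserted, confirm the card holds a certificate
#    Windows will accept for logon: Smart Card Logon EKU and a UPN in the SAN.
$scLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft Smart Card Logon EKU
$sanOid     = '2.5.29.17'                # subjectAltName

Get-ChildItem Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $hasEku = ($cert.EnhancedKeyUsageList |
               Where-Object { $_.ObjectId -eq $scLogonEku }) -ne $null

    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $upnLine = if ($san) {
        ($san.Format($true) -split "`r?`n") |
            Where-Object { $_ -match 'Principal Name=' } |
            Select-Object -First 1
    }

    [pscustomobject]@{
        Subject       = $cert.Subject
        SmartCardEKU  = $hasEku
        UPN           = if ($upnLine) { ($upnLine -replace '.*Principal Name=', '').Trim() } else { $null }
        HasPrivateKey = $cert.HasPrivateKey
        NotAfter      = $cert.NotAfter
    }
} | Format-Table -AutoSize
```

Step 1 is the audit; step 2 is the control that actually closes the fallback path, which is why it is run with -WhatIf first. Step 3 is worth running before enforcing the flag, because an account marked smart-card-only whose certificate lacks the logon EKU or a matching UPN is locked out rather than protected.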
Though successful, the project has not been without its issues. If they were going to do the project over again, Pedersen suggests he would reduce the integration points for the credential.
“Getting the new cards into the hands of employees has been a challenge,” Pedersen says. “Logistics around collecting photos and distributing cards is often overlooked,” he says.
“Initially, TELUS was going to do road shows, stopping at different facilities around Canada and enrolling employees,” Pedersen says. This proved cost prohibitive so the company is centrally issuing the IDs and then having employees activate them when logging on to the system. There are no logical credentials on the card until the employee activates it.