Credit union serves up secure solution; password technology system provides members with authenticated, 24/7 network access - Network Security - State Employees Credit Union

Communications News, June, 2003

More than 73,000 members. $530 million in assets. A fast-growing dial-in network where remote users can gain 24/7 access. A potential security nightmare.

That was the challenge facing the State Employees Credit Union (SECU) in Lansing, Mich., which, since its charter in 1952, has grown to become one of the leading credit unions in Michigan and the United States. With its burgeoning network, however, Mark Davis, SECU assistant vice president of data center operations, understood the dangers of unauthorized access, and wanted to be able to identify each individual user attempting to log on to the system.

"As far as remote dial-in, we were getting to the point where our network was too exposed and anybody would be able to get in," says Davis. "I realized that greater security would be needed as we basically just had someone dialing into a router to use NT security."

SECU underwent an exhaustive search to identify a cost-effective method to provide high-level security for its dial-in network.

When Davis spotted the CRYPTOCard RB-1 hardware token being utilized at an airport, he decided to research secure password technology (SPT) further. "SPT not only provides significantly greater network security than traditional static 'user-id password' systems," Davis says, "but was also cost effective."

Davis found that CRYPTOCard's CRYPTOAdmin plug-in server could be fully integrated with SECU's existing Cisco Secure ACS operating system in less than an hour, and that this installation would ensure that both local and remote users could securely gain access to the network from any location.

"The authentication server works together with our existing security applications to make it simple for all authorized users to safely connect with our Web-based network," Davis says. Remote users connect with the network through a firewall, remote or network access server, or VPN, while local users can log on via Windows NT, Windows 2000, Windows 98, Windows 95, UNIX logon or Web server access. Members can communicate via any combination of dial-up, Internet, ISDN, leased lines or VPN.

The server provides centralized authentication with decentralized administration, enabling SECU's network administrators to add or delete a new user in approximately two minutes. As a result, administrators can ensure new authorized users immediate network access, while preventing users who are no longer authorized from accessing the network.

"The system is good at keeping people in the appropriate areas," comments Davis. "I can set it up so that a specific user can only read specific areas of the network, and lost cards and unauthorized users can be locked out in a matter of minutes."

Additionally, as the server generates a one-time password for every log in, SECU's users can utilize the same user ID indefinitely. This eliminates the security-management costs associated with administrators having to reset complicated passwords or regularly change passwords to protect the network.

The server platform supports a variety of hardware and software tokens, as well as smart cards. SECU's 75,000 members chose the RB-1 calculator-style DES challenge-response token, featuring compact size and user-replaceable batteries, as well as customizable appearance and functions.

A user simply turns on the hardware token, and enters a PIN into the token's display. A one-time password will then appear in the token's display, and is then entered into the dial-up dialog box on the user's PC or laptop. The unique qualified response is only valid for the current log-on attempt, preventing would-be hackers from assuming the identity of a valid user by utilizing a guessed or stolen password. The user's credentials are then validated by the server, which runs the administrative database, and SECU can be certain that only authorized users gain access to its network.

The credit union paid a $1,500 fee for the server, and can add new users at anytime for about $50 each.

For more information from CRYPTOCard: www.rsleads.com/306cn-252