Success Stories
CSS recognizes the importance of managing security knowledge—that is, creating, capturing, and disseminating ideas, experience, and methodologies. We carefully scrub this knowledge to remove client-confidential information while preserving essential lessons learned. The following projects demonstrate how CSS has enabled our clients to accomplish precise business objectives and help to illustrate how we can provide similar benefits to your organization.
Twice a year CSS participates in a Customer Satisfaction (CSAT) survey sponsored by Microsoft. The CSAT index is a benefit that gives Microsoft Partners access to market research services for surveying and measuring customer satisfaction with Partners’ services and solutions.
Financial Services
Client: US Insurance Company
Description: The client needed to deploy a Public Key Infrastructure (PKI) environment to support secure business transactions with consumers via the intranet. CSS designed and deployed a PKI to meet their requirements. During the course of the engagement, CSS also made several extranet security improvements, including SSL hardening (against man-in-the-middle attacks), web-based authentication, physical access and information systems identification with LDAP authorization services requiring Kerberos integration across the enterprise.
Client: Global Financial Service Company
Description: The client required an enterprise-wide security infrastructure to protect trading operations for 15,000 users in the investment and securities divisions. CSS researched and analyzed a multitude of potential solutions, matching each solution against the business requirements. After a comprehensive study, CSS architected a secure systems framework, deploying 70 security servers (KDC) worldwide across four continents, supporting Solaris, HP/UX, AIX, and Windows platforms.
Manufacturing
Client: Global manufacturer
Description: The customer’s IT department needed to improve secure access to its corporate network and improve data and asset protection. This project resulted from the company experiencing a significant security breach in its infrastructure, leading to sensitive data leakage from the accounts of the executive team within its organization. The breach was so severe that it threatened the company’s ability to compete in a global market. The project implementation needed to occur quickly considering the situation at hand. It would be necessary to build a new PKI, ensure co-existence with the customer’s current system during the transition, and implement new functionalities which were not available previously. CSS implemented the following Microsoft solutions as part of an iterative process to secure the customer’s environment and mitigate risk by doing the following:
Client: Global Automotive Manufacturer
Description: The client required automated notification of user account expirations for over 300 business-critical applications. Microsoft Active Directory (AD) was leveraged as the central authentication and authorization repository for user applications. The solution required extracting user account expiration information from Active Directory and placing it in a location that could be queried. Microsoft Identity Integration Server (MIIS) was selected and deployed. Utilizing the MIIS Metaverse, various pieces of information were extracted from AD and the application and placed into a SQL table for reporting.
Client: Global Automotive Supplier
Description: Due to compliance requirements, the client needed to replace their existing Public Key Infrastructure (PKI) and build a global enterprise-wide PKI that would meet both the business requirements of today and address their future needs. CSS segmented the PKI into two components, one publicly facing and one for internal applications. The segmentation of the PKI allowed the client to utilize the Microsoft Certification Authority (CA), which allowed for significant cost savings. The internal PKI segment enabled the client to operate an Encrypted File System (EFS) on desktop and laptop computers for 60,000 users in over 30 different countries.
Telecommunications
Client: Global Telecom Company
Description: The client had a very large development team comprised of several groups writing applications for various network-based operations; each group had a custom approach to application security. The applications spanned diverse requirements:
Their custom approach led to unnecessary administration overhead. Policy and password management were ineffective and costly. Subject to the security policy of each department, users were setting their passwords to the lowest common denominator. Users needed to remember multiple passwords and thus tended to write them down. Each department used a different security infrastructure. Many point solutions, poorly integrated with one another, had been deployed. The primary driver for a cohesive security infrastructure was password change management.
CSS architected an authentication system that centralized user registration and administration to one primary security server with several secondary security servers. Disparate security mechanisms (point solutions) were reduced or eliminated. The company now has a consistent security policy control vehicle throughout the company.
Our consultants provided development and integration expertise. The security toolkits allowed for authentication and encryption of sensitive data throughout the company’s heterogeneous network for client/server and web-based applications. These APIs are now available to the company’s geographically dispersed intranet development community.
The solution improved the company’s security posture while lowering administration and technology costs. The new single application security toolkit allowed the company to secure its wide base of applications. Now, developers need only one interface to secure applications across the entire company, improving productivity and consistency. The new best-of-breed approach includes industry-standard authentication and encryption technologies.
Custom application methods were reduced significantly. This decreased maintenance costs and reduced delivery times. The use of point solutions was reduced, freeing up capital. The solution’s increased flexibility allowed the application infrastructure group to be more responsive.
Registration and password management became streamlined across subnets and diverse applications. Helpdesk costs were reduced significantly, allowing resources to be applied to other areas.
Client: Wireless Telecom Company
Description: The client required application security integration for an enterprise CRM and needed to allow for secure B2C communication. The engagement required CSS to consolidate directory services and also allow for cross-platform authentication. CSS designed a cross-platform authentication system utilizing a GSSAPI (Kerberos) interface connecting HP/UX 10-11, NextStep, Mac, and Windows 3.11, 95, and 2000 platforms. CSS deployed nine security servers (KDC) across the country.
Manufacturing
Client: Automotive Equipment Manufacturer
Description: The client was faced with creating an infrastructure design that would enable them to identify the services that support key business systems. Having identified these systems, the client then needed to apply targeted information security improvements to the environment comprising each “business system,” commensurate with that system’s importance to the enterprise. CSS assisted the customer in the creation of business-system-centric security zones.
The client was also faced with management and security of a diverse mobile workforce. CSS assisted the customer in efforts to design and implement improvements to remote systems management, and workstation security.
Client: Automotive Equipment Manufacturer
Description: The customer wished to improve overall systems security and required a well-grounded and well-engineered authentication and authorization directory. CSS designed and implemented a secure enterprise-wide Windows 2003 Active Directory environment. In addition, they required an automated systems management tool to manage their client/server environment, inventory machines, and manage software updates. CSS thoroughly assessed their environment and designed a solution incorporating Microsoft’s System Management Services (SMS). The deployment was a tremendous success.
Retail
Client: Large US-Based Retailer
Description: The customer was interested in improving overall security by creating business-system-centric security zones, each of which could be managed as a unit and represent a single, well-managed and monitored attack surface.
CSS assisted the customer in arriving at a design that met their business and technical requirements.
Financial Services
Client: Large National Bank
Description: The bank needed to radically improve the management and delivery of its marketing campaigns to ATMs dispersed throughout the United States. The current processes required extensive and excessive amounts of personnel resources and multiple work load cycles in order to ensure successful distribution of marketing campaigns. Further, only 100 ATMs could be scheduled per day because of the man-hours required to implement, manage, and remediate distributions. Disruptions in the distribution of the campaigns and software to the ATMs were experienced due to large file sizes and the unreliable networks over which the files were being delivered. The bank could not easily or readily support the deployment of software updates, application updates, or service packs. This caused a lack of standardization, limited features, and functionalities requested by the business. Additionally, under the current technology platform, the bank was forced to manage failures manually. When an incident occurred with an ATM crashing, coming down, etc., a technician needed to be dispatched to bring the machine back online. This resulted in lost revenue and inconvenience to the ATM users.
CSS designed and deployed a new ATM device management infrastructure solely based on the Microsoft System Center stack, specifically, Microsoft System Center Configuration Manager (SCCM) 2007 R2, System Center Operations Manager (SCOM) 2007 R2, SharePoint 2007, and Active Directory (AD). CSS needed to reengineer the client’s ATM management and software distribution processes such that the bank could leverage the full capabilities of the technology. Reengineering the process unleashed synergies between process and technology through automation, easing the effort to execute the process and reducing defects due to manual activities, while enabling the delivery of additional business benefits.
CSS aligned the process with the capabilities of the technology in order to drive efficiencies, repeatability, and scalability. Our solution connected the business process to the technology and allowed the technology to drive process efficiencies and cost savings to the organization. The bank is now able to apply the same process for all ATMs, regardless of the platform, requiring no manual setup procedures. The client is now able to design and distribute more elaborate marketing campaigns, moving seamlessly through different environments, catapulting them ahead of their competition and establishing them as a leader in their field.
Client: Regional Bank
Description: The client needed a complete overhaul of IT infrastructure and needed help determining a course of action that was consistent with their business requirements and would allow for their IT professionals to learn new skills through the course of the engagement. CSS developed a plan for an application and infrastructure migration from NT4 to Windows 2003, making Active Directory the directory of record for the enterprise. The client praised CSS for a flawless migration, but was most impressed with the attention that CSS paid to knowledge transfer and helping to educate the entire team on how to operate the new system.
Telecommunications
Client: Global Telecom Company
Description: The client’s goal was to create a competitive advantage using information security to promote, differentiate and strengthen the client’s brand and their position of trust in the market. The client had already spent significant time and effort using conventional compliance and assessment-based approaches. While those efforts produced very good security, they did not generate sufficient organizational motivation and innovation. A very different approach was called for, and CSS answered that call.
In a very short period of time, CSS developed a strategy based on the client’s culture, capabilities and objectives. The initial objective was to embed information security improvement in the organization’s DNA, then leverage that capability, and the resulting improvements, into market expansion and stronger branding. The foundation of the strategy was based on the application of quality management disciplines and techniques to information security management (the genesis of Security as a Dimension of Quality™). While the client was intimately familiar with quality management disciplines, the application to information security on a large scale had never been attempted by any organization. These were untested waters, and not for the faint of heart. As with any company serious about quality, a significant and long-term commitment of the entire organization was required. But history made it clear that a commitment to quality paid, so the path was set, and we quickly moved from strategy and concept to execution. Over several years, CSS helped refine the concepts, articulate and promote the strategy, and develop and test the supporting elements.
Execution rested on three major reinforcing pillars: participation, continuous incremental improvement, and market expansion. Participation was centered around small teams, ultimately involving virtually every employee. Each team, aided by advisors and mentors, was responsible for identifying opportunities for security improvement, developing improvement plans, metrics, measurements and reporting to gauge progress, and executing their plan (the origin of Security Kaizen™). It quickly became clear that there was a wealth of untapped skill and knowledge, and programs were instituted to recognize and promote exceptional efforts. The result was greater interest and motivation across the entire organization, increased innovation, and gains in operational efficiencies. Efficiency gains strengthened the client’s competitive position, while innovation strengthened the client’s leadership position and stature. Both led to the expansion of existing lines of business, the development of new lines of business, and revenue growth. The benefits of the program continue to help promote, differentiate and strengthen the client’s brand as a mark of trust.
Client: Global Telecom Company
Description: The client’s objective was to leverage their recent SOX compliance effort to improve the efficiency and effectiveness of IT security processes in order to support key company objectives, and to “operationalize” compliance by integrating it with day-to-day process management activities. While the SOX compliance effort had produced a great deal of documentation, there was no performance management system in place to measure and analyze process efficiency and effectiveness, and very little objective data on which to base process improvement decisions. The focus of the project was vulnerability management and remediation processes. The primary objective of the project was to improve the operational efficiency and effectiveness of those processes by designing, developing and implementing a process performance management system, including metrics and measurements, and dashboards for graphically representing process performance. The underlying theme was Security as a Dimension of Quality™ using tools and techniques CSS has developed as part of Security Kaizen™.
A significant part of the project was the design and development of the dashboards and the supporting metrics and measurements. Several dashboards were developed and deployed, each targeted at a different stakeholder. The primary stakeholders were executive management, operations management, and process owners and operators. The initial development proceeded top-down, with subsequent iterations to rapidly converge on an acceptable design based on stakeholder desires and technical feasibility. A critical part of dashboard and metrics design was stakeholder input: what questions do they want answered, and how will they use the information? Gathering and analyzing that “voice of the customer” in order to answer those questions was a key driver. Another critical part of the development effort involved ensuring that the data necessary to answer those questions was available and accurate.
As the team discovered, much of the previous reporting was based on data that was readily available, not the data that was needed, and retrofitting an ill-designed process to collect the needed data can be very expensive. The data analysis effort identified numerous potential improvements, both within the processes which were the focus of the project, and in upstream and downstream processes, many of which crossed organizational boundaries. Of note, one of the most important and early improvement efforts was the scrubbing of data that was inaccurate and which hindered initial analysis. Beyond the obvious opportunities for performance improvements, that cross-functional perspective helped to focus and align discussion and decision-making across management boundaries, break down organizational silos, and reduce the risk of sub-optimization.
Financial Services
Client: Large National Bank
Description: The client needed authentication to an outside service provider to obtain access to multiple applications hosted in “the cloud.”
One challenge CSS helped overcome was, ironically, the elimination of a password to get into the applications. In this case, the bank felt that the passwords individuals would choose would mirror their internal network passwords and create vulnerabilities for password leakage where they had not existed before. CSS addressed the client’s concerns by creating transparent authentication to the cloud service providers. CSS was able to implement custom protocols required by the cloud providers but then transition to standards-based solutions such as SAML and WS-Federation. CSS worked closely with both the customer and the cloud service providers, in many cases helping the cloud service providers add SSO capabilities to their products. The CSS solution was also seen as extremely valuable by the cloud service providers as it could be more secure, without having responsibility for passwords, allowing access through a trusted token with a user ID. The client summed up the CSS cloud solution as “perfect” and “exactly what we needed.”



