In from the field: Complying with remote access rules

Network engineers at agricultural supplier Monsanto were in a bit of a conundrum. With new federal rules kicking into gear – specifically, Sarbanes-Oxley and its internal controls requirements – they needed to develop password and other policies for remote access to the corporate network.

But the remote-access system the company had been using for eight years, supplied by MCI, did not allow for that.

"It was based on MCI as the provider. User names and accounts were created on MCI's name space, so we didn't have the ability to change passwords or have any kind of password policy," says Dwight Wheeler, network manager at the St Louis, MO-based company.

Neither could Monsanto, which makes seeds, Roundup and other herbicides, always create or – probably more importantly – delete a user's account in a timely manner.

"When employees left, their network password would get deleted, but since we had another directory for remote-access passwords that didn't even exist in our network, often the user accounts and passwords wouldn't be deactivated," explains Scott Crosier, network engineer at the firm.

So Monsanto embarked on a project to redesign its remote-access system and bring authentication in-house. Now, MCI provides a RADIUS (Remote Authentication Dial-In User Service) proxy to Monsanto, which retains all of its user names and passwords and has deployed two-factor authentication from ActivCard for increased security.

"We certainly take information security very, very seriously. What we deal with mainly is intellectual property," says Scott. "Anything that we can do to make our data more secure, we certainly investigate. And, any time a company has remote access into their network, it's a huge security concern."

ActivCard's technology is key to addressing that concern, he adds. Monsanto has rolled out the vendor's soft tokens to about 5,000 of its 13,000 employees around the world. Those employees who connect to the corporate network remotely include scientists and researchers gathering data on farms, as well as sales employees.

Monsanto opted for soft tokens, which are integrated on employees' Windows-based laptops, instead of hard tokens in order to save a little money and also make it easier for the end user, says Crosier. "We thought the burden on our help desk would be a lot less."

After selecting a dial-in number via an integrated MCI access manager and establishing a modem connection, users are prompted for user name, password and soft-token PIN. They enter a PIN, which generates a one-time password. Once the password is validated, an internet connection is established, launching a Cisco VPN client for secure connection to the corporate network.

"By using a soft token, it's all integrated. They enter their pin one time and away they go," explains Crosier.

Monsanto evaluated half a dozen authentication providers and chose ActivCard because it could be integrated with the company's Active Directory structure and, even more importantly, because of its soft-token technology.

"A lot of other vendors' soft tokens were like a hard-token emulator that sits on the computer. A user would launch an application that looks like a hard token, they would key in their pin, which would display a one-time password that they would copy and paste into the authentication dialog boxes.

"ActivCard, on the other hand, has a simple client that recognizes the authentication windows, prompts a user for his pin and automatically fills out and submits authentication dialogs for Monsanto's applications. It made integrating with our software much easier and provided a much easier experience for the end user," notes Crosier.

ActivCard's soft tokens, which are combined with ActivCard AAA Server, can also run on Pocket PC or Palm-based PDAs or Java-enabled mobile phones, but Monsanto has very few cases in which PDAs or other mobile devices need remote access.

While Monsanto is currently using ActivCard technology only for remote access, it is evaluating the possibility of using it for some internal applications as well as possibly adding ActivCard's smartcard technology for use by system administrators.
