ChevronTexaco has embarked on a multimillion-pound project
to improve security by replacing passwords used to access company
networks with smartcards and smart tokens.
The multinational oil company will complete the replacement for its
70,000 employees worldwide by the end of the year.
The introduction of Schlumberger smartcards and RSA smart tokens,
which was sanctioned as a priority by ChevronTexaco's board of
directors, will significantly improve the security of the company's
internal information and slash the cost of helpdesk support.
The company typically has to reset between 2,000 and 4,000
passwords a month.
"Passwords are easy to crack. Using off-the-shelf software we found
we could crack passwords within hours for weak passwords or days
for more complex ones. The executive committee understood there was
a problem. We did not have to sell the idea too hard," said Edmund
Yee, who is responsible for major projects at the ChevronTexaco IT
Company.
One of the challenges that faced ChevronTexaco was the need to
develop a secure log-on system that would be capable of working in
remote parts of the world that could only be networked through
low-capacity satellite data links, Yee said.
"It is a very challenging project. It touches a lot of our
infrastructure. We have to make sure applications will work with it
and that information and security policies are in line," said
Yee.
The company worked with Schlumberger and RSA Security to develop a
smartcard management system that could provide new employees with
network access, control the issue of digital signatures, and
control access to ChevronTexaco's applications.
IT staff also had to work with suppliers to re-write and modify
applications to replace password access with access through
smartcards and smart tokens.
ChevronTexaco's own staff will be issued with Schlumberger 32k Java
smartcards fitted with a proximity sensor to allow them to log on
to desktop PCs equipped with a remote card reader.
The company will issue RSA secure tokens, which generate one-time
passcodes, to business partners and staff who need to access its
system through their own computer equipment.