As director of security for Burlington Northern Santa Fe, Rick Perry is responsible for managing some 45,000 user-identification profiles—38,000 for employees and 7,000 that are a mix of external users and additional staff access files.
“Some are contractors. Some people have access to multiple servers. Some people have more than one ID,” explained Perry, adding, “It’s the detritus from mergers.” As its name connotes, BNSF is the amalgam of seven merged railroad companies, including Great Northern and the Atchison Topeka & Santa Fe.
As if securing profile data didn’t pose enough of an IT challenge, Perry is also challenged by the fact that many of the railroad’s employees don’t have desks or computers but all need access to the company’s mainframe computers. But identity management software is now helping him conquer many of the tech challenges, and just as importantly, providing great data security while increasing employee productivity.
Who’s checking in?
Perry’s top tech challenge has been the diversity of the BNSF workforce—everyone from systems engineers to locomotive engineers—all of whom have varying levels of PC experience and need.
At the most basic level, train crews were using a telephone to input work hours via the phone keypad—essentially, the phone was a faux IVR interface to a corporate database that replaced the old-fashioned punch-card time clocks (faux IVR because it’s not really voice response but a Touch-Tone response).
For security reasons, Perry didn’t want employees using social security numbers or birth date for login access, so he had a system developed for creating personal identification numbers (PINs), similar to the PIN required to access a bank’s automated teller. Employees must change the PIN every three months. The procedure is similar for office workers, although they use a Web-based interface to access the data.
Perry realized he needed an easy system for both sets of users to update passwords without reaching out to the help desk staff.
At the same time, Perry’s security team was wrestling with the issue of providing Web access to external customers for bill paying and shipment progress tracking.
“We had started to conduct more sensitive transactions over the Web,” explained Perry, “and realized we were going to have to manage a whole new group of users who were going to be much more dynamic than our internal work force.”
Tackling identity management
Perry started looking for software that would automate at least part of this ongoing security challenge. He found it in the niche of identity management—also known as user provisioning, led by companies as big as BMC, Computer Associates, and IBM, and some as small as Baltimore Technologies, Entrust, Netegrity, Oblix, RSA Security, and Waveset.
Within the identity management software, users have profiles that set forth access privileges. When a major change or reorganization takes place (such as a merger), the application automates the majority of the grunt work.
One touted advantage for tech leaders is the self-service capability offered by these software packages, which let users reset passwords themselves, trimming the need for IT intervention. The software offerings are also designed to let departmental supervisors set up profiles for their users, not only to offload IT, but also because supervisors know better than IT who should have access to what.
Perry chose Waveset’s Lighthouse software for several reasons, the most important of which was its flexibility.
“Some of the other products we looked at [from bigger companies] were very costly and unwieldy. A lot of them required that we conform to their processes. Lighthouse has a feeling of being more flexible, and easier to adapt to our environment. It was lightweight, but not in a bad way.”
In addition, the software could be integrated to both BNSF’s back-end and Web-based systems, comprising everything from mainframes, Windows NT servers, and AIX servers.
Yet the application price isn’t lightweight. According to Waveset, the software cost starts at $250,000.
An ongoing challenge
Initially, it took three and four months, in a phased approach, to get all the internal systems set up, with the NT systems tackled first because they house the e-mail system and are used the most, Perry said. The mainframe was next because it was the most standardized, and the AIX servers came last. Yet some challenges lay ahead, noted Perry.
One challenge is the overlaying standard policies on all the systems.
“In the past, our AIX servers had been administered by the engineers,” Perry said. When moved into a central IT group, Perry’s team realized the profiles had been defined differently when they were set up.
“It took some work to get things in line, but to gain the efficiencies of the software, we needed the standardization. Now everything is being handled the same way.”
Yet to come is provisioning for the external customers, for whom Perry hopes to have at least the initial sign-on capabilities available by the end of this year.
“We’ve been delayed because we are looking at authorization and authentication issues that Waveset doesn’t deal with today,” he explained.
Still, the security leader’s optimistic about his department’s ability to be more responsive to internal and external customers when the effort is completed. Installing the Web-based system has cut the average 48-hour turnaround time of user provisioning to 24 hours, even though it might “bubble up when there’s a bulge of users,” he acknowledged.
Even though that’s a small thing, the solution has enabled Perry to redeploy some staff that was responsible for the provisioning activity.
On the qualitative side, Perry believes he’s more responsive to both employees and customers today.
“If Waveset doesn’t work, it’s not that the railroad doesn’t run. But efficiency and ease of doing business are two corporate initiatives for BNSF, and this is an opportunity for us to increase productivity and improve service,” he said.