Identity Management: Two-Factor Authentication

Client: A Major Pharmaceutical Company

Business Challenge


Authenticating a user's identity is vital to managing electronic access to sensitive information. A major pharmaceutical company was using one of the strongest types of authentication, known as two-factor, which employs a physical or software-based token along with a PIN. But it was failing — or that was the perception among end-users. In reality, the existing solution worked well 90% of the time; but about 10% of the time, the service was down. These service outages adversely affected as many as 40,000 users, generating 4,000 support tickets per month and associated monthly support costs of $82,000. Because the system was critical, time was of the essence. The IT department needed to quickly implement a more reliable authentication solution for this component of their identity management approach.


The challenges facing the IT department were to:

 

  • Overcome a growing perception at the company that two-factor authentication technology was not the correct solution to its authentication requirements
  • Eliminate costly downtime associated with related service outages
  • Identify and implement a solution that would meet multiple user, IT and business requirements, within a short timeframe
  • Build an effective business case for replacing the existing solution with another two-factor authentication solution

 

Solution

 

Forsythe performed a Security Technology Assessment (STA) to understand the client's use of the authentication technology and to find a solution to the problem. Through the STA process, we were able to develop a thorough list of requirements for evaluating potential vendors. This process also allowed the client to understand the business, IT, and financial impact of available solutions.

 

Using the information gathered, Forsythe prepared an analysis that focused not only on technical and functional security risks, but also addressed their impact on the strategic and tactical needs of the organization. Forsythe then defined targeted recommendations intended to mitigate these risks.

The client issued a verbal Request for Information (RFI) to the top five vendors. Once the RFI was completed, each vendor was required to validate the RFI through a proof-of-concept exercise in Forsythe's Technology Evaluation Center. Over a three-day period, the client was able to meet each vendor, ask questions, and see each technology demonstrated.

 

In addition, both the installation and integration with requested third-party technologies were clearly documented for the client's evaluation. To make a selection, the client scored each vendor against its specific technical requirements.

 

Results

 

The benefit of Forsythe's 35-plus years of IT-infrastructure experience combined with our expertise in Security and Identity Management can be measured in terms of time and cost savings for this client. Forsythe's recommendation and facilitation of an RFI and the vendor evaluation and selection process in the Technology Evaluation Center significantly reduced the selection period for this client.

 

Because the client was able to choose the vendor that best met its requirements, it selected a mid-range vendor that would not have been the obvious choice if it had been making a selection through a traditional procurement process. Incidentally, this choice brought an additional, unforeseen 60% savings to the client when the cost of the selected technology was compared to its nearest competitor.

 

Additional benefits of the identity management solution included the cost savings associated with a significant decrease in support tickets and an increased flexibility in reporting capabilities and token options.

 

Forsythe helped the IT department build an effective business case for implementing a new, two-factor authentication technology in place of one that was not performing to expectations. To further streamline the implementation and integration of the technology, Forsythe managed the deployment engineers for the project at the client's site, further reducing the total time that was required to successfully complete this critical project.