THE SOLUTION
Intercede partner CertiPath demonstrated the optimum solution to the energy provider: a combination of a logical access system and credential management, using MyID.
The solution offered a facility-wide PACS (physical access control system) that let employees use a smart card to enter the facilities they were approved for. That same smart card would also enable employees to access their corporate systems and networks securely, whether working from an office or remotely.
Fundamental to the solution was public key infrastructure (PKI), delivering best-practice strong authentication that minimises the cybersecurity threat posed to the energy provider and adheres to the standards set by the U.S. Government.
This meant that MyID would issue a cryptographically protected credential to each employee’s smart card. At the point of authentication, an employee would present their smart card to a smart card reader and a crypto-backed handshake would occur between the private key on the smart card and a public key from the energy provider’s certificate authority. The employee would also be required to enter a PIN for two-factor authentication.
For access into secure buildings, employees would simply use their smart card on an external door reader and be granted access.
For the lifecycle management of employees’ smart cards, a small number of system administrators and system operators have access to MyID. System administrators use MyID to set security policies, define user groups and associated access rights, and access the system’s audit and reporting functionality. System operators are also able to log in to MyID to revoke and replace employee smart cards, issue new smart cards, and update existing smart cards should an employee’s personal details or role change.
The deployment of MyID has given the energy provider a robust, centralised system to issue its employees’ smart cards and manage their lifecycle, ensuring organisation-wide use of strong multi-factor authentication to access digital systems and mitigating the threat posed by hackers using social engineering and phishing. Fundamentally, the energy provider knows that only the right people are able to access its facilities, systems and networks.