LuLu Group International has its head office in Abu Dhabi in the United Arab Emirates (UAE) and is active worldwide in more than 31 countries. Its main line of business is the retail sector and it currently operates 110 LuLu hypermarkets and supermarkets. In order to retrieve and store information, employees and partners log in to the corporate network. Previously, LuLu used a token-based system for such logins, but providing the tokens to partners was often a very cumbersome process. The group therefore switched to the tokenless SecurAccess solution. This makes use of existing mobile devices, with the passcodes required for user identification being sent to these devices by SMS, email or via Soft token App.
The 31,440 employees of LuLu Group International around the globe work with issues relating to the retail sector as well as with projects in the areas of import & export, trade, shipping, IT, travel & tourism and education. In order to ensure that the corporate structure remains streamlined and that communication is efficient, the group of companies is often an early adopter of new technologies. A recent example is the optimization of the supply chain. In this context, LuLu has established an automatic replenishment system together with mobile computers and “pick-to-voice” solutions, thus ensuring that its products are always available.
Token-based authentication under review
Over time, the employees, partners and vendors of the LuLu Group did not really consider the previously used token-based system for user authentication to be particularly innovative. The authorized users made use of hardware tokens from the manufacturer RSA Security to identify themselves when accessing the corporate network. However, the use of this system was associated with high TCO, such as the initial purchase of the tokens as well as the additional maintenance and replacement costs. Furthermore, sending the devices to partners was not always easy. Due to the international nature of the LuLu Group, the tokens were required around the world.
Saving costs by using already existing devices
As RSA Security provides no software in addition to the hardware tokens, the management of LuLu Group International embarked on the search for an alternative solution. The group’s IT partner, CodeGreen Systems – a provider of networking and security solutions – drew the company’s attention to the SecurAccess product from SecurEnvoy during this process. The characteristic feature of the two-factor authentication software is that it does not require a dedicated token, i.e. no additional components are required.
Instead, SecurAccess uses already existing devices such as mobile phones, laptops and tablets. One of the advantages with this is that users usually carry such devices with them anyway and are therefore also more careful with them than may be the case with hardware tokens. When logging in to the network, users permitted to access the system enter their personal login details, which consist of a username and a password, as well as a numeric code. Only the correct combination of these two factors allows access. The one-time passcode (OTP) is valid only once and consists of six digits. It can be sent to the user by SMS, email or voice call. The generation of the codes within a soft token app for smartphones is also possible. And the new SecurEnvoy server engine version 7.2 also provides a further authentication option – the One Swipe method. This works even when the user has no mobile phone reception or Internet connection. If the user wishes to identify themselves using One Swipe, they simply generate a QR code that is valid only once in the soft token app for smartphones. They then photograph this code using a webcam attached to a laptop, netbook or tablet and this enables them to be unambiguously identified.
Authentication codes sent by SMS, email and via Soft token App
It was precisely this diversity of passcode transmission channels that ultimately convinced the decision-makers at LuLu to choose SecurAccess. The installation of the solution was carried out by CodeGreen Systems without interrupting usual operations and without causing downtime. Since then, LuLu employees have been receiving their passcodes easily via the soft token app, email or SMS, depending on the device being used. Blackberry devices as well as iPhones and iPads are currently being used. In contrast, partners and vendors receive the access codes by email.
Optimised security provisions
In addition to the tokenless method of working, LuLu Group International also benefits from improved security. It became apparent that the previously used token-based solution from RSA Security had weakness in its integrated Dual EC DRBG pseudo-random number generator, enabling the encryption on which the solution is based to be vulnerable. However, SecurEnvoy uses a different approach. The seed record required for encryption is always separated into two parts. One half is a pre-programmed code, and the other is created using an individual characteristic of the end device being used, such as information about the SIM card or the CPU, that is sent back to the server when the user logs in. SecurAccess derives the second half of the seed record from this characteristic, so only half of the record is stored on the phone itself. Each time the user requests a passcode, the end device decodes the first seed record part and derives the second part as described above. The seed records thus produced are only known to the local security server; the end device has only one half of the entire record. So even if somebody hacks into the end device, they will not find enough information to be able to reconstruct the seed record completely. The company is thereby protected against data leakage.
“We are very satisfied with the SecurAccess solution, as we can now very rapidly set up remote access for our employees and partners,” comments Madhava MS Rao, Chief Information Officer at LuLu Group International. “We are therefore already planning an expansion of our user licenses after installation; we initially had a few difficulties with the passcode delivery by email. However, this was quickly resolved together with the experts from CodeGreen, our Security Partner, who were industrious all the way from PoC to deployment, roll-out and ongoing support. We have used the token-based and tokenless systems in parallel, until the RSA contract expired and all the users were migrated smoothly to the new systems without any service interruption. Since then we have been only using SecurAccess. This will also improve our CO2 footprint because no resources are wasted when using the physical tokens anymore”.
“As always, knowing the customer is the key and so is mapping their business requirements to a fine technical draft”, explains Anoop Ammunni, Business Manager Information Security at CodeGreen Systems. “However, in the case of LuLu Group International, the main challenge was to roll out the new solution in parallel with the to-be-discontinued RSA Token-based solution with zero interruption to the corporate resource access across group’s employees, partners and suppliers worldwide. And that’s where SecurEnvoy had a huge impact. SecurEnvoy’s automated roll out option as well as the user self-service portal have played a vital role. Needless to say the synergy between our technical team and LuLu Group International’s was imperative.”
Innovative thinking is one of the cornerstones of the success of LuLu Group International. The continuous reviewing of all the products and solutions in use is essential, regardless of the business area – whether supply chain management, building technology or IT security. An analysis of the previously used token-based authentication solution revealed that it was getting expensive and cumbersome to manage and operate as were growing with more and more users. The group saves money as a result of the switch to the tokenless SecurAccess alternative, as it uses existing mobile devices instead of dedicated tokens. Moreover, remote access can be provided to partners anywhere in the world via email, with employees receiving the access codes on their mobile devices via Soft token or SMS.