The Royal College of Nursing reduce capital and operational expenditure with next-generation remote access technology
Founded in 1916 as a professional organisation for trained nurses, the Royal College of Nursing (RCN) has evolved into a successful professional union. For almost a century the RCN has pioneered professional standards for nurses in education, practice and working conditions. Today, as the ‘voice of nursing’, the RCN has more than 400,000 members and a widespread workforce, many of whom work from home or at remote locations away from its headquarters in London
The aim of the project was to improve remote access security and compliance in an effort to protect against data loss, and to deliver a cost-effective and scalable solution that could be rolled out to a broader user base.
In 2010, a routine audit of the organisation’s IT infrastructure identified that additional levels of authentication were required regarding remote access. This would assist the RCN to comply with data protection regulations and security compliance standards, providing better control of network access and protecting confidential personal information of staff and members.
RCN network and telecoms manager, Geoff Lewis, explained: “One option we considered was the adoption of an RSA SecurID token-based system. However, with a need to improve our compliance and drive down cost, rolling this solution out to more than 950 users was cost prohibitive. We needed something more creative.”
Lewis engaged with Icomm Technologies, resulting in a solution consisting of SonicWall’s Aventail SSL Virtual Private Network (VPN), which encrypts data traffic; and strong two-factor tokenless user authentication using Swivel’s PINsafe system.
The team configured two Sonicwall Aventail appliances to provide fail-over as a replicated pair, co-located at separate data centres in Cardiff and London.
Instead of costly ID tokens, PINsafe users have a registered four-digit PIN and a random 10-digit security string that is different for each login session. Easy to read by the user, the string is displayed as a masked image using irregular fonts and randomised pattern backgrounds to prevent OCR and screen-crawler malware from capturing it. The string and the PIN are combined to generate a One-Time-Code to authenticate each login session. The security string can be delivered to the user in a variety of ways, using an existing mobile phone or internet technology.
For the RCN, users access the network remotely by clicking an ‘Aventail’ desktop icon and logging in to an SSL VPN form supplying their everyday log-in details. The user then inputs their ‘One-Time-Code’ for further authentication and immediate access.
Importantly, a dedicated token is not required.
Lewis said: “Fundamentally, we have generated real savings in terms of upfront investment and on-going support costs with a faultless solution that has future proofed the RCN’s progressive aspirations for growth, compliance and cost reduction. We no longer need to worry about further hardware expenditure if we want to scale the deployment of new remote users. Provisioning a new user is simply point and click through a central management dashboard linked to our Active Directory user database.
“The greater resilience and enhanced business continuity afforded by this truly next-generation approach has taken us a step well beyond current standards. Change management can often be a concern when deploying new methods or processes of working. However, calls to our helpdesk regarding remote access have dramatically reduced. This is testament to the very user-friendly approach the solution provides. Our relatively non-technical home-based members of staff have adapted to the new process very quickly.”