Eberhard Haug, CISO, DB Schenker, tells us how it – a world-leading global logistics provider – centralised Identity Access Management (IAM) for over 300,000 DB Schenker employees, contractors, partners and customers worldwide. The company wanted to extend its Identity and Access Management (IAM) infrastructure to secure employee access and take advantage of the cloud, and it found the answer in Ping Identity’s offering.
Ping Identity, the Intelligent Identity solution for the enterprise, has centralised Identity Access Management (IAM) for over 300,000 DB Schenker employees, contractors, partners and customers. The successful project, conducted in partnership with iC Consult, streamlined the management of critical security policies and enhanced secure access and authentication to business applications.
DB Schenker is one of the world’s leading global logistics providers, with 2,100 locations and more than 76,900 employees across the world. The company supports the exchange of goods through land transport, worldwide air and ocean freight. After identifying the need for a more secure and modern authentication service, DB Schenker saw an opportunity to accelerate a Digital Transformation initiative and provide more streamlined access to resources for its workforce, partners and customers.
“The goal was to extend our existing Identity and Access Management (IAM) infrastructure to secure employee access and take advantage of the cloud,” said James Naughton, Head of Identity Management at DB Schenker. “In the past, we needed to invest significant time and resources to develop integrations, but now we simply configure the system and can deliver technically complete interaction in 30 minutes, decreasing effort by 75%.”
Working closely with iC Consult, IAM consultant and systems integrator, DB Schenker used Ping Identity to provide the authentication and authorisation capabilities needed to deliver a consolidated and centralised identity management service. The project utilised PingFederate, PingAccess, PingID, PingOne and PingDirectory, impacted over 300,000 identities and involved the migration of 50 business applications to the new authentication service.
“DB Schenker’s identity team can now centrally manage critical security policies and control access and authentication to their applications,” said Naughton. “The addition of FIDO2-enabled risk-based two-step authentication allows us to provide an even higher level of security for access to the DB Schenker IT landscape, creating peace of mind for both our team, partners and customers.”
“This is only the beginning of the identity journey for DB Schenker,” said Emma Maslen, VP and General Manager of Ping Identity, EMEA & APAC. “We will continue to seek new ways to push the boundaries of identity and provide MFA to every employee to improve workforce productivity.”
Eberhard Haug, CISO, DB Schenker, tells us more about Ping Identity’s offering, its benefits and how it has improved the organisation’s identity management capabilities.
Can you describe a typical day in the life of a CISO at DB Schenker?
DB Schenker is one of the world’s leading global logistics providers – we support industry and trade in the global exchange of goods through land transport, worldwide air and ocean freight, contract logistics and supply chain management. DB Schenker never sleeps and neither does the requirement of IT security.
My day generally starts with checking emails and messages, followed by reviewing our central IT security reports for intrusion detection and IT security incidents. I then spend a lot of time in meetings. As the IT security organisation within DB Schenker is global, I schedule my meetings accordingly: in the mornings I meet with colleagues in the APAC (Asia-Pacific) region, during the middle of the day with colleagues in EMEA (Europe, the Middle East and Africa) and in the afternoons with colleagues in the Americas. These meetings focus mainly on regional projects, customer audits and supporting customers’ Requests for Quotation (RFQs). In between meetings I steer and manage the DB Schenker IT Security Program.
The DB Schenker IT Security Program was established a few years ago to build up the overall IT security capabilities and improve the IT security architecture by aligning it to our overall IT security strategy. The target is to improve the overall security of our complete supply chain, which is very important when providing critical services to our customers and partners, especially the global ones.
Can you explain how the project streamlined the management of critical security policies and enhanced secure access and authentication to business applications?
We started developing our Identity and Access Management solution over 10 years ago. This gave us a strong platform to deliver integrations for applications deployed in our network. With the change to consuming Software-as-a-Service and using the cloud, we identified limitations in our capabilities. After trying a couple of open source solutions, we decided we needed a more mature, feature-rich solution. We set out to create a central, strong and risk-based authentication service. James Naughton, Head of Identity Management, led the project to select and implement this solution. After selecting Ping Identity as our preferred supplier, we were able to use Ping’s capabilities to implement our own modern web-based security policies. Our policies combine web-based single sign-on capabilities with risk-based Multi-Factor Authentication.
We utilise device and location information from an authentication request, combined with the security level of the target business application for which access is being requested. Depending on the calculated risk, we then decide which level of authentication is required to allow this request. Once the user has completed the authentication, or the risk is calculated as being ‘acceptable’, the user is allowed to access the requested business application.
How has Ping Identity’s technology offering improved the organisation’s identity management capabilities?
With Ping, we have a partner which is driving improvements within the Identity and Access Management field, in collaboration with other IT providers. Its technology stack has given us an irreplaceable foundation to increase our efficiency, security and usability.
Prior to using Ping Identity’s products, we utilised a combination of open source and purchased products. We were relying on three major technologies for authentication and authorisation: for access management we relied heavily on our central LDAP directory; and for identity management we used proprietary web services or messaging sent to a middleware allowing for custom integrations. Needless to say, the effort of integrating systems was high.
With the introduction of the authentication service, we shifted our focus to delivering standards-based integrations. For access management, OpenID Connect and SAML became standard, while SCIM (System for Cross-domain Identity Management) is our preferred technology for identity management. This change has allowed us to significantly increase our integration efficiencies by reducing the time to integrate a new system by more than 70%.
With the introduction of multi-factor and risk-based authentication for access to our business applications, we increased our security. The release of passwordless authentication (using FIDO2) allowed us to maintain the security while significantly improving user experience.
As one of the world’s leading global logistics providers, how important is having secure business practices in place across the organisation?
‘We advance businesses and lives by shaping the way our world connects’.
Logistics is more than just moving packages from point to point; it’s about delivering solutions that benefit the people for whom they are designed. Of course, in our modern world, IT plays a critical part in allowing business to take place. It is therefore essential that the IT and the business practices are aligned. Only then are we able to deliver on our promises.
Our vision is to ensure that we not only deliver solutions, but we do so securely. To realise this, we need to be aware of all components within the supply chain and how they interact.
With the knowledge of the supply chain and its security requirements, we can not only deliver the security demanded from our customers and partners; we can drive the change to improve our business and IT security practices.
What are some of the common cybersecurity challenges you face in the logistics industry?
Generally, they’re not much different to any other sector: ransomware, phishing, scamming, identity theft, espionage. Our users are, just like in any other business, often our weakest link.
Being a part of the supply chain means we have a complex environment, consisting of many distributed components: multiple providers (e.g. Software-as-a-Service, Platform-as-a-Service, Infrastructure-as-a-Service), different systems (including legacy), diverse user types who do not necessarily work directly with computers, and varied use cases. How do we secure these components and their interactions? There is no single solution to this; rather, it is a combination of many small factors specifically tailored to the requirements of the different components. Some of these factors include: well-defined and communicated security policies, extensive user training, regular threat analysis and penetration testing and the use of secure technologies with well-designed user interfaces.
How have your workforce, partners and customers benefitted from this implementation?
Unlike many other companies, DB Schenker maintains all user profiles within a single Identity and Access Management ecosystem (employees (workforce), contractors, partners, robots, and things). This has developed as a response to the complex demands posed by our business and has only been possible to realise due to the flexibility of Ping Identity’s technology stack. Having a single solution brings with it many benefits for both users and administrators, the single largest being secure single sign-on.
We have been able to realise single sign-on not just within our own company but with many of our partners and customers. This is known as identity federation and it allows entitled DB Schenker users to access our partners’ systems using their own DB Schenker profile. Using our central authentication authority, we are able to enforce, after risk assessment, that the correct authentication methods are used as demanded by our security policies. It also allows our users to have a seamless experience as they do not need to have multiple user, password and MFA combinations for different business applications.
Resulting from the demands of having all users in a single system, each of the different user groups has benefitted with additional features being available, where this might not have been the focus using individual implementations. Customer-facing applications often focus on being user friendly and efficient, whereas employee-focused solutions deliver security. At DB Schenker, users have the best of both worlds: a solution which is user-friendly, efficient and has all of the security configurations required for employee access.
What’s in store for DB Schenker over the next 12 months and how has Ping Identity played a part in this?
Our next steps focus on consolidating what we already have by improving both usability and security and delivering these benefits for DB Schenker. We will continue to focus on maturing our passwordless offerings, with a long-term vision of removing passwords completely. For this to be achievable, we need to continue to integrate business applications with our Ping components. We will continue to develop our risk evaluation, to be able to detect and react on anomalies in user behaviour and we will bring this together as a key component of our Zero Trust architecture.
Ping Identity provides the technology for a critical component in our Zero Trust architecture, the user authentication and authorisation. We rely on the flexibility, quality and speed-to-market to be able to continue to secure the supply chain to support DB Schenker’s success in the logistics industry.