Case Study: Continental Secures Remote Access, Trims Costs
Sometimes the drive for better security can also bring cost savings.
Sometimes the drive for better security also begets cost savings. That’s what Continental Airlines Inc. found when it upgraded and consolidated dial-up technology for its remote workers.
Based in Houston, Continental Airlines is the country’s fifth-largest airline, and carries 55 million passengers per year. Of its employees, 1,500 are highly mobile, working in 271 cities in 52 countries. To manage dial-up costs and network security, the IT department gives them dial-up software preprogrammed with local dial-in numbers.
Previously, that remote-connectivity system used a patchwork of software—sometimes also involving VPN clients—plus two telecommunications services: one domestic, one international. As that approach aged, however, Continental found it increasingly difficult to implement improved security, or to give users the faster connectivity they were demanding.
The system also cost Continental about $200,000 per month—more than it wanted to spend—and costs were climbing, thanks to employees’ increasing Internet use. On top of all that, users also found the interface confusing. “There were several different steps that the user had to do to connect, and you also had to know which one to use when and where,” says Stacey Thomas, senior manager of telecommunications at Continental.
Then, a couple of years ago, employees of Continental’s public Web site, Continental.com, referred a vendor they’d been in discussions with, Fiberlink Communications Corp., to the telecommunications department. “That’s how I got involved,” Thomas says. After evaluating Fiberlink, she went to her two then-current providers and asked if they could match the improved functionality or connectivity footprint. Neither could, so in late 2003 she began migrating Continental to Fiberlink’s software and dial-up network.
“One of the things I like about Fiberlink is they’ve aggregated solutions,” says Thomas, meaning they can build in other companies’ features, and partner with other companies to gain needed connectivity. For example, with her previous dial-up providers, “if they didn’t have a presence in a country, I was stuck. If they didn’t have a presence in a city, I was stuck.”
Today, any employee who needs remote access uses a Fiberlink software client. Before users can connect to Continental’s network remotely, however, the Fiberlink client does two things: it ensures the PC’s antivirus software is running and up to date, and it disables any instant messaging, since Continental’s security policy prohibits it—primarily for protection against viruses.
Besides logging employees onto the network, the Fiberlink client also passes a user’s credentials to the log-in server. “So basically my username doesn’t have to be different for Fiberlink and my network,” says Thomas. During the log-in process, the Fiberlink client also pops up Continental’s Cisco 3030 VPN client at the appropriate point, which makes logging on easier for users.
Looking back, Thomas says the Fiberlink rollout was straightforward, though finding all of her mobile users took some doing. She sent public e-mails, then sent a CD with the appropriate software to each mobile user. Users with older PCs encountered some difficulties. “With some of those we had to do some real handholding with users to get the client to install correctly and work,” she says. Overall, however, “we tested beforehand very thoroughly, and our standard desktop image worked well.”
Indeed, the move paid off, reducing Continental’s remote-connectivity costs by 66 percent. Much of the cost savings came simply because Fiberlink has more local access numbers in various cities and countries than Continental’s previous providers. “So the user is able to connect in more locations with a local phone call, versus a toll-free phone call. That’s a huge cost savings,” notes Thomas.
Now she can also see who’s using remote connectivity, and how, which lets her clamp down on abuse. For example, if someone is online for eight hours at a time, she e-mails them a warning. “Now I’m able to send e-mails that say, 'Hey guys, you know we pay for this, if you’re online and not using it, we’re getting charged, so disconnect,'” she notes. “So we’ve been able to educate users on more efficient use as well.” While Fiberlink can automatically log people off after a set amount of inactivity, “we haven’t gone that route.”
Currently, Continental is migrating to an SSL VPN for remote access, and will upgrade to Fiberlink’s Extend360 software, which will allow its users to connect to Fiberlink-compatible broadband and WiFi hotspots. Migrating to the new Fiberlink client should be easier than the last rollout, she says, since the existing client will just pull down the upgrade. To be safe, though, she’ll roll it out to “a group of key technology users here in Houston first, just to make sure there’s no big, major hiccup.”
Thomas will also give some users a cellular card for their laptops, which she says currently performs at about 64 Kbits per second, versus 32 Kbits per second for dial-up. She expects the cellular connection speeds to improve significantly as Fiberlink builds in access to new, high-speed wireless EVDO networks.
While she’s happy with the software, one capability Thomas would like in the Fiberlink client is the ability to use a non-Fiberlink-supported hotspot. For example, if a user is in an airport with Sprint hotspots, she says it would be nice if they could pay by credit card to access it, if necessary, and go through the Fiberlink client to maintain the security controls.
Mathew Schwartz is a Contributing Editor for Enterprise Systems and its Security Strategies columnist, as well as a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.