Case Study - Amcol

AMCOL International is a supplier of specialty minerals, providing products and technologies for a wide range of industrial and consumer-related markets worldwide. The company's products range from cat litter to specialized clay blends used in the casting of molten metals. On top of all that they operate transportation services.

Established in 1927, AMCOL today operates in more than 12 countries with over 1,200 employees. AMCOL, a public company, has consistently paid dividends to its shareholders since 1937.

The company has two iSeries servers, the main production 820 in the States with some 200 telnet users and a backup model 600 in the United Kingdom with around 75 telnet users. Both machines are connected to the internet with the main machine being the company's web server. It is regularly connected to, from our trucking system application vendor and other third party software vendors and service providers using EDI applications, ODBC, FTP and telnet. The main office machine in Illinois is fed directly with production data from the automated production environment.

Amcol's auditors and the IT department jointly started preparations for Sarbanes-Oxley compliance in early 2003 and chose to seek a third party solution for access control and auditing as they felt they didn't have enough expertise in the security area to implement a solution in-house. Three competing products were considered and after an in-depth study and checking out some references, they chose to go for Bsafe Information System's Bsafe/Global Security. Of the many criteria chosen to compare the products, usability was amongst the most important. Bill Gregory, the iSeries security administrator explained the importance of this. "Our administrators are largely non-programmers. Bsafe's product was particularly outstanding in its features and we found it to be the most user-friendly GUI by far".

The Amcol IT staff were initially concerned regarding the installation and implementation of the product. This was an application that could disrupt the operation of the production machine if implemented wrongly. Bill recalls requesting the vendor, Bsafe Information System to do the installation - something he planned for well in advance. "We arranged to download the latest version of their product from their website after which they would do the installation remotely. However, we started a little before time and decided to do the first steps of the installation ourselves. The process was outlined step by step in such a clear manner that we ended up not just downloading but fully installing the product even before we got the Bsafe guys on the phone".

He added "The product was running on warning mode immediately following installation. This way we had full logging and had time to make our permissions definitions, before switching to full protection. The Bsafe support guys guided us through the stages in a couple of training sessions and we then undertook the implementation process ourselves".

After going ‘live' with the product i.e. after implementing full protection, Bill was spending some 8 to 10 hours a week checking network traffic, and fine tuning permissions definitions. Today the ongoing time he needs to invest is much less. They have set up IDS alerts which let them know the moment an unauthorized access attempt occurs so have less need to constantly run inquiries. Bill notes "We normally experience a marked increase in invalid user and invalid password alerts on a Monday morning or after a holiday when our users have managed to forget their login details. We run a portion of the many reports every week".

They use the intuitive audit policy interface to review and update audit control definitions. The Bsafe Audit comes in whenever there is a need to check out specific activity or to debug certain situations like connection problems. "We've been surprised on more than one occasion to discover that the profile being used in a connection was different to what we thought, something we wouldn't have been able to do without Bsafe" says Bill. "The login/logout event alone gives us a superb monitoring tool for database and other kinds of access".

The permissions restrictions are in force on both machines. When Amcol wishes to permit external access, for example to the vendor of their trucking system for software updates, they open up the Bsafe network permissions for that user then close them down again immediately after the required update is complete.

When asked about support Bill has no hesitations. "The product documentation has been excellent both in the on-line help and in the various learning aids available" he says. "Whenever we have experienced problems the vendor has been right there for us, by phone and mail. The support we've received has been incredible".