How FedEx improved security, eased access

Delivering packages to customers in a timely fashion takes more than a good shipping label.

Delivering packages to customers in a timely fashion takes more than a good shipping label.

In the case of FedEx, employees often need special IDs to make deliveries, such as the Secure Identification Display Area (SIDA) badges required to access restricted airport areas. For years, FedEx relied on 121 security administrators to manually provision and deprovision SIDA badges as well as proximity cards for parking-lot access and photo IDs for building access.

The system helped prevent security breaches, but FedEx's process for retrieving badges and disabling access for inactive or terminated employees "wasn't centralized and easy to audit," says Denise Wood, FedEx's CISO. The result, she says, were gaps in deprovisioning that not only posed a security threat, but could have required FedEx to re-badge approximately 60,000 employees in the event of an audit.

"When people leave a large company, it can be difficult to get all of their accounts closed in a timely fashion," says James Quin, a lead analyst with Info-Tech Research Group. "In a lot of cases, you end up with ghost accounts-accounts that exist on the system that nobody is assigned to anymore, and those are big security holes."

So FedEx developed an identity management (IdM) intranet application that automates the badge-management process, boosts regulatory compliance and cuts costs, all with a single card.

An employee simply submits a request to obtain a badge and, depending on the person's job function, the system automatically selects from 12 badge designs, puts the individual's photo on the badge and then forwards it to FedEx's human resources department, where it's printed and shipped to the employee. Managers are automatically notified of the need to review or approve an employee request, and approvals are logged for seven years, in compliance with government regulations.

By using a single card, FedEx's IdM system has reduced processing time for facility-access requests from three weeks to real time and eliminated more than 23,000 annual man hours, or $1.2 million, in card-administration cost. Within six months of deployment, Wood says, FedEx "completely eliminated an outsourced provider for password management," a third-party contract worth $500,000.

An IdM system "isn't an easy solution to implement," warns Quin. The project came with a $277,000 price tag and must combine databases from multiple departments with competing priorities. To foster teamwork, Wood held monthly meetings with senior-level executives from affected departments to pinpoint mutually beneficial opportunities and ensure transparency. The meetings helped Wood build a strong business case for the project. Offering refreshments didn't hurt either.

The Company: FedEx Memphis, Tenn.

A $35.5 billion logistics-services company with a broad portfolio of transportation, e-commerce and business services. The company boasts more than 275,000 employees and contractors.

How they saved: By combining three cards into one, the identity management (IdM) system reduces the time it takes to issue badges from three weeks to real time. Automating badge requests has also eliminated 23,000 annual man hours, or $1.2 million, worth of administrative tasks.

Tools used: FedEx's IdM system. The facility-access portion of the system debuted in September 2007. The badge-management component followed in January 2009.

Group Development: Rather than burden IT with creating thousands of new badge-management applications, FedEx set up a brand new infrastructure integrating the databases of disparate departments-including corporate security, human resources and information security-to ensure a seamless, single card-provisioning process.

Build a Business Case: To justify the nearly $277,000 project, FedEx developed a value scorecard that tracks productivity gains and cost savings, such as eliminated third-party contracts.

Cindy Waxer is a freelance writer based in Canada.

Read more about office applications in CIO's Office Applications Drilldown.

Join the CSO newsletter!

Error: Please check your email address.

Tags Applications | Office ApplicationsapplicationsIdentity Management systemsecurityFedExsoftwareID badges

More about FedExIDAISO

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Cindy Waxer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts