Yokogawa Electric provides services for remotely maintaining systems deployed at customer sites worldwide. It chose Amazon Web Services (AWS) to optimize service delivery, and an F5 solution that works with a legacy scheme to ensure secure user authentication—while better accommodating mobile users.
IT service providers need data centers near their customers’ business locations if they are to maintain rapid response times. Service providers are also opening multiple sites around the world to fulfill the needs of globalized customer businesses. These customers tend to vary widely by locality and their IT needs must be addressed promptly.
Yokogawa Electric’s Lifecycle Performance Care Services provides diverse product-lifecycle solutions to maintain the measuring and plant-control systems used by Yokogawa Electric customers across the globe. Though most of these services are delivered from company-run data centers, Yokogawa Electric has started providing some via AWS to meet customer needs more quickly. These services include remotely monitoring customers’ systems for rapid post-downtime recovery, providing preventive maintenance, and strengthening operational support. Customers can also access data collected with AWS.
“Transitioning to multiple sites requires substantial investment in data centers and complicates management of the provided services,” explains Isao Morooka, Manager of the Solutions Planning and Development Department. Because of these issues, Yokogawa Electric began planning the migration of its services to the cloud in May 2015. “AWS lets us launch servers at strategic locations around the globe for limited investment and makes management of services much easier,” adds Morooka.
According to Takashi Noda, head of the development and operation section of the Solutions Planning and Development Department, more-secure user authentication was required to transition to cloud-based services. “In the past, we prevented unauthorized access with a combination of user ID- and password-based authentication—as well as restricting access to certain IP addresses. But customers wanted us to tighten security in a way that would better accommodate their mobile users, so we added two-factor authentication (2FA) with hardware authentication to get things ready to make that happen.”
Yokogawa Electric chose a combination of Cybertrust Device ID and F5 BIG-IP Access Policy Manager (APM) to fortify against unauthorized access, especially through mobile entry points. “We first considered 2FA using hardware tokens and smartphones, but they presented problems like needing to physically distribute tokens and what to do about customers who don’t have smartphones,” Noda explains. “Device ID is much easier to implement because we can distribute certificates over the network for installation on devices.”
Toshihiro Tagami of Cybertrust Japan explains, “AWS’s standard features aren’t enough because proper authentication using Device ID requires working with an online certificate status protocol (OCSP) server to validate certificates in real time. We suggested BIG-IP APM.” To meet this requirement, Cybertrust Japan proposed deploying BIG-IP APM Virtual Edition (VE) for its solid track record. The customer agreed and decided to implement the solution in October 2015.
Yokogawa Electric’s deployment of F5 products enabled the company to provide its customers worldwide coverage via the AWS platform, and robust security by using ID validation with OCSP for authentication. This arrangement has in turn prompted more and more users to move to cloud services—a further positive outcome.
Allows for quick system integration
For the system integration work, Yokogawa Electric turned to a vendor, recommended by Cybertrust, with extensive experience installing F5 products on the AWS platform. “For this project, we also had to work with the existing user authentication scheme,” recalls Takayuki Tanaka of Hitachi Systems. “But we completed the new system in a month, including the time it took to study the existing scheme.”
Provides highly perfected user authentication
When a device connects, BIG-IP APM checks its device ID and verifies its validity with the OCSP server. If the ID is valid, the connection then goes through the usual process of authenticating user credentials and the IP address. “We think it’s the most highly perfected user authentication solution available,” says Morooka. He believes IP address whitelisting could be relaxed for customer sites with device authentication. This would remove constraints on a device’s location, opening up possibilities for the use of mobile devices and enhancing user convenience.
Motivates customers to transition to cloud-based services
Yokogawa Electric began delivering services via AWS in April 2016, and 90 percent of its customers had transitioned within six months. Secure 2FA enabled by BIG-IP APM lowered the hurdle for them to switch to cloud-based services.