
    The Beaumanoir Group in France secures privileged accounts with the YubiKey

    Retailer lowers cybersecurity risk with flexible, modern authentication and the multi-protocol YubiKey
    Retail
    Privileged Access
    POS systems

    The Beaumanoir Group (“Beaumanoir”) is a textile group with more than 3,000 stores and 15,000 employees across France, but also Switzerland, Spain, Portugal and Italy. Beaumanoir operates under well-established brand names such as Cache-Cache, Bonobo, Bréal, Morgan, La Halle, Caroll and online-only through Sarenza.

    As France’s largest textile group continues to expand its portfolio of brands and move its historic retail brands online, it’s placing more emphasis on reducing the risk of cyber attacks. Globally, the retail and wholesale industry is the most targeted industry for phishing attacks. While Beaumanoir felt that protections were in place for opportunistic attacks, they were concerned about targeted phishing and malware attacks being on the rise and wished to raise the bar for security to protect sensitive data.

    The Beaumanoir Group protects against targeted cyber attacks with phishing-resistant MFA and the YubiKey

    François Kayser, IT Domain Director, Infrastructures Flow and Security, felt that multi-factor authentication (MFA) was the only certain way to significantly lower the risk of targeted attacks. “There are many challenges in my day-to-day work,” notes François Kayser. “But one of my main tasks is ensuring access to information systems is secure.” 

    At first, the IT security team rolled out one-time passcode (OTP) solutions installed on work or personal smartphones which generate a random passcode for two-factor authentication. However, like many organizations, Beaumanoir realized mobile-based authentication was not appropriate for users who did not have work phones or for situations that required more versatility or high-assurance security. 

    At Les Assises de la Sécurité conference in 2019, François Kayser met with Yubico and learned about the YubiKey, a hardware security key that provides phishing-resistant MFA, with multi-protocol support including FIDO U2F, FIDO2/WebAuthn, PIV/Smart Card and OTP. After evaluation, the team decided the YubiKey offered the flexibility and versatility needed to secure privileged user access and to help protect a number of its more vulnerable point-of-sale (POS) systems.

    “There are a lot of opportunistic attacks, and we have detection and protection systems against those, but for attacks that are more targeted, we need to lower risk with regard to external access. This led us to MFA and the YubiKey.”
    François Kayser, IT Domain Director, Infrastructure Flow and Security

    The YubiKey offers portable and trusted security for privileged users across devices, apps and platforms

    In his role, François Kayser has to support access to corporate IT systems such as email and Microsoft Office 365 resources, as well as privileged access to data, devices or systems operated by technical administrators, network system administrators, developers and Software-as-a-Service (SaaS) application system admins. 

    Beaumanoir leverages public key infrastructure (PKI) to provide high-assurance authentication to on-premise workstations, but this solution on its own lacked flexibility for remote and cloud-based administrator access. For this, Beaumanoir chose the YubiKey 5C NFC, which can support PKI across a wider range of devices and cloud-based applications through both Smart Card and FIDO2/WebAuthn standards. François Kayser, who is constantly on the go, chose to use the ultra-small YubiKey 5 Nano, which is designed to securely stay in the USB port of his laptop.

    With the benefit of hindsight, François Kayser notes that the YubiKey was ultimately more cost-effective than the alternative solution for privileged access, which is purchasing work phones to support OTP for administrators. The total cost of enterprise mobility can be as high as $1,840 per owned device, including the cost of purchasing devices, recurring service costs, enterprise device management software and security software, not to mention the cost of device replacement or support. In a Total Economic Impact (TEI) study conducted by Forrester Consulting, the YubiKey demonstrated a net present value (NPV) of $3.2 million and an ROI of 203% over three years.

    “We use the YubiKey when we have administrator access that requires MFA and when MFA cannot be provided by a mobile phone, whether that concerns on-prem or SaaS applications,” says François Kayser. “The advantage of the YubiKey is its versatility and the ability to do both OTP and also store certificates on the key.”

    Beaumanoir uses the YubiKey to store the authentication certificates generated by their PKI to support remote privileged access via VPN to secure systems. The YubiKey’s hardware design enables the secrets to be stored on a separate secure chip built into the YubiKey, so it cannot be copied or stolen, offering the highest level of security and a portable root of trust for access to on-premise and cloud-based systems. 

    The process of moving certificates from a TPM chip in shared workstations to the YubiKey was “relatively simple,” according to François Kayser, with very little documentation needed to onboard users to their YubiKeys.

    Deploying the YubiKey to secure POS systems

    As a retail group, Beaumanoir places a high priority on the security of its POS systems to ensure transactions and customer data are kept safe. In addition to physical security precautions and other controls, Beaumanoir runs filtering based on the output IP of its networking technology. However, a limited number of stores and POS systems were outside the MPLS network, relying only on username and password for access.

    Beaumanoir deployed the YubiKey 5C NFC to secure access to these POS systems, introducing a second factor to the authentication process.


    Beaumanoir and Yubico – Building a modern cybersecurity approach for the present and future

    The high availability of sensitive data makes the retail and hospitality industry a lucrative target for cyber attacks including phishing, ransomware and data theft. In fact, 69% of retail organizations report being attacked by ransomware in a single year. It is therefore essential that the retail sector globally lowers cybersecurity risk by adopting modern, strong authentication. The YubiKey provides Beaumanoir with highest-assurance, phishing-resistant MFA to both protect privileged access and allow a frictionless solution for POS systems.  
