For security and flexibility reasons, KiKxxl has been using Linux for its servers and the thin clients of its employees since its foundation. The company provides call centre services for customers such as Telekom, Vodafone and Mobilcom/Debitel, who verify the IT security by means of regular audits. As a result of its rapid growth, KiKxxl was nearing the limits of its IT capacities in 2009, when it had around 500 employees. Overloaded administrators were barely able to keep supporting the corporate goals innovatively and were running the risk of losing control over the resources.
“We had reached a point where it had become critical for the company”, said Head of IT Lars Hoeger. “IT pushed to its limits is a security risk.” Then an employee suggested using Univention Corporate Server (UCS) to manage the resources centrally. The “Univention Directory Manager” (UDM) identity and infrastructure management module included in the UCS management system makes it possible to control the users’ rights according to precisely defined regulations.
UCS creates transparency
The updates came just at the right time, as data privacy requirements became more stringent as of 2010. As a result, it is now necessary to keep clients separate in databases, on file servers and on backups. The user, rights and group administration and management functions in UCS provide the requisite complete transparency of the systems for authentication and authorisation rights. This requires all measures to be implemented in real time, processes documented and their compliance monitored.
UDM manages 6,200 rights groups fully automatically
KiKxxl now boasts over 1,600 employees at four sites. With the aid of the UDM module from UCS, the IT department now has control over more than 140 servers and around 1,300 thin clients. Rights are no longer granted according to groups such as Management, Accounting or IT, as this concept required too many exceptions. Instead, it employs extremely granular user rights. Each important resource is represented by its own rights group. In this way, there are over 6,200 rights groups, of which approx. 6,000 are groups for access to the file structure.
At this level, rights are assigned automatically, not manually. All authorisation rights to KiKxxl systems are applied for electronically. The data privacy officer checks them and approves them directly. When employees leave or transfer to another client area, the actions of the HR department delete the authorisation rights automatically. The IT department programmed and integrated this, along with mechanisms that verify whether the rules really are complied with, on the basis of the UCS management module UDM. Head of IT, Mr Hoeger, said, “All this was only possible because we were using the Open Source Univention server UCS.”
Since 2014, these rights also control the e-mail addresses to which a user can write. An “e-mail whitelisting” function, completely integrated in UCS and automated via the UCS management system, assigns different privileges. In 2015, “safe surfing” will contribute to minimising the risks of simply opening websites. In certain sectors, the browser will be provided as a remote session by a central server. In addition, the KiKxxl IT department will be setting up “squid” proxy servers, where a site will represent a group which is either approved via “whitelisting” or not. In the same way as for the rights groups, the squid groups are also integrated in UCS and managed by the UCS management system.