
BT and Identity Access Management

Seraphsailor
Grand Master

Found this to be interesting reading:

 

http://www.ca.com/files/SuccessStories/bt_ss.pdf

 

From what I can see all they have done at the moment is implement Single Sign On using the nominal username and password. Single sign on opens up the doors further for hackers or an internal attack with greater damage capability. BT need to move very quickly to stronger two factor authentication to further protect their systems and enhance security (and people only having access to systems in order to do their job). The quick win at the moment is in the self-service and the reduction of calls to their own support desks for aspects such as password resets. They have bypassed the more difficult aspects of detailed federation and the significant business process changes to implement root certification and the introduction of items such as smartcards, biometrics and the diversity impacts that will be felt by BT staff.

(If BT want to employ me as a security consultant on Identity and Access Management then I'm available)

3 REPLIES

Tracey
Guru

Hi Seraphsailor,

 

The authentication infrastructure that has been deployed by BT (which includes Single Sign On functionality) provides support for a range of authentication credentials such as One Time Tokens, X509 certificates and biometrics. Use of the infrastructure allows BT to select the most appropriate credentials used for each application and it allows BT to expand the credentials used as the industry evolves. The infrastructure also supports federation standards and BT has implemented a number of federation partnerships and we have been working with partners to expand our use of federation.

 

Besides the authentication infrastructure, BT also has an active identity management programme looking to ensure that individuals only gain access to systems they need to do their job. A key element of this programme is the implementation of a role based access control infrastructure that supports the provision / de-provision of system accesses and the governance and compliance functions.

 

In implementation of the authentication and identity management infrastructures BT is committed to use of standards and is actively involved with various standards bodies.

 

Thanks

 

Tracey

 

BT Forum Moderator





If you like a post please click on the star image on the left-hand side of the post.
If someone answers your question correctly please let other Forum members know by clicking on Accept as Solution on the right-hand side of the answer post. Please also consider replying to the post stating that your question has been answered successfully.

Seraphsailor
Grand Master

Hi Tracey,

 

Good luck with the RBAC element of IAM as it's one of the more difficult areas (and for an enterprise co such as BT will/could be quite challenging) but once completed then the implementation of RBAC to support what systems one has access to and one's rights within those systems will pay dividends with associated enhanced security aspects. I'd be interested to know if BT are implementing (or using guidance from) the technical aspects of FIPS 201 across all divisions; or something else? (I'm available! - and used to work at Martlesham)

 

BTW: have you identified my local BT account management office?

 

Steve

Tracey
Guru

Hi Steve,

 

I sent you a private message with the details of your BT Local Business.

 

Thanks

 

Tracey

 

BT Forum Moderator




