Self-serve passwords more secure: Optus
Replacing manual staff password management with a self-service reset at Optus has reduced the inherent security risk of staff sharing passwords, according to Siva Sivasubramanian, Optus' head of information security.
Sivasubramanian told the audience at the CA World Expo 2011 in Sydney today that internally, Optus was required to perform 1500 domain password resets manually every month. This would require a staff member to call up the helpdesk and have a support officer manually reset their password if they forgot it or lost it. According to Sivasubramanian, this cost Optus $300,000, or the equivalent of 4500 person days per year or 20.5 full-time employees.
The ongoing operational cost wasn't the main issue, though, because the length of time that it took for support staff to resolve password problems would often lead to Optus employees sharing their passwords with one another.
"This opens up an avenue for bad behaviour. Guys will be able to share a password, or the managers or local team leaders will force them to use someone else's password so as to get the ball rolling, and it therefore creates an avenue of bad behaviour," he said. "It is no longer an operational problem; it's a thin end of the wedge for a security problem."
Optus ultimately opted to implement a self-service password reset system built on CA Identity Manager. The system had full Windows integration, which meant that when a user locked themselves out of their desktop, they were able to reset their own password after answering a number of personal questions to verify their identity.
It took 90 days in total to deploy, and was a "quick and painless" implementation, according to Sivasubramanian.
"We implemented this to about 10,000 workstations, and we have seen about 60 per cent call reduction right away; we are trying to work towards 90 per cent," he said.
Staff satisfaction had increased and productivity losses had fallen because "people are no longer whinging and raving about being locked out", he said.
"They are able to simply just go [into it], click on a link [and] a few seconds later they are back into business," he added. "Password control is shifted back to the human being, rather than back to helpdesk, which is usually perceived as being unhelpful."
The self-service had to be simple, he said, because otherwise people would be less likely to adopt it.
"It is people, they need to be brought on with you. Security is ultimately a culture, it's a mindset," he said. "Actual security is the responsibility of every individual in the company."
Responsibility that is only made more important in a telecommunications company.
"If anybody wants to attack a country at a cyber level, bring them down to their knees, the easiest thing that they need to do is to bring down or degrade the services of a carrier by 25 per cent," he said. "And that will have a knock-on effect, and almost everything will come to a grinding halt."
Sharing passwords between staff is not just a security problem faced by Optus; in February, the privacy commissioner Timothy Pilgrim found that staff at Vodafone stores had been sharing log-ins that provided access to personal customer information. At the time, Vodafone said it had strengthened data security, with tighter log-in identification and authentication processes, more frequent password resets and less approved access points for stores and dealers.