How BT justified investing in Web SSO

Learn how British Telecom (BT) made the case for adding better password management to its Web security infrastructure and convinced staff developers to use its framework.

Single sign-on (SSO) sounds like security nirvana when you're having to deal with more than 150,000 internal users, plus a massive group of external partners and customers - the user base BT has to support for its web applications. Its online applications infrastructure currently handles more than 40 million transactions a day and more than 8 million users.

At that scale, password management problems become acute and finding some sort of automated solution becomes imperative.

"It was all built around how many passwords users were having to remember," Alec Cartwright, BT's architect for authentication, authorisation and identity infrastructures, explained at the 2008 CA World conference in Las Vegas. "Most users had tens, but in our worst case, one poor guy had over 100 passwords, and most of those changed on a 30-day cycle. He was spending a significant amount of his time every month coping with the password change cycle."

The conventional way of dealing with that problem is via self-service password management online, but that wasn't a readily available option. "The capability to do password resets on the Web was very limited," Cartwright recalled.

When BT began investigating better password and security management options in 1999, the need was apparent but translating it into fiscal terms was much more difficult. Technology selection was relatively straightforward - BT selected CA's SiteMinder Web Access Manager - but making the numbers work was harder.

"We didn't base the business case on single sign-on. It was very difficult to quantify how much BT would save by people not having to type in passwords lots of times."

Comprehensively solving the problem could save 15 minutes per user on a rough estimate, but "that doesn't equate to much of a saving".

Cartwright also didn't want to merge the project with a broader identity management rollout. "It is a major infrastructure project in its own right - it's not worth trying to combine it with an identity management rollout as well."

A more viable approach was to focus on the reduced development effort required for BT's applications, which number more than 2,500 and continue to grow. That development expense could be quantified much more readily.

"We save around 4.5 million pounds a year by running this online infrastructure," Cartwright said. "After the initial deployment, we then defined it as a reusable capability. Now it's a case of just turning the handle on the sausage machine to integrate more and more applications."

While that sounds impressive in theory, persuading disparate development groups to use the framework site-wide was a time-consuming task, even though its use was eventually mandated.

"We started off with a carrot, so we found some friendly developers and we went through the story of SSO and reducing passwords. The carrot worked on the first four or five apps but then it started getting a bit difficult so we moved to a stick basis where people were told 'you must do it this way'.

"We had to move to the stick because people said 'I don't trust SiteMinder, it takes control away from my coding'. But most people when they've done it once or twice say 'it's OK, it works'."

Documenting the available APIs and setting a standard integration approach helped convince developers and also reduces ongoing training costs. "We put it down in a book so we don't have to keep explaining it to all the new developers."

"We do occasionally have people who fight it, but we enforce it and we get more and more reuse on a regular basis." While the improvements are measurable, this kind of rollout is both time-consuming (as the start date suggests) and cost-intensive. "These things take a lot of time, because some of the web sites are really, really sensitive," Cartwright said.

BT had an initial development team of nine, which has now expanded to 22 and includes support functions.

One key strategy to minimise maintenance has been using out-of-the-box technologies whenever possible.

"We don't write any custom code on top. That has made life very easy. When we do an upgrade, there's not a lot of work for us to do. We haven't got to cope with recompilation or redevelopment around an authentication scheme."

BT runs a total of 24 policy servers, all identically configured. "We work with clusters of three policy servers in each site," Cartwright said. That way, even if one server is taken down for maintenance, there's still resilience within the site. "In five-and-a-half years of running, we've never been without some policy servers and applications have always been able to authenticate."
