BP turns its back on traditional IT security with internet access to company systems

Oil giant aims to provide 60% of employees and third-party users with secure access to corporate systems, including applications,...

Thousands of BP staff, almost 10% of the workforce, will access the oil producer's business applications via the public internet, rather than corporate intranets, by the end of 2004.

The BP programme, known as Radical Externalisation, follows an 18-month trial, currently involving 2,000 staff, to ascertain the viability of this type of network connectivity.

The approach is a radical departure from the standard means of giving users secure access to corporate systems through a private link or a secure virtual private network.

The idea BP has proposed is for staff to use a standard PC running an internet browser to connect to corporate applications in a similar manner to the way users connect to internet banking services.

Eventually BP hopes to have 60% of its internal users and business partners connecting to the company via the internet.

According to Paul Dorey, director of global security at BP, the internet is the most cost-effective and reliable way to provide network access. "We operate in 135 countries and the telco infrastructure is not consistent. We have found that the internet is more consistent than other networks," he said.

Dorey's aim is to simplify BP's network infrastructure, which not only has to support internal users, but also needs to enable access for up to 90,000 third-party businesses. BP is currently running 380 extranets to support third-party partners, and Dorey said, "It is much easier to support outsourcers, for example, if they link via the internet."

Dorey is a member of the Jericho Forum, the user group established by chief security officers in some of the world's largest businesses to tackle standardisation and flexibility in IT security.

The project undertaken by BP is similar in nature to that undertaken by fellow Jericho Forum member John Meakin, head of information security at Standard Chartered Bank.

Meakin is also looking at using the internet to provide access to secure banking applications in developing markets.

The network models proposed by Meakin and Dorey form the cornerstone of the Jericho Forum's main "embedded internet" strategy. The group plans to examine how such an approach could be improved to support global businesses in the future.

Drivers for BP

  • Significant operations in more than 135 countries
  • Many users are "on the road", and an increasing number work from home
  • The company makes much use of outsourcers and contractors
  • It has many joint ventures, often undertaken with competitors.

Extranet failings

  • Money could be wasted on hauling data
  • Barriers to legitimate third parties might be created
  • It may become hard to define what is inside or outside the corporate space.
