Replacing manual staff password management with a self-service reset at Optus has reduced the inherent security risk of staff sharing passwords, according to Siva Sivasubramanian, Optus' head of information security.
Sivasubramanian told the audience at the CA World Expo 2011 in Sydney today that internally, Optus was required to perform 1500 domain password resets manually every month. This would require a staff member to call up the helpdesk and have a support officer manually reset their password if they forgot it or lost it. According to Sivasubramanian, this cost Optus $300,000, or the equivalent of 4500 person days per year or 20.5 full-time employees.
The ongoing operational cost wasn't the main issue, though, because the length of time that it took for support staff to resolve password problems would often lead to Optus employees sharing their passwords with one another.
"This opens up an avenue for bad behaviour. Guys will be able to share a password, or the managers or local team leaders will force them to use someone else's password so as to get the ball rolling, and it therefore creates an avenue of bad behaviour," he said. "It is no longer an operational problem; it's a thin end of the wedge for a security problem."
Optus ultimately opted to implement a self-service password reset system built on CA Identity Manager. The system had full Windows integration, which meant that when a user locked themselves out of their desktop, they were able to reset their own password after answering a number of personal questions to verify their identity.
It took 90 days in total to deploy, and was a "quick and painless" implementation, according to Sivasubramanian.
"We implemented this to about 10,000 workstations, and we have seen about 60 per cent call reduction right away; we are trying to work towards 90 per cent," he said.
Staff satisfaction had increased and productivity losses had fallen because "people are no longer whinging and raving about being locked out", he said.
"They are able to simply just go [into it], click on a link [and] a few seconds later they are back into business," he added. "Password control is shifted back to the human being, rather than back to helpdesk, which is usually perceived as being unhelpful."
The self-service had to be simple, he said, because otherwise people would be less likely to adopt it.
"It is people, they need to be brought on with you. Security is ultimately a culture, it's a mindset," he said. "Actual security is the responsibility of every individual in the company."
Responsibility that is only made more important in a telecommunications company.
"If anybody wants to attack a country at a cyber level, bring them down to their knees, the easiest thing that they need to do is to bring down or degrade the services of a carrier by 25 per cent," he said. "And that will have a knock-on effect, and almost everything will come to a grinding halt."
Sharing passwords between staff is not just a security problem faced by Optus; in February, the privacy commissioner Timothy Pilgrim found that staff at Vodafone stores had been sharing log-ins that provided access to personal customer information. At the time, Vodafone said it had strengthened data security, with tighter log-in identification and authentication processes, more frequent password resets and less approved access points for stores and dealers.
myne 
trippledes 
Linkedin 
RSS Feeds 
Newsletters 
Alerts
Why did they not go with a more modern solution like Password Reset PRO from www.sysoptools.com? They could have deployed the entire solution in weeks instead of months, and users could access self sevice from their mobile devices. If the CA device ever breaks, they will lose all their enrollments- not good! A solution like Password Reset PRO is redundant by design since it uses native Active Directory, no single points of failure. Plus it can be load balanced and art no extra cost.
Let's not forget that "old school" question / answer enrollments like the CA provides do not work well since users always forget the answers and the questions they chose. More modern self service systems use image IDs (like banking websites), are much easier to enroll yet more secure.
While they may have lowered help calls for domain password resets, they will indeed see an increase in help calls from users who forgot their self service enrollment logon (due to the old school questions / answer enrollment method). They essentially traded one set of help calls for another. Again, not good.