Security Solutions for Telecom

EnterSpace for Security Suite in Telecom — Wireless, Wireline, Cable and Internet Services

Run-time security decisioning including authentication support, coarse-to-fine-grained authorization, and federated attribute retrieval: improve access & security at the SAME time.

Information Technology is a prime driver of the telecommunications industry. Most large telecom firms have deployed scores of applications to support customers, employees and partners. Generally, each application has its own security framework, creating very expensive security headaches. Industry consolidation has only increased the complexity of the problems, as disparate systems must be integrated. In addition, whereas telecom firms used to deal with user populations in the thousands or tens of thousands, with the Internet, Web Services and the business drivers for self-care, user communities can quickly reach the millions. Given these present-day realities, a new enterprise product is needed for next-generation access management and authorization. The EnterSpace Decisioning Service (EsDS) for Security is this tool.

Every Request for a Secured Resource Is Individually Authorized — While many solutions exist within the access management and authorization space for the telecom industry, most lack true real-time functionality. Those who need to know are identified statically and saved in an access control list (ACL) by a human administrator. The result is that the security model is only as current as the ACL, leading to coarse or poorly controlled security models and holes in the enterprise's security posture. As user community size increases and the number of secured resources under management continues to grow, maintenance of ACLs becomes progressively more prohibitive. Many telecom companies have responded by “batching” updates to the ACL to minimize the volatility, but unfortunately this means that security decisions are only as accurate as the ACL is current.
Traditional ACL-driven models are inherently out of date, in that what is being saved is the RESULT of a security policy being applied to user-specific information. Therefore, the ACL is only as current as the moment it was created. The inability of this model to provide security implementations that accurately reflect “right-now” information has prevented enterprises from sharing with customers, employees, partners and vendors all the information they might have a legitimate need to know — in effect, it has built walls that limit relationships and productivity. The EsDS for Security makes a real-time decision for every request to allow fine-grained, context-sensitive access decisions that are based upon CURRENT user information and security policies. It is time to tear down the walls between the enterprise and its users.

Assume a telecom company has a call center with 5000 employees. Each employee must have access to 5 different systems during the course of performing their job function. This means that each employee must maintain 5 user IDs and 5 passwords at all times. It also means that the employee will generally spend on the order of 10 minutes of unproductive time “logging in” to all those systems each time they sit down to work — generally twice per day. This can easily add up to 20+ minutes of unproductive time per user, per day — a substantial sum. Couple this with the cost of lost productivity due to forgotten passwords and the administrative cost of establishing/maintaining identities and passwords in each system, and the business case for implementing the EsDS for Security is apparent. With the software tool, each user needs only one identity and password, and once their identity is established they are allowed to access all the elements of the various systems for which they have a legitimate business need.

The second area where the EsDS for Security can play in Telecom is in the direct customer-facing systems. CRM (customer relationship management) is a common buzzword in the industry, and customer self-care is the brass ring. When customers can directly manage their own account, customer satisfaction levels go up. At the same time, costs are reduced in that there is no need to pay a CSR to be the go-between from customer to system. The downside in customer self-care is that very few identity/access management models are capable of handling the number of users and access requests that a large telecom company needs. Telecom providers frequently have a customer base numbering in the millions of subscribers — traditional security models simply cannot cope with user populations this size. The EsDS for Security, however, is designed with precisely these types of needs in mind.
The software tool provides fine-grained access controls, complete auditability of customer actions, and simultaneously manages millions of users across multiple systems.

Security Policies Centrally and Easily Administered; Enterprise-Wide — With Jericho Systems, security is a function brought to the enterprise level. Currently, security is managed on an application-by-application basis. From the ground up, the EsDS for Security is built for distributed administration of the security policies, allowing the owners of the resources being managed to directly control the policies defining access throughout the enterprise. This is a substantial change from traditional security models, where access controls are maintained both by the programmers who implement the code that checks the ACL, and by the security groups who maintain the ACLs themselves. The requirements of the resource owners are thus at least two steps removed from the decision, and the ability to effect change in the security policy is frequently inhibited by programmer availability. With our software tool, policy changes can be implemented by the resource owners directly, in real time, and will be reflected upon the very next request for the secured resource. In addition, the GUI for the management of security policies is built for the non-technical, but business-savvy administrator.

Quickly Leverage Current Enterprise Investments for Increased Security Functionality — The EsDS for Security is designed to quickly integrate with previously deployed technologies, including identity management and authentication mechanisms.

Secure, Detailed Logs Provide Single-Point Auditability — Each time a request is made, the EsDS for Security writes a detailed event log to a repository.
This log contains ALL the information relevant to the decision, including the identity of the requestor, the resource the requestor tried to access, the version of the policy used to determine whether to grant the request, any/all data values used in making the decision and the resulting decision itself. This log can be written to almost any storage form, including WORM (Write Once, Read Many) devices for non-changeable audit logs, or a database for handling reporting and ad-hoc queries.

Real-Time Alarms Allow “Right-Now” Response to Inappropriate Requests — When a request is denied for any reason, the EsDS for Security provides a mechanism whereby an alarm condition may be delivered to a system responsible for notifying individuals or components to respond to the event. For example, assume an employee is attempting to access a secured resource that is highly sensitive: sensitive enough that any denied request should initiate an alarm. Within the tool’s security policy definition process, an option is available to cause an alarm condition to be raised upon denial. At run-time, when the user’s access attempt is denied, the EsDS for Security generates an alarm message which details the user’s identity, the resource requested, and the reasons for the denial, then delivers it to a system of your choice. This might be an SNMP interface to an enterprise management console, an alert to a paging system, or any other form of electronic notification.

Collaboration — While information has long been perceived as having value within the business environment, the true value is actually in the services and products that can be derived from it. And in order to do that, information must be shared among all the people and systems that have a part to play in bringing those services/products to life. This collaborative process has been limited severely in the past by the inability to share information freely among the participants while maintaining security of the data itself.
Like water in a lake, your data has enormous potential. The water realizes that potential only when it is put into motion to create energy. By enabling the sharing of information securely, the EsDS for Security helps put your data into motion to create business value.

TO SUMMARIZE: With the EsDS for Security, Telecom Companies Gain Numerous Solutions; Including:
Telecom Organizations’ ROI in Jericho Systems is Derived from:
The EsDS for Security can perform hundreds of thousands of authorization decisions per second, for user communities and resources (items to be secured) in the tens of millions, in a real-time, parallel-scaling, fault-tolerant environment.