Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
Keynote at the European Identity & Cloud Conference 2013
May 14-17, 2013 at Munich, Germany
We will have three keynotes this morning and the start will be given by Peter boy from British telecom head of identity services. Floor is yours Morning. Thank you very much. Yeah. I think a few people probably stayed a bit late in the bar last night. Haven't quite made it here so far. I dunno if it's called the graveyard shift or is that the one that happens after lunch?
However, I said, I'd give a presentation around how we deal with our customers and keep them safe. So I think for us, it's always been a question of balance. So from a security professionals perspective, we always want to secure the order and the transaction journeys from the people who create the portals in our organization. They want zero touch on the order and transaction journeys. So it's actually a balance. And for the past number of years, the guys who create the portals have actually won the battle.
So there's been a lot of focus on us, not actually touching the order journeys at all with any security encumbrance. So basically what that means is that, you know, we exposed our portals and our customers to a degree of risk. And as I say, the traditional has, the tradition was, was that balance actually swung towards that way.
However, in the last few years, last couple of years, I would say specifically in the last 12 to 18 months, we've seen a huge increase in the desire to actually secure the order journeys and a transaction journey. So the, the balance is actually swinging the other way. Okay.
So, and why is that? Well, you know, we all know that, you know, we live in an online world, so we interact with multiple service providers on a daily basis. We probably interact with more and more on a daily basis moving forward. And of course that leads to some behaviors, both for us and for our customers around how they manage their credentials, how they manage their, their online life basically. And it does create opportunities for hackers and the bad guys to exploit that situation. So we recognize that it's an issue for us.
We have multiple portals, we have had multiple portals and we need to, we need to find a way to make that journey both more secure and more reliable and more meaningful to our consumers. So there's some facts I think are true for everyone.
You know, we do more online. I do more online on today than I did 12 months ago. And that's a fact, therefore I have more accounts with more service providers and I'll have more by this time next year. And we're certainly being encouraged by we're being encouraged generally to do even more online, but we're, we're actually also being encouraged by our governments in some cases to do more online. And there's a major initiative in the UK underway under the banner of digital by design. And one of the, one of the tenants of that is the UK identity assurance scheme.
So to interact with government services, you have to go through an identity provider, a trusted identity provider. So in effect, the UK government is actually divesting its identity responsibilities to, to some companies in the public sector.
So, you know, if that's the first time ever that that's happened, I think it is. It's obviously happening in the us and it's happening elsewhere in Europe, but it is aimed at streamlining the online pro the online process now. So another fact, and I guess we can all hold our hands up to this or not as security professions where we all reuse passwords, or we all reuse password themes, or we always rely on the password reset journey. I do a public combination of all three, but it is becoming increasingly different, difficult to remember what password I've used for what particular service.
And again, that limits my ability to transact online securely. So it has to be a solution for that. And as a result of that, many of us have had our details stolen.
I guess, if you haven't, you could be considered to be lucky. You know, I've seen some stats would say that perhaps 15 to 20% of us have at some point had our data compromised. So as a service provider, how do we react?
You know, how do we plan for the future and how do we retain our customers? How do we make them feel safe when they're transacting with us? So it really is all about the brand.
So for us, in, in, in BT, everybody's telecom, the UK, it really is all about the brand. And we now, it's an interesting conundrum here because we don't retain customers because we're good at security. We retain customers because we sell things that customers wanna buy.
However, if we're not good at security customers won't wanna buy those things from us. So in that sense, it really is all about the brand. And thankfully, you know, we, we have a certain amount of strength in our brand that we've built up over a number of years and it's certainly not to be underestimated. So one of the factors that perhaps has contributed to that trust is for example, our involvement in the, the London Olympic games of last year.
So we were a major provi provider of service to, to the Olympics we provided most of well, pretty much all in fact, all of the telecoms infrastructure for the Olympics last year. And pretty late in the day, we were also asked by LOCOG to take on management of the London 2012 website, which in itself, as you can imagine, was a huge challenge.
So, you know, that it was a classic case of over provisioning. We certainly focused ourselves in on the Olympics.
As a, as an event, we had a team of 150 professional security professionals dedicated to the, to Olympics itself. And thankfully for us, it turned out to be a huge success. There were massive amounts of data, obviously, as you can see there almost 40 billion page views on the Olympic site, 450 million visits at 1.4, five terabytes of data transferred.
So the, the issue there is with that amount of tra of traffic, that's coming into your website, a lot of it's good traffic, but actually some of it is also bad traffic. Okay. So we were aware of the fact that, you know, obviously as a partner to the Olympics, we were high profile target, and we had to put the infrastructure in place. Tightly would protect us from those targeted attacks.
So we, we did see at least one activism campaign every day of the Olympics, you know, from the very first from the opening ceremony, we were, we were attacked on a regular basis. So there were 212 million malicious attempts that we actually blocked onto the 2012 website, you know, huge amounts of, of, of data 11,000 malicious requests per second. So you can imagine, so an event of this size actually does attract an awful lot of tension from, from the bad guys as well. We delivered a huge amount of text in terms of website pages delivered.
It starts with a four and ends of an eight, and there are lots of numbers in between. I couldn't possibly tell you what that number is, but it's very, very big. So events and experiences like that actually contribute to the brand and, and, you know, give our consumers some faith that we actually do manage this stuff pretty well.
Now, interestingly, the good thing for us is that I don't, it probably not as a direct result of Olympics, but our share price is done pretty well in the last 12 months. And we launched a product in the UK just last week called BT sport, which is which over which we'll deliver premier league soccer, bun's league soccer as well, and a bunch of other sports. And we're actually giving that away for free to our broadband customers. And now as a result of that, and it was last Thursday, we launched it. I also managed the, the authentication processes onto our bt.com Porwal.
And in the last week alone, we've seen a 30% increase in traffic on the bt.com Porwal as well. So all of that, you know, just adds to the fact that, you know, you need to build up that faith in your consumer base that you know what you're doing. So I think in terms of our overall strategy for improving the customer experience, well, you know, one is that we've gotta keep working on the brand and build that brand strength. Some things we did internally as well is that over the years, we've had mult multiple portals with multiple identity stores, multiple credentials for our customers.
We've consolidated those into, into a one, one ID for the, for access to BT services. And so we've, we've, we're also constantly working on securing the experience, but really in a seamless way for our consumers, for our consumers, we still want it to be a consistent experience, but we do want it to be low touch as far as security goes. And what we do is we do a lot of work in the background to make that happen. So the CU the consumer, isn't actually aware of a lot of the, the security checking and validating that we do.
So as a, as a customer, you know, we do ID verification checks when people register with us for the first time. And that actually does prevent a lot of fraud at the account setup time. We have our own product called UU, which we use for that. We use adaptive authentication techniques, such as device profiling, IP address, and geolocation profiling. And we do all that again in the background in certain ways, we are lucky because most of our customers, we actually provide broadband service to, we can track the end point of that service because we provide it as well ourselves.
And that gives us another level of assurance that the customer is who they claim to be. So, as I say, all of that is actually invisible to the consumer. So they continued to process their transactions in a normal way. But in the background, we are actually doing a lot of additional checking.
And I say, especially over the last 12 to 18 months, we've done a lot of this, but we're also interested in innovation. You'll have heard a lot over the last few days about the next generation of identity and, and where that's going.
So we do, we spend a lot of time innovating and thinking about, you know, where we're gonna be in three to five years in this space, I previously mentioned the identity assurance framework at the UK government are now mandating in the UK. They had an initial round of procurement for that service. And the companies that were chosen are actually on this list today.
So, you know, my own interpretation of that, and we were involved in the procurement process as well. Is that the model isn't yet mature enough for some of the big names to be involved in this? I think it will. Over the next 12 to 18 months, there are some big names in there. Verizon business are in there. PayPal are in there and the post office in the UK. But outside of that, not many of the UK high street brands are involved in the process.
But the experience for the user is that, you know, when they go to a government website, they get redirected to, to one of these identity providers, their credentials are passed through a series of Federation hubs, and they access the, the government services as a result. So, you know, for the first time ever, that's, that's mandated. So that's bound to drive some change in the world. Does it solve the problem that I, that I showed in the first slide?
Well, maybe, but I don't think it will today. I think as this model matures, as I say over the next probably 18 months to two years, we could well see a sea change in, in how identity operates. So what part do we play in that?
Well, you know, we have a choice, I guess in, in BT, we can choose to be one of the identity providers that you saw on the, on the previous list. And that's something we are considering, but we actually like to take it a little bit further in that we like to think about, you know, could we add value based on our brand and back to the brand strength again, could we actually add value to, to consumers?
So would, would consumers, for example, outside of our existing customer base, want to use be BT as their identity provider? Well, we think probably yes, because of the trusted brand scenario again, but maybe there are ideas around how you actually make this, you know, we protect consumers in a way that isn't really done today.
It's, you know, in many ways it's a single sign on Porwal, I guess, to most of the services that we interact with, but we feel that we can certainly make that intelligent and, and we can probably add some, some additional value to it. And one idea that we're working on today is the idea of a community authentication service.
So we, you know, we all use tokens, whether that's a, you know, a proper hard wired token or a soft token, we have multiple versions of those because we bank, you know, we have multiple bank accounts and probably each one of those needs a hard wired token for the banks themselves. That's an overhead because they have to do it for regulatory purposes to provide strong authentication onto their services. So they don't actually gain anything from that apart from regulatory compliance.
So we are, we're toying with the idea of saying, well, there are some, some service providers who would like to benefit from the, the, from a strong authentication token, but don't actually have the financial wherewithal to create that infrastructure themselves. So if there was a way that for me as a consumer, that I could choose, which token I wanted to use, there is perhaps a way for us to broker that engagement across the bank, for example, who owns a token and another company who might wanna consume that token service. So the bank gets paid for, for the use of the token.
And, you know, the, the other consuming service provider gets the benefit at much lower cost. So we're, we're looking at this as an idea as well, but it's all part of how we think that we might add value in the context of an identity provider service. So why is this important? So it's important for us for a number of reasons.
You know, we need to ensure that our customers are, are happy logging into our services. We want more of them to do that. So there's certainly the trust side of things, but we are seeing the encroachment of social IDs. There's no question about that. And we do have some aspects of our service that are actually exposed and authenticated using Facebook, for example. But I think there is a journey which hands over your Facebook ID to a BT ID in order to secure some of the transactions around ordering or registering for a service, but we're certainly aware of it.
And it could be a Google ID, or it could be a PayPal ID. Any of those could be used ultimately to authenticate onto a BT service. So the issue really then is that, you know, know an important thing for us is that, does that mean that we are dis intermediated from our customer base? So are our customers ex seeing someone else's experience before they get before they're authenticated onto our portals? And what does that journey look like?
You know, if we pass them on to another identity provider than ourselves, what do they see on that journey? You know, perhaps one of our competitors could offer them, you know, a pricing structure, which would actually be much more competitive potentially to the one that we've, that we are providing them with today. There are many regulating compliance aspects of it, and I'm not sure of the answer to those at the minute. And all of these are question marks for a reason, because the other big question for us is that do we take our brand strength and dominate the UK identity provider market?
So people almost come to BT by default to log into any other service providers potentially. I think, I think in terms of the relationship we have with 10 million consumer customers in the UK today, then we're in a pretty strong position to wanna do that. But the reason why all of these have question marks is that we haven't actually formulated our strategy on this. Yet we see it as a, as a potentially a game changer in, in how BT operates. It's sort of at that serious level. So we are taking our time.
We're spend a lot of time considering what the implications would be and what the opportunities would be for us. And I, my view is that, you know, we'll make a decision on that in the next 12 to 18 months. Thank you. Thank you very much, Peter, for these open words, very interesting insight into strategy options for BT.
So my, I mean, we have to have had this topic in a number of discussions yesterday as well. So do you think that there is a market for authentication or identity provisioning only? So if you don't have a service, so, I mean, if you have 10 million customers, these obviously are definitely candidates for using that identity also in other service context, but how about the others? So would you like to approach them with an identity service only separate from your other offerings?
Well, we could do, it's something we've talked about. And as I say, I think we, the, you know, the potential advantage of that would be that our brand's strength. So if you have to use an identity provider and that's the, you know, that's the key point is you have to choose someone to be your identity provider and it doesn't have to be one identity provider. You're gonna have multiple identity providers, but you have to, to choose one.
So I would say that, you know, our play on that would be the fact that we have that brand strength and people could welcome to us just for an identity provider service. So yeah, I could definitely see up in an option And in the UK, if I remember right, you don't have national ID cards, right? So this is No, it's, it's a bit of a source subject, national ID cards where I think one of the, one of the policy decisions that I think brought down our last government. So our current government have no ambition at all, at least openly around the creation of a national ID card.
But however, you know, they, because of the privacy aspect, etcetera of that. But I think the, there is benefit in, in the concept. I think the is the, the way that the UK government have chosen to do that is not to do it centerly as a government initiative, but to actually divest that to the public sector. So effectively it is almost an ID scheme, but provided by multiple service providers in the public sector, as opposed to in the, in the government sector. Is that going to be replaced by these federated identity services using, say for example, PayPal accounts?
Well, I mean, that's, that's the, the perspective. So the view is that that if you want to log onto a government service and, you know, transact for whichever service it is, you would actually go via PayPal or the post office or someone else. So effectively the government has divested its responsibilities in terms of authentication to someone else. They don't have to manage that overhead.
So they, but the question for the, the, for the, for us in industry at the minute is, is there money in it and how much risk is there in it? Because obviously, you know, we, we wouldn't do it if it wasn't commercially viable for Us.
Yeah, sure. Yeah. Or strategically the right Fit.
My, my, my idea was obviously yes, for, for, for governmental services, that makes sense. Right. Because the infrastructure is there, you don't have a national ID card.
So what, what, what could you use actually for, for providing secure authentication in that environment? That makes perfectly sense to me, but since you don't have a national ID card and other countries, like in Germany, for example, other services rely on the ID card authentication for subsequent delivery of any other credentials. Yeah. So you don't have that. So could it be that say you are able as a BT as to identify a new customer to be financially viable yeah. Through indirectly relying on his PayPal account?
Well, so we, you know, as part of our identity verification processes would be to actually troll some of your government records. So we actually do troll those records that are made available to us. And also some financial services records as well. So we combine them into an algorithm, which basically is a yes, no. Or maybe answer. Yeah. But in the context of a government identity assurance scheme, you know, they would set the boundaries for those yes. Nos and maybes, you know, in terms of the threshold.
But certainly, you know, we, it's something that could be done and, you know, it's proven that it can be done. I think what hasn't been proven yet are the commercial and the risk aspects of a net assurance. Yeah. There's still to be seen. So is this in this whole new federated step up authentication, different provider. Yeah. Yeah. World. This is still the risk picture is not yet clear enough. No.
And there, you know, there's a lot around, you know, whether who's liable. So are, is the identity provider liable for a fraudulent transaction? That's not clear to us at this point. Yeah. Still work to be done by just community. Thank you very much. Okay. Thank you.