AT&T’s Autonomic Security: Sign Up Now or Later

Steve Krapes knows it’s just a matter of time.

All it will take is a system outage, a security breach or a little budget tightening, and he’ll have them right where he wants them—as customers. Then, every manager of an AT&T business will come to him.

Krapes is the technical director of AT&T’s Common Security Platform (CSP), a project of AT&T Labs that provides a secure way for employees to access corporate applications and information services over the Web, with a single user account and password. The platform also serves a small number of AT&T’s largest Internet access customers, including Coca-Cola.

The system was deployed on a large scale in December 2001. It now typically handles 70,000 users daily. As of April, 450 applications were part of the platform and that number is growing 10% monthly. “It affects every AT&T employee,” says Krapes.

But there are holdouts. Krapes waits for them to show up because AT&T hasn’t mandated the use of his system. Managers of each of AT&T’s units are responsible for their own information systems. Before the CSP project started, there were more than 30 separate user login systems in place across the company.

CSP began as a skunk-works project (with no guidance or mandate from management) at AT&T Labs. And it still is nowhere near being a self-sustaining venture. “There’s no one managing this thing from a business side,” says Krapes. “We approach this from a security—versus a dollar—standpoint. It’s really about cost-avoidance. AT&T can’t afford the damage to its image from a serious breach of security.”

But there are some direct benefits to the AT&T businesses. They pay a flat fee to the labs, instead of running their own authorization application. And they don’t have to provide support.

“The units don’t need their own help desks,” says Krapes. Instead, he says, “we have four people who are the help desk for 140,000 users, handling forgotten passwords.” Most people now get their passwords from the Web, anyway, as a result of the service.

Almost all the work is done without human intervention. It is, to use the buzzword du jour, “autonomic.”

Just as your autonomic nervous system keeps your heart beating without you having to think about it, the hardware and software of the security system govern themselves (See the technology primer, “Autonomic Networks,” p. 96).

Built on top of IBM’s Tivoli Access Manager, the system handles most routine administrative tasks by itself. It sets up (and shuts down) accounts for users, whenever an employee is added to or deleted from the company’s payroll system. It helps forgetful users retrieve lost passwords. A third of its servers get automatically rebooted every day so they can run self-maintenance scripts. And every piece of hardware has two backups.
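The payroll-driven account lifecycle described above, as an added illustration that is not CSP or Tivoli code: a reconciliation pass that diffs the payroll roster against the single sign-on account store to find joiners and leavers, with one safeguard a practitioner would want, a halt when a truncated feed would otherwise disable most of the company. The employee ids, the service-account exemption and the 20% threshold are constructed assumptions.

```python
"""Payroll-driven joiner/leaver reconciliation (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class ReconcileResult:
    to_create: set = field(default_factory=set)   # in payroll, no account yet
    to_disable: set = field(default_factory=set)  # account exists, gone from payroll
    halted: bool = False  # feed looked wrong; nothing should be changed


# Constructed sample data: ids from the payroll export vs. ids in the SSO store.
PAYROLL_FEED = {"e1001", "e1002", "e1003", "e1005", "e1006", "e1007"}
SSO_ACCOUNTS = {"e1001", "e1002", "e1003", "e1004", "e1006", "e1007", "svc-monitor"}
SERVICE_ACCOUNTS = {"svc-monitor"}  # not payroll-managed, never auto-disabled


def reconcile(payroll, sso, exempt, max_leaver_fraction=0.2):
    """Return the accounts to create and disable for one provisioning run.

    An empty or truncated payroll export would look like a mass departure and
    lock most users out, so deprovisioning is halted (and nothing returned for
    action) when more than max_leaver_fraction of managed accounts would go.
    Joiners are still reported: creating accounts is the low-risk direction.
    """
    result = ReconcileResult()
    managed = sso - exempt                  # accounts the payroll feed governs
    result.to_create = payroll - sso        # on payroll, no account yet
    leavers = managed - payroll             # account exists, no longer on payroll
    if managed and len(leavers) / len(managed) > max_leaver_fraction:
        result.halted = True                # operator confirmation required
        return result
    result.to_disable = leavers
    return result


if __name__ == "__main__":
    run = reconcile(PAYROLL_FEED, SSO_ACCOUNTS, SERVICE_ACCOUNTS)
    print("create:", sorted(run.to_create), "disable:", sorted(run.to_disable))
```

Disabling rather than deleting leaver accounts keeps audit trails intact and makes a false positive from a bad feed reversible.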

“We have an anal-retentive, ‘five nines’ mentality around here,” Krapes says, meaning the system should be unavailable only five minutes a year. “From a functionality standpoint, all my customers care about is availability.”

Getting here wasn’t easy. Tivoli’s developers helped Krapes’ team build pieces missing from its Policy Manager: automatic user provisioning, and much of the autonomic functionality of the system.

The team also worked on the stability of the underlying software. It took nearly a year and a half of coding and testing to get the system to the point where it was ready for wide use. “We wanted to test it to see if the system could run at maximum capacity (that is, millions of concurrent users) for a week,” he says.

And now it’s not just Krapes’ customers that will benefit; so will Tivoli’s. Tivoli is now rolling AT&T’s autonomics into its products.

And Krapes is happy about that. “We want to give them our code and get out of the software business,” he says.

That way, he can concentrate on hooking up his customers, one business at a time.