Get Access Case Study


Published in: Technology

  1. 2. What’s Today About?
     • What is egg?
     • The egg Internet architecture.
     • The egg security capability.
     • How getAccess delivers that for us.
     • Egg and getAccess today.
  2. 4. What Is Egg?
     • Egg is the UK's leading online financial services brand.
     • Egg is 80 percent owned by Prudential plc and was launched in October 1998.
     • Egg targets the requirements of three key demographic groups totalling about 30% of the UK population:
        • Young professionals,
        • Affluent elderly of retirement or near-retirement age,
        • Busy younger members of the work force.
  3. 5. What Is Egg?
     • The new direct venture initially offered savings accounts, residential mortgages and consumer loans at attractive rates.
     • Within 6 months of launch, egg had met its 5-year goal for savings deposits of £5 billion and had more than 500,000 customers.
     • Within 12 months, egg had £6.7 billion in savings deposits and more than 600,000 customers:
        • 30 percent of customers using online banking services.
        • 44 per cent shopping online through the egg portal.
  4. 10. Security in Four Parts.
     • Network security.
        • Well understood, many products available.
     • Privacy.
        • Well understood, well abstracted, provided by SSL.
     • Application security.
        • Well understood, relies on good development process.
     • Authentication.
        • Inconsistent standards, inconsistently applied.
  5. 11. Conventional Wisdom.
     • Depends on the client.
     • Depends on the service.
     • Permeates the whole architecture.
     • Included as a call to a security function.
  6. 15. What Are The Requirements?
     • Secure.
     • Flexible.
     • Auditable.
     • Open.
     • Financially viable.
     • Scalable.
     • Available.
     • Robust.
     • Performant.
     • Continuous.
  7. 16. Secure, As a Requirement.
     • Establishes an agreed level of trust in an identity.
     • Cannot be evaded, by users, by developers, by mistake.
     • Allows rapid repair of holes, when discovered.
  8. 17. Flexible, As a Requirement.
     • Protects different types of service.
     • Protects different types of access device.
     • Capable of different methods of authentication.
     • Extensible to cover new methods of authentication.
  9. 18. Auditable, As a Requirement.
     • Public companies get audited.
     • Audits drain resource that could be driving your business forward.
     • Audits should be quick, easy and cheap.
  10. 19. Open, As a Requirement.
     • Able to integrate with other components:
        • Presentation of screens, Vignette StoryServer.
           • Consistent management of screen elements across all screens.
           • Management of offers and other information on authentication screens.
        • BEA TopEnd and Oracle for authentication.
           • Use of existing customer security data for authentication.
           • Use of existing platforms keeps cost down.
  11. 20. Financially Viable.
     • Exponential cost models must be avoided.
     • Minimal impact on design, development and operation.
     • Reasonable installation and licensing costs.
     • Cost-effective ongoing administration.
  12. 22. What Are The Requirements?
     • Secure.
     • Flexible.
     • Auditable.
     • Open.
     • Financially viable.
     • Scalable.
     • Available.
     • Robust.
     • Performant.
     • Continuous.
  13. 26. What Are The Requirements?
     • Secure.
     • Flexible.
     • Auditable.
     • Open.
     • Financially viable.
     • Scalable.
     • Available.
     • Robust.
     • Performant.
     • Continuous.
  14. 27. Importantly, It Does It Cheaper.
     • The Gatekeeper Model saves money:
        • In Design.
        • In Build.
        • In Test.
        • In Delivery.
        • In Operation.
        • In Quality Review.
  15. 28. Importantly, It Does It Cheaper.
     • Abstracting authentication from the application code allows it to be tested once, regardless of the number of services.
     • “We did it once, now we’ve re-used it over 1,000 times across 18 products” Iain Hunneybell, Head of System Architecture, egg.
  16. 29. Importantly, It Does It Cheaper.
     • Audit changes from a full code review of all services, requiring developers or analysts with a detailed understanding of the possible loopholes or issues, to a simple check of a single list of those resources that are protected.
  17. 30. Importantly, It Does It Cheaper.
     • Removing the burden of authentication from developers frees up around 10% additional resource.
     • Eliminating the need for developers to understand authentication reduces the training required and the level of skill.
  18. 32. We Chose Entrust Because...
     • We liked their attitude.
     • The price was reasonable.
     • We liked the product.
     • They had a UK presence.
     • And...
  19. 33. We Chose Entrust Because...
     • We were confident they could deliver:
        • Security was a key component for egg card.
        • Egg was the first financial institution to launch a credit card with special features for internet-based e-commerce - and the acceptance rate for that card ranks first amongst all credit card introductions.
        • We now have over 1.3 million customers.
  20. 36. Multi-Channel
     • We now have getAccess protecting resources across 3 channels:
        • Web.
        • WAP.
        • iDTV.
     • getAccess protects services both at egg and at our partner organisations.
  21. 38. All in All...
     • We chose getAccess for its concept model and Entrust for their staff.
     • We’re impressed with:
        • The product.
        • The flexibility.
        • The scalability.
        • The staff.
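
The gatekeeper idea from slides 16, 28 and 29, as an added example that is not egg's or Entrust's code and does not model the getAccess product: every request passes one check driven by one policy list, unlisted paths are denied, and the audit is a read of that list. The path prefixes, the numeric authentication levels and all function names are assumptions made for illustration, and `auth_level` stands for whatever the gatekeeper's own session record says about the caller.

```python
import posixpath

# Constructed policy (assumed names): the single list an auditor reviews.
# Levels: 0 = public, 1 = password, 2 = password plus a second factor.
POLICY = {"/public/": 0, "/savings/": 1, "/card/": 1, "/card/transfer/": 2}

class Gatekeeper:
    def __init__(self, policy, services):
        self.policy = policy        # path prefix -> required auth level
        self.services = services    # path prefix -> handler with no auth code

    def required_level(self, path):
        matches = [p for p in self.policy if path.startswith(p)]
        # Longest prefix wins; an unlisted path returns None and is denied.
        return self.policy[max(matches, key=len)] if matches else None

    def handle(self, path, user=None, auth_level=0):
        # Collapse "../" first so a public prefix cannot front a protected path.
        path = posixpath.normpath(path) + ("/" if path.endswith("/") else "")
        need = self.required_level(path)
        if need is None:
            return 403, "not in policy"
        if auth_level < need:
            return 401, f"authenticate at level {need}"
        handlers = [p for p in self.services if path.startswith(p)]
        if not handlers:
            return 404, "no such service"
        return 200, self.services[max(handlers, key=len)](path, user or "anonymous")

    def audit(self):
        """Return (protected prefixes with levels, services missing from policy)."""
        protected = sorted((p, n) for p, n in self.policy.items() if n > 0)
        uncovered = sorted(s for s in self.services if self.required_level(s) is None)
        return protected, uncovered

def service(path, user):
    # Stand-in for application code: it never checks identity itself.
    return f"{user} -> {path}"

def build_demo():
    prefixes = ("/public/", "/savings/", "/card/", "/loans/")  # /loans/ unlisted
    return Gatekeeper(POLICY, {p: service for p in prefixes})
```

A service deployed without a policy entry (`/loans/` here) is unreachable rather than open, and `audit()` reports it, which is the "cannot be evaded ... by mistake" property expressed as default deny.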