Managing Password Insanity
Determining the best approach for your organization
© March 12, 2004 Novell Inc.2
Overview
• Business Context
• Business Challenges
• Password Policy
• Common Approaches to Password Management & Benefits
• Novell Nsure password management solutions
• Customer Success Stories
• ROI
• Why Novell?
Compelling Questions
• How many passwords does your typical user have to remember?
• How much time are your users losing by logging and re-logging into the applications they need to effectively do business with your organization?
• How much time and money are you spending each year to reset forgotten passwords?
• How can you be sure that your passwords aren’t vulnerable to attack?
• How many strategic IT opportunities have you missed because you are simply too busy handling password-related administration?
• How many of your users are writing down or sharing passwords because they have too many to remember?
Survey Question
What are your biggest concerns with regard to password management?
• Internal and external users have too many passwords to remember
• Lack of strong passwords
• Lack of a strong enterprise password policy
• Help desk is overburdened with password-related calls
• Our organization has to comply with regulations like HIPAA and Sarbanes-Oxley
Business Context
[Figure: Password Management in business context – employees, B2B partners and customers all authenticate to do business with your organization]
The Business Challenges
User Convenience: How do I reduce the number of passwords my users need to remember and use to log on to network systems?
Security: How do I eliminate the security risks of users writing down, sharing, or using weak or old passwords?
Cost Containment: How do I reduce the rising help desk costs caused by all the passwords my users have to remember?
Support Regulatory Compliance: How do I comply with regulations such as HIPAA, Sarbanes-Oxley (North America) or the Data Protection Act (UK)?
Building the Business Case Internally
Contact, and what challenges he or she has to address:

Chief Security Officer / Chief Information Security Officer
• Need to reduce or eliminate password-related security risks
• Need to ensure the appropriate level of security for specific systems or apps
• Need to enforce corporate security policy

Chief Information Officer / IT Director
• Need to reduce help desk costs
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley
• Need to reduce the number of passwords employees have to remember
• Need to allow remote or distributed users to work productively

Chief Finance Officer / VP of Finance / VP of Compliance
• Need to reduce costs overall
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley

VP of Customer Care
• Need to provide better service to customers

VP of Partner Relations
• Need to strengthen business relationships with existing partners and create new opportunities
Survey Question
Which part of your organization is driving the decision for a password management solution in your organization?
• Chief Financial Officer (CFO) / Chief Security Officer (CSO)
• Chief Information Officer (CIO) / Information Technology (IT)
• Business Units
• Customers
• Business Partners
Speak their Language
What you say…
“I have a way for users to change or reset their passwords through a Web browser using secure LDAP and SSL with synchronization across all connected back-end systems through XML data interchange.”
What they hear…
“I have a blah, blah, blah, blah Web blah, blah, blah LDAP and SSL blah, blah, blah, blah across all connected blah, blah, blah, blah.”
Put it in terms they’ll understand…
“I have a ‘one-stop shop’ that allows employees & customers a secure way to manage their passwords across the entire enterprise, allowing them to remain productive without needing to call the help desk.”
Comprehensive Password Management: From Policy Definition to Deployment
Setting Policy
What is a password policy? A set of rules—established at the executive level—that govern the use and protection of passwords on all systems across the enterprise. The password policy is typically set or defined as part of a company’s overarching security policy.
Key components of a password policy:
Standards—the compulsory requirements that must be met
Guidelines—the recommended practices when an exception to the standards is encountered
Procedures—the step-by-step instructions on how to implement the defined standards and guidelines
Example of Policy – Standards
Administrative Controls (enforcement by people)
• Passwords may not be written down or posted on sticky notes attached to a monitor
• Passwords may not be shared with other people
• Passwords cannot be an existing piece of personal identification (i.e., cannot use Social Security Number)
Technical Controls (enforcement by software)
• Password must conform to a minimum of 6 and maximum of 20 characters in length
• Password must contain at least one (1) numeric character
• Passwords must be unique
• Passwords must be changed every 30 days
• Passwords must be stored in an encrypted data repository
Managing Passwords
How does password management affect password policy?
What is password management? The ability to securely manage the number of passwords internal and external users have to use and remember in order to conduct business with an organization.
Password management should serve to strengthen and enforce the organization’s password policy and not work against it.
Enterprise password management vs. system-specific password management
System by system password management (some weak, some strong) has distinct deficiencies:
• Not readily scalable from an administration perspective
• Differences in password storage security
• Different systems have different levels of password security enforcement
• Users generally must manage a large number of passwords
This type of approach leads to severe inconsistencies in password administration and password policy enforcement.
Enterprise password management vs. system-specific password management
An enterprise password management approach allows enforcement of an organization’s password policy while also addressing business goals:
• Passwords can be stored more securely (redirection)
• Password policy enforcement can be extended to systems that might not have the built-in capability to enforce stronger passwords (synchronization)
• Users will only need to remember a reduced number of passwords across all systems (store-and-forward / synchronization)
• Integrated applications conform to the enterprise password policy providing enhanced security (hybrid)
Survey Question
In addressing password management for your organization, which capabilities are you looking for?
• Synchronization
• Self-service Password Reset
• Single Sign-on
• Password Redirection
• Advanced Authentication (i.e. Biometrics)
Common approaches
[Figure: Comprehensive Password Management – an LDAP authentication directory at the centre; legacy systems and enterprise business applications connected through client-based single sign-on, password synchronization, password redirection and self-service password reset; Web-based applications through Web single sign-on; business partner systems through federated authentication]
Password Synchronization
[Figure: the workstation user holds Username1 / Password on the network OS (NOS); App 1 (SAP), App 2 (Mainframe) and App 3 (Win32) each hold their own account (Username2, Username3, Username4) with the same password, reached through each system's native application API. Password changes are detected and distributed after being checked against the password policy.]
Password Synchronization – Advantages & Disadvantages
Advantages
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing password at time of failure)
• Generally no user workstation modification required to implement
Disadvantages
• User must login multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication
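The synchronization slide says changes are "checked against the password policy" before distribution, and the disadvantages list warns that passwords may get "dumbed down" to fit the weakest connected system. The following example, added here and not part of the original deck or any Novell product, encodes the technical controls from the "Example of Policy – Standards" slide as a central policy gate and shows which of the diagram's connected systems (NOS, SAP, Mainframe, Win32) could take a compliant password unchanged; the per-system length and character limits are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Enterprise standards from the deck's "Example of Policy – Standards" slide.
MIN_LEN, MAX_LEN = 6, 20
MAX_AGE_DAYS = 30


@dataclass
class Account:
    """Per-user state the policy gate needs (constructed for this example)."""
    history: list = field(default_factory=list)   # prior passwords (hash them in practice)
    last_changed: date = date(2004, 1, 1)


def policy_violations(candidate: str, account: Account) -> list:
    """Return the enterprise standards the candidate breaks (empty = compliant)."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append("length must be 6-20 characters")
    if not any(c.isdigit() for c in candidate):
        problems.append("must contain at least one numeric character")
    if candidate in account.history:
        problems.append("must be unique (not previously used)")
    return problems


def change_due(account: Account, today: date) -> bool:
    """True when the 30-day rotation standard requires a new password."""
    return today - account.last_changed >= timedelta(days=MAX_AGE_DAYS)


# Hypothetical limits of the connected systems in the synchronization diagram.
# The numbers are constructed for illustration, not taken from the deck.
SYSTEM_LIMITS = {
    "NOS":       {"max_len": 20, "allowed": None},
    "SAP":       {"max_len": 8,  "allowed": None},
    "Mainframe": {"max_len": 8,  "allowed": set("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")},
    "Win32":     {"max_len": 20, "allowed": None},
}


def synchronize(candidate: str, account: Account, today: date) -> dict:
    """Policy gate in front of the synchronizer: reject on any enterprise
    violation, otherwise record the change and report which systems can
    accept the password as-is. Systems missing from the result are where the
    'dumbed down' pressure comes from."""
    problems = policy_violations(candidate, account)
    if problems:
        return {"accepted": False, "problems": problems, "distributed_to": []}
    accepted_by = []
    for name, lim in SYSTEM_LIMITS.items():
        fits = len(candidate) <= lim["max_len"]
        if lim["allowed"] is not None:
            fits = fits and all(c.upper() in lim["allowed"] for c in candidate)
        if fits:
            accepted_by.append(name)
    account.history.append(candidate)
    account.last_changed = today
    return {"accepted": True, "problems": [], "distributed_to": accepted_by}


def effective_max_len() -> int:
    """Longest password the whole estate can honour: the enterprise maximum
    capped by the weakest connected system. Anything below 20 is the policy
    being dumbed down by synchronization."""
    return min(MAX_LEN, *(lim["max_len"] for lim in SYSTEM_LIMITS.values()))
```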
Self-Service Password Reset / Password Distribution
[Figure: a password self-serve directory distributes password changes one-way to App 1 (SAP), App 2 (Mainframe) and App 3 (Win32) through their native application APIs after checking them against the password policy; a challenge/response mechanism on the workstation supports self-service password reset]
Self-Service Password Reset – Advantages & Disadvantages
Advantages
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing password at time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided
Disadvantages
• Business process change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase help desk calls instead of reducing them
• User must login multiple times although password is consistent
Client-based Single Sign-on
[Figure: capture-and-replay software on the workstation logs the user on once (Username1 / Password1 against the network eDirectory) and replays the separate credentials (Username2 / Password2, Username3 / Password3, Username4 / Password4) for the back-end applications SAP, Mainframe and Win32, and non-integrated identities (UsernameA / PasswordA) for external systems, keeping the human logon process minimal]
Client-based SSO – Advantages & Disadvantages
Advantages
• Convenience
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization
Disadvantages
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems
Web SSO Architecture
[Figure: distributed users log on to an Internet portal interface with one username and password; the access management infrastructure, backed by a directory, holds the separate credentials (Username2 / Password2, Username3 / Password3, Username4 / Password4) for the back-end Web applications]
Federated Authentication Architecture
[Figure: as in the Web SSO architecture, distributed users log on to an Internet portal interface with one username and password; the access management infrastructure and directory additionally hold credentials (UsernameA / PasswordA) for 3rd party systems alongside those for the back-end Web applications]
Web SSO/ Federated Authentication – Advantages & Disadvantages
Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation
Password/LDAP Redirection
[Figure: the network OS, SAP, Mainframe and Win32 applications each redirect authentication over LDAP, through their native application APIs, to a central store of authentication credentials in the LDAP directory, so one username / password is used everywhere]
Password/LDAP Redirection – Advantages & Disadvantages
Advantages
• Password is stored more securely than most identity information stores
• User credential information for many disparate applications will reuse the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages
• Requires the end application to be LDAP aware
• User must login multiple times although password is consistent
• Raises issue of directory availability in the enterprise because the credential is no longer local to the application
Advantages and Disadvantages – summary by approach

Password Synchronization
Advantages
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing password at time of failure)
• Generally no user workstation modification required to implement
Disadvantages
• User must login multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication

Password Self-Service and Password Distribution
Advantages
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing password at time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided
Disadvantages
• Business process change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase help desk calls instead of reducing them
• User must login multiple times although password is consistent

Client-based Single Sign-on
Advantages
• Convenience
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization
Disadvantages
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems

Web Single Sign-on and Federated Authentication
Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation

Password Redirection
Advantages
• Password is stored more securely than most identity information stores
• User credential information for many disparate applications will reuse the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages
• Requires the end application to be LDAP aware
• User must login multiple times although password is consistent
• Raises issue of directory availability in the enterprise because the credential is no longer local to the application
Hybrid Solution
One Size Does Not Fit All
The best approach to the password management problem will most likely not rely on a single approach or architecture. To mitigate the disadvantages of one solution, use a complementary approach.
Take 2 or more! Mix and match!
To mitigate Password Synchronization’s disadvantage of multiple user logins, add the Client-based Single Sign-On approach to your enterprise password management strategy. Using the two together will also address Client-based Single Sign-On’s disadvantage of someone forgetting the “master” password.
Password Management Benefits
[Figure: password management for employees, B2B partners and customers doing business with you: increase security, reduce password-related administrative cost, improve user and help desk productivity, enhance end user’s experience]
Novell Nsure password management solutions
The Novell password management solution, one of the key Novell Nsure secure identity management solutions, enables secure password management for users inside and outside your organization.
The solutions:
• enhance the end user’s experience
• mitigate security risks
• reduce password-related administrative costs
• leverage your existing business processes, policies and infrastructure
Novell Nsure password management solutions combine our client-based single sign-on (SSO), Web SSO, self-service password reset and synchronization, federated authentication and professional services capabilities.
Novell Nsure password management solutions
Comprehensive Password Management – the Novell product behind each approach:
• Client-based Single Sign-on: Novell Nsure SecureLogin
• Password Synchronization: Novell Nsure Identity Manager
• Web Single Sign-on: Novell iChain
• Federated Authentication: Novell iChain
• Password Redirection: Novell eDirectory
• Self-Service Password Reset: Novell Nsure Identity Manager
Novell Nsure case study: RadioShack
Customer situation
• High employee turnover in retail business creates high costs to bring on new employees
• Paper-based open enrollment process
• 30,000 employees needed network accounts
Approach
• Create central repository for user information, based on PeopleSoft
• Provide secure Web access for 30,000 employees, based on identity
• Automate benefits election process
Business results
• Network access for employees with single ID and password
• Automated benefits election process without adding new staff
• Reduced HR administrative work by 85 percent
Novell Nsure case study: Standard Life
Customer situation
• Security issues with multiple passwords for 13,000 global employees
• Increasing password-related helpdesk calls
• Decreasing employee productivity
Approach
• Create single, centralized directory for user information
• Establish secure password management
• Track access to corporate systems
Business results
• Single ID and password for each employee
• Increased security
• Reduced helpdesk calls
• Improved employee productivity
ROI: Help Desk & Productivity Savings
Help Desk Savings
• Number of users: 10,000
• Average number of password-related calls per month: 450
• Average cost per password-related call to the help desk: $37.50
• Cost per month for password-related calls to the help desk: $16,875
• Cost per year for password-related calls to the help desk: $202,500
Productivity Savings
• Average number of password-related calls per month: 450
• Average duration of password-related call to the help desk: 25.2 minutes
• Hours wasted by employees per month: 189
• Hours wasted by employees per year: 2,268
Best-of-Breed Solutions
“After implementing and evaluating competitive solutions from Novell, Computer Associates and Courion, Network Computing/Secure Enterprise gave Novell the Editor's Choice award. The robustness and flexibility in its supported target systems, password and account management make this suite a perfect fit….”
– Network Computing, October 2003
Competitive Advantages of Novell Nsure password management solutions
Differentiators:
• breadth of the Novell password management offering
• built on a solid identity management foundation
• comprehensive and modular solutions
• leverages your existing business processes, policies and infrastructure
• poised to support your evolving business needs
Novell Secure Identity Management Solution Suite: Building Solutions on top of the Foundation
[Figure: layered suite diagram. Components shown: Directory Service; Event Policy; Identity Management (Meta-Directory, Federated Identity Integration, Password Synchronization, Role Based Admin, Delegated Admin, Workflow, Self Service); Access Management & Auditing (Single Sign-On, Web Access Control, Federated Authentication, Role Based Access Control, Secure Logging & Auditing, Notifications, Monitoring); Identity Solutions (Resource Management, Portals, Provisioning)]
To learn more…
• To learn more about Novell Nsure password management solutions, visit:
www.novell.com/passwordmanagement
Evaluation Survey
Based on what you’ve seen today, would you like a Novell representative to contact you to discuss the optimal password management solution for your organization?
Please have someone contact me
Please have someone contact me in three to six months
I’m undecided.