Page 1

Managing Password Insanity

Determining the best approach for your organization

Page 2

© March 12, 2004 Novell Inc.

Overview

• Business Context
• Business Challenges
• Password Policy
• Common Approaches to Password Management & Benefits
• Novell Nsure password management solutions
• Customer Success Stories
• ROI
• Why Novell?

Page 3

Compelling Questions

• How many passwords does your typical user have to remember?

• How much time are your users losing by logging and re-logging into the applications they need to effectively do business with your organization?

• How much time and money are you spending each year to reset forgotten passwords?

• How can you be sure that your passwords aren’t vulnerable to attack?

• How many strategic IT opportunities have you missed because you are simply too busy handling password-related administration?

• How many of your users are writing down or sharing passwords because they have too many to remember?

Page 4

Survey Question

What are your biggest concerns with regard to password management?

• Internal and external users have too many passwords to remember

• Lack of strong passwords

• Lack of a strong enterprise password policy

• Help desk is overburdened with password-related calls

• Our organization has to comply with regulations like HIPAA and Sarbanes-Oxley

Page 5

Business Context

[Diagram: password management sits between your business and its employees, B2B partners and customers.]

Page 6

The Business Challenges

User Convenience: How do I reduce the number of passwords my users need to remember and use to log on to network systems?

Security: How do I eliminate the security risks of users writing down, sharing, or using weak or old passwords?

Cost Containment: How do I reduce the rising help desk costs caused by all the passwords my users have to remember?

Support Regulatory Compliance: How do I comply with regulations such as HIPAA, Sarbanes-Oxley (North America) or the Data Protection Act (UK)?

Page 7

Building the Business Case Internally

Contact / What challenges he or she has to address:

Chief Security Officer, Chief Information Security Officer
• Need to reduce or eliminate password-related security risks
• Need to ensure the appropriate level of security for specific systems or apps
• Need to enforce corporate security policy

Chief Information Officer / IT Director
• Need to reduce help desk costs
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley
• Need to reduce the number of passwords employees have to remember
• Need to allow remote or distributed users to work productively

Chief Finance Officer, VP of Finance, VP of Compliance
• Need to reduce costs overall
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley

VP of Customer Care
• Need to provide better service to customers

VP of Partner Relations
• Need to strengthen business relationships with existing partners and create new opportunities

Page 8

Survey Question

Which part of your organization is driving the decision for a password management solution in your organization?

• Chief Financial Officer (CFO) / Chief Security Officer (CSO)
• Chief Information Officer (CIO) / Information Technology (IT)
• Business Units
• Customers
• Business Partners

Page 9

Speak their Language

What you say…

“I have a way for users to change or reset their passwords through a Web browser using secure LDAP and SSL with synchronization across all connected back-end systems through XML data interchange.”

What they hear…

“I have a blah, blah, blah, blah Web blah, blah, blah LDAP and SSL blah, blah, blah, blah across all connected blah, blah, blah, blah.”

Put it in terms they’ll understand…

“I have a ‘one-stop shop’ that allows employees & customers a secure way to manage their passwords across the entire enterprise, allowing them to remain productive without needing to call the help desk.”

Page 10

Comprehensive Password Management: From Policy Definition to Deployment

Page 11

Setting Policy

What is a password policy? A set of rules—established at the executive level—that govern the use and protection of passwords on all systems across the enterprise. The password policy is typically set or defined as part of a company’s overarching security policy.

Key components of a password policy:

Standards—the compulsory requirements that must be met

Guidelines—the recommended practices when an exception to the standards is encountered

Procedures—the step-by-step instructions on how to implement the defined standards and guidelines

Page 12

Example of Policy – Standards

Administrative Controls (enforcement by people)

• Passwords may not be written down or posted on sticky notes attached to a monitor
• Passwords may not be shared with other people
• Passwords cannot be an existing piece of personal identification (e.g., a Social Security Number)

Technical Controls (enforcement by software)

• Password must conform to a minimum of 6 and a maximum of 20 characters in length
• Password must contain at least one (1) numeric character
• Passwords must be unique
• Passwords must be changed every 30 days
• Passwords must be stored in an encrypted data repository
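The technical controls above, expressed as code. This is an added example and not part of the Novell deck: a Python checker that rejects candidates failing the 6–20 character, numeric-character and uniqueness standards, enforces the 30-day maximum age, and stores each password as a salted PBKDF2 hash rather than reversible ciphertext, which is what “stored in an encrypted data repository” should mean in practice, because verification only ever recomputes the hash and nothing needs to decrypt a password. The history depth of five, the iteration count, reading “unique” as “not among the user’s recent passwords”, and the personal_ids set standing in for the rule against using an SSN are all assumptions. The slide’s numbers are 2004-era: current NIST SP 800-63B guidance favors a longer minimum, a maximum of at least 64 characters, screening against known-breached passwords, and no forced periodic rotation unless compromise is suspected, so the constants sit in one place to be retuned.

```python
"""The example policy's technical controls enforced in code, with the
password stored as a salted one-way hash rather than reversible ciphertext."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional

# Values from the slide. Assumptions: "unique" means not among the user's
# last HISTORY_DEPTH passwords; the PBKDF2 iteration count is a present-day choice.
MIN_LENGTH, MAX_LENGTH = 6, 20
MAX_AGE = timedelta(days=30)
HISTORY_DEPTH = 5
PBKDF2_ITERATIONS = 200_000


@dataclass
class StoredPassword:
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class Account:
    username: str
    current: Optional[StoredPassword] = None
    history: List[StoredPassword] = field(default_factory=list)


def utc_date(year: int, month: int, day: int) -> datetime:
    """Fixed timestamps so the age check is reproducible."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _derive(password: str, salt: bytes) -> bytes:
    # Verification recomputes this; nothing ever needs to decrypt a password,
    # which is the property an "encrypted repository" should actually provide.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def _matches(password: str, stored: StoredPassword) -> bool:
    return hmac.compare_digest(_derive(password, stored.salt), stored.digest)


def policy_violations(account: Account, candidate: str,
                      personal_ids: FrozenSet[str] = frozenset()) -> List[str]:
    """Every standard the candidate breaks, so the user can fix them all at once."""
    violations = []
    if not MIN_LENGTH <= len(candidate) <= MAX_LENGTH:
        violations.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if not re.search(r"\d", candidate):
        violations.append("must contain at least one numeric character")
    # Administrative control from the slide (no SSN etc.) made checkable where the
    # identifiers are known to the system; personal_ids is an assumption.
    if candidate in personal_ids:
        violations.append("must not be a piece of personal identification")
    previous = ([account.current] if account.current else []) + account.history
    if any(_matches(candidate, old) for old in previous):
        violations.append(f"must differ from the last {HISTORY_DEPTH} passwords")
    return violations


def set_password(account: Account, candidate: str, now: Optional[datetime] = None,
                 personal_ids: FrozenSet[str] = frozenset()) -> None:
    """Reject on any violation; otherwise rotate the current hash into history."""
    violations = policy_violations(account, candidate, personal_ids)
    if violations:
        raise ValueError("; ".join(violations))
    if account.current is not None:
        account.history.insert(0, account.current)
        del account.history[HISTORY_DEPTH - 1:]   # current + history = last N
    salt = os.urandom(16)                          # fresh random salt per password
    account.current = StoredPassword(salt, _derive(candidate, salt),
                                     now or datetime.now(timezone.utc))


def password_expired(account: Account, now: Optional[datetime] = None) -> bool:
    """The 30-day control: force a change once the current password is too old."""
    if account.current is None:
        return True
    return (now or datetime.now(timezone.utc)) - account.current.set_at > MAX_AGE


def verify(account: Account, password: str) -> bool:
    return account.current is not None and _matches(password, account.current)
```

Returning the full list of violations rather than the first one matters for the help-desk numbers later in the deck: a user told only “too short” will call again when the next rule bites.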

Page 13

Managing Passwords

How does password management affect password policy?

What is password management? The ability to securely manage the number of passwords internal and external users have to use and remember in order to conduct business with an organization.

Password management should serve to strengthen and enforce the organization’s password policy and not work against it.

Page 14

Enterprise password management vs. system-specific password management

System-by-system password management (some systems weak, some strong) has distinct deficiencies:

• Not readily scalable from an administration perspective
• Differences in password storage security
• Different systems have different levels of password security enforcement
• Users generally must manage a large number of passwords

This type of approach leads to severe inconsistencies in password administration and password policy enforcement.

Page 15

Enterprise password management vs. system-specific password management

An enterprise password management approach allows enforcement of an organization’s password policy while also addressing business goals:

• Passwords can be stored more securely (redirection)
• Password policy enforcement can be extended to systems that might not have the built-in capability to enforce stronger passwords (synchronization)
• Users will only need to remember a reduced number of passwords across all systems (store-and-forward/synchronization)
• Integrated applications conform to the enterprise password policy, providing enhanced security (hybrid)

Page 16

Survey Question

In addressing password management for your organization, which capabilities are you looking for?

• Synchronization
• Self-service Password Reset
• Single Sign-on
• Password Redirection
• Advanced Authentication (e.g., biometrics)

Page 17

Common approaches

[Diagram: Comprehensive Password Management. Approaches shown: Client-based Single Sign-on, Password Synchronization and Self Service Password Reset (legacy systems and enterprise business applications), Web Single Sign-on (Web-based applications), Federated Authentication (business partner systems) and Password Redirection (LDAP authentication directory).]

Page 18

Password Synchronization

[Diagram: the user logs on from the workstation to the network OS (Username1 / Password NOS) and to App 1 – SAP (Username2 / Password), App 2 – Mainframe (Username3 / Password) and App 3 – Win32 (Username4 / Password). Each system is connected through its native application API. Password changes are detected and distributed after being checked against the password policy.]

Page 19

Password Synchronization – Advantages & Disadvantages

Advantages
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing a password at the time of failure)
• Generally no user workstation modification required to implement

Disadvantages
• User must log in multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication

Page 20

Self-Service Password Reset / Password Distribution

[Diagram: a Password Self-Serve service backed by the directory. The user’s accounts on App 1 – SAP (Username2 / Password), App 2 – Mainframe (Username3 / Password) and App 3 – Win32 (Username4 / Password) are reached through each system’s native application API. A challenge/response mechanism authenticates the user for self-service password reset; password changes are detected and distributed one-way after being checked against the password policy.]

Page 21

Self-Service Password Reset – Advantages & Disadvantages

Advantages
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing a password at the time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided

Disadvantages
• Business process change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase help desk calls instead of reducing them
• User must log in multiple times although the password is consistent
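The challenge/response gate and the one-way distribution from the two slides above, as an added Python example that is not part of the original deck. Enrolled answers are normalized (case, punctuation, whitespace) and stored salted and hashed, a reset needs two of three correct answers, and three failed rounds lock self-service until the help desk unlocks it; that lock is what keeps a guessable “mother’s maiden name” from becoming the weakest credential in the enterprise, and the normalization is what keeps legitimate users from generating the extra help-desk calls the slide warns about. The new temporary password is then pushed one-way to in-memory stand-ins for the SAP, mainframe and Win32 connectors; the mainframe stand-in accepts at most 8 characters and the distributor refuses rather than truncates, so the incompatibility surfaces per system instead of the password being silently “dumbed down”. The question set, thresholds, connector constraints and the Connector class are constructed for the example.

```python
"""Self-service password reset: a challenge/response gate, then one-way
distribution of the new password to each connected system."""
import hashlib
import hmac
import os
import re
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

REQUIRED_CORRECT = 2        # assumption: 2 of the enrolled answers must match
MAX_FAILED_ROUNDS = 3       # assumption: then lock until the help desk unlocks


def _normalize(answer: str) -> str:
    # "St. Mary's" and "st marys" are the same answer to a human; compare a
    # canonical form so legitimate users are not pushed back to the help desk.
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode("utf-8"), salt, 100_000)


@dataclass
class Enrollment:
    answers: Dict[str, Tuple[bytes, bytes]]     # question -> (salt, digest)
    failed_rounds: int = 0
    locked: bool = False


def enroll(question_answers: Dict[str, str]) -> Enrollment:
    """Answers are stored salted and hashed, like passwords: they are one."""
    stored = {}
    for question, answer in question_answers.items():
        salt = os.urandom(16)
        stored[question] = (salt, _hash(_normalize(answer), salt))
    return Enrollment(stored)


def verify_challenge(enrollment: Enrollment, responses: Dict[str, str]) -> bool:
    if enrollment.locked:
        return False
    correct = sum(
        hmac.compare_digest(_hash(_normalize(responses.get(q, "")), salt), digest)
        for q, (salt, digest) in enrollment.answers.items())
    if correct >= REQUIRED_CORRECT:
        enrollment.failed_rounds = 0
        return True
    enrollment.failed_rounds += 1
    if enrollment.failed_rounds >= MAX_FAILED_ROUNDS:
        enrollment.locked = True        # stops online guessing of the answers
    return False


def temporary_password(length: int = 12) -> str:
    """Random, and always satisfies the 'at least one numeric character' rule."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isdigit() for c in candidate) and any(c.isalpha() for c in candidate):
            return candidate


class Connector:
    """Constructed stand-in for one native application API (SAP, RACF, ...)."""

    def __init__(self, name: str, max_length: int = 64, allowed: Optional[Set[str]] = None):
        self.name, self.max_length, self.allowed = name, max_length, allowed
        self.passwords: Dict[str, str] = {}

    def set_password(self, username: str, password: str) -> None:
        # Refuse rather than truncate or strip characters: silently "dumbing
        # down" the password would leave this system weaker than the rest.
        if len(password) > self.max_length:
            raise ValueError(f"max {self.max_length} characters")
        if self.allowed is not None and not set(password) <= self.allowed:
            raise ValueError("unsupported characters")
        self.passwords[username] = password


def distribute(username: str, password: str, connectors: List[Connector]) -> Dict[str, str]:
    """One-way push from the directory. Per-system status keeps a failure
    visible to the help desk and confined to this one user."""
    results = {}
    for connector in connectors:
        try:
            connector.set_password(username, password)
            results[connector.name] = "ok"
        except ValueError as exc:
            results[connector.name] = f"failed: {exc}"
    return results


def self_service_reset(username: str, enrollment: Enrollment, responses: Dict[str, str],
                       connectors: List[Connector]) -> Tuple[Optional[str], Dict[str, str]]:
    """Returns (temporary password, per-connector results); (None, {}) if the
    challenge fails. The user changes the temporary password at next logon."""
    if not verify_challenge(enrollment, responses):
        return None, {}
    new_password = temporary_password()
    return new_password, distribute(username, new_password, connectors)
```

The per-connector result dictionary is the operational half of the slide’s “failures have a small impact” claim: a push that fails on one system is reported for that user and that system only, and nothing else is rolled back or retried blindly.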

Page 22

Client-based Single Sign-on

[Diagram: the user logs on once to the network – eDirectory (Username1 / Password1). Capture & replay software on the workstation, backed by the directory, supplies the separate credentials for the back-end applications App 1 – SAP (Username2 / Password2), App 2 – Mainframe (Username3 / Password3) and App 3 – Win32 (Username4 / Password4), and for external systems with non-integrated identities (UsernameA / PasswordA), giving a minimal human logon process.]

Page 23

Client-based SSO – Advantages & Disadvantages

Advantages
• Convenience
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization

Disadvantages
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems

Page 24

Web SSO Architecture

[Diagram: distributed users authenticate at an Internet portal interface with one username & password. The access management infrastructure, backed by a directory, supplies the credentials for the back-end Web applications (Username2 / Password2, Username3 / Password3, Username4 / Password4).]

Page 25

Federated Authentication Architecture

[Diagram: as in the Web SSO architecture, distributed users authenticate at an Internet portal interface with one username & password, and the access management infrastructure, backed by a directory, supplies Username2 / Password2, Username3 / Password3 and Username4 / Password4 to the back-end Web applications; the same portal logon also covers 3rd party systems (UsernameA / PasswordA).]

Page 26

Web SSO/ Federated Authentication – Advantages & Disadvantages

Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required

Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation

Page 27

Password/LDAP Redirection

[Diagram: the user logs on from the workstation with the same Username / Password to the network OS and to App 1 – SAP, App 2 – Mainframe and App 3 – Win32. Each system, through its native application API, verifies the credential over LDAP against the central store of authentication credentials in the LDAP directory instead of a store local to the application.]

Page 28

Password/LDAP Redirection – Advantages & Disadvantages

Advantages
• Password is stored more securely than in most identity information stores
• User credential information for many disparate applications reuses the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed

Disadvantages
• Requires the end application to be LDAP aware
• User must log in multiple times although the password is consistent
• Raises the issue of directory availability in the enterprise because the credential is no longer local to the application
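Redirection means the application stops keeping its own credential store and asks the directory to verify each logon, which for an LDAP-aware application is an LDAPv3 simple bind (RFC 4511). As an added example that is not part of the deck, the following Python builds that BindRequest with the standard library only, parses the BindResponse, and runs the exchange against a constructed in-memory stand-in for the directory; the DN, the password and the fake_directory function are invented for the example, and in a deployment the `send` callable would wrap a TLS socket to the directory on port 636. The practitioner caveat is in the code: a simple bind carries the password in cleartext inside the message, so redirecting every application’s logon to LDAP without LDAPS or StartTLS turns the central directory into a central place to sniff passwords. The availability disadvantage follows from the same picture: with no credential local to the application, a directory outage is a logon outage, which argues for directory replicas and sane timeouts rather than a local fallback copy of the password.

```python
"""LDAPv3 simple bind: the message an LDAP-aware application sends when it
redirects authentication to the central directory instead of a local store.
Encoding follows RFC 4511 (BER as used by LDAP); no third-party modules."""
import hmac
from typing import Callable, Tuple

SUCCESS, INVALID_CREDENTIALS = 0, 49          # LDAP resultCode values (RFC 4511)


def _ber_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(value)) + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Returns (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple } }."""
    if not 1 <= message_id <= 127:
        raise ValueError("example keeps messageID to a single BER byte")
    bind = (_tlv(0x02, b"\x03")                        # version INTEGER 3
            + _tlv(0x04, dn.encode("utf-8"))            # name LDAPDN
            + _tlv(0x80, password.encode("utf-8")))     # authentication: simple [0]
    # The password travels in the clear inside this message. Send it only over
    # LDAPS or after StartTLS, or redirection exposes every logon on the wire.
    return _tlv(0x30, _tlv(0x02, bytes([message_id])) + _tlv(0x60, bind))


def parse_bind_response(data: bytes) -> Tuple[int, int, str]:
    """Returns (messageID, resultCode, diagnosticMessage) from a BindResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(msg, 0)
    tag, op, _ = _read_tlv(msg, pos)
    if tag != 0x61:                                    # BindResponse [APPLICATION 1]
        raise ValueError("not a BindResponse")
    _, code, pos = _read_tlv(op, 0)                    # resultCode ENUMERATED
    _, _matched_dn, pos = _read_tlv(op, pos)           # matchedDN
    _, diag, _ = _read_tlv(op, pos)                    # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8")


def authenticate(dn: str, password: str, send: Callable[[bytes], bytes]) -> bool:
    """The redirected check: the application holds no stored credential and
    learns only the directory's verdict. `send` transmits one message and
    returns the reply; in production it wraps a TLS socket to port 636."""
    mid, code, _ = parse_bind_response(send(bind_request(1, dn, password)))
    return mid == 1 and code == SUCCESS


# Constructed stand-in for the directory so the exchange runs offline. A real
# directory compares against its own (hashed) credential store.
DIRECTORY = {"uid=jdoe,ou=people,o=example": b"Winter2004"}     # invented entry


def fake_directory(request: bytes) -> bytes:
    _, msg, _ = _read_tlv(request, 0)
    _, mid, pos = _read_tlv(msg, 0)
    _, bind, _ = _read_tlv(msg, pos)
    _, _version, pos = _read_tlv(bind, 0)
    _, dn, pos = _read_tlv(bind, pos)
    _, pw, _ = _read_tlv(bind, pos)
    stored = DIRECTORY.get(dn.decode("utf-8"))
    ok = stored is not None and hmac.compare_digest(stored, pw)
    code = SUCCESS if ok else INVALID_CREDENTIALS
    result = (_tlv(0x0A, bytes([code])) + _tlv(0x04, b"")
              + _tlv(0x04, b"" if ok else b"invalid credentials"))
    return _tlv(0x30, _tlv(0x02, mid) + _tlv(0x61, result))
```

Note what the application never sees: no hash, no stored credential, only a result code. That is the “stored more securely” advantage on the slide, and it is also why a compromised application in this model yields the passwords typed into it but not the directory’s credential store.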

Page 29

Advantages and Disadvantages (summary of the five approaches)

Password Synchronization
Advantages:
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing a password at the time of failure)
• Generally no user workstation modification required to implement
Disadvantages:
• User must log in multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication

Password Self-Service and Password Distribution
Advantages:
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing a password at the time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided
Disadvantages:
• Business process change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase help desk calls instead of reducing them
• User must log in multiple times although the password is consistent

Client-based Single Sign-on
Advantages:
• Convenience
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization
Disadvantages:
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems

Web Single Sign-on and Federated Authentication
Advantages:
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages:
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation

Password Redirection
Advantages:
• Password is stored more securely than in most identity information stores
• User credential information for many disparate applications reuses the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages:
• Requires the end application to be LDAP aware
• User must log in multiple times although the password is consistent
• Raises the issue of directory availability in the enterprise because the credential is no longer local to the application

Page 30

Hybrid Solution

One Size Does Not Fit All

The best approach to the password management problem will most likely not rely on a single approach or architecture. To mitigate the disadvantages of one solution, use a complementary approach.

Take 2 or more! Mix and match!

To mitigate Password Synchronization’s disadvantage of multiple user logins, add the Client-based Single Sign-On approach to your enterprise password management strategy. Using the two together will also address Client-based Single Sign-On’s disadvantage of someone forgetting the “master” password.

Page 31

Password Management Benefits

[Diagram: password management between your business and its employees, B2B partners and customers.]

• Increase security
• Reduce password-related administrative cost
• Improve user and help desk productivity
• Enhance end user’s experience

Page 32

Novell Nsure password management solutions

The Novell password management solution, one of the key Novell Nsure secure identity management solutions, enables secure password management for users inside and outside your organization.

The solutions:
• enhance the end user’s experience
• mitigate security risks
• reduce password-related administrative costs
• leverage your existing business processes, policies and infrastructure

Novell Nsure password management solutions combine our client-based single sign-on (SSO), Web SSO, self-service password reset and synchronization, federated authentication and professional services capabilities.

Page 33

Novell Nsure password management solutions

[Diagram: Comprehensive Password Management, with the Novell product behind each approach]

• Client-based Single Sign-on – Novell Nsure SecureLogin
• Password Synchronization – Novell Nsure Identity Manager
• Self-Service Password Reset – Novell Nsure Identity Manager
• Web Single Sign-on – Novell iChain
• Federated Authentication – Novell iChain
• Password Redirection – Novell eDirectory

Page 34

Novell Nsure case study: RadioShack

Customer situation
• High employee turnover in retail business creates high costs to bring on new employees
• Paper-based open enrollment process
• 30,000 employees needed network accounts

Approach
• Create central repository for user information, based on PeopleSoft
• Provide secure Web access for 30,000 employees, based on identity
• Automate benefits election process

Business results
• Network access for employees with single ID and password
• Automated benefits election process without adding new staff
• Reduced HR administrative work by 85 percent

Page 35

Novell Nsure case study: Standard Life

Customer situation
• Security issues with multiple passwords for 13,000 global employees
• Increasing password-related helpdesk calls
• Decreasing employee productivity

Approach
• Create single, centralized directory for user information
• Establish secure password management
• Track access to corporate systems

Business results
• Single ID and password for each employee
• Increased security
• Reduced helpdesk calls
• Improved employee productivity

Page 36

ROI: Help Desk & Productivity Savings

Assumptions
• Number of users: 10,000
• Average number of password-related calls per month: 450

Help Desk Savings
• Average cost per password-related call to the help desk: $37.50
• Cost per month for password-related calls to the help desk: $16,875
• Cost per year for password-related calls to the help desk: $202,500

Productivity Savings
• Average duration of password-related call to the help desk: 25.2 minutes
• Hours wasted by employees per month: 189
• Hours wasted by employees per year: 2,268

Page 37

Best-of-Breed Solutions

“After implementing and evaluating competitive solutions from Novell, Computer Associates and Courion, Network Computing/Secure Enterprise gave Novell the Editor's Choice award. The robustness and flexibility in its supported target systems, password and account management make this suite a perfect fit….”

– Network Computing, October 2003

Page 38

Competitive Advantages of Novell Nsure password management solutions

Differentiators:
• breadth of the Novell password management offering
• built on a solid identity management foundation
• comprehensive and modular solutions
• leverages your existing business processes, policies and infrastructure
• poised to support your evolving business needs

Page 39

Novell Secure Identity Management Solution Suite – Building Solutions on top of the Foundation

[Diagram of the suite’s building blocks: Identity Solutions (Resource Management, Single Sign-On, Web Access Control, Portals, Provisioning, Notifications, Monitoring, Access Management & Auditing, Secure Logging & Auditing) built on Identity Management (Federated Authentication, Role Based Access Control, Federated Identity Integration, Meta-Directory, Role Based Admin, Delegated Admin, Workflow, Self Service, Event, Policy, Directory Service, Password Synchronization).]

Page 40

To learn more…

• To learn more about Novell Nsure password management solutions, visit:

www.novell.com/passwordmanagement

Page 41

Evaluation Survey

Based on what you’ve seen today, would you like a Novell representative to contact you to discuss the optimal password management solution for your organization?

Please have someone contact me

Please have someone contact me in three to six months

I’m undecided.
