Managing Password Insanity
Determining the best approach for your organization
Overview
• Business Context
• Business Challenges
• Password Policy
• Common Approaches to Password Management & Benefits
• Novell Nsure password management solutions
• Customer Success Stories
• ROI
• Why Novell?
© March 12, 2004 Novell Inc.
Compelling Questions
• How many passwords does your typical user have to remember?
• How much time are your users losing by logging and re-logging into the applications they need to effectively do business with your organization?
• How much time and money are you spending each year to reset forgotten passwords?
• How can you be sure that your passwords aren’t vulnerable to attack?
• How many strategic IT opportunities have you missed because you are simply too busy handling password-related administration?
• How many of your users are writing down or sharing passwords because they have too many to remember?
Survey Question
What are your biggest concerns with regard to password management?
• Internal and external users have too many passwords to remember
• Lack of strong passwords
• Lack of a strong enterprise password policy
• Help desk is overburdened with password-related calls
• Our organization has to comply with regulations like HIPAA and Sarbanes-Oxley
Business Context
[Diagram: password management at the centre of your business, connecting employees, partners, B2B and customers]
The Business Challenges
User Convenience: How do I reduce the number of passwords my users need to remember and use to log on to network systems?
Security: How do I eliminate the security risks of users writing down, sharing, or using weak or old passwords?
Cost Containment: How do I reduce the rising help desk costs caused by all the passwords my users have to remember?
Support Regulatory Compliance: How do I comply with regulations such as HIPAA, Sarbanes-Oxley (North America) or the Data Protection Act (UK)?
Building the Business Case Internally
Contact, and the challenges he or she has to address:
Chief Security Officer / Chief Information Security Officer
• Need to reduce or eliminate password-related security risks
Chief Information Officer / IT Director
• Need to reduce help desk costs
• Need to ensure the appropriate level of security for specific systems or apps
• Need to enforce corporate security policy
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley
• Need to reduce the number of passwords employees have to remember
• Need to allow remote or distributed users to work productively
Chief Finance Officer / VP of Finance / VP of Compliance
• Need to reduce costs overall
• Need to put measures in place to comply with regulations such as Sarbanes-Oxley
VP of Customer Care
• Need to provide better service to customers
VP of Partner Relations
• Need to strengthen business relationships with existing partners and create new opportunities
Survey Question
Which part of your organization is driving the decision for a password management solution in your organization?
• Chief Financial Officer (CFO) / Chief Security Officer (CSO)
• Chief Information Officer (CIO) / Information Technology (IT)
• Business Units
• Customers
• Business Partners
Speak their Language
What you say…
“I have a way for users to change or reset their passwords through a Web browser using secure LDAP and SSL with synchronization across all connected back-end systems through XML data interchange.”
What they hear…
“I have a blah, blah, blah, blah Web blah, blah, blah LDAP and SSL blah, blah, blah, blah across all connected blah, blah, blah, blah.”
Put it in terms they’ll understand…
“I have a ‘one-stop shop’ that allows employees & customers a secure way to manage their passwords across the entire enterprise, allowing them to remain productive without needing to call the help desk.”
Comprehensive Password Management: From Policy Definition to Deployment
Setting Policy
What is a password policy?
A set of rules—established at the executive level—that govern the use and protection of passwords on all systems across the enterprise. The password policy is typically set or defined as part of a company’s overarching security policy.
Key components of a password policy:
• Standards—the compulsory requirements that must be met
• Guidelines—the recommended practices when an exception to the standards is encountered
• Procedures—the step-by-step instructions on how to implement the defined standards and guidelines
Example of Policy – Standards
Technical Controls (enforcement by software)
• Password must conform to a minimum of 6 and maximum of 20 characters in length
• Password must contain at least one (1) numeric character
• Passwords must be unique
• Passwords must be changed every 30 days
• Passwords must be stored in an encrypted data repository
Administrative Controls (enforcement by people)
• Passwords may not be written down or posted on sticky notes attached to a monitor
• Passwords may not be shared with other people
• Passwords cannot be an existing piece of personal identification (i.e., cannot use Social Security Number)
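The technical controls above are the ones software can enforce without a human in the loop. The following is an added example (not Novell code and not from the original deck) of what that enforcement looks like in a change-password routine: the length, numeric-character, uniqueness and 30-day rules are the slide's values; the history depth, the PBKDF2 work factor and the choice of a salted one-way hash as the "encrypted data repository" are assumptions made here.

```python
"""Software enforcement of the 'Technical Controls' standards.

Added illustration, not Novell code. The limits (6-20 characters, one digit,
uniqueness, 30-day change) come from the slide; HISTORY_DEPTH, PBKDF2_ROUNDS
and the use of a salted one-way hash for storage are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List

MIN_LEN, MAX_LEN = 6, 20        # slide: minimum of 6, maximum of 20 characters
MAX_AGE = timedelta(days=30)    # slide: changed every 30 days
HISTORY_DEPTH = 10              # assumption: old passwords that still count as "not unique"
PBKDF2_ROUNDS = 100_000         # assumption: work factor for the stored hash


@dataclass
class StoredCredential:
    """What the repository keeps: a salt and a one-way digest, never the password."""
    salt: bytes
    digest: bytes
    changed_at: datetime


@dataclass
class UserRecord:
    current: StoredCredential
    history: List[StoredCredential] = field(default_factory=list)


def hash_password(password: str, now: datetime) -> StoredCredential:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return StoredCredential(salt, digest, now)


def matches(cred: StoredCredential, password: str) -> bool:
    """Constant-time comparison of a candidate against one stored credential."""
    cand = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), cred.salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(cand, cred.digest)


def composition_problems(password: str) -> List[str]:
    """The two composition rules that can be checked without any history."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be between {MIN_LEN} and {MAX_LEN} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("must contain at least one numeric character")
    return problems


def change_password(user: UserRecord, new_password: str, now: datetime) -> List[str]:
    """Apply the policy; return the violations (an empty list means the change was made)."""
    problems = composition_problems(new_password)
    # Uniqueness: the candidate must match neither the current password nor any kept in history.
    if any(matches(old, new_password) for old in [user.current, *user.history]):
        problems.append("must be unique (previously used password)")
    if problems:
        return problems
    user.history = [user.current, *user.history][:HISTORY_DEPTH]
    user.current = hash_password(new_password, now)
    return []


def is_expired(user: UserRecord, now: datetime) -> bool:
    """True once the 30-day maximum age has passed and the user must change the password."""
    return now - user.current.changed_at > MAX_AGE


def new_user(initial_password: str, now: datetime) -> UserRecord:
    """Provision a user; the initial password must itself satisfy the composition rules."""
    if composition_problems(initial_password):
        raise ValueError("initial password violates policy")
    return UserRecord(current=hash_password(initial_password, now))


if __name__ == "__main__":
    t0 = datetime(2004, 3, 12)                          # constructed date
    user = new_user("spring04", t0)                     # constructed sample password
    print(change_password(user, "abc", t0))             # length and numeric violations
    print(change_password(user, "spring04", t0))        # reuse rejected
    print(change_password(user, "summer04", t0))        # [] -> accepted
    print(is_expired(user, t0 + timedelta(days=31)))    # True
```

The administrative controls on the same slide (no sticky notes, no sharing, no personal identifiers) deliberately have no counterpart here: a system cannot see a sticky note, which is exactly why the deck labels them "enforcement by people".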
Managing Passwords
What is password management?
The ability to securely manage the number of passwords internal and external users have to use and remember in order to conduct business with an organization.
How does password management affect password policy?
Password management should serve to strengthen and enforce the organization’s password policy and not work against it.
Enterprise password management vs. system-specific password management
System-by-system password management (some weak, some strong) has distinct deficiencies:
• Not readily scalable from an administration perspective
• Differences in password storage security
• Different systems have different levels of password security enforcement
• Users generally must manage a large number of passwords
This type of approach leads to severe inconsistencies in password administration and password policy enforcement.
Enterprise password management vs. system-specific password management
An enterprise password management approach allows enforcement of an organization’s password policy while also addressing business goals:
• Passwords can be stored more securely (redirection)
• Password policy enforcement can be extended to systems that might not have the built-in capability to enforce stronger passwords (synchronization)
• Users will only need to remember a reduced number of passwords across all systems (store-and-forward / synchronization)
• Integrated applications conform to the enterprise password policy, providing enhanced security (hybrid)
Survey Question
In addressing password management for your organization, which capabilities are you looking for?
• Synchronization
• Self-service Password Reset
• Single Sign-on
• Password Redirection
• Advanced Authentication (i.e. Biometrics)
Common approaches
[Diagram: Comprehensive Password Management assembled from Self-Service Password Reset, Password Synchronization, Web Single Sign-on, Client-based Single Sign-on, Password Redirection and Federated Authentication, covering enterprise business applications, Web-based applications, business partner systems, legacy systems and an LDAP authentication directory]
Password Synchronization
[Diagram: workstation and network OS connected to App 1 (SAP), App 2 (Mainframe) and App 3 (Win32); password changes are detected and distributed after being checked against the password policy]
Password Synchronization – Advantages & Disadvantages
Advantages
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing password at time of failure)
• Generally no user workstation modification required to implement
Disadvantages
• User must login multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication
Self-Service Password Reset / Password Distribution
[Diagram: workstation, directory and password self-service front end connected to App 1 (SAP), App 2 (Mainframe) and App 3 (Win32); password changes are detected and distributed one-way after being checked against the password policy]
Self-Service Password Reset – Advantages & Disadvantages
Advantages
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing password at time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided
Disadvantages
• Business process change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase help desk calls instead of reducing them
• User must login multiple times although password is consistent
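The two diagrams and their advantage/disadvantage lists describe one hub-and-spoke mechanism in two modes: bidirectional synchronization (a change detected on any connected system is checked against policy and fanned out) and one-way distribution behind self-service reset (only a change made at the directory is fanned out). The following added example (not Novell code, not from the deck) models both modes with a constructed topology of SAP, Mainframe and Win32 targets, and makes two of the listed caveats concrete: a target with a shorter password limit, which is where the "dumbed down" risk comes from, and a failure that affects only the one user changing a password at that moment.

```python
"""Bidirectional synchronization vs one-way distribution.

Added illustration, not Novell code. A directory acts as policy gate and hub for
three connected systems; the system names, the Mainframe's 8-character limit and
the sample user are constructed for the example.
"""
import re
from typing import Dict, List, Optional


class ConnectedSystem:
    """A back-end system with its own credential store and its own limits."""

    def __init__(self, name: str, max_len: Optional[int] = None, reachable: bool = True):
        self.name = name
        self.max_len = max_len          # e.g. a mainframe that accepts only 8 characters
        self.reachable = reachable
        self.passwords: Dict[str, str] = {}

    def set_password(self, user: str, password: str) -> None:
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        if self.max_len is not None and len(password) > self.max_len:
            # "Passwords may not be compatible across systems": the hub must either
            # reject the change or truncate it, and truncation is the "dumbed down" case.
            raise ValueError(f"{self.name} accepts at most {self.max_len} characters")
        self.passwords[user] = password


def policy_ok(password: str) -> bool:
    """Enterprise policy from the standards slide: 6-20 characters, at least one digit."""
    return 6 <= len(password) <= 20 and re.search(r"\d", password) is not None


class Directory:
    """Central hub. bidirectional=True is password synchronization: a change detected on
    any connected system is propagated everywhere. bidirectional=False is one-way
    distribution behind self-service reset: only changes made at the directory propagate."""

    def __init__(self, systems: List[ConnectedSystem], bidirectional: bool):
        self.systems = {s.name: s for s in systems}
        self.bidirectional = bidirectional
        self.passwords: Dict[str, str] = {}

    def password_changed(self, origin: str, user: str, password: str) -> Dict[str, str]:
        """Handle a detected change; return the outcome per target system."""
        if origin != "directory" and not self.bidirectional:
            # One-way mode: the change stays local to that system and the accounts
            # drift apart, hence "users must change passwords only in one place".
            return {origin: "local change only; not distributed"}
        if not policy_ok(password):
            return {"policy": "rejected; nothing distributed"}
        self.passwords[user] = password
        outcomes: Dict[str, str] = {}
        for name, system in self.systems.items():
            if name == origin:
                continue
            try:
                system.set_password(user, password)
                outcomes[name] = "ok"
            except (ConnectionError, ValueError) as exc:
                # The failure is confined to this user and this target; nobody else is affected.
                outcomes[name] = f"failed: {exc}"
        return outcomes


def build_demo(bidirectional: bool) -> Directory:
    """Constructed topology matching the diagrams."""
    return Directory(
        [ConnectedSystem("SAP"), ConnectedSystem("Mainframe", max_len=8), ConnectedSystem("Win32")],
        bidirectional=bidirectional,
    )


if __name__ == "__main__":
    sync = build_demo(bidirectional=True)
    print(sync.password_changed("SAP", "jdoe", "spring2004"))      # Mainframe fails (10 > 8), Win32 ok
    print(sync.password_changed("directory", "jdoe", "spring04"))  # all ok
    oneway = build_demo(bidirectional=False)
    print(oneway.password_changed("SAP", "jdoe", "spring04"))      # not distributed
    print(oneway.password_changed("directory", "jdoe", "weak"))    # rejected by policy
```

The design choice worth noting is that the hub refuses rather than truncates when a target cannot accept the password: silently shortening it would keep the accounts "in sync" on paper while weakening the credential on that one system, which is the disadvantage the slide warns about.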
Client-based Single Sign-on
[Diagram: capture & replay software on the workstation logs the user into back-end applications (App 1 SAP, App 2 Mainframe, App 3 Win32), the network directory (eDirectory) and external systems with non-integrated identities; minimal human logon process]
Client-based SSO – Advantages & Disadvantages
Advantages
• Convenience
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization
Disadvantages
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems
Web SSO Architecture
[Diagram: distributed users on the Internet reach back-end Web applications through a portal interface with one username & password, backed by an access management infrastructure and a directory]
Federated Authentication Architecture
[Diagram: as for Web SSO, with the access management infrastructure and directory also federating to 3rd party systems]
Web SSO / Federated Authentication – Advantages & Disadvantages
Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation
Password/LDAP Redirection
[Diagram: workstation and network OS; App 1 (SAP), App 2 (Mainframe) and App 3 (Win32) redirect authentication to a central store of authentication credentials in an LDAP directory]
Password/LDAP Redirection – Advantages & Disadvantages
Advantages
• Password is stored more securely than in most identity information stores
• User credential information for many disparate applications will reuse the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages
• Requires the end application to be LDAP aware
• User must login multiple times although password is consistent
• Raises the issue of directory availability in the enterprise because the credential is no longer local to the application
Advantages and Disadvantages
[Summary table: repeats, approach by approach, the advantage and disadvantage lists given on the preceding slides]
Hybrid Solution
One Size Does Not Fit All
The best approach to the password management problem will most likely not rely on a single approach or architecture. To mitigate the disadvantages of one solution, use a complementary approach.
Take 2 or more! Mix and match!
To mitigate Password Synchronization’s disadvantage of multiple user logins, add the Client-based Single Sign-On approach to your enterprise password management strategy. Using the two together will also address Client-based Single Sign-On’s disadvantage of someone forgetting the “master” password.
Password Management Benefits
[Diagram: password management at the centre of your business (employees, partners, B2B, customers) delivering four benefits: increase security; reduce password-related administrative cost; improve user and help desk productivity; enhance end user’s experience]
Novell Nsure password management solutions
The Novell password management solution, one of the key Novell Nsure secure identity management solutions, enables secure password management for users inside and outside your organization.
The solutions:
• enhance the end user’s experience
• mitigate security risks
• reduce password-related administrative costs
• leverage your existing business processes, policies and infrastructure
Novell Nsure password management solutions combine our client-based single sign-on (SSO), Web SSO, self-service password reset and synchronization, federated authentication and professional services capabilities.
Novell Nsure password management solutions
[Diagram: Comprehensive Password Management mapped to products: Novell Nsure Identity Manager for Self-Service Password Reset and Password Synchronization; Novell iChain for Web Single Sign-on and Federated Authentication; Novell Nsure SecureLogin for Client-based Single Sign-on; Novell eDirectory for Password Redirection]
Novell Nsure case study: RadioShack
1. Customer situation
• High employee turnover in retail business creates high costs to bring on new employees
• Paper-based open enrollment process
• 30,000 employees needed network accounts
2. Approach
• Create central repository for user information, based on PeopleSoft
• Provide secure Web access for 30,000 employees, based on identity
• Automate benefits election process
3. Business results
• Network access for employees with single ID and password
• Automated benefits election process without adding new staff
• Reduced HR administrative work by 85 percent
Novell Nsure case study: Standard Life
1. Customer situation
• Security issues with multiple passwords for 13,000 global employees
• Increasing password-related helpdesk calls
• Decreasing employee productivity
2. Approach
• Create single, centralized directory for user information
• Establish secure password management
• Track access to corporate systems
3. Business results
• Single ID and password for each employee
• Increased security
• Reduced helpdesk calls
• Improved employee productivity
ROI: Help Desk & Productivity Savings
Help Desk Savings
• Number of users: 10,000
• Average number of password-related calls per month: 450
• Average cost per password-related call to the help desk: $37.50
• Cost per month for password-related calls to the help desk: $16,875
• Cost per year for password-related calls to the help desk: $202,500
Productivity Savings
• Average duration of password-related call to the help desk: 25.2 minutes
• Average number of password-related calls per month: 450
• Hours wasted by employees per month: 189
• Hours wasted by employees per year: 2,268 hours
Best-of-Breed Solutions
“After implementing and evaluating competitive solutions from Novell, Computer Associates and Courion, Network Computing/Secure Enterprise gave Novell the Editor's Choice award. The robustness and flexibility in its supported target systems, password and account management make this suite a perfect fit…”
– Network Computing, October 2003
Competitive Advantages of Novell Nsure password management solutions
Differentiators:
• breadth of the Novell password management offering
• built on a solid identity management foundation
• comprehensive and modular solutions
• leverages your existing business processes, policies and infrastructure
• poised to support your evolving business needs
Novell Secure Identity Management Solution Suite
Building Solutions on top of the Foundation
[Diagram: identity solutions (Password Synchronization, Provisioning, Web Access Control, Access Management & Auditing, Role Based Access Control, Federated Authentication, Single Sign-On, Secure Logging & Auditing, Workflow, Monitoring, Self Service) built on identity management (Role Based Admin, Delegated Admin, Identity Integration, Federated Directory Service, Resource Management, Event Notifications, Portals, Policy, Meta-Directory)]
To learn more…
• To learn more about Novell Nsure password management solutions, visit: www.novell.com/passwordmanagement
Evaluation Survey
Based on what you’ve seen today, would you like a Novell representative to contact you to discuss the optimal password management solution for your organization?
• Please have someone contact me
• Please have someone contact me in three to six months
• I’m undecided.