Password Management: Using Directories to Cut Costs, Improve Productivity and Reduce Risk
Guy Huntington, President, HVL
Derek Small, President, Nulli Secundus
The Issue
• Password management is both expensive and a key area of risk for any enterprise
• Lost-password handling can occupy as much as 20-50% of a help desk’s activities
• At a company we recently visited, 20 people were solely engaged in handling lost passwords
Managing Passwords Is Complicated
• Password policies may require regular changes every 3-4 months
• Passwords may not be reusable for a certain period of time
• Enforcement is needed to ensure passwords follow a required syntax
• Policies may require that the password never travel in the clear
Managing Passwords Is Expensive
• Many packages require yet another database of usernames and passwords, separate from the other stores of user information
• The help desk takes the brunt of placating frustrated users while enforcing password policies
• Synchronizing passwords between systems is expensive and often done manually
Passwords Are Potentially Risk Prone
• Frequent forced password changes lead many users to write them down beside their computer
• The syntax of the password may be prone to quick guessing by password cracking programs, malicious persons or co-workers
• Without single sign-on, systems may fall out of sync when passwords are updated, causing potential security lapses
Browsers Cache Username and Password
• The browser will supply the cached username and password to the authenticating system for the rest of the session
• This defeats efforts to time out the user and force a legitimate re-authentication
• It also increases the risk of masquerading attacks from an unattended computer
Password Storage Is a Potential Problem
• Password storage systems may be physically insecure and thus open to attack
• Password storage may not use encryption and thus be open to electronic attack even if physically secure
• Hashing keys may be protected by a management password that is itself easier to crack than the hash, reducing the effective strength of the hash
Password Transmission Is Also a Problem
• A password may be physically and electronically secure in storage but open to attack during transmission
• Man-in-the-middle attacks may read passwords sent in the clear
• It is getting more complicated with the proliferation of wireless devices requiring password-based authentication
Authentication & Trust
• Authentication is the key to our knowledge, transaction, network and information system doors
• While other authentication methods such as smartcards, certificates and biometrics are growing, passwords will remain the most common method of establishing the first stage of trust
Leveraging Your Infrastructure
You need to leverage infrastructure to create a modern password strategy which:
• Reduces risk
• Reduces costs
• Improves productivity
• Is easy to use
• Can scale across applications
Directories Are Critical
• Directories are optimized for fast reads, whereas databases are better suited to writes
• They are therefore excellent for handling front-end authentication, which requires many fast reads of usernames, passwords and other authentication data
Directories Are Critical
• Unlike databases, directories also have a standard for storing and accessing information: LDAP
• Therefore, you can point your many different systems at a common information store for fast reads and lookups, such as username and password
SSO and Directories
• The user community is frustrated by having too many passwords and usernames to remember
• Directories can act as an authentication hub for NOSs, ERPs, HRISs, data warehouses, portals and other legacy and back-office applications
Username Challenges
• Something as simple in concept as a username can create a great deal of grief in enterprise management
• It is complicated because people’s names change, different systems require different syntax, globalization requires international character sets, and there are so many different systems requiring usernames within the same corporation
Authoritative Username
• Who and what is the authoritative source for the username?
• With system integration an imperative, new ways of handling usernames are required
Directories and Username
• Directories can store a global ID for the person, which can be mapped to their common name and the format required by each system
• This is usually approved by HR or the HRIS and then applied to other systems via the directory
Passwords & Directories
• Initial passwords can be created by the NOS, placed in the directory and then modified by the user
• The password can be stored in encrypted form within the directory
Passwords & Directories
• Password management features, such as notification three days in advance of a password expiring, can be managed from a central directory
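As an added example (not from the presentation or either company's products), the policy checks from the "Managing Passwords Is Complicated" slide and the three-day expiry notice above, written as a small Python policy evaluator: the 90-day maximum age, the minimum length, the `pwdChangedTime` attribute name and the LDAP GeneralizedTime stamp format are assumptions made here.

```python
import math
import re
from datetime import datetime, timedelta, timezone

# Policy parameters: constructed for this example (the slides only say
# "every 3-4 months" and "three days in advance")
MAX_AGE_DAYS = 90        # force a change every 90 days
WARN_BEFORE_DAYS = 3     # notify the user three days before expiry
MIN_LENGTH = 8
CHAR_CLASSES = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


def meets_syntax(password: str) -> bool:
    """Syntax rule: minimum length plus one character from every class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(re.search(cls, password) for cls in CHAR_CLASSES)


def parse_generalized_time(value: str) -> datetime:
    """Parse an LDAP GeneralizedTime stamp such as 20240115093000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expiry_status(changed: str, now: str) -> tuple:
    """Return (state, days_left): state is 'ok', 'warn' (inside the
    notification window) or 'expired'; days_left goes negative once expired."""
    expires = parse_generalized_time(changed) + timedelta(days=MAX_AGE_DAYS)
    remaining = expires - parse_generalized_time(now)
    days_left = math.ceil(remaining / timedelta(days=1))
    if remaining <= timedelta(0):
        return ("expired", days_left)
    if remaining <= timedelta(days=WARN_BEFORE_DAYS):
        return ("warn", days_left)
    return ("ok", days_left)


def users_to_notify(entries: list, now: str) -> list:
    """uids whose password is inside the warning window at `now`.
    Entries are constructed {"uid": ..., "pwdChangedTime": ...} dicts."""
    return [e["uid"] for e in entries
            if expiry_status(e["pwdChangedTime"], now)[0] == "warn"]


if __name__ == "__main__":
    # Constructed sample: asmith changed on 1 Jan, bjones on 1 Mar 2024
    sample = [{"uid": "asmith", "pwdChangedTime": "20240101120000Z"},
              {"uid": "bjones", "pwdChangedTime": "20240301120000Z"}]
    print(users_to_notify(sample, "20240329120000Z"))   # ['asmith']
```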
Lost Passwords & Directories
• Users can be prompted to store challenge phrases in the directory in case they forget their password
• These too can be stored in encrypted form
Lost Passwords & Directories
• Using web-based form authentication, users can self-serve through the form and the directory when they forget a password
• This avoids calls to the help desk and therefore reduces costs while improving productivity
Password Security & Directories
• There are a number of tools to ensure passwords never travel in the clear
• Within the directory, hashing algorithms can be used to ensure security
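An added example (not from the presentation) of what "hashing within the directory" looks like in practice for both the password and the challenge phrase from the lost-password slides: the `{SSHA}` salted-SHA-1 encoding that LDAP directories commonly accept for `userPassword`, a verifier, a reuse check against earlier values, and an audit that flags entries still stored in the clear. The `challengeAnswer` attribute name, the salt length and the sample entries are constructed for this example.

```python
import base64
import hashlib
import hmac
import os
import re

SHA1_LEN = 20        # SHA-1 digest size in bytes
SALT_LEN = 8         # salt size chosen for this example
SCHEME_RE = re.compile(r"^\{([A-Za-z0-9-]+)\}")


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Encode as {SSHA}base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate against a stored {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # salt trails the digest
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def storage_scheme(value: str) -> str:
    """Scheme prefix of a userPassword value, or 'CLEAR' when there is none."""
    m = SCHEME_RE.match(value)
    return m.group(1).upper() if m else "CLEAR"


def reused_recently(password: str, history: list) -> bool:
    """Reuse check against earlier {SSHA} values; each carries its own salt."""
    return any(ssha_verify(password, h) for h in history)


def audit_clear_text(entries: list) -> list:
    """List 'dn/attribute' pairs whose password or challenge answer is unhashed."""
    weak = []
    for e in entries:
        for attr in ("userPassword", "challengeAnswer"):
            if attr in e and storage_scheme(e[attr]) in ("CLEAR", "CLEARTEXT"):
                weak.append(e["dn"] + "/" + attr)
    return weak


# Constructed sample entries: one hashed correctly, one stored in the clear
SAMPLE_ENTRIES = [
    {"dn": "uid=asmith,ou=people,dc=example,dc=com",
     "userPassword": ssha_hash("Tr0ub4dor&3"),
     "challengeAnswer": ssha_hash("first dog rex")},
    {"dn": "uid=bjones,ou=people,dc=example,dc=com",
     "userPassword": "hunter2",
     "challengeAnswer": "{CLEARTEXT}maiden name"},
]
```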
Password Security & Directories
• Between the user, the web server and the directory, you can secure transmission using Secure Sockets Layer (SSL), Transport Layer Security (TLS) or IPSec
Middleware
• Directories such as iPlanet provide a number of rich features, such as advance notification of password expiration
• Directories, however, are not by nature end-user friendly and intuitive
• You need middleware tools that give end users ease of use while integrating the directory with your multiple authentication and authorization methods, back-office and network systems
Oblix
• Oblix provides a rich set of end-user and management tools supporting basic, form, certificate and biometric authentication schemes
• It is easy to configure a lost-password management feature for the end user via the intranet or extranet
• Self-serve password management thus becomes a powerful cost- and time-saving possibility
Oblix
• Oblix lets the administrator determine who has view, modify and notify privileges for the password and username attributes
• You can thus integrate auditing and notification features for the help desk, the user’s manager, the HRIS, etc., whenever any change to the username or password occurs
• Oblix has API plugins for working with common NOSs such as NT/2000
Directories & HRISs
• Often the HRIS, such as PeopleSoft or SAP, will be the authoritative source for the username
• The username can be created within the HRIS, then populated into the directory and picked up from the directory by other application systems
• Providing a common, centralized password management system for NOSs and HRIS/ERPs is a big step towards single sign-on
The Result?
By carefully considering an LDAP directory solution for basic authentication, you can:
• Significantly reduce costs
• Improve productivity
• Implement a single sign-on solution for the major systems
• Provide a unified, central password management point
• Reduce risk
I’d Like to Learn More on How to Implement This…
Guy Huntington, HVL:
• guy@hvl.net
• www.hvl.net
• 604-921-6797
Derek Small, Nulli Secundus:
• derek@nulli.com
• www.nulli.com
• 403-270-0657