
Password Management



Presentation Transcript


  1. Password Management: Using Directories to Cut Costs, Improve Productivity and Reduce Risk. Guy Huntington, President, HVL; Derek Small, President, Nulli Secundus

  2. The Issue • Password management is both expensive and a key area of risk for any enterprise • Handling lost passwords can occupy as much as 20-50% of a help desk’s activity • At a company we recently visited, 20 people were solely engaged in handling lost passwords

  3. Managing Passwords Is Complicated • Password policies may require a regular change every 3-4 months • A password may not be reused for a certain period of time (or a certain number of changes) • Syntax (composition) rules must be enforced at the moment a password is set, not merely published • Policies may require that the password never travel in the clear

  4. Managing Passwords Is Expensive • Many packages require yet another database of usernames and passwords, separate from the other stores of user information • The help desk takes the brunt of placating frustrated users while enforcing password policies • Synchronizing passwords between systems is expensive and is often done manually

  5. Passwords Are Potentially Risk Prone • Frequent forced changes lead many users to write passwords down beside their computer • Weak or predictable passwords are guessed quickly by cracking tools, malicious outsiders or co-workers • Without single sign-on, a password change is applied system by system, so an old password can linger on a system that was missed, leaving a window for misuse

  6. Browsers Cache Username and Password • With HTTP basic authentication the browser caches the username and password and resends them to the authenticating system on every request for the rest of the browser session • This defeats server-side timeouts: a user whose session has expired is silently re-authenticated by the browser instead of being forced to log in again • It also increases the risk of masquerading from an unattended computer, since anyone at the keyboard inherits the cached credentials until the browser is closed

  7. Password Storage Is a Potential Problem • Password stores may be physically insecure and thus open to attack • Password stores may hold passwords in the clear, or reversibly encrypted, and thus be open to electronic attack even when physically secure • Where stored values are encrypted or keyed, the key is often protected by a management password that is far easier to crack than the key itself, so the effective strength of the store drops to that of the management password

  8. Password Transmission Is Also a Problem • A password may be physically and electronically secure in storage yet exposed in transit • A password sent in the clear is read outright by anyone on the path, whether a passive eavesdropper or an active man in the middle; no deciphering is required • The problem is growing with the proliferation of wireless devices that rely on password-based authentication

  9. Authentication &amp; Trust • Authentication is the key to our knowledge, transaction, network and information-system doors • While other authentication methods such as smartcards, certificates and biometrics are growing, passwords will remain the most common way of establishing the first stage of trust

  10. Leveraging Your Infrastructure You need to leverage existing infrastructure to create a modern password strategy which: • Reduces risk • Reduces costs • Improves productivity • Is easy to use • Can scale across applications

  11. Directories Are Critical • Directories are optimized for fast reads, whereas relational databases are tuned for transactional writes • That makes directories well suited to front-end authentication, which is dominated by fast lookups of usernames, stored password hashes and other authentication attributes

  12. Directories Are Critical • Directories also expose a vendor-neutral standard for accessing the information they hold, LDAP, with a common schema for entries such as users and groups • Therefore you can point your many different systems at one common store for fast reads and lookups such as username and password

  13. SSO and Directories • The user community is frustrated by having too many usernames and passwords to remember • A directory can act as the authentication hub for NOSs, ERPs, HRISs, data warehouses, portals and other legacy and back-office applications

  14. Username Challenges • Something as simple in concept as a username can create a great deal of grief in enterprise management • It is complicated because people’s names change, different systems require different syntax and length limits, globalization brings international character sets, and there are many different systems requiring usernames within the same corporation

  15. Authoritative Username • Who and what is the authoritative source for the username? • With system integration being an imperative, new ways of handling username are required

  16. Directories and Username • The directory can store a global ID for the person, which is then mapped to the name and format each system requires • The global ID is usually approved by HR or the HRIS and then applied to the other systems via the directory
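As an added illustration of slides 14-16 (this is example code, not part of the presentation or of any product it mentions), the following Python derives per-system usernames from a single directory entry keyed by a global ID. The per-system rules (an NT-style 20-character logon name, a legacy 8-character Unix login, an e-mail local part) and the "first.last" / "flast" styles are assumptions chosen to show the problems the slides list: accented names, separators that some systems reject, length limits, and collisions between different people whose names shorten to the same string.

```python
import re
import unicodedata

# Assumed per-system username rules (illustrative, not from the presentation):
# maximum length, the characters to strip, and the naming style.
SYSTEM_RULES = {
    "nt":    {"max_len": 20, "strip": r"[^a-z0-9._-]", "style": "first.last"},  # NT/2000 logon name
    "unix":  {"max_len": 8,  "strip": r"[^a-z0-9]",    "style": "flast"},       # legacy 8-char login
    "email": {"max_len": 64, "strip": r"[^a-z0-9.-]",  "style": "first.last"},  # local part only
}


def ascii_fold(text: str) -> str:
    """Drop accents and other non-ASCII so 'José Müller' becomes 'Jose Muller'."""
    return unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode("ascii")


def base_name(given: str, family: str, style: str) -> str:
    given, family = ascii_fold(given).strip(), ascii_fold(family).strip()
    if style == "first.last":
        return f"{given}.{family}"
    if style == "flast":
        return f"{given[:1]}{family}"
    raise ValueError(f"unknown style {style!r}")


def make_username(given: str, family: str, system: str, taken: set) -> str:
    """Derive a username that satisfies one system's rules and is unique there."""
    rules = SYSTEM_RULES[system]
    name = re.sub(rules["strip"], "", base_name(given, family, rules["style"]).lower())
    name = name.strip("._-")
    if not name:
        # e.g. a name written entirely in a non-Latin script: needs a human decision
        raise ValueError("name is empty after normalization; assign manually")
    candidate = name[: rules["max_len"]]
    n = 1
    while candidate in taken:          # collision: append a counter, keeping the length limit
        n += 1
        suffix = str(n)
        candidate = name[: rules["max_len"] - len(suffix)] + suffix
    taken.add(candidate)
    return candidate


def provision(global_id: str, given: str, family: str, registry: dict) -> dict:
    """Build the directory entry: one global ID mapped to a username per system.

    `registry` maps system -> set of usernames already in use there. It is a
    constructed in-memory stand-in for querying the directory."""
    names = {system: make_username(given, family, system, registry.setdefault(system, set()))
             for system in SYSTEM_RULES}
    return {"globalId": global_id, "cn": f"{given} {family}", "usernames": names}


if __name__ == "__main__":
    registry = {}
    print(provision("1001", "José", "Müller-Smith", registry))
    print(provision("1002", "Jane", "Müllers", registry))   # unix login collides -> jmuller2
```

The second entry shows why the global ID, not the username, has to be the stable key: "Jane Müllers" and "José Müller-Smith" both shorten to the Unix login jmullers, so one of them gets a counter suffix, and a later name change would alter usernames again while the global ID stays put.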

  17. Passwords &amp; Directories • Initial passwords can be created by the NOS, placed in the directory and then changed by the user • The password should be held in the directory as a salted hash (for example the {SSHA} userPassword scheme) rather than in reversible, encrypted form, so that a copy of the directory does not yield the passwords themselves

  18. Passwords &amp; Directories • Password management features, such as notifying the user three days before a password expires, can be driven from a central directory that records when each password was last changed

  19. Lost Passwords &amp; Directories • Users can be prompted to store challenge phrases in the directory in case they forget their password • These too must be stored hashed, not in the clear, since a challenge answer is a password equivalent

  20. Lost Passwords &amp; Directories • Using web-based form authentication, users who forget a password can reset it themselves through the form, backed by the directory • Because the challenge answer then stands in for the password, reset attempts must be counted and locked out after a few failures • This avoids calls to the help desk and therefore reduces costs while improving productivity
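The self-service flow of slides 19-20, as an added example in Python (not code from the presentation or from any product named in it). It normalizes challenge answers before hashing them with PBKDF2, compares them in constant time, counts attempts and locks the entry after an assumed limit of five failures, and then sets a random temporary password with a must-change flag. The entry is a plain dictionary standing in for a directory record; the attribute names resetAttempts and pwdReset and the lockout threshold are assumptions, and PBKDF2 is used for the answers because they carry far less entropy than a password and need a slow hash.

```python
import base64
import hashlib
import hmac
import os
import secrets
import string
import unicodedata

PBKDF2_ITERATIONS = 100_000   # slow hash: challenge answers are easy to guess
MAX_ATTEMPTS = 5              # assumed lockout threshold, not from the presentation


def normalize_answer(answer: str) -> str:
    """Fold case, accents and whitespace so ' Main   STREET ' matches 'Main Street'."""
    folded = unicodedata.normalize("NFKD", answer).encode("ascii", "ignore").decode("ascii")
    return " ".join(folded.casefold().split())


def protect_answer(answer: str, salt: bytes = b"") -> str:
    """Store a challenge answer as salted PBKDF2-SHA256, never in the clear."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                             salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_answer(answer: str, stored: str) -> bool:
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


def temporary_password(length: int = 14) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def ssha(password: str) -> str:
    """{SSHA} userPassword value as LDAP directories store it: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def self_service_reset(entry: dict, answers: dict) -> tuple:
    """Web-form reset: every challenge must match; attempts are counted and capped."""
    if entry.get("locked"):
        return False, "locked: contact the help desk"
    entry["resetAttempts"] = entry.get("resetAttempts", 0) + 1
    # Evaluate every challenge (no short-circuit) so a failure does not reveal which one was wrong
    results = [verify_answer(answers.get(q, ""), stored) for q, stored in entry["challenges"].items()]
    if not all(results):
        if entry["resetAttempts"] >= MAX_ATTEMPTS:
            entry["locked"] = True     # from here on only the help desk can unlock
        return False, "challenge failed"
    temp = temporary_password()
    entry["userPassword"] = ssha(temp)
    entry["pwdReset"] = True           # user must change it at next login
    entry["resetAttempts"] = 0
    return True, temp                  # shown once to the user by the form handler


if __name__ == "__main__":
    # Constructed entry: two challenges enrolled by the user
    entry = {"challenges": {"street": protect_answer("Main Street"), "pet": protect_answer("Rex")}}
    print(self_service_reset(entry, {"street": "main street", "pet": "REX"}))
    print(self_service_reset(entry, {"street": "Main Road", "pet": "Rex"}))
```

The temporary password is returned to the form handler rather than e-mailed from here; how it is delivered, and who may unlock a locked entry, are the policy decisions slide 25 leaves to the administrator.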

  21. Password Security &amp; Directories • There are a number of tools to ensure passwords never travel in the clear • Within the directory, passwords are stored as salted hashes, so a stored value cannot be turned back into the password even if the directory data is copied
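Slides 3, 17, 18 and 21 describe the policy the directory enforces around a stored password: hashed storage, syntax rules, no reuse, a 90-day lifetime and a warning three days before expiry. The following Python ties those together as an added example; it is not code from the presentation or from iPlanet or any other product. The {SSHA} format (base64 of a SHA-1 digest of password plus salt, followed by the salt) is the scheme LDAP directories of this era actually use for userPassword, and an unsalted {SHA} value is shown beside it to make the difference visible. The history depth, the composition rules and the attribute names pwdHistory and pwdChangedTime (borrowed from the LDAP password-policy draft) are assumptions. SHA-1 is retained here only because that is what the directories in question store; a new design would use a deliberately slow scheme such as PBKDF2.

```python
import base64
import hashlib
import os
import re
import secrets
from datetime import datetime, timedelta, timezone

# Policy parameters: 90-day rotation and 3-day warning come from the slides;
# history depth and composition rules are assumptions for the example.
MAX_AGE = timedelta(days=90)
WARN_BEFORE = timedelta(days=3)
HISTORY_LEN = 5
MIN_LEN = 10
DIGEST_LEN = 20          # SHA-1 digest length, needed to split digest from salt
NOW = datetime(2001, 6, 1, tzinfo=timezone.utc)   # constructed "current time"


def ssha_hash(password: str, salt: bytes = b"") -> str:
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: the same password always yields the same value, so one
    precomputed table cracks every user who chose it."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def syntax_problems(password: str) -> list:
    """Composition rules checked when the password is set (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    for label, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"), ("digit", r"[0-9]")):
        if not re.search(pattern, password):
            problems.append(f"no {label} character")
    return problems


def is_reused(password: str, history: list) -> bool:
    """History holds {SSHA} values, so reuse is detected by verifying against each."""
    return any(ssha_verify(password, old) for old in history)


def days_ago(now: datetime, days: int) -> datetime:
    return now - timedelta(days=days)


def expiry_status(changed_at: datetime, now: datetime) -> str:
    age = now - changed_at
    if age >= MAX_AGE:
        return "expired"
    if age >= MAX_AGE - WARN_BEFORE:
        return "warn"            # notify the user: expires within 3 days
    return "ok"


def change_password(entry: dict, new_password: str, now: datetime) -> tuple:
    """Apply the policy to a directory entry held as a dict; returns (accepted, reasons)."""
    problems = syntax_problems(new_password)
    if problems:
        return False, problems
    history = [entry["userPassword"]] + entry.get("pwdHistory", [])
    if is_reused(new_password, history):
        return False, ["password was used recently"]
    entry["pwdHistory"] = history[:HISTORY_LEN]
    entry["userPassword"] = ssha_hash(new_password)
    entry["pwdChangedTime"] = now
    return True, []


if __name__ == "__main__":
    entry = {"userPassword": ssha_hash("OldPassw0rd"), "pwdHistory": [],
             "pwdChangedTime": days_ago(NOW, 88)}
    print(expiry_status(entry["pwdChangedTime"], NOW))      # warn
    print(change_password(entry, "OldPassw0rd", NOW))        # rejected: reused
    print(change_password(entry, "NewPassw0rd!", NOW))       # accepted
```

Two hashes of the same password differ because each carries its own salt, which is exactly why reuse has to be checked by verification rather than by comparing stored strings.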

  22. Password Security &amp; Directories • Between the user, the web server and the directory you can secure transmission with Secure Sockets Layer (SSL), Transport Layer Security (TLS) or IPsec; for the directory hop that means LDAP over SSL/TLS or StartTLS, with the server certificate verified by the client • SSL has since been deprecated in favour of TLS, so new deployments should allow TLS only

  23. Middleware • Directories such as iPlanet provide rich features for advance notification of password expiration and the like • Directories, however, are not by nature end-user friendly or intuitive • You need middleware that gives end users an easy interface while integrating the directory with your multiple authentication and authorization methods, back-office systems and network systems

  24. Oblix • Oblix provides a rich set of end-user and management tools supporting basic, form-based, certificate and biometric authentication schemes • It is easy to configure a lost-password feature for the end user via the intranet or extranet • Self-service password management thus becomes a powerful cost- and time-saving possibility

  25. Oblix • Oblix lets the administrator determine who has view, modify and notify privileges for the password and username attributes • You can thus integrate auditing and notification to the help desk, the user’s manager, the HRIS, etc., whenever a username or password changes • Oblix has API plug-ins for working with common NOSs such as NT/2000

  26. Directories &amp; HRISs • Often the HRIS, such as PeopleSoft or SAP, will be the authoritative source for the username • The username can be created within the HRIS, populated to the directory, and picked up by other application systems from the directory • Providing a common, centralized password management system for NOSs and HRIS/ERPs is a big step towards single sign-on

  27. The Result? By carefully considering an LDAP directory solution for basic authentication, you can: • Significantly reduce costs • Improve productivity • Implement a single sign-on solution for the major systems • Provide a unified, central password management point • Reduce risk

  28. I’d Like to Learn More on How to Implement This… Guy Huntington, HVL: • guy@hvl.net • www.hvl.net • 604-921-6797 Derek Small, Nulli Secundus • derek@nulli.com • www.nulli.com • 403-270-0657
