How Lack of Password Management Solutions Frustrates Users, Increases Administration Headaches and Adds to Help Desk Costs

Shared by: LTrunk3487
Posted: 9/5/2008 (9 pages)
OVERVIEW
Finding the right password for the right IT environment can be time-consuming, confusing, and a drag on a user’s workplace productivity, whether that user is an employee or an external partner, contractor, or customer. Recreating passwords when they expire is an even greater challenge. Worst of all is the combination of the two: finding and regularly recreating passwords on a multitude of applications all across the corporate network.

Think about your computing environment. Do you use centralized management tools to consolidate passwords for all your applications? If not, how many passwords are your users creating, storing, and using on a daily basis? Two? Ten? Dozens? Are your external users, such as partners, contractors, and customers, also suffering from password overload? As the number of passwords a user is required to maintain increases, so does the time required to manage and maintain them. That non-productive time is taken away from the time each user has to complete their daily work tasks.

Exacerbating this problem are the password policies typically put in place by an organization’s security organization. Highly complex passwords are often required, mandating nonsensical character strings that are difficult to memorize. Passwords must be changed on a regular basis, which means employees need to re-invent them every few months. On unrelated systems, those passwords expire on different days and at different times, so users must constantly be on the lookout for soon-to-expire passwords. Without a system in place to manage this nightmare, the count and complexity of application passwords will ultimately frustrate your users and increase your support costs. For large environments with many segregated applications and authentication mechanisms, the issues of un-automated password management can grow into a substantial productivity loss. That productivity loss directly impacts a business’s agility and ultimately its bottom line.

OVERVIEW
What Is Password Management and Why Should You Care?
The Cost of Doing Nothing
The Pain of Unmanaged Passwords
Password Bloat and Sticky Notes on the Monitor
Password Policies and Application Insecurity
User Dissatisfaction and “Wasted Time”
User Self-Service and Help Desk Overutilization
Passwords, Identity, and Compliance
Tools Exist to Assist with Password Management


What Is Password Management and Why Should You Care?
Passwords are a required component of any computing environment, but they needn’t be painful. Using the correct tools available today, the problems of password management can be reduced to barely a blip on the task list of all users, both internal and external. Password management tools are primarily responsible for taking much of this pain away from the user. They assist with the administration of a user’s passwords, primarily by creating a centralized store of credentials and profiles for the user. Within that centralized store, an individual can aggregate multiple passwords across multiple applications under a single “master” password. As Figure 1 shows, this master password is then used as the point of synchronization to the passwords on the other systems.

Figure 1: Password management tools provide a centralized store for passwords and enable synchronization between a master password and individual system passwords.

By creating this centralized credential store for users, their responsibilities for password management and maintenance can be limited to the single master password. Any further passwords required by that user are then handled by the toolset itself. This frees users from the pain—and the organization from the productivity loss—of the password nightmare.
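As an added illustration of the Figure 1 idea (example code, not from the paper or from CA’s product), a master-password credential store in Python: each per-system password is sealed under keys derived from the master password with scrypt, so the user remembers one secret and the store holds the rest. Because the standard library has no authenticated cipher, confidentiality and integrity here come from an HMAC-SHA256 counter-mode keystream plus an HMAC tag, a stand-in for AES-GCM, which a production tool should use; the system names and passwords are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def derive_keys(master: str, salt: bytes):
    # scrypt is memory-hard, which slows offline guessing of the master password.
    # One call yields 64 bytes: 32 for the keystream key, 32 for the MAC key.
    km = hashlib.scrypt(master.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for a real AEAD such as AES-GCM).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(enc_key: bytes, mac_key: bytes, system: str, password: str) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per record, so equal passwords do not collide
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    # Encrypt-then-MAC; binding the system name stops one record being swapped for another.
    tag = hmac.new(mac_key, system.encode() + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(enc_key: bytes, mac_key: bytes, system: str, blob: bytes) -> Optional[str]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, system.encode() + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong master password or a tampered record: reveal nothing
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

class CredentialStore:
    """All of a user's per-system passwords live under one master password."""
    def __init__(self):
        self.salt = secrets.token_bytes(16)  # per-store salt for the key derivation
        self.records = {}                    # system name -> sealed blob

    def store(self, master: str, system: str, password: str) -> None:
        enc_key, mac_key = derive_keys(master, self.salt)
        self.records[system] = seal(enc_key, mac_key, system, password)

    def fetch(self, master: str, system: str) -> Optional[str]:
        enc_key, mac_key = derive_keys(master, self.salt)
        return unseal(enc_key, mac_key, system, self.records[system])
```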


The Cost of Doing Nothing
The safety of an organization’s data requires vigilant security. Ensuring passwords are current and properly created is critical to the assurance of that security. When passwords are widespread and complicated for users to manage, a cost is incurred by the enterprise. By doing nothing to assist users with the management and maintenance of their credentials, the organization incurs an unnecessary set of liabilities that impact:
• User productivity. When users are required to maintain large numbers of individual usernames and passwords for computing resources, a level of overhead is added to each individual user. That overhead is paid in terms of lost productivity.
• Environment security. The more restrictive the password policy, the more difficult those passwords are to crack. At the same time, more complex passwords mean more difficult passwords to remember. When passwords are difficult to remember, insecure alternative storage methods are used, such as writing them down. This has the unintended tendency to reduce the overall security of the environment.
• Help Desk. Concurrently, when the management of passwords is challenging, an additional cost is placed on the Help Desk. That cost relates to the amount of time spent performing password management activities on behalf of the user. An opportunity cost is paid relating to other environment problems that could have been resolved by trained Help Desk personnel.

The Pain of Unmanaged Passwords
Considering the situation outlined earlier, it is easy to see the problems associated with unmanaged passwords. In an organization of any size, the pain of password management can be easily quantified by looking at the types of requests that are called into the Help Desk during any period of time. When a large number of Help Desk tickets relate to forgotten or otherwise mismanaged passwords, an easy conclusion can be drawn that users are having problems managing their credentials. Let’s take a look now at some of the issues associated with unmanaged passwords and how failing to implement centralized credential management tools can negatively impact an enterprise.


Password Bloat and Sticky Notes on the Monitor
How many usernames and passwords should a particular user be required to keep and manage? Ten? Two? Only one? Obviously, by requiring the management of fewer credentials, users gain efficiency. Reducing that number to a single password minimizes the overhead required for users to manage the identities associated with their network access. Logging into systems to perform their daily work becomes less painful when users needn’t try to remember which username and password is required for entry into each system.

There is another problem related to environment security: when users are required to manage large numbers of credentials, this invariably leads to those credentials being written down. Those notes are then stored in quasi-secured locations such as employee desks or sticky notes attached to monitors. Writing down credentials is doubly problematic because of the physical location where they are stored. When “sticky notes on the monitor” become the tool for user management of passwords, it violates the separation of identity and authorization we discussed earlier. This not only exposes the password to any individual who walks by; because it is common knowledge “who sits where”, it also gives away the user associated with that password.

Password Policies and Application Insecurity
The social changes that occur in environments with complex password management requirements can also unexpectedly lead to application insecurity. In an unwelcome application of the law of unintended consequences, overly burdensome password policies can sometimes lead to an overall reduction in environment security. Let’s look at an example of where this might take place. Users within a particular organization are required to make use of six separate systems for their daily tasking. These systems can be Web systems. They can be client/server systems with applications local to the desktop. They can even be mainframe systems. All of these are in addition to the standard Microsoft Active Directory (AD) password required to log into their workstation. Within this organization, in an attempt to increase security, the security organization requires users to change each password every 90 days. This means that each of those seven passwords must change every three months. Depending on when access to a system was assigned or when its password was last changed, any of those seven passwords can require a change at any point during every 90-day sliding window. Thus, during the 12 weeks that make up any particular sliding window, a password change can be required every week and a half. For administrators, that is part of the standard operating procedure. For non-technical employees, this can become a hardship. The problem grows even more challenging when well-meaning security organizations require different passwords for each system. This requirement is in addition to complex passwords that cannot resemble dictionary words, must include special characters, and must be sufficiently long. When profile-based management systems are not in place to assist employees with this level of detail, it is virtually assured that users will resort to their own—less secure—systems of management.


User Dissatisfaction and “Wasted Time”
From the perspective of the user, these extra steps necessary for accessing their applications and data are hurdles to “getting the job done” rather than true steps necessary for the preservation of data security. This decreases user satisfaction with the environment. It also reduces their satisfaction with IT, which users see as the group responsible for their added pain. The problem is that overall user satisfaction with the job done by IT relates directly to the amount of effort involved in performing activities that employees consider unrelated to their job. Thus, a critical component of any security policy implementation is finding the correct balance between systems security and relative transparency to the user.

Relating to our earlier example, the password policies laid down by corporate security can help with the overall security posture of the environment. But this works only when the user’s interface supports those policies in a way that minimizes the disturbance to the user. Password management tools enable this by providing a single location for the centralized management of all passwords. Users can manage the creation, storage, and update of individual system passwords through a single interface. In addition, that interface can be configured to automatically manage the regular update of passwords for the user. In situations in which high levels of password complexity are required, the interface can create highly secure passwords on behalf of the user. This reduces the overuse of common password workarounds that are easily cracked, such as substituting the number “1” for the letter “i” or the number “0” for the letter “o.” Passwords created within the utility are stored using strong encryption, preventing the password store itself from becoming a point of insecurity.

Integrating the secure storage of individual system passwords with an organization’s centralized directory further enhances the user’s experience. Users are already required to log in to the centralized directory—such as Microsoft AD or a Lightweight Directory Access Protocol (LDAP) directory for UNIX—in order to make use of any resources in the environment. Attaching individual system accesses to this password means that the client agent can log in automatically on the user’s behalf.
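To make concrete both the rotation arithmetic of the six-systems-plus-AD example and the policy-driven password generation described above, an added Python example (not the paper’s or CA’s code): it generates passwords against a policy modelled as at least 12 characters, all four character classes, and no dictionary word even after undoing the “1 for i” / “0 for o” substitutions, and it reports which of a user’s passwords fall due within the next two weeks under a 90-day maximum age. The word list, system names and dates are constructed.

```python
import secrets
import string
from datetime import date, timedelta

# Constructed sample word list; a real tool would load a full dictionary.
DICTIONARY = {"password", "welcome", "summer", "monitor", "company"}
# The substitutions the paper calls out ("1" for "i", "0" for "o") plus a few common ones.
LEET = str.maketrans({"1": "i", "!": "i", "0": "o", "3": "e", "@": "a", "$": "s"})
SPECIALS = "!@#$%^&*"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS)

def resembles_dictionary_word(pw: str) -> bool:
    # Undo the workaround substitutions first, so "Passw0rd!" is still caught.
    plain = pw.lower().translate(LEET)
    return any(word in plain for word in DICTIONARY)

def meets_policy(pw: str, min_len: int = 12) -> bool:
    return (len(pw) >= min_len
            and all(any(c in cls for c in pw) for cls in CLASSES)
            and not resembles_dictionary_word(pw))

def generate_password(length: int = 16) -> str:
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:  # rejection sampling: keep drawing until the policy is satisfied
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate

def due_within(last_changed: dict, today: date, warn_days: int = 14, max_age: int = 90):
    """(system, days_left) for passwords expiring within warn_days; negative = already expired."""
    due = []
    for system, changed in last_changed.items():
        days_left = (changed + timedelta(days=max_age) - today).days
        if days_left <= warn_days:
            due.append((system, days_left))
    return sorted(due, key=lambda item: item[1])

def mean_change_interval_days(n_systems: int, max_age: int = 90) -> float:
    # Seven independently expiring 90-day passwords: a change falls due roughly every 13 days.
    return max_age / n_systems
```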


User Self-Service and Help Desk Overutilization
In environments that do not centralize and aggregate their credential stores using these tools, the burden of changing forgotten passwords is unnecessarily placed on the Help Desk. Relating again to the earlier example, when numerous complex passwords are forced upon users, the likelihood of forgetting identity and credential information is high. Employees go on vacation. They may use certain passwords only a few times per year. Above all, users are human, which means they occasionally need assistance remembering credential information in these situations. When environments don’t use password management tools, a user’s only recourse is a call to the Help Desk. This can drive users to place the onus of responsibility on the Help Desk for managing rarely used password sets. Users who use resources only rarely can “give up” on the process altogether and leverage the Help Desk for password management. With password management requests consuming a high share of overall Help Desk calls in unmanaged environments, additional staffing must be reserved for what could be an unnecessary activity in a fully managed environment.

Once an enterprise moves to password management tools to assist in this process, it also gains the benefits of user self-service. Many password management tools provide an interface through which users can restore or replace forgotten passwords on their own. These tools use personally identifiable information (PII), separate from the password but known only to the user, as a secondary authentication for password restorations. The incorporation of password self-service tools in an enterprise environment can virtually eliminate calls to the Help Desk for password issues.

Passwords, Identity, and Compliance
But with all of these, simple password management is still not enough. Managing users’ identities through centralized and policy-driven Identity and Access Management solutions is key to scaling password management to the needs of the enterprise. That enterprise requires utilities that provide holistic management of identities and passwords with an eye towards security and meeting regulatory compliance. Whatever the industry, virtually all companies fall under some form of compliance regulation that dictates how users should obtain access to an organization’s data. Those same regulations require controls to be in place that securely monitor that access for later reporting. Sarbanes-Oxley, HIPAA, PCI, Basel II, and other privacy protection and confidentiality regulations mandate that an auditable control be in place to manage how users access their data. Only through the incorporation of integrated tools that augment simple password management with the suite of Identity and Access Management functionality can those needs truly be resolved.


Tools Exist to Assist with Password Management
Managing an enterprise’s passwords is a necessary activity for the users of any computing environment. Creating the policy that ensures the safety and security of an enterprise’s data is the responsibility of IT and corporate security. But where the needs of security intersect with the needs of the user, tools are critical to ensuring a good user experience. CA Identity Manager can be that tool. CA Identity Manager is an enterprise-scalable solution that provides an easy-to-use interface for users to manage the creation, update, and assignment of passwords. With it, users can create credential stores associated with their computing profile. That credential store, secured on disk using best-in-class encryption, enables users to better manage their passwords without the need for “sticky notes on the monitor”. When credentials within that store are integrated with an enterprise’s directory services, the goal of single sign-on (SSO) for all applications within the environment can be attained. CA Identity Manager incorporates a suite of tools that connect applications to credential stores, while at the same time securely connecting those credential stores to users. CA Identity Manager enhances user productivity and reduces Help Desk burden by eliminating much of the pain associated with individual password management.



						