Identity management begins with the humble password

Before you can embark on a full-fledged identity management program, you'll need to automate password management. Fortunately, product choices abound.


What's the secret password? Answering that question costs many IT departments upwards of $200 per user annually, IDC says. That's because passwords are a paradox: Good passwords are not easily cracked, but also are hard to remember. Yet passwords remain the most popular form of authentication — used by barebones security and sophisticated identity-management plans alike. Add to that the proliferation of them — for network access, e-mail, Web and legacy applications — and you can see why users report about one-third of help desk calls concern passwords.

Nancy Tripp, who manages Sun Trust Bank's Solution Center employee help desk, knows all about that. About a year ago, she recorded the number of password-related calls to the help desk at between 27% and 35%, depending on the network environment. "This was the area where we had the largest opportunity to gain some efficiencies," says Tripp, who is vice president of Solution Services for the Atlanta bank. 

To address the inefficiencies, Sun Trust last October installed Courion's PasswordCourier password-management software. From an intranet, employees now can reset their passwords for Windows NT, NetWare and IBM mainframe resource-access control facility systems. After a reset, the software synchronizes the password so that one grants access to all.

By March, employees were performing 37% of password resets via PasswordCourier for those systems, rather than calling the help desk, Tripp says.

Encouraged, Tripp tested a module in the summer that supports self-service resets for Microsoft's Active Directory. Sun Trust is in the process of an enterprisewide rollout of Active Directory, which some branches used previously. This new module also will support a higher number of concurrent users. Tripp says once it's implemented, even more employees will perform their own resets.

Other Sun Trust IT units have taken notice. In the summer, the bank's Information Security Services department began negotiations with Courion and other vendors over a broader identity management project, Tripp says.

At Syracuse University, password-provisioning software gets an A+ for easing the creation of thousands of new student accounts each semester, says Gary McGinnis, director of client services at the college.

Sun Trust is not an isolated case. Although password-management products began storming the market only about a year ago, many are already stable and mature, with vendors offering a plethora of features sure to mesh with any company's network, security plan or help desk system. With list prices starting at $15 per user — and strong competition making vendors eager to negotiate — password management is a nearly foolproof way to reduce help desk expenses, network executives say.

"How many resets do you do? How long does it take? What's the value of your service … in an hourly rate [as a percentage of a help desk professional's typical] $40,000 per year salary? You know you're spending X number of dollars and hours of a day on password resets. There's also the intangible payback — what is the [public relations] of better service?" says Gary McGinnis, director of client services for Syracuse University in New York.

Three from three

Three functions make up the basis of password management:

Self-service password reset, which lets users reset forgotten passwords by correctly answering "challenge questions" previously supplied — such as mother's maiden name. Similarly, most products support agent-assisted password resets in which the agent accesses the challenge questions if the user calls the help desk.

Password synchronization, which allows use of a single password for multiple systems. When one password is reset, all are updated automatically.

Password policy enforcement, which ensures new passwords satisfy not only the operating system's requirements (such as a minimum number of characters), but also the network department's own policies (such as restrictions on reusing a previous password).

These functions can be found in three genres of enterprise-level software: point products, single sign-on tools and provisioning frameworks.

Password-management vendors implement the same features in vastly different ways.
When shopping for password-management products, don’t stop at functionality. Many tools sport similar features, but vary widely in construction.
Ask if a product uses its own database, relies on an existing source of user information, such as a directory or database, or does both.
Ask how the product stores answers to password-reset challenge questions. Some use an encrypted database.
If the product encrypts answers, ask how. Some use hash algorithms that dice and scramble challenge-question answers for high security, but require answers to match stored data precisely. Others use key-based methods that allow approximate matching to make data easier to recover.
Ask which client interfaces are supported and how. All support browsers for password resets. Some also support Windows and Unix screens, interactive voice response and e-mail.
Ask if and how the product uses agent technology. Some only use agents; some don’t use agents at all; others support both. The software’s placement in your network and possibly its security needs will differ if using an agent vs. other methods, such as HTTP or custom-coded interfaces into applications.
Ask about current and planned standards support. Most support Lightweight Directory Access Protocol as a directory, but few offer any form of XML as an output option. This could become important for sharing data with other applications, particularly an extranet via Web services. Today, most vendors share data the old-fashioned way — via APIs — offering their own plus many prefabricated ones for specific, popular applications.
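The three functions listed above (self-service reset against challenge questions, synchronization across systems, policy enforcement) and the checklist question about how challenge answers are stored can be illustrated in one small piece of code. The following is an added example written for this page, not code from any vendor named here: the system names, the policy values (8-character minimum, last 5 passwords) and the in-memory stores are constructed assumptions. It takes the hash-based route the sidebar describes, and shows the common engineering answer to the "must match precisely" drawback: normalize the answer (case, accents, punctuation, whitespace) before hashing, so that "O'Brien" and "obrien" verify without storing anything recoverable.

```python
"""Toy password-management core (constructed example, not a product):
hashed challenge answers for self-service reset, policy enforcement with a
reuse history, and synchronization of one password to several back ends."""
import hashlib
import hmac
import os
import re
import unicodedata

MIN_LENGTH = 8       # assumed policy: minimum password length
HISTORY_DEPTH = 5    # assumed policy: may not reuse the last N passwords
PBKDF2_ROUNDS = 100_000


def normalize_answer(answer: str) -> str:
    """Fold case, accents, whitespace and punctuation so a hashed answer
    tolerates formatting differences while remaining a one-way hash."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return re.sub(r"[^a-z0-9]", "", folded)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the per-record salt defeats precomputed
    tables, the rounds make offline guessing of short answers slow."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordManager:
    def __init__(self, systems):
        self.systems = systems   # assumed back ends: name -> {user: password}
        self.challenges = {}     # user -> [(question, salt, answer_hash)]
        self.history = {}        # user -> [(salt, password_hash)]

    def enroll_challenges(self, user, qa_pairs):
        records = []
        for question, answer in qa_pairs:
            salt = os.urandom(16)
            records.append((question, salt, hash_secret(normalize_answer(answer), salt)))
        self.challenges[user] = records

    def verify_challenges(self, user, answers):
        records = self.challenges.get(user, [])
        if not records or len(answers) != len(records):
            return False
        ok = True
        for (_question, salt, stored), given in zip(records, answers):
            # Constant-time compare, and evaluate every answer so the
            # response time does not reveal which one was wrong.
            ok &= hmac.compare_digest(stored, hash_secret(normalize_answer(given), salt))
        return ok

    def check_policy(self, user, new_password):
        """Return the list of violated rules; an empty list means compliant."""
        violations = []
        if len(new_password) < MIN_LENGTH:
            violations.append(f"shorter than {MIN_LENGTH} characters")
        if not (re.search(r"[A-Za-z]", new_password) and re.search(r"\d", new_password)):
            violations.append("must mix letters and digits")
        for salt, stored in self.history.get(user, [])[-HISTORY_DEPTH:]:
            if hmac.compare_digest(stored, hash_secret(new_password, salt)):
                violations.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
                break
        return violations

    def self_service_reset(self, user, answers, new_password):
        """Verify challenges, enforce policy, then push one password everywhere."""
        if not self.verify_challenges(user, answers):
            return "challenge failed"
        violations = self.check_policy(user, new_password)
        if violations:
            return "policy: " + "; ".join(violations)
        salt = os.urandom(16)
        self.history.setdefault(user, []).append((salt, hash_secret(new_password, salt)))
        for store in self.systems.values():
            store[user] = new_password   # synchronization: same secret on every system
        return "ok"


def demo():
    """Constructed walk-through; returns the outcome of several reset attempts."""
    pm = PasswordManager({"nt": {}, "netware": {}, "mainframe": {}})
    pm.enroll_challenges("alice", [("mother's maiden name", "O'Brien"),
                                   ("first school", "Lincoln Elementary")])
    good = ["obrien", "lincoln elementary"]          # formatting differs, still matches
    results = {
        "wrong_answer": pm.self_service_reset("alice", ["Smith", "Lincoln Elementary"], "Winter2002x"),
        "short": pm.self_service_reset("alice", good, "abc1"),
        "first_ok": pm.self_service_reset("alice", good, "Winter2002x"),
        "reuse": pm.self_service_reset("alice", ["O'BRIEN", "LINCOLN ELEMENTARY"], "Winter2002x"),
    }
    results["synced"] = all(s["alice"] == "Winter2002x" for s in pm.systems.values())
    return results


if __name__ == "__main__":
    print(demo())
```

The reuse check works without ever storing old passwords in recoverable form: each history entry keeps its own salt, so the candidate is re-hashed per entry and compared in constant time. A reversible (key-based) store would make fuzzy matching easier, as the sidebar notes, but it also means a stolen database plus the key yields every user's answers, which is the trade-off to weigh when asking the vendor the question above.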

Password-management point products offer the most direct pain relief for the least cost — most start at $15 per user, but that tag can drop to as low as $1 for large companies — and are the best choice for the majority. While many of these products compare closely feature by feature, most have a niche. For instance, Courion's PasswordCourier works with Remedy's help desk software to generate audit log entries or trouble tickets when a reset occurs. PentaSafe Security Technologies' VigilEnt User Manager supports the company's base intrusion-detection system and other modules. M-Tech Mercury Information Technology's P-Synch includes a large number of prefabricated application interfaces; Symark Software's PowerPassword supports only Unix systems.

Single sign-on tools, such as Computer Associates' eTrust Single Sign-on and Protocom Development Systems' SecureLogin, offer much the same feature set, but don't just synchronize passwords, they log the user on to multiple back-end systems. List prices are higher than point products, at about $80 per user.

Single sign-on is particularly useful when granting customers or partners access to multiple systems.

"Single sign-on is [a matter] of user experience," says Jonathan Penn, an analyst for Giga Information Group. Imagine a bank asking a customer to enter a password to access a checking account, again for the savings account, again for another account, he says. "Customers get peeved."

In this vein are Web authorization tools, such as Oblix's NetPoint. These bundle password management and single sign-on for Web applications — costing $15 per user or less. A company could choose a point product for employee password management, and a Web authorization tool for e-commerce sites.

Provisioning overkill

The third category, provisioning frameworks, essentially combine a workflow engine with password-management and account-authorization functions. They automate the creation and deletion of entire sets of accounts any given user would require. Examples of such products include Business Layers' eProvision and Waveset Technologies' Lighthouse.

Provisioning is overkill for companies needing mostly password management. A provisioning product characteristically requires considerable custom application integration and business re-engineering, so it can cost about $1 million to implement.

But provisioning might be appropriate for big password-management chores. For example, Syracuse University turned to Business Layers' eProvision software to handle the deluge of new student accounts — roughly 4,000 — it must create each semester. With provisioning, the IT department quickly can create the new accounts, customized to each student's course of study, while locking out thousands of exiting students or staff and temporarily suspending student accounts for reasons such as nonpayment, McGinnis says.

Companies developing full-bore provisioning schemes do not need point products, but those that start with basic password-management products easily can move to provisioning. All but the most narrowly focused point-product vendors offer add-ons for account-provisioning tasks: CA offers eTrust Admin; Courion, Account-Courier; and M-Tech, I.D. Synch.

Rather than have account management for each user under every circumstance, these often perform a subset of full-on provisioning. For instance, I.D. Synch specializes in hire/move/fire account management. That limits the project scope and, therefore, the costs.

Even if a move to provisioning would mean scrapping an installed password-management system, the lower cost of point products — coupled with their fast, high return on investment — negates financial risk, Giga's Penn says.

"If you are a midsized or large company, you have more and more reasons to look at 'identity management' and what provisioning offers," he says. "But, you could implement password management first and address your point of pain."
