Identity management begins with the humble password

Before you can embark on a full-fledged identity management program, you'll need to automate password management. Fortunately, product choices abound.
What's the secret password? Answering that question costs many IT departments upwards of $200 per user annually, IDC says. That's because passwords are a paradox: Good passwords are not easily cracked, but also are hard to remember. Yet passwords remain the most popular form of authentication — used by barebones security and sophisticated identity-management plans alike. Add to that the proliferation of them — for network access, e-mail, Web and legacy applications — and you can see why users report about one-third of help desk calls concern passwords.

Nancy Tripp, who manages Sun Trust Bank's Solution Center employee help desk, knows all about that. About a year ago, she recorded the number of password-related calls to the help desk at between 27% and 35%, depending on the network environment. "This was the area where we had the largest opportunity to gain some efficiencies," says Tripp, who is vice president of Solution Services for the Atlanta bank.

To address the inefficiencies, Sun Trust last October installed Courion's PasswordCourier password-management software. From an intranet, employees now can reset their passwords for Windows NT, NetWare and IBM mainframe resource-access control facility systems. After a reset, the software synchronizes the password so that one grants access to all.

By March, employees were performing 37% of password resets via PasswordCourier for those systems, rather than calling the help desk, Tripp says. Encouraged, Tripp tested a module in the summer that supports self-service resets for Microsoft's Active Directory. Sun Trust is in the process of an enterprisewide rollout of Active Directory, which some branches used previously. This new module also will support a higher number of concurrent users. Tripp says once it's implemented, even more employees will perform their own resets.

Other Sun Trust IT units have taken notice. In the summer, the bank's Information Security Services department began negotiations with Courion and other vendors over a broader identity management project, Tripp says.
Sun Trust is not an isolated case. Although password-management products began storming the market only about a year ago, many are already stable and mature, with vendors offering a plethora of features sure to mesh with any company's network, security plan or help desk system. With list prices starting at $15 per user — and strong competition making vendors eager to negotiate — password management is a nearly foolproof way to reduce help desk expenses, network executives say.

"How many resets do you do? How long does it take? What's the value of your service … in an hourly rate [as a percentage of a help desk professional's typical] $40,000 per year salary? You know you're spending X number of dollars and hours of a day on password resets. There's also the intangible payback — what is the [public relations] of better service?" says Gary McGinnis, director of client services for Syracuse University in New York.

Three from three

Three functions make up the basis of password management:

- Self-service password reset, which lets users reset forgotten passwords by correctly answering "challenge questions" previously supplied — such as mother's maiden name. Similarly, most products support agent-assisted password resets in which the agent accesses the challenge questions if the user calls the help desk.
- Password synchronization, which allows use of a single password for multiple systems. When one password is reset, all are updated automatically.
- Password policy enforcement, which ensures new passwords follow not only operating system requirements (number of characters), but the network department's policies (such as restrictions on reusing the same password).

These functions can be found in three genres of enterprise-level software: point products, single sign-on tools and provisioning frameworks.
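As an added illustration, not code from any product named in the article, here is a minimal version of two of the functions described above: challenge-question self-service reset and policy enforcement (a length rule plus a ban on reusing recent passwords), with password history and challenge answers stored only as salted hashes. The MIN_LENGTH and HISTORY_DEPTH values are assumed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: the policy rules the article mentions (minimum length,
# no reuse of recent passwords) plus challenge-question self-service reset.
MIN_LENGTH = 8       # assumed operating-system style length rule
HISTORY_DEPTH = 5    # assumed departmental "no reuse" rule


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256; used for stored passwords and challenge answers."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000)


def normalise(answer: str) -> str:
    """Case- and whitespace-insensitive comparison for typed challenge answers."""
    return " ".join(answer.lower().split())


class PasswordRecord:
    def __init__(self) -> None:
        self.history = []      # (salt, hash) pairs, newest last; no plaintext kept
        self.challenges = {}   # question -> (salt, hash of normalised answer)

    def set_password(self, new_pw: str) -> str:
        """Apply the policy; return 'ok' or the reason the password was rejected."""
        if len(new_pw) < MIN_LENGTH:
            return f"too short (minimum {MIN_LENGTH})"
        # Re-hash the candidate under each stored salt to detect reuse.
        for salt, old_hash in self.history[-HISTORY_DEPTH:]:
            if hmac.compare_digest(hash_secret(new_pw, salt), old_hash):
                return f"reuses one of the last {HISTORY_DEPTH} passwords"
        salt = os.urandom(16)
        self.history.append((salt, hash_secret(new_pw, salt)))
        return "ok"

    def enrol_challenge(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self.challenges[question] = (salt, hash_secret(normalise(answer), salt))

    def self_service_reset(self, answers: dict, new_pw: str) -> str:
        """Every enrolled question must match before the new password is policy-checked.
        All answers are checked and one generic message is returned, so a wrong
        guess learns nothing about which question failed."""
        all_ok = True
        for question, (salt, expected) in self.challenges.items():
            given = normalise(answers.get(question, ""))
            all_ok &= hmac.compare_digest(hash_secret(given, salt), expected)
        if not self.challenges or not all_ok:
            return "challenge failed"
        return self.set_password(new_pw)
```

An account with no enrolled questions is refused a self-service reset rather than waved through, which is the failure mode to watch for when challenge enrolment is optional.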
Password-management point products offer the most direct pain relief for the least cost — most start at $15 per user, but that tag can drop to as low as $1 for large companies — and are the best choice for the majority. While many compare feature by feature, most have a niche. For instance, Courion's PasswordCourier works with Remedy's help desk software to generate audit log entries or trouble tickets when a reset occurs. PentaSafe Security Technologies' VigilEnt User Manager supports the company's base intrusion-detection system and other modules. M-Tech Mercury Information Technology's P-Synch includes a large number of prefabricated application interfaces; Symark Software's PowerPassword supports only Unix systems.

Single sign-on tools, such as Computer Associates' eTrust Single Sign-on and Protocom Development Systems' SecureLogin, offer much the same feature set, but don't just synchronize passwords, they log the user on to multiple back-end systems. List prices are higher than point products, at about $80 per user. Single sign-on is particularly useful when granting customers or partners access to multiple systems. "Single sign-on is [a matter] of user experience," says Jonathan Penn, an analyst for Giga Information Group. Imagine a bank asking a customer to enter a password to access a checking account, again for the savings account, again for another account, he says. "Customers get peeved."

In this vein are Web authorization tools, such as Oblix's NetPoint. These bundle password management and single sign-on for Web applications — costing $15 per user or less. A company could choose a point product for employee password management, and a Web authorization tool for e-commerce sites.

Provisioning overkill

The third category, provisioning frameworks, essentially combine a workflow engine with password-management and account-authorization functions. They automate the creation and deletion of entire sets of accounts any given user would require. Examples of such products include Business Layers' eProvision and Waveset Technologies' Lighthouse.

Provisioning is overkill for companies needing mostly password management. A provisioning product characteristically requires considerable custom application integration and business re-engineering, so it can cost about $1 million to implement. But provisioning might be appropriate for big password-management chores. For example, Syracuse University turned to Business Layers' eProvision software to handle the deluge of new student accounts — roughly 4,000 — it must create each semester. With provisioning, the IT department quickly can create the new accounts, customized to each student's course of study, while locking out thousands of exiting students or staff and temporarily suspending student accounts for reasons such as nonpayment, McGinnis says.

Companies developing full-bore provisioning schemes do not need point products, but those that start with basic password-management products easily can move to provisioning. All but the most narrowly focused point-product vendors offer add-ons for account-provisioning tasks: CA offers eTrust Admin; Courion, Account-Courier; and M-Tech, I.D. Synch. Rather than have account management for each user under every circumstance, these often perform a subset of full-on provisioning. For instance, I.D. Synch specializes in hire/move/fire account management. That limits the project scope and, therefore, the costs.

Even if a move to provisioning would mean scrapping an installed password-management system, the lower cost of point products — coupled with their fast, high return on investment — negates financial risk, Giga's Penn says. "If you are a midsized or large company, you have more and more reasons to look at 'identity management' and what provisioning offers," he says. "But, you could implement password management first and address your point of pain."