HVL 2001
Password Management
Using Directories to Cut Costs, Improve Productivity and
Reduce Risk
Guy Huntington, President, HVL
Derek Small, President, Nulli Secundus
The Issue
• Password management is both expensive and a key area of risk for any enterprise
• Lost password management can occupy as much as 20-50% of a help desk’s activities
– At a company we recently visited, 20 people were solely engaged in handling lost passwords
Managing Passwords Is Complicated
• Password policies may require regular changes every 3-4 months
• Passwords may not be reusable for a certain period of time, or for a certain number of changes
• Password syntax (minimum length, required character classes, no trivial patterns) must be enforced at the point of change
• Policies may require that the password never travel in the clear
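The syntax rule on the slide is the one that is easiest to get wrong, because a check that only counts character classes still accepts "Password1!". The following is an added example, not code from the HVL 2001 talk or from any product it names; the policy values, the usernames and the short word list are hypothetical, chosen only so that each check fires on at least one input.

```python
"""Password syntax enforcement of the kind the slide describes.

Added example, not code from the HVL 2001 talk or from any product it names.
The policy values, the usernames and the short word list are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed stand-in for the dictionary a cracking program tries first.
COMMON_WORDS = frozenset({"password", "welcome", "letmein", "qwerty", "summer", "winter"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    min_classes: int = 3       # of: lower, upper, digit, symbol
    max_repeat: int = 3        # longest run of one character allowed
    forbid_username: bool = True


def _char_classes(pw: str) -> int:
    """Count which of lower, upper, digit, symbol appear in pw."""
    return sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def _longest_run(s: str) -> int:
    """Length of the longest run of one repeated character ('aaab' -> 3)."""
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def _has_sequence(pw: str, length: int = 4) -> bool:
    """True if pw contains an ascending or descending run such as 'abcd' or '4321'."""
    lowered = pw.lower()
    for i in range(len(lowered) - length + 1):
        codes = [ord(c) for c in lowered[i:i + length]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, username: str, policy: PasswordPolicy = PasswordPolicy()) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems: list[str] = []
    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if _char_classes(pw) < policy.min_classes:
        problems.append(f"uses fewer than {policy.min_classes} character classes")
    if policy.forbid_username and username and username.lower() in pw.lower():
        problems.append("contains the username")
    if _longest_run(pw) > policy.max_repeat:
        problems.append(f"repeats one character more than {policy.max_repeat} times")
    if _has_sequence(pw):
        problems.append("contains a keyboard or alphabet sequence")
    # Strip non-letters from the ends so "Password1!" is still recognised as a word.
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()
    if core in COMMON_WORDS:
        problems.append("contains a dictionary word")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1!", "abcd1234!X", "Jsmith#2024", "Tr0ub4dor&3"):
        print(f"{candidate:15} {check_password(candidate, 'jsmith') or ['accepted']}")
```

Returning the whole list of violations rather than the first one is deliberate: the help-desk load the slides complain about comes largely from users who fix one problem, resubmit, and hit the next.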
Managing Passwords Is Expensive
• Many packages require yet another database of usernames and passwords, separate from the other stores of user information
• The help desk takes the brunt of placating frustrated users while enforcing password policies
• Synchronizing passwords between systems is expensive and often done manually
Passwords Are Potentially Risk Prone
• Frequent forced password changes lead many users to write them down beside their computer
• A weak password syntax may be quickly guessed by password cracking programs, malicious persons or co-workers
• Without single sign-on, systems fall out of sync as passwords are updated, so an old password may remain valid on some systems, a potential security lapse
Browsers Cache Username and Password
• With HTTP basic authentication the browser keeps the username and password and resends them to the authenticating system on every request for the rest of the session
• This defeats attempts to time the user out and force legitimate re-authentication, because the browser answers the next challenge silently
• It also increases the risk of masquerading attacks from an unattended computer
Password Storage Is a Potential Problem
• Password storage systems may be physically insecure and thus open to attack
• Password storage may not use hashing or encryption, and so be open to electronic attack even if physically secure
• Keys for keyed hashing or encryption may be protected only by a management password that is easier to crack than the hash itself, which reduces the effective strength of the scheme to that of the management password
Password Transmission Is Also a Problem
• A password may be physically and electronically secure in storage yet open to attack in transmission
• A password sent in the clear is read directly by anyone who can observe the connection, including a man in the middle
• It gets more complicated with the proliferation of wireless devices requiring password based authentication
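The two preceding slides describe one problem seen from two sides: the browser replays a cached basic-auth credential on every request, and each of those requests carries the password in a form anyone on the path can read. The following is an added example, not from the HVL 2001 talk; the captured requests are constructed by hand to look like what a sniffer on an open wireless segment would record, and the host, username and password are made up.

```python
"""Recovering a basic-auth credential from captured HTTP requests.

Added example, not from the HVL 2001 talk.  The capture below is constructed;
the host, user and password are made up.
"""
from __future__ import annotations

import base64

# Constructed capture: three requests from one browser session.  The browser
# answered the first 401 challenge once, then silently replayed the same
# Authorization header on later requests in the same protection space.
CAPTURED_REQUESTS = [
    "GET /hr/payroll HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Authorization: Basic anNtaXRoOlN1bW1lcjIwMDEh\r\n\r\n",
    "GET /hr/payroll/report.csv HTTP/1.1\r\nHost: intranet.example.test\r\n"
    "Authorization: Basic anNtaXRoOlN1bW1lcjIwMDEh\r\n\r\n",
    "GET /public/index.html HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n",
]


def extract_basic_credentials(raw_request: str) -> tuple[str, str] | None:
    """Return (username, password) from a Basic Authorization header, or None.

    Basic auth (RFC 7617) is only base64 of "user:password": encoding, not
    encryption, so whoever sees the request sees the password.
    """
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep2, password = decoded.partition(":")
        return (user, password) if sep2 else None
    return None


def credential_exposures(requests: list[str]) -> dict[tuple[str, str], int]:
    """Count how many times each credential crossed the wire in the capture."""
    counts: dict[tuple[str, str], int] = {}
    for req in requests:
        cred = extract_basic_credentials(req)
        if cred is not None:
            counts[cred] = counts.get(cred, 0) + 1
    return counts


if __name__ == "__main__":
    for cred, n in credential_exposures(CAPTURED_REQUESTS).items():
        print(f"user={cred[0]!r} password={cred[1]!r} sent {n} times in the clear")
```

The count is the point: a session timeout on the server does nothing about this, since the credential is resent by the browser and captured on each request, and only transport encryption (the later slide on SSL, TLS and IPsec) or a different authentication scheme removes the exposure.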
Authentication & Trust
• Authentication is the key to our knowledge, transaction, network and information system doors
• While other authentication methods such as smartcards, certificates and biometrics are growing, passwords will remain as the most common method of creating the first stage of trust
Leveraging Your Infrastructure
You need to leverage infrastructure to create a modern password strategy which:
• Reduces risk
• Reduces costs
• Improves productivity
• Is easy to use
• Can scale across applications
Directories Are Critical
• Directories are optimized for fast reads, whereas databases are tuned for transactional writes
– They are therefore well suited to front-end authentication, which consists of many fast reads of usernames, passwords and other authentication data
Directories Are Critical
• Unlike databases, directories share a standard access protocol and schema model, LDAP
– Therefore you can point your many different systems at a common information store for fast reads and lookups such as username and password
SSO and Directories
• The user community is frustrated by having too many passwords and usernames to remember
• Directories can act as an authentication hub for NOSs, ERPs, HRISs, data warehouses, portals and other legacy and back-office applications
Username Challenges
• Something as simple in concept as a username can create a great deal of grief in enterprise management
• It is complicated because people’s names change, different systems require different syntax, globalization requires international character sets, and there are so many different systems requiring usernames within the same corporation
Authoritative Username
• Who and what is the authoritative source for the username?
• With system integration an imperative, new ways of handling the username are required
Directories and Username
• Directories can store a global ID for the person which can be mapped to their common name and format for different systems
• This is usually approved by HR or the HRIS and then applied to other systems via the directory
Passwords & Directories
• Initial passwords can be created by the NOS, placed in the directory and then changed by the user
• The password can be stored in the directory in hashed or encrypted form rather than as plain text
Passwords & Directories
• Password management features, such as notifying the user three days before a password expires, can be driven from a central directory
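The advance-notice feature above, together with the 3-4 month change cycle from the "Managing Passwords Is Complicated" slide, is a small amount of logic once the directory records when each password was last changed. The following is an added example, not code from the talk or from iPlanet or Oblix; it assumes the directory exposes the change date in an attribute shaped like LDAP GeneralizedTime (the name pwdChangedTime is borrowed from the OpenLDAP ppolicy overlay) and that maximum age and warning window are policy settings. The entries and the "now" value are constructed.

```python
"""Password expiry notification driven from directory attributes.

Added example, not code from the HVL 2001 talk, iPlanet or Oblix.  Assumes a
per-entry change timestamp in LDAP GeneralizedTime form (attribute name taken
from the OpenLDAP ppolicy overlay); entries and NOW are constructed.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed directory search results: one dict per entry.
ENTRIES = [
    {"uid": "jsmith", "pwdChangedTime": "20010301120000Z"},
    {"uid": "akumar", "pwdChangedTime": "20010527090000Z"},
    {"uid": "bchen", "pwdChangedTime": "20010115180000Z"},
    {"uid": "svc-backup"},   # never changed through the directory: no timestamp
]

# Constructed "current time" so the run is reproducible.
NOW = datetime(2001, 5, 29, 12, 0, tzinfo=timezone.utc)


def parse_generalized_time(value: str) -> datetime:
    """Parse LDAP GeneralizedTime 'YYYYMMDDHHMMSSZ' into an aware UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError(f"unsupported GeneralizedTime: {value!r}")
    return datetime.strptime(value[:-1], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def classify(entries: list[dict], now: datetime, max_age_days: int = 90,
             warn_days: int = 3) -> dict[str, list]:
    """Sort entries into expired, notify (uid, days left), ok, and no_timestamp.

    Entries without a timestamp are reported rather than silently treated as
    fresh: a password that the directory has never seen change is exactly the
    one an auditor wants to know about.
    """
    result: dict[str, list] = {"expired": [], "notify": [], "ok": [], "no_timestamp": []}
    for entry in entries:
        raw = entry.get("pwdChangedTime")
        if raw is None:
            result["no_timestamp"].append(entry["uid"])
            continue
        expires_at = parse_generalized_time(raw) + timedelta(days=max_age_days)
        remaining = expires_at - now
        if remaining <= timedelta(0):
            result["expired"].append(entry["uid"])
        elif remaining <= timedelta(days=warn_days):
            result["notify"].append((entry["uid"], remaining.days))
        else:
            result["ok"].append(entry["uid"])
    return result


if __name__ == "__main__":
    for bucket, uids in classify(ENTRIES, NOW).items():
        print(f"{bucket:13} {uids}")
```

Running this as a scheduled job against a real search result gives the help desk its warning list; the "expired" bucket doubles as a check that the NOS and the directory agree on who should still be able to log in.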
Lost Passwords & Directories
• Users can be prompted to store challenge phrases in the directory in case they forget their password
• These too can be stored in hashed or encrypted form; treat the answers as a second credential, since anyone who can guess them can reset the password
Lost Passwords & Directories
• Using web based form authentication, users can serve themselves when they forget a password, via the form and the directory
• This avoids calls to the help desk and therefore reduces costs while improving productivity
Password Security & Directories
• There are a number of tools to ensure passwords never travel in the clear
• Within the directory, salted hashing algorithms can be used so that the stored value does not reveal the password
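The hashed storage on this slide, the "encrypted form" on the earlier Passwords & Directories and Lost Passwords slides, and the reuse rule on the "Managing Passwords Is Complicated" slide all rest on the same primitive, so one example covers them. The following is an added example, not code from the talk or from iPlanet: it implements the {SSHA} userPassword format that OpenLDAP and the Netscape-derived directories store, "{SSHA}" followed by base64 of SHA-1(password + salt) with the salt appended, and builds reuse checking and hashed challenge answers on top of it. SHA-1 is shown because that is what the directories of the period hold; for a new design substitute a slow hash (bcrypt, scrypt or Argon2) behind the same two functions. The PasswordStore class and its history size are hypothetical.

```python
"""Salted, hashed password storage as directories keep it in userPassword.

Added example, not code from the HVL 2001 talk or from iPlanet.  Implements
the {SSHA} format ("{SSHA}" + base64(SHA-1(password + salt) + salt)); the
PasswordStore wrapper and its defaults are hypothetical.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import os

SALT_LEN = 8          # bytes of random salt appended to the digest
SHA1_LEN = 20         # SHA-1 digest length, fixes where the salt starts


def ssha_hash(password: str, salt: bytes | None = None) -> str:
    """Return an {SSHA} userPassword value; a fresh random salt unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check password against an {SSHA} value; False for any other scheme or junk."""
    if not stored.startswith("{SSHA}"):
        return False
    try:
        blob = base64.b64decode(stored[len("{SSHA}"):], validate=True)
    except ValueError:
        return False
    if len(blob) <= SHA1_LEN:
        return False
    digest, salt = blob[:SHA1_LEN], blob[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)      # constant-time compare


def violates_history(new_password: str, history: list[str]) -> bool:
    """Reuse check: only hashes are kept, so the candidate is hashed with each
    stored salt and compared rather than comparing plain text."""
    return any(ssha_verify(new_password, old) for old in history)


class PasswordStore:
    """What the directory holds for one user: current hash, recent hashes, hashed challenge answers."""

    def __init__(self, history_size: int = 5) -> None:
        self.history_size = history_size
        self.current: str | None = None
        self.history: list[str] = []          # most recent first
        self.challenges: dict[str, str] = {}

    def set_password(self, new_password: str) -> None:
        previous = ([self.current] if self.current else []) + self.history
        if violates_history(new_password, previous):
            raise ValueError("password was used recently")
        self.history = previous[: self.history_size]
        self.current = ssha_hash(new_password)

    def set_challenge(self, question: str, answer: str) -> None:
        # Normalise so "Rex" and " rex " match, then protect the answer like a password.
        self.challenges[question] = ssha_hash(answer.strip().lower())

    def check_challenge(self, question: str, answer: str) -> bool:
        return ssha_verify(answer.strip().lower(), self.challenges.get(question, ""))


if __name__ == "__main__":
    store = PasswordStore()
    store.set_password("Winter2001!")
    print(store.current)                      # e.g. {SSHA}...; differs on every run
    print(ssha_verify("Winter2001!", store.current), ssha_verify("winter2001!", store.current))
```

Two points a practitioner should take from the block: the salt is what makes the reuse check possible without keeping plain text, because the candidate can be rehashed with each old salt, and the constant-time comparison matters only once the hash is fast, which is one more reason to prefer a slow hash where the directory supports it.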
Password Security & Directories
• Between the user, the web server and the directory you can secure transmission by using Secure Sockets Layer (SSL), Transport Layer Security (TLS), or IPsec; verify the server certificate at each hop, or the encryption only protects against passive eavesdropping
Middleware
• Directories such as iPlanet provide a number of rich features for advance notification of password expiration, etc.
• Directories, however, are not by nature end-user friendly and intuitive
• You need middleware tools that give end users ease of use while integrating the directory with your multiple authentication and authorization methods, back-office and network systems
Oblix
• Oblix provides a rich set of end-user and management tools supporting basic, form, certificate and biometric authentication schemes
• It is easy to configure a lost-password management feature for the end user via the intranet or extranet
• Self-serve password management thus becomes a powerful cost and time saving possibility
Oblix
• Oblix enables the administrator to determine who has view, modify and notify privileges for the password and username attributes
• You can thus integrate auditing and notification to the help desk, the user’s manager, the HRIS, etc., whenever any change to the username or password occurs
• Oblix has API plug-ins for working with common NOSs such as NT/2000, etc.
Directories & HRISs
• Often the HRIS, such as PeopleSoft or SAP, will be the authoritative source for the username
• The username can be created within the HRIS, then populated to the directory and picked up by other application systems from the directory
• Providing a common centralized password management system for NOSs and HRIS/ERPs is a big step towards the concept of single sign-on
The Result?
By carefully considering an LDAP directory solution for basic authentication, you can:
• Significantly reduce costs
• Improve productivity
• Implement a single sign-on solution for the major systems
• Provide a unified central password management point
• Reduce risk
I’d Like to Learn More on How to Implement This…
Guy Huntington, HVL
• [email protected]
• www.hvl.net
• 604-921-6797
Derek Small, Nulli Secundus
• [email protected]
• www.nulli.com
• 403-270-0657