The business case for enterprise password management
Date: Feb 08, 2011
Spyro Malaspinas discusses the importance of enterprise password management and how your business can benefit from implementing good identity management practices.
Video sections include:
- What is identity management? (0:26)
- Thoughts on identity management (1:16)
- How identity management works (1:57)
- IdM: Password; a security slant (2:33)
- What is the cost of poor password management (4:03)
- IdM: Real ROI... In a nutshell (5:41)
About the author:
Spyro Malaspinas is the Director of Compliance at Brightline CPAs & Associates, Inc.
Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact firstname.lastname@example.org.
Spyro Malaspinas: Identity management system identifies
individuals and system controls or
access to resources within that system, by associating user rights and
restrictions with each identified individual. Really what this is, is a
repository that can be used for a variety of applications, platforms,
systems, appliances that you have in your organization. So you don't have
to manage multiple user repositories. For anyone that has differing
applications that run multiple operating systems, you'll quickly find that
without an LDAP or without an identifying solution like Active Directory,
you're going to be in a situation where you're managing multiple users from
multiple platforms. The user provisioning and administration process can be
very burdensome, boring and it's prone to a lot of mistakes. A couple of
quotes I found on the web, from the security perspective. Weak, stale, and
shared passwords oftentimes are considered to be the biggest threat of
enterprise by experts.
If you think about password changing and password complexity, a lot of
these things are nuisances to employees for the most part. If they're too
complex they'll write down their passwords. If they have to change them too
often they'll forget them or simply append a one or a subsequent letter on
to them. So they're easily guessed. These things are consistently being
troublesome to a lot of enterprises I work with today. I'm sure enterprises
you guys work within your own. IDM, how's it work. IDM's central user
administration for many devices. Again, just about any off the shelf
application you can find that is robust and enterprise size. What we call
LDAP aware, which is a lightweight directory access protocol.
Which is simply a protocol that allows applications, operating systems, and appliances, to query the IDM for authentication as well as authorization. IDM's password is a security slant. Just to give you a kind of idea of how big of a problem passwords are. According to SIR 80% of all security attacks that they investigate are password related in some way, shape or form. Vulnerability is a password-based solution and it stems from the following. One I mentioned, humans are not perfect, cannot be relied upon. They write passwords down; they'll share them with their neighbors. Second, other more job-related processes compete for their attention. Rather than ensuring that our security administrator password is secure, they'll share those because they have other burning issues. One of the things that I've seen that works well in the past is two-factor authentication. Which can be used in concert with IDM. To prevent that especially with the administrator level access. For user level access it can become a little too costly. Certain insiders and outsiders are intentionally seeking ways to compromise the solution.
So really the passwords have consistently been deemed the weakest link, and
they'll go after those. Pets names, cousins, birthdates, things like that.
What are the costs of poor password management? This will lend itself to
making the ROI cost to some degree, for your organization. Again these are
examples of large enterprises that have been queried to say, "hey what
percent of your help desk tickets are related to passwords?" In this
particular case it was 40%, these numbers are pulled from Gartner. A fairly
reliable source. Each year companies spend $200 to $300 per user in an
attempt to maintain secure passwords. Now, that number can vary wildly.
I've queried a few of my clients, and the number was, around that number,
I saw some much lower and some much higher. It's usually depending upon the
size, but more importantly how many applications does that organization
maintain. They maintain five; well you're not going to see that high
number. They maintain 200 like some of the organizations I work with. That
number could be a $1000. Those are the organizations that can really
benefit from an IDM. The more applications and platforms that you have the
stronger the argument will be for getting an IDM in place. Some simple math
you can do if you are arguing. If IDM has been a priority for you, some
simple math you can do to help boost your argument.
How many calls per quarter your help desk received, and how many of those
are password related? Are they categorized through your ticketing system?
Most ticketing systems will be able to spit out a report and say 30% of all
of your calls were help desk related. What does it cost to run your help
desk per quarter? You can run some simple math and fairly quickly and
roughly, determine an ROI of some case. IDM and ROI in a nutshell. These
numbers were taken from actually an Oracle and a third-party organization
that pulled these numbers. These are some of the benefits. Again, there's
many more benefits to an IDM, but these are some of the larger more
First off, improved application development. Rather than writing your own
administration stack for user repositories. Well, you have one you can call
through now through protocols and well documented procedures that are
provided by the vendors. It was estimated that you're
going to save about $15 grand for every application. For every application
that you write in-house that uses their own user repository. Whatever
you're paying your developers to both write and review and subsequently
make changes to that. You can expect to save about 15 K per application.
From an IT efficiency standpoint you're going to be able to, for mergers
and acquisitions for example, when you are looking at acquisition targets
it's going to be less burdensome from an operations standpoint. I
consistently see that organizations are looking at balance sheets. They
don't look at IT infrastructure. When they don't pay attention to that they
can find themselves taking two to three times as long to try to integrate a
lot of technologies that they're acquiring through this acquisition. Faster
user account activation. I see this myself all the time.
Every time I step into a new client. In order to get access to the systems
I need it can take a week, two weeks, sometimes two-and-a-half weeks. To get
comprehensive access to all the systems I need and they're paying us high
dollars. If you're paying a contractor $100-$150, $200 an hour, well do the
math on that. You do 40 hours a week; you're talking between 4 and 8-K per
week just to get this user provision. When they leave you need to remove
access within a relatively simply, minimal amount of time. Let's expand
that number by how many contractors and employees you take on each quarter.
The number gets pretty alarming. With IDM if you centralize your user
repositories you only have to create one user name and one password, so
that all your applications theoretically can use that and leverage that
Reduced compliance cost. Again, as I mentioned earlier there are queries
constantly from the compliance groups to the operations to the security
groups for reports. Oftentimes it keeps them from doing more strategic
type work. Rather than just providing paperwork and evidentiary trails for
compliance. You can now give them read only access to these IDM tools,
where they can actually pull their own queries, do their own reports.
Everybody is happier for the better but better than that for compliance it
really helps them monitor. Compliance is an ongoing thing rather than a
point in time. If you approach compliance point in time you're going to
fail and every year you're going to find yourself at a point where you need
to remediate, and you have less and less time. And you have less and less
dollars to fulfill that goal. A lot of management do not understand. How are
we compliant last year, we're not compliant this year. Well, you need to
manage that. Monitor that just like you're maintaining your car. You get
oil changes every 3,000 to 5,000 miles. We need to do the same thing with
your IT environment to make sure everything is not just up but it's running
properly. These numbers again are rough numbers. They vary between the
organization based upon the complexity of the applications that you're using,
as well as the complexity of the environment.