Published: 01 Apr 2002
"I forgot my password. I'm locked out...again."
As password-related help desk calls continued to eat up support staff time and money at MFS Investment Management, the IT staff knew it had to find a cost-effective solution, quickly. The numbers -- 20 to 25 percent of all support calls per month -- were staggering, but typical of the problem for organizations across the country.
MFS's Mike Greene wanted to lift the burden from the shoulders of his beleaguered support staff and distribute it among the users themselves. His solution was PasswordCourier, the self-service password management module of Courion's Identity Management Suite (www.courion.com).
Password Management Options
Password self-service reset and password synchronization products are offered in a wide range of options, as stand-alone products or as components of identity management suites and user provisioning packages. The following are among the solutions available:
Access360 offers password reset as part of its enRole solution, which provides policy-based, automated user provisioning to network resources for employees, partners and other parties.
Advanced Software Products Group's (www.aspg.com) ReACT provides password synchronization for multiple platforms, including OS/390, Novell NetWare and Windows NT/2000, as well as self-service reset through a browser or Windows client.
Avatier (www.avatier.com) last month released Password Station.NET, the first Microsoft .NET-based password reset product. The solution requires purchase of a separate Avatier product, Password Bouncer, to enforce strong password policy. Available for NT/2000 only, though the company says it plans to release a Unix version.
BMC Software's (www.bmc.com) Control-SA provides user provisioning and role-based access control. Through a Web interface, users can request changes to security entitlements and manage, synchronize and reset passwords.
Blockade Systems offers browser-based Web-Reset and Blockade Synchronization Services, which synchronizes passwords across multiple platforms, including NT/2000, iPlanet/Netscape Directory Server, Netware, Unix, AS/400 and OS/390. Available as stand-alone products or as part of a full enterprise access control suite.
Courion's PasswordCourier (www.courion.com) offers password reset and synchronization across multiple platforms and systems, including NT/2000, Netware, OS/390 and Unix, as well as major databases and messaging systems. It's part of Courion's Identity Management Suite.
Entact's Entact! series of products provides central administration of user account privileges and roles, along with password reset and synchronization.
IBM Tivoli (www.tivoli.com) offers Identity Director, a policy-based identity management suite that includes self-service password reset and synchronization.
M-Tech Mercury Information Technology (www.psynch.com) offers P-Synch, which provides password reset and synchronization via multiple user interfaces. It provides a generic account for users who have forgotten their network passwords, and password synchronization for Windows NT server domain, Windows 2000 and Active Directory, Unix, OS/390/MVS and LDAP.
NetVision's (www.netvision.com) Synchronicity is designed for directory support. The product synchronizes password changes across multiple directories, including Novell NDS, Windows NT and Active Directory, Novell GroupWise, Lotus Notes and Microsoft Exchange, and iPlanet. Available as a stand-alone product or a component of policy management suite.
PentaSafe (www.pentasafe.com) offers VigilEnt User Manager/ Password Manager, which includes password synchronization and reset functions. Introduced last month, it runs on NT/2000 servers and deploys agent technology for password reset and synchronization across multiple platforms, including NT/2000, Unix, AS/400 midrange systems and
Proginet offers browser-based SecurPass-Reset for self-service on NT/2000, Netware, Unix, OS/390 and OS/400; and SecurPass-Sync for password synchronization for native NT security with IBM mainframes, AS/400, Novell and Unix systems. Security admins can revoke, resume and delete user accounts from a single point.
Waveset Technologies offers a Web-based self-service reset component in its Lighthouse identity management suite. The suite also provides password synchronization across Web and legacy systems.
Password-related help desk calls may cost as much as $30 a call, according to a Meta Group study. The cost of managing 2,800 NT users worldwide was more than MFS wanted to shoulder, especially during a recession. Greene is banking on PasswordCourier to cut password calls to 5 percent of the total per month by year's end, while continuing to enforce MFS's strong password policy. (While Greene wouldn't specify MFS's policy, an example is an eight-character, mixed-case alphanumeric string that's changed every 30 days.)
PasswordCourier is typical of self-service reset products in enforcing an organization's strong password requirements while obligating the user to authenticate by answering customized challenge questions. Failure of any product to support MFS's strong password policy would have been a "showstopper," says Greene.
Password reset is just one component of identity management, an emerging IT/security market that includes a range of products and services that help admins manage user access. While password reset tools are a cost-effective solution for harried help desks, they don't address the problem of multiple passwords for multiple applications. Enter password synchronization, which aligns user passwords across multiple systems and applications. Users only have to remember one password. "By installing password synchronization, 50 to 70 percent of password reset problems [are eliminated] in the first place," says Kevin Bohan, CTO of Proginet, developer of the SecurPass password reset and synchronization suite.
The caveat? Although users have a single password, they still have to log on to each system or application. Single sign-on (SSO) technology is the next step up in the identity management hierarchy. Although SSO employs synchronization, it gives users access to multiple applications and systems through one-time logons. When a user launches a new application, SSO resolves the password authentication in the background.
So why doesn't everyone just deploy SSO instead of password synchronization? The complexity and cost associated with deploying SSO have slowed widespread deployment. SSO requires costly additional infrastructure, such as authentication servers and client software. Also, SSO is more difficult and expensive to maintain. "A lot of folks feel burned from the promise of single sign-on," says Pete Lindstrom, director of security research at Hurwitz Group, an IT market research firm. "The idea of automating the reset help desk is head and shoulders over other security [products] when it comes to ROI and strengthening security."
In addition to overhead, SSO presents a "single key to the kingdom" security risk. Therefore, passwords must be very strong and expire frequently. This means users are more likely to forget their passwords and call the help desk.
Of course, there's no reason why self-service reset can't be used in conjunction with either synchronization or SSO. This is exactly what many organizations are trying to accomplish. Consequently, many vendors offer identity management solutions that run the gamut from cost-effective password management to complex enterprise authorization solutions.
Passwords Made Easier
Among the various identity management options, password reset software is the least invasive to an enterprise's existing infrastructure. Such tools usually integrate with an organization's directories, help desk and security systems via native APIs. Solutions typically consist of server-side software and modules that connect to various operating platforms, such as Windows NT/2000 and Novell Netware (www.novell.com). Users authenticate to corporate directories or databases using personal challenge/response questions; some reset tools also interoperate with third-party authentication products, such as digital tokens.
Courion, for example, deploys interfaces known as Password Management Modules (PMMs) that perform password reset and synchronization functions, as well as enforce password policies on the supported OSes and applications. The PMMs run on NT/2000 servers, known as the Courion Service Platform, and use NOS calls to perform password changes on NT/2000 and Netware systems. For OS/390 and Unix platforms, the modules interact with agent software.
Another password reset product is Blockade Systems Corp.'s Web-Reset, a Web-based tool that runs on an NT server. After the user logs on via a browser, a Blockade API on the server performs the reset operations. The API enables integration with third-party databases.
Blockade's password reset works in two modes. As a stand-alone on NT, it directly resets NT/2000 and Active Directory passwords. Or, it connects with the Blockade IP Connector server, which allows password resets through IBM host-based OS/390 security tools such as RACF, ACF2 and Computer Associates' Top Secret (www.ca.com). It's also possible for one Web-Reset server to reset two or more platforms, such as OS/390 users and NT domain users. The IP Connector also provides integration with Blockade Synchronization Services.
M-Tech Mercury Information Technology's P-Synch manages passwords for more than 60 platforms through server-based software and pre-built agents. User access is available via browser, Windows client or telephone. (Telephone access, or interactive voice response, lets users authenticate themselves and reset passwords using a telephone's keypad.)
P-Synch also adds a feature to help users who have forgotten their network password and are unable to log on to the network via their accounts. Users can log on to a generic network account, called "Help" as a default, but they won't have network rights. Instead of starting the Windows shell, the account runs the user's default Web browser in "kiosk mode," devoid of navigation buttons. The user enters his ID and is authenticated by challenge questions and/or whatever authentication tools are normally required. The user then enters a new password, unlocks his account and returns to the network logon screen.
The first Microsoft .NET-based password reset product is Avatier's Password Station.NET (www.avatier.com). Launched last month, the product uses Microsoft tools and APIs to communicate with NT/2000 and .NET platforms. Microsoft's IIS Web server (version 5 or higher) is required.
Meeting Your Requirements
Given all these options, the first step in selecting a password reset tool is to determine your organization's requirements. Lindstrom says IT security managers should answer the following questions:
- How many passwords do users have to remember?
- Who performs password reset functions now: help desk, sysadmins, user-account support staff?
- How often do passwords need to be reset?
- How strong are the current password enforcement policies?
A number of factors determine if the feature set for a particular self-service solution meets an organization's functional and business requirements. Here's what to look for:
Flexible user access.
Password reset software generally lets users reset and change passwords from a browser, Windows client or telephone. Both PasswordCourier and P-Synch provide all three types of access. Other products, such as Blockade's Web-Reset, provide only browser access. Advanced Software Products Group's ReACT (www.aspg.com) only provides a Windows client.
As MFS's Greene notes, organizations aren't going to buy a reset solution if it means compromising their strong password policy. While stronger passwords reduce the chances that an intruder will guess or break them with a password-cracking tool, they're also harder to remember, especially if a user has several.
"Folks have been fooling themselves for years thinking strongly formatted passwords equal stronger security, but neglecting the human aspect of remembering strong passwords," says Hurwitz's Lindstrom.
The idea is to enforce strong passwords and at the same time reduce calls to the help desk, says Tom Rose, vice president of marketing at Courion. "If you tell companies the best way to stop costly intrusions is password strength, but then tell them it costs $20 to call the help desk to reset a forgotten password, and now with stronger passwords you're going to increase the calls even more, they don't want to hear that," Rose says.
Most products allow admins to set stringent password requirements based on a flexible set of rules. P-Synch, for example, offers rules that include minimum/maximum length, use of mixed alphanumeric digits and a maximum number of character pairs. As mentioned, products such as Web-Reset can leverage the password policies of host systems, such as OS/390. Avatier pitches a separate product, its Password Bouncer, as a companion to Password Station.NET to enforce strong passwords.
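The rule types just listed, as an added example that is not Courion's, M-Tech's or Avatier's code: a policy checker enforcing minimum/maximum length, mixed case and digits, a cap on repeated character pairs, and the 30-day expiry cited earlier. Reading a "character pair" as two identical adjacent characters is an assumption, as are the default limits.

```python
"""Password policy checker modelled on the rule types the article lists.
Added example; the rule semantics and defaults are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 8
    max_length: int = 64
    require_mixed_case: bool = True
    require_digit: bool = True
    max_repeated_pairs: int = 1   # assumption: a "pair" is two identical adjacent chars
    max_age_days: int = 30        # the 30-day rotation the article gives as an example


def repeated_pairs(password: str) -> int:
    """Count positions where a character equals the one before it ('aa', '11')."""
    return sum(1 for a, b in zip(password, password[1:]) if a == b)


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the list of violated rules; an empty list means the password complies."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        problems.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("needs at least one digit")
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one letter")
    if repeated_pairs(password) > policy.max_repeated_pairs:
        problems.append(f"more than {policy.max_repeated_pairs} repeated character pair(s)")
    return problems


def is_expired(last_changed_iso: str, now_iso: str, policy: PasswordPolicy = PasswordPolicy()) -> bool:
    """True when the password is older than the policy's maximum age (ISO-8601 timestamps)."""
    last_changed = datetime.fromisoformat(last_changed_iso)
    now = datetime.fromisoformat(now_iso)
    return now - last_changed >= timedelta(days=policy.max_age_days)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor", "password", "Aabb1122"):
        print(candidate, "->", check_password(candidate) or "OK")
    print("expired:", is_expired("2002-03-01", "2002-04-01"))
```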
In addition to supporting authentication tools, such as tokens and biometrics -- either out of the box or through an SDK -- self-service reset solutions typically authenticate users through a series of challenge-response questions. These should be questions only the user is likely to answer correctly, such as the name of a childhood pet. Solutions often ship with a pre-built list of generic questions, which can be modified or discarded. Many products, including the password reset function of BMC Software's Control-SA (www.bmc.com), let users define their own authentication questions.
To ensure that challenge questions provide strong user authentication, especially if the questions are the only authentication to the reset tool, reset solutions typically allow admins to define the number and type of questions that must be answered.
Authentication questions and answers, which are stored in user profiles, should be hashed or encrypted in enterprise databases. For instance, PasswordCourier provides TripleDES for encryption and MD5 for hashing to securely store and transmit all user profile information. "The last thing you would want is challenge-response information sitting exposed in a human resources database," said MFS's Greene.
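Storing and checking challenge answers, as an added example that is not PasswordCourier's code: answers are normalised, salted and hashed with PBKDF2-HMAC-SHA256 (chosen here in place of the MD5 the article mentions), compared in constant time, and an admin-set number of correct answers is required, as the preceding paragraph describes. The question list, normalisation rules and iteration count are assumptions.

```python
"""Challenge-answer storage and verification for a self-service reset tool.
Added example; plaintext answers are never written to the profile."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

ITERATIONS = 100_000   # PBKDF2 work factor; assumption, tune for your hardware
Profile = Dict[str, Tuple[bytes, bytes]]   # question -> (salt, hash)


def normalize_answer(answer: str) -> str:
    """Fold case and collapse whitespace so 'Rex ' and 'rex' match (assumed policy)."""
    return " ".join(answer.casefold().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    """Salted slow hash of the normalised answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize_answer(answer).encode("utf-8"),
                               salt, ITERATIONS)


def enroll(answers: Dict[str, str]) -> Profile:
    """Build a user profile at enrolment time; each answer gets its own random salt."""
    profile: Profile = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        profile[question] = (salt, hash_answer(answer, salt))
    return profile


def verify(profile: Profile, given: Dict[str, str], required_correct: int) -> bool:
    """True if at least required_correct answers match. Every enrolled question is
    checked, with no early exit, so timing does not reveal which answer failed."""
    correct = 0
    for question, (salt, stored) in profile.items():
        candidate = hash_answer(given.get(question, ""), salt)
        if hmac.compare_digest(candidate, stored):
            correct += 1
    return correct >= required_correct


if __name__ == "__main__":
    # Constructed sample profile, not real user data.
    stored = enroll({"childhood pet": "Rex", "first school": "Lincoln Elementary"})
    print(verify(stored, {"childhood pet": " rex "}, required_correct=1))
    print(verify(stored, {"childhood pet": "Fido"}, required_correct=1))
```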
Help desk integration. Since admins need to track password reset requests and transactions, an audit record of all transactions is necessary. PasswordCourier does this by generating a help desk trouble ticket that automatically fills in what platforms needed to be changed, the person's name, the machine's IP address, etc. If the user does have to call the help desk, the operator can refer to the ticket.
For diverse and heterogeneous enterprises, a password reset solution also has to be scalable across multiple platforms, such as mainframes, distributed systems and databases, as well as various applications, like e-mail and ERP. Products such as PasswordCourier and P-Synch include SDKs to let IT departments write their own password reset modules.
E-mail confirmation of a successful password reset can alert users if an intruder has gained unauthorized access. For example, an e-mail generated by PasswordCourier might inform a user that his passwords were changed on NT, Novell and IBM mainframe systems, with the message, "If this was not you, please notify security immediately." Also, some products, such as ReACT, provide automated alerts to IT personnel for events such as persistent reset failure or suspected brute-force attacks.
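Detection of the two alert conditions named above (persistent reset failure and a suspected brute-force attempt), as an added example run over constructed audit lines; the log format, thresholds and time window are assumptions and not ReACT's or PasswordCourier's.

```python
"""Alerting over a reset tool's audit trail. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample audit lines in an assumed "timestamp user ip result" format.
SAMPLE_LOG = """\
2002-03-18T09:00:01 jsmith 10.1.2.3 FAIL
2002-03-18T09:00:20 jsmith 10.1.2.3 FAIL
2002-03-18T09:00:45 jsmith 10.1.2.3 FAIL
2002-03-18T09:01:10 jsmith 10.1.2.3 FAIL
2002-03-18T09:02:00 jsmith 10.1.2.3 SUCCESS
2002-03-18T09:05:00 mjones 10.1.2.3 FAIL
2002-03-18T09:05:05 pwong 10.1.2.3 FAIL
2002-03-18T09:05:09 rlee 10.1.2.3 FAIL
2002-03-18T09:05:14 kdoe 10.1.2.3 FAIL
2002-03-18T10:30:00 abrown 10.9.9.9 FAIL
2002-03-18T10:31:00 abrown 10.9.9.9 SUCCESS
"""


def parse(log_text: str) -> List[Dict]:
    """Turn audit lines into events with a real timestamp."""
    events = []
    for line in log_text.splitlines():
        ts, user, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ip": ip, "result": result})
    return events


def _max_in_window(items, window):
    """Largest set of consecutive sorted items whose timestamps span <= window."""
    items = sorted(items)
    best, start = [], 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        if end - start + 1 > len(best):
            best = items[start:end + 1]
    return best


def persistent_failures(events, threshold=3, window=timedelta(minutes=10)) -> List[str]:
    """Users with >= threshold failed challenge attempts inside a sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_user[e["user"]].append((e["ts"], e["user"]))
    return sorted(u for u, items in by_user.items()
                  if len(_max_in_window(items, window)) >= threshold)


def multi_account_sources(events, min_users=3, window=timedelta(minutes=10)) -> List[str]:
    """Source addresses whose failures touch >= min_users distinct accounts in a window:
    one address working through many accounts, not one user retrying."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            by_ip[e["ip"]].append((e["ts"], e["user"]))
    return sorted(ip for ip, items in by_ip.items()
                  if len({u for _, u in _max_in_window(items, window)}) >= min_users)


def alerts(log_text: str) -> Dict[str, List[str]]:
    events = parse(log_text)
    return {"persistent_failure_users": persistent_failures(events),
            "multi_account_sources": multi_account_sources(events)}


if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))
```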
Communication between clients (particularly remote clients) and password servers should be secure. P-Synch and Blockade, among others, use SSL to protect such transactions.
Getting Users on Board
Self-service password reset means change for users, and most change meets with resistance. "It's not just a technical issue; there has to be an attempt to make password reset fit culturally in the organization," says Greene.
MFS is pilot-testing PasswordCourier before deploying it throughout its organization. After the pilot, Greene's staff will conduct an educational campaign in each department to instruct employees on the benefits of self-service password resets. The company is considering extending PasswordCourier to other systems, such as its IBM mainframe and RSA Security SecurID/ACE Server (www.rsasecurity.com).
IT administrators at Kimball International, a manufacturer of home and office furniture in Jasper, Ind., also had to overcome "cultural issues" when they deployed P-Synch to reduce the more than 3,000 password reset calls that swamped their help desk every month.
Support staff had to get the security department "to agree that a user answering questions in order to reset his password was secure enough," says John Morton, a Unix support administrator and member of Kimball's help desk team. Since the company was implementing password reset, but not synchronization, users had to get in the habit of using P-Synch to change their soon-to-expire passwords, in addition to changing it on a particular system.
Although Kimball's logon problems have dropped to a third of the pre-P-Synch days -- about 1,000 per month -- one problem still generates password-related support calls: users getting locked out if they fail to reboot after resetting their NT password. While the password is changed in the domain, the old password remains cached on the user's PC. If the user starts an application (such as printing) that uses this cached password, he may be prompted to authenticate when he normally wouldn't. "The user supplies the new password, but gets prompted to authenticate again and again," Morton explains. "At this point, the user may reboot, but will discover that his NT domain account is locked."
"Password management is hard to sell by itself," says John Pescatore, director of research at IT analyst firm Gartner Group. "So you see lots of vendors of other products, such as access management, directory security and user provisioning, moving into this space." User provisioning, which focuses on user account administration (e.g., adding and deleting employee logon credentials) has a direct tie-in with password management. Companies such as Waveset Technologies and Access360 are emerging players in the provisioning space.
At Oppenheimer Funds' data center in Englewood, Colo., the support staff initially deployed Access360 for account provisioning, and is now starting to use the product to reset passwords for about 2,500 users.
Users can log on to an intranet site, where they are prompted with questions to verify their identity before they can reset passwords, says Mike Hager, VP of network security and disaster recovery at the investment management firm. Supported platforms include Novell's Groupwise and NetWare, as well as NT. The average user has about 11 passwords, which means IT managers would conceivably have to manage 27,500 password changes every six months. "The loss in productivity [can be] tremendous," says Hager.
Waveset offers a Web-based self-service reset component in its Lighthouse identity management suite. It lets users reset passwords through a Web-based interface and can synchronize passwords across Web and legacy systems.
Entact's Entact! series of products provides centralized administration of user account privileges and roles, along with password reset and synchronization.
PentaSafe, a provider of assessment and policy management products, entered the password management fray last month with the introduction of VigilEnt User Manager/ Password Manager, which includes password synchronization and reset functions. The product runs on NT/2000 servers and clients for password reset and synchronization across multiple platforms, including NT/2000, Unix, AS/400 midrange systems and NetWare.
Progressive Insurance of Cleveland turned to automated password synchronization to manage the daunting task of aligning password changes for its 20,000 NT users. Sysadmins spent a considerable amount of time aligning user profile and ID information from one platform to another.
"We were doing it [manually] in-house a couple of different ways," says Andrew Prayner, IT programming analyst with the insurance firm.
The company recently deployed Proginet's SecurPass-Sync to consolidate control of enterprise user profiles. One of the attractions was the product's ability to work seamlessly with Top Secret, Computer Associates' mainframe security tool that enforces strong password rules. "We were mainly looking at Proginet [to forge] better integration between NT/2000 and the MVS [mainframe]," says Prayner.
Administrators can now revoke, resume or delete user accounts from a single NT platform, and those changes, in turn, are propagated across the enterprise. The company is just coming out of pilot testing and plans to extend password synchronization to other platforms, including Lotus Notes and LDAP directories, Prayner says. Synchronization products, which usually don't require changes to the existing infrastructure, reside on a password synchronization server, typically an IIS Web server. Additional software is installed on every NT domain controller or workstation, usually via login script.
In addition to password synchronization, solutions often include the ability to propagate user account deletions, revocations and resumptions across disparate systems. Some products also offer strong reporting and audit capabilities.
Synchronization in Action
Progressive Insurance illustrates one of several types of environments in which password synchronization can be deployed. There are other models in which synchronization can bring passwords under control. Here are a couple of scenarios:
Internet portal. Given the cost and level of effort required to deploy SSO in an enterprise, some organizations choose password synchronization to simplify user access and ease the drain on IT staffs.
ALLTEL Information Services of Jacksonville, Fla., provides major lending institutions with a family of loan origination, secondary marketing, Internet, electronic transmission services and loan servicing products. When the company rolled out a new mortgage processing service to some 170 clients and business partners through an Internet portal, it had to provide 70,000 users with access to multiple computing platforms. Rather than deploying an SSO solution, ALLTEL is using Blockade Synchronization Services, a companion to Blockade's Web-Reset and part of its suite of identity management products.
"The new product brought along the complexity of needing authentication to multiple platforms," says Nancy Loveland, security operations manager at ALLTEL, but "true single sign-on is very complex and very costly."
With Blockade, the company is able to synchronize passwords and establish links between the user profiles on various platforms, from mainframes to distributed systems. Eventually, ALLTEL added a policy management application (which Loveland prefers not to name) that directs logon requests to the different systems. The policy management software does all of the heavy lifting to allow users to log on just once.
"As our product offering grew and the number of boxes a user had to traverse grew, we had to find a solution that would not require a user to sign on multiple times," Loveland explains. "This is when we decided to implement the policy manager."
Directory migration. Some organizations are deploying password synchronization to make directory migration smoother.
"We were running Windows NT and Novell's NDS on NetWare and were having all kinds of issues with people synchronizing passwords," says Brent Barton, a sysadmin at Public Employee Health Plan (PEHP) of Utah. "We were using utilities in Windows to manually sync passwords."
PEHP came across NetVision's Synchronicity (www.netvision.com) product by a fluke, not realizing at the time how it was going to benefit the organization in directory migration. "One of the IT support staff was searching for a video card driver and thought it was made by NetVision," says Barton.
Synchronicity is part of NetVision's Policy Management Suite and provides consolidation of multiple enterprise directories, such as Novell Network Directory Services (NDS) and Windows NT Active Directory. As the agency migrated from old versions of NDS to Active Directory, IT was able to automatically synchronize passwords and user permission rights for its 150 users.
What are users looking for in password reset and synchronization in the future? Courion's Rose says customers are starting to ask for Web portal functions for both B2B and B2C platforms.
Still, the biggest problem is coordinating user accounts on legacy systems, says Hurwitz's Lindstrom. Web access control vendors such as IBM Tivoli, Netegrity, and Entrust (www.entrust.com) are addressing business partner issues, he says.
"The iceberg under the water that people don't have a handle on is user accounts," said Lindstrom. "The key to all of this is mapping users to user accounts and aliases. In order to reset passwords, you have to know who owns the account."