The Essentials of Enterprise Password Management. FastPass Password Manager V 3.4 Enterprise & Service Provider Editions

Transcription

1 The Essentials of Enterprise Password Management FastPass Password Manager V 3.4 Enterprise & Service Provider Editions FastPassCorp 2012 FPC0 FastPassCorp Page 1 of 14

2 OVERVIEW When deciding on a new Password Management System, companies have asked us for advice on the most important criteria for choosing between different offerings and solution models. Our experience is that it is important to focus on the functions which determine the value of the particular business case, and which define future flexibility. The first pages illustrate the importance of specific features for your business case. We have in conversations with FastPass customers and users of other products learned that it is essential to focus on the Key Performance Indicator: The percentage self-service calls compared to total calls related to passwords. We have seen examples of no more than 20% and examples of more than 80%. If you want to reach more than 80% then focus on processes is the key! We have selected the functions which are important to all organizations and especially to larger organizations with many applications and many users working from different locations. In this document we have added a short description of FastPass Enterprise features related to the different headings. If you re considering alternative solutions to FastPass, then these are the areas where you should compare the quality. At the end of the document we have even a short description of the specific requirements for Managed Servicve Providers If you are looking for more information and inspiration, the National Institute of Standard and Technologies (NIST) have issued a draft document: Guide to Enterprise Password Management (Draft) Special Publication , where you can find recommendations regarding the use and management of Passwords. We consider the following topics to be the most critical ones: User authentication User registration Catch-22: The PC is locked Different passwords for different applications and security levels Service Desk tools Strong authentication All users anywhere Infrastructure and flexibility FastPassCorp Page 2 of 14

3 The basics: User authentication The most basic functionality in password self-service is the secure authentication of the user calling FastPass. The normal authentication in self-service solutions is challenge questions. When you decide for challenge questions you have a number of considerations to do: Are questions decided centrally with users giving the answers? Are questions decided centrally but with given answers (like personel number) what we describe as semi-personal questions Can users define their own questions? How many questions for enrolment? How many questions for authentication? The more options you have the better you can optimize user-friendliness and security to your needs In some organizations it might be important to avoid the enrolment process; but you still need a secure process. Then the use of a physical token might replace the question/answer model. In most cases all employees will today have a mobile phone, and you can then use the phone as a token by sending a code via SMS to the user, and ask him to enter this code. For special users with very high security requirements you might demand that another person makes a visual or audio identification of the user. You can then give the authentication user the privileges to give the user a code to use for authentication to FastPass. The above three models covers the three standard authentication methods: Something you remember Something you have Something you are Often we will require users to authentication with 2-factor authentication, often described as strong authentication. With FastPass you can combine any of the above methods to 2-factor or even 3-factor authentication. You can even make authentication profiles where a user only has to do singlefactor authentication on the domain but 2-factor authentication if he comes in from the external net! FastPassCorp Page 3 of 14

4 In large organizations you will typically have very different usergroups with access to information of varying sensitivity. You will then want to have different authentication to match the sensitivity of the systems. This requires the possibility to do different authentication profiles where you then can link different usergroups to different authentication profiles. Processes to support your business case The important question is: What does it take to make an end-user use password self-service? The answer is: Enrolment and service desk assistance!! A standard process for enrolment will be that the administrator sends a mail to all users asking them to enrol: Selecting questions and giving answers to the personal questions.( Enrolment might include more actions like mobile phone number and identifying other accounts). Many end-users will however wait with enrolment and forget, so you typically see an enrolment percentage of 30% or lower after first invitation round. The administrator will then manually start to send reminders; but give up after some time. At that time you might have reached 50%. When the users then need to use the system for password reset, a few users will have forgotten their answers. They have to call the service desk then, where they ask for a new password. They will get a new password, and then next time they forget, they will of course call the service desk again. Gradually the total number of actively enrolled end-users will fall: FastPassCorp Page 4 of 14

5 FastPass has automated processes to support an efficient enrolment process, where users are reminded until they enrol, or you force them to enrol!. Furthermore FastPass has an integrated process to support the service desk when called by users who have forgotten their answers to personal questions. In this case the service desk will give the user a code to re-enrol to FastPass, and then the user can reset the password himself. Next time the user will then use FastPass for self-service again. The unique FastPass processes are necessary to create and maintain a high self-service percentage without having to spend many administrative man hours to do the job! Furthermore it is of course a vital ingredient that all the user s passwords are covered by the solution. For every password system not covered, you give the user the expectation, that forgotten passwords still are to be solved by the service desk! User enrolment and registration When you need to get thousands of users enrolled into your Password Solution, you begin to realize the importance of an automated ongoing process. It is not just enough to send out an to all users. Based on our experience only between 5% and 20% of the users will take the time to register and enrol themselves into the system at first call. The consequence is that possibly 80%- 95% of your users will call the Service Desk. Alternatively, you may have to do a manual process, whereby your administrators need to remind users and their FastPassCorp Page 5 of 14

6 management to enrol. This could indeed compromise the business case for the entire project! Alternatively you can force users to enrol at log-in time. We have however still not seen any organization which are prepared to use this method as the one and only way to get users enrolled. The risk that the user community will react very negatively to this implementation method is high, and can be avoided by a more intelligent approach. FastPass offers an automatic process covering the complete enrolment process. With this automatic toolset provided you should aim for an enrolment percentage of not less than 90%. The critical components are: Automatic discovery of users Automatic invitation mail to new users Automatic and ongoing reminders, by mail or SMS(text) to users who have not yet enrolled Help Desk PIN-code can be issued to users calling the Help Desk without being enrolled. The users must then enrol before they can reset the password by themselves. Forced enrolment via NAG screen enforcing the users who have not yet enrolled You can define individual enrolment profiles for different user groups based on your knowledge of how you can get the fastest action! FastPassCorp Page 6 of 14

7 Catch-22: the PC is locked because of a forgotten password When a user has forgotten the password to the PC he is not able to logon. The user then calls the Service Desk, who will reset the password in Active Directory. Users can then use the new password given by the Service Desk - provided they re on the domain! If the user however is outside the domain, the Service Desk is not able to help him. The PC will remain unavailable until he s back in the office and attached to the domain. FastPass Enterprise solves both situations. A very small program at the PC allows the PC, via a browser, to connect to the FastPass portal and change Password in the AD. The user can then log-in when he is on the domain. The same action happens when he is on a remote net. In this case FastPass opens a hidden VPN connection, where the Password is synchronized back to the PC. The business benefit for the user and the company can be substantial, as this feature means that the user can keep working in the remote environment. Without this solution in place a complete journey might be lost when a PC password is forgotten. Different passwords for different applications and security levels Organizations like NIST for instance (FIPS PUB 199) recommend resources to be categorised as low impact, moderate impact or high impact, and the user should not share the same password between the different categories. In some organizations the single password concept - through password synchronization between applications with similar policies - is a good solution. FastPassCorp Page 7 of 14

8 The consequence for Password Management in the situation with multiple passwords is that the user must be able to reset different passwords for different applications. When a user has the tool to reset forgotten passwords, then the cost of multiple passwords due to high rate of resets - will be very limited. This makes it realistic to combine the demands from IT-security with the demands from the Service Desk when it comes to passwords and password resets. FastPass Enterprise allows administrators to choose between password synchronization and selective password reset (reset on each individual system). FastPass provides advanced configuration tools to tie your multi system requirements to different user groups with different profiles. As an example of that, if a company has Active Directory passwords and SAP passwords and wants different passwords due to different policies on those systems, then the user will simply select whichever system the password reset is targeted for. If a user has different user-ids for the different applications, FastPass ties the different user-ids together and can synchronize and reset with multiple passwords. For more information on differences between Single Sign-on and the FastPass solution, please visit our corporate web-site or contact FastPassCorp. FastPassCorp Page 8 of 14

9 Service Desk processes No matter what enrolment rate you have achieved, you should still expect users calling in to the Service Desk for assistance. In particular when users have forgotten their answers to the personal questions their only solution is to call the help desk. The Service Desk analyst needs to do user authentication before he can help the user with a forgotten password or a re-enrolment into FastPass. FastPass helps the Service Desk employee to verify the identity of the user through information being presented from Active Directory and even by presenting the personal answers! (FastPass can be configured with or without this possibility. In a Multi system environment and in synchronization environments, users call more when they meet technical difficulties in this more complex environment. The FastPass Help Desk Client provides specific information to support the Service Desk employee in performing his service to the user. If we give the user the password he is asking for we know for certain that he will call the service desk again next time he forgets the password. The result of this process is the gradual deterioration of the business case. This is why it is so important to bring the user back into FastPass!! As a Service Desk manager, you prefer to have one central overview on servicelevel and workload for the Service Desk. This overview is obtained from the Service Management tool in place. FastPass is easily integrated into any Service Management tool and provides out-of-box integration to several solutions. The net result for the Service Desk Manager is that all Password related calls which might slip past the Self-service Portal, will be handled quickly and efficiently, so that the business case for Password Management remains solid. Strong authentication FastPassCorp Page 9 of 14

10 When a user wants to reset his password via Self-service, the password reset solution will authenticate the user as the first step. The authentication must correspond to the security level of the applications which the user can access. If the user has access to critical business systems, the authentication should be at least as strong as the authentication for the application. FastPass allows the administrator to define different profiles for different groups of staff members, in order to provide both the required security level and also provide user convenience. Authentication of users should not be stricter than necessary; hence the need for dynamic authentication profiles. FastPass will combine three different methods for Self-service authentication: Your location (IP-address) Something you remember (Private challenge questions) Something you have (Mobile phone) The administrator can define different profiles ranging from one method to all three methods for very secure users or critical applications. In FastPass the administrator configures profiles that dynamically determine the authentication of the user. If a user is on a secure net then it may be OK to authenticate with just challenge questions; but if the same user is on the external net, an authentication profile could be configured to demand both challenge questions and an SMS-pin code to securely authenticate the user. For users with very high authentication requirements, you can even configure FastPass to require that a Help Desk PIN is used as part of the process of validating the user. In this way the Service Desk staff member can demand a personal presentation before issuing the PIN-code. With regards to the challenge questions, you can decide what challenge questions, and how many, a user must answer correctly to be authenticated in different situations and/or locations. FastPassCorp Page 10 of 14

11 All users anywhere In today s business environment organizations have many different types of users and devices accessing systems and business applications from different locations. Most users have PCs owned by the domain; but there are external users (like external consultants) who have access to some resources on the ITsystem. FastPass supports all users in the different situations. The situation for a domain user is that a forgotten password means that he can t access the PC in which case he uses the PC-client component of FastPass. For an external user the PC password and the domain password are different, so he can access his PC locally, but he can t get on the company network. The FastPass windows client will enable users to access FastPass remotely, even if he s outside the domain. If a domain-pc does not have the windows client installed, then the user can access FastPass through a browser on another device, from where he can reset the password. With access to FastPass, via a link on the organization s intranet or extranet, the external consultant can get access to FastPass Self-service and reset the password on AD. Then he can immediately log-on to the network again. A user might even reset the password from a mobile device (Smartphone, ipad etc.) using a mobile browser. FastPassCorp Page 11 of 14

12 Overview: FastPass Enterprise Internal net External net Domain user YES YES External user YES YES Infrastructure and flexibility One of the most compelling features of FastPass is that it is in essence an addon to your existing Windows Server environment. As a web-based self-service solution for users already in AD, this is part of your server environment utilizing user data, group memberships and policies already in place. This means, from an implementation point of view, that it s really fast to implement. From an operational point of view this is also very important. You do not add yet another system to operate. With just a few hours of admin training, Windows Server professionals can be up to speed with FastPass. Larger organizations may have complex environments with several domains and even a forest structure which is supported by FastPass Enterprise. But even smaller organizations may have a need for a multi-domain solution. If your company is buying another company, or has internal and external user groups, then you may have a need to support more domains. Also, if you re in the process of upgrading from Windows Server 2003 to 2008 then it can be very useful to let the users have two accounts for a period of time and have FastPass synchronize the passwords. A flexible browser based solution will not only ease deployment of the solution, but also give you the opportunity to let password self-service become a feature on your intranet with the same look and feel and visual elements that your users are familiar with. Multi language is important to many organizations working overseas. This will avoid end user training for the solution, and will also allow the end users to handle challenge questions in their native language, avoiding confusion for the users. Special Managed Service Provider (MSP) requirements MSPs have a fixed agenda for efficiency in operations to give better service and lower costs to their customers. One af the consequences is the demand for multi- FastPassCorp Page 12 of 14

13 tenant solutions, meaning that many customers can share the same resources, and still be handled individually. With FastPass the MSP can have many customers sharing the central FastPass installation meaning reduced installation and implementation efforts and much lower operating costs, than with a solution where each customer has his own FastPass installation. The logical view: The infrastructure view: FastPassCorp Page 13 of 14

14 The illustration above shows how FastPass can reset passwords for user repositories on the MSP s domain as well as on user repositories outside the domain, where FastPass gateway technology is being used. For MSPs with distributed service desks it is of crucial importance that all service desks around the globe can handle users from different customers but even from different FastPass implementations, if the MSP has multiple FastPass implementation e.g. on different continents. The FastPass Help Desk client for MSPs has the ability to serve different FastPass implementations and thereby giving the MSP the ultimate flexibility in sharing service desk resources. This will lead to direct cost savings and improved service levels for all involved FastPassCorp Page 14 of 14