Large Scale Password Management With Hitachi ID Password Manager
© 2015 Hitachi ID Systems, Inc. All rights reserved.
As users access ever more systems and applications, they accumulate passwords and other authentication factors. The complexity of managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written-down passwords, lost or stolen OTP tokens and smart cards, etc. Effective password management addresses these problems by helping users to manage all of their authentication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked-out passwords or PINs and to unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is available from full-screen or mobile phone web browsers, phone calls or PC login screens.

Contents

1 Introduction
2 Business Drivers: IT Support for Passwords and PINs
3 Technical Challenges: Hard-To-Support Passwords
  3.1 Locked Out Users
  3.2 Cached Credentials
  3.3 Replication Delays
  3.4 Forgotten Passwords for Full Disk Encryption
  3.5 Mobile, Disconnected Users
  3.6 Managing PKI Passwords
4 Hitachi ID Password Manager Features
  4.1 Password Synchronization
  4.2 Self-service Password Reset
  4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks
  4.4 Assisted Password Reset
  4.5 Password Policy Enforcement
  4.6 Password Expiration / Aging Enforcement
  4.7 Preventing Password Reuse
5 Solution Architecture
6 Self-Service: Access and Authentication
  6.1 Access For Locked Out Users
  6.2 Authenticating Users Without Passwords
  6.3 Authentication Chains
7 User Enrollment: Maximizing Adoption
8 Telephony Integration
9 Managing PKI Certificate Passwords
Support for Mobile, Disconnected Users
Overcoming Active Directory Replication Delays
Built-in Single Sign-on Technology
Return on Investment
Platform Support
Rapid Deployment
1 Introduction

This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business problems.

Hitachi ID Password Manager is a solution for managing all of a user's authentication factors. This lowers IT support cost and improves security through:

- Password synchronization: helping users to maintain a single, strong password across multiple systems and applications.
- Single sign-on: automatically signing users into applications.
- Password policy enforcement: ensuring that new passwords are hard to guess, are changed frequently and that old passwords are not reused.
- Self-service password and PIN reset: enabling users who have forgotten their password, forgotten the PIN for their hardware token or smart card, or who have triggered an intruder lockout to authenticate themselves and resolve their problem from any location, using any device, without calling the help desk.
- Cryptographic key recovery: allowing users who forgot the password that activates their PC at boot time to resolve their problem without speaking to a support analyst.
- Assisted password and PIN reset: streamlining IT support calls to resolve login problems.
2 Business Drivers: IT Support for Passwords and PINs

Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems:

- Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse.
- Some systems are able to force users to select hard-to-guess passwords, while others are not.
- Some systems require that users change their passwords periodically, while others cannot enforce expiration.
- Users have trouble choosing hard-to-guess passwords.
- Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week and didn't have an opportunity to use it a few times before going home.

These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security.

When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk. Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume.

In addition to the above security and support cost problems, users simply don't like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service.

Despite all these problems, passwords will continue to be needed for years to come:

1. Passwords are significantly less expensive to deploy and support than other technologies.
2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN, i.e., something you have (smart card, token) or something you are (biometric) plus something you know (password, PIN).
3. Passwords are an important backup to other authentication technologies:
   (a) Hardware devices can be lost or stolen or simply left at home.
   (b) Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods.

Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users manage their passwords more effectively.
3 Technical Challenges: Hard-To-Support Passwords

Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straightforward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI.

3.1 Locked Out Users

Users often forget their initial network login password or inadvertently trigger an intruder lockout. These users should be able to get assistance, reset their network or local password, clear intruder lockouts and get back to work. Since these users have a problem with their workstation login, they cannot access a conventional web browser or client/server application with which to resolve their problem. The problem these users face is how to get to a user interface, so that they can fix their login problem and subsequently access their own workstation desktop.

This problem is especially acute for mobile users, who use cached domain passwords to sign into their workstation and who may not be attached to the corporate network when they experience a forgotten password problem.

3.2 Cached Credentials

Windows workstations cache user passwords, typically the primary password a user types at the login screen, which was authenticated against Active Directory. This is done for two reasons:

1. To enable users to log into their workstation while detached from the network (example: a traveling laptop).
2. To automatically sign the user into resources, such as shared file and print services, without having to ask the user to retype his password.

When a user changes his password using the network client software on the workstation (e.g., the Ctrl-Alt-Del method), the network client automatically updates its cached password. On the other hand, if a user is logged into his workstation and simultaneously his password is reset elsewhere on the network, for example by the help desk or by the user himself on a second, concurrently logged-in workstation, then the cached password on the workstation will not change; it will simply be wrong. Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g., remote), the new password will not be copied to the workstation until it is re-attached to the network.

An invalid cached password causes several problems:

1. If the user's PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network.
2. If the user's PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user's invalid login attempts counter. Repeated connection attempts will trigger an intruder lockout.

3.3 Replication Delays

Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user's lockout on a domain controller near the help desk. The cleared lockout may take a long time (hours) to reach the domain controllers against which the user wishes to authenticate or which service network resources that the user wishes to access. This problem is especially acute in global organizations with hundreds of domain controllers that employ a global IT support function.

Note that AD password change replication is described here:

3.4 Forgotten Passwords for Full Disk Encryption

Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk before they can boot an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, he will be unable to start the operating system or use the computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.
3.5 Mobile, Disconnected Users

Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:

1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, where the PC can re-authenticate to the AD domain and cache the user's newly reset password.
2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate login ID, which is defined on the user's PC (not a domain account), whose security will henceforth be compromised.
3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.

While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

3.6 Managing PKI Passwords

Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted email and (with smart cards) perform multi-factor authentication, even while disconnected from the corporate network. Certificate files are typically encrypted and decrypted using a user's personal password or smart card PIN. In other words, users have a PKI password, which is not necessarily stored on any server. Rather, this password is used to unlock the user's personal certificate file. This is true of both standards-based PKI, using X.509 certificates, and proprietary PKI, using Lotus Notes ID files.

PKI passwords, including Lotus Notes ID file passwords, are difficult for IT organizations to support because they cannot be administratively reset:

1. The PKI certificate may exist in multiple locations: one or more PCs, network home directories, USB flash drives, smart cards, etc.
2. Some of these locations may be inaccessible to a password management server on the network.
3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted with the new password. In other words, there is no notion of an administrative password reset that does not rely on knowledge of the current password.
4 Password Manager Features

Hitachi ID Password Manager is designed to reduce the cost and improve the security of password systems.

4.1 Password Synchronization

Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems. Password synchronization is an effective mechanism for addressing password management problems on an enterprise network:

- Users with synchronized passwords tend to remember their passwords.
- Simpler password management means that users make significantly fewer password-related calls to the help desk.
- Users with just one or two passwords are much less likely to write down their passwords.

There are two ways to implement password synchronization:

- Transparent password synchronization, where native password changes that already take place on a common system (example: Active Directory) are automatically propagated through the password management system to other systems and applications.
- Web-based password synchronization, where users are asked to change all of their passwords at once, using a web application, instead of continuing to use native tools to change passwords.

One of the core features of Hitachi ID Password Manager is password synchronization. Password Manager implements both transparent and web-based password synchronization.

4.2 Self-service Password Reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.

Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user's web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.

Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.

One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.

4.3 Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks

Hitachi ID Password Manager includes key features to assist mobile users:

1. Email notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
2. Support for resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.

4.4 Assisted Password Reset

Hitachi ID Password Manager includes an assisted password reset web portal, which allows IT support staff to help callers without having direct administrative access to target systems:

- Support staff sign into Password Manager with a web browser. Support staff can be authenticated using IDs and passwords internal to Password Manager or use pass-through authentication to an existing system. For example, support staff may sign into Password Manager using their Active Directory ID and password, with Password Manager validating the membership of each support technician in a designated AD security group and granting appropriate Password Manager privileges based on that group membership.
- From the Password Manager web interface, support staff can search for the caller's profile by login ID or full name.
- Support staff can be required to authenticate the caller, for example by keying answers to some of the user's personal questions, which Password Manager can validate against its own back-end database or an external database, directory or web service. Note that the same, different or overlapping security questions can be used for assisted and self-service authentication processes.
- Once both the support technician and caller have been authenticated, support staff can reset the caller's password, lock or unlock the caller's access to Password Manager or update the caller's profile. Assisted password resets may be configured to also expire the new password, requiring the user to change it on the next login.
- All transactions (IT support login, user profile lookup, successful or failed password reset and more) may trigger emails to the user, to the support technician or to a third party, such as a security officer. The same events can also trigger automatic creation, update or closure of tickets in an incident management system.
- Since only a single, simple web interface is used, an assisted password reset is normally completed in 1 to 2 minutes.
- The right of one user to reset another user's password may be global (e.g., a global IT support team) or based on the requester/recipient relationship (e.g., departmental or regional IT support can only assist in-scope users). Moreover, which passwords a given user can reset can be controlled by policy.
- At no point in the process does an IT support technician require administrative access to the systems where passwords are being reset. Instead, Password Manager uses its own credentials to sign into target systems, and these are encrypted in an internal Password Manager database.

Assisted password reset reduces the cost of password support calls and ensures that such calls are handled in a consistent, secure fashion.

4.5 Password Policy Enforcement

Hitachi ID Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the clearest and most understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that does not meet this global password policy.

For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternately, Password Manager can support longer passwords but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation.)

In general, systems enforce one of two types of password rules:

- Complexity requirements ensure that users do not select easily-guessed passwords. Example rules are: disallowing any permutation of the user's login ID, password history, requiring mixed letters and digits, forbidding dictionary words, etc.
- Representational constraints limit what can be physically stored in a password field on a given system. Usually there are just two such rules: maximum length and allowable character set.

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints. This forces users to select strong, secure passwords on every system.

The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.

4.6 Password Expiration / Aging Enforcement

To enforce password expiration and to get users to trigger web-based password synchronization, Hitachi ID Password Manager is configured to detect upcoming password expiration, either on individual systems (e.g., Windows, AD, LDAP, etc.) or based on the last time a user changed his passwords using Password Manager, and to remind users to change their passwords using the Password Manager web UI.

Password expiration is normally configured so that users change their passwords with the Password Manager web portal on a shorter expiry interval than the native password expiry on any system. This way, Password Manager prompts users to change passwords before any other system does, and users are never prompted to change expired passwords by other systems or applications.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by email. Alternately, a small client program can be triggered at user login time, which checks whether the user currently logging in is on the list of soon-to-expire users and, if so, opens the user's default web browser to a URL that asks the user to change his passwords. The same small program can be used to make the password change mandatory, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser and access their desktop.
4.7 Preventing Password Reuse

In Hitachi ID Password Manager, password history is infinite by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than on the number of intervening password changes. Password history is stored as a one-way, non-reversible hash (SHA-1 plus a 64-bit random salt).
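The policy-combination logic of section 4.5 and the time-based history check of section 4.7, as one added example that is not part of the paper or of Hitachi ID's product code: the two systems and their rules, the login IDs and the passwords are constructed, and the history hash follows the SHA-1-plus-64-bit-salt form the paper describes.

```python
"""Added example (not Hitachi ID code): build one global password policy from several
systems' rules (section 4.5) and gate a password change on that policy plus a salted
SHA-1 history with time-based reuse (section 4.7). System names, rules, user IDs and
passwords below are constructed."""
import hashlib
import hmac
import os
import re
import string
import time
from dataclasses import dataclass

@dataclass
class SystemRules:
    """Rules split the way the paper does: representational constraints (what the
    password field can store) and complexity requirements."""
    name: str
    max_length: int                      # representational: longest storable value
    charset: str                         # representational: allowed characters
    min_length: int = 1                  # complexity
    require_mixed_classes: bool = False  # complexity: letters and digits
    forbid_login_id: bool = False        # complexity: no permutation of the login ID

# Constructed rules: AD takes long passwords, the older mainframe only 8 characters.
SYSTEMS = [
    SystemRules("ad", max_length=127, charset=string.printable.strip(),
                min_length=8, require_mixed_classes=True, forbid_login_id=True),
    SystemRules("zos", max_length=8,
                charset=string.ascii_letters + string.digits + "@#$", min_length=6),
]

def combine_policy(systems):
    """Strongest complexity rules plus the most restrictive representational
    constraints, so a single password is acceptable to every integrated system."""
    common = set.intersection(*(set(s.charset) for s in systems))
    return SystemRules(
        name="global",
        max_length=min(s.max_length for s in systems),
        charset="".join(sorted(common)),
        min_length=max(s.min_length for s in systems),
        require_mixed_classes=any(s.require_mixed_classes for s in systems),
        forbid_login_id=any(s.forbid_login_id for s in systems),
    )

def policy_violations(policy, login_id, candidate):
    """Reasons the candidate fails the global policy; an empty list means it passes."""
    reasons = []
    if len(candidate) > policy.max_length:
        reasons.append(f"longer than {policy.max_length} characters")
    if len(candidate) < policy.min_length:
        reasons.append(f"shorter than {policy.min_length} characters")
    if any(ch not in policy.charset for ch in candidate):
        reasons.append("uses a character some system cannot store")
    if policy.require_mixed_classes and not (
            re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        reasons.append("needs both letters and digits")
    lid, cand = login_id.lower(), candidate.lower()
    if policy.forbid_login_id and (lid in cand or sorted(lid) == sorted(cand)):
        reasons.append("is a permutation of the login ID")
    return reasons

def hash_password(password, salt):
    """One-way history hash in the form the paper describes: SHA-1 over a 64-bit salt."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

class PasswordHistory:
    """Infinite history by default. Reuse is never allowed unless reuse_after_seconds
    is set, in which case an old password may return only after that interval."""
    def __init__(self, reuse_after_seconds=None):
        self.reuse_after_seconds = reuse_after_seconds
        self.entries = []   # (salt, digest, set_at) tuples; a fresh salt per entry

    def record(self, password, now):
        salt = os.urandom(8)
        self.entries.append((salt, hash_password(password, salt), now))

    def is_reuse(self, candidate, now):
        for salt, digest, set_at in self.entries:
            if not hmac.compare_digest(hash_password(candidate, salt), digest):
                continue
            if self.reuse_after_seconds is None or now - set_at < self.reuse_after_seconds:
                return True   # matches an entry that is still inside the reuse window
        return False

def accept_new_password(policy, history, login_id, candidate, now=None):
    """The check a reset or synchronization runs before propagating a password.
    Returns rejection reasons; on an empty list the new password is recorded."""
    now = time.time() if now is None else now
    reasons = policy_violations(policy, login_id, candidate)
    if history.is_reuse(candidate, now):
        reasons.append("was used before and the reuse interval has not elapsed")
    if not reasons:
        history.record(candidate, now)
    return reasons
```

With the two constructed systems the combined policy comes out as exactly 8 characters from letters, digits and @#$, which is the "preset length rule" the text prefers over truncation.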
5 Solution Architecture

Hitachi ID Password Manager is designed for:

- Security: Password Manager is installed on hardened servers. All sensitive data is encrypted in storage and in transit. Strong authentication and access controls protect business processes.
- Scalability: Multiple Password Manager servers can be installed, using a built-in data replication facility. Workload can be distributed using any load-balancing technology (IP, DNS, etc.). The end result is a multi-master, distributed architecture that is very easy to set up, as replication is handled at the application layer.
- Performance: Password Manager uses a normalized, relational and indexed database back end. All access to the database is via stored procedures, which help to minimize communication overhead between the application and database. All Password Manager code is native code, which provides a 2x to 10x performance advantage as compared to Java or .NET.
- Openness: Open standards are used for inbound integration (SOAP) and outbound communications (SOAP, SMTP, HTTP, etc.).
- Flexibility: Both the Password Manager user interface and all functionality can be customized to meet enterprise requirements.
- Low TCO: Password Manager is easy to set up and requires minimal ongoing administration.

Figure 1 illustrates the Password Manager network architecture:

- Users normally access Password Manager using HTTPS from a web browser.
- Multiple Password Manager servers may be load balanced using either an IP-level device (e.g., Cisco Local Director, F5 Big/IP) or simply using DNS round-robin distribution.
- Users may call an IVR (interactive voice response) system with a telephone and be authenticated either using touch-tone input of personal information or using a voice print. Authenticated users may initiate a password reset.
- Password Manager connects to most target systems using their native APIs (application programming interfaces) and protocols and thus requires no software to be installed locally on those systems.
- Local agents are provided and recommended for Unix servers and z/OS mainframes. Use of these agents improves transaction security, speed and concurrency.
Figure 1: Network architecture diagram. Labels in the figure: IVR server; VPN server; reverse web proxy system; load balancers; firewalls; Hitachi ID servers in data center A and data center B, each with a SQL DB, with replication between them; proxy server (if needed) in a remote data center; HR system of record (validate pw); incident management system (tickets); notifications and invitations; password synch trigger systems (native password change: AD, Unix, OS/390, LDAP, AS400); target systems with local agent (OS/390, Unix, older RSA); target systems with remote agent (AD, SQL, SAP, Notes, etc.); cloud-hosted SaaS apps via web services. Links are labelled HTTPS, TCP/IP + AES, Secure Native Protocol and Various Protocols.
A local agent is mandatory on older RSA SecurID servers (version 7.x and later exposes a remote API). Where target systems are remote and communication with them is slow, insecure or both, a Password Manager proxy server may be co-located with the target system in the remote location. In this case, servers in the main Password Manager server cluster initiate fast, secure connections to the remote proxies, which decode these transactions and forward them to target systems locally, using native, slow and/or insecure protocols.

Password Manager can look up and update user profile data in an existing system, including HR databases (ODBC), directories (LDAP) and meta-directories (e.g., WMI to Microsoft ILM).

Password Manager can send emails to users asking them to register or to notify them of events impacting their profiles. Over 312 events can trigger email notification.

Password Manager can create tickets on most common incident management systems, either recording completed activity or requesting assistance (security events, user service follow-up, etc.). Over 312 events can trigger ticket generation. Binary integrations are available for 20 help desk applications, and open integration is possible using mail, ODBC, SQL and web services.
6 Self-Service: Access and Authentication

6.1 Access For Locked Out Users

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, but they need a web browser to fix their password and make it possible to log in.

Hitachi ID Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below.

Option 1: Do nothing: users continue to call the help desk.
  Pros: Inexpensive, nothing to deploy.
  Cons: The help desk continues to field a high password reset call volume. No solution for local passwords or mobile users.

Option 2: Ask a neighbor: use someone else's web browser to access self-service password reset.
  Pros: Inexpensive, no client software to deploy.
  Cons: Users may be working alone or at odd hours. No solution for local passwords or mobile users. Wastes time for two users, rather than one. May violate a security policy in some organizations.

Option 3: Secure kiosk account (SKA): sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.
  Pros: Simple, inexpensive deployment, with no client software component. Users can reset both local and network passwords.
  Cons: Introduces a generic account on the network, which may violate policy, no matter how well it is locked down. One user can trigger an intruder lockout on the help account, denying service to other users who require a password reset. Does not help mobile users.
Option 4: Personalized SKA: same as the domain-wide SKA above, but the universal help account is replaced with one personal account per user. For example, each user's help account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
  Pros: Eliminates the guest account on the domain, which does not have a password.
  Cons: Requires creation of thousands of additional domain accounts. Requires ongoing creation and deletion of domain accounts. These new accounts are special: their passwords do not expire and would likely not meet strength rules.

Option 5: Local SKA: same as the domain-wide SKA above, but the help account is created on each computer, rather than on the domain.
  Pros: Eliminates the guest account on the domain. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
  Cons: Requires a small footprint on each computer (the local help account).

Option 6: Telephone password reset: users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics, and select a new password.
  Pros: Simple deployment of centralized infrastructure. No client software impact. May leverage an existing IVR system. Helpful for remote users who need assistance connecting to the corporate VPN.
  Cons: New physical infrastructure is usually required. Users generally don't like to talk to a machine, so adoption rates are lower than with a web portal. Does not help mobile users who forgot their cached domain password. Does not help unlock PINs on smart cards.

Option 8: Physical kiosks: deploy physical intranet kiosks at each office location.
  Pros: Eliminates generic or guest accounts. May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
  Cons: Costly to deploy hardware at many locations. Does not help mobile users who forgot their cached domain password. Users may prefer to call the help desk, rather than walking over to a physical kiosk.
Option 9: GINA DLL (Windows XP): install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Manager.
  Cons: Requires intrusive software to be installed on every computer. Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick" the PC).

Option 10: GINA Extension Service: similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). More robust, fault-tolerant installation process than the GINA DLL.
  Cons: Requires software to be installed on every computer. Does not work on Citrix Presentation Server or Windows Terminal Server; only works on personal computers.

Option 11: Credential Provider: the equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
  Pros: User friendly, intuitive access to self-service. Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection). Works on Windows Terminal Server and Citrix Presentation Manager. More robust infrastructure than GINA DLLs on Windows XP.
  Cons: Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

6.2 Authenticating Users Without Passwords

Users may authenticate into Hitachi ID Password Manager as follows:
On the web portal:
- By typing their current password to a trusted system (e.g., Windows/AD, LDAP, RAC/F, etc.).
- By answering security questions.
- Using a security token (e.g., SecurID pass-code).
- Using a smart card with PKI certificate.
- Using Windows-integrated authentication.
- Using a SAML or OAuth assertion issued by another server.
- By typing a PIN that was sent to their mobile phone via SMS.

Using a telephone, calling an automated IVR system:
- By keying in numeric answers to a series of security questions (e.g., employee number, date of hire, driver's license number).
- By speaking one or more phrases, where the Password Manager server compares the new speech sample to one on record (biometric voice print verification).

Using a telephone, calling an IT support technician:
- By answering a series of security questions, where the technician must type the answers into a web portal to authenticate the caller.

6.3 Authentication Chains

Hitachi ID Password Manager includes a mechanism for authenticating users called authentication chains. This mechanism works by defining sequences of steps that can be used to authenticate a user and defining how the authentication process proceeds from one step to the next.

Authentication chains allow Password Manager to:

1. Offer a user multiple authentication mechanisms. For example, type a password, answer security questions, use a token, etc.
2. Combine authentication mechanisms. For example, a user may be asked to type a password and answer a subset of the security questions in his profile.
3. Select an authentication mechanism based on context. For example, require a user with elevated privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user connected to the corporate network.

Authentication chains allow Password Manager to implement flexible login processes. For example, mobile phones can be used as an authentication factor:

1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile phone number.
2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within a short time window. This establishes that the user is in possession of his phone.
3. A second authentication step is to ask the user to answer a few security questions, which supports the user's claimed identity through something he knows.
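The following Python is an added illustration of the chain mechanics described in this subsection; it is not Hitachi ID Password Manager code. It models a chain as groups of alternative steps that are combined in sequence, selects a stronger chain for privileged or VPN-connected users, and implements the SMS PIN step as a single-use code that is only accepted inside a short window. The class and function names, the 120-second window and the demonstration hashing are assumptions made for the example.

```python
"""Authentication chain demo: added example, not Hitachi ID Password Manager code."""
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Tuple

PIN_TTL_SECONDS = 120  # assumption: the "short time window" for the SMS PIN


def _digest(secret: str) -> str:
    # Demo only: production code would use a slow, salted password hash.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


class UserProfile:
    """What enrollment leaves behind: password hash, security answers, mobile number."""

    def __init__(self, password: str, answers: Dict[str, str], mobile: str, privileged: bool = False):
        self.password_hash = _digest(password)
        # enrolled security question -> digest of the normalized answer
        self.answers = {q: _digest(a.strip().lower()) for q, a in answers.items()}
        self.mobile = mobile
        self.privileged = privileged
        self.pending_pin: Optional[Tuple[str, float]] = None  # (pin, issued_at)


Step = Callable[[UserProfile, dict, float], bool]


def step_password(profile: UserProfile, submitted: dict, now: float) -> bool:
    return hmac.compare_digest(_digest(submitted.get("password", "")), profile.password_hash)


def step_questions(profile: UserProfile, submitted: dict, now: float, required: int = 2) -> bool:
    """Knowledge factor: a subset of the enrolled questions; every answer given must match."""
    given = submitted.get("answers", {})
    if len(given) < required:
        return False
    for question, answer in given.items():
        expected = profile.answers.get(question)
        if expected is None or not hmac.compare_digest(_digest(answer.strip().lower()), expected):
            return False
    return True


def issue_sms_pin(profile: UserProfile, now: float, send: Callable[[str, str], None]) -> str:
    """Possession factor, part 1: random PIN, remember when it was issued, send it to the phone."""
    pin = f"{secrets.randbelow(10 ** 6):06d}"
    profile.pending_pin = (pin, now)
    send(profile.mobile, pin)
    return pin


def step_sms_pin(profile: UserProfile, submitted: dict, now: float) -> bool:
    """Possession factor, part 2: PIN must match, be unexpired, and is consumed on first use."""
    if profile.pending_pin is None:
        return False
    pin, issued_at = profile.pending_pin
    profile.pending_pin = None  # single use, whether or not the attempt succeeds
    if now - issued_at > PIN_TTL_SECONDS:
        return False
    return hmac.compare_digest(pin, str(submitted.get("pin", "")))


def select_chain(profile: UserProfile, context: dict) -> List[List[Step]]:
    """A chain is a list of groups; any one step in a group satisfies it; all groups must pass."""
    if profile.privileged or context.get("via_vpn"):
        # More robust process: something the user has (phone), then something the user knows.
        return [[step_sms_pin], [step_questions]]
    # Unprivileged user on the corporate network: password, or security questions as an alternative.
    return [[step_password, step_questions]]


def authenticate(profile: UserProfile, context: dict, submitted: dict, now: float) -> bool:
    for group in select_chain(profile, context):
        if not any(step(profile, submitted, now) for step in group):
            return False
    return True
```

The time value is passed in explicitly so the expiry check can be exercised deterministically; a real service would read a monotonic clock. Note that the PIN is discarded on the first verification attempt regardless of outcome, which is what stops a guessed PIN from being retried within the window.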
7 User Enrollment: Maximizing Adoption

In many organizations, deployment of a password management system requires a user enrollment process. Users may have to provide personal data such as answers to authentication questions (which can subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples, likewise used for non-password authentication in the event of a future password problem. Finally, users may simply be asked to review and agree to some corporate policy, for example regarding password sharing or writing down their password.

If enrollment is required, it is helpful for the password management system to automate the process by identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated enrollment user interface, etc.

Hitachi ID Password Manager includes built-in infrastructure to securely and automatically manage the user enrollment process:

- By monitoring one or more systems of record, Password Manager automatically creates new and removes old profile IDs.
- New users and existing users with incomplete profiles are automatically invited to complete their profiles (e.g., by answering security questions).
- Invitations to enroll may be e-mailed to users.
- Users may be more forcefully reminded to enroll by having a web browser automatically open to the enrollment page when they log into the network.
- Users may be forced to enroll, by opening a kiosk-mode web browser to the enrollment page when they sign into the network, and blocking access to the Windows desktop until users complete their profile. This process is typically controlled by placing users into a mandatory enrollment AD group and attaching a suitable GPO to that group.
- To enroll, users must first authenticate. This is normally done by leveraging an existing strong authenticator such as a network password or a token.
- A single, integrated enrollment system supports collecting answers to security questions, mapping different login IDs on different systems back to their owners, and collecting biometric voice print samples.
- The enrollment system in Password Manager includes schedule controls. For example, the maximum number of invitations to send daily can be limited, as can the frequency of invitations per user. Days of the week during which to send invitations are identified, as are holidays during which no invitations should be sent.
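As an added example of the schedule controls just listed (not the product's own code), the following Python applies a daily cap, a minimum interval between reminders to the same user, allowed days of the week and a holiday list to a constructed set of profiles, and prioritizes users who have never been invited. The policy values, user records and function names are assumptions for the illustration.

```python
"""Enrollment invitation scheduler: added example, not Hitachi ID Password Manager code."""
from datetime import date
from typing import Dict, List, Optional, Set


class InvitationPolicy:
    def __init__(self, max_per_day: int, min_days_between: int,
                 allowed_weekdays: Set[int], holidays: Set[date]):
        self.max_per_day = max_per_day            # cap on invitations sent per calendar day
        self.min_days_between = min_days_between  # do not re-invite the same user sooner than this
        self.allowed_weekdays = allowed_weekdays  # Monday=0 ... Sunday=6
        self.holidays = holidays                  # no invitations on these dates


# Constructed sample profiles, as a system-of-record feed might supply them.
SAMPLE_USERS: List[Dict] = [
    {"id": "alice", "profile_complete": True,  "last_invited": None},
    {"id": "bob",   "profile_complete": False, "last_invited": None},
    {"id": "carol", "profile_complete": False, "last_invited": date(2015, 6, 8)},
    {"id": "dave",  "profile_complete": False, "last_invited": date(2015, 5, 20)},
    {"id": "erin",  "profile_complete": False, "last_invited": None},
]

# Assumed policy: at most 2 invitations a day, weekdays only, one reminder per user per week.
SAMPLE_POLICY = InvitationPolicy(
    max_per_day=2,
    min_days_between=7,
    allowed_weekdays={0, 1, 2, 3, 4},
    holidays={date(2015, 7, 1)},
)


def is_sending_day(today: date, policy: InvitationPolicy) -> bool:
    return today.weekday() in policy.allowed_weekdays and today not in policy.holidays


def is_due(user: Dict, today: date, policy: InvitationPolicy) -> bool:
    """A user is due when the profile is incomplete and the last reminder is old enough."""
    if user["profile_complete"]:
        return False
    last: Optional[date] = user["last_invited"]
    return last is None or (today - last).days >= policy.min_days_between


def select_invitees(users: List[Dict], today: date, policy: InvitationPolicy) -> List[str]:
    """User IDs to invite today, honouring the calendar and the daily cap.

    Users who have never been invited go first; among the rest, the longest-waiting first.
    """
    if not is_sending_day(today, policy):
        return []
    due = [u for u in users if is_due(u, today, policy)]
    due.sort(key=lambda u: (u["last_invited"] is not None, u["last_invited"] or date.min))
    return [u["id"] for u in due[:policy.max_per_day]]


def record_invitations(users: List[Dict], invited: List[str], today: date) -> None:
    """Update last_invited so the per-user frequency limit applies on later runs."""
    for u in users:
        if u["id"] in invited:
            u["last_invited"] = today


def invitees_on(today_iso: str, users: List[Dict] = SAMPLE_USERS,
                policy: InvitationPolicy = SAMPLE_POLICY) -> List[str]:
    """Convenience entry point: run the selection for an ISO date such as "2015-06-10"."""
    return select_invitees(users, date.fromisoformat(today_iso), policy)
```

Running the selection once per day and recording who was invited is what keeps the per-user frequency limit meaningful across runs; without the record, every sending day would re-invite the same users at the head of the queue.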
8 Telephony Integration

A popular option for extending password reset services to locked out users is to offer this service over a telephone, using an integrated voice response (IVR) system. Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or voice print verification is supported.

Existing IVR systems can be extended using a Hitachi ID Password Manager remote API or Hitachi ID Telephone Password Manager, a turn-key IVR system specifically designed for password resets.

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone with:

- User identification: Users who call Telephone Password Manager typically identify themselves by typing a personal identifier on a touch-tone telephone keypad. The identifier may be a pre-existing numerical ID, such as an employee number, or a letters-to-digits mapping of an alphanumeric ID, such as the user's network login ID.
- User authentication: Once identified, users must be authenticated. Telephone Password Manager supports authentication with a hardware token (e.g., RSA SecurID), by asking the user to key in answers to numeric security questions using the touch-tone keypad on their phone (e.g., driver's license number, SSN, date of birth, etc.), or using an optional biometric voice verification module.
- Password reset: Once authenticated, users can initiate a password reset. This may be for one or all of their passwords, and the new password may either be randomly generated and read out to the user or user-specified. New passwords may be set to expire after first use.
- PIN reset: Authenticated users can also use Telephone Password Manager to reset the PINs on their RSA SecurID tokens. A randomly-generated or a user-specified PIN may be used.
- Disk unlock: Users with a full disk encryption program protecting their computer can use Telephone Password Manager to automate the key recovery process in the event that they forgot the password that unlocks their computer.
- Text to speech: Telephone Password Manager is normally configured to play .wav audio files when prompting for user input. It also includes a text-to-speech mechanism that makes it easier to develop new navigation menus and defer new voice recordings.
- Speech to text: While text input into Telephone Password Manager is usually made with a touch-tone keypad, Telephone Password Manager can be configured to recognize small dictionaries of spoken words, so that users can make alphanumeric input by speaking the names of letters and digits.
- PBX integration: Telephone Password Manager can be directly integrated into an existing PBX system, by installing the appropriate (to that PBX system) Dialogic telephony board on each Telephone Password Manager server.
- VoIP integration: Telephone Password Manager can also be connected to a voice-over-IP network and configured to accept VoIP calls.

Benefits:

- Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.
- Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.
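The letters-to-digits identification step above deserves a concrete look, because the mapping is lossy. The following Python is an added example, not Telephone Password Manager code: it converts a login ID to the digits a caller would key on a standard telephone keypad (ABC=2 through WXYZ=9), builds a lookup index and reports which IDs collide, which is why keyed identification only narrows the candidate set and must always be followed by the authentication step. The sample login IDs and the treatment of separators are assumptions.

```python
"""Touch-tone user identification: added example, not Telephone Password Manager code."""
from typing import Dict, List

KEYPAD: Dict[str, str] = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT: Dict[str, str] = {c: d for d, letters in KEYPAD.items() for c in letters}

# Constructed directory of network login IDs (not real accounts).
SAMPLE_LOGIN_IDS: List[str] = ["jsmith", "ksmith", "asmith", "mjones2", "j.smith"]


def to_keypad_digits(login_id: str) -> str:
    """Letters-to-digits mapping of a login ID; digits pass through, separators are skipped.

    Assumption: '.', '_' and '-' have no key and are dropped; any other character is rejected.
    """
    digits = []
    for ch in login_id.lower():
        if ch.isdigit():
            digits.append(ch)
        elif ch in LETTER_TO_DIGIT:
            digits.append(LETTER_TO_DIGIT[ch])
        elif ch in "._-":
            continue
        else:
            raise ValueError(f"character {ch!r} cannot be keyed on a telephone keypad")
    return "".join(digits)


def build_index(login_ids: List[str]) -> Dict[str, List[str]]:
    """Precompute keyed digits -> login IDs; a list longer than one is a collision."""
    index: Dict[str, List[str]] = {}
    for login_id in login_ids:
        index.setdefault(to_keypad_digits(login_id), []).append(login_id)
    return index


def identify(index: Dict[str, List[str]], keyed: str) -> List[str]:
    """Candidate login IDs for the digits a caller keyed: [] unknown, one exact, more ambiguous."""
    return list(index.get(keyed, []))


def collisions(index: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Digit strings shared by several IDs: these callers need a second identifier before authentication."""
    return {k: v for k, v in index.items() if len(v) > 1}
```

In the constructed directory, jsmith, ksmith and j.smith all key as 576484. An IVR that reaches an ambiguous result should prompt for a second identifier (an employee number, say) rather than guess, and in every case the caller is still authenticated afterwards, so a wrong or ambiguous identification never by itself grants a reset.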
9 Managing PKI Certificate Passwords

PKI standards generally relate to certificate format and use, not to the administration of certificates: issuance, delivery to users, installation on PCs and smart cards, and revocation. Unfortunately, a major cost of PKI is exactly these processes of managing certificates.

Hitachi ID Password Manager includes a significant and mature infrastructure for managing (provisioning, managing passwords and other attributes, delivering to users and revoking) PKI certificates. Of necessity, this infrastructure combines a general facility, related to business process and certificate storage, with a set of platform-specific bindings for individual PKI/certificate authority products.

Currently, Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely deployed (though not necessarily standards-based) PKI infrastructure today. Lotus Notes actually uses two separate passwords for each user:

- HTTPPassword hashes, stored on a Notes / Domino server. These are a straightforward password hash in a field in an .nsf file on the server. Password Manager can be configured to verify, change and reset these passwords directly.
- Passwords used to encrypt ID files, typically stored on user workstations. These cannot be administratively reset.

1. Password Manager includes technology to help organizations both build out and maintain a repository of every user's ID file, along with a recoverably encrypted password for that ID file.
2. Password Manager simulates password resets on ID files by retrieving an ID file from the repository, opening it with a password from the repository, changing the password to a new value and delivering the new ID file to the user.
3. Both collection of ID files from users, to maintain the repository, and delivery of updated ID files back to users support multiple mechanisms, including file synchronization with a shared staging directory (no client software required) and a Notes Extension DLL installed on user workstations (immediate and silent delivery and collection).

Password Manager is the only product to automate not only ID file password resets, but also construction and maintenance of the ID file repository.

Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for integrations is therefore limited.
10 Support for Mobile, Disconnected Users

Hitachi ID Password Manager offers a unique set of technologies, collectively referred to as Self-Service, Anywhere. Using these technologies, users can resolve problems with their passwords, smart cards, tokens or full disk encryption software both at the office and while mobile, from any endpoint device.

Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-critical scenarios:

Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.
Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change passwords using a web browser. An ActiveX control refreshes the password on their laptop.
Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support cost.

Reset forgotten, cached password while away from the office

Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need to use it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users' problem until they return to the office. User laptops are rendered inoperable until they return to the office.
Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an air-card. Users locked out of their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the user's laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through a self-service password reset process and Password Manager uses an ActiveX component to reset the locally cached password to the same new value as was set on the network back at the office.
Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.

Unlock encrypted hard disk

Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.
Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.
Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.

Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen their authentication processes. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process since the new PIN has to be physically installed on the user's smart card. This means that IT support may trigger a physical visit to the help desk.
Solution: Password Manager allows users to access a self-service web portal from anywhere, including from the locked out login screen of their laptop, even away from the office (even using WiFi, as described earlier). Once a user signs into the self-service portal, Password Manager can download an ActiveX component to the user's web browser, to communicate with the smart card and reset the forgotten PIN. Password Manager can also be used to assign a user a temporary login password (often a very long and random one) to be used in the event that a user left his smart card at home.
Business impact: While forgotten PINs are infrequent (PINs are not usually set to expire), when they do happen they are extremely disruptive. Assigning temporary passwords is just as important for users who left their smart card at home, which happens quite often.
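The first scenario in the table, warning users before their password expires, rests on a calculation the page does not spell out. As an added example (not Hitachi ID code), the following Python derives the days remaining from the attributes Active Directory exposes for the purpose: pwdLastSet on the user (a FILETIME, 100-nanosecond units since 1601-01-01 UTC), maxPwdAge on the domain (a negative count of the same units), and the DONT_EXPIRE_PASSWORD bit of userAccountControl. It then selects the users who fall inside a warning window. The sample entries, the 42-day policy and the fixed clock are constructed for the example.

```python
"""Password expiry warning: added example, not Hitachi ID Password Manager code."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns units from here
DONT_EXPIRE_PASSWORD = 0x10000                               # userAccountControl flag
NEVER_EXPIRES = -0x8000000000000000                          # maxPwdAge value meaning "no maximum age"


def filetime_to_datetime(filetime: int) -> datetime:
    # Integer arithmetic keeps the precision; ten FILETIME units make one microsecond.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def days_until_expiry(entry: Dict, max_pwd_age: int, now: datetime) -> Optional[int]:
    """Whole days until the password expires; negative if already expired; None if it never expires."""
    if entry["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if entry["pwdLastSet"] == 0:
        return 0  # "user must change password at next logon": treat as expiring today
    lifetime = timedelta(microseconds=-max_pwd_age // 10)  # maxPwdAge is negative
    expires = filetime_to_datetime(entry["pwdLastSet"]) + lifetime
    return (expires - now).days


def users_to_warn(entries: List[Dict], max_pwd_age: int, now: datetime,
                  warn_within_days: int = 7) -> Dict[str, int]:
    """sAMAccountName -> days left, for everyone whose password expires within the window."""
    result: Dict[str, int] = {}
    for entry in entries:
        days = days_until_expiry(entry, max_pwd_age, now)
        if days is not None and days <= warn_within_days:
            result[entry["sAMAccountName"]] = days
    return result


# Constructed sample data: a 42-day domain policy and five users, relative to a fixed "now".
NOW = datetime(2015, 6, 10, 12, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000


def _set_days_ago(days: int) -> int:
    return datetime_to_filetime(NOW - timedelta(days=days))


SAMPLE_ENTRIES: List[Dict] = [
    {"sAMAccountName": "alice", "pwdLastSet": _set_days_ago(40), "userAccountControl": 0x200},
    {"sAMAccountName": "bob",   "pwdLastSet": _set_days_ago(10), "userAccountControl": 0x200},
    {"sAMAccountName": "carol", "pwdLastSet": _set_days_ago(400), "userAccountControl": 0x200 | DONT_EXPIRE_PASSWORD},
    {"sAMAccountName": "dave",  "pwdLastSet": 0, "userAccountControl": 0x200},
    {"sAMAccountName": "erin",  "pwdLastSet": _set_days_ago(45), "userAccountControl": 0x200},
]


def sample_warnings() -> Dict[str, int]:
    return users_to_warn(SAMPLE_ENTRIES, MAX_PWD_AGE, NOW)
```

Two caveats for real deployments: a fine-grained password policy applied to the user overrides the domain's maxPwdAge, so the effective maximum age must be resolved per user before this arithmetic is applied, and users whose password has already lapsed (negative days here) need a reset path rather than a warning, which is where the cached-password scenario above takes over.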
11 Overcoming Active Directory Replication Delays

Please refer to Subsection 3.3 on Page 4 for an overview of the intruder lockout replication problem in Active Directory.

Hitachi ID Password Manager uniquely circumvents the problem of slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, which the user is most likely to access:

- DCs on the user's home site, based on the user's home directory UNC and the IP address of the server that hosts this UNC.
- DCs on the user's current site, based on the user's web browser IP address (this only applies to self-service password reset).
- DCs mapped to either of these sites by an administrator-configured rule set, for example at global or regional data centers.
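To make the three selection rules concrete, here is an added Python example (not Hitachi ID code) that resolves the target DC list against a constructed site topology: the home site is found by taking the server name out of the home directory UNC, looking up its address and matching it against site subnets with the longest prefix; the current site comes from the browser address and is only consulted for self-service; an administrator rule set then adds the data-center sites. All site names, subnets, DC names and the server address table are assumptions standing in for AD site configuration and DNS.

```python
"""Site-aware domain controller targeting: added example, not Hitachi ID Password Manager code."""
import ipaddress
from typing import Dict, List, Optional

# Constructed topology (assumed names, not a real forest).
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "Calgary",
    "10.2.0.0/16": "Toronto",
    "10.2.200.0/24": "Toronto-Lab",   # more specific subnet inside Toronto, to exercise longest match
    "10.9.0.0/16": "VPN-Pool",        # site with no DCs of its own
}
SITE_DCS: Dict[str, List[str]] = {
    "Calgary": ["dc1.calgary.example", "dc2.calgary.example"],
    "Toronto": ["dc1.toronto.example"],
    "Toronto-Lab": ["dc1.lab.toronto.example"],
    "HQ-DataCenter": ["dc1.hq.example"],
}
# Administrator-configured rule set: additional sites to target for a given site.
SITE_RULES: Dict[str, List[str]] = {
    "Calgary": ["HQ-DataCenter"],
    "Toronto": ["HQ-DataCenter"],
    "Toronto-Lab": ["Toronto", "HQ-DataCenter"],
}
# Stand-in for a DNS lookup of the file servers that host home directories.
HOST_ADDRESSES: Dict[str, str] = {"fs-cgy01": "10.1.5.20", "fs-tor01": "10.2.7.9"}

_NETWORKS = [(ipaddress.ip_network(cidr), site) for cidr, site in SUBNET_TO_SITE.items()]


def site_for_ip(ip: str) -> Optional[str]:
    """Longest-prefix match of an address against the site subnets, as AD site lookup does."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, site in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def server_from_unc(unc: str) -> str:
    r"""'\\server\share\path' -> 'server'."""
    return unc.lstrip("\\").split("\\")[0].lower()


def home_site(home_dir_unc: str) -> Optional[str]:
    ip = HOST_ADDRESSES.get(server_from_unc(home_dir_unc))
    return site_for_ip(ip) if ip else None


def target_dcs(home_dir_unc: str, client_ip: Optional[str] = None,
               self_service: bool = False) -> List[str]:
    """Ordered, de-duplicated DC list: home site, current site (self-service only), rule-mapped sites."""
    sites: List[str] = []

    def add(site: Optional[str]) -> None:
        if site and site not in sites:
            sites.append(site)

    add(home_site(home_dir_unc))
    if self_service and client_ip:
        add(site_for_ip(client_ip))
    for site in list(sites):          # rules apply to the sites found so far, one level deep
        for mapped in SITE_RULES.get(site, []):
            add(mapped)

    dcs: List[str] = []
    for site in sites:
        for dc in SITE_DCS.get(site, []):
            if dc not in dcs:
                dcs.append(dc)
    return dcs
```

The reset and lockout clear are then applied to every DC in the returned list, and normal replication carries the change to the rest of the domain; the point is that the DCs the user will actually authenticate against are updated immediately rather than after the replication interval.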
12 Built-in Single Sign-on Technology

Hitachi ID Login Manager, a module included with Hitachi ID Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or password is the same as what the user typed to sign into Windows.

Login Manager leverages password synchronization instead of stored passwords. This means that it does not require a wallet and that users can continue to sign into their applications from devices other than their corporate PC, such as a smart phone or tablet for which a single sign-on client may not be available.

Login Manager does not require scripting or a credential vault, so has a much lower total cost of ownership (TCO) than alternative single sign-on (E-SSO) products.

Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process. Login Manager works as follows:

- When users sign into their workstations, Login Manager acquires their network login ID and password from the Windows login process.
- Login Manager may (optionally) acquire additional login IDs (but not passwords) from the user's Active Directory profile.
- Login Manager monitors the Windows desktop for newly launched applications: It detects when the user types one of his known login IDs or his Windows password into an application dialog box, HTML form or mainframe terminal session. When this happens, the location of the matching input fields is stored in a local configuration file.
- Whenever Login Manager detects an application displaying a previously configured login screen, it automatically fills in the appropriate login ID and/or the current Windows password.

The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:

- Interfering with user access to applications from devices not equipped with the SSO software, such as their smart phones.
- Having to deploy a secure location in which to store application credentials.
- Writing scripts.

Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory.

The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:

- There is no global directory or database with user credentials: There is no target for a would-be attacker. There is no single point of failure which could cause a widespread disruption to users who wish to sign into applications. There is no need to enroll users by having them provide their passwords.
- There are no manually written scripts: No manual configuration is required. No infrastructure is required to distribute script files to PCs.
- Continued access to applications: Users sometimes need to sign into applications from devices other than their work PC. Since passwords are synchronized and users know their own password, they can still sign in, even without the SSO software. In contrast, with other E-SSO products, users may not know their own application passwords. This disrupts application access using a smart phone, home PC, Internet kiosk, etc.

These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.
13 Return on Investment

Deploying Hitachi ID Password Manager saves money for three groups of people in an organization:

- Users: Password synchronization reduces the incidence of password problems. In most organizations, over 80% of problems are eliminated. Accordingly, users waste less time making unsuccessful attempts to log into systems.
- Support staff: Both password synchronization and self-service password resets eliminate calls to the help desk. Together, they normally reduce password-related call volume by over 90%. Once calls reach the help desk, they are resolved much more quickly, using a single tool that integrates caller authentication, multiple password resets and creation of problem tickets. Using a web browser, support staff can resolve password calls in 1-2 minutes.
- System administrators: Without Password Manager, most support organizations escalate some password calls to system administrators. This is done when the support organization does not have training or security clearance to reset passwords on the systems in question. Password Manager eliminates password problem escalation.

Example savings calculation

The following example illustrates how Password Manager reduces the cost of password management:

- Users experience 3000 password problems per month.
- Users spend 10 minutes with a password problem before calling for help.
- The help desk takes 10 minutes to resolve password problems.
- 1/6 of calls are escalated from the help desk to system administrators.
- Password Manager eliminates 80% of password problems, and reduces problem resolution time to 2 minutes.

Monthly cost     Initial                                      Password Manager                          Savings
Users            3000 calls x 20 minutes x $40/hr = $40,000   600 calls x 12 minutes x $40/hr = $4,800  $35,200
Help desk        3000 calls x 10 minutes x $40/hr = $20,000   600 calls x 2 minutes x $40/hr = $800     $19,200
Administrators   500 calls x 5 minutes x $40/hr = $1,670      0                                         $1,670
Monthly total    $61,670                                      $5,600                                    $56,070

To estimate the cost savings in your organization, try our on-line calculator at:
14 Platform Support

Hitachi ID Password Manager can manage passwords on most systems directly. It includes built-in support for the following systems:

- Directories: Any LDAP, AD, NDS, eDirectory, NIS/NIS+.
- Servers: Windows, Samba, NDS, SharePoint.
- Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix, Progress.
- Unix: Linux, Solaris, AIX, HPUX, 24 more variants.
- Mainframes: z/OS with RAC/F, ACF/2 or TopSecret.
- Midrange: iSeries (OS400), OpenVMS.
- ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.
- Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.
- Tokens, Smart Cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.
- WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.
- Help Desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA enVision, MS SCS Manager.
- HDD Encryption: McAfee, CheckPoint (PointSec), Microsoft (BitLocker), Symantec (PGP).
- SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, Concur, AWS, vCloud, SOAP (generic).
- Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere, Cisco IOS, Juniper JUNOS, F5, iLO cards, DRAC cards, RSA cards, etc.
- Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.

Password Manager includes a number of flexible connectors, each of which is used to script integration with a common protocol or mechanism. These connectors allow organizations to quickly and inexpensively integrate Password Manager with custom and vertical market applications. The ability to quickly and inexpensively add integrations increases the value of the Password Manager system as a whole. There are flexible connectors to script interaction with:

- API binding: C, C++; Java, J2EE; .NET; COM, ActiveX; MQ Series.
- Terminal emulation: SSH; Telnet; TN3270, TN5250; Simulated browser.
- Web services: SOAP; WebRPC; Pure HTTP(S).
- Back end integration: SQL Injection; LDAP attributes.
- Command-line: Windows PowerShell; Unix/Linux.

Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service. If an organization develops their own integrations, an effort of between four hours and four days is typical. Alternately, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
15 Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment; this is a core design principle across all products in the Hitachi ID Identity and Access Management Suite. Rapid deployment is largely a feature of (a) including as many built-in features as possible and (b) making common use cases easier to configure.

- Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals process and by enabling organizations to define categories of relationships, which then drive what one user can see of another, what changes one user can submit on behalf of another, who is invited to approve change requests and more.
- Hitachi ID Password Manager minimizes deployment cost using built-in processes for enrollment of security questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes to control the pace of user invitations.
- Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery and automated classification of systems and accounts to be managed. It also includes a robust, built-in process for authorizing one-time access requests.

All Hitachi ID Systems products include a rich set of over 120 connectors, built-in reports, a robust and translation-friendly web portal, incident management system integration, multi-node database replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing project time and cost.

Password Manager is designed for rapid deployment:

- No client software required, even for access to self-service password reset from the workstation login prompt.
- Automated discovery of every login ID on every target system, nightly.
- Self-service login ID reconciliation where login IDs on different systems are different and there is no pre-existing correlation data.
- A built-in identity cache that captures user profile data and eliminates the need to install or manage a database or directory before installing Password Manager.
- Built-in connectors for every common system and application, eliminating the need for customers to develop their own connectors to common, off-the-shelf target systems.
- Remote connectors mean that Password Manager can manage users and passwords on systems without requiring the installation of intrusive local software on each target system.
- Flexible connectors enable organizations to integrate Password Manager with custom applications, vertical market software, application service providers (ASPs) and service bureaus quickly, taking just 2 hours to 4 days per new target system.

500, Street SE, Calgary AB Canada T2G 2J3
File: /pub/wp/documents/white/psynch/hipam-white-22.tex
AD Self-Service Suite for Active Directory
The Dot Net Factory AD Self-Service Suite for Active Directory Version 3.6 The Dot Net Factory, LLC. 2005-2011. All rights reserved. This guide contains proprietary information, which is protected by copyright.
Centralized Self-service Password Reset: From the Web and Windows Desktop
Centralized Self-service Password Reset: From the Web and Windows Desktop Self-service Password Reset Layer v.3.2-007 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200
Sophos Mobile Control SaaS startup guide. Product version: 6
Sophos Mobile Control SaaS startup guide Product version: 6 Document date: January 2016 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8
Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0
Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features
1 Hitachi ID Password Manager. 2 Agenda. Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications
1 Hitachi ID Password Manager Managing the User Lifecycle Across On-Premises and Cloud-Hosted Applications Integrated Credential Management for Users: Passwords, encryption keys, tokens, smart cards and
FileCloud Security FAQ
is currently used by many large organizations including banks, health care organizations, educational institutions and government agencies. Thousands of organizations rely on File- Cloud for their file
Regulatory Compliance Using Identity Management
Regulatory Compliance Using Identity Management 2015 Hitachi ID Systems, Inc. All rights reserved. Regulations such as Sarbanes-Oxley, FDA 21-CFR-11 and HSPD-12 require stronger security, to protect sensitive
Approaches to Enterprise Identity Management: Best of Breed vs. Suites
Approaches to Enterprise Identity Management: Best of Breed vs. Suites 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Introduction 1 2 Executive Summary 1 3 Background 2 3.1 Enterprise Identity
WHITEPAPER. SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS
WHITEPAPER SECUREAUTH 2-FACTOR AS A SERVICE 2FaaS EXECUTIVE OVERVIEW 2-Factor as a Service (2FaaS) is a 100% cloud-hosted authentication solution that offers flexible security without compromising user
Active Directory Self-Service FAQ
Active Directory Self-Service FAQ General Information: [email protected] Online Support: [email protected] CionSystems Inc. Mailing Address: 16625 Redmond Way, Ste M106 Redmond, WA. 98052 http://www.cionsystems.com
STRONGER AUTHENTICATION for CA SiteMinder
STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control 1 STRONGER AUTHENTICATION for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive
Administrators Help Manual
Administrators Help Manual Lepide Active Directory Self Service Lepide Software Private Limited Page 1 Administrators Help Manual for Active Directory Self-Service Lepide Active Directory Self Service
ipad in Business Security
ipad in Business Security Device protection Strong passcodes Passcode expiration Passcode reuse history Maximum failed attempts Over-the-air passcode enforcement Progressive passcode timeout Data security
CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device
CHOOSING THE RIGHT PORTABLE SECURITY DEVICE A guideline to help your organization chose the Best Secure USB device Introduction USB devices are widely used and convenient because of their small size, huge
NetIQ Advanced Authentication Framework - Client. User's Guide. Version 5.1.0
NetIQ Advanced Authentication Framework - Client User's Guide Version 5.1.0 Table of Contents 1 Table of Contents 2 Introduction 4 About This Document 4 NetIQ Advanced Authentication Framework Overview
RSA SecurID Two-factor Authentication
RSA SecurID Two-factor Authentication Today, we live in an era where data is the lifeblood of a company. Now, security risks are more pressing as attackers have broadened their targets beyond financial
Interwise Connect. Working with Reverse Proxy Version 7.x
Working with Reverse Proxy Version 7.x Table of Contents BACKGROUND...3 Single Sign On (SSO)... 3 Interwise Connect... 3 INTERWISE CONNECT WORKING WITH REVERSE PROXY...4 Architecture... 4 Interwise Web
RSA Authentication Manager 8.1 Help Desk Administrator s Guide
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
AVG Business SSO Connecting to Active Directory
AVG Business SSO Connecting to Active Directory Contents AVG Business SSO Connecting to Active Directory... 1 Selecting an identity repository and using Active Directory... 3 Installing Business SSO cloud
redcoal EmailSMS for MS Outlook and Lotus Notes
redcoal EmailSMS for MS Outlook and Lotus Notes Technical Support: [email protected] Or visit http://www.redcoal.com/ All Documents prepared or furnished by redcoal Pty Ltd remains the property of redcoal
Understanding Northwestern University s contract with Symantec. Symantec Solutions for Cost Reduction & Optimization
Understanding Northwestern University s contract with Symantec Symantec Solutions for Cost Reduction & Optimization Chris Hagelin and Shane Scholes Symantec Account Manager and Symantec Sales Engineer
Architecture and Data Flow Overview. BlackBerry Enterprise Service 10 721-08877-123 Version: 10.2. Quick Reference
Architecture and Data Flow Overview BlackBerry Enterprise Service 10 721-08877-123 Version: Quick Reference Published: 2013-11-28 SWD-20131128130321045 Contents Key components of BlackBerry Enterprise
DirX Identity V8.5. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.5 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc.
P-Synch by M-Tech Information Technology, Inc. ID-Synch by M-Tech Information Technology, Inc. Product Category: Password Management/Provisioning Validation Date: TBD Product Abstract M-Tech software streamlines
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2. Feature and Technical Overview
BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Service Pack: 2 Feature and Technical Overview Published: 2010-06-16 SWDT305802-1108946-0615123042-001 Contents 1 Overview: BlackBerry Enterprise
DriveLock and Windows 7
Why alone is not enough CenterTools Software GmbH 2011 Copyright Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
ManageEngine ADSelfService Plus. Evaluator s Guide
ManageEngine ADSelfService Plus Evaluator s Guide Table of Contents Document Summary:...3 ADSelfService Plus Overview:...3 Core Features & Benefits:...4 ADSelfService Plus Architecture:...5 Admin Portal:...
SELF SERVICE RESET PASSWORD MANAGEMENT ADMINISTRATOR'S GUIDE
SELF SERVICE RESET PASSWORD MANAGEMENT ADMINISTRATOR'S GUIDE Copyright 1998-2015 Tools4ever B.V. All rights reserved. No part of the contents of this user guide may be reproduced or transmitted in any
etoken TMS (Token Management System) Frequently Asked Questions
etoken TMS (Token Management System) Frequently Asked Questions Make your strong authentication solution a reality with etoken TMS (Token Management System). etoken TMS provides you with full solution
Flexible Identity. OTP software tokens guide. Multi-Factor Authentication. version 1.0
Flexible Identity Multi-Factor Authentication OTP software tokens guide version 1.0 Publication History Date Description Revision 2014.02.07 initial release 1.0 Copyright Orange Business Services 2 of
NASA PIV smartcards at Headquarters Frequently Asked Questions (FAQ s)
Frequently Asked Questions (FAQ s) November, 2013 This list of FAQs is a subset of a larger list derived by the Agency. This list is tailored to meet the needs of users at Headquarters. If you do not find
Locking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
Identity Management Terminology
2015 Hitachi ID Systems, Inc. All rights reserved. Identity management is an important technology for managing user objects, identity attributes, authentication factors and security entitlements. This
Deploying iphone and ipad Security Overview
Deploying iphone and ipad Security Overview ios, the operating system at the core of iphone and ipad, is built upon layers of security. This enables iphone and ipad to securely access corporate services
Entrust Managed Services PKI
Entrust Managed Services PKI Entrust Managed Services PKI Windows Smart Card Logon Configuration Guide Using Web-based applications Document issue: 1.0 Date of Issue: June 2009 Copyright 2009 Entrust.
Endpoint Security VPN for Windows 32-bit/64-bit
Endpoint Security VPN for Windows 32-bit/64-bit E75.20 User Guide 13 September 2011 2011 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected
BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
Clientless SSL VPN Users
Manage Passwords, page 1 Username and Password Requirements, page 3 Communicate Security Tips, page 3 Configure Remote Systems to Use Clientless SSL VPN Features, page 3 Manage Passwords Optionally, you
Self-Service Active Directory Group Management
Self-Service Active Directory Group Management 2015 Hitachi ID Systems, Inc. All rights reserved. Hitachi ID Group Manager is a self-service group membership request portal. It allows users to request
Getting the Most From. Your Help Desk
. Turbo-IT Corporation 103 West Second Street Irving, Texas 75060 http://www.turbo-it.com turbo-it Corporation Getting the Most From.......... Your Help Desk Cost Reduction Strategies for Service Desk
WHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com [email protected] Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
A Guide to New Features in Propalms OneGate 4.0
A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously
Agency Pre Migration Tasks
Agency Pre Migration Tasks This document is to be provided to the agency and will be reviewed during the Migration Technical Kickoff meeting between the ICS Technical Team and the agency. Network: Required
Ensuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
Managing users. Account sources. Chapter 1
Chapter 1 Managing users The Users page in Cloud Manager lists all of the user accounts in the Centrify identity platform. This includes all of the users you create in the Centrify for Mobile user service
ADDING STRONGER AUTHENTICATION for VPN Access Control
ADDING STRONGER AUTHENTICATION for VPN Access Control Adding Stronger Authentication for VPN Access Control 1 ADDING STRONGER AUTHENTICATION for VPN Access Control A VIRTUAL PRIVATE NETWORK (VPN) allows
GoldKey Software. User s Manual. Revision 7.12. WideBand Corporation www.goldkey.com. Copyright 2007-2014 WideBand Corporation. All Rights Reserved.
GoldKey Software User s Manual Revision 7.12 WideBand Corporation www.goldkey.com 1 Table of Contents GoldKey Installation and Quick Start... 5 Initial Personalization... 5 Creating a Primary Secure Drive...
Cybersecurity and Secure Authentication with SAP Single Sign-On
Solution in Detail SAP NetWeaver SAP Single Sign-On Cybersecurity and Secure Authentication with SAP Single Sign-On Table of Contents 3 Quick Facts 4 Remember One Password Only 6 Log In Once to Handle
Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2
Department of Supply & Services (CIMS) RSA Web Express User Guide v1.2 Created: May 22, 2008 Updated: April 23, 2009 The RSA Web Express web express web site automates functions required to deploy hardware
IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1. User Guide IBM SC23-9950-05
IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05 IBM Security Access Manager for Enterprise Single Sign-On Version 8.2.1 User Guide IBM SC23-9950-05
Xerox DocuShare Security Features. Security White Paper
Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a
Data Replication in Privileged Credential Vaults
Data Replication in Privileged Credential Vaults 2015 Hitachi ID Systems, Inc. All rights reserved. Contents 1 Background: Securing Privileged Accounts 2 2 The Business Challenge 3 3 Solution Approaches
VMware Horizon Workspace Security Features WHITE PAPER
VMware Horizon Workspace WHITE PAPER Table of Contents... Introduction.... 4 Horizon Workspace vapp Security.... 5 Virtual Machine Security Hardening.... 5 Authentication.... 6 Activation.... 6 Horizon
RSA Authentication Manager 8.1 Help Desk Administrator s Guide. Revision 1
RSA Authentication Manager 8.1 Help Desk Administrator s Guide Revision 1 Contact Information Go to the RSA corporate website for regional Customer Support telephone and fax numbers: www.emc.com/domains/rsa/index.htm
DirX Identity V8.4. Secure and flexible Password Management. Technical Data Sheet
Technical Data Sheet DirX Identity V8.4 Secure and flexible Password Management DirX Identity provides a comprehensive password management solution for enterprises and organizations. It delivers self-service
Multi Factor Authentication API
GEORGIA INSTITUTE OF TECHNOLOGY Multi Factor Authentication API Yusuf Nadir Saghar Amay Singhal CONTENTS Abstract... 3 Motivation... 3 Overall Design:... 4 MFA Architecture... 5 Authentication Workflow...
Password Management Before User Provisioning
Password Management Before User Provisioning 2015 Hitachi ID Systems, Inc. All rights reserved. Identity management spans technologies including password management, user profile management, user provisioning
Remote Access Password Tips
Introduction: The following document was created to assist Remote Access users with password change and synchronization issues. IT&S has identified the following five (5) scenarios for remote access password
Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes
Category Question Name Question Text C 1.1 Do all users and administrators have a unique ID and password? C 1.1.1 Passwords are required to have ( # of ) characters: 5 or less 6-7 8-9 Answer 10 or more
MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features
MCTS Guide to Microsoft Windows 7 Chapter 7 Windows 7 Security Features Objectives Describe Windows 7 Security Improvements Use the local security policy to secure Windows 7 Enable auditing to record security
Advanced Configuration Steps
Advanced Configuration Steps After you have downloaded a trial, you can perform the following from the Setup menu in the MaaS360 portal: Configure additional services Configure device enrollment settings
Flexible Identity Federation
Flexible Identity Federation Quick start guide version 1.0.1 Publication history Date Description Revision 2015.09.23 initial release 1.0.0 2015.12.11 minor updates 1.0.1 Copyright Orange Business Services
McAfee Endpoint Encryption (SafeBoot) User Documentation
TABLE OF CONTENTS Press the CTRL key while clicking on topic to go straight to the topic in this document. I. Introduction... 1 II. Installation Process Overview... 1 III. Checking for a Valid Current
Two-factor Authentication: A Tokenless Approach
Two-factor Authentication: A Tokenless Approach Multi-factor Authentication Layer v.3.2-014 PistolStar, Inc. dba PortalGuard PO Box 1226 Amherst, NH 03031 USA Phone: 603.547.1200 Fax: 617.674.2727 E-mail:
Architecture Guidelines Application Security
Executive Summary These guidelines describe best practice for application security for 2 or 3 tier web-based applications. It covers the use of common security mechanisms including Authentication, Authorisation
iphone in Business How-To Setup Guide for Users
iphone in Business How-To Setup Guide for Users iphone is ready for business. It supports Microsoft Exchange ActiveSync, as well as standards-based services, delivering email, calendars, and contacts over
Open Directory. Apple s standards-based directory and network authentication services architecture. Features
Open Directory Apple s standards-based directory and network authentication services architecture. Features Scalable LDAP directory server OpenLDAP for providing standards-based access to centralized data
etoken Single Sign-On 3.0
etoken Single Sign-On 3.0 Frequently Asked Questions Table of Contents 1. Why aren t passwords good enough?...2 2. What are the benefits of single sign-on (SSO) solutions?...2 3. Why is it important to
Ensuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
Introduction to the EIS Guide
Introduction to the EIS Guide The AirWatch Enterprise Integration Service (EIS) provides organizations the ability to securely integrate with back-end enterprise systems from either the AirWatch SaaS environment
Guide to Evaluating Multi-Factor Authentication Solutions
Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor
Deriving a Trusted Mobile Identity from an Existing Credential
Deriving a Trusted Mobile Identity from an Existing Credential Exploring and applying real-world use cases for mobile derived credentials +1-888-690-2424 entrust.com Table of contents Approval of the mobile
Password Reset PRO INSTALLATION GUIDE
Password Reset PRO INSTALLATION GUIDE This guide covers the new features and settings available in Password Reset PRO. Please read this guide completely to ensure a trouble-free installation. March 2009
Web Applications Access Control Single Sign On
Web Applications Access Control Single Sign On Anitha Chepuru, Assocaite Professor IT Dept, G.Narayanamma Institute of Technology and Science (for women), Shaikpet, Hyderabad - 500008, Andhra Pradesh,
ProtectID. for Financial Services
ProtectID for Financial Services StrikeForce Technologies, Inc. 1090 King Georges Post Road #108 Edison, NJ 08837, USA http://www.strikeforcetech.com Tel: 732 661-9641 Fax: 732 661-9647 Introduction 2
Secure Web Access Solution
Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...
RSA SecurID Software Token 1.0 for Android Administrator s Guide
RSA SecurID Software Token 1.0 for Android Administrator s Guide Contact Information See the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA,
RSA Authentication Manager 7.1 Security Best Practices Guide. Version 5
RSA Authentication Manager 7.1 Security Best Practices Guide Version 5 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks
The Encryption Anywhere Data Protection Platform
The Encryption Anywhere Data Protection Platform A Technical White Paper 5 December 2005 475 Brannan Street, Suite 400, San Francisco CA 94107-5421 800-440-0419 415-683-2200 Fax 415-683-2349 For more information,
NETWRIX PASSWORD MANAGER
NETWRIX PASSWORD MANAGER ADMINISTRATOR S GUIDE Product Version: 6.1 February/2012 Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment
EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients
EMC Physical Security Enabled by RSA SecurID Two-Factor Authentication with Verint Nextiva Review and Control Center Clients A Detailed Review EMC Information Infrastructure Solutions Abstract This white
An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance
An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security
Mobile Admin Security
Mobile Admin Security Introduction Mobile Admin is an enterprise-ready IT Management solution that generates significant cost savings by dramatically increasing the responsiveness of IT organizations facing
