Imprivata SSO: Enabling an Effective Password Policy. By Alan Sonnenberg Chief Security Officer, Imprivata, Inc.

Transcription

1 Imprivata SSO: Enabling an Effective Password Policy By Alan Sonnenberg Chief Security Officer, Imprivata, Inc. June 26, 2003

2 SSO: Enabling an Effective Password Policy 2 INTRODUCTION Security policies are essential to any enterprise s overall security program. Policies allow the organization to define its security goals and objectives while also providing a framework to assist organizations in determining the proper level of security for each facet of the business. The most effective policies are embraced by employees and become part of the fabric of everyday business. In my experience, the biggest challenge when implementing a security policy is the ability to do so without impacting productivity or creating the need for additional resources and administration. Because of this, many policies wind up gathering dust on the shelves of the Chief Security Officer (CSO) and Chief Information Officer (CIO), only to see the light of day at the next security audit. Traditionally, implementing an effective security policy often meant a certain degree of compromise in terms of user convenience. Though striking this balance is always a key factor, in recent years, several technologies have emerged that help security-conscious IT people deploy effective policy that is enforceable largely because it is non-intrusive to the user. For example, many readers may remember what it was like to write a policy statement like this one: All files and attachments must be scanned for viruses prior to use on the corporate network. Before real-time, anti-virus scanners for the desktop and gateways were available to automate this process, organizations would be lucky to achieve even moderate compliance with such a statement. That s because when employees are busy and under pressure to complete their work, they will not always take the secure path if there s a chance that it might impact productivity. I am far from defending this attitude, but experience tells me it is reality. In recent years however, new virus products have made scanning and signature updating completely transparent to the end user, and administrators can now set policies and update software on centralized servers. Technology has allowed us to implement the policy statement above with little or no impact to the business. One of the most difficult policies to implement is the password policy, because no other policy has a greater impact on the user community. For example, unlike an audit or anti-virus policy, the burden of implementing a password policy falls directly on the end user. Typically, the onus for creating, changing and maintaining passwords is on the user. Because of this, the effectiveness of a password policy depends upon the user s adherence to the policy. And since human beings inherently don t like to be told what to do, creating a reasonable password policy with proper user awareness and education is critical. With the advent of Single Sign-On (SSO) technology, organizations can overcome these impediments. This white paper discusses how organizations of all sizes can develop, implement and ensure the success of an effective password policy through the use of SSO.

3 SSO: Enabling an Effective Password Policy 3 THE PROBLEM WITH PASSWORDS The first thing to understand about passwords is what they can and cannot do. While passwords can provide a measure of security, no password no matter how strong its requirements can be a substitute for non-repudiated authentication. There are simply too many tools and techniques available on the network that can compromise a user s password. Therefore, security professionals must first dictate what assets need to be protected by a stronger form of authentication. That being said, passwords have been a fundamental part of computer security since the earliest days of data processing, offering a relatively simple and effective way to ensure that only authorized users can gain access to important business applications. As such, they will continue to be sufficient for most authentications. Passwords are perceived to have zero cost, but over the years, matters have become increasingly complicated. Corporate computing environments have become more complex. At the same time, the number of business applications has multiplied, leading to a corresponding increase in the number of passwords required to access them. The average user now has to remember seven to nine passwords that change as often as once every couple of months. It s no wonder then that even without attempting to implement an effective password policy passwords have become a nightmare for many organizations on many levels, with the following results: Users become frustrated as they try to keep all their passwords straight. Corporate help desk staffers have to respond to users calling every day seeking their forgotten passwords. According to Giga Information Group, more than 30% of all help desk costs are password-related. Budgets are squeezed as corporations get hit with high costs. A single help desk call can cost $25 or more, according to the META Group. Add to that the cost in lost productivity when workers are unable to access the applications they need to do their jobs. Security is compromised as users often resort to writing passwords down and leaving them in plain view where a nefarious person can find them and use them to gain unauthorized access. Organizations have to be able to solve these issues in a realistic manner if they hope to have an effective password policy that works for everyone.

4 SSO: Enabling an Effective Password Policy 4 THE EMERGENCE OF SSO As security professionals, we continuously balance security and usability. If our goal is an effective password policy, then the implementation of the policy needs to be as transparent as possible to the user while maintaining or reducing the resources required for password administration. Understanding the growing complexity of password management as well as the requirement for transparency to the user, some years ago vendors began developing products that would help make strong password policies easier to implement successfully. Many of these efforts have focused on SSO technology an approach to password management that makes it easier for users to adhere to password policies without compromising security. With enterprise SSO solutions, users need only one password or form of strong authentication to access their SSO-enabled applications, and administrators can easily implement more secure password policies. Let s take a look at what organizations should consider as they begin the process of establishing a password policy.

5 SSO: Enabling an Effective Password Policy 5 SIX IMPERATIVES OF AN EFFECTIVE PASSWORD POLICY There s no reason to reinvent the wheel when developing an effective password policy. The best way to start is by taking an existing policy developed by security experts and modifying it to the organization s unique needs. Fortunately, the SANS (SysAdmin, Audit, Network, Security) Institute, a cooperative research and education organization for security professionals, auditors, system administrators, and network administrators, offers just such a policy template at: Using this policy as a guideline, organizations can begin crafting their own strong password policies to meet their individual requirements. Although the specifics of strong password policies will necessarily vary from one organization to another, I d like to highlight the characteristics that can have the most direct impact on the effectiveness of the policy. Use strong passwords What makes a strong password is its length and how it is comprised. Rules that govern strong passwords typically include that the password be at least 8 characters (7 or 14 for NT) both alpha and numeric- that includes no dictionary words, no obvious user associations, such as birth dates, family or pet names, social security numbers, and so on. Ask any concerned executive how strong passwords should be, and they re likely to reply, As strong as possible! Like them, most of us would also instinctively prefer passwords that ensure the highest level of security for our IT resources. But, as many organizations have discovered, while strong password policies do increase security, they also often decrease usability in the process. The longer, more complex, and less familiar a password is, the harder it is for the user to remember it. Organizations need to understand that if they are going to implement an effective password policy enterprise-wide, they will be dealing with multiple operating systems and applications, each of which has different rules regarding password length and composition. Without the aid of a technology such as SSO, this can quickly become unwieldy for both users and administrators. If there are 12 systems, the user will have to keep track of and change 12 strong, hard-toremember passwords of different compositions. Likewise, the system administrator will have to set, maintain, and understand password policy on all of the 12 systems with their varying rules. Without SSO to automate and enforce the password policy implementation, the helpdesk will quickly be swamped with additional password-related calls and end users will become frustrated. Change passwords frequently The more frequently a password is changed, the lower the likelihood that it will be compromised, stolen and misused. Most security experts agree that passwords should be changed no less than every 90 days. While this policy increases security, it places a heavy and unrealistic burden on the user. Imagine the challenge of trying to memorize a new set of 10 to 12 passwords all at different intervals! This is often the point at which users begin scribbling passwords down on sticky notes and scraps of paper thereby increasing the security risk.

6 SSO: Enabling an Effective Password Policy 6 To achieve their objectives, security officials therefore need to strike the right balance between security and usability. Without a technology like SSO in place, a heavy if not impossible burden is placed on users. Further, if an SSO solution is automating the password change policy behind the scenes, then even daily password changes can be made without an additional burden on the help desk or the user. Conduct regular audits To properly enforce an effective password policy, it s essential that administrators regularly check the organization s and each user s compliance. Some application environments include functionality for creating and maintaining strong passwords, which can lessen the administrative auditing burden by preventing the use of weak passwords. But many systems particularly older ones don t support this level of enforcement. Most security experts recommend password auditing of these types of systems on a nightly basis. Because most companies have a heterogeneous mixture of operating systems, regular auditing to find weak passwords can significantly increase the burden on administrators. SSO technology provides a single, primary authentication event that can be easily audited and tracked against password policy. Since application password logins are automated, application-specific policies can be adhered to without direct user action (or inaction). Do not reuse passwords For some users, the solution to frequent password changes is simply to recycle the same three or four passwords over and over again. While this approach is definitely easier for users to remember, most policies prohibit reuse. Every time a password changes, it should be new and unique and the old password must be abandoned forever. Of course, this makes the passwords more difficult for users to remember. Protect passwords as secret information Users need to understand the importance of protecting passwords and how to keep them secret. A password must never be written down in a way that makes it obvious and available to the wrong people. They should never be ed or stored electronically without sufficient encryption. Some policies may even require that passwords never be spoken over the phone or revealed to anyone in a conversation. SSO technology can help to keep user credentials private and secret. By using a central credential store, an SSO solution protects users credentials securely and makes them available only to the appropriate users in a secure manner. With SSO, because the user has only one password, application passwords never need to be written down or revealed because they are no longer used in the normal daily workflow of the user. Match policy rules to each user s security level There is no such thing as one size fits all for security. Even if an organization has a single password policy, levels of security should be tailored to the roles of each group in the company. For example, a system administrator who has access to everything on a network will usually have a privileged password, which may dictate that it be changed more frequently than the password of an average end-user. And in many cases, a system administrator may even be required to use a token or smart card to access certain systems. An executive may need to authenticate using a finger biometric to access confidential company data. It is important that security policies are crafted with this flexibility in mind.

7 SSO: Enabling an Effective Password Policy 7 SSO can automate the password policy for all types of users, without introducing usability problems. SSO has the additional benefit of enabling an effective, easy-to- use password policy for everyone, including contractors, employees, and even the corner office. After reviewing the essential imperatives outlined above, many readers may conclude that the challenges of implementing and enforcing password policy are simply too great. But the alternative leaving one s mission-critical business applications and confidential communications vulnerable to sabotage, theft, or corruption is infinitely worse. SSO technology offers a way to significantly minimize the challenges and costs of implementing and enforcing an effective password policy.

8 SSO: Enabling an Effective Password Policy 8 HOW SSO MAKES EFFECTIVE PASSWORD POLICIES PRACTICAL Today several different types of SSO products aim to solve a similar problem by automating the process of presenting the user s credentials to the application. This SSO mechanism knows the requirements of the application and the user s credentials, the user need only remember one primary password to gain access to all SSOenabled applications. SSO solutions such as Imprivata OneSign deliver an array of valuable benefits, including: Stronger security. By relieving users of the need to memorize multiple passwords, SSO solutions make it easier for organizations to implement and enjoy the increased protection afforded by strong passwords. SSO also strengthens security by making it practical for organizations to change passwords more frequently. Simplified password administration. SSO solutions such as OneSign allow administrators to implement a straightforward password policy across all applications based on users primary authentication. To increase password security, OneSign can cycle application passwords behind the scenes and disable any user with one click. Reduced help desk costs. With fewer users calling to get their forgotten passwords, SSO reduces the total number of help desk calls and the resource costs associated with them. Increased user productivity. With SSO, users can gain more immediate access to the applications they need to do their work, and spend less time tracking down forgotten passwords or waiting for helpdesk personnel to resolve their request. In addition to these benefits common to most SSO solutions, Imprivata OneSign delivers added value in several ways: Ease of installation. Imprivata OneSign is an intelligent SSO appliance that installs quickly and easily on a network. Unlike other SSO solutions, it does not require costly and time-consuming changes to existing applications. Nor are any changes required to the ways users and administrators interact with applications. Ease of deployment. Imprivata OneSign supports multiple application environments, including Web, client/server, terminal emulators, and even legacy applications. System administrators can add or update SSO-enabled applications by running a browser-based Application Profile Generator. Centralized administration and control. Imprivata OneSign seamlessly integrates with existing infrastructure and established business processes. OneSign provides a simple, highly secure mechanism for encrypting, storing and delivering user credentials to applications. Imprivata OneSign imports and synchronizes user lists from existing directories. There is no additional directory to manage or integrate, and no changes to back-end applications are required. Redundant pairs ensure a hot failover unit is always ready to take over seamlessly. Audit logs help administrators to address compliance and regulatory requirements by recording what sessions were accessed by which users and when. By enabling stronger security and maximum usability, SSO has become the most essential enabling technology for implementing an effective password policy.

9 SSO: Enabling an Effective Password Policy 9 SOME FINAL THOUGHTS The two most salient pieces of advice I can give to anyone contemplating an effective password policy are these: don t go it alone, and don t create a policy that when implemented will be impossible to enforce. People are by nature resistant to any change that requires them to modify their own behavior. The way to avoid this conflict is by involving more people in the process of developing the policy. End users, executives, HR and Legal should all participate in defining what the policy is and how it will be enforced. Besides providing an opportunity to communicate to all constituencies the critical importance of security to the organization s ongoing success, these discussions will foster a stronger sense of ownership throughout the organization. The policy that emerges from this process will be one that not only strengthens security, but also is flexible, reasonable and tailored to the security needs of each type of user. Once all of these steps have been taken, the policy will, in very short order, become inculcated throughout the organization an automatic, intrinsic part of each user s daily work life, and a silent sentinel always on guard to protect the organization s most precious assets. Just testing you do not believe that for a minute. An effective security program is a never-ending process. It s essential to continuously test your policies, and to talk to end users and administrators to gauge its effectiveness. Finally, be a discriminating security consumer. Don t be sold on technology for its own sake. In today s era of limited budgets, it s important to pick and choose those solutions that will help you implement your security policy. An SSO solution such as Imprivata OneSign can mitigate some of the pitfalls associated with implementing a password policy, making it much easier for both users and administrators to willingly comply. Alan Sonnenberg is Chief Security Officer at Imprivata. He can be reached at alan.sonnenberg@imprivata.com ###