Imprivata SSO: Enabling an Effective Password Policy
By Alan Sonnenberg, Chief Security Officer, Imprivata, Inc.



June 26, 2003

INTRODUCTION

Security policies are essential to any enterprise's overall security program. Policies allow the organization to define its security goals and objectives while also providing a framework to assist organizations in determining the proper level of security for each facet of the business. The most effective policies are embraced by employees and become part of the fabric of everyday business.

In my experience, the biggest challenge when implementing a security policy is the ability to do so without impacting productivity or creating the need for additional resources and administration. Because of this, many policies wind up gathering dust on the shelves of the Chief Security Officer (CSO) and Chief Information Officer (CIO), only to see the light of day at the next security audit.

Traditionally, implementing an effective security policy often meant a certain degree of compromise in terms of user convenience. Though striking this balance is always a key factor, in recent years several technologies have emerged that help security-conscious IT people deploy effective policy that is enforceable largely because it is non-intrusive to the user. For example, many readers may remember what it was like to write a policy statement like this one: "All files and attachments must be scanned for viruses prior to use on the corporate network." Before real-time anti-virus scanners for the desktop and email gateways were available to automate this process, organizations would be lucky to achieve even moderate compliance with such a statement. That's because when employees are busy and under pressure to complete their work, they will not always take the secure path if there's a chance that it might impact productivity. I am far from defending this attitude, but experience tells me it is reality.

In recent years, however, new virus products have made scanning and signature updating completely transparent to the end user, and administrators can now set policies and update software on centralized servers. Technology has allowed us to implement the policy statement above with little or no impact to the business.

One of the most difficult policies to implement is the password policy, because no other policy has a greater impact on the user community. For example, unlike an audit or anti-virus policy, the burden of implementing a password policy falls directly on the end user. Typically, the onus for creating, changing and maintaining passwords is on the user. Because of this, the effectiveness of a password policy depends upon the user's adherence to the policy. And since human beings inherently don't like to be told what to do, creating a reasonable password policy with proper user awareness and education is critical. With the advent of Single Sign-On (SSO) technology, organizations can overcome these impediments. This white paper discusses how organizations of all sizes can develop, implement and ensure the success of an effective password policy through the use of SSO.

THE PROBLEM WITH PASSWORDS

The first thing to understand about passwords is what they can and cannot do. While passwords can provide a measure of security, no password, no matter how strong its requirements, can be a substitute for non-repudiated authentication. There are simply too many tools and techniques available on the network that can compromise a user's password. Therefore, security professionals must first dictate what assets need to be protected by a stronger form of authentication. That being said, passwords have been a fundamental part of computer security since the earliest days of data processing, offering a relatively simple and effective way to ensure that only authorized users can gain access to important business applications. As such, they will continue to be sufficient for most authentications.

Passwords are perceived to have zero cost, but over the years matters have become increasingly complicated. Corporate computing environments have become more complex. At the same time, the number of business applications has multiplied, leading to a corresponding increase in the number of passwords required to access them. The average user now has to remember seven to nine passwords that change as often as once every couple of months. It's no wonder then that, even without attempting to implement an effective password policy, passwords have become a nightmare for many organizations on many levels, with the following results:

- Users become frustrated as they try to keep all their passwords straight.
- Corporate help desk staffers have to respond to users calling every day seeking their forgotten passwords. According to Giga Information Group, more than 30% of all help desk costs are password-related.
- Budgets are squeezed as corporations get hit with high costs. A single help desk call can cost $25 or more, according to the META Group. Add to that the cost in lost productivity when workers are unable to access the applications they need to do their jobs.
- Security is compromised as users often resort to writing passwords down and leaving them in plain view, where a nefarious person can find them and use them to gain unauthorized access.

Organizations have to be able to solve these issues in a realistic manner if they hope to have an effective password policy that works for everyone.

THE EMERGENCE OF SSO

As security professionals, we continuously balance security and usability. If our goal is an effective password policy, then the implementation of the policy needs to be as transparent as possible to the user while maintaining or reducing the resources required for password administration. Understanding the growing complexity of password management as well as the requirement for transparency to the user, some years ago vendors began developing products that would help make strong password policies easier to implement successfully. Many of these efforts have focused on SSO technology, an approach to password management that makes it easier for users to adhere to password policies without compromising security. With enterprise SSO solutions, users need only one password or form of strong authentication to access their SSO-enabled applications, and administrators can easily implement more secure password policies. Let's take a look at what organizations should consider as they begin the process of establishing a password policy.

SIX IMPERATIVES OF AN EFFECTIVE PASSWORD POLICY

There's no reason to reinvent the wheel when developing an effective password policy. The best way to start is by taking an existing policy developed by security experts and modifying it to the organization's unique needs. Fortunately, the SANS (SysAdmin, Audit, Network, Security) Institute, a cooperative research and education organization for security professionals, auditors, system administrators, and network administrators, offers just such a policy template at: http://www.sans.org/resources/policies/password_policy.pdf

Using this policy as a guideline, organizations can begin crafting their own strong password policies to meet their individual requirements. Although the specifics of strong password policies will necessarily vary from one organization to another, I'd like to highlight the characteristics that can have the most direct impact on the effectiveness of the policy.

Use strong passwords

What makes a password strong is its length and how it is composed. Rules that govern strong passwords typically require that the password be at least 8 characters (7 or 14 for NT), contain both alphabetic and numeric characters, and include no dictionary words and no obvious user associations, such as birth dates, family or pet names, social security numbers, and so on. Ask any concerned executive how strong passwords should be, and they're likely to reply, "As strong as possible!" Like them, most of us would also instinctively prefer passwords that ensure the highest level of security for our IT resources. But, as many organizations have discovered, while strong password policies do increase security, they also often decrease usability in the process. The longer, more complex, and less familiar a password is, the harder it is for the user to remember it.

Organizations need to understand that if they are going to implement an effective password policy enterprise-wide, they will be dealing with multiple operating systems and applications, each of which has different rules regarding password length and composition. Without the aid of a technology such as SSO, this can quickly become unwieldy for both users and administrators. If there are 12 systems, the user will have to keep track of and change 12 strong, hard-to-remember passwords of different compositions. Likewise, the system administrator will have to set, maintain, and understand password policy on all of the 12 systems with their varying rules. Without SSO to automate and enforce the password policy implementation, the help desk will quickly be swamped with additional password-related calls and end users will become frustrated.

Change passwords frequently

The more frequently a password is changed, the lower the likelihood that it will be compromised, stolen and misused. Most security experts agree that passwords should be changed no less than every 90 days. While this policy increases security, it places a heavy and unrealistic burden on the user. Imagine the challenge of trying to memorize a new set of 10 to 12 passwords, all at different intervals! This is often the point at which users begin scribbling passwords down on sticky notes and scraps of paper, thereby increasing the security risk.

To achieve their objectives, security officials therefore need to strike the right balance between security and usability. Without a technology like SSO in place, a heavy if not impossible burden is placed on users. By contrast, if an SSO solution is automating the password change policy behind the scenes, then even daily password changes can be made without an additional burden on the help desk or the user.

Conduct regular audits

To properly enforce an effective password policy, it's essential that administrators regularly check the organization's and each user's compliance. Some application environments include functionality for creating and maintaining strong passwords, which can lessen the administrative auditing burden by preventing the use of weak passwords. But many systems, particularly older ones, don't support this level of enforcement. Most security experts recommend password auditing of these types of systems on a nightly basis. Because most companies have a heterogeneous mixture of operating systems, regular auditing to find weak passwords can significantly increase the burden on administrators. SSO technology provides a single, primary authentication event that can be easily audited and tracked against password policy. Since application password logins are automated, application-specific policies can be adhered to without direct user action (or inaction).

Do not reuse passwords

For some users, the solution to frequent password changes is simply to recycle the same three or four passwords over and over again. While this approach is definitely easier for users to remember, most policies prohibit reuse. Every time a password changes, it should be new and unique, and the old password must be abandoned forever. Of course, this makes the passwords more difficult for users to remember.

Protect passwords as secret information

Users need to understand the importance of protecting passwords and how to keep them secret. A password must never be written down in a way that makes it obvious and available to the wrong people. Passwords should never be emailed or stored electronically without sufficient encryption. Some policies may even require that passwords never be spoken over the phone or revealed to anyone in a conversation. SSO technology can help to keep user credentials private and secret. By using a central credential store, an SSO solution protects users' credentials securely and makes them available only to the appropriate users in a secure manner. With SSO, because the user has only one password, application passwords never need to be written down or revealed, because they are no longer used in the normal daily workflow of the user.

Match policy rules to each user's security level

There is no such thing as one size fits all for security. Even if an organization has a single password policy, levels of security should be tailored to the roles of each group in the company. For example, a system administrator who has access to everything on a network will usually have a privileged password, which may dictate that it be changed more frequently than the password of an average end user. And in many cases, a system administrator may even be required to use a token or smart card to access certain systems. An executive may need to authenticate using a finger biometric to access confidential company data. It is important that security policies are crafted with this flexibility in mind.

SSO can automate the password policy for all types of users, without introducing usability problems. SSO has the additional benefit of enabling an effective, easy-to-use password policy for everyone, including contractors, employees, and even the corner office.

After reviewing the essential imperatives outlined above, many readers may conclude that the challenges of implementing and enforcing password policy are simply too great. But the alternative, leaving one's mission-critical business applications and confidential communications vulnerable to sabotage, theft, or corruption, is infinitely worse. SSO technology offers a way to significantly minimize the challenges and costs of implementing and enforcing an effective password policy.
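To show how the six imperatives above become enforceable checks, here is an added example in Python (not code from the original paper or from Imprivata OneSign): it rejects passwords that break the composition rules, refuses reuse against a stored history, and audits accounts whose password age exceeds a role-based limit. The 30-day limit for privileged accounts, the word list and the sample accounts are constructed for illustration.

```python
import hashlib
import re
from datetime import date, timedelta

# Constructed word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "winter", "imprivata"}

# Hypothetical role tiers (assumption): privileged accounts rotate more often.
ROLE_MAX_AGE_DAYS = {"user": 90, "admin": 30}


def digest(password: str) -> str:
    """Unsalted SHA-256, used here only to compare a candidate against stored history.
    A real credential store should use a slow, salted hash such as bcrypt instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def composition_violations(password: str, user: dict) -> list:
    """Rules from the paper: at least 8 characters, letters and digits, no dictionary
    words, no obvious associations (login, family/pet names, birth-date fragments)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("needs both letters and digits")
    lowered = password.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    associations = [user["login"], *user.get("names", [])]
    born = user.get("birth_date")
    if born:
        associations += [born.strftime("%Y"), born.strftime("%m%d"), born.strftime("%d%m")]
    if any(a.lower() in lowered for a in associations if a):
        problems.append("contains an obvious user association")
    return problems


def check_new_password(user: dict, password: str) -> list:
    """All reasons a proposed password would be rejected, including reuse of an old one."""
    problems = composition_violations(password, user)
    if digest(password) in user.setdefault("history", []):
        problems.append("reuses a previous password")
    return problems


def accept_password(user: dict, password: str, today: date) -> bool:
    """Apply the policy at change time; on success record the digest so it can never be reused."""
    if check_new_password(user, password):
        return False
    user["history"].append(digest(password))
    user["last_changed"] = today
    return True


def audit_rotation(users: list, today: date) -> list:
    """Nightly-style audit on metadata only: logins whose password is older than the role limit."""
    stale = []
    for u in users:
        limit = ROLE_MAX_AGE_DAYS[u.get("role", "user")]
        if (today - u["last_changed"]).days > limit:
            stale.append(u["login"])
    return stale


# Constructed sample accounts; the paper's publication date is used as "today".
TODAY = date(2003, 6, 26)
jsmith = {"login": "jsmith", "names": ["Smith", "Rex"], "birth_date": date(1975, 3, 14),
          "role": "user", "history": [digest("Tq7mv9Rzb")],
          "last_changed": TODAY - timedelta(days=45)}
admin = {"login": "root_ops", "role": "admin", "history": [],
         "last_changed": TODAY - timedelta(days=45)}

if __name__ == "__main__":
    for candidate in ("rex2003", "password99", "Tq7mv9Rzb", "Gk4p2wQx7"):
        print(candidate, check_new_password(jsmith, candidate) or "OK")
    print("stale:", audit_rotation([jsmith, admin], TODAY))
```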

HOW SSO MAKES EFFECTIVE PASSWORD POLICIES PRACTICAL

Today several different types of SSO products aim to solve a similar problem by automating the process of presenting the user's credentials to the application. Because the SSO mechanism knows the requirements of the application and the user's credentials, the user need only remember one primary password to gain access to all SSO-enabled applications. SSO solutions such as Imprivata OneSign deliver an array of valuable benefits, including:

- Stronger security. By relieving users of the need to memorize multiple passwords, SSO solutions make it easier for organizations to implement and enjoy the increased protection afforded by strong passwords. SSO also strengthens security by making it practical for organizations to change passwords more frequently.
- Simplified password administration. SSO solutions such as OneSign allow administrators to implement a straightforward password policy across all applications based on users' primary authentication. To increase password security, OneSign can cycle application passwords behind the scenes and disable any user with one click.
- Reduced help desk costs. With fewer users calling to get their forgotten passwords, SSO reduces the total number of help desk calls and the resource costs associated with them.
- Increased user productivity. With SSO, users can gain more immediate access to the applications they need to do their work, and spend less time tracking down forgotten passwords or waiting for help desk personnel to resolve their request.

In addition to these benefits common to most SSO solutions, Imprivata OneSign delivers added value in several ways:

- Ease of installation. Imprivata OneSign is an intelligent SSO appliance that installs quickly and easily on a network. Unlike other SSO solutions, it does not require costly and time-consuming changes to existing applications. Nor are any changes required to the ways users and administrators interact with applications.
- Ease of deployment. Imprivata OneSign supports multiple application environments, including Web, client/server, terminal emulators, and even legacy applications. System administrators can add or update SSO-enabled applications by running a browser-based Application Profile Generator.
- Centralized administration and control. Imprivata OneSign seamlessly integrates with existing infrastructure and established business processes. OneSign provides a simple, highly secure mechanism for encrypting, storing and delivering user credentials to applications. Imprivata OneSign imports and synchronizes user lists from existing directories. There is no additional directory to manage or integrate, and no changes to back-end applications are required. Redundant pairs ensure a hot failover unit is always ready to take over seamlessly. Audit logs help administrators to address compliance and regulatory requirements by recording what sessions were accessed by which users and when.

By enabling stronger security and maximum usability, SSO has become the most essential enabling technology for implementing an effective password policy.

SOME FINAL THOUGHTS

The two most salient pieces of advice I can give to anyone contemplating an effective password policy are these: don't go it alone, and don't create a policy that, when implemented, will be impossible to enforce. People are by nature resistant to any change that requires them to modify their own behavior. The way to avoid this conflict is by involving more people in the process of developing the policy. End users, executives, HR and Legal should all participate in defining what the policy is and how it will be enforced. Besides providing an opportunity to communicate to all constituencies the critical importance of security to the organization's ongoing success, these discussions will foster a stronger sense of ownership throughout the organization. The policy that emerges from this process will be one that not only strengthens security, but also is flexible, reasonable and tailored to the security needs of each type of user.

Once all of these steps have been taken, the policy will, in very short order, become inculcated throughout the organization: an automatic, intrinsic part of each user's daily work life, and a silent sentinel always on guard to protect the organization's most precious assets. Just testing: you do not believe that for a minute. An effective security program is a never-ending process. It's essential to continuously test your policies, and to talk to end users and administrators to gauge their effectiveness.

Finally, be a discriminating security consumer. Don't be sold on technology for its own sake. In today's era of limited budgets, it's important to pick and choose those solutions that will help you implement your security policy. An SSO solution such as Imprivata OneSign can mitigate some of the pitfalls associated with implementing a password policy, making it much easier for both users and administrators to willingly comply.

Alan Sonnenberg is Chief Security Officer at Imprivata. He can be reached at alan.sonnenberg@imprivata.com