Password Management Systems: How to Compare and Use Them

For that, Health Quest uses Novell's Identity Manager to create, modify and disable credentials for approximately 6,500 users accessing a variety of systems. "We use the identity management for our Windows environment -- Active Directory, electronic medical records, a physicians' portal, and even for our physical badge system," Sheidlower says, noting that employees use the badges not only for physical building access but also for logging into shared workstations. They swipe their cards, which in turn initiates a Novell SecureLogin SSO session.

"With SSO, and ID managers in general, all passwords under identity management are synchronized. So when a user changes a password in one system, it changes in all systems," Sheidlower says.

For enterprises venturing into the world of software-as-a-service (SaaS) delivery, finding a password-management tool can prove a little trickier, Cser notes.

"Synchronizing passwords or sending passwords to SaaS applications can be difficult, so we're seeing SaaS applications increasingly being able to use federated access controls or SAML," he says, referring to the Security Assertion Markup Language, an XML-based open standard for exchanging authentication data between identity and service providers.

"Alternatively," Cser says, "they're using an identity portal like Symplified, Ping Identity or Conformity [now IronStratus], or they use AD FS [Active Directory Federation Services], which supports SAML."

But the easiest and cheapest way to provide password management in a SaaS environment is to use an application that can grab passwords from the on-premise Active Directory repository, he says. If that's not possible due to security concerns or other issues, then he recommends that companies use AD FS or SAML. If none of these options work, then consider one of the identity-portal providers, Cser says.

This last option was the most feasible for Geezeo, says James Elwood, vice president of technology for the company, which provides online banking solutions for banks and credit unions.

Geezeo integrated Ping's PingFederate Internet SSO with a personal financial management service it sells to banks and credit unions. These organizations then integrate that service with their online customer banking tools, Elwood says.

"We had to find a simple way to get our banking customers SSO-enabled and connected with [personal financial management], which we had deployed on Amazon [Elastic Compute Cloud]," he says.

However, Geezeo was concerned that it would be impossible to build a homegrown system that would meet all of its needs, Elwood says.

"This is when we decided to find an existing password-management [or] SSO solution that was flexible enough to integrate with the various infrastructures of our customers. Ping Identity has a standards-based approach that provided us the most flexibility," he says.

With password management, Elwood says, "our goal was to synchronize passwords across platforms and applications."

Marrying Tools and Policy

No matter what type of password-management tool--standalone, integrated with an identity- and access-management suite or available through the cloud--a company chooses, it must also apply smart policies. And while an organization doesn't always need password-management tools to enforce policy, the ability to do so is often a fringe benefit of such deployments, says Ant Allan, a Gartner research vice president.

"We know that some applications don't provide a way to define password policy, and so there's no way for an organization to enforce paper policies on a per-target basis for those kinds of applications. That's where a password-management tool can have a benefit, with password changes managed centrally and policies enforced at that level before passwords get pushed down to the target systems," he says.

The Golden Rule for passwords, which Allan admits is a bit glib, is that they should be long and complex--but not too much so.

"The length and complexity of passwords creates what experts call password entropy, which is a measure of how hard it is to break a password through a cracking method. So if your goal is to provide a level of protection against automated attacks and brute-force guessing of passwords, you should avoid simple passwords that would be easy for hackers to guess," he explains.

"But once you get to a certain level of complexity, you don't get significantly more benefit against those kinds of attacks, but you do start getting problems with end users not being able to remember their passwords, and that has a number of impacts," Allan says.

"Aside from disenchanting people with security, you'll also get a higher level of calls for password resets," which is where password-management tools with self-service features come in handy, he says.

All that said, Allan suggests the following guidelines for password selection: Passwords should not contain semantic content. In other words, no words, no plain-language phrases, no names, no user IDs, no dates, no phone numbers, and so on. Passwords should include at least one lowercase and one uppercase letter and at least one number, punctuation mark or other special character.

One effective practice is called initialism, which asks users to construct passwords from the first letter of each word of a favorite phrase, song, poem or the like.
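The rules Allan lays out above (no semantic content, at least one lowercase and one uppercase letter, at least one digit or special character) and the entropy notion he describes can be turned into a policy check that a password-management tool would run centrally before pushing a change to target systems. The following is an added example written for this article, not code from any product or vendor mentioned here; the word and name lists are constructed toy data standing in for the full dictionary and directory lookups a real deployment would use, and the entropy figure is the naive brute-force estimate (length times log2 of the alphabet actually used), which is what the "cracking method" quote refers to.

```python
import math
import re

# Constructed toy lists; a production check would consult a full dictionary,
# the user directory and a breached-password feed instead (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "letmein", "secret"}
COMMON_NAMES = {"james", "robert", "mary", "patricia", "jennifer"}

# Alphabet sizes per character class, used only for the entropy estimate.
_CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation
]


def estimate_entropy_bits(password: str) -> float:
    """Naive brute-force entropy: length * log2(size of the alphabet used).

    This models an attacker who tries every string of the same length over the
    same character classes. It says nothing about dictionary or pattern
    guessing, which is exactly why the semantic-content rule exists.
    """
    pool = sum(size for rx, size in _CLASSES if rx.search(password))
    return len(password) * math.log2(pool) if pool else 0.0


def semantic_content_failures(password: str, user_id: str = "") -> list:
    """Reasons a password violates the 'no semantic content' rule."""
    reasons = []
    lowered = password.lower()
    if user_id and user_id.lower() in lowered:
        reasons.append("contains the user ID")
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            reasons.append(f"contains dictionary word '{word}'")
    for name in sorted(COMMON_NAMES):
        if name in lowered:
            reasons.append(f"contains name '{name}'")
    # Anything that looks like a year (19xx / 20xx) counts as a date.
    if re.search(r"(19|20)\d{2}", password):
        reasons.append("contains something that looks like a date")
    # Seven or more digits, ignoring common separators, looks like a phone number.
    if re.search(r"\d{7,}", re.sub(r"[\s().-]", "", password)):
        reasons.append("contains something that looks like a phone number")
    return reasons


def check_policy(password: str, user_id: str = "", min_length: int = 8) -> dict:
    """Apply the composition rules plus the semantic-content rule."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]|[^a-zA-Z0-9]", password):
        failures.append("no digit or special character")
    failures.extend(semantic_content_failures(password, user_id))
    return {
        "ok": not failures,
        "failures": failures,
        "entropy_bits": round(estimate_entropy_bits(password), 1),
    }


def initialism(phrase: str) -> str:
    """First character of each word, keeping case; punctuation-only tokens dropped."""
    return "".join(w[0] for w in phrase.split() if w[0].isalnum())


if __name__ == "__main__":
    # Constructed inputs: a seasonal password and an initialism of a phrase.
    for pw in ["Summer2011!",
               initialism("To be, or not to be: that is the question"),
               initialism("To be, or not to be: that is the question, Hamlet Act 3 Scene 1")]:
        print(pw, check_policy(pw, user_id="jsmith"))
```

Running it shows the trade-off Allan describes: "Summer2011!" satisfies every composition rule yet fails on semantic content (a dictionary word and a year), while the plain initialism of the Hamlet line passes the semantic rule but still needs a digit or symbol, which the longer phrase with the act and scene numbers supplies.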

"It's really a matter of finding balance and being aware of what constraints you have within your systems," Allan says.

"For example, organizations using IBM mainframe systems, limited to eight-character passwords, would have to go through complexity rules. But within a Windows environment, where extremely long passwords are involved, you might enforce length, not complexity," he says.

[Read more practical advice in How to write good passwords]

Password expiration is another major consideration, and it's often used to comply with regulatory requirements or in accordance with standard practices, though Allan says those haven't necessarily been proven to be best practices. Ninety days seems to be the accepted expiration rule, and it's applied at Flagler, Health Quest and Partners.

"Driving to work, parking the car, changing the password--it's a part of life here," says Partners' Buonanno.

"With 80,000 users, every day almost 1,000 people get notices that it's time to change their passwords. So we're flipping 80,000 passwords every 90 days," she says.

Health Quest's Sheidlower has a word of caution for dealing with password expirations with SSO. "It's another little [lesson] that comes up when you're synchronizing passwords across multiple systems," he says. "If you're going to let your identity manager or Active Directory be the driver of passwords and you're going to have passwords expire every X days, then you have to make sure all the other systems it's managing don't expire their passwords sooner than X days because, depending on your setup, that could break the link among the different systems," Sheidlower says.

"And you never want a situation with SSO where you're trying to go through multiple layers and it hits one system that has an expired password and all the other systems don't know about that," he adds. "That'll break SSO for that user."
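Sheidlower's warning amounts to a configuration invariant: no system fed by the identity manager may enforce a maximum password age shorter than the driver's X days. The following is an added example, not Health Quest's code or any Novell or Microsoft tooling; the system names and day counts are constructed to illustrate the check, and it assumes each connected system exposes a maximum password age that an administrator can read out.

```python
from datetime import date, timedelta

# Constructed inventory: the identity manager (Active Directory in the article's
# setup) is the driver; each connected system enforces its own maximum age.
DRIVER = {"name": "Active Directory", "max_age_days": 90}
CONNECTED = [
    {"name": "EMR", "max_age_days": 90},
    {"name": "physician portal", "max_age_days": 60},  # shorter than the driver
    {"name": "badge system", "max_age_days": None},    # never expires locally
]


def misaligned_systems(driver: dict, systems: list) -> list:
    """Names of connected systems whose local age limit is shorter than the
    driver's. On those, a password can expire locally before the identity
    manager pushes a new one, which is the situation that breaks SSO."""
    x = driver["max_age_days"]
    return [s["name"] for s in systems
            if s["max_age_days"] is not None and s["max_age_days"] < x]


def first_break(driver: dict, systems: list, last_change: str):
    """Given the ISO date of the last synchronised change, return
    (system, ISO date) of the earliest local expiry that falls before the
    driver's own rotation date, or None if every system outlasts the driver."""
    start = date.fromisoformat(last_change)
    driver_due = start + timedelta(days=driver["max_age_days"])
    earliest = None
    for s in systems:
        if s["max_age_days"] is None:
            continue
        due = start + timedelta(days=s["max_age_days"])
        if due < driver_due and (earliest is None or due < earliest[1]):
            earliest = (s["name"], due)
    return None if earliest is None else (earliest[0], earliest[1].isoformat())


if __name__ == "__main__":
    print("misaligned:", misaligned_systems(DRIVER, CONNECTED))
    print("first SSO break after 2011-01-01:", first_break(DRIVER, CONNECTED, "2011-01-01"))
```

With these constructed values the physician portal is the only misaligned system, and a user whose password was synchronised on 1 January would hit an expired portal password on 2 March, a month before the 90-day rotation the driver expects; the same check run before go-live is how the gap gets caught rather than discovered through help-desk calls.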

While password-management tools enable enhanced security, organizations shouldn't forget one other huge benefit: increased security awareness among users, Buonanno says.

"By doing this," she says, "we're bringing our users along so they now feel like they're a part of making Partners a more secure computing environment."

Copyright © 2011 CSO.
