Take Control of Your Passwords
Find a Smart, Practical Approach to Effective Password Management
Written by Todd Swensen
Like it or not, passwords aren't going anywhere. And if your organization is like most, you still heavily depend on traditional user ID/password combinations as your primary authentication method, and most experts don't see that changing any time soon. Despite a number of obvious and well-known shortcomings, traditional passwords are still the most popular, practical way to protect most corporate assets and information.
But that doesn't mean passwords can't create almost as many problems as they solve—especially in large, complex and heterogeneous IT environments. The major issues aren't new, and virtually every IT professional is familiar with them. Every time you add a new system or application to your environment, you also add a new set of credentials. New credentials mean more passwords for end users to remember. And more passwords translate directly into all kinds of bad habits (like choosing weak passwords or writing passwords down), inefficient processes, more help desk calls and all kinds of compliance complications. Without a smart, comprehensive approach to password management that addresses these persistent problems, runaway passwords can lower productivity, create unnecessary work for your IT staff and compromise the security of your organization.
Approaches for Solving Password Management Problems
These password-related challenges are nearly universal, but the approaches and techniques organizations use to solve them are not. Depending on many different factors—including underlying IT infrastructures, specific compliance pressures and end user requirements—you can choose from a number of different approaches and technologies. All of them have their own unique advantages and drawbacks.
One common technique involves making password management part of a larger identity lifecycle management and user provisioning solution. This involves assigning users a single password that gets synchronized automatically across all the connected systems in the environment. Back-end synchronization definitely reduces the number of passwords users have to remember. It also provides the distinct advantage of being an integral part of a larger identity management and provisioning solution. However, traditional password synchronization also comes with some inherent limitations. For example, if you integrate a mainframe system into your identity management infrastructure that only supports six-character passwords, true password synchronization means all your other connected systems must also adopt this restriction for synchronization to take place. In other words, synchronized passwords are limited to the “lowest common denominator” of all your connected systems. This obviously hinders your ability to implement best practice password policies. Password synchronization can also be cost prohibitive if you don't already have a robust identity management or provisioning system in place. If you're starting from scratch, other approaches to password management will probably prove less costly and require less integration work.
Web Access Management (WAM)
Another popular password management approach involves using a Web Access Management (WAM) product like Novell Access Manager™ to provide authentication and authorization to Web applications through a secure Web portal. These WAM systems also typically work with a user provisioning tool like Novell Identity Manager to control who can access what resources through the portal. In this scenario, users enter a single user name and password to log in to a convenient, customized portal interface that grants appropriate, identity-based access to internal applications and resources. This can provide end users with an exceptionally seamless and unified Web-based experience that brings many types of applications together in one convenient location. However, WAM implementations are limited to Web-based resources. Users still have to remember (or write down) passwords for Internet e-mail accounts, traditional applications and other systems that are not supported by the portal environment.
Enterprise Single Sign-On (ESSO)
A third approach to password management creates a kind of intermediary between users and all the different systems, applications and resources to which they need access. Like effective password synchronization and Web access management implementations, enterprise single sign-on should work closely with your identity management system to determine appropriate access rights and provide up-to-date credentials. In a typical enterprise single sign-on scenario, users provide one set of credentials to the single sign-on (SSO) system when they log in to the network. Then, that system pulls the appropriate user names and passwords from the directory and automatically presents them to various single sign-on enabled applications on the user's behalf. This approach eliminates the “lowest common denominator” problem by making it possible to apply a different password policy to every system or application. This allows you to take full advantage of the strongest passwords each individual application can support.
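To make the "lowest common denominator" contrast concrete, here is an added example (not from the paper and not Novell product code) that models each connected system's password policy, merges them the way back-end synchronization must, and checks per-system credentials the way enterprise single sign-on can; the system names, limits and sample passwords are constructed.

```python
from dataclasses import dataclass, replace
import string

@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int
    allowed: frozenset  # characters the system accepts
    def violations(self, pw):
        """Why pw fails this policy; an empty list means it is acceptable."""
        problems = []
        if len(pw) < self.min_length:
            problems.append(f"shorter than {self.min_length}")
        if len(pw) > self.max_length:
            problems.append(f"longer than {self.max_length}")
        bad = "".join(sorted(set(pw) - self.allowed))
        if bad:
            problems.append(f"disallowed characters {bad!r}")
        return problems

def synchronized_policy(systems):
    """Strictest bound on every axis across all connected systems: the policy
    a single synchronized password must meet (the 'lowest common denominator')."""
    ps = list(systems.values())
    return PasswordPolicy(max(p.min_length for p in ps), min(p.max_length for p in ps),
                          frozenset.intersection(*(p.allowed for p in ps)))

ALNUM = frozenset(string.ascii_letters + string.digits)
# Constructed environment: the directory takes strong passwords; the legacy
# mainframe accepts exactly six alphanumeric characters (as in the text).
SYSTEMS = {
    "directory": PasswordPolicy(12, 64, ALNUM | frozenset("!@#$%^&*()-_=+")),
    "mainframe": PasswordPolicy(6, 6, ALNUM),
}

def sync_outcome(systems=SYSTEMS):
    """Synchronization as configured: merged policy and whether any password can meet it."""
    merged = synchronized_policy(systems)
    return merged, merged.min_length <= merged.max_length

def relax_to_sync(systems=SYSTEMS):
    """What synchronization forces: every minimum drops to the weakest system's maximum."""
    cap = min(p.max_length for p in systems.values())
    return synchronized_policy({n: replace(p, min_length=min(p.min_length, cap))
                                for n, p in systems.items()})

def sso_outcome(per_system, systems=SYSTEMS):
    """ESSO: each stored credential is checked only against its own system's policy."""
    return {n: systems[n].violations(pw) for n, pw in per_system.items()}
```

With the directory's 12-character minimum and the mainframe's 6-character maximum, no single synchronized password exists until the directory policy is weakened to six alphanumeric characters, whereas the ESSO path lets each system keep the strongest password it supports.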
Enterprise single sign-on can also extend single sign-on capabilities to a wider range of external applications and Web resources, make mandatory password changes transparent and automatic for both administrators and end users, and even hide an application's true password from end users. One criticism of enterprise single sign-on technology revolves around the need to single sign-on enable every application. In the past, this has often involved complicated and time-consuming scripting to make individual applications respond appropriately to requests from the enterprise single sign-on system.
Finding the Best Answer
Given all the various advantages and drawbacks, which of these three password management approaches can offer your organization the best, most complete and most cost-effective password management option? The best answer probably involves some combination of all three. For example, you may want to use back-end synchronization to simplify password management across a few core systems, implement a Web access management product to deliver a unified portal environment for users, and then extend those password management capabilities with an enterprise single sign-on implementation. As long as these different password management components and technologies can all tap into your identity management framework, they can work together to provide the best possible answer for dealing with password-related challenges.
Extending and Enhancing Password Management with Novell SecureLogin
Enterprise single sign-on—working closely with an identity management system like Novell Identity Manager—often provides the fastest and most cost-effective way to enhance and extend your existing password management infrastructure. Novell SecureLogin offers a number of unique advantages that make it an especially attractive option. First, it's designed specifically to integrate easily with existing identity management and access management infrastructures, so it can add value quickly without forcing you to rip and replace your existing synchronization or Web access management systems. Novell SecureLogin also simplifies and automates the process of enabling the complete spectrum of Web, Windows, Java and terminal-based applications for single sign-on with a surprisingly flexible and intuitive point-and-click wizard, which eliminates the need for complicated scripting. Unlike traditional synchronization offerings, Novell SecureLogin allows you to link credentials for different clients of the same application, such as the Web and Windows Outlook clients. And finally, it includes audit-ready reporting capabilities that enhance your compliance efforts by making it easy to track and record all the systems and resources users access through the SSO system. These unique capabilities, and many others, make Novell SecureLogin an excellent addition to any identity-based system. And of course, Novell SecureLogin works especially well with other Novell password and identity lifecycle management products like Novell Identity Manager and Novell Access Manager.
Take Control of Your Runaway Passwords
Passwords always have been and will probably always be a fact of IT life. But with a smart, nuanced approach to password management that leverages the right combination of identity lifecycle management, password synchronization, Web access management and enterprise single sign-on technology, you can overcome the challenges of managing, controlling and supporting passwords. Novell is ready to make that process as smooth and cost-effective as possible with products like Novell Identity Manager, Novell Access Manager and Novell SecureLogin. (See Figure 1.)