New Trends in System Password Management
When it comes to identity and access management (IAM), one of the cornerstones remains the password. In the past several years, many large and mid-sized companies have adopted password management (PM) solutions that have allowed users to self-manage their passwords. Some companies, however, are implementing a more sophisticated version of PM, enterprise single sign-on (ESSO).
In recent years, most high-quality PM solutions have relied on challenge questions to help automatically authenticate end users who want to reset a password. Other security benefits typically include central IT management of password characteristics and expiration times.
The cost savings of a password management system are significant. Up to 75 percent of help-desk calls come from employees who have forgotten their password or need to reset it, says Sally Hudson, a research director in IDC’s Security Products and Services group. Eliminating those calls can free help-desk staff to deal with more important issues.
One organization using ESSO is Hilton Grand Vacations Company, the timeshare division of Hilton Hotels Corp. The Orlando-based firm implemented an ESSO solution from Lexington, Massachusetts-based Imprivata last summer. For Rich Jackson, the firm’s vice president of technology operations, a major concern was how the new software would work with his firm’s many legacy applications, some of which were 15 to 20 years old, and their varying password policies.
He says the implementation process pleasantly surprised him. With the help of one engineer from product reseller Tribridge of Tampa, Florida, Hilton rolled out ESSO to about 3,000 desktops in less than 40 hours. The system has also been easy for end users to adjust to. “It walks users through a series of security questions, and, after the first sign-on, it logs into each application and the new software takes over.”
The new system is helping with security compliance. “It logs who accesses what when. In some cases, we can use the system to show how we require strong passwords,” he says.
The reduction in help-desk calls is generating savings. The system cost about $100,000, he says, with about $15,000 annually in maintenance. But he estimates that help-desk calls have dropped by about 2,000 monthly, to about 5,500. “That’s about $40,000 saved annually.”
One risk of such systems is that the single password could end up in the wrong hands, giving an unauthorized user access to numerous applications. “Someone could write it down,” says Butler Group Senior Research Analyst Andrew Kellett. As with all ID management systems, it’s important to maintain controls, he says.
Imprivata allays some of these concerns. “It’s highly granular,” says Jackson. “We were able to assign rights to each application according to each employee.”
In at least one case, Jackson says he felt the new system added to security risks. He was concerned that if one employee were to leave his or her seat, another might be able to sit in that person’s place, potentially accessing a sensitive application. Jackson countered this by having Windows automatically log off after a very brief period of inactivity.