1
Managing Password Insanity
Determining the best approach for your organization
2
Overview
- Business Context
- Business Challenges
- Password Policy
- Common Approaches to Password Management & Benefits
- Novell Nsure password management solutions
- Customer Success Stories
- ROI
- Why Novell?

Speaker notes: Introduce key presentation sections [modify as appropriate].
3
Compelling Questions
- How many passwords does your typical user have to remember?
- How much time are your users losing by logging and re-logging into the applications they need to effectively do business with your organization?
- How much time and money are you spending each year to reset forgotten passwords?
- How can you be sure that your passwords aren’t vulnerable to attack?
- How many strategic IT opportunities have you missed because you are simply too busy handling password-related administration?
- How many of your users are writing down or sharing passwords because they have too many to remember?

Speaker notes: Today’s complex, demanding business environments are forcing organizations to ask some tough questions. Here are a few examples. How many of these apply to your business?
- How many passwords does your typical user have to remember? According to a study conducted by Secure Enterprise magazine in 2003, the average user has 11 passwords to remember. How many applications do you add each year that require a login?
- How much time and money are you spending each year to reset forgotten passwords? According to the analyst house Gartner, it costs an organization between $25 and $50 each time a user calls the help desk to reset a lost or forgotten password.
- How many strategic IT opportunities have you missed because you are simply too busy handling password-related administration?
- How much time are your users losing by logging and re-logging into the applications they need to effectively do business with your organization?
- How many of your users are writing down or sharing passwords because they have too many to remember? According to a study conducted by Secure Enterprise magazine in 2003, approximately 55% of users write down at least one password, and approximately 9% write down all of their passwords.

All of these questions – and the keys to resolving them – really come back to a single concept: password management.
4
Survey Question: What are your biggest concerns with regard to password management?
- Internal and external users have too many passwords to remember
- Lack of strong passwords
- Lack of a strong enterprise password policy
- Help desk is overburdened with password-related calls
- Our organization has to comply with regulations like HIPAA and Sarbanes-Oxley
5
Business Context
Diagram labels: Your business, Employees, Partners, B2B, Customers

Password Management
Speaker notes: Let’s take a moment to examine why technology has failed to meet business needs. There are 3 primary forces at play here:
- Business requirements are changing. Employees are seeking greater access to your company’s information – regardless of where it resides – and easier ways to access that information.
- Customers and trading partners want to conduct business with you electronically, which requires a level of interoperability that may not even exist in your organization today. And opening your network to the world creates a long list of serious security issues.
- And of course, there’s always the competitive urgency to continually improve efficiency, service and productivity.

To remain competitive, enterprises need to provide their employees, customers and partners with secure access to applications and services. This presents a challenge because of the large and rapidly growing number of applications and services, and the enormous and expanding user base. A major component of this challenge is “password inflation”, meaning that users must remember a continuously increasing number of passwords to access the tools they need. Password management creates a number of challenges for the organization. We’ll talk about those in more detail later on.
6
The Business Challenges
- User Convenience: How do I reduce the number of passwords my users need to remember and use to log on to network systems?
- Security: How do I eliminate the security risks of users writing down, sharing, or using weak or old passwords?
- Cost Containment: How do I reduce the rising help desk costs caused by all the passwords my users have to remember?
- Support Regulatory Compliance: How do I comply with regulations such as HIPAA, Sarbanes-Oxley (North America) or the Data Protection Act (UK)?

Speaker notes: Your success depends on providing your employees, customers and partners with the applications and services they need to do business with your organization. But as the number of applications and services grows, your users are forced to remember more passwords to access the tools they need. This situation presents a number of challenges that touch all levels of an organization:
- User Convenience: How do I reduce the number of passwords my users need to remember and use to log on to network systems?
- Security: How do I eliminate the security risks caused by all the passwords my users have to remember?
- Cost: How do I reduce the rising help desk costs associated with password management?

Novell has a solution to help organizations address these challenges, depending on your main driver(s) and existing infrastructure.
7
Building the Business Case Internally
Contact and the challenges he or she has to address:
- Chief Security Officer / Chief Information Security Officer: need to reduce or eliminate password-related security risks; need to ensure the appropriate level of security for specific systems or apps; need to enforce corporate security policy
- Chief Information Officer / IT Director: need to reduce help desk costs; need to put measures in place to comply with regulations such as Sarbanes-Oxley; need to reduce the number of passwords employees have to remember; need to allow remote or distributed users to work productively
- Chief Finance Officer / VP of Finance / VP of Compliance: need to reduce costs overall; need to put measures in place to comply with regulations such as Sarbanes-Oxley
- VP of Customer Care: need to provide better service to customers
- VP of Partner Relations: need to strengthen business relationships with existing partners and create new opportunities

Speaker notes: It’s important to understand what types of challenges different levels of the organization are trying to address. With this knowledge, you can position your password management solution as strategic to helping them address their needs.
8
Survey Question: Which part of your organization is driving the decision for a password management solution in your organization?
- Chief Financial Officer (CFO) / Chief Security Officer (CSO)
- Chief Information Officer (CIO) / Information Technology (IT)
- Business Units
- Customers
- Business Partners
9
Speak their Language

What you say…
“I have a way for users to change or reset their passwords through a Web browser using secure LDAP and SSL with synchronization across all connected back-end systems through XML data interchange.”

What they hear…
“I have a blah, blah, blah, blah Web blah, blah, blah LDAP and SSL blah, blah, blah, blah across all connected blah, blah, blah, blah.”

Speaker notes: Password management is typically viewed as an IT function. But embarking on any sort of password management deployment requires convincing other members of the organization that such a solution is strategic to the enterprise. Frame password management in the context of other people’s problems in the organization, so you (IT) get traction within other areas of the company. Password management relates to SOX, which makes it compelling to the levels of management concerned with regulatory compliance (typically the VP level); improperly managing passwords can also result in costly administration, which is compelling to the finance people and the IT Directors, etc.

Put it in terms they’ll understand…
“I have a ‘one-stop shop’ that allows employees & customers a secure way to manage their passwords across the entire enterprise, allowing them to remain productive without needing to call the help desk.”
10
Comprehensive Password Management: From Policy Definition to Deployment
11
Setting Policy What is a password policy?
A set of rules, established at the executive level, that govern the use and protection of passwords on all systems across the enterprise. The password policy is typically set or defined as part of a company’s overarching security policy.

Key components of a password policy:
- Standards: the compulsory requirements that must be met
- Guidelines: the recommended practices when an exception to the standards is encountered
- Procedures: the step-by-step instructions on how to implement the defined standards and guidelines

Speaker notes: A good password policy has the following components:
- Standards: the means to ensure that the policy is carried out in a uniform manner
- Guidelines: a set of best practices to follow when an exception to the standards or procedures occurs
- Procedures: a step-by-step set of instructions to achieve the configuration necessary to enforce the standard

An example of a password policy standard might be the following: “Passwords must be at least 6 characters in length and must contain at least 1 numeric character.” Unfortunately, not all systems are capable of enforcing such a standard, and exceptions to this standard are bound to occur. This is where a guideline may be applied. A guideline is a set of best practices to be used when exceptions to standards are found. Guidelines are generally handled on a case-by-case basis, but having a set of guidelines allows an organization to approach a problem with consistency.

An example of a password policy guideline for those systems that cannot enforce the standard might be the following: “For systems that cannot enforce a password with at least 1 numeric character, the length of the password must be increased to a minimum of 10 characters.”

After standards and guidelines are created and documented to support the password policy, procedures must be developed. The following is an example of a password procedure for the standard defined above:
1. Open the application’s administration console
2. Click through to the password management settings
3. Set the minimum number of characters to 6
4. Check the box to force numeric characters
5. Set the value of the minimum number of numeric characters to 1
12
Example of Policy – Standards

Technical Controls (enforcement by software):
- Password must conform to a minimum of 6 and maximum of 20 characters in length
- Password must contain at least one (1) numeric character
- Passwords must be unique
- Passwords must be changed every 30 days
- Passwords must be stored in an encrypted data repository

Administrative Controls (enforcement by people):
- Passwords may not be written down or posted on sticky notes attached to a monitor
- Passwords may not be shared with other people
- Passwords cannot be an existing piece of personal identification (i.e., cannot use a Social Security Number)

Speaker notes: A good password policy has the following components:
- Standards: the means to ensure that the policy is carried out in a uniform manner
- Procedures: a step-by-step set of instructions to achieve the configuration necessary to enforce the standard
- Guidelines: a set of best practices to follow when an exception to the standards or procedures occurs

Password policy is only one type of policy that may apply to an organization. Depending upon how an organization creates its security policy, there may be an overarching “authentication policy” that dictates how users can be identified and authenticated. A password policy would be one example of how a user can authenticate, and there may be other policies like a “proximity device policy”, a “token authentication policy”, and/or a “biometric authentication policy” to define other authentication mechanisms that may be used to provide access to sensitive data. For the purposes of this presentation, we are focusing on the password policy, password management, and architectures that can be used to enhance them. We will not be discussing other forms of authentication.
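As an added illustration (not Novell code, and not part of the original deck) of how the standard above and the guideline from the previous slide can be enforced in software: a checker that applies the 6-to-20 character, numeric-character, uniqueness and personal-identification rules, and raises the minimum to 10 characters on a system that cannot enforce the numeric rule. The `PolicyStandard`, `TargetSystem` and `UserRecord` names are assumptions made for the example.

```python
"""Password-policy checker modelled on the standard and guideline in these slides.

Added example, not Novell code.  Class and function names are assumptions.

Standard:  6..20 characters, at least one digit, unique against the user's
           previous passwords, not a piece of personal identification.
Guideline: on a system that cannot enforce the digit rule, the minimum
           length rises to 10 instead.
The 30-day rotation and "stored encrypted" rules belong to the system's
expiry timer and credential store, so they are not checked here.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os


@dataclass
class PolicyStandard:
    min_length: int = 6
    max_length: int = 20
    min_digits: int = 1


@dataclass
class TargetSystem:
    """Capabilities of one back-end system (constructed for the example)."""
    name: str
    can_enforce_digits: bool


@dataclass
class UserRecord:
    # Salted hashes of previous passwords, so "unique" can be checked
    # without keeping any clear-text history.
    history: list = field(default_factory=list)
    # Personal identifiers the password may not equal (e.g. an SSN).
    personal_ids: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def remember(user: UserRecord, password: str) -> None:
    """Record a newly accepted password in the user's history."""
    salt = os.urandom(16)
    user.history.append((salt, _hash(password, salt)))


def seen_before(user: UserRecord, password: str) -> bool:
    """Constant-time comparison against every stored history entry."""
    return any(hmac.compare_digest(_hash(password, salt), digest)
               for salt, digest in user.history)


def effective_rules(std: PolicyStandard, system: TargetSystem) -> tuple:
    """Return (min_length, min_digits) that this system must enforce.

    Applies the slide's guideline: where the digit rule cannot be enforced,
    compensate with a 10-character minimum and drop the digit requirement.
    """
    if system.can_enforce_digits:
        return std.min_length, std.min_digits
    return max(std.min_length, 10), 0


def check_password(password: str, user: UserRecord, std: PolicyStandard,
                   system: TargetSystem) -> list:
    """Return the list of rule violations (an empty list means compliant)."""
    min_len, min_digits = effective_rules(std, system)
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters on {system.name}")
    if len(password) > std.max_length:
        problems.append(f"longer than {std.max_length} characters")
    if sum(c.isdigit() for c in password) < min_digits:
        problems.append(f"fewer than {min_digits} numeric character(s)")
    # Strip separators so "123-45-6789" and "123456789" are treated alike.
    norm = password.replace("-", "").replace(" ", "")
    if any(norm == pid.replace("-", "").replace(" ", "") for pid in user.personal_ids):
        problems.append("equals a piece of personal identification")
    if seen_before(user, password):
        problems.append("reuses a previous password")
    return problems
```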
13
Managing Passwords What is password management?
The ability to securely manage the number of passwords internal and external users have to use and remember in order to conduct business with an organization.

How does password management affect password policy? Password management should serve to strengthen and enforce the organization’s password policy, not work against it.

Speaker notes: Password management is different from password policy. Password management pertains to the user experience in using passwords within an organization. How many passwords does the user have to remember? Is there a way to reduce the number of passwords a user does have to remember? Do users have a mechanism for self-help for forgotten passwords? Password management is very much focused on the user experience and ease of use for the people who need access to systems and resources. Taken to an extreme, password management has the ability to compromise an organization’s stated password policy. Providing access to information and resources is about identifying the risks and mitigating them. Thus, password management should serve to strengthen and enforce the stated password policy instead of working against it. Password management should also include an auditing component to ensure the password policy is being enforced. A good auditing infrastructure will also notify people when the password management components themselves are being modified by someone.
14
Enterprise password management vs. system-specific password management
System-by-system password management (some weak, some strong) has distinct deficiencies:
- Not readily scalable from an administration perspective
- Differences in password storage security
- Different systems have different levels of password security enforcement
- Users generally must manage a large number of passwords
This type of approach leads to severe inconsistencies in password administration and password policy enforcement.

Speaker notes: Password management used to apply individually to each system deployed in an organization. For most organizations, the number of systems deployed has increased steadily over the years, and the number of passwords needing to be remembered by users has also increased. This leads to a cumbersome method of password management on behalf of both administrators and users. Users generally must remember a larger number of passwords, each with a different set of requirements and complexity. This means people are more likely to write down passwords and store them in a place where they can be easily discovered. Administrators are also responsible for maintaining all of the back-end systems, dealing with different password storage capabilities, and trying to maintain consistency across systems that have varying degrees of configuration and enforcement. When password management is left at the individual system level, the probability of security (and the password policy) being violated is high. This poses the next question: “How does an organization think about password management from an enterprise level?”
15
Enterprise password management vs. system-specific password management
An enterprise password management approach allows enforcement of an organization’s password policy while also addressing business goals:
- Passwords can be stored more securely (redirection)
- Password policy enforcement can be extended to systems that might not have the built-in capability to enforce stronger passwords (synchronization)
- Users will only need to remember a reduced number of passwords across all systems (store-and-forward / synchronization)
- Integrated applications conform to the enterprise password policy, providing enhanced security (hybrid)

Speaker notes: By looking beyond individual systems and attempting to integrate the individual silos into a more cohesive, logical structure, an organization can provide users with a good user experience while still maintaining the password policy needed by the organization. In the next section of this session, we will discuss the various approaches and architectures for enterprise password management to show how an organization can “get to the next level” of password management.
16
Survey Question: In addressing password management for your organization, which capabilities are you looking for?
- Synchronization
- Self-service Password Reset
- Single Sign-on
- Password Redirection
- Advanced Authentication (i.e. Biometrics)
17
Common approaches Comprehensive Password Management
Diagram labels: [Self Service Password Reset], [Web Single Sign-on], Web-based Applications, Enterprise Business Applications; [Password Synchronization], [Federated Authentication], Enterprise Business Applications, Business Partner Systems; [Client-based Single Sign-on], [Password Redirection], Legacy Systems & Enterprise Business Applications; LDAP Authentication Directory; Comprehensive Password Management.

Speaker notes: The utopia of “comprehensive password management” is something that most organizations strive toward. It’s important to realize that “comprehensive password management” can take several forms. For some organizations, one of the common approaches listed in this diagram will fit the bill. But many organizations end up deploying a combination of these options for internal and external users to access a myriad of server-based, Web-based and legacy systems and applications. The options can be defined as follows:
- Password Synchronization: the password is “synchronized” across all connected back-end systems and applications
- Self-Service Password Reset: allows users to reset their own passwords without having to call the help desk
- Client-based Single Sign-on: provides users a single password for critical systems and applications, requiring them to log in once
- Web Single Sign-on: provides users a single password for access to an organization’s (or partners’) Web-based systems and affiliated Web sites
- Password Redirection: allows applications to authenticate against an external source (i.e., against a directory via LDAP) instead of looking to their own local security database, which may be far less secure
18
Password Synchronization
Diagram: Workstation; Network – OS (Username1 / Password, NOS, Native Application API); App 1 – SAP (Username2 / Password, Native Application API); App 2 – Mainframe (Username3 / Password, Native Application API); App 3 – Win32 (Username4 / Password, Native Application API). Password changes detected and distributed after being checked against the password policy.

Speaker notes: The concept of password synchronization is pretty straightforward. In this architecture, the applications are accessed through their native client interfaces. Thus, a Novell client might be used to access the network file and print services. The SAP application may be used to access Human Resource or financial information. A TN3270 application could be used to access the mainframe. However, when a change is made to the password through any one of these native interfaces, the password change is detected, captured, and distributed to all of the systems integrated in this architecture. Thus, if the password is changed to the file and print infrastructure through the Novell client, the change is captured, and the new password is passed to the SAP system, the mainframe, and the Win32 infrastructure. If the password is changed on the mainframe, the change is captured, and the new password is passed to the other integrated systems. This is known in some circles as “bidirectional password synchronization”.

With the password synchronization architecture, the user may have to remember a number of different usernames for disparate applications; however, the password will be the same for all integrated systems. This is one example of “single sign-on” by some people’s definition. The advantage to this solution is that no modifications need to be made on the client side to facilitate the password synchronization; it is all done on the back end through integration software. The user also only needs to remember a single password to access all integrated services, which makes customer service advocates extremely happy.

There are, unfortunately, some serious disadvantages to this approach. Some of them are so severe that they even break the architecture. The first (and foremost) disadvantage is that the password must be capable of being intercepted at the time it is changed, or the password must be stored in a recoverable format so the password is known and can be distributed to the other integrated systems. Secure applications store passwords in a format that cannot be read, and sometimes once the password is stored the original clear text cannot be retrieved. This method of secure storage is different from application to application, and more often than not, this method of storage is not compatible between applications. So the encrypted form of the password cannot simply be shuttled between applications and be expected to work. The password has to be known in clear-text form so that it can be stored in the appropriate way within each application. So if the password is stored in the mainframe in a manner where the password is not originally known and cannot be recovered, there is no way to synchronize that password to the other systems. This is the main issue with bidirectional password synchronization.

The other serious disadvantage to this approach is that more often than not passwords themselves are not compatible from system to system. One application may support only 6-character passwords. If this system were integrated with other systems, then a 6-character password would be required for all systems. Not all password policies are created equal, and using password synchronization forces a single password policy to be applied to all connected systems. This single password policy ends up being the lowest common denominator (i.e., least secure) between the systems. It can, in effect, “dumb down” the password between systems.
19
Password Synchronization – Advantages & Disadvantages
Advantages
- Easy to remember one password – users don’t write passwords down
- Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
- Failures have a small impact on users (only those changing their password at the time of failure)
- Generally no user workstation modification required to implement

Disadvantages
- User must log in multiple times although the password is consistent
- Usually a complex implementation
- Not all systems will easily support bidirectional password synchronization
- Passwords may not be compatible across systems and have the potential to be “dumbed down”
- No support for advanced authentication

Speaker notes: as for the previous slide.
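To make the “lowest common denominator” effect concrete, here is an added example (not from the deck and not Novell code) that intersects the per-system password rules of three constructed systems. The synchronized policy collapses to the most restrictive limits any one system imposes, and adding an incompatible system leaves no password that every system would accept. System names and limits are constructed for the example.

```python
"""Why bidirectional password synchronization 'dumbs down' the password.

Added example, not Novell code; system names and limits are constructed.

When one password must be accepted by every integrated system, the only
passwords that work are those satisfying the intersection of all the
systems' rules: the shortest maximum length, the longest minimum, and only
the character classes every system permits.  The result is the weakest
policy any one system imposes, or no workable policy at all.
"""
from dataclasses import dataclass
from typing import Optional
import math
import string


@dataclass(frozen=True)
class SystemRules:
    name: str
    min_length: int
    max_length: int
    allowed: frozenset      # characters the system accepts in a password
    requires_digit: bool


def synchronized_rules(systems: list) -> Optional[SystemRules]:
    """Intersect the rules; return None when no single password can satisfy all."""
    min_len = max(s.min_length for s in systems)
    max_len = min(s.max_length for s in systems)
    allowed = frozenset.intersection(*(s.allowed for s in systems))
    requires_digit = any(s.requires_digit for s in systems)
    if min_len > max_len or not allowed:
        return None
    if requires_digit and not (allowed & set(string.digits)):
        return None
    return SystemRules("synchronized", min_len, max_len, allowed, requires_digit)


def search_space_bits(rules: SystemRules) -> float:
    """log2 of the number of passwords the rules admit (an upper bound on guessing cost).

    Ignores the digit requirement, which only shrinks the space further.
    """
    total = sum(len(rules.allowed) ** n
                for n in range(rules.min_length, rules.max_length + 1))
    return math.log2(total)


def accepted_by_all(password: str, systems: list) -> bool:
    """The check each native system would make, applied to one candidate password."""
    for s in systems:
        if not (s.min_length <= len(password) <= s.max_length):
            return False
        if any(c not in s.allowed for c in password):
            return False
        if s.requires_digit and not any(c.isdigit() for c in password):
            return False
    return True


ALNUM = frozenset(string.ascii_letters + string.digits)
PUNCT = frozenset(string.punctuation)

# Constructed sample: a modern directory, an ERP system and a legacy mainframe
# that only accepts 6..8 upper-case alphanumerics.
SAMPLE_SYSTEMS = [
    SystemRules("eDirectory", 8, 64, ALNUM | PUNCT, True),
    SystemRules("SAP", 6, 40, ALNUM | PUNCT, True),
    SystemRules("Mainframe", 6, 8, frozenset(string.ascii_uppercase + string.digits), False),
]

if __name__ == "__main__":
    sync = synchronized_rules(SAMPLE_SYSTEMS)
    for s in SAMPLE_SYSTEMS + [sync]:
        print(f"{s.name:12} {s.min_length:2}..{s.max_length:2} chars, "
              f"{len(s.allowed):3} symbols, ~{search_space_bits(s):.0f} bits")
```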
20
Self-Service Password Reset / Password Distribution
Diagram: Workstation; Directory with Password Self-Serve (challenge/response mechanism for self-service password reset); App 1 – SAP (Username2 / Password, Native Application API); App 2 – Mainframe (Username3 / Password, Native Application API); App 3 – Win32 (Username4 / Password, Native Application API). Password changes detected and distributed one-way after being checked against the password policy.

Speaker notes: Password distribution is a variation of the password synchronization architecture because it provides a one-way synchronization from a centralized data source to the integrated applications. Most password distribution systems also come with a facility for self-service password reset. Self-service password reset is usually a set of challenge/response questions the user has set up prior to forgetting a password. When the password is forgotten, the user can go to the reset page, answer the challenges originally set up, and reset the password. This reset password is then distributed to all of the other integrated systems so the user can access all applications without having to call the Help Desk, for example.

The password distribution approach avoids the complication of the native password recovery problem. The only password that needs to be detected and synchronized is the password in the self-service system. This facilitates easier integration of applications into a larger, more manageable infrastructure. However, the main drawback is that the password needs to be changed in this master system, or it is not synchronized across the infrastructure. A sloppy implementation of this approach can lead to passwords being different across integrated systems, resulting in more Help Desk calls instead of fewer.
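The reset flow described above, as an added example (not Novell code): the user’s challenge answers are enrolled as salted hashes, a reset requires a quorum of correct answers, and the new password is distributed one-way to the integrated systems only after it passes the policy check. `ChallengeStore`, `Connector` and the quorum of 2 are assumptions made for the example; the connectors are stand-ins for the native application APIs.

```python
"""Self-service password reset with challenge/response and one-way distribution.

Added example, not Novell code.  Class names, the quorum and the connectors
are assumptions; real deployments would call each system's native API.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import os
import re


def _normalize(answer: str) -> str:
    # Case and punctuation differences in "St. Mary's" should not lock users out.
    return re.sub(r"[^a-z0-9]", "", answer.lower())


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


@dataclass
class ChallengeStore:
    """Challenge questions a user enrolled before forgetting the password."""
    answers: dict = field(default_factory=dict)   # question -> (salt, digest)

    def enroll(self, question: str, answer: str) -> None:
        salt = os.urandom(16)
        self.answers[question] = (salt, _hash(_normalize(answer), salt))

    def verify(self, responses: dict, quorum: int) -> bool:
        """True when at least `quorum` of the enrolled questions are answered correctly."""
        correct = 0
        for question, (salt, digest) in self.answers.items():
            given = responses.get(question, "")
            if hmac.compare_digest(_hash(_normalize(given), salt), digest):
                correct += 1
        return correct >= quorum


class Connector:
    """Stand-in for a native application API (SAP, mainframe, Win32 ...)."""

    def __init__(self, name: str):
        self.name = name
        self.current = None     # (username, password) last pushed to this system

    def set_password(self, username: str, password: str) -> None:
        self.current = (username, password)


def policy_ok(password: str) -> bool:
    # The standard quoted earlier in the deck: 6..20 characters, one numeric.
    return 6 <= len(password) <= 20 and any(c.isdigit() for c in password)


def self_service_reset(store: ChallengeStore, responses: dict, username: str,
                       new_password: str, connectors: list, quorum: int = 2):
    """Return (succeeded, message).  Distribution is one-way: master -> systems."""
    if not store.verify(responses, quorum):
        return False, "challenge failed"
    if not policy_ok(new_password):
        return False, "password violates policy"
    # Only now does the new password leave the master system.
    for connector in connectors:
        connector.set_password(username, new_password)
    return True, f"distributed to {len(connectors)} systems"
```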
21
Self-Service Password Reset – Advantages & Disadvantages
Advantages
- Reduce help-desk costs associated with password resets
- Help desk has the capability to reset passwords on all systems
- Users spend less time on the phone with the help desk to reset passwords
- Easy to remember one password – users don’t write passwords down
- Generally no user workstation modification required to implement
- Failures have a small impact on users (only those changing their password at the time of failure)
- Easier to implement than bidirectional password sync because the native password recovery problem is avoided

Disadvantages
- Business process change: users must change passwords only in one place for it to work properly
- No support for advanced authentication methods
- Poorly planned implementations may increase Help Desk calls instead of reducing them
- User must log in multiple times although the password is consistent

Speaker notes: as for the previous slide.
22
Client-based Single Sign-on
Diagram: Workstation with Capture & Replay Software (UsernameA / PasswordA, minimal human logon process); back-end applications with non-integrated identities: Network – eDirectory (Username1 / Password1, Directory), App 1 – SAP (Username2 / Password2), App 2 – Mainframe (Username3 / Password3), App 3 – Win32 (Username4 / Password4); External Systems.

Speaker notes: The Enterprise/Client-based Single Sign-On approach provides what is generally called a “Capture and Replay” or “Store and Forward” approach to password management, and it facilitates the user-experience nirvana of “authenticate once and access all applications”. Each individual application maintains its own security database and functions just as it would normally function out of the box on the back end. It is the magic on the front end that makes this solution work. The Enterprise Single Sign-On architecture allows the user to authenticate to an application one time. Once the user has successfully authenticated, the Enterprise SSO software captures the information and securely stores it for future use. The next time the user attempts to access the application, the Enterprise SSO software detects the application that is being launched, realizes it has credentials stored for the application, and posts the known credentials to the application on behalf of the user. This process is repeated for every application the user might access.

Top-of-the-line Enterprise SSO software will integrate with a directory to allow the user’s stored credentials to be accessed from any workstation on the network. This prevents a workstation-focused solution that would require a user to access applications from the same piece of hardware every time. By storing credentials in a directory, the user can log in to any workstation that has access to that directory (and also has the Enterprise SSO software installed) and still realize the SSO experience.

The greatest advantage to the Enterprise SSO solution is that just about any application can be integrated into the SSO solution, and it does NOT require any modifications to the back-end systems to achieve this. Thus, both new and legacy applications can be easily integrated without incurring a large cost for application modification. Also, the systems being integrated into the SSO experience need not be controlled by a single organization. Good Enterprise SSO software will allow a user the SSO experience to both organization-specific applications (HR system, mainframe access, etc.) and Internet-based sites (Yahoo, brokerage accounts, on-line banking, etc.).

The largest drawback to this approach is that the Enterprise SSO software must be installed and maintained on every workstation a user might use to access network services. This could include both business and personal machines. This maintenance should be coupled with an application management solution to reduce the administrative costs of maintaining another application on the desktop.

This option also supports advanced authentication. This means you can lock down workstations if they have been idle for a given period of time, if a user has walked away from the workstation, or if a user has removed their authentication device. This forces new users to re-authenticate to the workstation to access corporate resources. It also provides an extra level of security depending on the sensitivity of the data being accessed.
23
Client-based SSO – Advantages & Disadvantages
Advantages
- Convenience
- Reduction in password reset call volume
- Aids roll-out of stronger password policies, due to the requirement to remember fewer passwords
- Centralized policy management/enforcement
- Secure credential storage
- No modification to back-end systems required
- Support for advanced authentication
- Integrates with systems not owned by the organization

Disadvantages
- One key to the kingdom (can be overcome with various strong authentication methods)
- Requires a client on every desktop
- Time and cost to deploy client-side software
- Forgetting the “master” password incurs a huge cost in resets across many different systems

Speaker notes: as for the previous slide.
24
Web SSO Architecture
(Diagram: distributed users reach a portal interface on the Internet with one username and password; an access management infrastructure backed by a directory maps that login to the separate credentials (Username2 / Password2, Username3 / Password3, Username4 / Password4) of the back-end Web applications.)
The Web SSO Architecture provides a similar service to the Enterprise Single-Sign On Architecture; however, all of the applications being accessed by the end user are Web-based. By using an intermediary access management control infrastructure (proxy-based or agent-based), an organization can provide single-sign on to its back-end Web infrastructure even if the credentials are different for each application. With this approach the user attempts to access a Web-based application or resource via a browser. The access management control infrastructure intercepts the request, processes credential information by validating it against an external source (usually a directory), and posts the appropriate credentials (if different) to the requested application on behalf of the user. The back-end web applications generally maintain their own local security databases, and the access management control system is simply posting the necessary information to the web server after validating the user. This type of architecture is dependent upon the organization controlling all of the back-end web services and implementing the access management control system. The greatest benefit of this approach versus Client-based Single Sign-on is that no client software is required on the user’s workstation to facilitate the single-sign on. Only a web browser must be maintained either at a workstation, or from any Web-enabled device.
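The intercept, validate and post flow described above, as an added example that is not part of the original presentation or of any Novell product: a small Python model in which the proxy checks the user’s single credential against a directory once, then supplies each back-end application’s own credential on the user’s behalf. The user names, application names and passwords are constructed sample data; the directory stores only salted PBKDF2 hashes, while the credential store necessarily holds the back-end passwords themselves, which is the “one key to the kingdom” risk the following slide lists.

```python
import hashlib
import hmac
import os
import secrets


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2 password hash; the directory keeps only salt + digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Directory:
    """The external source the proxy validates the portal credential against."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_pw(password, salt))

    def validate(self, username, password):
        record = self._users.get(username)
        if record is None:
            _hash_pw(password, bytes(16))  # keep timing uniform for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(digest, _hash_pw(password, salt))


class CredentialStore:
    """Maps (portal user, application) to that application's own credential."""

    def __init__(self):
        self._creds = {}

    def add(self, user, app, app_user, app_password):
        self._creds[(user, app)] = (app_user, app_password)

    def lookup(self, user, app):
        return self._creds.get((user, app))


class BackendApp:
    """A back-end web application that still keeps its own local security database."""

    def __init__(self, name, local_db):
        self.name = name
        self._db = local_db  # app username -> app password (constructed sample data)

    def login(self, app_user, app_password):
        if self._db.get(app_user) == app_password:
            return {"status": 200, "app": self.name, "as": app_user}
        return {"status": 401, "app": self.name}


class AccessManagementProxy:
    """Intercepts requests, validates the single credential once, then posts the
    application-specific credential to the requested back-end on the user's behalf."""

    def __init__(self, directory, store, apps):
        self._dir, self._store, self._apps = directory, store, apps
        self._sessions = {}  # session token -> portal username

    def login(self, username, password):
        if not self._dir.validate(username, password):
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = username
        return token

    def request(self, token, app_name):
        user = self._sessions.get(token)
        if user is None:
            return {"status": 401, "reason": "no valid session"}
        app = self._apps.get(app_name)
        cred = self._store.lookup(user, app_name) if app else None
        if cred is None:
            # The user is authenticated but has no credential mapped for this app.
            return {"status": 403, "reason": "no credential mapped for this application"}
        return app.login(*cred)


def build_demo():
    """Wire up one portal user holding different credentials on two back-ends (constructed)."""
    directory = Directory()
    directory.add_user("alice", "Portal-Passw0rd!")
    store = CredentialStore()
    store.add("alice", "hr", "alice.hr", "Password2")
    store.add("alice", "mainframe-web", "ALICE01", "Password3")
    apps = {
        "hr": BackendApp("hr", {"alice.hr": "Password2"}),
        "mainframe-web": BackendApp("mainframe-web", {"ALICE01": "Password3"}),
        "crm": BackendApp("crm", {}),  # no credential mapped for alice
    }
    return AccessManagementProxy(directory, store, apps)


if __name__ == "__main__":
    proxy = build_demo()
    token = proxy.login("alice", "Portal-Passw0rd!")
    for app in ("hr", "mainframe-web", "crm"):
        print(app, proxy.request(token, app))
```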
25
Federated Authentication Architecture
(Diagram: the same layout as the Web SSO architecture, with the access management infrastructure additionally presenting a separate credential (UsernameA / PasswordA) to 3rd party systems.)
The Federated Authentication architecture is an extension of the Web Single Sign-on architecture except it provides the ability to authenticate to applications that are not controlled by the organization. There is generally some sort of trust relationship set up between organizations supporting federated authentication, and this architecture is most often seen in B2B type situations, although it is gaining more acceptance in the B2C space with the advent of the Liberty Alliance. Federated authentication is still in the early stages of development as an authentication technology. One example of federated authentication technology is being developed by the Liberty Alliance. For more information on federated identities, its related technologies, and how the Liberty Alliance is championing it, please refer to the Liberty Alliance web site at
26
Web SSO/ Federated Authentication – Advantages & Disadvantages
Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation
27
Password/LDAP Redirection
(Diagram: the workstation, the network OS (NOS), App 1 – SAP, App 2 – Mainframe and App 3 – Win32 each send the same username / password through their native application API over LDAP to a central LDAP directory, the central store of authentication credentials.)
The Password Redirection architecture leverages a centralized directory of authentication credentials that are used by all integrated applications. Applications no longer use their own local security databases. Instead, applications make LDAP calls against a central directory in an attempt to authenticate a user. Every application is effectively using the same credential set, and the same username and password can be utilized by every application in the infrastructure. Users would still authenticate multiple times to the infrastructure, and they would use the native client utilities to authenticate. However, they would only need to remember one username and one password for all applications. It would just have to be used multiple times. From an administration perspective, only one repository of user information needs to be maintained instead of administering many different silos of identity data across disparate applications. No modifications need to be made to the user environment, either. All modifications are made to back-end systems to use a different security database. Also, the LDAP directory generally has stronger password storage features and better password policy capabilities, and will increase the security of an organization. The main drawbacks to this approach are that not all applications can be redirected in this way (specifically many legacy applications), and that it may require some development on the organization’s part to retrofit deployed applications to this model.
28
Password/LDAP Redirection – Advantages & Disadvantages
Advantages
• Password is stored more securely than most identity information stores
• User credential information for many disparate applications will reuse the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages
• Requires the end application to be LDAP aware
• User must login multiple times although password is consistent
• Raises issue of directory availability in the enterprise because the credential is no longer local to the application
29
Advantages and Disadvantages
Password Synchronization
Advantages
• Easy to remember one password – users don’t write passwords down
• Passwords can be changed in any environment using local native tools and still be synchronized to all integrated applications
• Failures have a small impact on users (only those changing pwd at time of failure)
• Generally no user workstation modification required to implement
Disadvantages
• User must login multiple times although the password is consistent
• Usually a complex implementation
• Not all systems will easily support bidirectional password synchronization
• Passwords may not be compatible across systems and have the potential to be “dumbed down”
• No support for advanced authentication

Password Self-Service and Password Distribution
Advantages
• Reduce help-desk costs associated with password resets
• Help desk has capability to reset passwords on all systems
• Spend less time on phone with the help desk to reset passwords
• Easy to remember one password – users don’t write passwords down
• Generally no user workstation modification required to implement
• Failures have a small impact on users (only those changing pwd at time of failure)
• Easier to implement than bidirectional password sync because the native password recovery problem is avoided
Disadvantages
• Business Process Change: users must change passwords only in one place for it to work properly
• No support for advanced authentication methods
• Poorly planned implementations may increase Help Desk calls instead of reducing them
• User must login multiple times although password is consistent

Client-based Single Sign-on
Advantages
• Reduction in password reset call volume
• Aids roll-out of stronger password policies, due to requirement to remember fewer passwords
• Centralized policy management/enforcement
• Secure credential storage
• No modification to back-end systems required
• Support for advanced authentication
• Integrates with systems not owned by the organization
Disadvantages
• One key to the kingdom (can be overcome with various strong authentication methods)
• Requires client on every desktop
• Time and cost to deploy client-side software
• Forgetting the “master” password incurs a huge cost in resets across many different systems

Web Single Sign-on and Federated Authentication
Advantages
• Convenience
• Reduction in password reset call volume
• No need to synchronize passwords—less deployment effort
• Centralized policy management/enforcement
• Secure credential storage
• No client required
Disadvantages
• One key to the kingdom (can be overcome with certificates or tokens)
• Does not integrate with legacy applications
• Requires aggressive access management control infrastructure as a foundation

Password Redirection
Advantages
• Password is stored more securely than most identity information stores
• User credential information for many disparate applications will reuse the same object on the network, leading to easier administration
• Leverages common Internet standard protocols (LDAP) instead of proprietary protocols
• A standard set of APIs for authentication and authorization can be developed and deployed
Disadvantages
• Requires the end application to be LDAP aware
• User must login multiple times although password is consistent
• Raises issue of directory availability in the enterprise because the credential is no longer local to the application

This is a summary slide that incorporates all the advantages and disadvantages from the 5 architectures in one place. It can be easily used to compare and contrast the approaches instead of having to analyze data across multiple slides.
30
Hybrid Solution One Size Does Not Fit All
The best approach to the password management problem will most likely not rely on a single approach or architecture. To mitigate the disadvantages of one solution, use a complementary approach. Take 2 or more! Mix and match! To mitigate Password Synchronization’s disadvantage of multiple user logins, add the Client-based Single Sign-On approach to your enterprise password management strategy. Using the two together will also address Client-based Single Sign-On’s disadvantage of someone forgetting the “master” password. In order to fully address an organization’s business problems, more than one approach to enterprise password management will generally be used. This is called the “hybrid” solution. This is generally done to mitigate the disadvantages of a single approach and strike the balance between user convenience and security. More often than not, an organization may deploy 3-5 of the approaches to solve the problem—not just one or two, although that may be the starting point.
31
Password Management Benefits
Password Management
• Increase security
• Reduce password-related administrative cost
• Improve user and help desk productivity
• Enhance end user’s experience
(Diagram: password management sits between your business and its employees, partners, B2B relationships and customers.)
The benefits of password management are clear, and the right combination of approaches can help you address a number of password-related business issues you are facing:
Enhance Security (call out key points, based on the customer’s current challenges):
• Enforces password policies and allows the establishment of different policies for different applications and services, requiring stronger passwords for more sensitive applications.
• Immediately revokes access privileges when a user’s relationship is terminated. The administrator can shut off all access privileges across all systems with a single update, eliminating lingering access that could compromise security.
• Reduces the number of passwords to reduce security risks associated with writing passwords on sticky notes and other vulnerable methods for remembering passwords.
• Enhances security of legacy systems without requiring modification to those systems. As a result, the organization can incorporate its existing systems into its password management solution, leveraging its investments.
• Locks down idle workstations to prevent unauthorized users from accessing corporate resources via unattended workstations. Lockdown can occur when the workstation is idle for a specified period of time or when the user removes an authentication device, such as a smart card, from the workstation.
• Limits help desk administrator privileges, enabling the organization to permit technicians to reset passwords without granting unnecessary administrative privileges that would give them access to user resources or other parts of the system.
• Encrypts communication across communication channels to prevent eavesdropping and theft of sensitive information.
• Supports compliance with regulations and standards, facilitating conformance with government mandates and industry standards.
• Supports strong authentication with such mechanisms as tokens, smart cards and biometrics to provide additional security for sensitive information and systems.
Reduce password-related administration costs
With the Novell approach, administrators centrally manage passwords based on the organization’s policy. Moreover, reducing the number of passwords users must remember also reduces password administration tasks, allowing the IT staff to focus on more strategic initiatives, while self-service capabilities allow users to securely reset their own passwords. In short, Novell password management solutions increase administrator productivity and slash the number of password-related help desk calls, reducing your administrative and support costs. Users can be given the ability to securely reset forgotten passwords, over the Web if necessary, without administrator intervention. This self-service capability reduces the time users waste on forgotten passwords. It also reduces the number of password-related help desk calls, dramatically reducing support costs and enabling the organization to increase service levels without increasing IT staff.
Improve user and help desk productivity & Enhance end user’s experience
Novell password management solutions offer several methods for reducing the number of passwords users inside and outside the organization must remember:
• Password synchronization enables users to use a single password for all the applications and systems to which they require access, although they must still enter a user ID and password each time.
• With single sign-on, one password provides access to all the resources a person is authorized to use, including client-based applications, Web-based applications and services from business partners’ Web sites.
Each method makes it easier and faster to get to resources, resulting in higher productivity and happier users.
32
Novell Nsure password management solutions
The Novell password management solution, one of the key Novell Nsure secure identity management solutions, enables secure password management for users inside and outside your organization. The solutions:
• enhance the end user’s experience
• mitigate security risks
• reduce password-related administrative costs
• leverage your existing business processes, policies and infrastructure
Novell offers a comprehensive set of solutions that provide the capabilities we’ve discussed today. The technologies, in combination with the expertise of our consulting and technical support organizations, let you deploy a solution to securely and efficiently manage passwords across your organization so your employees, customers and partners get the resources they need without the associated security risks—all while substantially reducing password-related support costs. Novell Nsure password management solutions combine our client-based single sign-on (SSO), Web SSO, self-service password reset and synchronization, federated authentication and professional services capabilities.
33
Novell Nsure password management solutions
Comprehensive Password Management
(Diagram: the approaches Web Single Sign-on, Self-Service Password Reset, Password Synchronization, Federated Authentication, Password Redirection and Client-based Single Sign-on, each mapped to one of the products Novell Nsure Identity Manager, Novell iChain, Novell Nsure SecureLogin and Novell eDirectory.)
Novell is one of the few vendors in the marketplace that provides a set of comprehensive password management solutions. The breadth of our solutions allows you to address password-related challenges from fundamental issues like reducing the number of passwords your users need to remember to more complex challenges like providing your customers with single sign-on access to your Web site and your partners’ Web sites. Novell’s understanding of these business issues and proven expertise in solving them will ensure that you get a secure solution that enhances the user experience, reduces password-related costs and eliminates security holes.
34
Novell Nsure case study:
RadioShack
1 Customer situation
• High employee turnover in retail business creates high costs to bring on new employees
• Paper-based open enrollment process
• 30,000 employees needed network accounts
2 Approach
• Create central repository for user information, based on PeopleSoft
• Provide secure Web access for 30,000 employees, based on identity
• Automate benefits election process
3 Business results
• Network access for employees with single ID and password
• Automated benefits election process without adding new staff
• Reduced HR administrative work by 85 percent
Novell Nsure Success Story
Overview
RadioShack Corporation is the nation’s most trusted consumer electronics specialty retailer of wireless communications, electronic parts, batteries and accessories as well as other digital technology products and services. With more than 7,000 stores nationwide, it is estimated that 94 percent of all Americans live or work within five minutes of a RadioShack store or dealer.
Challenge
In the retail industry, high employee turnover is the nature of the business, and often leads to higher costs. With 30,000 employees and the typical high turnover rates of the retail industry, RadioShack needed to minimize the cost of bringing on new employees. Its benefits election process was completely paper-based, with a significant number of election information packets mailed to employees each year. By putting this process online, the company sought to significantly cut costs associated with HR administration. To automate its open enrollment process, RadioShack needed a way to automatically create and manage new network accounts for its 30,000 employees, giving them secure Internet access to benefit information.
Solution
RadioShack evaluated the PeopleSoft Directory Interface, but wanted a solution that would support its entire infrastructure, not just its open enrollment process. RadioShack selected a Novell Nsure solution consisting of Novell eDirectory, Novell DirXML and Novell iChain.
“From an architecture standpoint, we needed the central management of Novell eDirectory and the bi-directional update capabilities of Novell DirXML,” said Ron Cook, vice president of Strategy and Technical Operations for RadioShack. “A Novell Nsure solution gives us much more flexibility to extend secure identity management to many of our other applications.” RadioShack engaged Novell consultants to create a single repository for user information by using DirXML to integrate user data from PeopleSoft to Novell eDirectory. Using eDirectory as the identity repository, RadioShack was able to automatically create network accounts for each of its 30,000 employees, giving them secure access to benefits information based on their identity. Today, when a change is made to data in either PeopleSoft or eDirectory, DirXML automatically synchronizes the change across both systems, eliminating the need for manual updating. “A service that deals with sensitive personnel information requires security that is absolutely solid,” said Cook. “With Novell Nsure, we can confidently extend our benefits process to the Web knowing the right people will have access to the right information when they need it.” During the open enrollment period, employees used a single ID and password to access their online benefits application and make their selections. Novell consultants also created a custom password reset utility to help RadioShack avoid the cost of hiring additional support staff. If employees forget a password, they have a self-service application to reset their password without having to call for support. “With the help of Novell, we had our benefits election application running and fully tested well ahead of our open enrollment schedule,” said Cook. “We had a seamless rollout and received relatively few helpdesk calls during the entire six-week enrollment period.” RadioShack uses Novell iChain to provide secure Web authentication for more than 2,000 franchise stores. 
Each of these stores relies on Answers Online, a suite of applications that store personnel rely on for information at their fingertips. Novell iChain provides secure access to information, improving the ability of salespeople to provide quick and accurate customer service. Currently, RadioShack has an IT staff of four managing its entire Novell environment. With a single identity source in eDirectory, this team manages 30,000 employees and can keep pace with the volume during open enrollment and the addition of new employees. RadioShack also plans to leverage its secure identity management solution for other applications, such as its PBX phone system, to further reduce administrative time and costs. “Our Novell solution is a foundational project in many ways,” said Cook. “It met our immediate needs of rolling out online benefits, but is really the foundation for a secure identity management solution throughout all our stores.”
Results
With a Novell Nsure solution, RadioShack automated its benefits election process without the need to hire extra staff to manage accounts or passwords. During its open enrollment period, the company’s HR department reduced manual data entry by 85 percent. Most important, the company has a scalable, secure identity management foundation to significantly reduce administrative time and costs throughout its enterprise. “Before Novell Nsure, our benefits process was completely paper-based, with a significant number of election information packets mailed to new employees each year,” said Jana Freundlich, vice president of Compensation and Benefits for RadioShack. “By taking that process online, we’ve made it much faster and more convenient for our employees to make their selections and we have saved about 30 days of administrative work associated with annual open enrollment.”
35
Novell Nsure case study:
Standard Life
1 Customer situation
• Security issues with multiple passwords for 13,000 global employees
• Increasing password-related helpdesk calls
• Decreasing employee productivity
2 Approach
• Create single, centralized directory for user information
• Establish secure password management
• Track access to corporate systems
3 Business results
• Single ID and password for each employee
• Increased security
• Reduced helpdesk calls
• Improved employee productivity
Overview
Standard Life is Europe’s largest mutual life assurance company with assets under management in excess of £75 billion. It provides financial services to more than 5 million customers, and employs over 13,000 staff in offices throughout the United Kingdom, Republic of Ireland, Spain, Canada, Germany, Austria, Hong Kong, China and India.
Challenge
With more than 13,000 employees spread throughout the world, Standard Life faced several challenges relating to password management. Users were required to first log on to their workstations, then the mainframe system, and at times more than 10 separate applications. This led to users resorting to writing down passwords and displaying them, potentially jeopardizing company security. Moreover, with so many passwords for users to recall, the IT helpdesk was continually bombarded with requests to reissue and reset passwords, increasing administration costs. Standard Life wanted a secure password management solution that would centralize management and reduce the number of password-related calls to the service desk. In addition, the company wanted to present a single point of authentication, enabling it to easily monitor both internal and external access to the system.
Solution
Following a thorough evaluation of various solutions, Standard Life selected Novell Nsure for its security, reliability and ease-of-use. The solution is delivered through best-of-breed products, including Novell eDirectory™, Novell SecureLogin and Novell BorderManager®.
“The Novell solution has increased our infrastructure security and improved our users’ productivity,” said Katie Holland, IS Service Center project analyst, Standard Life. “We should have implemented Novell’s secure identity management solution sooner.” Novell eDirectory, Novell’s premier directory service, stores Standard Life’s user identities and serves as the central access point for all applications and data. eDirectory allows the company to store millions of user identities in a single, centralized location. Novell SecureLogin, another component of the secure identity management solution, enables secure and reliable password management. The directory-based, single sign-on solution encrypts and stores authentication credentials in Novell SecretStore®, a secure repository located within eDirectory, so that users are only required to enter their username and password once, and are then able to easily maneuver from application to application. Currently, Standard Life has deployed SecureLogin to more than 7,000 users and plans for a companywide rollout within 2003. “Users won’t need to rely on their memories to recall so many passwords —SecureLogin will do it for them,” said Holland. “The solution will also protect our system against unauthorized access by verifying users’ credentials through the directory, ensuring the utmost security.” SecureLogin works in parallel with the company’s Customer Internet Access (CIA) project, which uses Lightweight Directory Access Protocol (LDAP) authentication to validate external users and grant secure access to its corporate systems, while offering a common interface. Novell BorderManager is then used as the firewall proxy and manages access to the Internet. Through the Novell secure identity management solution, the company is now able to track who is accessing its corporate systems and avoid costly security breaches.
Results
Standard Life has already witnessed significant results from the Novell Nsure solution.
The company now has a secure password management system, enhancing internal and external user productivity and ultimately impacting its bottom line. With only one password to recall, the service desk has seen a considerable reduction in password-related incidents and calls, which will enable the company to reallocate valuable IT resources. “Novell products are strategic and important to our business. The Novell Nsure solution has met all our needs — it has improved business productivity and overall security,” said Philip Murray, Standard Life Information Service Center manager. “We are very pleased with the results.”
36
ROI: Help Desk & Productivity Savings
Help Desk Savings
Number of Users: 10,000
Average cost per password-related call to the help desk: $37.50
Cost per month for password-related calls to the help desk: $16,875
Cost per year for password-related calls to the help desk: $202,500
Productivity Savings
Average duration of password-related call to the help desk: 25.2 minutes
Average number of password-related calls per month: 450
Hours wasted by employees per month: 189
Hours wasted by employees per year: 2,268 hours
Lack of an effective password management solution creates significant costs for an organization. Typically, those costs are a result of two factors—loss of user productivity and excessive time spent by help desk personnel resetting and managing users’ passwords. When users forget their passwords, they call the help desk. According to Giga, nearly 30 percent of help desk calls are password related. Giga also estimates that each time end users call the help desk, it costs anywhere from $25 to $50 (for an average of $37.50).[1] Translation: if an organization with 10,000 users receives an average of 450 password-related calls per month, it can expect to spend between $135,000 and $270,000 a year resetting lost or forgotten passwords.
[1] “Password Reset Software Can Help Reduce Helpdesk Costs,” Renee Woo, Giga, March 30, 2001
Help Desk Calculation*:
10,000 users × 15% of users who call the help desk monthly × 30% of those calls being password-related = 450 users call the help desk every month with password-related issues
450 calls × $37.50 average cost per call = $16,875 for password-related calls per month
$16,875 × 12 months in the year = $202,500 for password-related calls per year
*based on Giga calculations
With so many passwords to remember, it’s typical for users to spend an inordinate amount of time on the phone with the help desk to reset lost or forgotten passwords. Besides increasing support costs, this creates a productivity problem for end users and for the IT staff. According to analysts, the average duration of a password-related call to the help desk is 25.2 minutes. This means that in an organization with 10,000 users, people collectively waste 189 hours each month getting assistance with passwords. It also means that the IT staff is so busy managing passwords that they are not focusing on initiatives more strategic to the organization.
Productivity Calculation*:
450 password-related calls per month × 25.2 minutes average call duration ÷ 60 minutes per hour = 189 hours wasted by employees per month
189 hours × 12 months in the year = 2,268 hours wasted by employees per year
37
Best-of-Breed Solutions
“After implementing and evaluating competitive solutions from Novell, Computer Associates and Courion, Network Computing/Secure Enterprise gave Novell the Editor's Choice award. The robustness and flexibility in its supported target systems, password and account management make this suite, a perfect fit…." -Network Computing October 2003 Full article is posted at: &pgno=1
38
Competitive Advantages of Novell Nsure password management solutions
Differentiators:
breadth of the Novell password management offering
built on a solid identity management foundation
comprehensive and modular solutions
leverages your existing business processes, policies and infrastructure
poised to support your evolving business needs
Breadth of Novell offering. The breadth of Novell’s password management solutions allows us to customize each solution based on your existing infrastructure, business processes and policies. Unlike other niche vendors that try to sell the same solution to every customer, Novell provides a complete set of alternatives—including single sign-on, password synchronization, password redirection and Web single sign-on capabilities. And with deep expertise in deploying password management solutions, Novell consultants can create a solution that combines these capabilities to enhance your users’ experience, reduce unnecessary administrative costs and protect organizational resources.
Built on a solid identity management foundation. Novell password management solutions are built on top of a strong identity management foundation. This means that a user’s role or relationship with the organization determines which systems and applications they can access. And, depending on the user’s role and the sensitivity of the information they access, organizations can implement stronger authentication policies and methods for specific users and applications (such as biometrics or smart cards).
Comprehensive and modular solution. By comprehensive we mean that it addresses all the needs associated with password management. It handles security inside and outside your organization, whether it’s people from the inside accessing internal and external resources, people from the outside trying to access internal applications, or customers trying to conduct business with you or your business partners.
What we mean by modular is that you can implement different portions of the solution according to your business strategy or your business growth. For instance, you can begin by reducing the help desk call volume related to forgotten passwords, then you could work on a solution that makes it easy for your customers to access services on your site or your business partners’ sites. The solution can be broken down in whatever way matches your strategy, your budget and your needs as they evolve.
Leverages your existing infrastructure investments. Novell Nsure solutions can connect with any application, datastore or directory. Additionally, it’s completely cross-platform: it will run on NetWare, Linux, Solaris, Windows 2000, Windows NT, Unix, AIX and so on. So with Novell you’ll actually be able to get more value out of your existing investments by carrying them into your evolving business processes.
39
Building Solutions on top of the Foundation
[Slide diagram: Novell Secure Identity Management Solution Suite. Identity Solutions: Password Synchronization, Web Access Control, Single Sign-On, Resource Management, Provisioning, Portals. Access Management & Auditing: Role Based Access Control, Federated Authentication, Secure Logging & Auditing, Monitoring, Notifications. Identity Management: Role Based Admin, Delegated Admin, Self Service, Workflow, Event, Policy. Identity Integration: Federated, Meta-Directory, Directory Service.]
Password management is a great entry point into deploying a larger secure identity management solution. Secure Identity Management provides the foundation for secure administration and application of Identity across the enterprise. Novell’s SIM technologies enable robust access control and scalable administration through implementation of secure, efficiency-oriented management mechanisms and Integrated Identity. As part of its broad suite of SIM components, Novell includes additional technologies enabling the creation of powerful solutions including Self Service Password & Identity Management, Provisioning, Web Access Control and Secure Logging & Auditing. Due to the strength of Novell’s SIM technologies and their unique flexibility accommodating advanced customization, many additional solutions are possible.
40
To learn more…
To learn more about Novell Nsure password management solutions, visit:
41
Evaluation Survey
Based on what you’ve seen today, would you like a Novell representative to contact you to discuss the optimal password management solution for your organization?
Please have someone contact me
Please have someone contact me in three to six months
I’m undecided.