
Large Scale Password Management With Hitachi ID Password Manager

Abstract
As users access ever more systems and applications, they accumulate passwords and other authentication factors. Complexity that arises in managing multiple login technologies leads to IT support and security problems: high help desk call volumes, written passwords, lost or stolen OTP tokens and smart cards, etc.

Effective password management addresses these problems by helping users to manage all of their authentication factors in an integrated manner. Passwords are synchronized, so there are fewer to remember. Self-service allows users to reset their own forgotten or locked out passwords or PINs and unlock PCs with encrypted disks. A single process is used to enroll security questions, mobile phone numbers and biometric samples. The entire solution is made available from full screen or mobile phone web browsers, phone calls or PC login screens.

Introduction

This white paper describes self-service management of authentication factors in general and Hitachi ID Password Manager in particular. It shows how product features and best practices address business problems.

Password Manager is a solution for managing all of a user's authentication factors. It lowers IT support cost and improves security.

Business Drivers: IT Support for Passwords and PINs

Users who must manage multiple passwords to corporate systems and applications have usability, security and cost problems.

Users have too many passwords. Each password may expire on a different schedule, be changed with a different user interface and be subject to different rules about password composition and reuse.

Some systems are able to force users to select hard-to-guess passwords, while others are not. Some systems require that users change their passwords periodically, while others cannot enforce expiration.

Users have trouble choosing hard-to-guess passwords.

Users have trouble remembering passwords, because they have too many of them or because they chose a new password at the end of the day or week, and didn't have an opportunity to use it a few times before going home.

These problems drive users to choose trivial passwords, to avoid changing their passwords and to write down their passwords. All of these behaviors can compromise network security.

When users do comply with policy and regularly change their passwords to new, hard-to-guess values, they tend to forget their passwords and must call the help desk.

Password and login problems are the top incident type at most IT help desks, frequently accounting for 25% or more of total call volume.

In addition to the above security and support cost problems, users simply don't like memorizing and typing passwords. Password management is a nuisance that contributes to a negative perception of IT service.

Despite all these problems, passwords will continue to be needed for years to come:

  1. Passwords are significantly less expensive to deploy and support than other technologies.
  2. Other authentication technologies, such as biometrics, smart cards and hardware tokens, are typically used along with a password or PIN, i.e., "something you have" (smart card, token) or "something you are" (biometric) plus "something you know" (password, PIN).
  3. Passwords are an important backup to other authentication technologies:
    1. Hardware devices can be lost or stolen or simply left at home.
    2. Some devices from which users need to access corporate systems, such as smart phones and home PCs, may not support more advanced authentication methods.

Since passwords are not going away and remain difficult for users to manage, solutions are needed to help users more effectively manage their passwords.


Technical Challenges: Hard-To-Support Passwords

Enabling synchronization and self-service reset for passwords on centralized servers is reasonably straightforward. Technical problems arise, however, with locked out users, mobile users, cached credentials and PKI.

Locked Out Users

Users often forget their initial network login password or inadvertently trigger an intruder lockout. These users should be able to get assistance, reset their network or local password, clear intruder lockouts and get back to work.

Since these users have a problem with their workstation login, they cannot access a conventional web browser or client/server application with which to resolve their problem. The problem these users face is how to get to a user interface, so that they can fix their login problem and subsequently access their own workstation desktop.

This problem is especially acute for mobile users, who use cached domain passwords to sign into their workstation and who may not be attached to the corporate network when they experience a forgotten password problem.

Cached Credentials

Windows workstations cache user passwords -- typically the primary password a user types at the login screen, which was authenticated against Active Directory. This is done for two reasons:

  1. To enable users to log into their workstation while detached from the network (example: traveling laptop).
  2. To automatically sign the user into resources, such as shared file and print services, without having to ask the user to retype his password.

When a user changes his password using the network client software on the workstation (e.g., the ctrl-alt-del method), the network client automatically updates its cached password.

On the other hand, if a user is logged into his workstation and his password is simultaneously reset elsewhere on the network -- for example by the help desk, or by the user himself on a second, concurrently logged in workstation -- then the cached password on the workstation will not change; it will simply be wrong.

Similarly, if the user forgets his password and it is reset on the network while his PC is disconnected (e.g., remote), the new password will not be copied to the workstation until it is re-attached to the network.

An invalid, cached password causes several problems:

  1. If the user's PC is not attached to the network when his password changes, the user will be unable to use the new password on his PC until he re-attaches to the network.
  2. If the user's PC is attached to the network and the user attempts to access a network resource (file server, print queue, etc.), the workstation may send an incorrect, cached password to the network resource, which will increment the user's "number of invalid login attempts" counter. Repeated connection attempts will trigger an intruder lockout.

Replication Delays

Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This can create problems for remote users who inadvertently trigger a lockout and subsequently call a central help desk for assistance. The help desk will typically clear the user's lockout on a domain controller near the help desk. The cleared lockout may take a long time (hours) to replicate to the domain controllers against which the user wishes to authenticate, or which service the network resources that the user wishes to access.

This problem is especially acute in global organizations with hundreds of domain controllers and a single, global IT support function.

Note that AD password change replication is described here:

http://technet.microsoft.com/en-us/library/cc772726.aspx

Forgotten Passwords for Full Disk Encryption

Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login.

If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

Mobile, Disconnected Users

Traveling users typically log into their workstations using cached Active Directory passwords. If they forget the cached password, technical support may be expensive, insecure or simply impossible:

  1. Expensive: the user must physically bring (or mail) the laptop to a corporate location, so that the PC can re-authenticate to the AD domain and cache the user's newly reset password.
  2. Insecure: alternately, the help desk can give the traveling user the login ID and password of an alternate login ID, which is defined on the user's PC (not a domain account), whose security will henceforth be compromised.
  3. Impossible: the user is unable to bring his PC to the office and the help desk cannot or will not offer an alternate, local user ID.

While the frequency of password reset incidents for traveling users is typically low, the cost per incident is much higher than for network-attached users.

Managing PKI Passwords

Public key infrastructures typically deploy certificate files on PCs and smart cards. This enables users to access encrypted documents, send and receive encrypted e-mail and (with smart cards) perform multi-factor authentication, even while disconnected from the corporate network.

Certificate files are typically encrypted and decrypted using a user's personal password or smart card PIN. In other words, users have a "PKI password," which is not necessarily stored on any server. Rather, this password is used to unlock the user's personal certificate file.

This is true both of standards-based PKI, using X.509 certificates, and of proprietary PKI, using Lotus Notes ID files.

"PKI passwords," including Lotus Notes ID file passwords, are difficult for IT organizations to support because they cannot be administratively reset:

  1. The PKI certificate may exist in multiple locations -- one or more PCs, network home directories, USB flash drives, smart cards, etc.
  2. Some of these locations may be inaccessible to a password management server on the network.
  3. The PKI certificate must be decrypted, using the current password, before it can be re-encrypted, with the new password. In other words, there is no notion of an administrative password reset, which does not rely on knowledge of the current password.

Password Manager Features

Password Manager is designed to reduce the cost and improve the security of password systems:

Password Synchronization

Password synchronization is any process or technology that helps users to maintain a single password, subject to a single security policy, across multiple systems.

Password synchronization is an effective mechanism for addressing password management problems on an enterprise network.

There are two ways to implement password synchronization: transparent and web-based.

Password synchronization is one of the core features of Password Manager, which implements both transparent and web-based password synchronization.

Self-service Password Reset

Self-service password reset is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate method and repair their own problem, without calling the help desk.

Users who have forgotten their password or triggered an intruder lockout may launch a self-service application using an extension to their workstation login prompt, using their own or another user's web browser or through a telephone call. Users establish their identity, without using their forgotten or disabled password, by answering a series of personal questions, using a hardware authentication token or by providing a biometric sample. Users can then either specify a new, unlocked password or ask that a randomly generated one be set.

Self-service password reset expedites problem resolution for users after a problem has already occurred and reduces help desk call volume. It can also be used to ensure that password problems are only resolved after strong user authentication, eliminating an important weakness of many help desks: social engineering attacks.

One of the core features of Password Manager from Hitachi ID Systems is self-service password reset.

Self-Service, Anywhere: Supporting Mobile Users and Encrypted Disks

Password Manager includes key features to assist mobile users:

  1. E-mail notification to users about upcoming password expiry, since the notice displayed at the Windows login prompt is not shown to users away from the office.
  2. Support for resetting forgotten encryption keys for users whose PCs are protected with full disk encryption.
  3. Support for resetting forgotten passwords or PINs from the login prompt, even if the user is away from the office and is not physically attached to the Internet.

Assisted Password Reset

Password Manager includes an assisted password reset web portal, which allows IT support staff to help callers without having direct administrative access to target systems.

Assisted password reset reduces the cost of password support calls and ensures that such calls are handled in a consistent, secure fashion.

Password Policy Enforcement

Password Manager is normally configured to enforce a uniform password policy across all systems, to ensure that any new password will be acceptable to every integrated system. This provides the most clear and understandable experience to users. Password Manager is configured such that it will never accept or attempt to propagate a password that will not meet this global password policy.

For instance, in the case of an organization that has both Windows Active Directory (AD) and z/OS passwords, where users may enter very long passwords on AD but only 8 characters on the (older) mainframe, Password Manager can require that passwords be exactly 8 characters long. Alternately, Password Manager can support longer passwords, but truncate them when it updates the mainframe. (Users generally prefer the preset length rule, as it is easier to understand than automatic truncation).

In general, systems enforce two types of password rules: complexity requirements and representational constraints.

A global password policy is normally created by combining and strengthening the best-of-breed complexity requirements from each system affected by the policy. Password Manager then combines these with the most restrictive representational constraints (such as maximum length and permitted characters). This forces users to select strong, secure passwords on every system.

The alternative, of defining different password policies for every target system or for groups of target systems, is considered to be user-unfriendly. To update their passwords, users must select a system, choose a password, wait for the password update to complete, possibly re-authenticate, choose another system, choose a different password, etc. Users must then remember multiple passwords and will continue to experience many password problems. It has been shown that users with many passwords have a strong tendency to write down their passwords.
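The merging rule described above, as an added example that is not Hitachi ID's code: complexity requirements are strengthened to the strictest value from any system, representational constraints are intersected, and a candidate password is checked against the result. The "AD" and "z/OS" rule sets are hypothetical, chosen so the merged policy is the "exactly 8 characters" case from the text.

```python
# Added example (not Hitachi ID's code): merging per-system password rules into
# one global policy. The "AD" and "z/OS" rule sets are hypothetical and simplified,
# not the real defaults of either system.
from dataclasses import dataclass
from typing import List, Optional

UPPER = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = frozenset("abcdefghijklmnopqrstuvwxyz")
DIGIT = frozenset("0123456789")


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    min_char_classes: int                      # complexity: distinct classes (upper/lower/digit/other)
    allowed_chars: Optional[frozenset] = None  # representational: None = any character accepted
    forbid_user_id: bool = False               # complexity: password may not contain the login ID


def merge_policies(policies: List[PasswordPolicy], name: str = "global") -> PasswordPolicy:
    """Combine per-system rules into one global policy.

    Complexity requirements are strengthened: the strictest value from any system wins.
    Representational constraints are intersected: only what every system accepts survives.
    """
    allowed = None
    for p in policies:
        if p.allowed_chars is not None:
            allowed = p.allowed_chars if allowed is None else allowed & p.allowed_chars
    return PasswordPolicy(
        name=name,
        min_length=max(p.min_length for p in policies),
        max_length=min(p.max_length for p in policies),
        min_char_classes=max(p.min_char_classes for p in policies),
        allowed_chars=allowed,
        forbid_user_id=any(p.forbid_user_id for p in policies),
    )


def char_classes(password: str) -> set:
    """Set of character classes present in the password."""
    classes = set()
    for c in password:
        if c in UPPER:
            classes.add("upper")
        elif c in LOWER:
            classes.add("lower")
        elif c in DIGIT:
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def violations(policy: PasswordPolicy, password: str, user_id: str) -> List[str]:
    """Return every rule a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if len(char_classes(password)) < policy.min_char_classes:
        problems.append(f"fewer than {policy.min_char_classes} character classes")
    if policy.allowed_chars is not None:
        rejected = sorted(set(password) - policy.allowed_chars)
        if rejected:
            problems.append("characters not accepted by every system: " + "".join(rejected))
    if policy.forbid_user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    return problems


# Hypothetical rule sets: the merged result is min 8 / max 8, i.e. "exactly 8 characters".
AD = PasswordPolicy("Active Directory", min_length=8, max_length=127, min_char_classes=3,
                    forbid_user_id=True)
ZOS = PasswordPolicy("z/OS", min_length=6, max_length=8, min_char_classes=1,
                     allowed_chars=UPPER | DIGIT | frozenset("@#$"))
GLOBAL = merge_policies([AD, ZOS])

if __name__ == "__main__":
    for candidate in ("K7#QR2P9", "Tr0ub4dor&3", "JSMITH12"):
        print(candidate, violations(GLOBAL, candidate, "jsmith") or "OK")
```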

Password Expiration / Aging Enforcement

To enforce password expiration and to get users to trigger web-based password synchronization, Password Manager is configured to detect upcoming password expiration, either on individual systems (e.g., Windows, AD, LDAP) or based on the last time a user changed his passwords using Password Manager, and to remind users to change their passwords using the Password Manager web UI.

Password expiration is normally configured so that users change their passwords with the Password Manager web portal on a shorter expiry interval than the native password expiry on any system. This way, Password Manager prompts users to change passwords before any other system does, and users are never prompted to change expired passwords by other systems or applications.

Early notification of upcoming password expiration is a viable alternative to transparent password synchronization, especially in cases where it is impossible to trigger synchronization from the primary login system that users most often use.

Users can be notified of upcoming password expiration by e-mail. Alternately, a small client program can be triggered at user login time, which checks whether the user currently logging in is on the list of "soon to expire" users and -- if so -- opens the user's default web browser to a URL that asks the user to change his passwords.

The same small program can be used to make the password change mandatory, by opening a kiosk-mode web browser to the password change web portal and requiring the user to change passwords before they can close this browser and access their desktop.

Preventing Password Reuse

In Password Manager, password history is "infinite" by default. Unless specifically allowed, users are prevented from reusing passwords at all. Where password reuse is allowed, it is based on a time interval, rather than the number of intervening password changes. Password history is stored in a one-way, non-reversible hash (SHA-1 plus 64-bit random salt).
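A history store with the properties just described, as an added example that is not Hitachi ID's code: every entry is a SHA-1 digest over a fresh 64-bit random salt and the password, history is infinite unless a reuse interval is configured, and reuse is decided by elapsed time rather than by the number of intervening changes. The class and method names are assumptions.

```python
# Added example (not Hitachi ID's code): a password history kept as salted SHA-1 digests,
# "infinite" by default, with optional time-interval-based reuse as the text describes.
import hashlib
import hmac
import os
import time
from typing import List, Optional, Tuple


class PasswordHistory:
    """History of a user's past passwords, stored only as salted one-way hashes."""

    def __init__(self, reuse_after_seconds: Optional[float] = None):
        # None = infinite history: a password may never be reused.
        # A number = reuse is allowed once that many seconds have passed since it was set.
        self.reuse_after = reuse_after_seconds
        self.entries: List[Tuple[bytes, bytes, float]] = []   # (salt, digest, set_at)

    @staticmethod
    def _digest(salt: bytes, password: str) -> bytes:
        # SHA-1 over salt || password, the construction the text names. A design written
        # today would use a deliberately slow hash here; SHA-1 is kept to match the text.
        return hashlib.sha1(salt + password.encode("utf-8")).digest()

    def record(self, password: str, now: Optional[float] = None) -> None:
        """Store a newly set password. The clear text is never kept."""
        salt = os.urandom(8)            # 64-bit random salt, fresh for every entry
        set_at = time.time() if now is None else now
        self.entries.append((salt, self._digest(salt, password), set_at))

    def is_reuse(self, candidate: str, now: Optional[float] = None) -> bool:
        """True if the candidate matches a past password that may not yet be reused."""
        now = time.time() if now is None else now
        for salt, digest, set_at in self.entries:
            # Each entry has its own salt, so the candidate is re-hashed per entry;
            # constant-time comparison avoids leaking how much of a digest matched.
            if hmac.compare_digest(self._digest(salt, candidate), digest):
                if self.reuse_after is None or now - set_at < self.reuse_after:
                    return True
        return False

    def check_and_record(self, candidate: str, now: Optional[float] = None) -> bool:
        """Accept and record a new password unless history rejects it."""
        if self.is_reuse(candidate, now):
            return False
        self.record(candidate, now)
        return True


if __name__ == "__main__":
    history = PasswordHistory()                       # infinite history
    print(history.check_and_record("Winter2013"))     # True: first use
    print(history.check_and_record("Winter2013"))     # False: never reusable
```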

Solution Architecture

Password Manager is designed for:

The figure below illustrates the Password Manager network architecture:

[Figure: Network architecture diagram]

Self-Service: Access and Authentication

Access For Locked Out Users

When users forget their primary password or trigger an intruder lockout, they are in a Catch-22 situation: they cannot log into their computer to open a web browser, yet they need a web browser to fix their password and make it possible to log in.

Password Manager includes a variety of mechanisms to address the problem of users locked out of their PC login screen. Each of these approaches has its own strengths and weaknesses, as described below:

  Option: Do nothing -- users continue to call the help desk.
    Pros:
      • Inexpensive, nothing to deploy.
    Cons:
      • The help desk continues to field a high password reset call volume.
      • No solution for local passwords or mobile users.

  Option: Ask a neighbor -- use someone else's web browser to access self-service password reset.
    Pros:
      • Inexpensive, no client software to deploy.
    Cons:
      • Users may be working alone or at odd hours.
      • No solution for local passwords or mobile users.
      • Wastes time for two users, rather than one.
      • May violate a security policy in some organizations.

  Option: Secure kiosk account (SKA) -- sign into any PC with a generic ID such as "help" and no password. This launches a kiosk-mode web browser directed to the password reset web page.
    Pros:
      • Simple, inexpensive deployment, with no client software component.
      • Users can reset both local and network passwords.
    Cons:
      • Introduces a "generic" account on the network, which may violate policy, no matter how well it is locked down.
      • One user can trigger an intruder lockout on the "help" account, denying service to other users who require a password reset.
      • Does not help mobile users.

  Option: Personalized SKA -- same as the domain-wide SKA above, but the universal "help" account is replaced with one personal account per user. For example, each user's "help" account could have their employee number for a login ID and a combination of their SSN and date of birth for a password.
    Pros:
      • Eliminates the "guest" account on the domain, which does not have a password.
    Cons:
      • Requires creation of thousands of additional domain accounts.
      • Requires ongoing creation and deletion of domain accounts.
      • These new accounts are special -- their passwords do not expire and would likely not meet strength rules.

  Option: Local SKA -- same as the domain-wide SKA above, but the "help" account is created on each computer, rather than on the domain.
    Pros:
      • Eliminates the "guest" account on the domain.
      • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
    Cons:
      • Requires a small footprint on each computer (the local "help" account).

  Option: Telephone password reset -- users call an automated system, identify themselves using touch-tone input of a numeric identifier, authenticate with touch-tone input of answers to security questions or with voice print biometrics, and select a new password.
    Pros:
      • Simple deployment of centralized infrastructure.
      • No client software impact.
      • May leverage an existing IVR system.
      • Helpful for remote users who need assistance connecting to the corporate VPN.
    Cons:
      • New physical infrastructure is usually required.
      • Users generally don't like to "talk to a machine," so adoption rates are lower than with a web portal.
      • Does not help mobile users who forgot their cached domain password.
      • Does not help unlock PINs on smart cards.

  Option: Physical kiosks -- deploy physical Intranet kiosks at each office location.
    Pros:
      • Eliminates generic or guest accounts.
      • May be used by multiple applications that are suitable for physically-present but unauthenticated users (e.g., phone directory lookup, badge management, etc.).
    Cons:
      • Costly to deploy -- hardware at many locations.
      • Does not help mobile users who forgot their cached domain password.
      • Users may prefer to call the help desk, rather than walking over to a physical kiosk.

  Option: GINA DLL (Windows XP) -- install a GINA DLL on user computers, which adds a "reset my password" button to the login screen.
    Pros:
      • User friendly, intuitive access to self-service.
      • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
      • Works on Windows Terminal Server and Citrix Presentation Manager.
    Cons:
      • Requires intrusive software to be installed on every computer.
      • Broken installation or out-of-order un-installation will render the computer inoperable (i.e., "brick the PC").

  Option: GINA Extension Service -- similar to the GINA DLL, but uses a sophisticated service infrastructure to modify the UI of the native GINA, rather than installing a GINA DLL.
    Pros:
      • User friendly, intuitive access to self-service.
      • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
      • More robust, fault-tolerant installation process than the GINA DLL.
    Cons:
      • Requires software to be installed on every computer.
      • Does not work on Citrix Presentation Server or Windows Terminal Server -- only works on personal computers.

  Option: Credential Provider -- the equivalent of a GINA DLL, but for the login infrastructure on Windows Vista/7/8.
    Pros:
      • User friendly, intuitive access to self-service.
      • Can be configured to assist mobile users who forgot their cached domain password (by automatically establishing a temporary VPN connection).
      • Works on Windows Terminal Server and Citrix Presentation Manager.
      • More robust infrastructure than GINA DLLs on Windows XP.
    Cons:
      • Deployment of intrusive software to every workstation.

No other product or vendor supports as many options for assisting users locked out of their PC login screen.

Authenticating Users Without Passwords

Users may authenticate into Password Manager without their password using the mechanisms described below.

Authentication Chains

Password Manager includes a mechanism for authenticating users called authentication chains. This mechanism works by defining sequences of steps that can be used to authenticate a user and defining how the authentication process proceeds from one step to the next.

Authentication chains allow Password Manager to:

  1. Offer a user multiple authentication mechanisms. For example, type a password, answer security questions, use a token, etc.
  2. Combine authentication mechanisms. For example, a user may be asked to type a password and answer a subset of the security questions in his profile.
  3. Select an authentication mechanism based on context. For example, require a user with elevated privileges or a user attached via VPN to satisfy a more robust process than an unprivileged user connected to the corporate network.

Authentication chains allow Password Manager to implement flexible login processes. For example, mobile phones can be used as an authentication factor:

  1. During enrollment, users are asked to identify their mobile phone provider and enter their mobile phone number.
  2. At authentication time, a user is sent a random PIN via SMS, which he must enter correctly and within a short time window. This establishes that the user is in possession of his phone.
  3. A second authentication step is to ask the user to answer a few security questions, which supports the user's claimed identity through something he knows.
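The chain mechanism described above, modelled as an added example that is not Hitachi ID's code: steps (a subset of enrolled security questions; a random SMS PIN that is single-use and valid only within a short window) are composed into chains, and the chain is selected from context so that privileged or VPN-connected users face the stronger one. Profile fields, step classes, the SMS gateway hook and the chain names are assumptions.

```python
# Added example (not Hitachi ID's code): a minimal model of authentication chains as the
# text describes them. Profile fields, step classes and chain names are hypothetical.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class UserProfile:
    user_id: str
    questions: Dict[str, str]     # enrolled question -> expected answer
    mobile: str                   # enrolled mobile number (provider lookup omitted)


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive comparison form for free-text answers."""
    return " ".join(text.strip().lower().split())


class QuestionsStep:
    """'Something you know': ask a subset of the enrolled questions; every answer must match."""

    def __init__(self, count: int):
        self.count = count

    def verify(self, profile: UserProfile, response, now: float) -> bool:
        asked = list(profile.questions)[:self.count]   # deterministic subset, fine for a demo
        answers = response if isinstance(response, dict) else {}
        return all(
            hmac.compare_digest(_norm(profile.questions[q]), _norm(answers.get(q, "")))
            for q in asked
        )


class SmsPinStep:
    """'Something you have': a random PIN sent to the enrolled phone, valid for a short window."""

    def __init__(self, window_seconds: float = 300.0,
                 send: Optional[Callable[[str, str], None]] = None):
        self.window = window_seconds
        self.send = send or (lambda number, text: None)   # hook for an SMS gateway (hypothetical)
        self.pending: Dict[str, tuple] = {}               # user_id -> (pin, issued_at)

    def challenge(self, profile: UserProfile, now: Optional[float] = None) -> str:
        pin = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[profile.user_id] = (pin, time.time() if now is None else now)
        self.send(profile.mobile, f"Your one-time PIN is {pin}")
        return pin    # returned only so a test harness can play the role of the phone

    def verify(self, profile: UserProfile, response, now: float) -> bool:
        pin, issued_at = self.pending.pop(profile.user_id, (None, 0.0))   # single use
        if pin is None or now - issued_at > self.window:
            return False
        return hmac.compare_digest(pin, str(response))


@dataclass
class AuthChain:
    name: str
    steps: List[object]

    def run(self, profile: UserProfile, responses: List[object],
            now: Optional[float] = None) -> bool:
        """Steps run in order and all must pass; a missing response fails the chain."""
        now = time.time() if now is None else now
        if len(responses) != len(self.steps):
            return False
        return all(step.verify(profile, resp, now) for step, resp in zip(self.steps, responses))


def select_chain(context: Dict[str, bool], chains: Dict[str, AuthChain]) -> AuthChain:
    """Context-based selection: privileged users and VPN-connected users get the stronger chain."""
    if context.get("privileged") or context.get("via_vpn"):
        return chains["strong"]
    return chains["standard"]


if __name__ == "__main__":
    # Constructed sample profile and a run of the strong chain.
    user = UserProfile("jsmith", {"First pet?": "Rex", "Birth city?": "Calgary"}, "+1-555-0100")
    sms = SmsPinStep(send=lambda number, text: print(f"SMS to {number}: {text}"))
    chains = {"standard": AuthChain("standard", [QuestionsStep(2)]),
              "strong": AuthChain("strong", [sms, QuestionsStep(2)])}
    chain = select_chain({"via_vpn": True}, chains)
    pin = sms.challenge(user)
    print(chain.name, chain.run(user, [pin, {"First pet?": "rex", "Birth city?": "Calgary"}]))
```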

User Enrollment: Maximizing Adoption

In many organizations, deployment of a password management system requires a user enrollment process. Users may have to provide personal data such as answers to authentication questions (which can subsequently be used to authenticate users who forgot their passwords or triggered a lockout). Users may be asked to attach their non-standard IDs to their profiles. Users may have to provide biometric samples, likewise used for non-password authentication in the event of a future password problem. Finally, users may simply be asked to review and agree to some corporate policy, for example regarding password sharing or writing down their password.

If enrollment is required, it is helpful for the password management system to automate the process by identifying users who must be enrolled, inviting and reminding them to enroll, providing a strongly authenticated enrollment user interface, etc.

Password Manager includes built-in infrastructure to securely and automatically manage the user enrollment process.

The enrollment system in Password Manager includes schedule controls. For example, the maximum number of invitations to send daily can be limited, as can the frequency of invitations per user. Days-of-week during which to send invitations are identified as are holidays during which no invitations should be sent.

Telephony Integration

A popular option for extending password reset services to locked out users is to offer the service over a telephone, using an interactive voice response (IVR) system.

Users who forget their passwords can dial an IVR system with any telephone and initiate a password reset. Authentication using either touch-tone entry of personal secret information or using voice print verification is supported. Existing IVR systems can be extended using a Password Manager remote API or Hitachi ID Telephone Password Manager -- a turn-key IVR system specifically designed for password resets.

Overview:

Telephone Password Manager is a turn-key telephone user interface bundled with the Password Manager credential management solution. It enables organizations to quickly and inexpensively offer self-service password reset, PIN reset and disk unlock to users over a telephone, without having to configure a complex IVR system.

Features:

Telephone Password Manager supports self-service management of authentication factors (credentials) and recovery of disk encryption keys over a telephone.

Benefits:

Telephone Password Manager lowers IT support costs and improves user service by enabling mobile, remote or locked out users to resolve problems with their password, hardware token or encrypted hard disk on their own, without calling the help desk.

Telephone Password Manager can improve the security of IT support processes by authenticating users with biometric voice-print verification prior to offering services such as password or PIN reset.

Managing PKI Certificate Passwords

PKI standards generally relate to certificate format and use, not to the administration of certificates -- issuance, delivery to users, installation on PCs and smart cards and revocation. Unfortunately, a major cost of PKI is exactly these processes of managing certificates.

Password Manager includes a significant and mature infrastructure for managing PKI certificates: provisioning them, managing their passwords and other attributes, delivering them to users and revoking them.

Of necessity, this infrastructure combines a general facility, covering business process and certificate storage, with a set of platform-specific bindings for individual PKI/certificate authority products. Currently, Hitachi ID Systems provides a platform binding for Lotus Notes ID files, which is by far the most widely deployed (though not necessarily standards-based) PKI infrastructure today.

Lotus Notes actually uses two separate passwords for each user.

Hitachi ID Systems is working on bindings between the general-purpose PKI administration infrastructure in Password Manager and other PKI products, from Microsoft, Entrust, Verisign, GeoTrust and other PKI vendors. Unfortunately, none of these PKI products is currently widely deployed and customer demand for integrations is therefore limited.

Support for Mobile, Disconnected Users

Password Manager offers a unique set of technologies, collectively referred to as "Self-Service, Anywhere." Using these technologies, users can resolve problems with their passwords, smart cards, tokens or full disk encryption software both at the office and mobile, from any endpoint device.

Self-Service, Anywhere automates problem resolution in a number of technically challenging and business-critical scenarios:

Mobile users warned of password expiry

Problem: Mobile users are not notified by Windows when their passwords are about to expire. Users who infrequently connect their laptop to the office network, instead checking e-mail with a solution such as Outlook Web Access, suffer regular password expiry and require frequent password resets.

Solution: Password Manager sends users e-mails warning of imminent password expiry. Users change passwords using a web browser. An ActiveX control refreshes the password on their laptop.

Business impact: Fewer login problems that cause a work interruption. Lower IT call volume and support cost.

Reset forgotten, cached password while away from the office

Problem: Laptop users sometimes change their password before leaving the office and may forget the new password when they need to use it while not attached to the corporate network. Without a technical solution, the IT help desk cannot resolve these users' problem until they return to the office. User laptops are rendered inoperable until they return to the office.

Solution: A Password Manager client software component allows users who forgot their primary, cached Windows password and cannot sign into their PC to connect to the Internet over a WiFi hotspot or using an air-card. Users locked out of their PC login screen can also establish a temporary Internet connection using their home Internet connection or a hotel Ethernet service. Once the user's laptop is on the Internet, Password Manager establishes a temporary VPN connection and launches a kiosk-mode (full screen, locked down) web browser. The user steps through a self-service password reset process and Password Manager uses an ActiveX component to reset the locally cached password to the same new value as was set on the network back at the office.

Business impact: Forgotten passwords are a major work disruption for mobile users, since they cannot be resolved until the user visits the office. Password Manager allows users to re-enable their laptop in minutes.

Unlock encrypted hard disk

Problem: Organizations deploy full disk encryption (FDE) software to protect against data leakage in the event that a corporate laptop is lost or stolen. Users with FDE on their PCs normally have to type a password to unlock their hard disk, before they can boot up an operating system. This password is normally synchronized with the user's primary Windows password, so that the user only has to remember and type a single password at login. If a user forgets his hard disk encryption unlock password, the user will be unable to start their operating system or use their computer. This is a serious service disruption for the user and can contribute to significant support costs for the IT help desk.

Solution: Most FDE packages include a key recovery process at the PC boot prompt. This normally involves a challenge/response process between the FDE software, the user, an IT support analyst and a key recovery server. Password Manager can front-end this process using an integrated telephony option, so that users can perform key recovery 24x7, from any location, using their telephone and without talking to a human help desk technician.

Business impact: Key recovery is an essential IT support service for organizations that have deployed FDE. Password Manager lowers the IT support cost of key recovery by moving the process to a self-service model.

Smart card PIN reset

Problem: Organizations deploy smart cards to strengthen authentication. Users typically sign into their PC by inserting their smart card into a reader and typing a PIN. If users forget their PIN or leave their smart card at home, they cannot sign into their PC. PIN reset is a complex support process because the new PIN has to be written to the user's physical smart card, so a support call may turn into a physical visit to the help desk.

Solution: Password Manager allows users to reach a self-service web portal from anywhere, including from the locked login screen of their laptop and away from the office (using WiFi, as described above). Once the user has signed into the portal, Password Manager can download an ActiveX component to the browser that communicates with the smart card and resets the forgotten PIN. Password Manager can also assign the user a temporary login password (often a very long, random one) for use when the smart card was left at home. Since a temporary password replaces two-factor login with a single factor, it should be short-lived and expire after a fixed window.

Business impact: Forgotten PINs are infrequent, since PINs are not usually set to expire, but when they do happen they are extremely disruptive. Temporary passwords matter just as much for users who left their smart card at home, which happens quite often.


Overcoming Active Directory Replication Delays

Active Directory does not propagate cleared intruder lockout flags on an expedited schedule. This creates problems for remote users who inadvertently trigger a lockout and then call a central help desk for assistance. The help desk typically clears the lockout on a domain controller near the help desk, and the cleared lockout may take a long time (hours) to reach the domain controllers against which the user actually authenticates or which serve the network resources the user wants to access.

This problem is especially acute in global organizations with hundreds of domain controllers and a single, global IT support function.

AD password change replication is described here:

http://technet.microsoft.com/en-us/library/cc772726.aspx

Password Manager circumvents the slow replication of cleared intruder lockouts between Active Directory domain controllers by automatically directing password resets and cleared intruder lockouts to a select set of domain controllers, those which the user is most likely to access:
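As an added illustration of the technique this section describes (not Hitachi ID's code, and not how Password Manager is implemented), the following PowerShell script does by hand what the text attributes to the product: it writes the reset and the unlock directly to the domain controller in the user's own site and to the PDC emulator, then reads lockoutTime back from each rather than trusting that one write will replicate in time. It assumes the RSAT ActiveDirectory module and that the caller knows the user's AD site; the parameter names are hypothetical.

```powershell
# Added example, not Hitachi ID code.  Instead of unlocking on whichever DC the
# help desk happens to be bound to and waiting for replication, target the DCs
# that matter for this user.  Assumes the RSAT ActiveDirectory module; the
# parameter names below are illustrative.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [Parameter(Mandatory)][string]$UserSite,         # AD site the user logs on from
    [Parameter(Mandatory)][securestring]$NewPassword
)
Import-Module ActiveDirectory

# 1. Locate the DCs the user will actually hit: one in the user's own site, plus
#    the PDC emulator, which is consulted on bad-password attempts.
$siteDc  = [string](Get-ADDomainController -Discover -SiteName $UserSite -ForceDiscover).HostName
$pdc     = (Get-ADDomain).PDCEmulator
$targets = @($siteDc, $pdc) | Select-Object -Unique

# 2. Reset the password once, on the site DC.  Password changes are forwarded to
#    the PDC emulator immediately, so a second reset there is not needed.
Set-ADAccountPassword -Identity $SamAccountName -Server $siteDc -Reset -NewPassword $NewPassword

# 3. Clear the lockout on every target DC rather than on one and hoping.
foreach ($dc in $targets) {
    Unlock-ADAccount -Identity $SamAccountName -Server $dc
}

# 4. Verify before telling the user to try again: lockoutTime must be 0 or
#    unset on each DC the user may authenticate against.
foreach ($dc in $targets) {
    $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties LockedOut, lockoutTime
    '{0,-35} LockedOut={1} lockoutTime={2}' -f $dc, $u.LockedOut, $u.lockoutTime
}
```

The verification loop is the part worth keeping even if the rest is replaced by a product: a lockout that still reads non-zero on the DC serving the user's site means the user will be refused again no matter what the help desk console shows.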

Built-in Single Sign-on Technology

Hitachi ID Login Manager, a module included with Password Manager, is an enterprise single sign-on solution. It automatically signs users into applications where the ID and/or passwords are the same ones users type to sign into Windows on their PC.

Login Manager relies on password synchronization rather than stored passwords. It therefore needs no credential wallet, and users can continue to sign into their applications from devices other than their corporate PC, such as a smart phone or tablet, for which a single sign-on client may not be available.

Because Login Manager requires neither scripting nor a credential vault, it has a much lower total cost of ownership (TCO) than alternative single sign-on tools.

Login Manager automatically fills in application login IDs and passwords on behalf of users, streamlining the application sign-on process for users.

Login Manager works as follows:

The net impact of Login Manager is that login prompts for applications with well-known IDs and passwords that authenticate to AD or are synchronized with AD are automatically filled in. This is done without:

Login Manager is installed as a simple, self-contained MSI package. It does not require a schema extension to Active Directory.

The reduced sign-on process used by Login Manager has several advantages over traditional E-SSO techniques:

These advantages significantly reduce the cost and risk associated with deploying and managing Login Manager.

Return on Investment

Deploying Password Manager saves money for three groups of people in an organization:

Example savings calculation

The following example illustrates how Password Manager reduces the cost of password management:

                Before Password Manager        With Password Manager         Monthly savings
Users           3000 calls x 20 min x $40/hr   600 calls x 12 min x $40/hr
                = $40,000                      = $4,800                      $35,200
Help desk       3000 calls x 10 min x $40/hr   600 calls x 2 min x $40/hr
                = $20,000                      = $800                        $19,200
Administrators  500 calls x 5 min x $40/hr     no calls
                = $1,670                       = $0                          $1,670
Monthly total   $61,670                        $5,600                        $56,070

All figures are monthly costs; the administrators' row is rounded from $1,666.67.


To estimate the cost savings in your organization, try our on-line calculator at:

http://Hitachi-ID.com/password-manager/roi/

Platform Support

Password Manager can manage passwords on most systems directly. It includes built-in support for the following systems:

Directories: any LDAP, AD, NDS, eDirectory, NIS/NIS+.

Servers: Windows 2000--2012, Samba, NDS, SharePoint.

Databases: Oracle, Sybase, SQL Server, DB2/UDB, ODBC, Informix.

Unix: Linux, Solaris, AIX, HPUX and 24 more variants.

Mainframes: z/OS with RACF, ACF2 or Top Secret.

Midrange: iSeries (OS/400), OpenVMS.

ERP: JDE, Oracle eBiz, PeopleSoft, SAP R/3, SAP ECC 6, Siebel, Business Objects.

Collaboration: Lotus Notes, Exchange, GroupWise, BlackBerry ES.

Tokens, smart cards: RSA SecurID, SafeWord, RADIUS, ActivIdentity, Schlumberger.

WebSSO: CA SiteMinder, IBM TAM, Oracle AM, RSA Access Manager.

Help desk: BMC Remedy, BMC SDE, ServiceNow, HP Service Manager, CA Unicenter, Assyst, HEAT, Altiris, Clarify, Track-It!, RSA Envision, MS SCS Manager.

HDD encryption: McAfee, CheckPoint, BitLocker, PGP.

SaaS: Salesforce.com, WebEx, Google Apps, MS Office 365, SOAP (generic).

Miscellaneous: OLAP, Hyperion, iLearn, Caché, Success Factors, VMware vSphere, Cisco IOS, Juniper JUNOS, F5, iLO cards, DRAC cards, RSA cards, etc.

Extensible: SSH, Telnet, TN3270, HTTP(S), SQL, LDAP, command-line.


Password Manager includes a number of flexible connectors, each of which scripts integration over a common protocol or mechanism. These connectors allow organizations to integrate Password Manager quickly and inexpensively with custom and vertical-market applications, which increases the value of the Password Manager system as a whole.

There are flexible connectors to script interaction with:

API binding:
  • C, C++
  • Java, J2EE
  • .NET
  • COM, ActiveX
  • MQ Series

Terminal emulation:
  • SSH
  • Telnet
  • TN3270, TN5250
  • Simulated browser

Web services:
  • SOAP
  • WebRPC
  • Pure HTTP(S)

Back-end integration:
  • Direct SQL statements against the application database
  • LDAP attributes

Command-line:
  • Windows
  • PowerShell
  • Unix/Linux


Organizations that wish to write a completely new connector to integrate with a custom or vertical market application may do so using whatever development environment they prefer (J2EE, .NET, Perl, etc.) and invoke it as either a command-line program or web service.

If a Hitachi ID Systems customer develops its own integration, an effort of between four hours and four days is typical. Alternatively, Hitachi ID Systems offers fixed-cost custom integrations for a nominal fee.
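As an added example of the command-line connector the paragraphs above describe, written here by the editor rather than taken from Hitachi ID, the PowerShell script below resets a local Windows account. The request format (one JSON object on stdin), the field names and the exit codes are assumptions for illustration; the page does not document the real connector interface. Whatever that interface turns out to be, the design points are the ones to keep: the secret travels on stdin and never on the command line, the login ID is checked against a strict allow-list before it reaches the target system, and neither the request nor the secret is echoed into error output where a log collector could pick it up.

```powershell
# Added example, not Hitachi ID code: a command-line connector that resets a
# local Windows account.  Assumed (hypothetical) interface: one JSON object on
# stdin, {"action":"reset","login":"jdoe","new_password":"..."}, and exit codes
# 0 = success, 2 = bad request, 3 = target system failure.
# Requires the Microsoft.PowerShell.LocalAccounts module (Windows 10 / 2016+).

$ErrorActionPreference = 'Stop'

function Test-LoginId {
    param([string]$Login)
    # Strict allow-list: SAM-style names only.  Spaces, quotes, path separators
    # and control characters are refused before they can reach the target.
    return ($Login -match '^[A-Za-z0-9._-]{1,20}$')
}

function Invoke-PasswordReset {
    param(
        [Parameter(Mandatory)]$Request,   # object produced by ConvertFrom-Json
        # The target action is injectable so the validation path can be exercised
        # without touching a real account.
        [scriptblock]$Target = { param($Login, [securestring]$Password)
                                 Set-LocalUser -Name $Login -Password $Password }
    )
    if ($Request.action -ne 'reset') {
        [Console]::Error.WriteLine('connector: unsupported action'); return 2
    }
    if (-not (Test-LoginId $Request.login)) {
        [Console]::Error.WriteLine('connector: invalid login id'); return 2
    }
    if ([string]::IsNullOrEmpty($Request.new_password)) {
        [Console]::Error.WriteLine('connector: missing new_password'); return 2
    }
    $secure = ConvertTo-SecureString -String $Request.new_password -AsPlainText -Force
    try {
        & $Target $Request.login $secure
    } catch {
        # Deliberately omit $Request and $_ from the message: either may carry
        # the secret into a log file.
        [Console]::Error.WriteLine('connector: target command failed'); return 3
    }
    return 0
}

# Entry point.  The secret is read from stdin and never taken from the command
# line, because process arguments are visible in the process list.
if ($MyInvocation.InvocationName -ne '.') {
    $request = [Console]::In.ReadToEnd() | ConvertFrom-Json
    exit (Invoke-PasswordReset -Request $request)
}
```

Invoke it from the calling system as `'{"action":"reset","login":"jdoe","new_password":"..."}' | powershell -NoProfile -File Reset-LocalPassword.ps1` and branch on `$LASTEXITCODE`; to test the validation path, dot-source the file and call `Invoke-PasswordReset` with a `-Target` script block that records its arguments instead of calling `Set-LocalUser`.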

Rapid Deployment

Hitachi ID Systems solutions are optimized for rapid deployment -- this is a core design principle across all products in the Hitachi ID Identity and Access Management Suite. Rapid deployment is largely a feature of (a) including as many built-in features as possible and (b) making common use cases easier to configure.

Hitachi ID Identity Manager minimizes deployment cost using a built-in request portal, a built-in approvals process and by enabling organizations to define categories of relationships, which then drive what one user can see of another, what changes one user can submit on behalf of another, who is invited to approve change requests and more.

Password Manager minimizes deployment cost using built-in processes for enrollment of security questions, login IDs, mobile phone numbers and voice biometrics. This is augmented by built-in processes to control the pace of user invitations.

Hitachi ID Privileged Access Manager minimizes deployment cost using built-in processes for auto-discovery and automated classification of systems and accounts to be managed. It also includes a robust, built-in process for authorizing one-time access requests.

All Hitachi ID Systems products include a rich set of over 110 connectors, built-in reports, a robust and translation-friendly web portal, e-mail and incident management system integration, multi-node database replication and more. These are all things that Hitachi ID Systems customers need not hand-craft, reducing project time and cost.

Password Manager is designed for rapid deployment: