As today's organizations deploy an ever-growing number of complex systems, password management problems choke help desk systems, cause expensive delays and lost productivity, and threaten to compromise security.
Identifying the causes of these problems and resolving them requires the involvement of many interested parties and much strategic planning. Organizations can use a number of software products to address these issues, and selecting the right one means weighing a number of important factors.
The first step when selecting and deploying a password management product is to conduct a needs analysis. The needs analysis should identify the problems that a password management system must solve. These should be translated into requirements that the successful vendor must meet.
The following are the most common password management problems, each with a brief description of the password management functionality required to solve it.
Users frequently have too many passwords on too many different systems. As a result, they either forget their passwords or violate security policy in an effort to remember them.
A password management system should allow users to manage every password from a single screen, and allow users to synchronize their passwords to a single, hard-to-guess password.
Users who forget their passwords waste time on:
Each problem incident may consume 20-30 minutes of user time. In many organizations, users experience this problem 2-4 times annually. In a large user population, this generates a huge volume of user problems and help desk calls.
A password management system should incorporate password synchronization, which helps users remember their passwords and thus eliminates the majority of password-related problems. It should also include password self-reset and help desk password reset facilities, to speed up the resolution of the remaining password problems at the help desk.
Users who forget their passwords call the help desk, and get service. These calls normally represent 20% to 30% of total help desk call volume.
In an effort to remember a large number of passwords, users may violate security policies by:
Password synchronization simplifies and automates the password change process while enforcing security procedures. A password policy engine should ensure that synchronized passwords are strong and changed regularly.
When new network systems are installed, users must be assigned new passwords. When many users are involved, creating new login IDs, assigning each of them an initial password, and securely communicating that password value to the user is a large undertaking.
This process is required in projects such as new OS deployments (for example, migrating to Windows 2000 Active Directory), new authentication services (for example, RADIUS servers supporting many firewalls), and new application deployments (for example, SAP or PeopleSoft deployments).
Password synchronization should allow administrators to assign existing users of new systems a random initial password. Users can then reset some or all of their passwords to a new, known value to gain access to new systems.