Metrics

Before deploying a credential management system, it is useful to identify and start recording metrics. Once the system is deployed, continuing measurement of the same metrics will show its impact.

Following are some relevant metrics:

  1. Number of systems that maintain their own, distinct password, rather than leveraging Kerberos, LDAP, SAML, etc. to externalize authentication.
  2. Number of distinct passwords an average user must remember and manage.
  3. Average number of login prompts faced by a user, during a work day.
  4. Number of systems (with their own passwords) able to enforce password complexity rules consistent with enterprise policy.
  5. Password change frequency -- required versus actually enforced.
  6. Help desk call volumes related to login problems:
    1. Forgotten passwords, per system, per month.
    2. Intruder lockouts, per system, per month.
    3. Filesystem lockouts (forgotten pre-boot password), monthly.
    4. Token problems (left at home, lost, stolen, forgot PIN), monthly.
    5. Forgotten passwords by users off-site, monthly. This is different from forgotten passwords per system because it refers to users who cannot unlock their PC until they bring it back to the office -- an especially disruptive type of problem.

Stake-holders

A credential management system has many integrations, each of which has an owner: endpoint devices, servers, applications, incident tracking systems, e-mail infrastructure, VPN, VoIP or other telephony systems and multi-factor authentication platforms. It impacts security, IT support and audit.

It is important to get buy-in from every stake-holder early in the project, to avoid objections, delays and implementation risk.

An authoritative sponsor is essential to get buy-in from a diverse group of stake-holders. Because of the large number of interested parties, it is almost inevitable that somebody will raise objections, try to change priorities or alter previously agreed-to designs. Too many interruptions like this will derail the project. A high-profile business sponsor reduces these risks.

The following stake-holders should be engaged as early as possible when deploying the system and should sign off on objectives as described in (1):

  • Project Sponsor:
    Provide mandate and budget for the project. Ensure cooperation from other stake-holders.

  • Project Manager:
    Ensure the project is managed effectively by providing and coordinating Hitachi ID Systems customer resources.

  • Network Architect:
    Develop and approve network-level design documents. Place servers on the network and specify integrations, for example with VPNs, SSL concentrators, reverse web proxies, etc.

  • IAM application administrator:
    Responsible for ongoing configuration, administration, enhancement and upgrades to Password Manager, post production deployment. Assists in implementation of the system prior to moving to production, in order to gain maximum familiarity with the software and configuration.

  • Security Officer:
    Review, document and approve any changes that impact corporate security, including policies, authentication processes, SIEM integration, VPN integrations, any service or generic accounts, etc.

  • Auditor:
    Define audit requirements, such as data retention, periodic review of user privileges, etc. Periodically review activity on the system.

  • IT support manager:
    Often funds the system, to reduce call volumes and head count. Provides integration details and support for the ticketing system. Defines user-support processes.

  • System administrators (for every integrated system):
    Provide integration details for each target system, provide service accounts and test IDs and verify correct operation. Assist with troubleshooting integrations.

  • Human resources representative:
    Represent the HR function, including providing data feeds and feedback about issues of confidentiality.

  • Intranet manager:
    Provide user interface standards, including sample HTML, CSS and JS, to ensure that Password Manager matches enterprise standards.

  • Network operations:
    Support deployment of servers, including hardware, VMs, OS images, DNS names, network routes, TLS certificates and/or termination, load balancing and system health monitoring.

  • Desktop support:
    Deploy client-side code and the policies that allow or block its execution.
