Review: Password Management: Grief Relief
With more users, partners, accounts, and platforms, password automation is becoming a necessity. We tested seven password-management products and granted our Tester's Choice to the one with outstanding policy creation and enforcement as well as extensive platform support.
When it comes to passwords, users are on overload--80 percent of Bank of America employees have six or more user ID-password combinations, and 28 percent have 12 or more, according to a Gartner case study conducted for BoA. Our reader poll for this article reveals that just 17 percent of respondents have SSO (single-sign-on) technology, while 53 percent require users to select strong passwords and change them regularly, typically every 90 days. Unless IT steps in, most users will continue to practice the Post-It method of password management. And really, who can blame them?
Yet sympathy and solutions are in short supply. Vendors design products that have differing identity-management systems and policy requirements. And we IT security pros often spend too much time developing complicated policies for accessing network resources that don't require considerable protection and devote too little time to shielding critical applications. Passwords also affect compliance. Section 404 of Sarbanes-Oxley addresses control of access privileges, for example. Auditors might ask for proof that users accessing sensitive systems are reliably authenticated and authorized. Can you attest to that, especially if you're one of the 32 percent of companies (see chart) that let users select any password? Clearly, better password management is essential.
Password management has a discernible ROI. It reduces the number of passwords an employee needs, ensures passwords are changed regularly, and allows self-authentication for users who forget a password or must reset one. BoA estimates it saved more than $1 million in 2004 by employing a "one-ID, one-password" system, which reduced password-related IT service-desk calls from 30 percent to 8 percent.
We challenged 30 password-management vendors to participate in product tests at our Secure Enterprise Real-World Labs® at Syracuse University. We wanted to evaluate products that provide software-based, enterprise-class password management, which we defined as able to deliver secure, self-service password resets and synchronization, and for which admins can define password policies, globally enforce and track requests/approvals and provide an automated escalation process when needed. We set our sights high and asked for:
» a central GUI console for administration
» single sign-on support as well as transparent, automatic password synchronization across every system for which a user has a login ID
» password synchronization from a Web browser
» features for managing remote employees, such as those using dial-up, VPN and terminal services
» self-service password resets
» password-expiration notifications
» integration with token-managed systems
» an enterprise password policy enforcement admin tool
» audit trails and reporting on password resets
Not every product met every goal--notably, lower-ranked offerings lacked remote access and token integration--but none was so deficient that we felt it wouldn't be competitive. Our online features chart has a detailed breakdown of functionality.
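An added illustration (not from the review or from any of the vendors tested) of what the policy-enforcement and audit-trail criteria above amount to in code: a minimal enforcer that rejects weak or reused passwords, flags passwords older than the 90-day rotation interval cited earlier, and logs every reset attempt whether it succeeds or not. The minimum length, the character-class rule and the history depth are assumed values, not taken from any product.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=90)   # rotation interval cited in the review
MIN_LENGTH = 12                # assumed policy value, not from the review
HISTORY_DEPTH = 5              # assumed: block reuse of the last 5 passwords


def policy_violations(password, user_id):
    """Return the policy rules a candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    classes = [any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("needs 3 of 4 character classes")
    if user_id.lower() in password.lower():
        problems.append("contains user ID")
    return problems


def _hash(password, salt):
    # Salted, slow hash so the stored history cannot be trivially reversed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class PasswordStore:
    """Per-user password state plus an append-only audit trail of resets."""
    def __init__(self):
        self.users = {}   # user_id -> {salt, hashes (newest first), changed}
        self.audit = []   # (timestamp, actor, user_id, accepted, reasons)

    def set_password(self, user_id, password, actor, now):
        problems = policy_violations(password, user_id)
        rec = self.users.get(user_id)
        if rec and any(hmac.compare_digest(_hash(password, rec["salt"]), h)
                       for h in rec["hashes"]):
            problems.append("reused recent password")
        # Every attempt is recorded, so rejected resets are auditable too.
        self.audit.append((now.isoformat(), actor, user_id, not problems, problems))
        if problems:
            return False
        salt = rec["salt"] if rec else os.urandom(16)
        hashes = [_hash(password, salt)] + (rec["hashes"] if rec else [])
        self.users[user_id] = {"salt": salt, "hashes": hashes[:HISTORY_DEPTH], "changed": now}
        return True

    def is_expired(self, user_id, now):
        return now - self.users[user_id]["changed"] > MAX_AGE
```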
Advanced Software Products Group (ASPG), Avatier, Courion, M-Tech Information Technology, Passlogix, Protocom and Quest Software accepted. Novell accepted but then decided it couldn't participate because of a product-revision conflict; that was OK with us because Novell resells Protocom's product. Then, during testing, Protocom was acquired by ActivCard, which changed its name to ActivIdentity, but was still eager to participate in our review. The offering is now called ActivIdentity SecureLogin Single Sign-On.
We graded the products on administration (configuration, logging, auditing and reporting, notification and alerts), password management (policy configuration, enforcement, self-service and SSO), authentication, platform support and price.
Sell, Sell, Sell
A password-management system will make you popular with end users and can provide a quick ROI by lightening the load on the helpdesk, thereby greasing the skids for implementing identity management. Before you start issuing RFPs, however, you must make the sale to management. Get ready by compiling answers to some basic questions: How many passwords must users remember? Do highly paid sysadmins spend time on password resets? How often are password changes required, and how strong or weak are the current password-enforcement policies?
Internal politics can be a stumbling block. Put an emphasis on ease-of-use to help win over the masses. Coordinate with various IT teams to build consensus on the password-management product's design and implementation schedule among all network and systems admins charged with maintaining profiles/passwords on multiple network resources. And budget time to work with HR to validate all employee IDs and determine access levels.
Among the various identity-management options, password-management software is the least intrusive. The tools we tested typically integrate into existing directories and helpdesk systems using APIs. Server-side software and modules connect to various OSs, including Windows Server 2003, Novell NetWare and Unix.