NU MSIT 458 - Authentication through Password Protection

This preview shows page 1-2-3-27-28-29 out of 29 pages.


Slide titles:
Slide 1
Background to the Problem:
Password Reset User Support:
Problem:
Password Complexity: Sample Company
Password Complexity: Sample Company
Order of Magnitude
Order of Magnitude
Order of Magnitude
Potential Solutions:
Identity Management Software
Leverage a Unified Directory Service
Password Synchronization
Case Study
Company X Business Requirements
Company X Decision
Company X Project Financials
Global AD
Global AD
Global AD
FIM
FIM
FIM
FIM & Global AD
Current Process Flow
Future Process Flow
Migration from the current to the future FIM and BPOS setup
Production Setup
Slide 29

Team: SuperBad Cats
MSIT 458 – Dr. Chen
Authentication through Password Protection

Background to the Problem:
•Companies require password protection on many important systems within their company
•Various systems may have differing password requirements
  –Requiring users to create and recall different passwords for different systems
•Various systems may be used only sparingly by certain users
  –Users may forget their password after a period of non-use
•Companies often require a new password after a given period of time
  –Requiring users to create and recall different passwords for different systems

Password Reset User Support:
•Call support Metrics (authenticity and validation)
  –Time Spent on Resets
  –Quantity of Resets per Year
  –Cost per call
  –Why they call
•Web-based password reset advantages (set up by users with challenge questions)
  –Confidentiality
  –Authenticity
  –Integrity
  –Availability

Problem:
•Problems at the Company Level
  –Too many different passwords
  –Can't remember passwords
  –Lack of Support
  –Too easy
•Problems at the user level
  –Can't remember answers to challenge questions
  –Don't know the password complexity rules
In Summary: Maintaining multiple passwords for a single user to access necessary systems results in excessive work time lost and cost to the company

Password Complexity: Sample Company
•Enforce password history: 24 passwords remembered
•Maximum password age: 90 days
•Minimum password age: 1 days
•Minimum password length: 8 characters
•Password Dictionary Blacklist: "%Company Name%"
•Password must meet complexity requirements: Enabled (next slide)

Password Complexity: Sample Company
–Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
–Be at least eight characters in length
–Contain characters from three of the following four categories:
  •English uppercase characters (A through Z)
  •English lowercase characters (a through z)
  •Base 10 digits (0 through 9)
  •Non-alphabetic characters (for example, !, $, #, %)
–Complexity requirements are enforced when passwords are created or changed.

Order of Magnitude
By adding character complexity and length requirements, an administrator increases the amount of time a brute force attack will take on a system by orders of magnitude.
This should be taken into consideration when setting up corporate password standards and requirements.

Order of Magnitude

Order of Magnitude

Potential Solutions:
•Identity Management Software
•Leverage a unified Directory Service
•Password Synchronization
•Other Options: Single Sign-On, Biometric, RSA Token, Near Field Communication (NFC), RFID, Social Media

Identity Management Software
•IdM solutions provide automated creation, provisioning and projection of user accounts to a directory services solution.
  –Examples: Forefront Identity Mgr, Novell Identity Mgmt Solution, Oracle

Leverage a Unified Directory Service
A unified directory service is a single location where all user objects reside. This streamlines the management and control of access and authorization.
–Microsoft Active Directory
–Active Directory Federation Services (ADFS)

Password Synchronization
PCNS and other synchronization services leverage replication services and APIs to update and synchronize user passwords in unmanaged systems or environments
–Password Change Notification Service (PCNS)

Case Study
Company X was looking into implementing a solution to improve their security while simplifying their password setup, maintenance and customer support. Here's how they achieved this objective….

Company X Business Requirements
•Legacy domain was an older version of Active Directory
•Company X is a typical enterprise company, with approximately 100k users.
•The directory services would need to accommodate approximately 500k objects
•Large number of Windows based clients in the current infrastructure
•Integration capability with current communication technology being implemented

Company X Decision
•There are many ways to select a Directory Services (DS) platform:
  –The reason for selecting Active Directory focused around the number of existing Windows based clients and the communication technology being implemented.
•Companies that sell DS products offer several different pricing models, and can vary in cost from as little as $500k, to upwards of $10 million.

Company X Project Financials
•Active Directory = $3.5 million amortized over a three year period
•FIM = $4 million amortized over a three year period
  –Costs include Licensing and CALs for all users in the directory structure (licensing is per user)
•Operating Costs (hosting & maintenance) = Approximately $400k per year.
•Development/Implementation Costs (typically incurred during the first two years of the product life cycle) = $2.5 million

Global AD
•Global AD provides the ability to have one set of credentials for all applications that leverage the resource.
•Allows for centralized administration of the domain.
•Reduces complexity for MIS managers to administer user objects

Global AD
•Current State
  –User population driven by a flat file feed processed once each week
  –Data not accurate nor timely
  –Infrequent action taken Internationally
•Future State (Post-PeopleSoft Upgrade)
  –Clean, Timely Data
  –Processed twice daily
  –Improved security

Global AD
•User Objects are the Global ID (7-digit number)
•Currently leveraged for:
  –FIM
  –BPOS Email
  –Office Communicator
  –SharePoint
  –POS System (Beta)
  –Reservation System (Beta)
  –Service Desk Ticketing System
  –Group Billing Project
  –Workforce Management System
  –Associate Learning Network
  –Company Benefits Application
•Planned Applications:
  –BI System
  –Financial Applications
…and more to come

FIM
•FIM stands for Forefront Identity Manager
•Allows for granular user object management through a GUI interface
•Provides approval workflow and audit trail
•User friendly and
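
The rules on the "Password Complexity: Sample Company" slides and the claim on the "Order of Magnitude" slide can be checked in code. The following is an added example, not part of the original slides: the sample user, the company name `ExampleCorp`, and the reading of name "parts" as delimiter-separated tokens longer than two characters are assumptions.

```python
import math
import re
import string

MIN_LENGTH = 8           # "Minimum password length 8 characters"
REQUIRED_CATEGORIES = 3  # "three of the following four categories"

def categories_used(password):
    """Count how many of the slide's four character categories appear."""
    checks = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)

def policy_violations(password, account_name, full_name, blacklist=()):
    """Return the rules a candidate password breaks (empty list = accepted)."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if categories_used(password) < REQUIRED_CATEGORIES:
        problems.append("fewer than three character categories")
    # Assumption: name "parts" are tokens split on common delimiters; only
    # tokens longer than two characters are matched, case-insensitively.
    tokens = [account_name] + re.split(r"[\s,.\-_#]+", full_name)
    if any(len(t) > 2 and t.lower() in lowered for t in tokens):
        problems.append("contains account name or part of full name")
    if any(word and word.lower() in lowered for word in blacklist):
        problems.append("contains blacklisted word")
    return problems

def search_space_log10(alphabet_size, length):
    """Orders of magnitude (log10) of candidates an exhaustive search covers."""
    return length * math.log10(alphabet_size)

if __name__ == "__main__":
    # Constructed sample user and company name, not taken from the slides.
    for pw in ("summer", "Jsmith2024!", "ExampleCorp#1", "T4ble-lamp-River"):
        print(pw, policy_violations(pw, "jsmith", "John Smith", ["ExampleCorp"]))
    # 8 lowercase letters versus 8 characters drawn from 94 printable ASCII symbols
    print(round(search_space_log10(26, 8), 1), round(search_space_log10(94, 8), 1))
```

Moving from 8 lowercase letters to 8 characters from the full printable set adds roughly four orders of magnitude to the search space, and each extra character at that alphabet size adds about two more.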

