Transcription

1 2009 Botz & Associates, Inc. All Rights Reserved Building a Strong Password Management System Reduce Costs and Tighten Security Patrick Botz

2 Agenda What s the problem? Calculating costs and return on investment Reducing costs Synchronizing Passwords Eliminating Passwords Getting Management Approval

3 What s the Problem? Problem High cost of managing identification and authentication required to access computing resources in distributed networks Solution Significantly reduce the cost of managing identification and authentication to computing resources

4 What Costs? Cost to Manage Identification and Authentication #People * (#userids/person)) * (average cost of a userid) Three Ways to Reduce Cost 1. Reduce the number of userids per person (i.e. eliminate userids) 2. Reduce the average cost of managing a single userid 3. Reduce the number of people that access computing resources

5 Practical Solution Reduce the average cost of managing a userid #People * (#userids/person)) * (average cost of a userid) The only practical approach to solve the problem!

6 Cost of Managing UserIDs Reduce the average cost of managing a userid Cost of Managing A userid Admin + HelpDesk + EndUser Administrative costs to create, delete, and change Help desk costs for handling end user identification and authentication problems (i.e. passwords) End user costs to change X number of passwords Y times per year, including calls to help desk

7 Calculate Costs and Return on Investment

8 Measuring ROI ROI = (Net Savings) / (Cost of Solution)

9 Measuring ROI ROI = (Net Savings) / (Cost of Solution) Savings = (Current Cost) (New Cost) Current Cost = Estimate time currently spent managing userids Administrative Time + Help Desk Time + End User Time New Cost = Estimate time spent to manage userids with selected solutions Administrative Time + Help Desk Time + End User Time Convert to $$$ using average salary for each set of users Net Savings = Savings (Cost of Solution)

10 Measuring ROI ROI = (Net Savings) / (Cost of Solution) Cost of Solution = Cost to Acquire + Cost to Implement + Cost to Use/Manage Cost to Acquire = Initial Licensing Costs of selected solution(s) + (1 time cost) + additional applications/products required by selected solution Cost to Implement = Planning, administrative time, initial data, etc.; AND Cost to Use/Manage = New Administrative Costs + Yearly maintenance fees new administrative costs not present in current solution

11 Measuring ROI ROI = (Net Savings) / (Cost of Solution)

12

13

14 ROI Calculator available at: ROI Calculator available at: Tools and Utilities

15 Reduce Costs

16 Focus On the Objective Reduce the average cost of managing a userid Most cost related to managing passwords associated with the userids! Create, Delete operations occur once per userid Password changes occurs multiple times for multiple people Sooner or later we all need help from the help desk Some need more help more often than others!

17 Reduce Costs Reduce the average cost of managing a userid Options for reducing the cost of managing passwords 1. Synchronize 2. Eliminate a. Kerberos b. Biometric Use one or more of these

18 Synchronize Passwords

19 Synchronization Solutions Passwords are the least effective mechanism Reduces costs / does not improve security Different ways to accomplish synchronization Best approach No caching or storing of passwords Inexpensive approaches Software only Users still enter userid/password More expensive approaches Appliances Eliminate prompts for passwords

20 Synchronization Solutions Many supported products IBM IBM i ISVs Cross platform ISVs Alternatives exist! Build your own IBM Lab Services / partners

21 Eliminate Passwords

22 Kerberos Authentication Extremely low cost! Shipped with IBM i (OS/400, i5/os) base OS IBM calls Kerberos Network Authentication Service Just configure it!

23 Configure Network Authentication Service (aka Kerberos)

24 Kerberos Authentication You already trust and use it! If your network uses a Windows domain Works on nearly all known platforms Plug-ins/wrappers available for some applications E.g. Lotus Notes Wrappers can possibly be built for specific Wrappers can possibly be built for specific applications

25 Kerberos Authentication For IBM i, also configure EIM Enterprise Identity Mapping Shipped with IBM i (OS/400, i5/os) If already configured, can be used with other solutions

26 Configure EIM

27 Biometric Authentication

28 Biometrics Add biometric authentication to Windows domain or local computer login Optionally, remove password field!

29

30 Biometrics 5250 Telnet Login Add biometric authentication to 5250 telnet login! Or in green screen application/transaction, Or AIX, or Linux, or mobile phone, or web application, etc

31

32 Mix and Match Technologies

33 Remember the Objective Reduce the cost of identification and authentication Technology is NOT the objective Use a combination of the best approaches Eliminate where possible (and cost effective) then synchronize passwords that you cannot or choose not to eliminate

34 Eliminate ALL Passwords and Prompts! Add biometric authentication to Windows domain and remove password field Configure Kerberos and EIM for i5/os If two-factor authentication required Add biometric authentication to 5250 telnet login in addition to configuring Kerberos Add Domino Kerberos or Biometric Plug-in Add Apache/WAS Kerberos and/or biometric plugin

35 Getting Management Approval

36 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. If more to investigate go to 2 5. Take ROI calculation to management

37

38 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. If more to investigate go to 2 5. Take ROI calculation to management

39 Investigate and Select Technology Kerberos Start with what you have Cheapest / Easiest Determine how many passwords you can easily eliminate Password Synchronization Start w/ IBM Lab Services or Lab Services Partner Look for solutions that provide ONLY what you need Beware all or nothing solutions

40 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. If more to investigate go to 2 5. Take ROI calculation to management

41

42 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. If more to investigate go to 2 5. Take ROI calculation to management

43 Investigate and Select Technology Password Synchronization Start w/ IBM Lab Services or Lab Services Partner Look for ISV solutions that provide ONLY what you need Beware all or nothing solutions Expensive and lock you in Biometric Authentication Enterprise solution required Built-in sensors not designed for enterprise access Solutions that support all platforms including IBM i (OS/400, i5/os) are available

44 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. If more to investigate go to 2 5. Take ROI calculation to management

45 ROI Calculator available at: ROI Calculator available at: Tools and Utilities

46 Management Approval Process 1. Determine current cost of userid and Password Use ROI calculator 2. Investigate and select technical option(s) 3. Determine cost to implement and manage technical options Use ROI calculator 4. Take ROI calculation to management

47 Summary

48 Summary Improve security by decreasing risk and/or reducing cost! Password management is surprisingly large cost to IT and enterprise Calculate ROI for security solutions Look to password synchronization and elimination to reduce costs and improve security Work with management in terms of ROI

49 P a More Information Redbook Windows-based Single Signon and the EIM Framework on the iseries (SG ) select Enterprise Identity Mapping from the left-hand navigator pane: information about EIM on all IBM platforms, Windows, Linux, and Java IBM i Information Center, Security topic

50 P a More Information IBM Lab Services Redbook Windows-based Single Signon and the EIM Framework on the iseries (SG ) IBM i Information Center, Security topic

51 2009 Botz & Associates, Inc. All Rights Reserved. ABOUT THE SPEAKER Patrick Botz is the founder and president of Botz & Associates, Inc. He is also the president of Valid Technologies, LLC, whose product, VSSA, is a leading enterprise biometric authentication management solution. Prior to starting Botz & Associates, Pat served as the Lead Security Architect and Team Leader for the IBM, working on some of the most widely used midrange servers is the business world with a focus on authentication, authorization, auditing, and ease of use. Following his work primary focus on helping customers meet various industry regulations such as SOX, PCI DSS, and SAS 70. He additionally worked to help customers improve the effectiveness and efficiency of their current security management processes, assisting them with moving to exclusionary access control models, eliminating passwords in various environments, managing User IDs, implementing encryption, and auditing on various platforms. Pat is co-author of the book /Expert s Guide to OS/400 and i5/os Security/, and has published numerous articles in the trade press and IBM magazines. He is also a noted worldwide security conference speaker, presenting at various conferences and in webcasts including COMMON, IBM Technical Conference, various user groups, St. Cloud State University Security conference, and IBM Business Partner conferences. P.O. Box 7498 Rochester, MN Telephone: (507)

52 2009 Botz & Associates, Inc. All Rights Reserved. Trademark & Disclosure Statements The following terms and marks are trademarks of Botz & Associates, Inc.: is a trademark of Group8 Security, Inc. Other company, brand and product names are trademarks or registered trademarks of their respective holders. Information is provided AS IS without warranty of any kind. All examples described are presented as illustrations of how customers have used BAI recommendations, products or services and are the results they may have achieved. Actual results may vary by customer. Information concerning non-bai products or services was obtained from a supplier of these products, published announcement materials, or other publicly available sources and does not constitute an endorsement of such products by BAI. P.O. Box 7498 Rochester, MN Telephone: (507)

53 Contact Information Valid Technologies 3701 FAU Blvd, Ste. 210 Boca Raton, Florida Phone: Pat Botz Greg Faust Tom Secreto Jack Warner

54 2009 Botz & Associates, Inc. All Rights Reserved. CALCULATING RETURN ON INVESTMENT

55 Measuring ROI ROI = (Net Savings) / (Cost of Solution) Savings = (Current Cost) (New Cost) Net Savings = Savings (Cost of Solution) Current Cost to Manage = Administrative Time + Help Desk Time + End User Time Convert to $$$ using average salary for each set of users New Cost to Manage = Estimate how much time will spent given selected solutions Time required by Admins, Help Desk, End Users converted to $$$ Cost of Solution = Cost to Acquire + Cost to Implement + Cost to Use/Manage Cost to Acquire = Initial Licensing Costs of selected solution(s) + (1 time cost) Cost to Implement = Planning, administrative time, initial data, etc.; AND Cost of any additional applications/products required by selected solution Cost to Use/Manage = New Administrative Costs + Yearly maintenance fees Does solution introduce new administrative costs not present in current solution?

56 Measuring ROI ROI Depends on Real and Estimated Costs

57 Relative Total Solution Cost Password Elimination Centralized User Mgmt Cost to Acquire $0 Expensive Cost To Implement Inexpensive Expensive Cost To Manage Inexpensive Relatively Inexpensive Total Solution Cost Inexpensive Expensive Next Table

58 Password Elimination vs. Centralized User Management Relative Savings, Costs, and ROI Password Elimination Centralized User Mgmt Current Cost Of ID & Authn Same Same New Cost Of ID & Authn Savings = Current Cost New Cost Greater Smaller Less Greater Prev Table Total Solution Cost Less Greater Net Savings = Savings Total Solution Cost Smaller Greater ROI = Net Savings / (Cost of Solution) Solution)??