Keys to the kingdom

Single sign-on technologies can unlock enterprise security, notes Marc Boroditsky

Boroditsky: Basic password systems can be improved on

Terry Childs is the City of San Francisco’s disgruntled network manager who reset all the administrative passwords on the routers of the city’s FibreWAN network, holding the city to ransom.

IT managers globally are working out how to prevent the same thing happening to them.

Complex corporate IT requires users to memorise more passwords. We have all experienced password frustration; Gartner estimates that 25 to 35 per cent of calls to IT helpdesks are password-related, at an estimated cost of £15 to £20 a call.

Aside from the lost productivity, excessive administrative overheads and user frustration, passwords can be a security risk.

Users often choose simple passwords that are easy to guess.

The US Sarbanes Oxley Act includes specific clauses on password security. Yet the problem does not lie with passwords themselves but how they are managed and deployed.

Enterprise single sign-on technologies (ESSO) let users sign in once with a single password and access all their applications, databases and systems, so they gain immediate access to corporate information in a more secure, controlled environment.

Quantifiable savings can be made in help desk costs, alongside simplified administration, improved enterprise security and greater user productivity, while complying with regulations on data protection, privacy and corporate governance.

ESSO has often been seen as too costly and labour-intensive, and one of the biggest criticisms of ESSO has been that it makes an organisation vulnerable to a single point of attack.

Yet since users do not need to remember each password, unique and complex alpha-numeric combinations of any length, case or format can be created for each application, database or account log-in.

The Terry Childs incident illustrated another problem, too: the insider threat.

Advanced ESSO software now includes shared and privileged user management capabilities. This enables all administrative passwords to be encrypted and stored in the enterprise’s central directory.

Administrators must check out a password from the directory in order to use it. The request can be approved or denied based on the administrator’s role and their manager’s approval within an identity management system.

If approved, the software will log the administrator on to the network device and check the password back in automatically. The administrator never knows the password.

The software will also keep a history of passwords for each network device, so if a device must be restored from back-up, the password that was current at the time of that back-up can be retrieved.
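The check-out, logon, check-in and history workflow described above, as an added illustration that is not code from this article or from Passlogix: a minimal vault that approves requests on role and manager sign-off, performs the device logon itself so the administrator never sees the password, rotates the credential on check-in and keeps every generation for restores. The `Router` stand-in, `PrivilegedVault` and the role policy are constructed for the example.

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


class Router:
    """Stand-in for a network device: accepts a logon only with its current password."""
    def __init__(self, name, password):
        self.name, self.password, self.sessions = name, password, []

    def logon(self, admin, password):
        if not secrets.compare_digest(password, self.password):
            return False
        self.sessions.append(admin)
        return True


class PrivilegedVault:
    """Holds device passwords; administrators request sessions, never the password itself."""
    def __init__(self, policy):
        self.policy = policy  # device name -> set of roles allowed to check it out (constructed)
        self.devices, self.history, self.checked_out, self.audit = {}, {}, {}, []

    def enrol(self, router):
        # Take over the device credential: rotate it at once and start the history.
        self.devices[router.name] = router
        self._rotate(router)

    def _rotate(self, router):
        # Long random secret nobody has to remember; every generation is kept on record.
        router.password = "".join(secrets.choice(ALPHABET) for _ in range(32))
        self.history.setdefault(router.name, []).append(router.password)

    def check_out(self, device, admin, role, manager_approved):
        # Approval rests on the administrator's role and the manager's sign-off;
        # a credential already in use cannot be checked out a second time.
        allowed = role in self.policy.get(device, set()) and manager_approved
        if not allowed or device in self.checked_out:
            self.audit.append(("denied", device, admin))
            return False
        self.checked_out[device] = admin
        self.audit.append(("checkout", device, admin))
        # The vault performs the logon on the administrator's behalf.
        return self.devices[device].logon(admin, self.devices[device].password)

    def check_in(self, device, admin):
        if self.checked_out.get(device) != admin:
            return False
        del self.checked_out[device]
        self._rotate(self.devices[device])  # the used password is retired immediately
        self.audit.append(("checkin", device, admin))
        return True

    def password_for_backup(self, device, generation):
        # The password current at a given generation, e.g. for a device restored from
        # a back-up taken while that generation was in force.
        return self.history[device][generation]
```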

This system of shared management capability would have prevented the San Francisco incident.

There is a need for an effective alternative to basic password systems that offers greater control and security around access to enterprise networks.

Marc Boroditsky is chief executive officer at Passlogix