Friday, May 24, 2013

Four Simple Solutions for Introducing Complex Passwords

You want to introduce complex passwords with a view to improving information security. But the introduction of such stronger passwords, which also have to be changed regularly, leads to resistance among end-users. After all, they have to remember a multitude of username/password combinations. This results in insecure situations – employees write passwords on Post-It notes – and in many password reset requests to the helpdesk. Here are four simple solutions with which you can indeed introduce complex passwords into your organization, but without causing frustration among users.

1. Reduce the number of passwords with Single Sign On

Reduce the number of passwords and ensure that employees only have to remember one complex password instead of dozens. Single Sign On (SSO) offers the ability to do this. SSO lets employees log in just once, after which access is automatically granted to all applications and systems the user might open, so the staff member doesn’t have to log in afresh for each application. That saves an average of three to five logins with varying passwords each day.

Perhaps you want to do away with even this remaining password? In that case SSO can be deployed in combination with an access pass. The security card your employees use to gain access to the premises or for time and attendance then replaces the final username/password combination. By presenting the card to a reader (or inserting it) and, if required, entering a PIN code, the user is automatically logged in. When the employee presents the card to a reader again, he or she is logged out.

2. Automatic password synchronization

Would it not be ideal if the same username/password combination could be used for every application? The difficulty here is that passwords almost always have an expiry date and need to be renewed regularly, and the expiry date is not the same for every application. For some applications a new password has to be set monthly, while other software might only require it once a year. It’s virtually impossible for users to re-enter a newly introduced password in every other application by hand so that the password is indeed identical everywhere.

However, you can automate this very well with password synchronization solutions, which ensure that passwords are and remain synchronized across multiple systems. The newly set password is intercepted immediately and forwarded to all other applications.

3. Help users to create strong passwords

Employees often find it difficult to come up with complex passwords. Some applications insist that the password must contain an uppercase letter, a punctuation mark or a digit, or that the password must differ from the old one by X percent.

That’s why users need some help in creating new, strong passwords. Password creation tools assist users in producing their passwords: the applicable complexity rules are shown while users configure a new password, and they are notified whether each requirement has been met.
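The kind of live rule feedback described above, as an added example rather than code from Tools4ever or any product named on this page. The rule set (minimum length, character classes, and a minimum percentage of change from the previous password) is a constructed policy, and the "differ by X percent" rule is implemented here with Levenshtein edit distance as one reasonable reading of that requirement; real tools take their rules from the target system's policy.

```python
"""Password-rule feedback helper (added example; not Tools4ever code).

Constructed policy: the rules below are assumptions standing in for whatever
the target application enforces. Each rule carries the text shown to the user,
so the UI can list the requirements and mark each one met or not met as the
user types.
"""
import string
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

MIN_LENGTH = 12             # constructed value
MIN_CHANGE_PERCENT = 50     # constructed value for "differ from the old one by X percent"


@dataclass
class Rule:
    description: str                                # shown to the user alongside the field
    check: Callable[[str, Optional[str]], bool]     # (candidate, previous password) -> met?


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def percent_changed(new: str, old: Optional[str]) -> float:
    """Share of the longer password that had to change; 100% when there is no previous password."""
    if not old:
        return 100.0
    return 100.0 * edit_distance(new, old) / max(len(new), len(old))


POLICY: List[Rule] = [
    Rule(f"at least {MIN_LENGTH} characters", lambda p, _: len(p) >= MIN_LENGTH),
    Rule("an uppercase letter", lambda p, _: any(c.isupper() for c in p)),
    Rule("a lowercase letter", lambda p, _: any(c.islower() for c in p)),
    Rule("a digit", lambda p, _: any(c.isdigit() for c in p)),
    Rule("a punctuation mark", lambda p, _: any(c in string.punctuation for c in p)),
    Rule(f"at least {MIN_CHANGE_PERCENT}% different from the previous password",
         lambda p, old: percent_changed(p, old) >= MIN_CHANGE_PERCENT),
]


def evaluate(candidate: str, previous: Optional[str] = None) -> List[Tuple[str, bool]]:
    """Return every rule with a met/not-met flag so the UI can show live feedback."""
    return [(rule.description, rule.check(candidate, previous)) for rule in POLICY]


def is_acceptable(candidate: str, previous: Optional[str] = None) -> bool:
    return all(met for _, met in evaluate(candidate, previous))


if __name__ == "__main__":
    # Constructed sample: a one-digit increment of last year's password meets the
    # character-class rules but fails the minimum-change rule.
    for description, met in evaluate("Summer2013!x", previous="Summer2012!x"):
        print("MET    " if met else "NOT MET", description)
```

Showing the whole rule list with per-rule status, rather than a single "password rejected" message, is what removes the guesswork the passage describes; the minimum-change rule in particular catches the common habit of incrementing a digit.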
4. Let users reset their passwords themselves

As mentioned earlier, the introduction of complex passwords leads to an increase in the number of password reset requests to the helpdesk. To ease the burden on the helpdesk it’s possible to let users reset their passwords themselves. Users identify themselves by correctly answering a number of personal questions (e.g. ‘What’s your mother’s maiden name?’) and can then reset their own passwords, without the intervention of the helpdesk.

A combination of these solutions means time-consuming registration procedures are a thing of the past and the helpdesk is relieved of the problems. Users benefit from maximum user-friendliness, while productivity rises.

For more information, please visit our website.

Thursday, May 16, 2013

Control Data and Applications Securely When Employees Come & Go

In today’s complex corporate and business network environments, controlling access to sensitive data is of utmost concern. The amount of security-related data stored across a network is immense for many organizations, and relating all this data to the user’s account information in Active Directory can be tricky and time consuming.

There are really three sides to proper data security. The first step is ensuring that new employee accounts are created with the proper access rights when an employee joins the organization. The second is making sure those access rights remain accurate during the employee’s tenure, and the third is revoking all access rights when the employee leaves. Let’s take a more in-depth look at solutions for all three of these phases of data security.

Solutions

By using a role-based access control matrix in conjunction with an identity management solution, companies can ensure that accounts for new employees are always created with proper access rights.

The first step of this stage is to define the roles that employees should have in the organization. A role is usually a combination of department, location and job title. Establishing the data access rights, group memberships and application requirements for each role can be time consuming, but the end result is a template that serves both for creating new employee accounts and as an audit baseline in the future.

Software applications are available that link a human resource system to Active Directory for automatic account creation with all proper rights. Additionally, if there are special requirements, a workflow system can easily be established to allow managers and system owners to process approvals before access is granted.

Access rights to data tend to creep into multiple areas over an employee’s tenure with an organization. For example, rights are assigned for special projects, while an employee is covering for a colleague on leave, or when an employee changes departments and responsibilities. The revocation of these special or historical rights occurs infrequently at best. Again, software solutions are available to analyze the rights of employees and make the information actionable. For such a product to provide value, several capabilities should be considered mandatory, including the ability to detect:
  • Direct access to a file/directory rather than access through a group membership;
  • Access to a file/directory through multiple or nested group memberships;
  • Groups and user accounts that are no longer present in Active Directory;
  • Duplicate access privileges to a file/folder of a user or user group;
  • Access to files/directories through a local or file system user account.
Once an audit of access rights is performed, it can be compared against the baseline template for each employee role initially established. Any deltas can then be sent to managers and systems owners for verification or revocation of the rights. 
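The five detection points above, followed by the comparison against the role baseline, as an added example that is not Tools4ever's code or any product's logic. Every piece of directory data is constructed: the users, groups, share paths and role matrix are hypothetical, the SID is an explicit placeholder, and the `FS01\` prefix stands for the local account namespace of a file server. A real audit would collect ACLs from the file system and memberships from Active Directory; this code shows only the detection logic applied once that data is in hand.

```python
"""Access-rights audit against a role baseline (added example; not Tools4ever code).

Constructed data throughout: users, groups, resources, the role matrix, a
placeholder SID for a deleted principal, and a local-account name prefix.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterator, List, Set, Tuple

LOCAL_PREFIX = "FS01\\"          # assumption: trustees in this form are local (non-domain) accounts
FIN = r"\\fs01\finance"
SALES = r"\\fs01\sales"

AD_USERS: Dict[str, str] = {"alice": "Finance", "carol": "Finance", "bob": "Sales"}   # user -> role
AD_GROUPS: Dict[str, Set[str]] = {
    "Finance-Staff": {"alice", "carol"},
    "Finance-Reporting": {"Finance-Staff"},      # nested: a group that contains another group
    "Sales-Staff": {"bob"},
}
ROLE_BASELINE: Dict[str, Set[str]] = {"Finance": {FIN}, "Sales": {SALES}}   # role -> resources it should have
ACLS: Dict[str, List[Tuple[str, str]]] = {                                    # resource -> [(trustee, permission)]
    FIN: [("Finance-Staff", "Modify"), ("Finance-Reporting", "Modify"), ("bob", "Read")],
    SALES: [("Sales-Staff", "Modify"),
            ("S-1-5-21-PLACEHOLDER-1105", "Read"),        # placeholder SID: principal deleted from AD
            (LOCAL_PREFIX + "svc_backup", "Read")],       # local file-server account
}

Chain = Tuple[str, ...]


def expand_group(group: str, groups: Dict[str, Set[str]], path: Chain = ()) -> Iterator[Tuple[str, Chain]]:
    """Yield (user, chain of groups) for every user reachable through nested membership."""
    chain = path + (group,)
    for member in groups.get(group, ()):
        if member in groups:
            if member not in chain:              # guard against cyclic nesting
                yield from expand_group(member, groups, chain)
        else:
            yield member, chain


def audit(acls, users, groups):
    """Return (findings, effective): findings are (resource, kind, detail);
    effective[user][resource] lists every (permission, chain) that grants it."""
    findings: List[Tuple[str, str, str]] = []
    effective = defaultdict(lambda: defaultdict(list))
    for resource, aces in acls.items():
        for trustee, perm in aces:
            if trustee in users:                 # ACE names a user instead of a group
                findings.append((resource, "direct", f"{trustee} holds {perm} directly, not via a group"))
                effective[trustee][resource].append((perm, (trustee,)))
            elif trustee in groups:
                for user, chain in expand_group(trustee, groups):
                    if len(chain) > 1:           # reached through a group inside a group
                        findings.append((resource, "nested", f"{user} reaches {perm} via {' > '.join(chain)}"))
                    effective[user][resource].append((perm, chain))
            elif trustee.startswith(LOCAL_PREFIX):
                findings.append((resource, "local", f"local account {trustee} holds {perm}"))
            else:                                # neither a known user nor group: orphaned principal
                findings.append((resource, "orphaned", f"trustee {trustee} no longer exists in AD"))
    # Duplicate privilege: the same user holds the same permission from more than one ACE.
    for user, per_resource in effective.items():
        for resource, grants in per_resource.items():
            for perm, n in Counter(p for p, _ in grants).items():
                if n > 1:
                    findings.append((resource, "duplicate", f"{user} holds {perm} through {n} separate ACEs"))
    return findings, effective


def baseline_deltas(effective, users, baseline):
    """Compare each user's effective resources with the template for their role."""
    deltas = {}
    for user, role in users.items():
        actual = set(effective.get(user, {}))
        expected = baseline.get(role, set())
        deltas[user] = {"extra": actual - expected, "missing": expected - actual}
    return deltas


if __name__ == "__main__":
    found, rights = audit(ACLS, AD_USERS, AD_GROUPS)
    for resource, kind, detail in found:
        print(f"[{kind:9}] {resource}: {detail}")
    for user, delta in baseline_deltas(rights, AD_USERS, ROLE_BASELINE).items():
        if delta["extra"] or delta["missing"]:
            print(f"{user}: extra={sorted(delta['extra'])} missing={sorted(delta['missing'])}")
```

The deltas are the list to send to managers and system owners: here, bob's direct Read on the finance share is outside the Sales role template and would be flagged for verification or revocation, while alice's double Modify on the same share is redundant rather than excessive and is reported separately.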

The final step in the data security process is one that is often overlooked or not performed in a timely fashion: The termination of access rights to the network, data and all applications, including cloud-based solutions, must be accomplished immediately upon an employee’s termination.

Recently, a sales manager at a large organization that’s also a client of Tools4ever told a horror story about this very topic. A terminated sales rep had his network access revoked immediately upon departure, but the organization did not have a process in place to disable access in a timely manner to a cloud-based business intelligence application. The terminated employee realized the account was still “live” and proceeded to download more than 10,000 records over the course of the next 30 days at a cost to the company of more than $6,000.

The point of this story: Imagine the costs if 20, 30 or 100 terminated employees did this very same thing in a short period of time.

When putting a process in place to handle terminated employees, the most common scenario is, once again, a link to the HR system. When an employee is terminated, a synchronization process needs to be in place to handle the decommissioning of accounts in all internal and external systems. If feasible, using web services or application programming interfaces (APIs) to automate the process will save time and money in the long run. Where not feasible, an email workflow process should be established whereby system owners are notified to terminate the account and positive confirmation is required to establish that the work has been completed.
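The leaver process described in this paragraph, as an added example that is not Tools4ever's code: an HR feed is reconciled against the account inventory of every system; where a system offers an API the account is disabled in place, and where it does not a work item is opened that stays open until the system owner positively confirms completion. The employee ids, system names and the `automated` flag are constructed assumptions, and the "cloud BI" system without automation mirrors the scenario in the story above.

```python
"""Leaver reconciliation: HR feed vs. per-system account inventories (added example; not Tools4ever code).

Constructed data: employee ids, system names, and which systems expose an API
(System.automated). System.disable() stands in for a real API/web-service call.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Tuple


@dataclass
class System:
    name: str
    automated: bool              # True: disable via API/web service; False: email workflow to the owner
    accounts: Dict[str, bool]    # employee id -> account enabled?

    def disable(self, emp_id: str) -> bool:
        """Simulated API call; returns False when this system has no automation."""
        if not self.automated:
            return False
        self.accounts[emp_id] = False
        return True


@dataclass
class Ticket:
    emp_id: str
    system: str
    termination_date: date
    confirmed: bool = False      # set when the owner reports the account is gone


@dataclass
class Reconciler:
    systems: Dict[str, System]
    tickets: List[Ticket] = field(default_factory=list)

    def run(self, hr_feed: List[dict]) -> List[str]:
        """For each terminated employee with a live account anywhere, disable it or escalate."""
        actions = []
        for person in hr_feed:
            if person["status"] != "terminated":
                continue
            for system in self.systems.values():
                if not system.accounts.get(person["id"], False):
                    continue                     # no account there, or already disabled
                if system.disable(person["id"]):
                    actions.append(f"{person['id']}@{system.name}: disabled via API")
                elif not self._has_open_ticket(person["id"], system.name):
                    self.tickets.append(Ticket(person["id"], system.name, person["termination_date"]))
                    actions.append(f"{person['id']}@{system.name}: owner notified, awaiting confirmation")
        return actions

    def _has_open_ticket(self, emp_id: str, system: str) -> bool:
        return any(t.emp_id == emp_id and t.system == system and not t.confirmed for t in self.tickets)

    def confirm(self, emp_id: str, system: str) -> None:
        """Positive feedback from the system owner closes the ticket and updates the inventory."""
        for t in self.tickets:
            if t.emp_id == emp_id and t.system == system and not t.confirmed:
                t.confirmed = True
                self.systems[system].accounts[emp_id] = False

    def open_tickets(self) -> List[Ticket]:
        return [t for t in self.tickets if not t.confirmed]

    def overdue(self, today: date, max_days: int) -> List[Ticket]:
        """Open tickets for employees who left more than max_days ago: accounts still live."""
        return [t for t in self.open_tickets() if (today - t.termination_date).days > max_days]


def build_demo() -> Tuple[Reconciler, List[dict]]:
    """Constructed inventory and HR feed for the example run."""
    systems = {
        "ActiveDirectory": System("ActiveDirectory", True, {"E100": True, "E101": False, "E102": True}),
        "CloudBI": System("CloudBI", False, {"E100": True, "E101": True, "E102": True}),
        "CRM": System("CRM", True, {"E101": True}),
    }
    hr_feed = [
        {"id": "E100", "status": "active"},
        {"id": "E101", "status": "terminated", "termination_date": date(2013, 4, 15)},
        {"id": "E102", "status": "terminated", "termination_date": date(2013, 5, 14)},
    ]
    return Reconciler(systems), hr_feed


if __name__ == "__main__":
    reconciler, feed = build_demo()
    for line in reconciler.run(feed):
        print(line)
    for t in reconciler.overdue(today=date(2013, 5, 15), max_days=1):
        print(f"OVERDUE: {t.emp_id}@{t.system}, terminated {t.termination_date}")
```

Running the reconciliation on a schedule, rather than once at termination, is what surfaces the kind of account in the story above: the E101 CloudBI ticket shows up as overdue until the owner confirms it, and a second pass opens no duplicate tickets.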

Summary

It is imperative that organizations implement the necessary security measures to ensure that access to data, groups and applications is right-sized for an employee throughout their tenure. Equally critical is the revocation of all account access when the employee departs. Failure to meet these criteria can lead to theft of secure data and costly access to external applications.


For more information on our Identity and Password Management solutions, please visit our website.

Friday, May 10, 2013

From RBAC to CBAC: Claim Based Access Control


Many organizations that are in the process of defining the various organizational roles for the purpose of Role Based Access Control (RBAC) will realize that this is a major or even unachievable undertaking. After all, mapping out all the roles for each department and job title is a time-consuming job. A consultant will have to check with every department to create an inventory of user privileges, formalize it and gain approval. Also, a high level of detail is to be avoided, as this would make it necessary to define as many roles as there are employees, which would undermine the value of automation.

To solve problems like these, Tools4ever has developed an Identity and Access Management solution that combines RBAC with Claim Based Access Control (CBAC). CBAC involves the assignment of access rights to applications and other services based on a so-called claim (proof of authenticity) through which a third party vouches for the authenticity of the person who is requesting access rights or a particular service.

In actual practice, this means that difficult scenarios, exceptions and doubts in the area of authorizations are handled by members of the organization rather than assigned or revoked automatically. To this end, Tools4ever offers a self-service portal through which requests for access privileges can be delegated to the relevant manager or employee. Following their approval, the changes are implemented across the network.

CBAC allows organizations to quickly and intelligently gain control over user access to network resources. All the decisions regarding the assignment of access rights are directly made by the responsible staff members.

For more information on Identity Management solutions, and other Tools4ever products, please visit our website.

Friday, May 3, 2013

South Jersey Healthcare uses Tools4ever

As a leader in providing quality identity and access management solutions, Tools4ever continues to be especially proficient in developing, implementing and automating user account management processes within the healthcare setting.

Tools4ever, the worldwide market leader in identity and access management solutions with more than five million user accounts, announced today that South Jersey Healthcare, based in Vineland, New Jersey, has implemented User Management Resource Administrator (UMRA) to standardize and streamline its user account management processes throughout the organization.

A nonprofit healthcare organization made up of three major regional hospitals and more than 60 outpatient care locations, South Jersey Healthcare uses UMRA to assist with the standardization of account creation and management for its more than 6,000 employees, as well as to provide employees within the organization with the correct access rights to internal systems.

Before UMRA, South Jersey Healthcare employees entered account data using their own conventions - such as custom passwords and logins - which often led to errors, confusion and lost productivity. Tools4ever's UMRA allows leaders at South Jersey Healthcare to customize electronic forms for account creation without burdening the employees in charge of this task with elevated rights. Instead of free-form data entry, UMRA's electronic templates have drop-down menus with information such as department names, radio buttons with locations and addresses built in, as well as the mandatory fields required to create an account.

"UMRA has helped clean up Active Directory to make it more consistent and useful for our entire organization," says Andrew Gahm, systems and security engineer at South Jersey Healthcare.

Departmental, IT and health system directors at South Jersey Healthcare now are assured that the information included in their account is accurate and correct, and the organization no longer needs to focus time on cleaning up messes or correcting account disparities from accounts that were not previously created correctly, says Gahm.

As a worldwide leader in identity and access management solutions, Tools4ever is especially proficient in developing, implementing and automating user account management processes within the healthcare setting. Tools4ever has carried out thousands of implementations for healthcare organizations such as South Jersey Healthcare, including South County Hospital in Wakefield, Rhode Island, CentraState Healthcare System in Freedom Township, New Jersey, and Providence Hospital in Columbia, South Carolina.

"As hospital and healthcare leaders continue to be met with mandates and reform, solutions such as automated user account management will be increasingly vital to them and ever important as they seek new ways to not only manage data, but also manage who has access to certain and specific data," says Dean Wiech, managing director of Tools4ever. "Tools like UMRA are powerful allies to IT leaders and organizational management as they allow for regular information audits to be conducted and even streamline the account creation and data management process."


For more information, please visit our website.