Friday, March 29, 2013

IT Trends for 2013

As the US economy slowly gains traction, IT budgets are likely to remain flat or see only modest increases in 2013. As such, IT personnel will continue to look for ways to make the organization and its infrastructure run more efficiently. CIOs will focus on projects that provide a substantial return on investment and on high-visibility projects, those that have a significant impact on the largest possible number of employees. Below are several areas we predict will be of particular interest to the technology departments in business, government, education and healthcare.

Employee Self Service
Any process that eliminates calls to the help desk results in a tremendous time saving, so the trend towards employee self-service will continue through 2013. HR departments started this trend decades ago when they allowed employees to look up benefits, remaining vacation time and other routine information without contacting a representative. The trend is continuing in the IT group with tasks such as password resets and requests for access to distribution lists, network shares and specific applications.

Self-service password reset applications have been around for several years now and continue to prove their value. Businesses and schools that have not already adopted this technology would do well to investigate it in the coming year. Much like a banking website, end users enroll by answering a series of challenge questions and, should they forget their password, can reset it directly from the network login screen or a website. This eliminates a call to the help desk and lets the employee become productive immediately instead of waiting in the help desk phone queue. Because challenge answers can often be guessed or looked up, two-factor authentication (2FA) enhances security in this area as well: delivery of a one-time PIN code via SMS or email gives stronger evidence that the person resetting the password is the actual employee, provided the delivery channel is not itself protected by the password being reset.

Another area of self-service involves employees who need access to distribution groups, network shares or applications they cannot currently reach. Normally this involves a phone call to the help desk or a paper form requiring multiple signatures that ends up in the IT group. Using workflow processes, employees can initiate the request from a web page on the company intranet and, depending on the request, have it routed electronically to the individuals responsible for approval. If an automated provisioning process is in place, involvement from the IT department may not be necessary at all, or IT may only need to perform the final step when notified by the workflow system.

Cloud Applications
As solutions like Gmail and Office 365 continue to gain traction in corporate and education environments, being able to provision and de-provision accounts in a timely fashion becomes critical to controlling costs. While many companies have implemented identity management solutions for Active Directory, extending that process seamlessly to these cloud applications can be a challenge. Though both Google and Microsoft offer tools to synchronize AD with their respective products, they reportedly fall short in many areas and can make account management a tedious chore.
Many vendors offer advanced tools that allow for painless synchronization and management of accounts in these and many other cloud applications. As most cloud solution providers invoice based on the number of active users in any given month, ensuring that the accounts of departed users are decommissioned promptly leads to incremental savings, and it also closes the window in which a former employee could still log in.

Security and Audit

As in past years, network security and accurate reporting to auditors will have a large impact on the IT department. Providing employees the access to applications and network functional areas they need to perform their jobs, while ensuring unnecessary access is never granted, will continue to occupy a large portion of IT resources. IAM providers will continue to enhance their solutions with automated and seamless interfaces to the myriad applications in an average organization, thereby reducing the overhead of maintaining proper access rights.
Controlling access rights properly when employees join an organization, change positions or leave makes the audit process that much easier and keeps the organization in compliance at all times rather than only at audit time. This will continue to be a driving force in the coming year, especially as the “bring your own device” (BYOD) concept surges.

About Tools4ever
Tools4ever distinguishes itself with a no-nonsense approach and a low total cost of ownership. In contrast to comparable identity and access management solutions, Tools4ever implements a complete solution in several days rather than weeks or months. Because of this approach, Tools4ever is the undisputed identity and access management market leader with more than five million managed users. Tools4ever supplies a variety of software products and integrated consultancy services involving identity management, such as user provisioning, role-based access control, password management, single sign on and access management. For more information, please visit www.tools4ever.com.

Friday, March 22, 2013

Five ways Hospitals can Improve Information Security

  1. Easily eliminate the security risk of shared accounts - Often in hospitals, doctors and nurses use shared accounts, with one set of credentials for everyone. This is especially common in emergency rooms where employees use one PC to access important information. To avoid spending valuable time logging into Windows and launching applications, one generic user account is often used. This is not secure, since anyone who knows the shared credentials can reach information they are not authorized to see, and no action can be attributed to an individual, which also makes audits and compliance difficult. Instead, doctors and nurses need their own credentials for each application, but requiring them to remember new credentials for every application is difficult, and logging in and out is time consuming. A single sign on application eases this process and lets employees remember only one set of credentials, making the elimination of shared accounts easy. Combining this with a smartcard is even more efficient: once a user presents the smartcard to the reader, it is recognized by the SSO software and the session is switched to that user, who is logged in and has the right applications launched automatically.

  2. No written down passwords - Hospitals would like to implement strong and complex passwords to satisfy audit requirements. Implementing complex passwords, though, has major consequences for end users. If users have to remember several different complex passwords that also need to be changed periodically, they will often write them down and store them somewhere. This makes the applications and systems insecure, since anyone who finds the note has the credentials. With a single sign on solution, doctors and nurses do not need to write down their credentials, because they only need to remember one combination of username and password. This eliminates this security risk and gives hospitals the possibility to implement complex passwords easily.
  3. Give employees correct access rights - To ensure the security of the network and information in a hospital, employees need to be given the correct security permissions depending on their job roles. Ensuring that employees have the proper access rights, and no more, improves security. Doing so requires setting controls, which can take the IT department months to implement. A role based access control solution can assist with this process. It helps the IT department populate the RBAC matrix and provides a simple overview of the network resources available to an employee based on their job role.
  4. User provisioning - Often when employees leave a hospital, the IT staff is not notified right away, and the employees' accounts are left open, allowing ex-employees to access information. This leaves systems and information insecure and can lead to serious problems. With an automated account management solution in place, the IT department can quickly deprovision accounts as soon as an employee leaves, ensuring security and easing compliance with audit standards.
  5. Stored information - With a single sign on solution, information can be stored about who is logging into which application and when. This allows the IT department to review who has access to what and whether their applications and systems are secure. It also helps them comply with audit standards.
For more information, please visit our website.

Friday, March 15, 2013

A Case Study on Self Service Password Resets

South County Hospital is a 100 bed acute care hospital located in Wakefield, Rhode Island and has more than 1,200 employees. With a focus on lean management, and an effort to make processes as efficient as possible, the hospital began to look for ways to improve password management and reduce the number of support calls to the help desk. The help desk was averaging 20 to 25 password resets a month, each requiring about half an hour to complete due to the arduous process of receiving the call, placing a work order, resetting the password and then contacting the users, most of whom are busy clinicians. By improving this process, the hospital also wanted to enhance the user’s experience so they did not have to wait on the process and could easily reset their own passwords and get on with their jobs.
When looking for a vendor with a solution to its password management issues, South County considered Tools4ever a front runner, as it had previous experience with another of the company's products, RealLastLogon. Tools4ever's Self Service Reset Password Manager (SSRPM) would be able to resolve all of the password reset issues in the hospital's environment and also integrate with its Outlook Web Access page, a top priority at the hospital. SSRPM would also be able to integrate with Meditech, the hospital information system, to synchronize the password. Although the decision was made to do that integration as a phase 2 task, the ability to do so in the future was a major consideration.

Easily Customize and Integrate with Systems

SSRPM was installed easily in South County's environment and was able to integrate with all the applications at the hospital. SSRPM is now set up to work with three entry points at the hospital: Outlook Web Access for email, the standard Windows credential provider used when logging on to the computer, and remote web access for people working outside the network. The hospital was even able to modify the security questions users are asked when resetting their passwords. “The ability to choose questions that have an answer that only the user would know yet are easy to remember is important,” said Ken Hedglen, Information Technology Manager at South County Hospital.

No Training Required

With SSRPM, users no longer need to spend precious time contacting the help desk and waiting for a reply to their password reset request. They are now able to answer a series of security questions and quickly reset their own password. The hospital also liked that they did not need to provide any training on the product due to it being self-explanatory. “Any system that we implement that we don’t hear anything about after the fact is good, because no news is good news when it comes to systems” said Hedglen. SSRPM has also been beneficial to the helpdesk as they can handle other types of work orders. “The helpdesk can now focus on more important issues rather than simple password resets and are much more productive” said Hedglen.

For more information, please visit our website


Friday, March 8, 2013

Time-Saving Healthcare IT Industry Trends

As the U.S. economy slowly improves, healthcare facility IT budgets are likely to remain flat or see only modest increases in 2013. This means IT departments will continue to look for ways to make their organizations and infrastructures run more efficiently. Below are several areas that will be of particular interest to the technology departments in the healthcare industry.
 
Self-Service Applications for End Users

Healthcare facilities will be looking for time-saving ways to eliminate end-user calls to the IT help desk, so we'll likely see an uptick in self-service applications for IT end users.
 
Self-service password reset applications have been around for several years now and continue to prove their value. End users enroll by answering a series of challenge questions and, should they forget their password, can reset it directly from the network login screen or a website. This eliminates a call to the help desk and allows the employee to become productive immediately instead of waiting in the help desk phone queue.
 
South County Hospital in Rhode Island recently realized the benefits of a self-service reset password application. Its help desk averaged 20 to 25 password reset requests a month, each requiring about 30 minutes to complete because of the arduous process of receiving the call, placing a work order, resetting the password and then contacting the users, most of whom were busy clinicians. Once the self-service application was put in place, users no longer spent precious time contacting the help desk and waiting for a reply.
 
In addition, two-factor authentication (2FA) enhances security in this area. Challenge answers alone can often be guessed or looked up, so delivering a one-time PIN code via SMS or email gives stronger evidence that the person resetting the password is the actual employee who has rights to the system. The PIN should expire quickly, be usable only once, and go to a channel that is not itself protected by the password being reset.
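The reset flow described in the paragraphs above (enroll with challenge questions, answer them at reset time, then confirm with a one-time PIN sent out of band), as an added example in Python that is not SSRPM's or any vendor's code. The user, the questions, the PIN length and lifetime, the attempt limit and the corporate mail domain are assumptions chosen for illustration; the directory write is stood in for by a dictionary.

```python
"""Self-service password reset: challenge questions, then a one-time PIN.

Added example, not vendor code. Stores challenge answers like passwords
(salted, slow hash), issues a short-lived single-use PIN only after the
questions pass, and refuses to send the PIN to a mailbox that the password
being reset protects. All names and limits below are assumptions.
"""
import hashlib
import hmac
import secrets
import time
import unicodedata

OTP_LIFETIME_SECONDS = 300             # assumption: PIN valid for five minutes
MAX_ATTEMPTS = 5                       # assumption: lock after five wrong answer sets
CORPORATE_MAIL_DOMAIN = "example.org"  # assumption: mail opened with the AD password


def _normalize(answer: str) -> str:
    # "Rex", " rex", "REX" are the same answer to a user; compare a canonical form.
    return unicodedata.normalize("NFKC", answer).strip().casefold()


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Challenge answers are low-entropy, so never store them in plaintext.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer).encode(), salt, 100_000)


class ResetService:
    def __init__(self):
        self.enrollments = {}   # user -> [(question, salt, answer_hash), ...]
        self.attempts = {}      # user -> consecutive failed answer sets
        self.pending_otp = {}   # user -> (sha256(pin), expiry, channel)
        self.passwords = {}     # user -> password; stands in for the directory write
        self.audit = []         # (timestamp, user, event)

    def enroll(self, user, qa_pairs):
        stored = []
        for question, answer in qa_pairs:
            salt = secrets.token_bytes(16)
            stored.append((question, salt, _hash_answer(answer, salt)))
        self.enrollments[user] = stored
        self.attempts[user] = 0

    def questions_for(self, user):
        return [question for question, _, _ in self.enrollments[user]]

    def verify_answers(self, user, answers):
        """Step 1: every challenge answer must match; failures count towards lockout."""
        if self.attempts.get(user, 0) >= MAX_ATTEMPTS:
            return False
        stored = self.enrollments[user]
        ok = len(answers) == len(stored)
        for (_, salt, expected), given in zip(stored, answers):
            # constant-time compare, and check every answer rather than stopping early
            ok &= hmac.compare_digest(expected, _hash_answer(given, salt))
        if not ok:
            self.attempts[user] += 1
        return ok

    def issue_otp(self, user, channel, now=None):
        """Step 2: send a one-time PIN out of band. Returns the PIN for the
        SMS/mail gateway; only its hash is kept."""
        if channel.startswith("mailto:") and channel.endswith("@" + CORPORATE_MAIL_DOMAIN):
            # The corporate mailbox is opened with the very password being reset,
            # so a PIN delivered there proves nothing.
            raise ValueError("OTP channel must not depend on the password being reset")
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[user] = (hashlib.sha256(pin.encode()).digest(),
                                  now + OTP_LIFETIME_SECONDS, channel)
        return pin

    def complete_reset(self, user, pin, new_password, now=None):
        """Step 3: the PIN must be the pending one and unexpired. It is consumed
        whether or not it matches, so it cannot be guessed by retrying."""
        now = time.time() if now is None else now
        pending = self.pending_otp.pop(user, None)
        if pending is None:
            return False
        pin_hash, expiry, _ = pending
        if now > expiry:
            return False
        if not hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest()):
            return False
        self.passwords[user] = new_password
        self.attempts[user] = 0
        self.audit.append((now, user, "self-service password reset"))
        return True
```

Two details carry most of the security weight here: answers are never compared or stored in plaintext, and the PIN is removed from the pending table on the first attempt, so a wrong guess burns it and the user has to pass the questions again to get another one.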
 
Another area of self-service involves employees who need access to distribution groups, network shares or applications they cannot currently reach. Traditionally, this requires the end user to contact the help desk or start a tedious paper process requiring multiple signatures. With workflow processes, employees can initiate the request from a web page on the company intranet and, depending on the request, have it routed electronically to the individuals responsible for approval. If an automated provisioning process is in place, involvement from the IT department may not be necessary, or IT may only need to perform the final step when notified by the workflow system.
 
Cloud Applications in the Healthcare Industry

As solutions like Gmail and Office 365 continue to gain traction in healthcare, the ability to provision and de-provision accounts in a timely fashion becomes critical to controlling costs. While many health systems have implemented identity management solutions for Active Directory, extending that process seamlessly to these cloud applications can be a challenge. Though both Google and Microsoft offer tools to synchronize AD with their respective products, they reportedly fall short in many areas and can make account management a tedious chore.

Many vendors now offer advanced tools that allow for easy synchronization and management of accounts in these, and many other, healthcare cloud applications. As most cloud solution providers invoice based on the number of active users in any given month, ensuring that departed users' accounts are decommissioned in a timely fashion leads to incremental savings, and it closes the window in which a former employee could still log in.
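A reconciliation job of the kind the paragraph above calls for, written here as an added example and not any vendor's synchronization tool: it compares the HR roster with a cloud application's user list and produces the accounts to disable, the active accounts nobody in HR owns, and the employees still waiting for an account. The HR export, the cloud user list, the reporting date and the per-seat price are constructed for illustration.

```python
"""Reconcile an HR roster against a cloud application's user list.

Added example, not vendor code. Produces three lists a provisioning job can
act on: accounts to disable (owner has left), active accounts with no HR
owner (review: contractors, test accounts, leftovers), and employees with
no account yet (provision). All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    email: str
    end_date: Optional[date]   # None while still employed


@dataclass(frozen=True)
class CloudAccount:
    email: str
    active: bool               # only active seats are billed


TODAY = date(2013, 3, 8)       # constructed reporting date

# Constructed HR export (assumption: HR holds the authoritative end date).
HR_EXPORT = [
    HrRecord("E001", "alice@example.org", None),
    HrRecord("E002", "bob@example.org", date(2013, 2, 28)),    # left last month
    HrRecord("E003", "carol@example.org", None),                # new hire, no account yet
    HrRecord("E004", "dave@example.org", date(2013, 3, 31)),   # leaving, still employed
]

# Constructed cloud user list as a provider's admin API might return it.
CLOUD_USERS = [
    CloudAccount("Alice@Example.org", True),          # case differs from HR
    CloudAccount("bob@example.org", True),
    CloudAccount("dave@example.org", True),
    CloudAccount("contractor99@example.org", True),   # nobody in HR owns this
    CloudAccount("erin@example.org", False),          # already disabled: nothing to do
]


def reconcile(hr, cloud, today):
    """Return {'disable': [...], 'review': [...], 'provision': [...]} keyed by email."""
    # Email is case-insensitive; normalise before matching or leavers slip through.
    hr_by_email = {r.email.lower(): r for r in hr}
    cloud_by_email = {a.email.lower(): a for a in cloud}

    def has_left(record):
        return record.end_date is not None and record.end_date <= today

    disable = sorted(
        email for email, acct in cloud_by_email.items()
        if acct.active and email in hr_by_email and has_left(hr_by_email[email])
    )
    review = sorted(
        email for email, acct in cloud_by_email.items()
        if acct.active and email not in hr_by_email
    )
    provision = sorted(
        email for email, rec in hr_by_email.items()
        if not has_left(rec) and email not in cloud_by_email
    )
    return {"disable": disable, "review": review, "provision": provision}


def stale_seat_cost(report, seat_price_per_month):
    """Monthly spend on seats that should not be billed (leavers plus unowned accounts)."""
    return (len(report["disable"]) + len(report["review"])) * seat_price_per_month


if __name__ == "__main__":
    report = reconcile(HR_EXPORT, CLOUD_USERS, TODAY)
    for action, emails in report.items():
        print(action, emails)
    print("stale seats per month:", stale_seat_cost(report, 5.00))  # assumed seat price
```

Run daily against the real HR export and the provider's user API, the "disable" list feeds the deprovisioning step and the "review" list is the one to show an auditor, since those seats are both billed and unaccounted for.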
 
Use of Single Sign On
In hospitals and healthcare settings, workstation computers are often used by several people, meaning restricted information can be viewed by unauthorized individuals if accounts are not securely managed.

Yet, clinicians frequently share a common user name and password with peers to avoid wasting time switching between user profiles.

With several people working under one login on a machine, it is impossible to attribute actions to an individual employee. Therefore, shared accounts are being eliminated, leaving employees with the task of remembering several credentials. Often, these credentials need to contain special characters that are difficult to remember and need to be changed frequently, which leads to employees being locked out of their accounts.

Single sign on software will continue to be a trend in 2013 because of its ability to alleviate this issue. It is a tool that enables end users to log in just once, after which access is granted automatically to all of their authorized network applications and resources. In addition, other solutions can be paired with single sign on, such as fast user switching, which allows users to log in and out with a badge or pass card.

By reducing the time required to log in, clinicians can easily and securely access patient information as they quickly move from room to room. It is even possible to integrate “Follow Me,” which allows users who have opened applications on Citrix and/or Terminal Server to continue their work on another computer. Overall, clinicians will be able to focus less on signing in and more on caring for patients.
 
Security and Audit of the Healthcare Industry
As in past years, ensuring security of the network and providing accurate reporting to auditors will have a large impact on the IT department, both in time and money. The IT department needs to provide employees with the correct access rights to applications and network functional areas, while also ensuring unnecessary access is never granted. This process will continue to occupy a large portion of IT resources. Providence Hospital in South Carolina was one such hospital that needed to reform its process. According to hospital leaders, the department faced more demands and was not getting any additional staff because of economic factors. As such, hospital employees needed to work smarter and employ tools to create more efficiency.

Since the hospital automated its account management, assigning group privileges and permissions to individual users can now be completed with a Web form. The application also creates the appropriate Exchange mailbox and a home folder for the employee on the appropriate share drive. Ensuring the proper access rights from the start makes the audit process that much easier and keeps the organization in compliance at all times.

For more information on our solutions, please visit our webpage.

Friday, March 1, 2013

Securing workstations from the risk of exposing sensitive data

Health care and security through single sign on and two-factor authentication

In hospitals and health care settings, work station computers are often used by several people, meaning restricted information can be viewed by unauthorized individuals if accounts are not securely managed.

Yet, clinicians frequently share a common user name and password with peers to avoid wasting time switching between users.

With several people working under one login on a machine, it is impossible to attribute actions to an individual employee, so there is no usable audit trail when one is needed.

The first step to reducing the risk of exposing sensitive data to those who shouldn’t have access is to create user accounts for every person that needs access. While this may seem like an easy task there are number of considerations to keep in mind. For example, it’s necessary to ensure accounts are created in a timely fashion and that proper access rights are given in the network, and that the account is disabled if the employee leaves.

But even with strict security requirements in place, users increasingly have to enter a separate combination of username and password for each application they wish to access. Over a working day, a user can easily enter credentials for more than a dozen applications, which produces further issues. It takes time and opens up other security problems (passwords written on sticky notes stuck to the monitor or on pieces of paper slid under the keyboard, for example, or overly simple passwords). Help desks also frequently field calls from users who have forgotten passwords, resulting in elevated support costs.

One practical and secure solution to this problem is the use of a Single Sign On (SSO) product. SSO allows each user to sign into the system once and thereafter be automatically logged into each of their applications on the computer without having to enter additional credentials.

Results from a survey in the health care market revealed some concerns though with SSO, including that the e-mail applications of the users might be available to others. Users expressed concern, being very protective of their e-mail and their personal information. Of course, this issue also can occur if users have shared accounts on the same computer and fail to completely close a browser when logged into an e-mail account.

The concern that information may be easily accessed by non-account owners in an SSO environment can be alleviated by using two-factor authentication. Two-factor authentication asks a user to present a second form of identification in addition to their user name and password, such as a pass card, PIN code or USB token, to access the workstation. This adds a level of protection to their e-mail and other accounts: even if someone besides the account owner obtains the password, they are unable to access the account without that second factor.

Using the two pieces, SSO and two-factor authentication, in conjunction addresses the HIPAA security requirements for keeping electronic information safe while also addressing users' concerns about the privacy of their accounts. Badge-based two-factor authentication also allows for fast user switching, thereby reducing the time clinicians spend waiting for their profile to load.

By utilizing automated solutions for identity and access management, the burden on the IT staff also can be decreased and overall system security will increase, allowing employees more time to focus on the real work at hand without having to worry about sharing access to systems or worrying about multiple password applications.

For more information, please visit our website.

Friday, February 22, 2013

Misconception Perception: Single Sign On Myths Debunked

Single Sign On (SSO) allows end users to log in once with their credentials and thereafter enjoy immediate access to all of their applications and systems without being asked to log in again. This is extremely beneficial in reducing help desk calls, since users only have to remember one password instead of many.

Though SSO can be beneficial to any company, many IT managers and security officers are skeptical about the implementation of an SSO solution. Their skepticism is the result of a number of preconceptions, which in many cases are misconceptions, about these identity and access management tools.

The following are common beliefs about SSO that do not hold up:

Implementing SSO Imposes Greater Pressure on Security

IT managers and security officers often believe that a single login immediately puts the security of information at risk. They assume that if an unauthorized person gets hold of that single credential, that person will have access to all of the account's associated applications.

With SSO, the various entry points to applications are indeed replaced by one access point: once the primary password is entered, all linked accounts can be reached. That single credential therefore deserves more protection than any one application password did, which is why it is commonly backed by a strong password or a second factor (see below). In exchange, the user's login process is streamlined, and having to remember just one password largely does away with the risk that the user scribbles passwords on a piece of paper under the keyboard, as often happens when they must remember a dozen or so username and password combinations (the average number per user) without SSO.

This was often the case at Community Bank and Trust of Florida. Since the bank uses hundreds of different systems and applications that require complex passwords, users understandably had a difficult time remembering all of their user credentials. By implementing SSO at the bank, end users no longer have to use unsecure methods, such as writing down their passwords to remember them.

It is also possible to add extra security to the primary SSO log-in with a user card and PIN code or an extra-strong password. Logging in with a card and PIN code is a strong form of authentication, and users also consider it to be very user-friendly.

An SSO Implementation is a Long, Drawn Out Project

This is often wrongly assumed because SSO implementation is part of a broader security policy. Other components might include introducing more complicated passwords, taking more care with authorizations and complying with standards imposed by the government.

Because SSO affects almost all end users and runs throughout the organization, some see implementation as taking a great deal of time to notify and prepare end users for the change. SSO brings with it a number of questions, such as:
  • “How do I deal with people who have multiple log-ins on one application?”
  • “What do I do if an application offered through SSO gets a new version?”
  • “What happens if the application itself asks for a password to be reset?”

All these questions often cause SSO implementation to be shifted to the background. However, any potential complexity faced at implementation is no reason to postpone adding a SSO solution because it has long-lasting benefits once up and running. By starting small, say by making the top five applications available through SSO, a considerable time saving on the number of log-in actions can be achieved, justifying buying the solution.

For example, at Community Bank and Trust of Florida, an SSO solution was easily and quickly implemented to solve its password issues. It was even possible for the bank’s IT leaders to roll into production exactly what they did during their trial phase, which made their implementation process extremely convenient.

It’s Not Possible to Make Cloud Applications Accessible via SSO

Just as with all other applications, it is certainly possible to log in to cloud applications with SSO.

An SSO Implementation is Expensive

The nice thing about an SSO solution is that it’s often not necessary to set it up for all the people in an organization. SSO may be needed only for a select group of people who need to access many different applications, such as tellers. The advice here is to restrict implementations to the most critical applications and the employees who have to log in to a variety of different applications. This will control the implementation in terms of price and complexity, and offers an excellent springboard for any further growth and expansion in accordance with changing future needs.

An SSO Solution is Not Needed Because We Use Extremely Complex Passwords

Insisting on extremely complex passwords is one way to secure the network, but at the same time, it’s also one of the causes of insecure situations. This is because many end users have difficulty remembering their mandated passwords, certainly when they have to recall more than a dozen username and password combinations. Often, requiring the use of complex passwords leads to frequent help desk calls because employees tend to forget them more readily. A highly insecure and undesirable situation arises when end users write their passwords on notes and leave them lying around their computer.

Using SSO means employees only have to remember one password for all of their applications: a simple solution to a complex problem, easier access to multiple accounts for all who need it, and fewer calls to the help desk, ensuring IT staff are able to focus on more important priorities than password resets. For example, All Star Automotive in Louisiana saw a major reduction in time spent dealing with password issues by implementing an SSO solution. The IT manager at the automotive group said, “Users can now concentrate on their jobs rather than managing their own passwords.”

For more information, please visit our website.

Friday, February 15, 2013

3 ways to use Identity & Access Management software for audits


HIPAA, Basel II, SarBox… and the list goes on. Organizations are evaluated for compliance with various standards, legislation and regulations. These evaluations are called audits, and sooner or later your organization will face one. If you are an IT manager faced with an audit, you should be able to demonstrate that you have your network fully under control. Among other things, this means that you:
  1. Must be able to demonstrate at any time who is allowed to do what in the network, and when network actions have been performed (authorizations and reporting). For instance, you should be able to indicate which employees are allowed to approve and pay invoices and who reset employee X’s password and when.
  2. Must have implemented a strong password policy.

The Identity & Access Management (IAM) solutions by Tools4ever provide you with additional support in legislative and regulatory compliance, to wit:

Who can do what?
Role Based Access Control (RBAC) is a technique for setting up authorization management in an organization and for answering the question of who is and is not allowed to do what in the network. With RBAC, authorizations are not assigned to individual staff members but to roles, which are derived from attributes of the employee such as department, title, location and cost center. RBAC reduces the chance of error because network actions and changes can only be performed by people whose role authorizes them.

Many organizations are already somewhere in the RBAC life cycle: discovery, project definition, implementation, population or ongoing management. Tools4ever assists dozens of organizations in setting up an RBAC authorization matrix. Done by hand, this is a hugely labor-intensive, complex and costly process; Tools4ever's software makes it possible to automate the majority of the population of the RBAC authorization matrix.

Using UMRA, the so-called organizational roles - the way in which employees are designated in the HR system, particularly in terms of their title, department and cost center - are matched against the technical roles - applications and folders - present across the organization. Tools4ever can help organizations match their HR system and network, as well as analyze the current authorizations for each organizational role. This allows the organization to decide which HR attributes should be used for each role.

The result of this alignment could be, say, that 90% of the employees in a particular role, e.g. nurses in the Cardiology department, hold a particular set of authorizations. The logical step is then to assign that same set automatically to every new employee in the role. By letting the majority govern the assignment of authorizations, a first step can be made towards populating the RBAC matrix in a very simple way. The remaining deviations, employees holding authorizations outside the role baseline or lacking ones it includes, are exactly the exceptions an auditor will ask about, so they should be reviewed explicitly rather than silently adopted into the role. This approach can save a great amount of time and money.
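The majority rule just described, carried out in code as an added example that is not UMRA or any Tools4ever product. It also handles two points the text implies: a role with only one or two members has no meaningful majority and is set aside for manual definition, and every employee's deviations from the mined baseline are listed for review. The departments, titles, group names and memberships are constructed for illustration; the 90% threshold follows the text.

```python
"""Populate an RBAC authorization matrix from current memberships by majority.

Added example, not UMRA. For each organizational role (department/title from
HR) it keeps the groups held by at least `threshold` of the role's members,
leaves roles with too few members for a manual decision, and lists each
employee's deviations from the resulting baseline. Data is constructed.
"""
from collections import Counter, defaultdict

# Constructed HR extract: employee -> (department, title)
HR = {f"u{i:02d}": ("Cardiology", "Nurse") for i in range(1, 11)}
HR["u11"] = ("Finance", "Clerk")
HR["u12"] = ("Finance", "Clerk")

# Constructed current group memberships (what the directory says today)
_NURSE_GROUPS = {"EHR-Clinical", "Cardiology-Share", "Meditech-Nursing"}
MEMBERSHIPS = {emp: set(_NURSE_GROUPS) for emp in list(HR)[:10]}
MEMBERSHIPS["u03"].add("Finance-Invoices")          # a nurse who can pay invoices
MEMBERSHIPS["u10"].discard("Meditech-Nursing")      # a nurse missing a standard group
MEMBERSHIPS["u11"] = {"Finance-Invoices", "Finance-Share"}
MEMBERSHIPS["u12"] = {"Finance-Invoices"}


def organizational_role(department, title):
    return f"{department}/{title}"


def mine_roles(hr, memberships, threshold=0.9, min_members=3):
    """Return (matrix, manual): role -> baseline groups, and roles too small to mine."""
    members = defaultdict(list)
    for emp, (department, title) in hr.items():
        members[organizational_role(department, title)].append(emp)

    matrix, manual = {}, []
    for role, emps in sorted(members.items()):
        if len(emps) < min_members:
            # With one or two members "the majority" is just those people's
            # current access, so the role has to be defined by hand.
            matrix[role] = set()
            manual.append(role)
            continue
        counts = Counter(g for e in emps for g in memberships.get(e, set()))
        matrix[role] = {g for g, c in counts.items() if c / len(emps) >= threshold}
    return matrix, manual


def deviations(hr, memberships, matrix, manual):
    """Per employee: groups beyond the role baseline (review or revoke) and
    baseline groups not held (grant). Roles awaiting manual definition are skipped."""
    out = {}
    for emp, (department, title) in hr.items():
        role = organizational_role(department, title)
        if role in manual:
            continue
        held = memberships.get(emp, set())
        extra, missing = held - matrix[role], matrix[role] - held
        if extra or missing:
            out[emp] = {"extra": sorted(extra), "missing": sorted(missing)}
    return out


if __name__ == "__main__":
    matrix, manual = mine_roles(HR, MEMBERSHIPS)
    for role, groups in matrix.items():
        print(role, sorted(groups), "(define manually)" if role in manual else "")
    for emp, diff in deviations(HR, MEMBERSHIPS, matrix, manual).items():
        print(emp, diff)
```

The deviation list is what turns mining into an audit artifact: u03's extra Finance-Invoices membership is the kind of exception an auditor asks about, and it should be explicitly approved or revoked rather than absorbed into the nurse role because one person happens to hold it.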

Strong password policy
Many laws and regulations require the implementation of a strong password policy (strong authentication). To achieve this, it is possible to activate the complexity rules in Windows Active Directory. However, you should first ask yourself whether this complexity is desirable for your organization, as it may have major consequences for your end users.

The default Windows Active Directory password complexity rules are often insufficient. Systems administrators need a more flexible solution that, among other things, makes it possible to determine individually, which rules are applied and when. For this type of scenario, Tools4ever offers Password Complexity Manager (PCM). PCM makes it possible to implement different security levels for different types of end users, based on their organizational roles and titles.

As mentioned earlier, implementing a stricter password policy has major implications for end users as well as for the organization as a whole. End users will need to remember more complex passwords and, since most of them will have trouble doing so, the help desk is bound to receive more password reset calls.

To reduce the number of password reset calls, Tools4ever offers Self Service Reset Password Management (SSRPM), which lets end users reset their passwords independently by providing answers to a series of simple, predefined questions.

A stricter password policy also has consequences for the productivity of employees. They will have to remember more complex passwords for all of their applications, and will be far from happy with the situation. For this reason, many organizations choose to implement a SSO solution to cater for the needs of their end users.

Our Enterprise Single Sign On Manager solution (E-SSOM) allows end users to log in once, after which they are automatically granted access to all applications and resources across the network without having to log in again. E-SSOM functions as an additional software layer that handles all login processes and automatically enters the required credentials (automatic login). E-SSOM also ensures that, in addition to Active Directory, a strong password is automatically used for all the underlying applications.

For organizations that do not use SSO but nevertheless want their end users to be less hindered by a stricter password policy, Password Synchronization Manager (PSM) is an eminently suitable solution. It allows end users to use the same password across systems and applications: when an end user's Active Directory password is reset, PSM ensures that all linked systems and applications receive and use the new password. Since one password then opens every linked system, it should be held to the stricter policy rather than used as a reason to relax it.

Two-factor authentication
When implementing a strong password policy is insufficient in itself (e.g. because end users end up jotting down their passwords), it is possible to use strong (two-factor) authentication. Rather than entering their user name and password, users will log in by holding a card against a card reader and entering a PIN code. This results in strong authentication, as two-factor authentication is based on something the user has (the card) and knows (the PIN code). In this set-up, the card ID is linked to the user’s Active Directory credentials.

It is also possible to implement strong authentication without purchasing additional hardware. In this scenario, the employee's smartphone takes on an important role, since it offers various authentication capabilities: facial recognition (using the camera), voice recognition (using sound recordings) and geographical positioning (using GPS) as an additional signal. This type of low-cost authentication is the latest trend in the field of authentication.

Automated logging
The solutions by Tools4ever ensure that all processes leave an audit trail. For each action, the system automatically logs who has performed which management activity at which moment. In this way, the organization can verify previous processes at any time and evaluate these retroactively. This is indispensable, as sound registration is a precondition for a successful audit.
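The two audit questions posed at the start of this post (who reset employee X's password and when, and whether only authorized people performed management actions) answered from a management audit trail, as an added example that is not Tools4ever's logging. The log format (a timestamp followed by key=value pairs, one management action per line), the sample lines and the help desk group membership are all constructed for illustration.

```python
"""Answer audit questions from a management audit trail.

Added example, not Tools4ever's logging. The log format and the sample
lines are constructed; the help desk group membership is an assumption.
"""
from datetime import datetime

# Constructed audit trail: one management action per line.
AUDIT_LOG = """\
2013-03-01T09:14:22Z actor=hdesk.mary action=password_reset target=jdoe source=helpdesk-console
2013-03-01T09:20:05Z actor=jdoe action=password_reset target=jdoe source=ssrpm
2013-03-02T17:45:10Z actor=dev.bob action=password_reset target=cfo.anne source=helpdesk-console
2013-03-03T08:00:00Z actor=hdesk.mary action=group_add target=jdoe group=Cardiology-Share
2013-03-04T12:30:00Z actor=hdesk.tom action=password_reset target=jdoe source=helpdesk-console
"""

# Assumption: the role whose members may reset other people's passwords.
HELPDESK_ROLE = {"hdesk.mary", "hdesk.tom"}


def parse_audit(text):
    """Parse lines into dicts. Malformed lines are kept under 'raw' rather than
    dropped, because a gap in the trail is itself an audit finding."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = {"ts": ts}
        try:
            rec["when"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
            for field in fields:
                key, value = field.split("=", 1)
                rec[key] = value
        except ValueError:
            rec = {"raw": line}
        records.append(rec)
    return records


def who_reset(records, target, since=None, until=None):
    """'Who reset employee X's password, and when?' -> [(timestamp, actor, source)]."""
    hits = []
    for r in records:
        if r.get("action") != "password_reset" or r.get("target") != target:
            continue
        if since is not None and r["when"] < since:
            continue
        if until is not None and r["when"] > until:
            continue
        hits.append((r["ts"], r["actor"], r.get("source", "")))
    return hits


def unauthorized_resets(records, allowed_actors):
    """Resets of someone else's password by an actor outside the allowed role.
    A user resetting their own password through self-service is legitimate."""
    return [
        (r["ts"], r["actor"], r["target"])
        for r in records
        if r.get("action") == "password_reset"
        and r["actor"] != r["target"]
        and r["actor"] not in allowed_actors
    ]


if __name__ == "__main__":
    records = parse_audit(AUDIT_LOG)
    print("resets of jdoe:", who_reset(records, "jdoe"))
    print("resets outside the help desk role:", unauthorized_resets(records, HELPDESK_ROLE))
```

The second query is the one that ties the audit trail back to RBAC: the trail shows what happened, and comparing actors against the role that should have been allowed to act is how an exception like dev.bob's reset of the CFO's password surfaces before an auditor finds it.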
For more information, please visit our website