
Hitachi ID Password Manager


4 Metrics

Before deploying a credential management system, it is useful to identify and start recording metrics.


Transcription of Hitachi ID Password Manager

Hitachi ID Password Manager Deployment Best Practices

2016 Hitachi ID Systems, Inc. All rights reserved.

Contents

1 Introduction
2 System objectives
3 Mission statement
4 Metrics
5 Stake-holders
6 Deployment and support team
7 Features and design
8 User access to the self-service UI
9 Formulating a uniform password policy
    Strategy
    Suggested policy rules
    Where to enforce password policy
10 Equivalent credentials
11 Security questions
    Security equivalence
    Memorable questions
    Other best practices
    Sample questions
12 Augmenting security questions with a second factor
13 Infrastructure integrations
14 Hitachi ID Password Manager: technical architecture
    Number and location of servers
    Configuration of individual servers
    Development, test and production environments
    Proxy servers for hard-to-reach target systems
15 Hitachi ID Password Manager: server hardening
    Overview
    Physical security
    Operating system access
    IIS configuration
    SQL Server configuration
16 Hitachi ID Password Manager: BYOD access to on-premise credential management
17 Auto-discovery of user profiles and accounts
    Selecting sources of profiles
    Mapping login IDs to user profiles
18 User enrollment
19 Maximizing user adoption and ROI
    Minimize password problems
    User awareness
    Incentives for enrollment
    Automated reminders
    A call to IT support is not the right time to enroll
    Charge-backs and manager feedback
    Reduce SLA for help desk calls
    Plan for user adoption
20 Ongoing administration and support
    Functional test
    Password changes
    Enrollment
    Transparent password synchronization
    Help desk logins
    Sending e-mails
    Creating call tracking system ticket
    IVR (phone call) integration
    Mobile access
    Off-site, Windows login screen access
    Filesystem unlock
    Changes to target system configuration
    Monitor service health
    Monitor utilization
21 Summary

1 Introduction

This document outlines best practices for designing, installing and rolling out Hitachi ID Password Manager to manage credentials for on-premise and SaaS systems and applications.

The remainder of this document is organized as follows:

- System objectives: what credential management systems are designed to do.
- Mission statement: how organizations should structure their internal communication about priorities and objectives.
- Metrics: how to measure the impact on the system.
- Stake-holders: who to involve in design, implementation and ongoing support.
- Deployment and support team: who the core individuals are that must build out and support the system and what their initial and long term commitment will be.
- Features and design: what processes the system should automate.
- User access to the self-service UI: how to ensure that users can resolve login problems wherever they may be, at any time and on any device in any state.
- Formulating a uniform password policy: how to develop a set of password rules that work for every system and every user community.
- Equivalent credentials: caution about weak links in security and how to avoid them.
- Security questions: design considerations for enrolling security questions and using them to authenticate users who forgot their password.
- Augmenting security questions with a second factor: how to improve security by front-ending security questions with a stronger, one-time-password credential.
- Infrastructure integrations: what systems the credential management automation should integrate with.
- Password Manager: technical architecture: the runtime platform and network architecture on which Password Manager is deployed.
- Password Manager: server hardening: how to lock down OS, DB and web servers to protect the system.
- Password Manager: BYOD access to on-premise credential management: how to enable users to access self-service from their phones or tablets, which are typically not attached to the corporate network.
- Auto-discovery of user profiles and accounts: how to minimize care and feeding of the system using auto-discovery.
- User enrollment: inviting users to answer security questions; install smart phone apps; etc.
- Maximizing user adoption and ROI: strategies to get users to enroll and to use the system to resolve login problems.
- Ongoing administration and support: what can be expected in terms of long term care and feeding of the system.

2 System objectives

A credential management system should deliver three benefits:

- Improved user service: Fewer credentials for users to remember and manage and simpler, quicker and more convenient resolution for login problems.
- Lower IT support cost: Fewer help desk calls related to login problems such as forgotten passwords, intruder lockouts or tokens left at home.
- Stronger security: Stronger and more consistent enforcement of policies around password composition, change frequency and reuse, as well as more reliable processes to authenticate users who experience a login problem, before assisting them.

3 Mission statement

A mission statement documented before the system is deployed is helpful for getting all stake-holders to cooperate. One way to formulate this mission statement is to capture the state of affairs before the system is deployed and the desired end state. Following is an example:

Credential management system objectives

| Area | Before | After |
|------|--------|-------|
| User service / SLA | Users manage 8 different passwords, on average. | With password synchronization, users will only have to manage 2 passwords. |
| User service / SLA | Only some passwords expire and they do so at different times. | Users will be prompted to change all passwords at the same time. |
| User service / SLA | Different systems enforce different password policy rules. | A uniform password policy will supersede multiple, inconsistent rules. |
| User service / SLA | Users sometimes forget their pre-boot password. | Enable self-service filesystem unlock via smart phone app. |
| User service / SLA | Users sometimes forget their OS login password, in some cases while off-site. | Enable self-service password reset from the PC login screen, with VPN+WiFi integration to support users working outside the office. |
| IT support cost | 30% of total help desk call volume is due to login problems. | Password synchronization and self-service problem resolution will reduce this call volume by at least 80%. |
| IT support cost | 5% of total call volume is due to OTP token problems. | Offer self-service PIN reset and emergency passcodes via |

