
Page 1: FastPassCorp , Jesper  Oestergaard ,  Director  Business  Development ,  jo@fastpasscorp

FastPassCorp, Jesper Oestergaard, Director Business Development, [email protected]

Self-Service Password Management

Made easy

Vivit Usergroup meeting: Chicago

May 24, 2011

”For your eyes only”

Page 2

Agenda

• FastPassCorp

• Self-service

• The Password problem space

• The FastPass solution stack

• Some more nuggets

• Wrap-up

Page 3

FastPassCorp A/S

• Founded as IT InterGroup in 2000:
  – Services in IT security
    • Identity & Access Management
  – Sold to PriceWaterhouseCoopers June ’08

• Now FastPassCorp:
  – Independent Software Vendor (ISV)
    • FastPassCorp first to introduce AD based password reset, November 2004
  – Selling through a network of partners
    • Service Providers, Service Management vendors & Partners, Desktop deployment partners
  – Listed on Nasdaq OMX Copenhagen Exchange (First North) September 2007: [FASTPC]

[Chart: User license sold (V3)]

Page 5

– and we’re a partner with HP in the Enterprise Management Alliance Program.

Page 6

”Gartner predicts that client self-service will account for 58 percent of all service interactions by 2010, due to their dramatic contribution to the reduction of cost of operating an IT environment”

Self-service

Page 7

Do you consider Self-service important and an area to focus on?

Self-service

Do you have a Self-service strategy?

What implications do you see and what are your main concerns?

Page 8

In order to enable Self-service people need access

Self-service

A forgotten password leaves the user without access, so consider password self-service as part of your Self-service initiatives!

Page 9

The Password Pain - Service Desk

(Aberdeen Group)

Calls to IT Service Desk

- Gartner analysts say that 20-50% of all Service Desk calls are for password reset

- Forrester suggests that the average cost for a single password reset could be as high as $100

- FastPassCorp research indicates anything from $25 - $147

Page 10

The Password pain - user side

- A forgotten or lost password will leave the user unproductive – and frustrated!

- Lost productivity can be extremely costly, so a password reset needs severity 1

- So, what’s the price for a single password reset if the requirement basically is 24*7?

The average time to resolve a forgotten password request will vary from <½ hour to several days:

- 25% of industry norm companies take >4 hours

- 40% of industry norm companies take <1 hour

Page 11

The security issue

For a start, let’s look at the nature of the password!

- Used for (secure!) identification (authentication) of users

- Supposed to be private – ”For your eyes only”

- One of three identification methodologies: ”something you know”, ”something you have”, ”something you are”

Jane45#jacobs§99124%

Page 12

The security issue - continued

The password reset process – a double-sided who-is-who

- If passwords are ”for your eyes only”, what about the person at the Service Desk (or the outsourced Service Desk)?

Fact: 60-80% of IT crimes are insider jobs!

- Secure identification of the user calling, and a secure password handover process, are required to accommodate compliance initiatives (Sarbanes-Oxley Act, ISO 27001 etc.)

Who is responsible??

Page 13

FastPass Password Manager v3

• Utilizes the existing Microsoft infrastructure (AD, ADAM/AD LDS)
• Secure identification of users (multi-authentication engine)
• Advanced notification services
• Access from anywhere (XP, Vista, Windows 7, Browsers (PC & mobile), Service Desk portals (Service Req. mgmt.))
• Scalable to large and complex environments incl. MSPs
• SR/Incident forwarding to HP Service Manager
• Automated enrolment services
• Enforces password policies
• Multi-system reset for other platforms/systems (SAP, AS/400, SQL, Generic connector etc.)
• Web-services (SOA) application
• Fast implementation (1-2 days on Windows)

Page 14

Secure identification

• Configurable multi-factor authentication
  – Profile based, and the profile is determined dynamically.
  – Profile is based on attributes and status:
    • Does the session come from a specific network (secure or insecure)?
    • Is the user a member of a specific group (Administrator or normal user)?
    • Has the user enrolled?
    • Does the user have a mobile phone?
  – Personal questions (Challenge questions)
  – One-time pincode for the mobile phone

Page 15

Easy enrollment

• Discovery Service
  – Collects users and groups
  – Works almost like Hardware/Software Inventory solutions (Scanning, Collecting, Storing)

• Enrollment Service
  – Invites users to enroll into FastPass Password Manager
  – Enables high enrollment rate and can also be used to inform/remind about the presence
  – Scheduling of invitations
  – Operates on a time line where the ”offset” time can be a specific time or a time relative to the discovery of a user
  – Invitations can be sent by e-mail or SMS

[Figure: time line from 0 to 35 showing Action 1, Action 2, Action 3, Action 4 and Action 5]

High enrollment percentage is necessary to win the productivity gains!

New NAG screen in V 3.4!

Page 16

Notification

Mail and/or SMS notification to receivers at selected events

• Event examples:
  – A password has been reset
  – A user has tried to enroll
  – A new user has been discovered

• Receivers (examples):
  – The user
  – The user’s manager
  – The administrator
  – The HelpDesk system

Page 17

”Simple Sign-on”: 1 user / 1 password for all systems

Or selective reset per system if required!

Page 18

FastPass Overview

Page 19

Case: G4S Self-service portal

Page 20

And integrated into Self-service portal

Page 21

Self-service portal in Service Management solution

Page 22

Demonstration

Page 23

User Identification and Authentication 2.0

- Challenge / Response questions used by the Service Desk to identify users for other purposes

More Nuggets..

Page 24

Access card self-service pin code retrieval

Page 25

Access card self-service pin code retrieval

Page 26

More Nuggets..

Are you considering end-point encryption?

FastPass introduces self-service for retrieval of BIOS passwords (end-point encrypted devices)

Supported systems: PGP & Checkpoint

Page 27

What’s the value of Password Self-service?

Wrap-up