WHITE PAPER by Don Jones Quest Software, Inc. How Password Lifecycle Management Can Save Money and Improve Security


© 2010 Quest Software, Inc.

ALL RIGHTS RESERVED.

This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose without the written permission of Quest Software, Inc. ("Quest").

The information in this document is provided in connection with Quest products. No license, express or implied, by estoppel or otherwise, to any intellectual property right is granted by this document or in connection with the sale of Quest products. EXCEPT AS SET FORTH IN QUEST'S TERMS AND CONDITIONS AS SPECIFIED IN THE LICENSE AGREEMENT FOR THIS PRODUCT, QUEST ASSUMES NO LIABILITY WHATSOEVER AND DISCLAIMS ANY EXPRESS, IMPLIED OR STATUTORY WARRANTY RELATING TO ITS PRODUCTS INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. IN NO EVENT SHALL QUEST BE LIABLE FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, PUNITIVE, SPECIAL OR INCIDENTAL DAMAGES (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF PROFITS, BUSINESS INTERRUPTION OR LOSS OF INFORMATION) ARISING OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT, EVEN IF QUEST HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Quest makes no representations or warranties with respect to the accuracy or completeness of the contents of this document and reserves the right to make changes to specifications and product descriptions at any time without notice. Quest does not make any commitment to update the information contained in this document.

If you have any questions regarding your potential use of this material, contact:

Quest Software World Headquarters

LEGAL Dept

5 Polaris Way

Aliso Viejo, CA 92656

www.quest.com

E-mail: [email protected]

Refer to our Web site for regional and international office information.

Trademarks

Quest, Quest Software, the Quest Software logo, AccessManager, ActiveRoles, Aelita, Akonix, AppAssure, Benchmark Factory, Big Brother, BridgeAccess, BridgeAutoEscalate, BridgeSearch, BridgeTrak, BusinessInsight, ChangeAuditor, ChangeManager, Defender, DeployDirector, Desktop Authority, DirectoryAnalyzer, DirectoryTroubleshooter, DS Analyzer, DS Expert, Foglight, GPOADmin, Help Desk Authority, Imceda, IntelliProfile, InTrust, Invirtus, iToken, I/Watch, JClass, Jint, JProbe, LeccoTech, LiteSpeed, LiveReorg, LogADmin, MessageStats, Monosphere, MultSess, NBSpool, NetBase, NetControl, Npulse, NetPro, PassGo, PerformaSure, Point,Click,Done!, PowerGUI, Quest Central, Quest vToolkit, Quest vWorkSpace, ReportADmin, RestoreADmin, ScriptLogic, Security Lifecycle Map, SelfServiceADmin, SharePlex, Sitraka, SmartAlarm, Spotlight, SQL Navigator, SQL Watch, SQLab, Stat, StealthCollect, Storage Horizon, Tag and Follow, Toad, T.O.A.D., Toad World, vAutomator, vControl, vConverter, vFoglight, vOptimizer, vRanger, Vintela, Virtual DBA, VizionCore, Vizioncore vAutomation Suite, Vizioncore vBackup, Vizioncore vEssentials, Vizioncore vMigrator, Vizioncore vReplicator, WebDefender, Webthority, Xaffire, and XRT are trademarks and registered trademarks of Quest Software, Inc in the United States of America and other countries. Other trademarks and registered trademarks used in this guide are property of their respective owners.

Updated – February 2010


Contents

Abstract

Introduction

Benefits of Effective Password Lifecycle Management

How Much Can You Save?

Choosing the Right Tools

The Best Password Management Model

Features

Savings

Side Benefit: Better Security, Happier Users

Password Manager: Self-Service Password Resets

Password Synchronization Across Systems

Identity Consolidation

The Bottom Line

Conclusion

About the Author


Abstract

While stronger forms of authentication have been readily available for many years, passwords remain the most common form of network authentication. Passwords are easy, require little training, and present few technical challenges. However, passwords are also the least secure form of authentication, and can present one of the most expensive support burdens in an IT environment. This white paper explains how much ineffective password management costs organizations, and how much they can save by implementing effective password solutions like Quest Password Manager and ActiveRoles Quick Connect and technology strategies to actually reduce the number of passwords that must be managed.


Introduction

Passwords are the most common form of network authentication. Like most elements of a technology infrastructure, passwords have a lifecycle: they are created, and typically last for 60 to 90 days before they must be changed. In order to make passwords as effective and secure as possible, most organizations implement policies that control how passwords are formatted; common policies include requiring a mix of characters (letters, numbers, and symbols), requiring a minimum password length (eight characters is a common requirement), and so forth.

The goal of password lifecycle management is to administer this lifecycle more effectively. Users may forget their passwords, or mistype them enough times to lock themselves out, especially when they have multiple passwords on different systems. Therefore, users sometimes write down their passwords, introducing security risks. A well-designed password lifecycle management solution reduces costs and risks by:

Making it easier for administrators—or ideally, the end users—to reset passwords and unlock user accounts

Making it easier for organizations to implement strong password policies


Benefits of Effective Password Lifecycle Management

Numerous analysts have examined "best-in-class" companies to determine the benefits of effective user provisioning and password management strategies. The goal of password management is to minimize downtime and maintain user productivity, since users are completely non-productive until password-change requests are complete. The best companies provision new employees and handle 92 percent of their password change requests within four hours. In fact, some 81 percent of the best companies handle password change requests in under an hour. Less than half of the companies falling within the industry norm achieve this level of performance; about a quarter of these organizations require more than four hours to service a password change request. The result: one-fifth lower user productivity.

Clearly, effective password management can improve productivity—but what does it cost? The best companies achieve better productivity by using intuitive and highly integrated password management tools. These tools are obviously not free, so there’s a concern that the costs might outweigh any benefit. After all, we’re talking about passwords here—how much money can really be saved?

How Much Can You Save?

Passwords are often seen as a "free" form of authentication, because unlike smart cards, security tokens, or biometrics, they don’t require any add-on hardware or software. But are there hidden costs?

Fortunately, calculating the cost of passwords is pretty straightforward. The main cost is maintenance: When users forget their passwords, they typically have to call a help desk and request a password reset. That takes time for both the users and the help desk, and while the requests are being processed, the users cannot be productive.

The table below is designed to help calculate the cost of passwords, and provides sample values drawn from industry standards. For an online version that allows you to fill in your own values, visit http://www.quest.com/common/registration.aspx?requestdefid=19850.

| Factor | Average Value | Your Value |
|---|---|---|
| Number of users | 1,000 | |
| Average salary of help desk technician | $55,000 | |
| Average fully-burdened salary of help desk technician | $63,250 | |
| Average salary of typical employee | $50,000 | |
| Average fully-burdened salary of typical employee | $57,500 | |
| Number of work hours per year | 2,080 | |
| Average fully-burdened hourly salary of help desk technician | $30 | |
| Average fully-burdened hourly salary of typical employee | $28 | |
| Average number of password resets or account unlocks per user, per year | 2.5 | |
| Total number of passwords used by each user | 4 | |
| Cost of help desk support per password reset or account unlock | $20 | |


Based on the industry numbers, a 1,000-user company will process 2,500 password reset or account unlock requests per year, at a cost of $20 each, for a total cost of $50,000. That’s about the cost of a single full-time help desk technician! In a company of 5,000 users, the cost is a staggering $250,000. Without a doubt, this presents an opportunity to save money.

Here’s another way to look at it: most help desk call centers spend about a third of their time handling password resets and account unlocks. If you could eliminate a third of your help desk’s call volume, how much money would you save?

Choosing the Right Tools

A well-designed password lifecycle management solution helps by:

1. Enabling users to quickly handle their own password reset and account unlock incidents, without help desk intervention

2. Synchronizing passwords across systems

3. Reducing the total number of passwords that users have to manage

The objective is to reduce the number of incidents that cause downtime, and then the actual downtime attributed to the remaining incidents.

The Best Password Management Model

The Internet provides the perfect model for self-service password management: user-selected security questions, each with answers that come from users’ own personal knowledge of themselves. The traditional "mother’s maiden name" is a good example, but users might also select other questions to answer:

In what city were you born?

What is your spouse’s middle name?

What street did you grow up on?

A good password management system will allow the organization to determine which questions are available, as well as the number users must answer correctly in order to be positively identified. This flexibility makes the solution suitable for a wide variety of environments. Security can be enhanced even further by requiring strong authentication for self-service password reset functionality.
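One way to implement the configurable check described above, as an added example (not code from the white paper or from any Quest product). The question IDs, the two-of-three threshold, the PBKDF2 work factor and the lockout after repeated failures are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy values: the organization picks the question set and threshold.
ALLOWED_QUESTIONS = {
    "birth_city": "In what city were you born?",
    "spouse_middle_name": "What is your spouse's middle name?",
    "childhood_street": "What street did you grow up on?",
}
REQUIRED_CORRECT = 2      # answers that must match to identify the user
MAX_FAILED_ATTEMPTS = 3   # assumed lockout limit (not stated on the page)
PBKDF2_ROUNDS = 100_000   # assumed work factor


def normalize(answer):
    """Fold case, Unicode form and spacing so typing differences do not matter."""
    folded = unicodedata.normalize("NFKC", answer).casefold()
    return " ".join(folded.split())


def hash_answer(answer, salt):
    """Answers are stored like passwords: salted and slow-hashed, never in clear."""
    data = normalize(answer).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS)


class SelfServiceVerifier:
    def __init__(self, required_correct=REQUIRED_CORRECT,
                 max_failures=MAX_FAILED_ATTEMPTS):
        self.required_correct = required_correct
        self.max_failures = max_failures
        self._enrolled = {}   # user -> {question_id: (salt, digest)}
        self._failures = {}   # user -> consecutive failed attempts

    def enroll(self, user, answers):
        unknown = set(answers) - set(ALLOWED_QUESTIONS)
        if unknown:
            raise ValueError(f"questions not approved: {sorted(unknown)}")
        if len(answers) < self.required_correct:
            raise ValueError("too few answers to ever meet the threshold")
        record = {}
        for qid, answer in answers.items():
            if not normalize(answer):
                raise ValueError(f"empty answer for {qid}")
            salt = os.urandom(16)
            record[qid] = (salt, hash_answer(answer, salt))
        self._enrolled[user] = record
        self._failures[user] = 0

    def is_locked(self, user):
        return self._failures.get(user, 0) >= self.max_failures

    def verify(self, user, answers):
        """Return True only if enough answers match and the user is not locked."""
        record = self._enrolled.get(user)
        if record is None or self.is_locked(user):
            return False
        correct = 0
        # Check every enrolled question (no early exit) with a constant-time
        # comparison, so timing does not reveal which answer was wrong.
        for qid, (salt, stored) in record.items():
            supplied = hash_answer(answers.get(qid, ""), salt)
            if hmac.compare_digest(supplied, stored):
                correct += 1
        if correct >= self.required_correct:
            self._failures[user] = 0
            return True
        self._failures[user] += 1
        return False


if __name__ == "__main__":
    v = SelfServiceVerifier()
    # Constructed sample enrollment.
    v.enroll("alice", {"birth_city": "St. Louis",
                       "spouse_middle_name": "Anne",
                       "childhood_street": "Elm Street"})
    print(v.verify("alice", {"birth_city": "st. louis",
                             "childhood_street": "ELM street"}))
```
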

A more extensive solution will also provide password synchronization to applications and mainframes. This "same sign-on" scenario automatically changes all passwords to match the one used in Active Directory.

In many cases, organizations can actually eliminate a high number of non-Windows passwords by enabling systems, applications, and platforms to participate as "full citizens" in Active Directory, delivering true Active Directory-based single sign-on. Technologies exist that can extend this type of single sign-on to non-Windows systems, including Solaris, System z, AIX, OpenVMS, Linux, HP-UX, Java, Mac OS X, SAP, Siebel, and a number of standards-based applications. This eliminates multiple passwords entirely in many cases, enabling users to maintain a single, consistent password across all of these systems.

Features

Achieving effective password management requires a strong and well-designed feature set:

Secure, self-service password reset and account unlock. This technology is ubiquitous on the Internet. Most online banking sites, for example, require you to provide answers to selected "security questions" when you enroll; by later providing correct answers to those questions, the site can identify you and reset your password if you forget it.

Enforce strong password policies. A self-service, intuitive user interface can help users choose easier-to-remember (but hard-to-guess) passwords. This means users experience less frustration and productivity loss and you spend less time on password management. These solutions can also augment native password capabilities to force users to select passwords that meet security requirements.

Synchronize disparate passwords. A good password reset solution will also synchronize passwords to multiple systems or directories. This means that when users reset or change their passwords, that change goes into effect on all synchronized systems.

Eliminate passwords altogether. Of course no amount of automation or security can deliver the same economic, security, and efficiency benefits of eliminating multiple passwords altogether. For this reason, the ideal solution is to remove the need for passwords entirely—consolidating around a pre-determined ideal.

Savings

A well-designed password management solution can reduce the number of password reset and account unlock incidents by about 75 percent—just 625 incidents per year instead of 2,500 per 1,000 users. That reduction comes largely from reducing the number of passwords users have to remember from four to one. And 100 percent of the remaining 625 incidents can be handled through end user self-service, in about three minutes. Each incident will cost about $1.40 in user productivity, for an annual cost of about $864—more than $49,000 in savings.

Side Benefit: Better Security, Happier Users

Users hate waiting on the phone to talk to the help desk, and that is the biggest reason that passwords are often of poor quality, easily guessed, and generally less secure than they could be. Here’s the typical end-user reasoning:

I don’t like calling the help desk.

If I have a hard password, I’ll forget it and have to call the help desk.

I’ll make an easy password.

The system won’t accept an easy password.

I’ll make a harder password, but I’ll write it down or try to game the system into accepting a complex-looking, but easier-to-remember, password.

Self-service password management systems eliminate this problem because users know they won’t ever have to call the help desk. They are more comfortable selecting more complex passwords, and don’t feel the need to write them down. By synchronizing passwords and integrating systems with Active Directory, the system also reduces the number of passwords the user needs to remember—again, making users feel more confident and eliminating the need to write down passwords.

A self-service password management solution also helps improve productivity for users who are on a different schedule than your help desk or who call during off-hours. By giving users access to an automated, 24x7x365 password reset and account unlock interface, you let them continue to be productive, rather than be locked out until the help desk opens up in the morning.


Password Manager: Self-Service Password Resets

Quest Password Manager helps eliminate help desk calls for password resets and account unlocks. Instead, users who forget their passwords can use a "forgot my password" button that optionally installs directly into the standard Windows authentication dialog.

Users are then directed to an intuitive interface where they can reset their passwords. Users who are logged on can visit this same interface to manage their security questions, as well as change all of their system passwords from a single screen. New users who are not yet registered with the system can provide a predetermined passcode, which allows them to enroll in the self-service system for use during future incidents.


Password Synchronization Across Systems

Quest also provides the other piece of the puzzle: password synchronization. While this doesn’t actually reduce the total number of passwords that users have, it does reduce the number of passwords they have to manage. When users change their passwords through the simple self-service interface, synchronization technology automatically pushes the new password out to their other systems. By keeping passwords consistent across the enterprise, users have to remember fewer passwords. While this isn’t quite the same as a more robust single sign-on or identity consolidation solution, password synchronization does help significantly lower the costs of password management and simplify access for your users.

Identity Consolidation

To reduce the number of passwords through consolidation, Quest offers Quest Authentication Services, which enables Unix, Linux, Mac, SAP, Siebel, DB2, Oracle databases, and a number of standards-based applications to participate as "full citizens" in Active Directory. Quest Single Sign-on for Java is available for Java applications. These powerful solutions can entirely eliminate the need for redundant, weak and cumbersome passwords on a large number of non-Windows systems by leveraging the Active Directory password to provide seamless access to a high number of non-Windows systems.


The Bottom Line

We have cited $49,000 as the potential one-year savings per 1,000 users for an average company. Quest Password Manager with synchronization would cost that same company a list price of $19,000, with annual maintenance of $3,800 and an installation cost of about $300. The net first-year savings would therefore be about $25,900 for that 1,000-user company; subsequent years’ savings would be about $45,000 per year.

Changing the example to 5,000 users offers almost $230,000 in annual savings. The numbers add up quickly. But you don’t have to rely on this example—insert your own numbers at http://www.quest.com/requests/?RequestDefID=19850 and see what you’ll save.

| Organization Size | Savings Provided | Cost of Quest Solutions | Bottom Line Annual Savings |
|---|---|---|---|
| 1000 users | $49,000 | First year: $23,100; subsequent years: $3,800 | First year: $25,900; subsequent years: $45,000 |
| 5000 users | $230,000 | | |


Conclusion

Nearly all major technology analysts recommend that companies implement a self-service password reset and account unlock solution. In addition, password synchronization is advised for companies whose users will need to maintain more than one password for at least two years, and when a more robust enterprise single sign-on or identity consolidation solution isn’t practical.

Nearly half of the industry’s best companies provide password reset and account unlock services in under an hour, providing them with significant cost savings and productivity improvements. You can move your organization into that group by implementing a self-service password reset and password synchronization system like Quest Password Manager and an identity consolidation solution such as Quest Authentication Services and Single Sign-on for Java. This can move you to the very top margin in terms of performance and productivity, enabling users to reset or unlock passwords entirely on their own, usually in fewer than five minutes.


About the Author

Don Jones is a co-founder of Concentrated Technology (ConcentratedTech.com), a Microsoft Most Valuable Professional Award recipient, and the author of more than 30 books on information technology. His consulting practice specializes in making the connection between technology and business, helping businesses realize more value from their IT investment, and helping IT align more closely to business needs and values. Don has been an IT journalist for more than eight years, and is currently a contributing editor for Microsoft TechNet Magazine. He is also a sought-after speaker at industry conferences and symposia, including Connections conferences, Microsoft TechEd, TechMentor events, and others.


About Quest Software, Inc.

Now more than ever, organizations need to work smart and improve efficiency. Quest Software creates and supports smart systems management products—helping our customers solve everyday IT challenges faster and easier. Visit www.quest.com for more information.

Contacting Quest Software

PHONE 800.306.9329 (United States and Canada)

If you are located outside North America, you can find your local office information on our Web site.

E-MAIL [email protected]

MAIL Quest Software, Inc.

World Headquarters

5 Polaris Way

Aliso Viejo, CA 92656

USA

WEB SITE www.quest.com

Contacting Quest Support

Quest Support is available to customers who have a trial version of a Quest product or who have purchased a commercial version and have a valid maintenance contract.

Quest Support provides around-the-clock coverage with SupportLink, our Web self-service.

Visit SupportLink at https://support.quest.com.

SupportLink gives users of Quest Software products the ability to:

• Search Quest’s online Knowledgebase

• Download the latest releases, documentation, and patches for Quest products

• Log support cases

• Manage existing support cases

View the Global Support Guide for a detailed explanation of support programs, online services, contact information, and policies and procedures.

© 2009 Quest Software, Inc. ALL RIGHTS RESERVED.

Quest Software is a registered trademark of Quest Software, Inc. in the U.S.A. and/or other countries. All other trademarks and registered trademarks are property of their respective owners. WPW-PWLifecycle-Jones-US-MJ-20091214