We've been tweeting, tweeing and twalking on Twitter (feel free to follow us) and it's been an interesting ride. Thanks to a tweet by Nishant Kaushik, my former illustrious colleague (still illustrious), I had the privilege of reading a recently released Oracle whitepaper about an Oracle Identity Manager implementation at Agilent.
The whitepaper talks about decreasing the cost of access requests and quarterly audits as the primary business driver behind the implementation. The other usual drivers, improved security and better compliance, are either further down the list or not on it at all. While the emphasis on cost as a business driver is hardly new (it's still capitalism folks, regardless of what Obama says), what's interesting about Agilent versus a typical identity management implementation is the explicit statement of what was NOT a business driver for them. Bob Horowitz from Agilent made a presentation to the Silicon Valley chapter of ISSA in May 2008 and one of our staff was in attendance. Bob's presentation made a lasting impact because of one "simple" item: the desacralization (yes, that's a word) of password resets.
To quote the presentation, "Password Management and Single Sign On don't rise to the top of Agilent's priority list. Password resets are not a significant Helpdesk issue. Yes, users have too many passwords. But security issues can be solved by recommending a tool to manage multiple passwords safely". WOW! The sacred cow, the holy grail, the justification of all justifications, the cost of calling the helpdesk to reset passwords, is NOT a significant business driver because...the real issue is educating users and giving them a few tools. Why, they must be drinking some special water over there in Santa Clara (Hawaii Deep Marine's Kona Nigari seawater mineral concentrate, $33.50 per 2oz) and I'd like to buy them another case because I absolutely agree.
How would someone manage multiple passwords safely without attempting an all-encompassing single sign-on solution? According to one of Bruce Schneier's more controversial posts, choosing a strong (complex) password, writing it down on a small piece of paper and then keeping that piece of paper in your wallet is the way to go. Personally I prefer Bruce's other contribution to the challenge of managing multiple passwords: the Open Source (and free as in beer) product PasswordSafe. PasswordSafe or KeePass are the tools everyone at Identigral is asked to use when dealing with passwords at a customer site.
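To make concrete what a tool like PasswordSafe or KeePass actually does for you, here is an added illustration, written for this page and not code from the post, from PasswordSafe or from KeePass (and not their file formats either): one master passphrase is stretched with PBKDF2 into keys that encrypt and authenticate a vault of unique, randomly generated per-site passwords. The construction is an assumption of this example: PBKDF2-HMAC-SHA256 for key derivation, HMAC-SHA256 in counter mode as the keystream (a stand-in for AES, which the Python standard library does not ship), and encrypt-then-MAC so a wrong passphrase or a flipped byte is rejected before anything is decrypted. Real deployments should use AES-GCM from a vetted library rather than the HMAC keystream shown here.

```python
"""
Toy password vault: one master passphrase protects many random per-site
passwords. Illustrative code for this page; not PasswordSafe/KeePass code.

Assumed design (not from the original post):
  * master passphrase -> PBKDF2-HMAC-SHA256 -> 64 bytes of key material,
    split into an encryption key and a separate MAC key
  * vault body = JSON, XORed with a keystream of HMAC-SHA256(key, nonce||ctr)
    blocks (CTR mode over a PRF; stand-in for AES, use AES-GCM in production)
  * encrypt-then-MAC over salt || nonce || ciphertext, checked in constant
    time before decryption
"""
from __future__ import annotations

import hashlib
import hmac
import json
import secrets
import string

PBKDF2_ITERATIONS = 600_000  # work factor for PBKDF2-HMAC-SHA256
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length: int = 20) -> str:
    """Random per-site password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master passphrase into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC-SHA256(key, nonce || counter) blocks."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def seal(master: str, entries: dict[str, str]) -> bytes:
    """Encrypt and authenticate a {site: password} mapping under the master passphrase."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    body = salt + nonce + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def open_vault(master: str, blob: bytes) -> dict[str, str]:
    """Verify the tag first, then decrypt. Raises ValueError on a wrong passphrase or tampering."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("vault too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    salt, nonce = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong passphrase or corrupted vault")
    plaintext = _keystream_xor(enc_key, nonce, body[SALT_LEN + NONCE_LEN:])
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample: three sites, each with its own random password.
    vault = {site: generate_password() for site in ("hr.example", "erp.example", "mail.example")}
    blob = seal("correct horse battery staple", vault)
    assert open_vault("correct horse battery staple", blob) == vault
    print(f"{len(vault)} unique passwords sealed in {len(blob)} bytes")
```

The point the post is making lives in the first function: because the tool remembers the passwords, each site can get a 20-character random one that the user never has to memorise, and the one secret that does have to be memorised (the master passphrase) is stretched with a slow KDF so that an attacker who steals the vault file still has to pay for every guess.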
Open Source tools duly noted, they're not for all organizations. Another alternative is the class of products that falls under the Enterprise Single Sign-On (ESSO) umbrella. The word "Enterprise" does not refer to the breadth or expense of the implementation. It's a marketing label to differentiate these capabilities from other classes of single sign-on products such as web SSO (often abbreviated to simply SSO since everything is on the web, right?) and federated SSO (often referred to as federation because it sounds sexier). In Enterprise SSO, the applications that can participate in the single sign-on scheme include desktop (client-server, thick, standalone) apps and mainframe apps with green screens as well as traditional web apps.
ESSO's advantage in implementation cost compared with other single sign-on technologies is that participating applications require no changes. ESSO is a client-side technology that has a footprint on the user's desktop: an agent recognizes each application's login screen and supplies the stored credentials on the user's behalf. The flip side is that the agent holds and replays every application's credentials, so the desktop and its credential store become part of the security boundary and need to be protected accordingly. You can still have administrative policies and overrides as well as many other bells and whistles, so it's far from being something that cannot be controlled once released into the wild. Administrator-managed deployment to the desktop is a long-solved problem, addressed by Microsoft and countless 3rd parties. If you'd like to find out more about the magic of ESSO, you can watch the webinar by our ESSO partner Passlogix or come to a joint Identigral/Passlogix webinar in May (contact us for registration).
...and last but not least, if you want to solve that darn password reset issue, Passlogix has you covered at less than $10/user. Mention this blog and promo code "IDENTIGRALROCKS" and receive a WHOPPING discount. WHOPPING!
Bonus: Secret Q&A
Double Bonus for our readers outside US: What's in Your Wallet?
What's in your wallet?
by Deborah Volk on April 6th, 2009
Posted in Oracle Identity Manager, Identity Management, Business Perspective, Enterprise Single Sign-On, Passlogix v-GO Tagged with oim, agilent, business case, passwords