Hitachi ID Password Manager Deployment Best Practices
© 2020 Hitachi ID Systems, Inc. All rights reserved.

Contents

1 Introduction
2 System objectives
3 Mission statement
4 Metrics
5 Stake-holders
6 Deployment and support team
7 Features and design
8 User access to the self-service UI
9 Formulating a uniform password policy
  9.1 Strategy
  9.2 Suggested policy rules
  9.3 Where to enforce password policy
10 Equivalent credentials
11 Security questions
  11.1 Security equivalence
  11.2 Memorable questions
  11.3 Other best practices
  11.4 Sample questions
12 Augmenting security questions with a second factor
13 Infrastructure integrations
14 Hitachi ID Password Manager: technical architecture
  14.1 Number and location of servers
  14.2 Configuration of individual servers
  14.3 Development, test and production environments
  14.4 Proxy servers for hard-to-reach target systems
15 Hitachi ID Password Manager: server hardening
  15.1 Overview
  15.2 Physical security
  15.3 Operating system access
  15.4 IIS configuration
  15.5 SQL Server configuration
16 Hitachi ID Password Manager: BYOD access to on-premises credential management
17 Auto-discovery of user profiles and accounts
  17.1 Selecting sources of profiles
  17.2 Mapping login IDs to user profiles
18 User enrollment
19 Maximizing user adoption and ROI
  19.1 Minimize password problems
  19.2 User awareness
  19.3 Incentives for enrollment
  19.4 Automated reminders
  19.5 A call to IT support is not the right time to enroll
  19.6 Charge-backs and manager feedback
  19.7 Reduce SLA for help desk calls
  19.8 Plan for user adoption
20 Ongoing administration and support
  20.1 Functional test
    20.1.1 Password changes
    20.1.2 Enrollment
    20.1.3 Transparent password synchronization
    20.1.4 Help desk logins
    20.1.5 Sending e-mails
    20.1.6 Creating call tracking system ticket
    20.1.7 IVR (phone call) integration
    20.1.8 Mobile access
    20.1.9 Off-site, Windows login screen access
    20.1.10 Filesystem unlock
  20.2 Changes to target system configuration
  20.3 Monitor service health
  20.4 Monitor utilization
21 Summary
1 Introduction

The remainder of this document is organized as follows:

• System objectives – what credential management systems are designed to do.
• Mission statement – how organizations should structure their internal communication about priorities and objectives.
• Metrics – how to measure the impact of the system.
• Stake-holders – who to involve in design, implementation and ongoing support.
• Deployment and support team – who the core individuals are that must build out and support the system, and what their initial and long-term commitment will be.
• Features and design – what processes the system should automate.
• User access to the self-service UI – how to ensure that users can resolve login problems wherever they may be, at any time, on any device and in any state.
• Formulating a uniform password policy – how to develop a set of password rules that work for every system and every user community.
• Equivalent credentials – caution about weak links in security and how to avoid them.
• Security questions – design considerations for enrolling security questions and using them to authenticate users who forgot their password.
• Augmenting security questions with a second factor – how to improve security by front-ending security questions with a stronger, one-time-password credential.
• Infrastructure integrations – what systems the credential management automation should integrate with.
• Hitachi ID Password Manager: technical architecture – the runtime platform and network architecture on which Password Manager is deployed.
• Password Manager: server hardening – how to lock down the OS, database and web servers to protect the system.
• Password Manager: BYOD access to on-premises credential management – how to enable users to access self-service from their phones or tablets, which are typically not attached to the corporate network.
• Auto-discovery of user profiles and accounts – how to minimize care and feeding of the system using auto-discovery.
• User enrollment – inviting users to answer security questions, install smart phone apps, etc.
• Maximizing user adoption and ROI – strategies to get users to enroll and to use the system to resolve login problems.
• Ongoing administration and support – what can be expected in terms of long-term care and feeding of the system.

2 System objectives

A credential management system should deliver three benefits:

• Improved user service: fewer credentials for users to remember and manage, and simpler, quicker and more convenient resolution of login problems.
• Lower IT support cost: fewer help desk calls related to login problems such as forgotten passwords, intruder lockouts or tokens left at home.
• Stronger security: stronger and more consistent enforcement of policies around password composition, change frequency and reuse, as well as more reliable processes to authenticate users who experience a login problem before assisting them.

3 Mission statement

A mission statement documented before the system is deployed is helpful for getting all stake-holders to cooperate. One way to formulate this mission statement is to capture the state of affairs before the system is deployed and the desired end state. Following is an example:

Credential management system objectives

User service / SLA
  Before: Users manage 8 different passwords, on average.
  After:  With password synchronization, users will only have to manage 2 passwords.

  Before: Only some passwords expire, and they do so at different times.
  After:  Users will be prompted to change all passwords at the same time.

  Before: Different systems enforce different password policy rules.
  After:  A uniform password policy will supersede multiple, inconsistent rules.

  Before: Users sometimes forget their pre-boot password.
  After:  Enable self-service filesystem unlock via smart phone app.

  Before: Users sometimes forget their OS login password, in some cases while off-site.
  After:  Enable self-service password reset from the PC login screen, with VPN+WiFi integration to support users working outside the office.

IT support cost
  Before: 30% of total help desk call volume is due to login problems.
  After:  Password synchronization and self-service problem resolution will reduce this call volume by at least 80%.

  Before: 5% of total call volume is due to OTP token problems.
  After:  Offer self-service PIN reset and emergency passcodes via smart-phone app.

  Before: Help desk calls to resolve login problems take 10 minutes to resolve, on average.
  After:  Consolidate caller authentication, technician login, problem resolution and ticket generation behind a single UI, to reduce call duration to 2 minutes.

Security / authentication
  Before: Users have too many passwords and write them down.
  After:  Synchronization will eliminate the main user motivation for writing down passwords.

  Before: Different systems and applications enforce different password policies.
  After:  Implement a uniform policy with a superset of password composition, reuse and change frequency rules.

  Before: Users calling the help desk are not reliably identified.
  After:  Move most incidents to self-service and apply uniform authentication processes in both self-service and assisted-service contexts.

  Before: Not all systems log password changes.
  After:  Record who changed passwords on a central credential management system.

  Before: Too many IT support staff have logins with elevated rights, required to reset
  After:  Support staff will reset passwords through an assisted-service portal, eliminating the need for such