FastPassCorp 2010.
Page 1
Password Management
Buyer’s Guide
FastPass Password Manager V 3.3
Enterprise & Service Provider Editions
©
Fast
PassCorp 2010
FastPassCorp 2010.
Page 2
Requirements for Password Management – including FastPass
functions and offerings.
This document has been produced by FastPassCorp to assist IT-organizations
considering implementation of a Password Management Solution.
The consideration and decision regarding implementation of Password Management will
normally be driven by the business case. In the business case the benefits will normally
be derived from:
Service Desk costs are reduced
End-user service is improved
Security is enhanced
Processes are standardised and automated
The costs of the Password Management process will depend on:
Implementation time of the solution
Purchase or subscription cost of the Software
Necessary add-on hardware and software
Ongoing operational cost to support the solution
It is important that the requirements of the Password Management System are fully
understood before implementation. To produce these requirements employees from the
following groups should be involved:
End-users
Service Desk
IT Security
ITIL skilled personnel
System Architects
Network administrators
Finance
FastPassCorp and our partners can assist you in formulating the requirements and
building the business case for Password Management with FastPass.
FastPassCorp 2010.
Page 3
The Following high-level requirements are important, and some crucial, for a successful
Password Management implementation:
End-user functionality and handling
The necessary functions for password reset / change and unlock have to be present.
The solution must be intuitive and easy to use for the user.
End-user accessibility The user must be able to access the password application from
anywhere.
Enrolment process Successful enrolment is key for productivity improvement from
password management. The aim should be more than 95% enrolled users.
Administration of users Administration must be powerful and efficient to simplify admin
overhead and keep IT support costs down
Authentication – strong authentication
It is essential that the organization can choose the authentication that meets the security demands. Strong authentication is a layered authentication approach relying on two or more authenticators to verify the identity of an originator or receiver of information.
Notification service Any attempts to misuse the Password Manager to gain access
to another users’ password must generate alerts.
Reporting Administrators and management need reports and action lists
to manage the Password reset process. Standard reports and data transfer to Service Desk tools are necessary.
Help Desk Functionality The Help Desk needs tools to identify end users and see the
status on end-user actions.
Technical In large and/or complex IT-systems it is important that the
Password Management System can fulfil demanding requirements for volume and availability
Software security certification
The Software must be proven to be secure by an independent third party verification authority.
Installation and Implementation
Installation and implementation must be simple and straightforward to secure low start-up costs.
Synchronization to other target systems
FastPassCorp 2010.
Page 4
Detailed list:
ID Requirements FastPass solution
EU End-user functionality and
handling
The user must have simple functions for password reset/change/unlock, and enrolment.
All easy-to-use with no training required.
EU1 User able to reset/unlock AD passwords without assistance from IT Service Desk
Users have a FastPass function available at the point of login – where the problem is!
The user dialogue is straightforward and requires no training or instruction.
EU2 User able to reset/unlock AD without assistance from IT Service Desk across a VPN connection
FastPass will work from different kinds of networks, as well outside the domain as inside
EU3 User able to reset/unlock AD without assistance from IT Service Desk in Citrix environment
There are a number of different solutions in a Citrix environment that will enable the users to reach FastPass.
EU4 User able to reset/unlock Active Directory password without
assistance from IT Service Desk with Outlook Webmail
FastPass can be accessed both inside and outside the LAN. FastPass is accessed through a Browser. You can insert a function key in OWA to access FastPass directly.
EU5 Different means for user authentication including strong authentication
FastPass has a built-in multi-authentication engine. This allows for multi-factor authentication.
FastPassCorp 2010.
Page 5
EU6 User able to enrol without training oreducation
To ensure that all users enroll in the solution, FastPass offers two services, Discovery Services and Enrolment Services.
Discovery Services collects information of users (domains, group memberships etc.)
Enrolment Services invites users to enroll by mail or SMS. The invitation is sent automatically and invites users to enroll into FastPass. Users who are not enrolled within, say, one week will receive a reminder e-mail. The built-in scheduler fully automates the enrolment process.
The process is intuitive for the users. Furthermore there is a clear text helping the user. The administrator can taylormade the text to fit the individual needs.
EU7 Clear, detailed guidance to users advising how to enrol and reset password
On every page a short description of what the user should do helps the user move forward. FastPass is a very intuitive solution that requires no end-user training at all.
EU8 Easy and individual language adaption
The FastPass user interface selects language
depending on the language setting in Internet Explorer. FastPass currently supports eight different languages:
English Spanish French German Dutch Swedish Danish Norwegian
Other languages are added per request.
EU9 Application guidance for user FastPass has a clear and descriptive guidance for all functions. Administrator can however change the text to suit individual organizational needs.
EU10 Meaningful challenge questions FastPass is delivered with a standard set of challenge
questions. The questions can be changed by Security officers and administrators to match the requirements from each organization.
EU11 Look and feel of user interface must
be modifiable to customer’ standard portal look.
The customer can change the look and feel of the end-user GUI to make password reset an integral part of the corporate intranet or self service portal.
AC End-user accessibility The user must be able to access the password
application from his favoured platforms.
AC1 User able to reset password from her own PC, even when the Password to the PC is forgotten.
FastPassCorp 2010.
Page 6
AC2 User able to reset Password from aWEB browser from secured network
FastPass is a browser-based application and has no need for any software on the client. If the company wants to use windows login feature mentioned above then an MSI file needs to be deployed. This could be done via group policy or any software distribution tools available.
AC3 User able to reset Password from a WEB browser from unsecured network (outside)
Administrator can define the authentication process depending on the network. FastPass is a browser application and has a solid gateway architecture that allows for advanced deployments.
AC4 User able to reset password from mobile devices with Internet browsers
FastPass is designed for use with smart phones and has support for Windows Mobile, Blackberry, Symbian and iPhone devices.
AC 5 User able to get the local cached
Domain Password updated, even when the user is not on the LAN
FastPass lets the user reset the password remotely and then FastPass establishes a secure connection to the server and forces an update of the locally cached password
Enrolment process Successful enrolment is key for productivity
improvement from a password management solution.
EN1 Flexible process defined by Administrator
Administrator defines the enrolment processes and ties them with the User-groups. The process defines when invitation will be sent and when and how many
reminders will be sent to the user (and notification to administrators and managers)
EN2 Administrator defined mail invitation Administrator writes the invitation mails including a link to FastPass enrolment pages.
EN3 Automatic mail-reminder process Any number of reminders can be sent to each user with different text and different dates or time intervals. This is a fully automated process.
EN4 Automatic invitation of new users When a new user is activated in AD and discovered by FastPass, the invitation process is invoked
automatically for the user.
EN5 Helpdesk PIN for handling of non-enrolled users
If a user that has not yet enrolled into FastPass calls the Service Desk with a password problem, the Service Desk issues a one-time PIN code, which can be used for verification of the user so that he can enrol. When the user then is enrolled, he can reset his password. In this way he will only call the Service Desk this one time and the process sustained.
EN6 Negative reminders For non-enrolled users a NAG function can be enforced. The NAG function will regularly on the PC prompt the user for FastPass enrolment!
Administration of users Administration of users and handling of user processes
must be simple and intuitive for the administrator
AD1 Efficient insertion of users in Password Manager
Administrator selects AD groups to be registered in FastPass
FastPassCorp 2010.
Page 7
AD3 Automatic deletion of users FastPass Discovery Service will on regular intervalsidentify all deleted/exposed users in the selected AD groups, and delete them from FastPass
AD4 Specific deletion of users by administrator
Administrator can at any point in time delete a user in FastPass
AD5 Administration of user authentication process
Administrators define the desired authentication processes. Each Group is then tied with an authentication profile.
FastPass is delivered with standard authentication profiles to be used straight away.
AD6 Password changes must be subject to profile in AD
Before resetting or changing the password in AD, FastPass controls the user setting in AD and will always respect this setting.
AD7 New passwords must adhere to Password policy in AD
Password rules for length, complexity etc. will be respected by FastPass
AD8 Temporary exclusion of users Administrator can exclude users from FastPass even though his AD-group is included
Authentication – strong authentication
It is essential that the organization can choose the authentication that meets the security demands. Strong Authentication is a layered authentication approach relying on two or more methods of authentication to establish the security layer that is demanded and ensure proper identification of users.
AU1 Number of challenge questions to be defined by administrator
Number of challenge questions for enrolment is set by the Administrator
AU2 2-Factor authentication based on IP-address and Challenge questions
Administrator defines the IP-address range valid for domain-users, and FastPass combines the location with the challenge answers.
AU3 2-Factor authentication with SMS PIN-code and Challenge questions
FastPass can send a PIN Code to the user via SMS, which they must enter before answering the Challenge questions. The User’s Cell number is looked up from AD.
AU4 2-Factor authentication with Help Desk Pin code and Challenge questions
A qualified person at the Service Desk can verify a user’s identity before handing over a PIN. The user must enter the PIN before answering the Challenge questions.
AU5 Authentication process to be decided based on user’ present network (secure or unsecure network)
FastPass allows administrators to define different profiles depending on the user’s network.
AU6 Authentication profile is defined for each user group
FastPassCorp 2010.
Page 8
Notification service Any attempts to misuse the Password Manager to gain
access to other users’ password must generate alerts
N1 Information to user when the user has performed an operation in the Password Manager
FastPass forwards a notification mail when events occur. For instance if a password has been reset has been performed, and email is sent to the user. Another example is when a password reset was attempted
but failed.
Se more in Reporting items
Reporting Administrators and management need reports and
action lists to manage the Passwords. Standard reports and data transfer to Service Desk products are necessary.
R1 All incidents to be transferred to Service Desk tool of the customer’s choice
FastPass can transfer information about password reset/change/unlock as records to Service Desk tools. Import setup to be done by customer.
Records can be forwarded real-time or as batch. Integration with SD-tools meaning that a “create problem” ticket & “close problem” ticket will
automatically be generated. This will get the data into this system automatically and take advantage of the reporting facilities available in the Service Desk system.
R2 Provide daily, monthly, yearly data on number of password resets/unlocks by user
Reporting is provided from the Administration Client.
R3 Log of incidents with full data content to be transferred to standard
reporting tools (like EXCEL)
FastPass can deliver data in XML or CSV format real-time or on defined real-time intervals.
R4 Provide details of real time exception through notification (e.g. multiple failed resets, detection of potential unauthorised access) to ICT professionals (i.e. alerting)
FastPass notification Service offers live notification to registered contacts in the groups: Administrative Contacts, Technical Contacts and Service Desk Manager Contacts and to Users (or their Managers if available in AD). Live notifications can be sent by e-mail or SMS or to third-party alerting or Service Desk tools.
Service Desk Functionality The Service Desk needs tools to identify end-users
and see the status on end-user actions.
S1 Service Desk personnel can unlock end users accounts.
In the web-based HelpDesk client, the Service Desk user can unlock users in either FastPass or AD
S2 View user enrolment data for verification of user identity.
FastPassCorp 2010.
Page 9
the user’s identity – potentially for other purposes than just password resets and account unlocks.
S3 View Audit Report An audit report for the user is available, stating the user’s actions and the systems actions for that user.
S4 Provide information on users synchronization requests
The Service Desk analyst has the ability to see the user’s latest transactions and their status.
S5 Helpdesk PIN for handling of non-enrolled users
If a user, which is not yet enrolled into FastPass, calls the Service Desk with a password problem, the Service Desk issues a one-time PIN code, which can be used for verification of the user so that he can enrol. When the user then is enrolled, he can reset his password. In this way he will only call the Service Desk this one time and the process sustained.
S6 Reset Password The HelpDesk client allows the Service Desk analyst to generate and set the users password directly in
FastPass.
Technical Answers to technical environment and specifications
T1 Solution is Secure LDAP Complaint Yes
T2 Solution is SSL LDAP Complaint Yes
T3 Support for Multiple AD domains Yes
T4 Support for Multi Forrest Yes
T5 Support for Multi Organization Yes
T6 Software requirements for FastPass Server
FastPass back-end resides on
Microsoft Windows Server 2003 (32 bit and 64 bit) Microsoft Windows Server 2008 (32 bit and 64 bit)
T7 Support for client component to reset password, when PC is locked caused by forgotten password
For Windows XP, FastPass has a GINA-extension. This feature is also available for Windows VISTA and Windows 7.
The client component can be deployed through a group policy or by any available SW distribution tools.
T8 Secure communications All communication from clients to server and between server components are SSL and https based.
T9 Very High Data security All user data (challenge questions and answers) are hashed and encrypted by 128bit key.
This can be configured by FastPass admin.
T10 User data only in AD FastPass use data in AD (user-id, name, password, mobile and other) but does not require any changes to AD schema. FastPass does NOT store the user passwords.
All other FastPass data are stored in AD extension (ADAM / ADLDS). No special or additional databases are needed.
T11 Scalability FastPass has been tested for more than 100.000 users.
FastPassCorp 2010.
Page 10
2003/2008 server – virtual or physical.
T13 Fail-over technology available to handle single point of failure of hardware and software
You can configure FastPass to handle single point of failure.
For a maximum availability configuration contact your FastPass partner or FastPassCorp
T 14 Secure and Flexible Server
architecture
In deployment scenarios where there is a requirement to access get access from the DMZ, FastPass has a special thin-client component which is installed on the DMZ server. This feature enables secure deployment of FastPass in any type of environment.
Software security certification The Software must be proven robust from hostile
attacks.
SSC1 PCI-DSS compliancy FastPass has passed the PCI-DSS compliancy test
performed by PCI-DSS approved vendor nsense. A report is available on request.
Installation and Implementation Installation and implementation must be simple and
straightforward to secure low start-up costs.
II1 Lead times to implement the solution for Active Directory password resets
Installation and configuration on Active Directory is less than 1 day.
II2 Installation must be performed easily through installation wizard
FastPass installation - as download or from CD - takes app 30 minutes guided by installation wizards
II3 Hardware required to host the solution
The solution can be implemented either on a domain controller in the existing Windows Server environment. An additional Windows Server could be considered based on the security architecture and design. A standard Server with 2 GHz CPU, 512 MB RAM and 2 GB Disc space is required.
Most Customers today use a Virtual Server.
II4 Smooth integration with AD FastPass does not change or require changes to AD-schema
II5 Easy deployment to Windows Workstations
MSI files for Windows GINA extension and Windows7 is easily deployed via Group Policy
Password reset on other target systems
When users only have one password to remember they will be more satisfied and productive
SY1 Passwords must be synchronized from AD to target system when changed at AD with Password Manager
FastPass has a Synchronization module which is invoked when there are changes to AD passwords. This module decides to which target-system and user-id to send the changed password.
SY2 Passwords must be synchronized from AD to the target system when changed at AD with Standard
FastPassCorp 2010.
Page 11
Microsoft tools. send the changed password.
SY3 Synchronization must handle different user-id’s for the same user on
different systems
FastPass controls synchronization via a table, defining relationships between users on different systems.
SY4 Retries for failing sync to target systems
FastPass retries synchronization according to rules set by administrator
SY5 Reset & synchronization to SAP FastPass has connectors for SAP that can be used for password synchronization or reset on SAP only.
SY6 Reset & synchronization to AS400 FastPass has connectors for AS400 that can be used for password synchronization or reset on AS400 only.
SY7 Reset & synchronization to SQL FastPass has connectors for SQL that can be used for password synchronization or reset on SQL only.
SY8 Reset & synchronization to Oracle FastPass has connectors for Oracle that can be used for password synchronization or reset on Oracle only.
SY9 Reset & synchronization to customer specific systems & applications
FastPass has a Generic connector that allows customers or FastPass partners to develop custom connectors. The Generic connector is delivered with documentation and sample code and can be used to include almost any target system that is required.
SY10 Password Filtering for Password
alignment when target systems have different password models
FastPass 3.3 allows for Password modification, so the AD password can comply with the specifications of the Target system.
SY11 Individual Password reset and
change per Password System
FastPass 3.3 has a feature that allows for individual password reset on the different target systems that is part of the solution.
Ex.: Once the user is authenticated by FastPass the user can decide if a password reset should affect only AD, only SAP or both AD & SAP.
Password reset for end-point encryption
When users has software for endpoint encryption there is a need to also reset passwords on the endpoint encryption solution.
CR1 User Self-service for endpoint encryption protected devices.