• No results found

Password Management Buyer s Guide. FastPass Password Manager V 3.3 Enterprise & Service Provider Editions

N/A
N/A
Protected

Academic year: 2021

Share "Password Management Buyer s Guide. FastPass Password Manager V 3.3 Enterprise & Service Provider Editions"

Copied!
11
0
0

Loading.... (view fulltext now)

Full text

(1)

FastPassCorp 2010.

Page 1

Password Management

Buyer’s Guide

FastPass Password Manager V 3.3

Enterprise & Service Provider Editions

©

Fast

PassCorp 2010

(2)

FastPassCorp 2010.

Page 2

Requirements for Password Management – including FastPass

functions and offerings.

This document has been produced by FastPassCorp to assist IT-organizations

considering implementation of a Password Management Solution.

The consideration and decision regarding implementation of Password Management will

normally be driven by the business case. In the business case the benefits will normally

be derived from:

Service Desk costs are reduced

End-user service is improved

Security is enhanced

Processes are standardised and automated

The costs of the Password Management process will depend on:

Implementation time of the solution

Purchase or subscription cost of the Software

Necessary add-on hardware and software

Ongoing operational cost to support the solution

It is important that the requirements of the Password Management System are fully

understood before implementation. To produce these requirements employees from the

following groups should be involved:

End-users

Service Desk

IT Security

ITIL skilled personnel

System Architects

Network administrators

Finance

FastPassCorp and our partners can assist you in formulating the requirements and

building the business case for Password Management with FastPass.

(3)

FastPassCorp 2010.

Page 3

The Following high-level requirements are important, and some crucial, for a successful

Password Management implementation:

End-user functionality and handling

The necessary functions for password reset / change and unlock have to be present.

The solution must be intuitive and easy to use for the user.

End-user accessibility The user must be able to access the password application from

anywhere.

Enrolment process Successful enrolment is key for productivity improvement from

password management. The aim should be more than 95% enrolled users.

Administration of users Administration must be powerful and efficient to simplify admin

overhead and keep IT support costs down

Authentication – strong authentication

It is essential that the organization can choose the authentication that meets the security demands. Strong authentication is a layered authentication approach relying on two or more authenticators to verify the identity of an originator or receiver of information.

Notification service Any attempts to misuse the Password Manager to gain access

to another users’ password must generate alerts.

Reporting Administrators and management need reports and action lists

to manage the Password reset process. Standard reports and data transfer to Service Desk tools are necessary.

Help Desk Functionality The Help Desk needs tools to identify end users and see the

status on end-user actions.

Technical In large and/or complex IT-systems it is important that the

Password Management System can fulfil demanding requirements for volume and availability

Software security certification

The Software must be proven to be secure by an independent third party verification authority.

Installation and Implementation

Installation and implementation must be simple and straightforward to secure low start-up costs.

Synchronization to other target systems

(4)

FastPassCorp 2010.

Page 4

Detailed list:

ID Requirements FastPass solution

EU End-user functionality and

handling

The user must have simple functions for password reset/change/unlock, and enrolment.

All easy-to-use with no training required.

EU1 User able to reset/unlock AD passwords without assistance from IT Service Desk

Users have a FastPass function available at the point of login – where the problem is!

The user dialogue is straightforward and requires no training or instruction.

EU2 User able to reset/unlock AD without assistance from IT Service Desk across a VPN connection

FastPass will work from different kinds of networks, as well outside the domain as inside

EU3 User able to reset/unlock AD without assistance from IT Service Desk in Citrix environment

There are a number of different solutions in a Citrix environment that will enable the users to reach FastPass.

EU4 User able to reset/unlock Active Directory password without

assistance from IT Service Desk with Outlook Webmail

FastPass can be accessed both inside and outside the LAN. FastPass is accessed through a Browser. You can insert a function key in OWA to access FastPass directly.

EU5 Different means for user authentication including strong authentication

FastPass has a built-in multi-authentication engine. This allows for multi-factor authentication.

(5)

FastPassCorp 2010.

Page 5

EU6 User able to enrol without training or

education

To ensure that all users enroll in the solution, FastPass offers two services, Discovery Services and Enrolment Services.

Discovery Services collects information of users (domains, group memberships etc.)

Enrolment Services invites users to enroll by mail or SMS. The invitation is sent automatically and invites users to enroll into FastPass. Users who are not enrolled within, say, one week will receive a reminder e-mail. The built-in scheduler fully automates the enrolment process.

The process is intuitive for the users. Furthermore there is a clear text helping the user. The administrator can taylormade the text to fit the individual needs.

EU7 Clear, detailed guidance to users advising how to enrol and reset password

On every page a short description of what the user should do helps the user move forward. FastPass is a very intuitive solution that requires no end-user training at all.

EU8 Easy and individual language adaption

The FastPass user interface selects language

depending on the language setting in Internet Explorer. FastPass currently supports eight different languages:

English Spanish French German Dutch Swedish Danish Norwegian

Other languages are added per request.

EU9 Application guidance for user FastPass has a clear and descriptive guidance for all functions. Administrator can however change the text to suit individual organizational needs.

EU10 Meaningful challenge questions FastPass is delivered with a standard set of challenge

questions. The questions can be changed by Security officers and administrators to match the requirements from each organization.

EU11 Look and feel of user interface must

be modifiable to customer’ standard portal look.

The customer can change the look and feel of the end-user GUI to make password reset an integral part of the corporate intranet or self service portal.

AC End-user accessibility The user must be able to access the password

application from his favoured platforms.

AC1 User able to reset password from her own PC, even when the Password to the PC is forgotten.

(6)

FastPassCorp 2010.

Page 6

AC2 User able to reset Password from a

WEB browser from secured network

FastPass is a browser-based application and has no need for any software on the client. If the company wants to use windows login feature mentioned above then an MSI file needs to be deployed. This could be done via group policy or any software distribution tools available.

AC3 User able to reset Password from a WEB browser from unsecured network (outside)

Administrator can define the authentication process depending on the network. FastPass is a browser application and has a solid gateway architecture that allows for advanced deployments.

AC4 User able to reset password from mobile devices with Internet browsers

FastPass is designed for use with smart phones and has support for Windows Mobile, Blackberry, Symbian and iPhone devices.

AC 5 User able to get the local cached

Domain Password updated, even when the user is not on the LAN

FastPass lets the user reset the password remotely and then FastPass establishes a secure connection to the server and forces an update of the locally cached password

Enrolment process Successful enrolment is key for productivity

improvement from a password management solution.

EN1 Flexible process defined by Administrator

Administrator defines the enrolment processes and ties them with the User-groups. The process defines when invitation will be sent and when and how many

reminders will be sent to the user (and notification to administrators and managers)

EN2 Administrator defined mail invitation Administrator writes the invitation mails including a link to FastPass enrolment pages.

EN3 Automatic mail-reminder process Any number of reminders can be sent to each user with different text and different dates or time intervals. This is a fully automated process.

EN4 Automatic invitation of new users When a new user is activated in AD and discovered by FastPass, the invitation process is invoked

automatically for the user.

EN5 Helpdesk PIN for handling of non-enrolled users

If a user that has not yet enrolled into FastPass calls the Service Desk with a password problem, the Service Desk issues a one-time PIN code, which can be used for verification of the user so that he can enrol. When the user then is enrolled, he can reset his password. In this way he will only call the Service Desk this one time and the process sustained.

EN6 Negative reminders For non-enrolled users a NAG function can be enforced. The NAG function will regularly on the PC prompt the user for FastPass enrolment!

Administration of users Administration of users and handling of user processes

must be simple and intuitive for the administrator

AD1 Efficient insertion of users in Password Manager

Administrator selects AD groups to be registered in FastPass

(7)

FastPassCorp 2010.

Page 7

AD3 Automatic deletion of users FastPass Discovery Service will on regular intervals

identify all deleted/exposed users in the selected AD groups, and delete them from FastPass

AD4 Specific deletion of users by administrator

Administrator can at any point in time delete a user in FastPass

AD5 Administration of user authentication process

Administrators define the desired authentication processes. Each Group is then tied with an authentication profile.

FastPass is delivered with standard authentication profiles to be used straight away.

AD6 Password changes must be subject to profile in AD

Before resetting or changing the password in AD, FastPass controls the user setting in AD and will always respect this setting.

AD7 New passwords must adhere to Password policy in AD

Password rules for length, complexity etc. will be respected by FastPass

AD8 Temporary exclusion of users Administrator can exclude users from FastPass even though his AD-group is included

Authentication – strong authentication

It is essential that the organization can choose the authentication that meets the security demands. Strong Authentication is a layered authentication approach relying on two or more methods of authentication to establish the security layer that is demanded and ensure proper identification of users.

AU1 Number of challenge questions to be defined by administrator

Number of challenge questions for enrolment is set by the Administrator

AU2 2-Factor authentication based on IP-address and Challenge questions

Administrator defines the IP-address range valid for domain-users, and FastPass combines the location with the challenge answers.

AU3 2-Factor authentication with SMS PIN-code and Challenge questions

FastPass can send a PIN Code to the user via SMS, which they must enter before answering the Challenge questions. The User’s Cell number is looked up from AD.

AU4 2-Factor authentication with Help Desk Pin code and Challenge questions

A qualified person at the Service Desk can verify a user’s identity before handing over a PIN. The user must enter the PIN before answering the Challenge questions.

AU5 Authentication process to be decided based on user’ present network (secure or unsecure network)

FastPass allows administrators to define different profiles depending on the user’s network.

AU6 Authentication profile is defined for each user group

(8)

FastPassCorp 2010.

Page 8

Notification service Any attempts to misuse the Password Manager to gain

access to other users’ password must generate alerts

N1 Information to user when the user has performed an operation in the Password Manager

FastPass forwards a notification mail when events occur. For instance if a password has been reset has been performed, and email is sent to the user. Another example is when a password reset was attempted

but failed.

Se more in Reporting items

Reporting Administrators and management need reports and

action lists to manage the Passwords. Standard reports and data transfer to Service Desk products are necessary.

R1 All incidents to be transferred to Service Desk tool of the customer’s choice

FastPass can transfer information about password reset/change/unlock as records to Service Desk tools. Import setup to be done by customer.

Records can be forwarded real-time or as batch. Integration with SD-tools meaning that a “create problem” ticket & “close problem” ticket will

automatically be generated. This will get the data into this system automatically and take advantage of the reporting facilities available in the Service Desk system.

R2 Provide daily, monthly, yearly data on number of password resets/unlocks by user

Reporting is provided from the Administration Client.

R3 Log of incidents with full data content to be transferred to standard

reporting tools (like EXCEL)

FastPass can deliver data in XML or CSV format real-time or on defined real-time intervals.

R4 Provide details of real time exception through notification (e.g. multiple failed resets, detection of potential unauthorised access) to ICT professionals (i.e. alerting)

FastPass notification Service offers live notification to registered contacts in the groups: Administrative Contacts, Technical Contacts and Service Desk Manager Contacts and to Users (or their Managers if available in AD). Live notifications can be sent by e-mail or SMS or to third-party alerting or Service Desk tools.

Service Desk Functionality The Service Desk needs tools to identify end-users

and see the status on end-user actions.

S1 Service Desk personnel can unlock end users accounts.

In the web-based HelpDesk client, the Service Desk user can unlock users in either FastPass or AD

S2 View user enrolment data for verification of user identity.

(9)

FastPassCorp 2010.

Page 9

the user’s identity – potentially for other purposes than just password resets and account unlocks.

S3 View Audit Report An audit report for the user is available, stating the user’s actions and the systems actions for that user.

S4 Provide information on users synchronization requests

The Service Desk analyst has the ability to see the user’s latest transactions and their status.

S5 Helpdesk PIN for handling of non-enrolled users

If a user, which is not yet enrolled into FastPass, calls the Service Desk with a password problem, the Service Desk issues a one-time PIN code, which can be used for verification of the user so that he can enrol. When the user then is enrolled, he can reset his password. In this way he will only call the Service Desk this one time and the process sustained.

S6 Reset Password The HelpDesk client allows the Service Desk analyst to generate and set the users password directly in

FastPass.

Technical Answers to technical environment and specifications

T1 Solution is Secure LDAP Complaint Yes

T2 Solution is SSL LDAP Complaint Yes

T3 Support for Multiple AD domains Yes

T4 Support for Multi Forrest Yes

T5 Support for Multi Organization Yes

T6 Software requirements for FastPass Server

FastPass back-end resides on

Microsoft Windows Server 2003 (32 bit and 64 bit) Microsoft Windows Server 2008 (32 bit and 64 bit)

T7 Support for client component to reset password, when PC is locked caused by forgotten password

For Windows XP, FastPass has a GINA-extension. This feature is also available for Windows VISTA and Windows 7.

The client component can be deployed through a group policy or by any available SW distribution tools.

T8 Secure communications All communication from clients to server and between server components are SSL and https based.

T9 Very High Data security All user data (challenge questions and answers) are hashed and encrypted by 128bit key.

This can be configured by FastPass admin.

T10 User data only in AD FastPass use data in AD (user-id, name, password, mobile and other) but does not require any changes to AD schema. FastPass does NOT store the user passwords.

All other FastPass data are stored in AD extension (ADAM / ADLDS). No special or additional databases are needed.

T11 Scalability FastPass has been tested for more than 100.000 users.

(10)

FastPassCorp 2010.

Page 10

2003/2008 server – virtual or physical.

T13 Fail-over technology available to handle single point of failure of hardware and software

You can configure FastPass to handle single point of failure.

For a maximum availability configuration contact your FastPass partner or FastPassCorp

T 14 Secure and Flexible Server

architecture

In deployment scenarios where there is a requirement to access get access from the DMZ, FastPass has a special thin-client component which is installed on the DMZ server. This feature enables secure deployment of FastPass in any type of environment.

Software security certification The Software must be proven robust from hostile

attacks.

SSC1 PCI-DSS compliancy FastPass has passed the PCI-DSS compliancy test

performed by PCI-DSS approved vendor nsense. A report is available on request.

Installation and Implementation Installation and implementation must be simple and

straightforward to secure low start-up costs.

II1 Lead times to implement the solution for Active Directory password resets

Installation and configuration on Active Directory is less than 1 day.

II2 Installation must be performed easily through installation wizard

FastPass installation - as download or from CD - takes app 30 minutes guided by installation wizards

II3 Hardware required to host the solution

The solution can be implemented either on a domain controller in the existing Windows Server environment. An additional Windows Server could be considered based on the security architecture and design. A standard Server with 2 GHz CPU, 512 MB RAM and 2 GB Disc space is required.

Most Customers today use a Virtual Server.

II4 Smooth integration with AD FastPass does not change or require changes to AD-schema

II5 Easy deployment to Windows Workstations

MSI files for Windows GINA extension and Windows7 is easily deployed via Group Policy

Password reset on other target systems

When users only have one password to remember they will be more satisfied and productive

SY1 Passwords must be synchronized from AD to target system when changed at AD with Password Manager

FastPass has a Synchronization module which is invoked when there are changes to AD passwords. This module decides to which target-system and user-id to send the changed password.

SY2 Passwords must be synchronized from AD to the target system when changed at AD with Standard

(11)

FastPassCorp 2010.

Page 11

Microsoft tools. send the changed password.

SY3 Synchronization must handle different user-id’s for the same user on

different systems

FastPass controls synchronization via a table, defining relationships between users on different systems.

SY4 Retries for failing sync to target systems

FastPass retries synchronization according to rules set by administrator

SY5 Reset & synchronization to SAP FastPass has connectors for SAP that can be used for password synchronization or reset on SAP only.

SY6 Reset & synchronization to AS400 FastPass has connectors for AS400 that can be used for password synchronization or reset on AS400 only.

SY7 Reset & synchronization to SQL FastPass has connectors for SQL that can be used for password synchronization or reset on SQL only.

SY8 Reset & synchronization to Oracle FastPass has connectors for Oracle that can be used for password synchronization or reset on Oracle only.

SY9 Reset & synchronization to customer specific systems & applications

FastPass has a Generic connector that allows customers or FastPass partners to develop custom connectors. The Generic connector is delivered with documentation and sample code and can be used to include almost any target system that is required.

SY10 Password Filtering for Password

alignment when target systems have different password models

FastPass 3.3 allows for Password modification, so the AD password can comply with the specifications of the Target system.

SY11 Individual Password reset and

change per Password System

FastPass 3.3 has a feature that allows for individual password reset on the different target systems that is part of the solution.

Ex.: Once the user is authenticated by FastPass the user can decide if a password reset should affect only AD, only SAP or both AD & SAP.

Password reset for end-point encryption

When users has software for endpoint encryption there is a need to also reset passwords on the endpoint encryption solution.

CR1 User Self-service for endpoint encryption protected devices.

References

Related documents

If you have forgotten the answers to your security questions and you don’t know your current password: Contact the IT Service Desk.. If you have forgotten the answers to your

Level 1 involves situations that Help Desk agents can handle directly, such as password resets, Microsoft Office software help, placing hardware service calls or assisting

However, account must be taken of certain states of manifestation which, being formless, are from that very fact supra-individual; if, therefore, we only distinguish between

As indicated in the same table, less resistant stainless grades can be passivated by adding sodium dichromate to the nitric acid bath to make the solution more oxidizing and capable

vCenter Server systems, vMA target 15 VI CLI vifpinit 22 vifs 17 without vi-fastpass 16 vi-admin insecure password 14 privileges 15 setting password 13, 14 vi-fastpass initialization

vCenter Server systems, vMA target 16 VI CLI vifpinit 24 vifs 19 without vi-fastpass 18 vi-admin insecure password 14 privileges 16 setting password 14 vi-fastpass initialization

This service is the focal point of ITIL service management functions, including Request Management, Change Management, Problem Management and Service Asset and

8. On the Specify Server Address page, type the address of the computer running Password Manager Service, which, in this scenario, is the administrator's computer. A warning