: Whirlpool Cleans Up With Single Sign-On"> When, last year, users began logging on to an average of six or seven applications eachentering different password and user name combinations each timecalls to Whirlpools outsourced call center for password resets began skyrocketing. Those calls cost the company millions of dollars annually. To regain control, Haney developed a strategy last year built around a combined reduced-sign-on/single-sign-on approach. Haney decided that all Web-enabled applications and applications with LDAP support would be tied to IBMs Tivoli Access Manager.Whirlpool is expanding use of single sign-on, migrating SAPs R/3 and MySAP Enterprise Portal modules as well as Siebel Call Center from Siebel Systems Inc. to Access Manager. Once the migration, which will happen during the course of this year, is completed, users will be able to log in to the portal via a Web browser. One user name and password will give users access to any enterprise applications that authenticate to the LDAP server. Those applications include IBMs Lotus Software divisions Notes e-mail, WebSphere Portal applications, the WebSphere portal itself, SAP portals and Siebel Call Center. Each session is secured via HTTP over Secure Sockets Layer. Currently, employees working remotely use VPNs (virtual private networks) to access company applications such as e-mail. Once Access Manager is fully deployed, Haney said, hell migrate from VPN technology by using a combination of reverse proxy servers and Access Manager components, which will control and monitor security. Employees will be able to use any Web browser to securely log on to a Whirlpool portal with a user name and password combination to gain access to enterprise applications. Haney is also deploying the IBM Tivoli Identity Manager to handle password provisioning and password resets. Identity Manager will allow Whirlpool to use the same naming convention for all user names and to synchronize passwords across all applications. This capability will allow users to use one set of passwords and user names, even when accessing Whirlpools mainframe-based legacy applications. Because those applications dont authenticate to his LDAP directoryand because Haney was reluctant to redesign them to support LDAPhe chose not to include applications that are not Web-enabled in his single-sign-on strategy. End users will continue to sign on to each legacy application separately. They will, however, be able to access legacy applications using the same user name and password combination used to log on to Web-based systems. The password synchronization capability is already up and running in North America and is expected to be available to Whirlpools European users by summer. While reducing the number of password resets is his top priority, Haney also plans to tie the identity management system to Whirlpools human resources applications. Once that is accomplished, user accounts will be automatically provisioned when a new employee starts working at any of Whirlpools 300 offices worldwide. Just as important, employees will be deleted when they leave the company. Not that single sign-on is a security cure-all. In fact, as Haney acknowledges, single-sign-on systems could increase vulnerability by providing hackers with a single point of access to password information. But Haney said he does not feel single sign-on puts his enterprise applications at a significantly increased risk for security breaches. A full-blown security and privacy program at Whirlpool, as well as a global security education program, probably help allay Haneys fears. A chief privacy office with a staff of six deals strictly with security policies and with enforcing those policies on a global basis. For example, all passwords are changed every 30 days. And the portal times out all applications once a computer has been idle for a certain amount of time. Still, Haney is savvy enough to know that when it comes to security, there are no silver bullets. "Single sign-on compromises security, but, likewise, having too many passwords compromises security as well," he said. "Theres probably a higher risk of someone walking into our offices and flipping up a keyboard to see if passwords are written underneath it. If someone wants to access our apps, they will, regardless of whether were doing single sign-on or not." Senior Writer Anne Chen can be reached at email@example.com.
Tivoli Access Manager is used to define the policies stored in an IBM SecureWay LDAP Server for application authentication. The policies exist to authenticate Whirlpools employees worldwide as well as all its suppliers, consumers and trading partners. Using the security policy manager, for example, Haney can set different application timeout rules for different users, depending on whether a user is internal or external to Whirlpool.