Getting Unstuck from the Password-on-a-Stickie Method

IBM's Tivoli Access Manager automatically manages numerous user names and passwords beneath the user's radar.

Rohm and Haas makes things stick. The glue that holds the first sheet of tissue paper to the roll, the stuff that keeps your candy bar wrapper snug on your chocolate, the chemicals in paint that keep it stuck to the wall.

There are good sticky things, and then there are the stickies stuck onto PC monitors with passwords jotted down.

The 17,000 employees at the specialty chemicals company—a company whose IT department is a firm believer in off-the-shelf software—until recently were laboring under the task of maintaining between 12 and 15 separate user names and passwords to access systems needed to do their jobs. The help desk, for its part, were handling 14,000 password-related calls per year.

To fix the problem, Rohm and Haas turned to IBMs Tivoli Access Manager for Enterprise Single Sign-on a few months back. At this point, Rohm and Haas has pushed the application out to 700 desktops, with plans to push it out to the rest of employees in the works.

Tivoli Access Manager automatically manages numerous user names and passwords beneath the users radar. Whenever a user is prompted for user ID and password, the application intercepts the request, automatically entering the information. It does so by relying on a central LDAP directory that also stores passwords in conjunction with a local "vault" of passwords.

Scott Megill, enterprise architect and program manager, said that the problem had been that the company was reaching a tipping point between the security imparted by passwords and the insecurity caused by insecure means of securing them—i.e., stickies on monitors.

"Passwords are supposed to secure data. But employees who have to juggle too many passwords resort to insecure ways to manage them," he said.

The companys reliance on off-the-shelf software had caused this situation, Megill said, given each applications distinct needs for authentication.

"Were not a heavy custom-application building kind of business," he said. "Therein comes the horrible problem of different authentication schemes, outside our network, where each requires a new user name and password.

"Weve had the dilemma over years of whether thats increasing or decreasing security, because people write them down or keep them in an Exchange file," he said. "I could walk through the office and [see a gallery of] Post-It notes with passwords."

When the company first started to look into an ID management solution about a year ago, Megill said he and his team looked at a "host of technologies."

/zimages/3/28571.gifClick here to read more about IBM software that aims to prevent online identity theft.

One solution the team seriously considered was federated services. Such a setup means that users can go out to a federated vendor—say, to Vanguards site, where employees 401(k) plans are administered, to check their plan allocations. When coming in through Rohm and Haas network, employees could get to their plans without the need for authentication.

But to go down that path, Megill said, meant that Rohm and Haas would have had to create trusted relationships between itself and all of its vendors. At this stage, that is a pricey scenario.

"It got more and more expensive, dealing with the other IT departments, contract and legal departments at other companies. [Federated services] just arent fully baked yet."

Instead, Megills team looked at the Tivoli software, which entails a client-side application with a server-side component. It has a small footprint—under a megabyte, Megill said. As such, Rohm and Haas could push it out using a standard desktop update process.

Now, the Tivoli application simply stores passwords for users, rather than going through the complex process of creating trusted relationships.

"If you go to a Web site and it brings up a prompt box for a user name and password, it watches for those, it looks in the password vault, and it puts it in for the user automatically," Megill said. "Its almost instantaneous for users."

There is a one-time enrollment required for each applications authentication data.

Initially, Rohm and Haas didnt want to take on the responsibility or liability for storing user passwords for, say, a users personal bank account, Megill said.

So the company restricted the number of sites that the application could be used for. Megill said that the company started with 40 essential sites, but another 40 popped up, with focused department applications in use, for example, or alternate application versions being used in another company in global corporation.

Megill said that after having it running for a few months, IT is receiving a "flood" of requests to get the application running for other sites and other locations. "Well offer it up for everything everybody wants to use it for, and then another will come up, and well white-list it," he said. That means that IT gets to sign off on all applications for whose passwords theyre liable and responsible, he said.

When his team had been looking at federated services, his team had ballparked $50,000 per federated partnership. As more partners who were familiar with federated services signed on, Rohm and Haas quickly learned that theyd be paying something closer to $150,000 per relationship—for a total of some 22 to 25 relationships.

"That was starting to sound pretty expensive to us," Megill said.

The cost of the IBM solution was $254,000 for 17,000 users, he said—a substantial savings for a much less complex solution. For that price, Rohm and Haas purchase a few different modules besides single sign-on.

One module is a kiosk adapter thats capable of enforcing time-outs for shared machines, such as training PCs or PCs on shop floors. This is allowing the company to cut off credentials on sites that havent been secured in the past, Megill said.

Another module, for account provisioning, allows Rohm and Haas to push passwords out, so that the help desk can reset passwords or set passwords for new employees.

Rohm and Haas also purchased a user self-service password reset module. This comes in handy when, upon logging into Windows with Control-Alt-Delete, a user forgets the system password.

The module presents a link at the top of the page that offers help with forgotten Windows passwords, asks a number of personal, predefined questions (such as mothers maiden name), and delivers the password if the user answers correctly.

The upshot? "The IBM single sign-on software is so simple and easy to use that it takes the burden of password management off our employees, improving our security while also saving the company time and money," Megill said in a statement.

/zimages/3/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.