Persuading business executives to spend money on security technologies can be harder than pulling teeth. It can be much less difficult, however, if you are able to show how a new technology can make executives' lives easier and cut costs while improving security.
That's what Whirlpool Corp. Vice President of Architecture and Planning Jim Haney learned last year. Recognizing that harried executives were becoming tired of using and managing as many as 10 passwords each to access enterprise applications, Haney said he could simplify their lives while cutting help desk and administrative costs by deploying a companywide, Web-based, single-sign-on system. Whirlpool executives, not surprisingly, couldn't approve the project fast enough.
The decision to reduce the number of passwords is paying off. Whirlpool recently rolled out identity management products that not only enable 59,000 company employees and 15,000 trading partners to authenticate to enterprise applications with one user name and password combination, but also allow them to reset their passwords via a portal. Those capabilities will save the $11 billion appliance company millions of dollars in help desk calls and dramatically increase end-user productivity, Haney said.
“When executive management leadership in the company complained about all the different sign-ons we had, that was indication No. 1 that something was amiss,” Haney said. “We didn't want our application vendors to dictate security schemes and directories to us. We wanted to consolidate and standardize application authentication and handle security our way.”
An increasing number of enterprises such as Whirlpool are turning to single-sign-on technologies as a cost-effective way to manage user accounts and access rights, experts say. And it's not hard to see why. Gartner Inc., of Stamford, Conn., predicts that a return on investment of nearly 300 percent and savings of $3.5 million can be achieved over three years by a business of 10,000 employees that has implemented an automated identity management system.
And this interest in single sign-on will grow as an increasing number of organizations are forced to respond to privacy and security regulation and as they struggle to authenticate users on more online applications, says Gartner.
Whirlpool's decision to tackle single sign-on, long seen as the Holy Grail by security managers, was born out of necessity. As the corporation began deploying an increasing number of Web-enabled applications—including business-to-business trading portals and SAP AG's MySAP enterprise resource planning portal—IT managers struggled to handle different authentication schemes and an increasing number of passwords.
When, last year, users began logging on to an average of six or seven applications each—entering different password and user name combinations each time—calls to Whirlpool's outsourced call center for password resets began skyrocketing. Those calls cost the company millions of dollars annually.
To regain control, Haney developed a strategy last year built around a combined reduced-sign-on/single-sign-on approach. Haney decided that all Web-enabled applications and applications with LDAP support would be tied to IBM's Tivoli Access Manager.
Tivoli Access Manager is used to define the policies stored in an IBM SecureWay LDAP Server for application authentication. The policies exist to authenticate Whirlpool's employees worldwide as well as all its suppliers, consumers and trading partners. Using the security policy manager, for example, Haney can set different application timeout rules for different users, depending on whether a user is internal or external to Whirlpool.
Whirlpool is expanding use of single sign-on, migrating SAPs R/3 and MySAP Enterprise Portal modules as well as Siebel Call Center from Siebel Systems Inc. to Access Manager.
Once the migration, which will happen during the course of this year, is completed, users will be able to log in to the portal via a Web browser. One user name and password will give users access to any enterprise applications that authenticate to the LDAP server. Those applications include IBM's Lotus Software division's Notes e-mail, WebSphere Portal applications, the WebSphere portal itself, SAP portals and Siebel Call Center. Each session is secured via HTTP over Secure Sockets Layer.
Currently, employees working remotely use VPNs (virtual private networks) to access company applications such as e-mail. Once Access Manager is fully deployed, Haney said, he'll migrate from VPN technology by using a combination of reverse proxy servers and Access Manager components, which will control and monitor security. Employees will be able to use any Web browser to securely log on to a Whirlpool portal with a user name and password combination to gain access to enterprise applications.
Haney is also deploying the IBM Tivoli Identity Manager to handle password provisioning and password resets. Identity Manager will allow Whirlpool to use the same naming convention for all user names and to synchronize passwords across all applications. This capability will allow users to use one set of passwords and user names, even when accessing Whirlpools mainframe-based legacy applications.
Because those applications don't authenticate to his LDAP directory—and because Haney was reluctant to redesign them to support LDAP—he chose not to include applications that are not Web-enabled in his single-sign-on strategy. End users will continue to sign on to each legacy application separately. They will, however, be able to access legacy applications using the same user name and password combination used to log on to Web-based systems. The password synchronization capability is already up and running in North America and is expected to be available to Whirlpool's European users by summer.
While reducing the number of password resets is his top priority, Haney also plans to tie the identity management system to Whirlpool's human resources applications. Once that is accomplished, user accounts will be automatically provisioned when a new employee starts working at any of Whirlpool's 300 offices worldwide. Just as important, employees' accounts will be deleted when they leave the company.
Not that single sign-on is a security cure-all. In fact, as Haney acknowledges, single-sign-on systems could increase exposure by giving an attacker a single point of access to password information. But Haney said he does not feel single sign-on puts his enterprise applications at a significantly increased risk for security breaches.
A full-blown security and privacy program at Whirlpool, as well as a global security education program, probably help allay Haney's fears. A chief privacy office with a staff of six deals strictly with security policies and with enforcing those policies on a global basis. For example, all passwords are changed every 30 days. And the portal times out all applications once a computer has been idle for a certain amount of time.
Still, Haney is savvy enough to know that when it comes to security, there are no silver bullets. “Single sign-on compromises security, but, likewise, having too many passwords compromises security as well,” he said. “There's probably a higher risk of someone walking into our offices and flipping up a keyboard to see if passwords are written underneath it. If someone wants to access our apps, they will, regardless of whether we're doing single sign-on or not.”
Senior Writer Anne Chen can be reached at [email protected].
Case File
Location: Benton Harbor, Mich.
- The need: Provide Web-based single sign-on to reduce the number of passwords within the organization; synchronize user names and passwords for legacy applications; reduce help desk calls
- The solution: Use an access management product to manage policies for Web-based applications tied to an LDAP server; deploy an identity management product to provision user names and passwords and allow users to reset their own passwords via a portal
- Products: IBM Tivoli Access Manager, IBM Tivoli Identity Manager, IBM SecureWay LDAP Server
- ROI: Potential savings of millions of dollars in reduced help desk calls annually
- What's next: Tie single sign-on to human resources applications; move off VPNs