Manageability of Large Usernames and Passwords
“How to Manage Large Usernames and Passwords within an Enterprise”
RES 531: Research Methods
March 19, 2014
Chapter 1: Literature Review
- The Problem
- Security
- IT Governance
- Solution
Chapter 2: Introduction
- Background
- Purpose
- Importance
Chapter 3: Context of the Problem
- Problem Statement
- Problem
Chapter 4: Significance and Impact
- Importance
- Significance of Theory or Practice
- Impact
Chapter 5: Research Design Methodology
- Research Objectives
- Major Research Question
- Research Questions: Qualitative or Quantitative
- Design Usefulness
Chapter 6: Procedures
- Information and Data Collection
- Benefits
Conclusion
References
Vocabulary
Chapter 1: Literature Review
Access controls are necessary to protect the privacy, confidentiality, availability and integrity of information within a large enterprise and/or organization (Burr, 2013). According to Andersson (2013), usernames and passwords are the most common form of technical access control, and they introduce an enormous amount of complexity within an organization. Some of those complexities are: increased administrative burden, IT cost, information system complexity, information system security risk, and business time loss (Andersson, 2013).
From a purely end-user and IT support point of view, the deployment of username and password systems creates end-user usability problems (such as the inability to remember multiple passwords for different network resources) and IT manageability challenges (such as having to reset user account passwords often, and security breach occurrences) (Pandey, et. al., 2013). This research will identify each of the challenges related to the use of large numbers of usernames and passwords while recommending potential solutions that focus on balance, cost, time, and security effectiveness (Bhattacharya, Chhaware, & Pandy, 2013).
- The Problem
According to Andersson (2013) and Pandey, et. al. (2013), the use of usernames and passwords provides a simple, relatively low-cost way for enterprises to manage and control access to their information. However, both attest to the complexity that occurs when organizations grow and their network resources expand. This growth therefore increases the effort needed to manage credentials.
Many solutions have been proposed and tried in an effort to reduce access control complexity and improve cost effectiveness while an organization is in its infancy (Pandey, et. al., 2013). According to Andersson (2013), of the many methods available for addressing the manageability issue, most fall within two categories: simplifying end-user usability, and simplifying IT administration, management, and support. Andersson (2013) analyzed one method that made it easier for end users to remember passwords by implementing passphrases that invoke the use of mnemonics. With the use of mnemonics, users are less likely to forget their many usernames and passwords, which in turn should decrease the burden on administrative support. However, studies have found that putting passphrases into practice does not result in any decrease in IT administrative burden (Andersson, 2013). Pandey, et. al. (2013) therefore addressed the problem from an IT administrative approach by proposing a Single Sign-On (SSO) solution.
- Security
With increased complexity of access credentials also comes increased risk of information compromise (Morris & Thompson, 1979). Within the security aspect of access control methodology, there are many theories on how to better manage these issues, control their cost, and secure against them (Stoneburner, 2002). Large U.S. Federal Government agencies such as the National Institute of Standards and Technology (NIST) have dedicated a major portion of their resources to this topic in order to provide a set of common best practices aimed at striking the best balance between cost, simplicity, usability and security (Burr, 2013).
Although large numbers of usernames and passwords impose an administrative burden, regulatory compliance laws must still be met (Gerdes, 2008). Within this realm, the main focus is on successfully passing regulatory audits by implementing the best possible methods of access control (Wurzler, 2013). Overall, once a balance has been found, the result is the preservation and protection of the organization's valuable information (Burr, 2013).
- IT Governance
Beyond improvements to access credentials in the areas of security, IT management, and end-user usability, visibility is another aspect that must be addressed in order to manage large numbers of usernames and passwords (Hillegersberg & Smits, 2013). Any solution that meets the needs of all stakeholders within an organization must provide upper management with the ability to control access across several dimensions of the organization (Gerdes, 2008). This requirement ensures that information cannot be accessed, stolen, or corrupted, whether intentionally or inadvertently. It also satisfies the compliance mandates set in place by regulations such as Sarbanes-Oxley, PCI DSS, and HIPAA (Gerdes, 2008).
Unfortunately, despite the many highly refined, well-established IT management frameworks available within the IT governance market space today (such as ITIL, COBIT 5, and ISO 27001), there continues to be a substantial disconnect between upper management and IT practices (Hillegersberg & Smits, 2013). This disconnect results in little or no visibility into an organization's IT practices, which exposes the organization as a whole to serious compromise and to a serious risk of failed regulatory audits (resulting in substantial fines and even prison time for some) (Hillegersberg & Smits, 2013).
- Solution
As we continue to move forward into the era of Web 2.0 technologies, cross-platform Single Sign-On (SSO) technologies have emerged that span the cross-platform world (such as Windows, Linux, Unix and Mac OS X) (NISO, 2011). Although SSO does not cover every platform that is capable of web protocols, these technologies do accommodate cross-platform integration issues using a combination of solutions (Ormancy, 2008). Some of those solutions are WS-Federation, the Apache Web Server, the Shibboleth Service Provider module, and Microsoft ADFS in Active Directory (Ormancy, 2008). These solutions provide each user with a single set of credentials for accessing resources residing on platforms that support web-based protocols (Ormancy, 2008).
Therefore, of all the solutions proposed to the problem of username and password management, the most common solution that comes close to balancing the cost, administration, usability, visibility, and support requirements is Microsoft ADFS in Active Directory, an SSO solution (Myllyniemi, 2006).
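To make the SSO principle described above concrete, the following is an added example, not code from this paper or from any of the products it names. It models the division of labour that federated SSO products such as ADFS rely on: one identity provider holds the single credential per user and issues a signed, audience-bound, time-limited assertion, and each application (service provider) trusts that assertion instead of keeping its own password store. The token format is a simplified HMAC-signed JSON structure standing in for what WS-Federation or SAML would carry (real deployments sign with a certificate, not a shared key), and the names "billing", "reimbursement", the user "jdoe", and the 600-second lifetime are constructed for the example.

```python
"""Minimal single-sign-on illustration: one credential, many applications.

Added example. The IdP/SP split and the signed-assertion idea are the
general SSO pattern; the exact token format, the shared HMAC signing key,
and the application names are simplifications assumed for this demo.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

TOKEN_TTL_SECONDS = 600      # assumed assertion lifetime
PBKDF2_ROUNDS = 200_000      # assumed password-hashing work factor


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityProvider:
    """Holds the single credential per user and issues signed assertions."""

    def __init__(self, signing_key: bytes):
        self._signing_key = signing_key
        self._users = {}  # username -> (salt, pbkdf2 digest); no plaintext stored

    def enroll(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest)

    def authenticate(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown names so response time
            # does not reveal which usernames exist.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False
        salt, digest = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(candidate, digest)

    def issue_token(self, username: str, password: str, audience: str, now: float = None) -> str:
        """Authenticate once, then mint an assertion bound to one application."""
        if not self.authenticate(username, password):
            raise PermissionError("authentication failed")
        now = time.time() if now is None else now
        payload = {"sub": username, "aud": audience,
                   "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self._signing_key, body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)


class ServiceProvider:
    """An application that trusts the IdP's key instead of keeping passwords."""

    def __init__(self, name: str, idp_key: bytes):
        self.name = name
        self._idp_key = idp_key

    def accept(self, token: str, now: float = None) -> str:
        """Return the authenticated username, or raise PermissionError."""
        now = time.time() if now is None else now
        try:
            body, sig = token.split(".", 1)
            sig_bytes = _unb64(sig)
        except (ValueError, binascii.Error):
            raise PermissionError("malformed token")
        expected = hmac.new(self._idp_key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            raise PermissionError("bad signature")      # forged or tampered
        payload = json.loads(_unb64(body))
        if payload.get("aud") != self.name:
            raise PermissionError("token issued for a different application")
        if now >= payload.get("exp", 0):
            raise PermissionError("token expired")
        return payload["sub"]


def run_demo(now: float = 1000.0) -> dict:
    """Walk one user through two applications with a single credential."""
    key = b"demo-signing-key"                       # constructed for the example
    idp = IdentityProvider(key)
    idp.enroll("jdoe", "correct horse battery staple")
    billing = ServiceProvider("billing", key)
    reimbursement = ServiceProvider("reimbursement", key)

    results = {}
    token = idp.issue_token("jdoe", "correct horse battery staple", "billing", now=now)
    results["billing_user"] = billing.accept(token, now=now + 1)
    for label, sp, when in (("reused_elsewhere", reimbursement, now + 1),
                            ("after_expiry", billing, now + TOKEN_TTL_SECONDS)):
        try:
            sp.accept(token, now=when)
            results[label] = "accepted"
        except PermissionError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the demo makes for this research is that the number of passwords a user must remember, and the number of password stores an administrator must reset and audit, both collapse to one, while each application still gets an assertion it can verify on its own and that cannot be replayed against a different application or after it expires.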
Chapter 2: Introduction
The research topic covered in this report, entitled “How to Manage Large Numbers of Usernames and Passwords within an Enterprise”, resides within the realm of information systems management (Ormancy, 2008). This research will cover the purpose behind the use of usernames and passwords and the current issues with credentialed access control. It will also show how these issues impact an organization, and the existing and potential future solutions for minimizing such large numbers of usernames and passwords (Morris & Thompson, 1979, pp. 574-597).
- Background
Information access control was introduced to overcome data confidentiality and integrity issues so that organizations could safely reap the benefits of information technologies (Wurzler, 2013, pp. 2-4). However, the result was an environment in which users would write down their login credentials, which in turn placed the organization's data at risk of compromise due to the ease of them being (Andersson, 2013). Eventually, access control methodologies were introduced at the single-instance platform and application/service level (Bhattacharya, Chhaware, & Pandy, 2013). This allowed credentials such as usernames and passwords to be used to authenticate users (verify one's identity), authorize them according to a preset permission configuration, and provide accounting services (Bhattacharya, Chhaware, & Pandy, 2013).
- Purpose
The purpose of this project is to find and recommend technologies, methods and processes that will enable organizations to protect their information with one username and password (Burr, 2013). Such a finding would also decrease the complexity of having to manage a large number of usernames and passwords as the organization grows and expands (Burr, 2013).
- Importance
How to manage usernames and passwords within an enterprise is an important topic to organizations for several reasons. Some of those reasons are information security, information management, accuracy, availability, and confidentiality (W3C, 2001). When an organization moves from the use of older storage to technology-based storage, the organization's process to manage, maintain, and secure information can become a bit overwhelming for administration (NISO, 2011). Organizational dependencies upon information technology can therefore introduce substantial business process delays due to the number of network resources that an organization uses (NISO, 2011).
Chapter 3: Context of the Problem
Information technology, or “IT”, offers organizations the ability and opportunity to manage massive amounts of data in an efficient and effective way through the use of computers and software (such as databases) that facilitate much faster search, storage, and retrieval of information (Wurzler, 2013). However, the same technologies that facilitate efficient, effective use of data also give information thieves easy access (both locally and remotely) to data that should be kept confidential (Wurzler, 2013, pp. 2-4).
- Problem Statement
IT network resources built and used by big enterprises typically support a very large number of employees, each of whom requires a different username and password for each network resource they access (Andersson, 2013). Furthermore, as large organizations continue to grow and expand, the number of network resources tends to grow exponentially, greatly increasing the size and scope of administration such as user account setup, password resets, and similar activities. This change places demands upon the organization that are well beyond reasonable IT staffing numbers and/or cost (Pandey, et. al., 2013). Therefore, this proposal will identify, define, and provide a solution to the problem of minimizing large numbers of usernames and passwords in its entirety.
- Problem
Credentialed access to IT systems is perhaps the most widespread administration and maintenance issue of large organizations (Andersson, 2013). Due to the number of IT systems necessary to support a large organization, password resets, management effort, and IT staffing increase while information security decreases. According to Andersson (2013), the main reason is that the IT staff become too focused on credentialing issues instead of other major security problems within the enterprise.
Chapter 4: Significance and Impact
- Importance
How to manage usernames and passwords within an enterprise is important to organizations for several reasons. Some of those reasons are information security, information management, accuracy, availability, and confidentiality (W3C, 2001). When an organization moves from the use of older storage (such as paper documentation and file drawers) to technology-based storage (electronic and computer systems), the organization's process to manage, maintain, and secure information can become a bit overwhelming for administration (NISO, 2011).
Organizational dependencies upon information technology can result in substantial process delays due to the expansion of the resources that the organization uses (NISO, 2011). In general, of all the problems that can occur within an organization, the most common everyday issues are constant reports of lost, stolen, or forgotten usernames and passwords (NISO, 2011).
- Significance of Theory or Practice
The study of managing large numbers of usernames and passwords within an enterprise can be significant either in theory or in practice (Schmidt, 2011). Significance in theory is the process of forming one's own opinion based on the research one has done and read, without doing it physically. Significance in practice is the process of seeing for oneself what is going on by doing it physically, and formulating a positive or negative answer based on the outcome (Schmidt, 2011). This research is therefore significant in practice, because tight access control is an essential requirement within an organization in order to protect its information as well as its employees (Schmidt, 2011). This significance in practice will also show a viable solution for minimizing large numbers of access credentials while avoiding business time loss, cost, and unauthorized access to networks (Schmidt, 2011).
- Impact
Credentialed access to IT systems is perhaps the most widespread administration and maintenance issue among large organizations (Bhattacharya, Chhaware, & Pandy, 2013). Within these organizations, every individual that requires access to digital information and resources (such as a desktop or laptop computer, smart phone, thin client, dumb terminal/mainframe, or tablet computer) is impacted by access control issues (Pandey, et. al., 2013). Therefore, since managing large numbers of usernames and passwords increases management tasks, it also increases costs (Stoneburner, 2002).
For example, one company that is widely known for its productive Billing and Reimbursement Departments is comprised of over 150 employees. Within this company, each employee serves different functions, requires access to many network resources, and has a separate set of access credentials for each. The Reimbursement Department (of which I am an employee) is comprised of 12 people, and each person on the team must access six (6) different platforms, each of which requires six (6) different username and password combinations. If a user makes a simple mistake by keying incorrect information into one of the network-based reimbursement applications, the group manager has to type in the names of all 12 people in the group in order to determine to whom the username associated with the erroneous data is assigned. The entire process is extremely disruptive, consuming a minimum of 1.5 hours (and sometimes more than a day) in order to resolve the incorrectly keyed data entry. With a consumption of this kind of time, the business slows down, employees can't work, the IT staff has to focus solely on this issue, and stakeholders are losing money in every increment (Bhattacharya, Chhaware, & Pandy, 2013).
Chapter 5: Research Design Methodology
- Research Objectives
The focus of this research is to identify, analyze and determine the best strategies available for resolving the issues cited regarding credentialed access (Pandey, et. al., 2013). Considerations covered by the research will also include issues with cross-platform compatibility, service and protocol interoperability, ease of use, administrative burden, and information security (Pandey, et. al., 2013). This research will therefore conclude with the identification of technologies and methodologies that provide the best solution to this problem (Pandey, et. al., 2013).
- Major Research Question
The primary question this study aims to answer is, “How can organizations minimize large numbers of usernames and passwords with less complexity?” (Burr, 2013). The heart of the research is the ability to secure valuable information with minimized credentialing (Burr, 2013). However, once credentialing has been implemented, it, along with the information it protects, has to be managed effectively to prevent unauthorized access (Stoneburner, 2002).