Miami Beach eases the pain of passwords


Access management tool reduces help-desk calls, improves security.

Miami Beach may be a glamorous location, but the problems facing the city's information technology department can be downright prosaic. Recently, the department tackled a problem many organizations share: password propagation.

City employees, who need to access a variety of applications, had too many passwords. As a result, the help desk too often got swamped with requests for help with password resets.

'The first thing I wanted to do was let my customers do self-service password resets,' said Nelson Martinez, director of the city's IT support division.

Passwords are a headache just about everywhere. As the number of passwords a user must remember mounts, they can become a risk rather than an aid to security. They become vulnerable when people write them down for quick reference or use the same password for multiple sign-ons.

And they can become an expensive nuisance to help-desk employees who must reset forgotten passwords.

Miami Beach's IT division is a 24-hour operation supporting police, fire and other public-service departments in the city. But the division does not have a 24-hour, on-site help staff. IT administrators wanted to eliminate the more routine after-hour help-desk calls so on-call employees could focus on critical issues.

The support division chose the OneSign platform from Imprivata, an identity and access management tool that integrates with any kind of authentication on the front end, then tracks and manages sessions, creating an audit trail for access policy enforcement.

A single sign-on feature presents credentials to applications automatically so users don't have to manage and remember their own passwords.

'The basis of IT security is knowing who your users are and being able to enforce policy,' Imprivata Chief Technology Officer David Ting said. 'It is difficult to achieve that kind of control by modifying your applications,' so OneSign creates an interface among the user, directory and applications.

OneSign supports any kind of authentication used by government agencies, including passwords, tokens, digital certificates and biometrics. The Defense Department, for example, requires its authentication management tools and those of its contractors to support the Common Access Card, which uses digital certificates, Ting said.

Easy does it

'State and local government tends to be driven by convenience,' Ting said, and they focus on fingerprint readers as the primary source of authentication. That is the case in Miami Beach.

Everyone in the IT department and senior management uses fingerprint readers, and all laptop computers come with readers built in. 'That's how we order them now,' Martinez said.

For stand-alone readers, the department has standardized on ultrasound fingerprint readers from UltraScan with TouchChip TCS1 sensors from UPEK.

'It's not a cheap reader, but the quality is better,' Martinez said. 'We haven't had any issues with it.'

Print templates for authentication are stored centrally in a database on the OneSign server. Its algorithms support any standard type of print reader, whether stand-alone or embedded on laptops.

'In early releases of the product, you had to use the laptop driver working with the Imprivata agent,' Martinez said. But the agent now interfaces directly with the embedded reader and does not require a driver to be running. 'That's one less driver that can malfunction.'

The OneSign server is a purpose-built hardware appliance running a hardened Linux operating system.

Once it has authenticated a user, it tracks the session and all applications used for audit purposes, a critical factor for regulatory compliance.

OneSign comes with a standard set of reports that are generated monthly.

The reports can be customized, though Imprivata tries to anticipate what users will need.

A client agent resides on the user device to handle authentication, track activity and present credentials for single sign-on. OneSign creates profiles of each application, recognizing log-in screens and presenting the proper credentials, usually a password, automatically.

The agent also can automatically generate new passwords as old ones expire so the user does not have to keep track of passwords.
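The agent workflow the two paragraphs above describe (a per-application profile that recognizes a log-in screen, presents stored credentials, rotates a password when it expires, and records every step for audit) can be sketched in a few dozen lines. The following is an added illustration written for this article, not Imprivata code and not a description of how OneSign is implemented; the application names, title patterns, password policy, 90-day maximum age and user name are all constructed for the example.

```python
import re
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed policy values (assumptions for this example, not OneSign's settings).
PASSWORD_LENGTH = 16
MAX_AGE = timedelta(days=90)


@dataclass
class AppProfile:
    """Hypothetical application profile: how the agent recognizes a log-in screen
    and which stored credentials belong to it."""
    name: str
    title_pattern: str   # regex matched against the window title or URL
    username: str
    password: str
    last_rotated: date


def check_policy(pw: str) -> bool:
    """A generated password must carry all four character classes."""
    return (len(pw) >= PASSWORD_LENGTH
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def generate_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw from a CSPRNG until the candidate satisfies the policy."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if check_policy(pw):
            return pw


@dataclass
class Agent:
    profiles: list
    audit: list = field(default_factory=list)   # (date, user, subject, event)

    def recognize(self, screen_title: str):
        """Match the observed log-in screen against the application profiles."""
        for p in self.profiles:
            if re.search(p.title_pattern, screen_title):
                return p
        return None

    def present(self, user: str, screen_title: str, today: date):
        """Return (username, password) for a recognized screen. If the stored
        password has reached MAX_AGE it is replaced first, so the user never
        handles the new value. Every outcome is written to the audit trail."""
        profile = self.recognize(screen_title)
        if profile is None:
            self.audit.append((today, user, screen_title, "no-profile"))
            return None
        if today - profile.last_rotated >= MAX_AGE:
            profile.password = generate_password()
            profile.last_rotated = today
            self.audit.append((today, user, profile.name, "rotated"))
        self.audit.append((today, user, profile.name, "sso-login"))
        return profile.username, profile.password


def build_demo_agent() -> Agent:
    """Constructed sample data: one fresh profile and one whose password is stale."""
    return Agent(profiles=[
        AppProfile("legacy-payroll", r"Payroll Login", "user01",
                   "Initial-Payroll-Pw#1", date(2023, 12, 1)),
        AppProfile("gis-portal", r"^GIS Portal", "user01",
                   "Initial-Gis-Pw#1", date(2023, 9, 1)),
    ])


if __name__ == "__main__":
    agent = build_demo_agent()
    today = date(2024, 1, 1)   # constructed "current" date
    print(agent.present("user01", "Payroll Login - v2", today))
    print(agent.present("user01", "GIS Portal (production)", today))
    print(agent.present("user01", "Unknown App", today))
    for row in agent.audit:
        print(row)
```

The point of the sketch is the division of labour the article describes: the user authenticates once to the agent, the agent owns the application passwords, and the audit list is the record a compliance reviewer would later ask for. A real deployment keeps the profiles and passwords in an encrypted central store rather than in process memory, and the rotation step has to actually change the password in the target application, which this example only simulates.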

Older passwords

Handling multiple passwords is necessary because the city has a number of applications that do not integrate with Microsoft Active Directory and require their own passwords.

Many of these applications are older programs developed in-house, Martinez said. 'We are in the process of getting rid of them,' he said, but commercial applications often do their own authentication, 'which means there is another password that needs to be remembered.'

When the number of passwords a user has to remember reaches seven to 10, administrators start looking for alternatives such as OneSign, Ting said.

The server can support as many as 40,000 agents, but multiple servers might be needed for geographically dispersed networks and to provide load balancing and adequate throughput for peak periods when most users are signing on.

Ting said the company has customers with as few as 200 users and as many as 40,000, but 'the sweet spot for us right now would be 2,000 to 5,000.'

Miami Beach fits the profile, with about 2,000 users at 34 locations scattered across the city's 7.1 square miles of land. Some locations are on T1 links rather than the city's metro network.

Despite this widely dispersed user base, Martinez said, he has had no problems with the OneSign client agents.

'If you have a problem pushing agents or managing them, it's because the tools you are using to do it aren't working properly,' he said.

His division uses Microsoft Systems Management Server and Altiris deployment software for pushing and managing, and 'we haven't had any problems at all with the agents.'

The city has been using OneSign for about two years, and it is a part of the IT department's standard image.

'The roll-out was very easy,' Martinez said. 'A week was more than sufficient' to get the needed training and experience to manage it.

Calls to the help desk are down, he added, the turnaround time for calls has improved, and IT employees now focus on more critical problems. 'It's a win-win for everyone.'


THERE ARE A LOT of access and password management products on the market, most of them performing similar functions. But that doesn't mean they're all the same from an agency's point of view.

'You can't make a decision based just on functionality,' said Nelson Martinez, director of support services at Miami Beach's Information Technology Department. Access, identity and password management are critical functions and store a lot of sensitive information. 'You have to consider the security profile.'

Martinez eventually settled on the OneSign platform from Imprivata, a client/server system that has a dedicated hardware/software appliance for a server.

One of the goals of password and access management, after all, is to improve security. In his search for security along with function, Martinez wanted a product that would provide a heterogeneous environment. Most of the products he looked at were software packages running on Microsoft servers. He was leery of them because he did not want to put password management on a server with known vulnerabilities being targeted by hackers.

'One of the reasons I decided to go with Imprivata was the fact it was an appliance solution running a lightweight, non-Microsoft operating system,' Martinez said.

OneSign runs a hardened Linux operating system. The only functionality Martinez said he has sacrificed by going to OneSign is the ability to establish more detailed password profiles. 'In that sense, Windows is lacking,' he said. He added that he would like to see Imprivata include middleware in its product that would allow the use of more flexible password requirements with Microsoft Active Directory.
