Power to the people

Self-serve password-management systems cut help-desk costs

If your help desk is typical, workers there spend a lot of time fielding calls from people who have either forgotten or need to change their passwords. Password-management software offers a solution. By giving users a secure way to reset passwords on their own, it can ease the burden on the help desk, improve security, boost productivity and cut costs.

One reason agencies such as the Census Bureau and the Library of Congress now use password-management software is to cut down on the number of costly, password-related calls to help desks.

A study by market research firm Gartner Inc., Stamford, Conn., found that up to 25 percent of service-desk calls are for password resets. "Of all the problem types, it's the [easy], low-hanging fruit of problems you can solve by automating," said Kris Brittain, research director of Gartner's consolidated service desk. Help-desk software helps solve only part of the problem by providing quality assurance, statistical analysis and issue-tracking data on calls. "As help-desk software has gotten better with issue-tracking systems, it raised the visibility of the password-management problem," said Idan Shoham, chief technology officer at M-Tech Mercury Information Technology Inc., an Alberta, Canada, security services company with a password-management product.

The need for increased security is a secondary, albeit growing, reason that password-management software is taking off. Despite the downturn in consumer-based e-commerce, e-government and business-to-business (B2B) networks have continued to soar, said Jeff Smith, a principal at integrator Booz-Allen & Hamilton Inc., San Diego, Calif.

The subsequent growth of Web access, wireless technology, remote computing and virtual private networks caused agencies to let more employees into their systems, said Willy Leichter, product marketing manager with Secure Computing Corp., San Jose, Calif.

The growth of outward-facing systems has also increased the need for better security, according to vendors. Last year, password-management start-up Waveset Technologies Inc., Austin, Texas, completed a study showing password and access management to be the chief concern of large information technology departments. "We found that IT increasingly is hosting external constituencies, and the number of applications online for external users has grown," said Mike Turner, Waveset's chief executive officer.

Booz-Allen & Hamilton managers are training their staff to integrate Waveset's security administration solutions. "We've found that password-management software allows users to facilitate B2B and e-government security administration more easily," said Chris Pierce, a senior associate at the company.

Others concur. "You get increased security and service from these products," said Pete Lindstrom, a senior security analyst with Hurwitz Group, Framingham, Mass.

That added security and service drove the Census Bureau to buy ProfileBuilder and PasswordCourier software from Courion Corp., also of Framingham (see box, Page 33).

Courion's software provides one place for users to reset their passwords on multiple platforms, although it does not allow them to have the same password on all systems, and it does not consolidate or propagate passwords. "That would be a security breach," said Dale Reed, branch chief of Courion's IT client support office. "It preserves the integrity of each individual system's password, and that's the beauty of it."

The need for one place to reset multiple-platform passwords was one of the top reasons that the Library of Congress chose BMC Software Inc.'s Control-SA/PassPort software. The Library was already a user of the Houston-based company's enterprise software, Patrol, so it made sense to choose BMC's password-management module, according to Library officials.

"We had developed our own homegrown password-management program that didn't scale well," said John King, an LOC computer specialist. "We spent a lot of time maintaining user accounts on multiple operating systems and database platforms. This product supports every platform we have here from a central location." Although the LOC system is still only in the pilot stage, the agency has completed tests on the integration of Control-SA with Unix and Microsoft Corp. Windows NT servers to see if it could manage security from Control-SA rather than having to log on to the individual server machines. "We were satisfied we could do that," King said.

LOC officials also tested the software's ability to set up groups of users who have similar access rights. "PassPort enables us to manage those definitions from one Control-SA management station," King said. PassPort enables LOC administrators or users to reset passwords. "It depends on agency policy whether the administrator is the password facilitator or the end users are allowed to synchronize their own passwords," said Joe Skocich, manager of product marketing for BMC's Security Management solution.

Password-management systems also effectively support a key part of any good security policy: frequent password changes. "If the users can reset their own passwords, then it doesn't matter how many passwords they have or how often they change them," said Yiwei Yi, a Census Bureau computer specialist. "The end result is that users will reset their passwords more frequently because it is easier to do, and the more they reset, the more security" there is.

"Some environments are so highly secure that you have to change every password everywhere, every 30 days," said Brian Anderson, chief marketing officer at Access360. The Irvine, Calif., company offers a password-management system called enRole and views password management as part of a larger market it calls policy-based provisioning.

In general, password-management software has grown more complex in recent years. M-Tech's P-Synch server product, for instance, has evolved from a fairly simple application that resides on users' desktops to a scalable, multiple-platform system that can support 100,000 users, according to the company.

"We no longer have desktop components," said M-Tech's Shoham. "We are server-based, and we run on more than 60 platforms out of the box. We can manage passwords in Unix, Windows NT and 2000, mainframes, databases and [human resources] systems."

Many products now can also be integrated more easily with related software, such as automated help-desk systems. Courion's software "interfaces well with our help-desk software, Remedy," said Roger Rhoads, Census Bureau branch chief for network and technical services. "If you can't successfully reset your password, it'll automatically generate a help-desk ticket showing that the user is having a problem."

Tom Rose, Courion's vice president of marketing, said, "We integrate with all help-desk software today, and we ship a variety of connectors that connect to databases, such as Oracle [Corp. databases] and Microsoft SQL Server, as well as to directory servers."

Today, password-management vendors walk the line between help-desk support and security. But in the future, password management will continue to grow more complex as the IT world moves beyond passwords into other types of security technology.

"There's a lot of science-fiction technology that hasn't reached maturity yet," Secure Computing's Leichter said. "But you don't want to rely on only one factor if you want the best security." n Gerber is a freelance writer based in Kingston, N.Y.The secret word is money

As in most workplaces, time is money for a computer-user help desk. Market research firm Gartner Inc. determined that helping users reset passwords can be costly indeed.

"We calculate cost per call at $14 to $28, based on seven minutes per call, the cost of the individual and the cost of facilities," said Kris Brittain, research director of Gartner's consolidated service desk. "Given these metrics and based on a 10,000-employee [organization], if you have 2,500 calls per month at $20 per call, then it costs you $50,000 per month or $600,000 per year."
