<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Intranet Experience Blog &#187; Identity Management</title>
	<atom:link href="http://www.intranetexperience.com/ourblog/category/identity-management/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.intranetexperience.com/ourblog</link>
	<description>Topics relating to Intranets, portals, enterprise content management, internal communications, and social media in the workplace</description>
	<lastBuildDate>Mon, 04 Jul 2011 18:47:51 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" />
		<item>
		<title>Intranet Tip &#8211; Weak Passwords Jeopardize Organizational Security</title>
		<link>http://www.intranetexperience.com/ourblog/2009/11/intranet-tip-weak-passwords-jeopardize-organizational-security/</link>
		<comments>http://www.intranetexperience.com/ourblog/2009/11/intranet-tip-weak-passwords-jeopardize-organizational-security/#comments</comments>
		<pubDate>Fri, 27 Nov 2009 19:31:17 +0000</pubDate>
		<dc:creator>Sean R. Nicholson</dc:creator>
				<category><![CDATA[Best Practices]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Intranet]]></category>
		<category><![CDATA[Intranet Portal]]></category>
		<category><![CDATA[Intranet Tips]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[single sign-on]]></category>

		<guid isPermaLink="false">http://www.intranetexperience.com/ourblog/?p=689</guid>
		<description><![CDATA[As the centralized point of access to organizational information, your Intranet portal may also represent a potential security risk. This is especially true if your portal is accessible to employees via the Internet. If your Intranet authentication is tied to your Active Directory or LDAP, be sure to put policies in place that ensure that your employees change their passwords on a periodic basis. In addition, be sure to encourage (or require) employees to use "strong" passwords that are composed of a combination of alpha characters, numbers, symbols and mixed cases.]]></description>
			<content:encoded><![CDATA[<div id="attachment_128" class="wp-caption alignleft" style="width: 90px"><a href="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/sean1.jpg"><img class="size-full wp-image-128" title="Sean R. Nicholson" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/sean1.jpg" alt="Sean R. Nicholson" width="80" height="80" /></a><p class="wp-caption-text">Sean R. Nicholson</p></div>
<p>As the centralized point of access to organizational information, your Intranet portal may also represent a potential security risk. This is especially true if your portal is accessible to employees via the Internet. If your Intranet authentication is tied to your Active Directory or LDAP, be sure to put policies in place that ensure that your employees change their passwords on a periodic basis. In addition, be sure to encourage (or require) employees to use &#8220;strong&#8221; passwords that are composed of a combination of alpha characters, numbers, symbols and mixed cases.</p>
<p>Unfortunately, according to <a href="http://www.wired.com/threatlevel/2009/10/10000-passwords/" target="_blank">Wired Magazine</a>, the most common password successfully used in a recent Hotmail attack was &#8220;123456&#8221;. Yes, that&#8217;s correct&#8230;virtually the same password used by Mel Brooks in Spaceballs to secure his luggage.</p>
<p>As an Intranet professional, it&#8217;s important that your employee communications focus on employee education around the topic of frequent password changes, password strength, and their ability to identify and avoid password phishing scams. <a href="http://www.journalofaccountancy.com/Issues/2009/Jul/20081305.htm" target="_blank">The Journal of Accountancy</a> provides a great analysis of different types of passwords and their ability to be compromised, as well as a five-step process that can be followed to analyze your existing application password strength.</p>
<blockquote>
<p align="left"><span>1. <strong><em>Start by developing a full understanding of how your computer system stores passwords.</em></strong></span></p>
<p align="left"><span>2. <strong><em>Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely.</em></strong><br />
</span></p>
<p align="left"><span>3. <em><strong>If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum.</strong></em><br />
</span></p>
<p align="left"><span>4. <strong><em>If your assessment reveals that you need an entirely new password management system, look for “yes” answers to each of the following four questions when you evaluate products. </em></strong>(<a href="http://www.journalofaccountancy.com/Issues/2009/Jul/20081305.htm" target="_blank">click here to view the additional 4 questions</a>)<br />
</span></p>
<p><span>5. <strong><em>Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test.</em></strong></span></p></blockquote>
<blockquote><p><em>Source: Journal of Accountancy, July 2009.</em></p></blockquote>
<p>If you haven&#8217;t run a recent campaign reminding employees of their responsibility to keep corporate information secure, it might be a good time to put one together and teach your employees how to avoid weak passwords and phishing scams.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intranetexperience.com/ourblog/2009/11/intranet-tip-weak-passwords-jeopardize-organizational-security/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>It&#8217;s 2AM, Do You Know Where Your Organizational Information Is??</title>
		<link>http://www.intranetexperience.com/ourblog/2009/10/its-200-do-you-know-where-your-organizational-information-is/</link>
		<comments>http://www.intranetexperience.com/ourblog/2009/10/its-200-do-you-know-where-your-organizational-information-is/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 04:12:48 +0000</pubDate>
		<dc:creator>Sean R. Nicholson</dc:creator>
				<category><![CDATA[Content Management]]></category>
		<category><![CDATA[Digital Asset Management]]></category>
		<category><![CDATA[Document Management]]></category>
		<category><![CDATA[Enteprise Content Management]]></category>
		<category><![CDATA[Etc...]]></category>
		<category><![CDATA[Governance]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Intranet]]></category>
		<category><![CDATA[Intranet Portal]]></category>
		<category><![CDATA[Knowledge Management]]></category>
		<category><![CDATA[Searchability]]></category>
		<category><![CDATA[Services Oriented Architecture]]></category>
		<category><![CDATA[Social Networking]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[Web Content Management]]></category>
		<category><![CDATA[customer satisfaction]]></category>
		<category><![CDATA[employee satisfaction]]></category>
		<category><![CDATA[information architecture]]></category>
		<category><![CDATA[information management]]></category>

		<guid isPermaLink="false">http://www.intranetexperience.com/ourblog/?p=593</guid>
		<description><![CDATA[The reality is that organizations are generating more and more information on an hourly basis. Take a moment and think about all the documents, spreadsheets, presentations, emails, voice mails, and sticky notes you generated on a daily basis just 3 years ago. Now, add modern day blogs, tweets, text messages, forum posts, comments, status updates, videos, podcasts, and wiki posts to your list and what do you get? More information? Definitely! But the larger problem is the fact that the information is now spread out in more places, making it harder for other employees and customers to find it.]]></description>
			<content:encoded><![CDATA[<div id="attachment_128" class="wp-caption alignleft" style="width: 90px"><img class="size-full wp-image-128" title="Sean R. Nicholson" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/sean1.jpg" alt="Sean R. Nicholson" width="80" height="80" /><p class="wp-caption-text">Sean R. Nicholson</p></div>
<p>Having been in the field of information management for quite a while now, I have developed a few credos that seem to prove more and more useful as the volume of organizational information continues to grow. I used to drive one of my previous teams absolutely crazy with this one:</p>
<blockquote>
<p style="text-align: center;"><strong><em>&#8220;The only thing worse than no information is BAD information&#8221;</em></strong></p>
</blockquote>
<p>Think about it. When you have no information, you seek out answers, solutions, and advice. When you have bad information,  it&#8217;s likely that you don&#8217;t know it&#8217;s bad, so you react to the information. Only after you have used the information and determined that it was incorrect do you (after a few choice words) continue your search for good information.</p>
<p>Take an example of a call center representative who answers the phone and provides the customer on the other end with what they think to be the most current product prices from a document they printed yesterday. Little do they know that a new copy of the rate sheet was published a couple of hours ago with significant rate changes that are now impacting their potential sale.</p>
<p>Did they have information? Yes! Was it good information? No!</p>
<p>The reality is that organizations are generating more and more information on an hourly basis. Take a moment and think about all the documents, spreadsheets, presentations, emails, voice mails, and sticky notes you generated on a daily basis just 3 years ago. Now, add modern day blogs, tweets, text messages, forum posts, comments, status updates, videos, podcasts, and wiki posts to your list and what do you get? More information? Definitely! But the larger problem is the fact that the information is now spread out in more places, making it harder for other employees and customers to find it.</p>
<p>In the past customers could simply call a 1-800 line for support and get one-stop service. In the modern day of social media, though, they can call the 800 number, tweet their problems, look for solutions in a knowledge base, email, complain in an online forum, post a video on YouTube of your product malfunctioning, or blog about it. Compound the problem with the fact that your employees are having a difficult time finding the most current methods to resolve the customer issues and you have quite an information disaster in the making. In fact, it&#8217;s a situation that could have a negative impact on both customer <strong>and </strong>employee satisfaction.</p>
<p>For some, the temptation might be to throw their hands up in the air and surrender to the fact that there are just too many channels out there. If you&#8217;re curious as to how confusing it really is, just take a look at all the new channels being created in the social media space alone via the <a href="http://theconversationprism.com/" target="_blank">Social Media Prism</a>! Now think about what your employee-to-employee and employee-to-customer communication channels are going to look like in 5 years. Believe me&#8230;I understand the desire to just crawl back in bed and ignore social media. The reality is, however, that few businesses ever succeed by ignoring change. Instead, you&#8217;re going to need to stop dismissing social media (both internal and external) as a fad and start working on how to resolve the issue.</p>
<p>Unfortunately, I don&#8217;t have a magic product that I can sell for $19.99 to serve as the magic bullet. This one&#8217;s going to require smart people in your organization rolling up their sleeves and building a solid information management architecture. No, it&#8217;s not easy, but it&#8217;s going to be a requirement for businesses to survive in the future! A good place to begin would be by looking at the following criteria:</p>
<ol>
<li>How do your employees work? Are they being asked to store information in multiple locations (e.g. My Documents, file shares, document repositories, WIKIs, etc&#8230;)?</li>
<li>Do your employees know where to go for the single source of truth? (hint, hint&#8230;it should be your Intranet)</li>
<li>Where are you storing your information? In legacy applications that aren&#8217;t searchable? In repositories that require no periodic content review?</li>
<li>Does your organization offer a single search interface that allows employees to search information in multiple repositories?</li>
<li>Is your information governance killing your employees&#8217; ability to share information (e.g. no blogs, wikis, microblogs, etc&#8230;)?</li>
<li>How do your customers interact with your organization? Are they seeking answers from multiple sources (e.g. Phone, website, Twitter, etc&#8230;)?</li>
<li>Do your customers know where to go for a single source of the truth? (hint, hint&#8230;it should be your Web site)</li>
<li>Do you have the infrastructure in place to respond to new types of interactions? Do you have corporate accounts for sites like Twitter, YouTube, Blogger, LinkedIn, and Facebook? Does someone monitor searches on your company and products?</li>
<li>Are you making it as easy as possible for your customers to get help and resolve issues?</li>
<li>Are YOU embracing internal and external information tools that will allow your employees to share information more easily and provide customers with more ways to serve themselves or seek assistance?</li>
</ol>
<p>If you haven&#8217;t started a review of your current information architecture, it&#8217;s time to start. Because I find the Social Media Prism to be so useful in explaining the external growth challenge that faces organizations, I have also put together an internal information stratification diagram that hopefully will help IT, Intranet, and ECM professionals demonstrate the internal complexities that exist inside the firewall. Click on the image below for a larger view or feel free to print out <a href="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/10/internal_information_stratification_wheel.pdf" target="_blank">a PDF version</a>.</p>
<p>As always&#8230;.this is a work in progress and all input, comments, feedback are welcome!</p>
<div id="attachment_594" class="wp-caption aligncenter" style="width: 467px"><a href="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/10/internal_information_stratification_wheel.gif" target="_blank"><img class="size-full wp-image-594" title="internal_information_stratification_wheel_sm" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/10/internal_information_stratification_wheel_sm.gif" alt="Internal Information Stratification Wheel" width="457" height="484" /></a><p class="wp-caption-text">Internal Information Stratification Wheel</p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.intranetexperience.com/ourblog/2009/10/its-200-do-you-know-where-your-organizational-information-is/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Intranet Tip for 08/04/09 &#8211; Identity Management Expectations</title>
		<link>http://www.intranetexperience.com/ourblog/2009/08/intranet-tip-for-080409-identity-management-expectations/</link>
		<comments>http://www.intranetexperience.com/ourblog/2009/08/intranet-tip-for-080409-identity-management-expectations/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 18:47:45 +0000</pubDate>
		<dc:creator>Angela Cullen</dc:creator>
				<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Intranet]]></category>
		<category><![CDATA[Intranet Portal]]></category>
		<category><![CDATA[Intranet Tips]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[single sign-on]]></category>

		<guid isPermaLink="false">http://www.intranetexperience.com/ourblog/?p=408</guid>
		<description><![CDATA[When selecting an Identity Management Application, don't expect it to integrate seamlessly with every application in your enterprise.]]></description>
			<content:encoded><![CDATA[<div id="attachment_433" class="wp-caption alignleft" style="width: 90px"><img class="size-full wp-image-433" title="Angie Cullen" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/08/Ang.png" alt="Angie Cullen" width="80" height="80" /><p class="wp-caption-text">Angie Cullen</p></div>
<p>When selecting an Identity Management Application, don&#8217;t expect it to integrate seamlessly with <em>every</em> application in your enterprise. Work toward using the tool as a &#8220;simpler&#8221; sign-on solution instead of a &#8220;single&#8221; sign-on solution. Setting that correct expectation with your sponsors and users will ensure that they have the right perception of how the tool will work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intranetexperience.com/ourblog/2009/08/intranet-tip-for-080409-identity-management-expectations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Single Sign-On or Simpler Sign-On&#8230;What Expectation Is Realistic For Identity Management?</title>
		<link>http://www.intranetexperience.com/ourblog/2009/03/single-sign-on-or-simpler-sign-onwhat-expectation-are-you-setting-for-identity-management/</link>
		<comments>http://www.intranetexperience.com/ourblog/2009/03/single-sign-on-or-simpler-sign-onwhat-expectation-are-you-setting-for-identity-management/#comments</comments>
		<pubDate>Sat, 28 Mar 2009 20:45:59 +0000</pubDate>
		<dc:creator>Sean R. Nicholson</dc:creator>
				<category><![CDATA[Application Integration]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Intranet]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[single sign-on]]></category>

		<guid isPermaLink="false">http://www.intranetexperience.com/ourblog/?p=73</guid>
		<description><![CDATA[Who isn't interested in accomplishing Single Sign-On? You know, that nirvana of Identity Management where users only ever have to sign on to their local workstation and then have completely unfettered access to applications throughout the enterprise. While this concept may sound great  to end-users and executives, it's an absolute nightmare concept for IT personnel and application administrators.]]></description>
			<content:encoded><![CDATA[<div id="attachment_130" class="wp-caption alignleft" style="width: 90px"><img class="size-full wp-image-130" title="Sean R. Nicholson" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/sean2.jpg" alt="Sean R. Nicholson" width="80" height="80" /><p class="wp-caption-text">Sean R. Nicholson</p></div>
<p>Who isn&#8217;t interested in accomplishing Single Sign-On? You know, that nirvana of Identity Management where users only ever have to sign on to their local workstation and then have completely unfettered access to applications throughout the enterprise. While this concept may sound great  to end-users and executives, it&#8217;s an absolute nightmare concept for IT personnel and application administrators.</p>
<p><strong>The Wild, Wild West In An Enterprise With No Identity Management Infrastructure</strong></p>
<p>If you have ever been in an organization with no Identity Management infrastructure or strategy, you probably know how bad it can be&#8230;and the larger the organization, the worse it gets. When working with one Fortune 100 company in recent years, I found myself with 15 different User names and passwords on my first day. After asking around whether I was doing something wrong, one of my co-workers indicated &#8220;No&#8230;that&#8217;s just the way we do things here.&#8221; Let&#8217;s see, I had a login for my desktop, one for the Intranet portal, another for the expense management system, one for my project tracking system, the list went on and on. And to make things worse, each of these different applications had separate password expiration policies, so I was anticipating a future where my passwords were quickly out of sync.</p>
<p><img class="alignleft size-full wp-image-84" title="security1" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/security1.jpg" alt="security1" width="172" height="170" />Soon, I was relegated to having to manage my passwords in a password utility called <a href="http://keepass.info/" target="_blank">KeePass</a>. Obviously not ideal, but it beat the heck out of having to reset my passwords every time I tried to login because I couldn&#8217;t remember my password or getting locked out of the application due to failed attempts. On a side note, I had a conversation with an exec who informed me that most of the corporate executives were keeping their passwords on a piece of paper under their keyboard.</p>
<p><strong>Putting All Your Corporate Identities Into One Basket&#8230;A Potential Single Sign-On Nightmare</strong></p>
<p>The flipside to the wild, wild west is a highly organized, very restrictive identity management strategy, but even this scenario can have its downsides. While I was working recently with a customer that used a common enterprise IdM application to manage a single sign-on environment, the entire enterprise was brought to a grinding halt when the identity policies for their application were corrupted. The end result: no users in their enterprise were able to login to any application in the environment. Basically, their back-office business was brought to a grinding halt until the policies were able to be restored.</p>
<p>The real kicker? This particular organization had also tied their website customer portal accounts to their IdM system, so their entire business was brought to a standstill. Not only were employees irritated at the outage, but customers began flooding the call centers with calls and the call center reps weren&#8217;t able to access their CRM system. While watching this fiasco unroll, I began to clearly understand situations where the concept of single sign-on can actually be a bad thing. Every egg in one basket just doesn&#8217;t seem like a good idea.</p>
<p>The other downside to true single sign-on is that once an account has been compromised, the hacker has access to your entire infrastructure. This means that users who walk away from their workstations without locking them present a MASSIVE risk to your enterprise. It also places more accountability on your IT professionals who are working on users&#8217; desktops. Think of the desktop technician who assists an executive with an issue and, during the course of their assistance, is able to access systems using the executive account. Obviously, these professionals have a high level of accountability in the first place, but having unfettered access to all information inside the enterprise can be a risk.</p>
<p><strong>Simpler Sign-On &#8211; The Middle Ground</strong></p>
<p>So what&#8217;s the solution? Obviously &#8220;single sign-on&#8221; isn&#8217;t necessarily the silver bullet that execs often think it is, but requiring users to manage disparate user IDs and passwords creates a usability nightmare. The middle ground, then, is a balance of what I commonly refer to as &#8220;simpler sign-on&#8221;. The idea is to make the authentication process as easy to use as possible for your end-users while maintaining a level of security and application stability that meets your organizational needs. The strategy I often suggest is not a complex one and can be leveraged by any organization, no matter how large or small. The suggested strategy is as follows:</p>
<p><img class="alignright size-full wp-image-86" title="login2" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/login2.jpg" alt="login2" width="220" height="306" /></p>
<p>1) Classify your applications by information risk. Clearly understand and document what risk the information would pose if it were exposed to everyone inside (and potentially outside) your enterprise. While your classifications will be unique to your organization, a guideline to start from might be:</p>
<ul>
<li>Low risk applications &#8211; Those that surface benign information that is of low risk if it were exposed. Think of the daily lunch menu being posted on the Intranet.</li>
<li>Medium risk applications &#8211; These are systems that often contain a combination of low risk data with high risk data. Intranet portals often fall into this category because they might have the daily lunch menu, but also contain strategic sales, marketing, or organizational performance information that might be risky if it were exposed.</li>
<li>High risk applications &#8211; These systems contain highly sensitive data and often include (but are certainly not limited to) performance management systems, Customer Relationship Management systems, recruiting systems, and corporate records management systems.</li>
</ul>
<p>2) Assign an appropriate identity management strategy. Decide whether each application should use its native authentication or whether a federated IdM strategy would be appropriate to secure the data.</p>
<p>3) Provide a secure, enterprise methodology for employees to secure their User IDs and passwords. If you&#8217;re going to require that your employees have disparate user IDs and passwords, give them a way to secure them. It&#8217;s better to provide clear guidance and, ideally, an enterprise application, to store their passwords as opposed to letting them store them on a sheet of paper or spreadsheet. You&#8217;d be surprised how cheap an enterprise license for a password storage tool can be.</p>
<p>4) Attempt to synchronize password expirations and document the process. If your employees are going to be required to reset their passwords on a periodic basis (a best practice for information security), be sure that you attempt to synchronize the timing of the password expirations and provide your employees with clear instructions on the process for resetting them. It&#8217;s amazing how much simpler the process can be with a single sheet of instructions.</p>
<p>5) Educate your employees on the importance of information security and the reasons behind your policies. Employees are much more likely to accept your IdM strategy if they understand that there is a reason behind it. The fact that the simpler sign-on strategy has been analyzed, streamlined, and employee usability has been considered will help them adopt the process and adhere to the policies.</p>
<p>In the end, it&#8217;s always better to be over-protective of your information and access to your organizational systems, but keep in mind that taking employee usability into account can increase employee satisfaction and reduce security risks that occur when employees write down their passwords or store them in unsecured electronic formats. The chase for single sign-on can often lead to additional security and application stability threats, while a more reasonable standard of &#8220;simpler&#8221; sign-on might achieve the security needed while driving user adoption.</p>
<p>Thoughts or comments? I&#8217;d love to hear your experiences with simple sign-on, IdM applications, and constructive criticism of the thoughts in this article.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intranetexperience.com/ourblog/2009/03/single-sign-on-or-simpler-sign-onwhat-expectation-are-you-setting-for-identity-management/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>The Difference Between Mashups And Messes&#8230;How Integrated Are Your Portal Applications?</title>
		<link>http://www.intranetexperience.com/ourblog/2009/03/the-difference-between-mashups-and-messeshow-integrated-is-your-portal-application/</link>
		<comments>http://www.intranetexperience.com/ourblog/2009/03/the-difference-between-mashups-and-messeshow-integrated-is-your-portal-application/#comments</comments>
		<pubDate>Mon, 23 Mar 2009 03:35:23 +0000</pubDate>
		<dc:creator>Sean R. Nicholson</dc:creator>
				<category><![CDATA[Application Integration]]></category>
		<category><![CDATA[Identity Management]]></category>
		<category><![CDATA[Intranet Portal]]></category>
		<category><![CDATA[Searchability]]></category>
		<category><![CDATA[Usability]]></category>
		<category><![CDATA[federated search]]></category>
		<category><![CDATA[interoperability]]></category>
		<category><![CDATA[mashups]]></category>
		<category><![CDATA[portal]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[siteminder]]></category>

		<guid isPermaLink="false">http://www.intranetexperience.com/ourblog/?p=49</guid>
		<description><![CDATA[One of the strengths of a good Intranet portal is the ability to integrate the disparate applications that exist within an enterprise. Just because links to the applications are presented in the portal or, in some cases, even natively surfaced in the portal doesn't make them effectively integrated.  Take a look at the following tips and see if they indicate that your portal has mashups or messes.]]></description>
			<content:encoded><![CDATA[<div id="attachment_130" class="wp-caption alignleft" style="width: 90px"><img class="size-full wp-image-130" title="Sean R. Nicholson" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/sean2.jpg" alt="Sean R. Nicholson" width="80" height="80" /><p class="wp-caption-text">Sean R. Nicholson</p></div>
<p>One of the strengths of a good Intranet portal is the ability to integrate the disparate applications that exist within an enterprise. Just because links to the applications are presented in the portal or, in some cases, even natively surfaced in the portal doesn&#8217;t make them effectively integrated.  Take a look at the following tips and see if they indicate that your portal has mashups or messes.</p>
<div class="mceTemp">
<p>1) <strong>Integrated &#8220;simpler&#8221; sign-on</strong> &#8211; Do your users have to log in over and over to the various applications in your portal? Nothing irritates users more than having to log in repeatedly. Whether it&#8217;s hourly logins to your portal or repeated logins to poorly integrated applications, your user adoption will take a nosedive if you make your users re-authenticate. Look to &#8220;simpler sign-on&#8221; applications like CA/Netegrity SiteMinder or BMC&#8217;s Identity Management suite to carry your users&#8217; identity across your Intranet portal and into your business applications.</p></div>
<div class="mceTemp">
<div id="attachment_51" class="wp-caption alignleft" style="width: 205px"><img class="size-full wp-image-51" title="Multiple user logins?" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/login1.jpg" alt="User adoption will be low if your end-users have to login over and over again!" width="195" height="160" /><p class="wp-caption-text">User adoption will be low if your end-users have to login over and over again!</p></div>
<p>Some portal vendors are already integrating Identity Management functionality into their portal applications, but don&#8217;t be tricked into thinking these solutions are a magic bullet. Legacy applications often use hidden authentication fields or tricky redirects to ensure that they aren&#8217;t being &#8220;spoofed&#8221;. In one recent situation, my Development team spent a couple of weeks attempting to use BEA&#8217;s AquaLogic User Interaction portal to federate authentication to applications like PeopleSoft and Concur Expense Management. Each of these applications uses its own redirect functionality to protect the security integrity of the application. As this situation shows, the identity management of some applications may not be something a portal or IdM suite can address. The goal, however, is to minimize the number of times your users have to log in by federating wherever possible.</p></div>
<div class="mceTemp">
<p>2) <strong>Federated Search Functionality</strong> &#8211; I have been known to repeat the phrase &#8220;It&#8217;s a Google kinda world&#8221; to more than one client when discussing federated search. The concept is simple&#8230;with the simple Google interface, we expect to type our term or phrase into a search field, click a Submit button, and receive the information we&#8217;re seeking. No additional dropdown lists or checkboxes, just one search field and one search button. The reality, however, is that not every company has the money or resources to devote to search that Google has. In addition, companies often face a variety of disparate applications developed on different platforms, all using different search functionality.  As a result, each organization must do the best it can to identify the simplest search interface that returns the most valuable information to its users. Through the use of APIs, passing parameters, and third-party applications or appliances, it&#8217;s amazing how close to a &#8220;Google experience&#8221; some organizations are able to come.</p></div>
<div class="mceTemp">
<p>3) <strong>Application Interoperability -</strong> When your users click on a link in one portlet (also known as a &#8220;widget&#8221;), are they taken to an entirely different browser or page, or is the information on the screen automatically updated? Allowing one section of a page to update the information displayed in another is often referred to as interoperability, and it allows end-users to find information faster. The sign of a good mashup is that the user is able to interact with several different applications without knowing it.</p></div>
<div class="mceTemp">
<p>As an example, imagine a customer calling into a customer care center and asking to review their most recent bill. The care agent enters the customer&#8217;s phone number into a single search form. This mashup then changes to display the customer account data (information stored in the CRM application), their most recent billing activity (which is stored in the billing application), and the list of outages in their area (information stored in the network service status application). The information presented on a single screen is considered to be a &#8220;mashup&#8221; of information from disparate systems.</p></div>
<div class="mceTemp">
<div class="mceTemp mceIEcenter">
<div id="attachment_54" class="wp-caption aligncenter" style="width: 848px"><img class="size-full wp-image-54" title="mashup2" src="http://www.intranetexperience.com/ourblog/wp-content/uploads/2009/03/mashup2.jpg" alt="A Customer Service Mashup" width="838" height="397" /><p class="wp-caption-text">A Customer Service Mashup</p></div>
</div>
</div>
<div class="mceTemp">
<p>The benefit of this type of mashup is that the care agent has all of the information they may need within a single click. This speeds the resolution time, making the customer happy and positively impacting employee satisfaction, since the agent was able to easily access information without having to hunt for it.</p>
<p>4) <strong>Appropriate Application Security &#8211; </strong>As has been previously mentioned, Identity Management is a key component to a good mashup. But security isn&#8217;t limited to the number of logins a user has to complete. The most important aspect of application integration is ensuring that a user sees only the information that they would be authorized to see if they were accessing it directly within the business application where the data is housed. Usually, a business application has its own integrated security for a good reason. Maybe it&#8217;s to restrict access to content, govern functionality, or ensure auditing, but whatever the reason, the native security of the application <strong>must</strong> be followed. More and more, application vendors are providing toolkits that let application developers use Application Programming Interfaces (APIs) through which other applications can extract or insert data in a way that respects the application security. These toolkits can be invaluable to Developers in the creation of proper mashups.</p></div>
<p>5) <strong>Usability</strong> &#8211; Nothing screams &#8220;MESS!&#8221; more than a hodgepodge of information hastily slapped together on a page. Care should be taken to understand how your users expect to use the mashup before placing the content onto the page. Your end-users can often describe the flow of information they use, which will guide you in arranging the mashup appropriately. For instance, in the case of our customer service agent, do they often ask how the weather is in the customer&#8217;s location? If so, having the weather information prominently displayed may assist in establishing a relationship with the customer. During a heavy outage period, however, it might be better to relocate the outage information to the top of the page and allow the weather to be secondary.</p>
<p>Creating a good mashup isn&#8217;t just about bringing together commonly-linked information. To avoid a mashup mess, take the above tips into account and you&#8217;re sure to produce something worthwhile to your end-users.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.intranetexperience.com/ourblog/2009/03/the-difference-between-mashups-and-messeshow-integrated-is-your-portal-application/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
