Sean R. Nicholson

As the centralized point of access to organizational information, your Intranet portal may also represent a potential security risk. This is especially true if your portal is accessible to employees via the Internet. If your Intranet authentication is tied to your Active Directory or LDAP, be sure to put policies in place that ensure that your employees change their passwords on a periodic basis. In addition, be sure to encourage (or require) employees to use “strong” passwords, that are comprised of a combination of alpha characters, numbers, symbols and mixed cases.

Unfortunately, according to Wired Magazine the most common password successfully used in a recent Hotmail attack was “123456″. Yes, that’s correct…virtually the same password used by Mel Brooks in Spaceballs to secure his luggage.

As an Intranet professional, it’s important that your employee communications focus on employee education around the topic of frequent password changes, password strength, and their ability to identify and avoid password phishing scams. The Journal of Accountancy provides a great analysis of different types of passwords and their ability to be compromised, as well as a five step process that can be followed to analyze your existing application password strength.

1. Start by developing a full understanding of how your computer system stores passwords.

2. Determine whether your encryption method is powerful enough to safeguard your system, and ensure users choose passwords wisely.

3. If your analysis reveals that your password security is inadequate, begin your search for improvements at the lower end of the cost spectrum.

4. If your assessment reveals that you need an entirely new password management system, look for “yes” answers to each of the following four questions when you evaluate products. (click here to view the additional 4 questions)

5. Regardless of how confident you are in the accuracy and completeness of your security assessment and any remedial solutions you may choose, consider conducting a penetration test.

Source: Journal of Accountancy, July 2009.

If you haven’t run a recent campaign reminding employees of their responsibility to keep corporate information secure, it might be a good time to put one together and teach your employees how to avoid weak passwords and phishing scams.

Angie Cullen

When selecting an Identity Management Application, don’t expected it to integrate seamlessly with every application in your enterprise. Work toward using the tool as a “simpler” sign-on solution instead of a “single” sign-on solution. Setting that correct expectation with your sponsors and users will ensure that they have the right perception of how the tool will work.

Sean R. Nicholson

Who isn’t interested in accomplishing Single Sign-On? You know, that nirvana of Identity Management where users only ever have to sign on to their local workstation and then have completely unfettered access to applications throughout the enterprise. While this concept may sound great  to end-users and executives, it’s an absolute nightmare concept for IT personnel and application administrators.

The Wild, Wild West In An Enterprise With No Identity Management Infrastructure

If you have ever been in an organization with no Identity Management infrastructure or strategy, you probably know how bad it can be…and the larger the organization, the worse it gets. When working with one Fortune 100 company in recent years, I found myself with 15 different User names and passwords on my first day. After asking around whether I was doing something wrong, one of my co-workers indicated “No…that’s just the way we do things here.” Let’s see, I had a login for my desktop, one for the Intranet portal, another for the expense management system, one for my project tracking system, the list went on and on. And to make things worse, each of these different applications had separate password expiration policies, so I was anticipating a future where my passwords were quickly out of sync.

Soon, I was relegated to having to manage my passwords in a password utility called KeePass. Obviously not ideal, but it beat the heck out of having to reset my passwords every time I tried to login because I couldn’t remember my password or getting locked out of the application due to failed attempts. On a side note, I had a conversation with an exec who informed me that most of the corporate executives were keeping their passwords on a piece of paper under their keyboard.

Putting All Your Corporate Identities Into One Basket…A Potential Single Sign-On Nightmare

The flipside to the wild, wild west is a highly organized, very restrictive identity management strategy, but even this scenario can have its downsides. While working with a customer recently that used a common enterprise IdM application to manage a single sign-on environment, the entire enterprise was brought to a grinding halt when the identity policies for their application were corrupted. The end result, no users in their enterprise were able to login to any application in the environment. Basically, their back-office business was brought to a grinding halt until the policies were able to be restored.

The real kicker? This particular organization had also tied their website customer portal accounts to their IdM system, so their entire business was brought to a standstill. Not only were employees irritated at the outage, but customers began flooding the call centers with calls and the call center reps weren’t able to access their CRM system. While watching this fiasco unroll, I began to clearly understand situations where the concept of single sign-on can actually be a bad thing. Every egg in one basket just doesn’t seem like a good idea.

The other downside to true single sign-on is that once an account has been compromised, the hacker has access to your entire infrastructure. This means that users who walk away from their workstations without locking them present a MASSIVE risk to your enterprise. It also places more accountability on your IT professionals who are working on users desktops. Think of the desktop technician who assists an executive with an issue and, during the course of the their assistance, is able to access systems using the executive account. Obviously, these professionals have a high level of accountability in the first place, but having unfettered access to all information inside the enterprise can be a risk.

Simpler Sign-On – The Middle Ground

So what’s the solution? Obviously “single sign-on” isn’t necessarily the silver bullet that execs often think it is, but requiring users to manage disparate user IDs and passwords creates a usability nightmare. The middle ground, then, is a balance of what I commonly refer to as “simpler sign-on”. The idea is to make the authentication process as easy to use for your end-users while maintaining a level of security and application stability that meets your organizational needs. The strategy I often suggest is not a complex one and can be leveraged by any organization, no matter how large or small.  The suggested strategy is as follows:

1) Classify your applications by information risk. Clearly understand and document what risk the information would pose if it were exposed to everyone inside (and potentially outside) your enterprise. While your classifications will be unique to your organization, a guideline to start from might be:

• Low risk applications – Those that surface benign information that is of low risk if it were exposed. Think of the daily lunch menu being posted on the Intranet.
• Medium risk applications – These are systems that often contain a combination of low risk data with high risk data. Intranet portals often fall into this category because they might have the daily lunch menu, but also contain strategic sales, marketing, or organizational performance information that might be risky if it were exposed.
• High risk applications - These systems contain highly sensitive data and often include (but are certainly not limited to) performance management systems, Customer Relationship Management systems, recruiting systems, and corporate records management systems.

2) Assign an appropriate identity management strategy. Decide whether each application should use its native authentication or whether a federated IdM strategy would be appropriate to secure the data.

3) Provide a secure, enterprise methodology for employees to secure their User IDs and passwords. If you’re going to require that your employees have disparate user IDs and passwords, give them a way to secure them. It’s better to provide clear guidance and, ideally, and enterprise application, to store their passwords as opposed to letting them store them on a sheet of paper or spreadsheet. You’d be surprised how cheap and enterprise license for a password storage tool can be.

4) Attempt to synchronize password expirations and document the process. If your employees are going to be required to reset their passwords on a periodic basis (a best practice for information security), be sure that you attempt to synchronize the timing of the password expirations and provide your employees with clear instructions on the process for resetting them. It’s amazing how much simpler the process can be with a single sheet of instructions.

5) Educate your employees on the importance of information security and the reasons behind your policies. Employees are much more likely to accept your IdM strategy if they understand that there is a reason behind it. The fact that the simpler sign-on strategy has been analyzed, streamlined, and employee usability has been considered will help them adopt the process and adhere to the policies.

In the end, it’s always better to be over-protective of your information and access to your organizational systems, but keep in mind that taking employee usability into account can increase employee satisfaction and reduce security risks that occur when employees write down their passwords or store them in unsecured electronic formats. The chase for single sign-on can often lead to additional security and application stability threats, while a more reasonable standard of “simpler” sign-on might achieve the security needed while driving user adoption.

Thoughts or comments? I’d love to hear your experiences with simple sign-on, IdM applications, and constructive criticism of the thoughts in this article.

Sean R. Nicholson

One of the strengths of a good Intranet portal is the ability to integrate the disparate applications that exist within an enterprise. Just because links to the applications are presented in the portal or, in some cases, even natively surfaced in the portal doesn’t make them effectively integrated.  Take a look at the following tips and see if they indicate that your portal has mashups or messes.

User adoption will be low if your end-users have to login over and over again!

Some portal vendors are already integrating Identity Management functionality into their portal applications, but don’t be tricked into thinking these solutions are a magic bullet. Legacy applications often use hidden authentication fields or tricky redirects to ensure that they aren’t being “spoofed”. In one recent situation, my Development team spent a couple of weeks attempting to use BEAs Aqualogic User Interaction portal to federate authentication to applications like Peoplesoft and Concur Expense Management. Each of these applications use a specific redirect functionality to ensure the security integrity of their application. As with this situation some application IdM may not be able to be addressed by a portal or IdM suite. The goal, however, is to minimize the number of times your users have to login by federating wherever possible.

A Customer Service Mashup

5) Usability – Nothing screams “MESS!” more than a hodgepodge or information hastily slapped together on a page. Care should be taken to understand how your users expect to use the mashup before placing the content onto the page. Your end-users can often describe the flow of information they use, which will guide you in arranging the mashup appropriately. For instance, in the case of our customer service agent, do they often ask how the weather is in the customers location? If so, having the weather information prominently displayed may assist establishing a relationship with the customer. During a heaving outage period, however, it might be better to relocate the outage information to the top of the page and allow the weather to be secondary.

Creating a good mashup isn’t just about bringing together commonly-linked information. To avoid a mashup mess, take the above tips into account and you’re sure to produce something worthwhile to your end-users.

Sean R. Nicholson

A couple of years ago, I was involved in the selection and construction of a new Intranet portal for a large telecom company. The organization had nearly 25,000 employees at the time, distributed all over the United States and they had previously relied heavily on an Intranet portal to communicate corporate events, share HR information, and collaborate on business documents.  The project I was working on at the time was focused on creating a brand new Intranet portal for a spin-off company.

One of the most memorable moments of the project occurred during one of the initial funding conversations, when a Senior Executive at the company asked a very simple question. Amid all of the discussions about functionality, Identity Management, timelines, user adoption, and vendor selection, the Senior Exec simply asked “Do we really need an Intranet portal?”  The question was powerful enough to quiet a room of 25 people and, for an uncomfortable 30 seconds or so, I mentally wrestled between blurting out a visceral response like  ”Are you kidding?” and taking a more tactical response explaining the value of a portal. Luckily, while I was pondering the choice, one of my IT Execs jumped in and provided a quick, concise answer as to the value of the Intranet portal, which was good enough to get the funding conversation back on track. Eventually the project was funded, proved to be wildly successful (on time and under budget is always a good thing), and that particular Senior Exec got to fully realize the value of the portal in ways that had not previously been used in his organization. I still kick myself every once in a while for not having an “elevator speech” response prepared for the occasion.

How often do we question the value of the technologies we support?

An interesting aftereffect from that meeting, however, were that rumors of the conversation quickly spread throughout our IT organization. I can’t tell you how many times I got on an elevator with other IT professionals and, after a few moments of silence, one of them would turn to me and ask ”So…do we really need an Intranet?”.  We’d have a good laugh and part our separate ways on different floors.

To this day, I often reflect on the power of that simple question. The more I think about the situation, the more impressed I am with the fact that one person, in the midst of turbulent conversations had the courage to ask the simple question of “why”. Too often in IT, we press forward with technology, especially when it comes to legacy systems, without asking why we’re doing it. Sometimes we feel like we’re trapped by a proprietary platform, or maybe our end-users are resistant to change, so we simply pour money into costly upgrades or development efforts without raising our hand and asking “Why?” or “What is the alternative?”.  Different options always exist, so in these rough economic times, maybe it’s an ideal time to take a closer look at the technologies that are fueling your organization, compare them to the feature-functionality of new products, and determine whether a new product could actually do the job better for cheaper…or maybe whether you actually need the technology at all.

The second reason I often think about that situation has to do with a mindset of automatically assuming that the technology we advocate for is invaluable to the company. Regardless of whether your area of experience is Intranet, Business Intelligence, Data Warehousing, CRM, or any of the other IT realms, you need to be prepared for the question of “Why”. As your business partners begin to look for places to cut costs, reduce their overall application portfolio, or move to a Software as a Service (SaaS) model, you need to be able to realistically justify the technology you support.

To that end, here are my top 10 justifications for a corporate Intranet portal. I’d be very interested to hear additions that readers feel are important.

1. A centralized location for corporate communications – This is more important to larger organizations than it is to companies of 25 employees. The larger and more distributed the organization, the more important it is to the corporate culture to have a single place where all employees can go to find information on company strategies, announcements, HR information, and special activities.
2. Application and information aggregation - There is nothing more frustrating to employees than to have to open 15 different browser applications and 10 different application clients to find the information they need. Employees (especially those facing the customer) need to find information quickly and almost need the information to find them. Case in point, one of the more recent Intranets I worked with allowed the employees to look up a customer by name in the Intranet portal. The resulting page created a mashup of application information including links to the customers service contracts, open service tickets, and even a Google map of where the customer was located with the closest service technician shown on the map via an integration with a Global Information System (GIS) application. All of this information came from several different applications, mashed into a single view of relevant information.
3. Federated Search – A good Intranet portal offers a federated search model, allowing end-users to use a single, simple search interface to find information stored in a variety of applications. For instance, the portal should be able to leverage APIs from the corporate HR system, document management system, as well as CRM and ERP applications. The value of locating information stored in disparate systems makes a strong business process improvement case for the ROI of a portal.
4. Identity Management (aka “simpler sign-on”) – Modern portals provide a single point of entry to corporate applications and information, so they should either include an Identity Management (IdM) solution, or leverage a third party system. To ensure a high rate of user adoption, end-users should be required to authenticate as few times as necessary to support corporate security policies. This “simpler sign-on” schema reduces the number of times a user has to log in, saving time, and enhancing employee satisfaction.
5. Knowledge Management and Collaboration - Through the use of collaboration tools such as knowledge bases, Wikis, forums, chat rooms, or blogs, Intranet portals capture the corporate knowledge of how things get done. These collaborative tools ensure that commonly repeated solutions are captured in a searchable manner that can be discovered easily by future employees. In addition, these tools mitigate the danger of allowing knowledge to “walk out the door” when employees leave the company.
6. Decentralized Content Management – Intranet portals with integrated security and content management systems allow each department within the organization to manage their own content creation/management strategy. Long gone are the days where every article published to the portal had to be scoured and approved by a Content Manager in Corporate Communications. Instead, the Corp Comm group often establishes guidelines and best practices for the departments (and sometimes at the individual level) to follow. This allows for information to flow more freely within the organization and updates to the content to made in a more timely manner.
7. Organizational Transparency (aka “silo-busting”) - An added bonus to the decentralization of content management is a transparency factor. The more content that is published by each department, the better the chance that the rest of the company will gain an understanding of their goals and strategies. This helps drive cross-departmental communication, reduces the amount of overlapping work being done, and drives organizational collaboration.
8. Environmental Sustainability – More information stored in electronic format that is easily searchable naturally results in fewer file cabinets full of paper. Intranet portals can serve as document repositories for smaller companies and integrate with third party document management systems in larger organizations. The end result is less paper, and a better solution for the environment.
9. Employee Satisfaction – The easier information is to find, the more likely an employee will be able to resolve the business problems they face in their daily duties. Whether it’s locating customer information in order to resolve a customer issue, or locating research information that the employee can leverage in their next presentation, the more business information that is available throughout the organization, the better decisions employees can make in their jobs and the more successful they will be.
10. Customer Satisfaction – Last, but by no means least, is customer satisfaction. By centralizing information and providing access to federated search tools, customer-facing employees can reduce the amount of time it takes to locate customer information and can make better business decisions that reduce call handling times, increase first-call resolution in call centers, and lead to upsell opportunities that provide customers with enhanced services that meet their needs.