Passwords are everywhere (there are about 1,400 employee passwords at America First Credit Union here), and managing them can be a "nightmare," according to Randy Hunter, network systems manager at the $3.6-billion CU.
"It was very painful to update even the few user passwords and expirations that were part of our initial Microsoft Active Directory," Hunter said. "We realized early in the game that it would be very difficult to manage all of our network directories without a synchronization tool."
Identity management is eating up more time than ever for information technology (IT) managers, in part due to the increasing demand for security. These days, strong security often means using multiple passwords and log-ins to control employee access to various systems.
Taming The Beast
Identity management tools can help IT managers tame the beast, but so far, most credit unions aren't using them, according to a 2006 study by several CU organizations and the University of Wisconsin-Madison.
America First, however, turned four years ago to Identity Manager, the Novell, Inc. identity management solution that automatically creates, updates or terminates user identities, including passwords. The platform works across multiple applications, such as teller, human resources and core systems.
"It's so difficult to add a new system and then ask users to remember yet another user name and password," Hunter said. "People are tempted to write down all their user names and passwords and stick them under their keyboards."
Instead, Identity Manager allows America First employees to use just one password to access the various applications that are part of Active Directory, as well as a second directory service, Novell's eDirectory.
When employees can have just one user name and password, that's a "big thing" for IT, said Doug Youngberg, senior network administrator at America First.
Easing The Headache
"Identity Manager has eased the headache of administering user identities in each separate system," he explained. "Now we can update all users with the one tool, which synchronizes the changes in all the other systems."
"Identity Manager and eDirectory make it easy for a few administrators to manage many users," added Hunter.
Still, some employees have more than one user name and password. About three-quarters of the CU's applications require authentication that cannot be integrated into Identity Manager.
"Fortunately, those applications - many of them legacy - are used by a very small subset of employees," Hunter said.
Hunter voiced one major concern about single-password log-ins. "A single name and password makes it easier to breach multiple systems," he said. "That's why we're looking for another authentication factor to add to the password."
Though America First installed Identity Manager four years ago, the credit union is still mining the possibilities. For example, the human resources department currently must email IT with any changes in employee status. IT then enters the changes into Identity Manager.
Early next year, however, human resources itself will be able to directly, and instantly, update user identities as employees are hired, moved or fired.
"We hope the project will result in significant time savings," Hunter said. The help desk receives a "large" number of calls about employee moves, Youngberg said.
CUJ Resources
For info on this story:
* www.americafirst.com
* www.novell.com