I think the issue over security comes down to the environment of challenge questions. And when we look at the help desk now the nuisance security calls are way high. A year ago 40% of our calls were printer related, another 40% were security related. Through new printers, proper afp resource settings, and IBM's MarkVision we have eliminated over 80% of our printer calls. That's good but now we are really skewed with security related calls - they make over 60% of our calls now - and the majority are password change problems, account lockouts, password resets, etc.

A person calls in needing assistance. Right now today we have an idea of who they are but we do not authenticate them. Our parent company says we have to, using challenge questions - so, I'm extending that requirement and saying that using that authentication method in a self-service environment is the most beneficial.

Having said that I believe that the challenge system has to be somewhat robust. Unfortunately if it's too difficult the results can be the exact opposite of what you want. I've got a restriction on my credit profile - damn, I almost can't answer the questions to get through but that's another story. I think the self-service system also has to have very robust controls - only so many actions within a given time frame, good reporting, and good messaging. If all of these things are met I think it is possible to provide a secure environment that improves customer service (and hopefully satisfaction) and reduces nuisance-type calls to the help desk. If I can do that then the night creatures are happy, my help desk people are happy, and the customers are happy.

A good SSO environment would go a long way to reducing this but that's not entirely possible in our environment... and even with SSO I think I would still want some sort of function available for the domain access.

rob@xxxxxxxxx
06/02/2005 11:54 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@midrange.com>
To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject Re: Profile self-service

I don't think it defeats the purpose for a security officer or administrator. Ever use a web site with a password? Now, figure you're a nationwide bank with 2 million customers. Now how many Pakistanis would you have to employ just to reset users' passwords? And wouldn't they ask the same sort of questions that a good program could ask? Mother's maiden name or some such thing. That's the purpose of a good challenge question system.

We've analyzed our help desk calls for our internal users. A vast bulk of the calls fit two categories: resetting printer writers, and resetting passwords. We've tackled the first and now it's time to move on to the second.

We were looking at adding another help desk person. Sad to see this not happen. Gal we had in mind lives about two miles away and is dying to get back into programming after her layoff from another company. With the economy the way it is, this looked like the best way to sneak another person in. Start her out at the help desk and move her into programming.

Rob Berendt
--
Group Dekko Services, LLC
Dept 01.073
PO Box 2000
Dock 108
6928N 400E
Kendallville, IN 46755
http://www.dekko.com

ron_adams@xxxxxxxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
06/02/2005 04:11 PM
Please respond to Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
To Midrange Systems Technical Discussion <midrange-l@xxxxxxxxxxxx>
cc
Subject Re: Profile self-service

I'm not sure if this necessarily fits the bill for your issue, but I wrote a password reset utility a while back that would allow a manager (*SECADM) to reset a disabled user profile. It will allow them the choice also of resetting the password to default which is the same as the user id.
I set it up with object authority so that only those I specified could run it and that they could only change a user profile if the user did not have any of the following attributes: *ALLOBJ, *SECADM, *SPLCTL or *SERVICE. Also, I set it up so it will also send me a message when it's executed. I can send you a copy if you think it will help.

As for self service, I would think something like this would be too risky and/or difficult to set up. It also defeats the purpose for a security officer or administrator.

Ron Adams

Mike.Crump@xxxxxxxxxxxxxxxx
Sent by: midrange-l-bounces@xxxxxxxxxxxx
06/02/2005 03:31 PM
Please respond to Midrange Systems Technical Discussion
To: midrange-l@xxxxxxxxxxxx
cc:
Subject: Profile self-service

I'm working on two possibilities but was wondering if anyone was familiar with a software package that:

1.) Verifies user identity through a series of challenge questions and
2.) Allows them to change/reset/unlock their account.

NetIQ (i.e. Pentasafe) has something close with their Vigilent and PSPasswordManager products but I don't think all the pieces are there. Triaworks (Powerlock) might have something if TIM PM ever sees the sunlight of GA.....

http://www.triaworks.com/downloads/TIM%20PM%20Datasheet.pdf

Due to constraints beyond my control we will be on a NT 4.0 domain for a while so a good SSO solution may not be in my near future. I'm looking at some other types of reduced SO options but in the meantime need to investigate this. Even if I can't do self service my audit/parent company (i.e. those bloodsucking night creatures without a real job) demands will necessitate that we maintain a challenge question database for my end users so that we can correctly identify John Smith and not be socially engineered. So, my drop back position is to have an application that allows me to set up, manage, and identify end users by challenge questions.

Michael Crump
Manager, Computing Services
Saint-Gobain Containers
1509 S. Macedonia Ave.
Muncie, IN 47302
(765)741-7696
(765)741-7012 f
(800)428-8642

"The probability that we may fail in the struggle ought not to deter us from the support of a cause we believe to be just" Abraham Lincoln

--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
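
The controls named in this thread (no resets for profiles holding *ALLOBJ, *SECADM, *SPLCTL or *SERVICE, a limit on actions within a time frame, and a message on every execution) can be modelled as one policy gate. This is an added example, not part of any poster's message or utility; the `ResetGate` class, its decision names, its limits and the sample profiles are assumptions, and the challenge-question check is assumed to happen elsewhere and arrive as `verified`.

```python
import time
from collections import defaultdict, deque

# Special authorities that put a profile off limits, as listed in Ron Adams' message.
PROTECTED_SPCAUT = {"*ALLOBJ", "*SECADM", "*SPLCTL", "*SERVICE"}

class ResetGate:
    """Hypothetical policy gate in front of a reset/unlock action (not a real API)."""

    def __init__(self, max_actions=3, window_secs=3600, notify=None):
        self.max_actions = max_actions                # attempts allowed per window
        self.window_secs = window_secs
        self.notify = notify or (lambda event: None)  # e.g. message the security officer
        self.history = defaultdict(deque)             # profile -> attempt timestamps
        self.audit = []                               # trail for reporting

    def request(self, profile, spcaut, verified, now=None):
        """Decide one reset request; `verified` is the challenge-question result."""
        now = time.time() if now is None else now
        attempts = self.history[profile]
        while attempts and now - attempts[0] >= self.window_secs:
            attempts.popleft()                        # forget attempts outside the window
        if PROTECTED_SPCAUT & set(spcaut):
            decision = "DENY_PRIVILEGED"              # never self-service a powerful profile
        elif len(attempts) >= self.max_actions:
            decision = "DENY_RATE_LIMIT"              # checked before the answers are used
        elif not verified:
            decision = "DENY_NOT_VERIFIED"
        else:
            decision = "ALLOW"
        attempts.append(now)                          # failed attempts count too
        event = {"time": now, "profile": profile, "decision": decision}
        self.audit.append(event)
        self.notify(event)
        return decision

def demo():
    """Constructed sample requests; profile names and times are made up."""
    sent = []
    gate = ResetGate(notify=sent.append)
    t0 = 1_000_000.0
    calls = [("JSMITH", ["*JOBCTL"], True, 0), ("QSECOFR", ["*ALLOBJ", "*SECADM"], True, 0),
             ("JSMITH", [], False, 60), ("JSMITH", [], False, 120),
             ("JSMITH", [], True, 180), ("JSMITH", [], True, 3730)]
    return [gate.request(p, a, v, now=t0 + dt) for p, a, v, dt in calls], len(sent)

if __name__ == "__main__":
    print(demo())
```

Because failed attempts are counted, the fifth request is refused even though its answers are correct: repeated guessing at challenge answers exhausts the window and leaves an audit event each time.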
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.