The most famous person on the U.S. Postal Service's payroll -- six-time Tour de France champion Lance Armstrong -- is known for his singular focus, a trait that appears to be rubbing off on his colleagues who handle the government agency's IT services. The focus in IT isn't on a bicycle race, but on single sign-on (SSO), a way to ease password management for IT staff and end users alike, and help slash by 10 percent the monthly slog of password reset calls to the help desk.
The USPS' IT department is enjoying the first fruit of a nearly two-year effort that has resulted in the rollout of SSO capabilities to nearly 150,000 users who access nearly 1,000 applications on the agency's network.
"We believe single sign-on improves our user experience. It reduces costs and it actually improves security," says Wayne Grimes, manager of customer care operations for IT at the USPS. Grimes is based in Raleigh, N.C., the hub of the USPS' distributed infrastructure.
"If you have 15 or 20 identities or passwords for your legacy applications you have to have those written down someplace or stored in a file. It might be a Post-It note on the terminal, or it might be on a piece of paper in someone's wallet, or it might be in a file on the computer. None of those places are acceptable," Grimes says. "So SSO and streamlining the number of passwords that users have has absolutely improved our security."
Grimes says the USPS has a three-pronged attack to meet its goal of having users log on once and not have to enter another user ID or password to gain access to network applications or partner Web sites. He says the ultimate implementation of that goal is SSO, but something he calls single logon, which requires the user to re-enter the same password at each application, is another acceptable implementation.
The USPS' three-part plan uses V-GO SSO from Passlogix Inc., which provides quick SSO capabilities to end users without having to modify applications; Oblix NetPoint to provide SSO for external users coming onto the USPS network; and a massive multi-year project to modify internally developed business applications for SSO using Kerberos and Microsoft Corp.'s Active Directory. To date, the USPS has modified 700 applications.
"There is no single technology solution to solve single sign-on. If there was, the whole world would be clamoring for it," Grimes says.
But the USPS uses Passlogix as the baseline for its SSO strategy and to bridge the gap while it modifies some applications for native SSO, Grimes says.
V-GO SSO works from a user's desktop by keeping an encrypted file of access credentials for every application available to that user. V-GO SSO is first activated when a user logs on to an application. The software asks the user if he wants V-GO to manage access to that application. If the user agrees, the password is stored in the V-GO file.
Next time the user logs on to that application, V-GO intercepts the application's logon request, grabs the appropriate credentials from its profile store and presents it to the application. The only password users need is their desktop logon.
"Ideally, from a central management standpoint, we don't have to put pre-defined user definitions out on these 1,000 applications," Grimes says. "That would almost be like a Y2K effort to go out and identify all those applications."
Grimes says there are other benefits, including a Passlogix logging feature that details who accesses applications and how often, data that helps determine if applications are still of value, especially mainframe applications.
"If you have a ROI for applications and you are getting ready to enhance that application and you find you only have 10 users and it will cost you $300,000 to upgrade, well we now have more information on whether it would be better to retire that application," he says.
Driven by help desk calls, password reset requests and user satisfaction, the USPS began evaluating V-GO nearly two years ago as part of an upgrade of 130,000 desktops from Windows 95 and a Novell back end to Windows XP and Active Directory.
Grimes says the eventual rollout of V-GO, which concluded in August, included schema changes made to Active Directory to implement V-GO, and the creation of templates to help V-GO deal with unique logon requirements of Java and mainframe applications. Grimes also has V-GO password files replicated to Active Directory so users can roam to different machines and retain their SSO capabilities.
Grimes said it took only one full-time and one part-time administrator for the first few months of the V-GO deployment, but once the rollout got going the only tasks were developing V-GO templates and testing, which did not require a full-time dedicated employee. He would not reveal what the USPS spent on the implementation.
Now the USPS is working on SSO synchronization between Active Directory and a mainframe security platform from Computer Associates called ACF2, which contains user accounts and passwords.
"It will take us years to convert our applications, but our strategy is that we are not going to convert them just for SSO," Grimes says.
"The next time we have a maintenance, update or enhancement for those applications, then we will implement the SSO enhancements," he says. "Passlogix bridges that gap and will probably be here forever. Can you image how long it will take to go into each one of those applications and modify the code?"
Grimes can, and his current SSO implementation buys him time to cycle through the steps needed to complete the enormous task. -- Network World (US)
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.