| ID | Requirements | FastPass solution |
|---|---|---|
| EU | End-user functionality and handling | The user must have simple functions for password reset/change/unlock, and enrolment. All easy-to-use without training requirements. |
| EU1 | User able to reset/unlock AD passwords without assistance from IT service desk | FastPass Password Manager has tight integration with Windows Server and Active Directory. Essentially it is an add-on for AD. |
| EU2 | User able to reset/unlock AD without assistance from IT service desk across a VPN connection | FastPass will work from different kinds of networks |
| EU3 | User able to reset/unlock AD without assistance from IT service desk in Citrix environment | There are a number of different solutions in a Citrix environment that will enable the users to reach FastPass. |
| EU4 | User able to reset/unlock Active Directory password without assistance from IT service desk with Outlook Webmail | FastPass can be accessed both inside and outside the LAN, and there are no dependencies on Outlook Web Access. |
| EU5 | Different types of user authentication including strong authentication | FastPass has a built-in multi-authentication engine. This allows for multi-factor authentication. Administrators can configure the users’ authentication procedure. If a user attempts to access the solution on the LAN then a less-strict authentication is needed than if the user is on the internet. User authentication happens dynamically based on the configuration within the solution. |
| EU6 | User able to enrol without training or education | To ensure that all users enrol in the solution, FastPass offers two services, Discovery Services and Enrolment Services. Discovery Services collects information about the users (domains, group membership etc.). Enrolment Services invites users to enrol by mail or SMS. The invitation is sent automatically to invite users to enrol. Users that have not enrolled within, say, one week will receive a reminder e-mail. The built-in scheduler will automate this process. |
| EU7 | Clear, detailed guidance to users advising how to enrol and reset password | On every page a short description of what the user should do helps the user move forward. FastPass is a very intuitive solution. |
| EU8 | Easy and individual language adaption | The FastPass user interface selects language depending on the language setting in Explorer. FastPass supports eight different languages: English, Spanish, French, German, Dutch, Swedish, Danish, Norwegian. Other languages easily added. |
| EU9 | Application guidance for user | FastPass has clear and descriptive guidance for all functions. Administrator can however change the text to suit individual organizational needs. |
| EU10 | Meaningful challenge questions | FastPass is delivered with a standard set of challenge questions. Administrator can change the question list to match the needs of the organization. |
| EU11 | Look and feel of user interface must be modifiable to customer’s standard portal look. | The customer can change the skinning of the FastPass end-user application to satisfy his own requirements |
| AC | End-user accessibility | The user must be able to access the password application from his favoured platforms. |
| AC1 | User able to reset password from her own PC, even when the password to the PC is forgotten. | FastPass delivers a function for XP and Vista that allows the user to change password. For XP it is a GINA extension. Requires connection to the Domain. |
| AC2 | User able to reset password from a web browser from secured network | FastPass is a browser-based application, without need for SW distribution (unless the company wants to use the GINA extension mentioned above) |
| AC3 | User able to reset password from a web browser from unsecured network (outside) | Administrator can define authentication process depending on the network. FastPass is a browser application. |
| AC4 | User able to reset password from mobile phones with Internet browsers | FastPass is designed for use on cell phones with: Windows Mobile, Blackberry, Symbian and iPhone. |
|  | Enrolment process | Successful enrolment is key for productivity improvement from password management. The aim should be more than 95% enrolled users to reduce calls to helpdesk. |
| EN1 | Flexible process defined by Administrator | Administrator defines the enrolment processes and ties them with the User-groups. The process defines when invitation will be sent and when and how many reminders will be sent to the user (and notification to administrators and managers) |
| EN2 | Administrator defined mail invitation | Administrator writes the invitation mails including a link to FastPass enrolment process. |
| EN3 | Automatic mail-reminder process | Any number of reminders can be sent to each user with different text and different dates or time intervals. Fully automatic process. |
| EN4 | Automatic invitation of new users | When a new user is activated in an AD, and discovered by FastPass, then the invitation process is invoked automatically for the user. |
| EN5 | HelpDesk PIN for handling of non-enrolled users | When non-enrolled users contact the HelpDesk with a password problem, the Service Desk issues a PIN code, which the user can use for verification in the enrolment process. When the user then is enrolled, he can reset his password. In this way he only calls the HelpDesk this one time |
|  | Administration of users | Administration of users and handling of user processes must be simple and intuitive for the administrator |
| AD1 | Efficient insertion of users in Password Manager | Administrator selects AD groups to be registered in FastPass |
| AD2 | Automatic insertion of new users | FastPass Discovery Service will at regular intervals identify all new users in the selected AD groups, and insert them in FastPass |
| AD3 | Automatic deletion of users | FastPass Discovery Service will at regular intervals identify all deleted/exposed users in the selected AD groups, and delete them from FastPass |
| AD4 | Specific deletion of users by administrator | Administrator can at any point in time delete a user in FastPass |
| AD5 | Administration of user authentication process | Administrator defines the desired authentication processes. Each Group is then tied with an authentication process. FastPass is delivered with some standard authentication processes. |
| AD6 | Password changes must be subject to profile in AD | Before resetting or changing the password in AD, FastPass checks the user setting in AD and will always respect this setting. |
| AD7 | New passwords must adhere to Password policy in AD | Password rules for length and complexity will be respected by FastPass |
| AD8 | Temporary exclusion of users | Administrator can exclude a user from FastPass even though his AD-group is included |
|  | Authentication – strong authentication | It is essential that the organization can choose the authentication that meets the security demands. Strong Authentication is a layered authentication approach relying on two or more methods of authentication to establish the identity of an originator or receiver of information |
| AU1 | Number of challenge questions to be defined by administrator | Number of challenge questions is set by the Administrator |
| AU2 | 2-Factor authentication with SMS PIN-code and Challenge questions | FastPass can send a PIN Code to the user via SMS, which they must enter before answering the Challenge questions. The user’s cell number needs to be registered in AD. |
| AU3 | 2-Factor authentication with Help Desk PIN code and Challenge questions | A qualified person at the Help Desk can verify a user’s identity before giving them a PIN. The user must enter the PIN before answering the Challenge questions. |
| AU4 | Authentication process to be decided based on user’s present network (secure or unsecure network) | FastPass allows administrators to define different profiles depending on the user’s network. |
| AU5 | Authentication profile is defined for each usergroup | You can have different profiles for different groups. |
|  | Notification service | Any attempts to misuse the Password Manager to gain access to other users’ password must generate alerts |
| N1 | Information to user when the user has performed an operation in the Password Manager | FastPass forwards a mail to the user when a password has been reset/unlocked or changed through FastPass, or when it has been attempted but failed. See more in Reporting items. |
|  | Reporting | Administrators and management need reports and action lists to manage the Passwords. Standard reports and data transfer to HelpDesk products are necessary. |
| R1 | All incidents to be transferred to SW-HelpDesk tool of the customer’s choice | FastPass can transfer information about password reset/change/unlock as records to SW-HelpDesk tools. Import setup to be done by customer. Records can be forwarded real-time or as batch. Integration with HD-tools means that a “create problem” ticket & “close problem” ticket will automatically be generated. This will get the data into this system automatically and take advantage of reporting facilities available from the Help Desk system. |
| R2 | Provide daily, monthly, yearly data on number of password resets/unlocks by user | Reporting is provided from the Administration Client. |
| R3 | Log of incidents with full data content to be transferred to standard reporting tools (like Excel) | FastPass can deliver data in XML or CSV format real-time or on defined time intervals. |
| R4 | Provide details of real time exception through notification (e.g. multiple failed resets, detection of potential unauthorised access) to ICT professionals (i.e. alerting) | FastPass notification Service offers live notification to registered contacts in the groups: Administrative Contacts, Technical Contacts and Help Desk Manager Contacts and to Users (or their Managers if available in AD). Live notifications can be sent by e-mail or SMS or to third-party alerting or Help Desk tools. |
|  | Technical | Answers to technical environment and specifications |
| T1 | Solution is LDAP compliant | Yes |
| T2 | Solution is Secure LDAP compliant | Yes |
| T3 | Support for Multiple AD domains | Yes |
| T4 | Support for Multi Forest | Yes |
| T5 | Support for Multi Customers | Yes – Of relevance for Service Providers |
| T6 | Software requirements for FastPass Server | FastPass back-end resides on: Microsoft Windows Server 2003 (32 bit and 64 bit); Microsoft Windows Server 2008 (32 bit and 64 bit) |
| T7 | Support for client component to reset password, when PC is locked because of a forgotten password | For Windows XP, FastPass has a GINA-extension. Also available for Vista. The client component can be distributed by normal SW distribution methods. |
| T8 | Secure communications | All communication from clients to server and between server components is SSL and HTTPS based. |
| T9 | Ultimate Data security | All user data (challenge questions and answers) are hashed and encrypted with a 128-bit key. Can be changed by administrator |
| T10 | User data only in AD | FastPass uses data in AD (user-id, name, password, mobile and other) but does not require any changes to AD schema. All other FastPass data are stored in AD extension (ADAM / ADLDS). No special database to be installed |
| T11 | Scalability | FastPass is tested for more than 100.000 users. Customer contracts exceed 50.000 users |
| T12 | Flexibility of configuration of AD back-end | FastPass back-end can be installed directly on Domain Server, or on another server attached to the Domain. This server can be physical or virtual. |
| T13 | Fail-over technology available to handle single point of failure of hardware and software | You can configure FastPass to handle single point of failure. For a maximum availability configuration consult your FastPass partner or FastPassCorp |
|  | Software security certification | The Software must be proven robust against hostile attacks. |
| SSC1 | PCI-DSS compliant | FastPass has passed the PCI-DSS test. Verified by nsense. See certification report. |
|  | Installation and Implementation | Installation and implementation must be simple and straightforward to secure low start-up costs. |
| II1 | Lead times to implement the solution for Active Directory password resets | Installation and configuration on Active Directory is 1 day. |
| II2 | Installation must be performed easily through installation wizard | FastPass installation - as download or from CD - takes approx. 30 minutes guided by installation wizards |
| II3 | Hardware required to host the solution | The solution can be implemented on a domain controller in the existing Windows Server environment. An additional Windows Server is not needed based on performance but should rather be considered based on the security architecture and design. A standard Server with 2 GHz CPU, 512 MB RAM and 2 GB Disc space is required. |
|  | Synchronization to other target systems | When users only have one password to remember they will be more satisfied and productive |
| SY1 | Passwords must be synchronized from AD to target system when changed at AD with Password Manager | FastPass has a Synchronization module which is invoked when there are changes to AD passwords. The Sync module decides to which target-system and user-id to send the changed password. |
|  | Passwords must be synchronized from AD to target system when changed at AD with Standard Microsoft tools. | FastPass has a Synchronization module which is invoked when there are changes to AD passwords – even when initiated from outside FastPass. The Sync module decides to which target-system and user-id to send the changed password. |
| SY2 | Synchronization must handle different user-id for same user on different systems | FastPass controls synchronization by a Table, defining relationships between users on different systems. |
| SY3 | Retries for failing sync to target systems | FastPass retries synchronization according to rules set by administrator |
| SY4 | Synchronization to SAP | FastPass 3.3 has connectors for SAP |
| SY5 | Synchronization to AS400 | FastPass 3.3 has connectors for AS400 |
| SY6 | Synchronization to SQL | FastPass 3.4 has connectors for SQL |
| SY7 | General synchronization for customer specific applications | FastPass 3.4 has a Generic connector where the customer can write CLI commands to interface to other systems. |
| SY8 | Password Filtering for Password alignment when target systems have different password models | FastPass 3.4 allows for Password modification, so the AD password can comply with the specifications of the Target system. |