At Hilton Grand Vacations we successfully heightened the security of our system years ago by mandating that passwords be complex (alphanumeric, case sensitive) and expire at least every 90 days. But, our front line team members are hired to be sales and service professionals, not technologists. Like most organizations, we have a mixture of legacy and new applications that require various levels of password sophistication. As the number of applications and login routines grew, our help desk’s reset requests also climbed. By late 2006, the rate of reset requests accounted for almost 50 percent of all help desk requests.

Further complicating the situation was the workforce diversity of our 3,500 employees. For instance, in Asia the support culture is often more high touch and some customers are reluctant to pick up a phone and dial a help desk for support. As we considered strategies for reducing password woes, it was critical that any type of proposed self-service solution would truly have to be more self-sustaining.

Another concern was the fast-paced dynamic environment at our company. Like most IT departments, the demands of our schedule are intense, so any password solution proposed had to be churn-free – not just at the inception but throughout its lifecycle – because we couldn’t exclusively dedicate a resource to serve as a sign-on expert. In a nutshell, we wanted a solution that required virtually no tweaking, tuning or real-time monitoring – period.

Any solution would need to handle SOX, PCI and related audit requirements, along with a low administration requirement, or as some say, no care and feeding required. Beyond these regulatory and administrative issues, there were complexity and aging rules that varied according to operating system and application. For example, regulatory compliance may require 90-day password expiration, but our legacy application would only allow us to set passwords for 60-day expiration and, of course, this varied by application.

Our operating systems include a mixture of Windows, Linux, Solaris and UNIX. Application-wise, any given employee could use up to seven different applications requiring authentication on a daily basis.

Finding the Right Fit
To address these issues, we began researching options early in 2007. Originally, we looked at both provisioning and single sign-on systems. Eventually, with the help of an integration partner Tribridge, we narrowed the field down to four different vendors. We decided to forego the provisioning system at that time due to the complexity involved and the length of time required to implement a company wide provisioning system. Our goal with this project was to reduce our service and support calls along with simplifying password complexity issues for our end users. We did make sure all the products we reviewed could be easily integrated into a provisioning system down the road. 

One of the product options we researched and eventually chose was Imprivata which offered a purpose-built appliance called OneSign. As the name implies, the solution promised to reduce numerous passwords to one, while transparently handling all of the complexity chores in the background. In addition, passwords can be reset via an intuitive self-service Web interface by entering answers to questions the users were asked during the installation (i.e., mother’s maiden name, first pet’s name, etc.).

Beyond self service, another key feature for us was the ability to handle two-factor or strong authentication. This means using a password and another identifier such as a token or a finger print scanner. The OneSign product met this need and also offered a solution for integrating computer access with our existing building access badges.

We decided to move forward with a demo appliance in our data center. The appliance met our criteria for being simple to implement and use, yet elegant and sophisticated in design and functionality. It was also exceptionally granular; we could grant specific people, in a specific group, a specific authority level for a specific application. And, with one click, everyone else in that group could have a completely different level of access to that application.

For DR and business continuity purposes, we invested in an additional appliance. So we had a primary unit and a secondary one for failover. We also planned a phased rollout to minimize disruption to the business and safeguard us in case we needed to roll back.

When it comes to technology in a box, I have to say that I am a cynic at heart. The biggest challenges that we encountered were around existing processes and policies, not technology. After we revisited a few password policies and processes around system logins to our parent company, we were ready to begin full-scale implementation and deployment.

Ultimately, we rolled out the solution over the course of about eight weeks. But, the process went so smoothly we could have accomplished it in far less time. A critical factor was the ease of introduction to end users. This proved to be true during the implementation and the product lived up to its billing. There was so little to learn that we reconsidered our initial plans for a formal training course. Instead, we trained our help desk staff to be teachers and, in turn, they empowered employees to reset their passwords themselves.

In these days of six-minute abs and get rich-in-a-week infomercials, it is nice to have a product that actually works better than advertised—even for a technology cynic.

Rich Jackson is the vice president of technology operations at Hilton Grand Vacations, a division of Hilton Hotels Corporation. E-mail can be sent to rjackson@hgvc.com to let him know your best user password lockout story.