Keeping track of passwords and controlling end-user access to applications was becoming an unwieldy mess for Omaha Public Power District. Then the light bulb went on.

The IT department for the electric utility, which services eastern Nebraska, this past summer embarked on a project to automate password management. The project features an online workflow process that also enables the utility to centralize authorization and security policies.

Password proliferation

With the proliferation of intranet applications at the utility, it had become almost impossible for the IT department to manually process password requests or deletions for the 2,500 employees, plus hundreds of outside contractors, working at three large power plants or from mobile laptops in the field. Using paper forms, it was taking weeks for local administrators to get their password requests approved.

The new system is based on software called enRole from Access360, an Irvine, Calif., start-up, which beat out software from Computer Associates and others. EnRole consists of software agents loaded onto Windows NT or Unix servers, databases or mainframes. The agents restrict access unless a user has a password that's been generated by the enRole management server, which has its own database.

Omaha Power defines usage policies based on roles, such as engineers, sales teams, outside contractors, clerical and new employees.

If a local administrator deletes user access rights, that information is reported to the enRole management server, which records it, ensuring the network access and application usage rights are terminated as well. There's also a way to terminate access rights based on time periods.

"It had gotten to the point that we just couldn't maintain password control over what's become a large intranet," says Ron Workman, supervisor of information protection at Omaha Power. "If someone left the

company, it didn't get into the records. Now we've centralized, and the accounts are all in the enRole database. We have a fluid workforce, with contractors that come in seasonally as we shut down the nuclear power plants for maintenance. It's simplified administration considerably."

What the local systems administrators in the IT department see are the hordes of end users clamoring to have access to Omaha Power's huge ATM-based WAN, its Unix-based customer information application or mainframe-based utility technical specifications, depending on their job. Employees also may need access to a PeopleSoft human resources application or a material-management system.

When the systems administrator gets a request for access from an end user, he can now log on to the Web-based enRole interface to generate a request that's sent in workflow style to the supervisor. If the supervisor OKs the request, the user is granted access to a set of network and application resources based on a role-based profile.

"We were using just the native security -- Novell, NT or Unix," Workman says. "We simply couldn't maintain password control."

No interference

What Workman likes about the enRole application is that it doesn't interfere with or replace native security. "It does allow you to synchronize these passwords, though," he says.

Workman points out that managers using enRole can change all the passwords for a user account at once.

While the enRole software costs about $200,000, Omaha Power estimates it has already seen a return on at least half of that through improved productivity -- particularly because a single day of plant downtime where outside contractors come in needing network resources costs the company about $500,000.

