Midrange Stuff, OS/400 Edition--Cox Installs Password Software to Ease Help-Desk Burden

Cox Communications, one of the country's largest cable communications operators, had a little problem. Nearly one in five calls placed to its IT help desk were to reset the passwords that employees used to access various OS/400 and Windows applications. With more than 20,000 employees, that amounted to 7,000 calls per month for forgotten passwords. Company officials realized they'd have to expand the help desk as more applications came online, so instead they chose to attack the problem directly.

The problem faced by Cox is very similar to those faced by many IT organizations. Cox employees needed to remember a different password to access each of five OS/400 servers (a 12-way AS/400 Model 740, two 12-way Model 840s, and one 16-way Model 870) that run the company's various mission-critical applications, including the Convergys ICOMS billing and customer care solution and the J.D. Edwards WorldSoftware financials suite. Employees also needed passwords to access the company's network, which ran on Microsoft Windows and used Active Directory.

Cox has a strong password policy for the OS/400 and Windows systems. Employees could choose their own passwords, but they were required to use a combination of alpha and numeric characters. Employees were also required to change their passwords on a regular basis, which is something that all companies should do in order to reduce the risk of unwanted access.

While access to the servers was tightly controlled, the plethora of passwords that employees had to remember was becoming a burden. Nick Sourant, director of IT help desk operations at the company's corporate headquarters in Atlanta, said his 13-person help desk was fielding about 1,000 calls per month from employees who had been locked out of their system because they forgot a password. Countrywide, the company's IT help desk would field 7,000 such calls in any given month. Twenty percent of all calls to Cox's corporate IT help desk were for password reset requests, and the OS/400 and Windows applications accounted for 90 percent of the reset requests.

Good security practices are important, but so is allowing workers to log on to the server so they can do their work. When you factor in the lost productivity of workers and the time spent by help desk personnel to reset workers' passwords, the costs can be pretty high. According to research firm Gartner, it costs a company $14 to $28 to reset each forgotten or lost password. Sourant says Cox's costs probably aren't that high, but even if the company was losing only $10 on every password reset, that's still $70,000 per month, or $840,000 per year. That isn't a huge loss for a $5 billion company, but it's the equivalent of 21 people making $40,000 a year. And that's enough money to warrant some attention.

In January, Sourant began his search for a solution to Cox's password woes. Sourant figured the cause of the problem wasn't that passwords were too difficult to remember or that it was too hard to get a password reset, but that it was the number of passwords that people had to remember that was the real root of the problem, which could be solved by synchronizing the systems to use a single password. "In my opinion, the lack of synchronization leads to people forgetting the passwords," he says.

Sourant began researching the available password solutions. The main requirements were that it had to do password resets and synchronization on AS/400s and Windows servers, and people had to be able to access it from a GUI and over the telephone. After casting a wide net, Sourant narrowed his search to two offerings: Courion's PasswordCourier and M-Tech's P-Synch.

An important factor that influenced Sourant's ultimate decision to go with Courion was the numerous reference accounts for companies that had deployed PasswordCourier, including deploying it on OS/400 servers. He spoke with several of Courion's large customers and was impressed with their results. Another important factor was the tight integration PasswordCourier has with Vocent's Windows-based voice authentication server.

Cox is running PasswordCourier on two Dell two-way PowerEdge servers running Microsoft Windows 2000 Server and a clustered SQL Server database. In setting up the software, the most crucial and time-consuming part is the process of mapping the user IDs and passwords from the OS/400 and Active Directory application to the new Courion system. Once that is completed, however, a single password should give access to all of the systems. What's more, a user will be able to change the password through normal means in any of the applications, and the change will be automatically replicated across the entire system.

Cox chose the Vocent voice recognition software to allow workers to reset their passwords over the phone when they're locked off their system because they forgot their password. Vocent and Courion put in the effort to make the systems work together so that OS/400 shops deploying PasswordCourier, like Cox, don't have to worry about another point of integration. Instead of voice authentication over the phone, Cox workers who are locked out of their systems have another option: Because Courion replaces the traditional Windows sign-on screen with its own, users can reset their passwords before signing on to the system.

The contract between Cox and Courion was signed in June, but the rollout didn't begin until November. One of the reasons for the delay was that Cox put a lot of thought into how to go about introducing this new software to its employees. "It's absolutely essential that you get a high level of user adoption," Sourant says.

To encourage users to use the new password system, which is called CoxPass, the cable company has signed on for Courion's Self-Service Attainment Program, which provides a framework on how companies can encourage user buy-in. Not surprisingly, this often involves giving users free food and prizes. Cox is coaxing users to enroll in the system and to fill in their challenge questions--which must be answered correctly to be authenticated by the software--by plying them with free ice cream, Home Depot gift certificates, Honey Baked Hams, and movie tickets. Willing employees are also being rewarded with little pads of sticky notes--those notoriously unsecure password repositories--with the words "Don't write your password here!" printed on them.

So far, so good. Cox is rolling out the new system to 500 new users per day. Sourant says most of users are reporting that the PasswordCourier software is very easy to use, and some of them are downright eager to use the Vocent voice recognition system, because of the novelty factor of the biometric system.

It will be some time before PasswordCourier is rolled out to everybody at Cox Communications, which has 22,000 employees. As for Sourant's home turf at the Atlanta help desk, he expects to reach his goal of eliminating 90 percent of the calls for password resets, which will free up his 13-person crew to support other applications. "Our [department staffing] goal is to maintain a flat headcount," Sourant says.