Depending on which study you believe, the average company has anywhere from a dozen to hundreds of applications that require
user log-ins. Typically, users are left to manage each password for each account on each system that they access. This often
leads to the user employing the same insecure password for all applications, or writing down a list of passwords and taping
it to his or her monitor. Either approach makes the entire network less secure.
Imprivata OneSign 2.5
Imprivata, imprivata.com
|
 Excellent 8.9 |
|
| criteria |
score |
weight |
| Performance |
9 |
20% |
 |
| Flexibility |
9 |
15% |
|
| Management |
9 |
15% |
|
| Scalability |
9 |
15% |
|
| Setup |
9 |
15% |
|
| Security |
9 |
10% |
|
| Value |
8 |
10% |
|
|
|
Cost:
Starts at $15,995 for 200 users; $10,000 for fingerprint option
Platforms:
Active Directory, Windows NT Domains, Novell NDS, LDAP
Bottom Line:
A simple and effective way to enable single sign-on for an entire enterprise, OneSign supports virtually any application and
directory. This appliance can heighten security dramatically by ensuring that all users need only one strong password, or,
even better, with token-based or biometric authentication.
|
|
About our Reviews and Scoring Methodology
|
|
|
|
SSO (single sign-on) is a promising solution to this security problem. An SSO product, such as Imprivata’s OneSign 2.5, enables
a user to log in once to an authoritative system that then handles the actual log-ins to other systems and apps.
The OneSign 2.5 appliance inconspicuously captures users’ log-in information as they log in to applications and then allows
them to log in once using a strong password, ID token, or biometric authentication and access all the applications they need.
Giving the user only one difficult-to-crack password can boost security. Enabling the ID token or biometric option certainly
adds costs, but it makes logging in all the more secure.
SSO differs from direc-tory synchronization or virtualization solutions such as the recently reviewed RadiantLogic RadiantOne and MaXware Virtual Directory. These types of products are aimed at administering large numbers of users across all the applications and systems in a network,
removing invalid users and adding new users to all appropriate applications.
Ready, Set, Secure
Setting up the OneSign is easy. A default IP address is provided, so an administrator can perform the initial configuration
via a browser rather than a serial connection. Once the administrator enters network information, he or she must also provide
the initial directory that will be used to import user and group information. The OneSign does not store user and group information
in a separate database; rather, the solution imports it from an Active Directory, NT Domain, NetWare, or Sun ONE (LDAP) directory.
In addition to the actual appliance, there are two other major components to the OneSign solution. The OneSign Agent resides
on each workstation, replacing the normal Windows log-in box. The agent intercepts the standard initial log-in to Windows
and uses it to authenticate to the OneSign server. It is deployed using the standard Windows Installer application. The APG
(Application Profile Generator) creates a profile for each enterprise application, specifying how log-ins are accomplished.
In addition to the standard agent, there are others that allow multiple accounts per workstation and provide support for Citrix
application servers. The agents are automatically updated through the appliance when a new version is available, when security
policies have been changed, or when new applications are added. I had no problems while testing log-in or boot compatibility.
The biometric log-in option proved effective in my tests. I used fingerprint modules supplied by Imprivata. After the training
process, the readers worked consistently and more easily than typing a password. This approach is more secure than even strong
passwords, and while the initial cost is relatively high at $10,000 for the server and $149 per workstation for the readers,
it offers great security.
I didn’t test the ID Token capability of the OneSign, which requires either RSA SecurID with the ACE/Server or Secure Computing
SafeWord with the Premier Access Server. Tokens for these systems can be either software (very long certificates stored locally),
or hardware, such as smart cards or USB tokens. Hardware tokens require an investment per workstation in a reader or USB token,
which can vary in price from $30 to $150.
Watch and Learn
The APG offers an easy approach to creating connectors to each application. Rather than having a programmer write a connector
for each app, the APG watches the log-in process and creates an XML document that enables log-ins for each app. The XML document
is then stored on the OneSign, and all users with access to that application can log in.
The XML documents only describe how the log-in process works; the actual passwords are securely stored in an encrypted database
on the appliance, which is accessible only by the administrator. It can’t be hacked by anyone, as it is only accessible via
a subnet separate from the incoming verification requests.
The APG worked flawlessly in my testing for host-based applications, terminal shell applications, database applications, ERP
apps, and Web-based apps. I couldn’t find any application that the APG couldn’t capture log-in information for, or which required
more than one try to enable.
OneSign also offers security logging of all user and application events, offering a way to trace problems. The workstation
agents pass data to the appliance for central access and monitoring, so checking individual logs isn’t necessary. The data
collected includes what applications have been accessed, user log-in/log-out times and dates, and lockout incidents when the
allowed number of log-in attempts are exceeded.
Imprivata ships the OneSign in a redundant pair configuration for fail-over protection, which is necessary given the appliance’s
critical influence after it’s installed. If the primary appliance becomes unavailable, OneSign will automatically transfer
users to the failover appliance without affecting connected users.
Imprivata released Version 2.6 this month, too late for this test. The new version includes internationalization of user names
and passwords for Western Europe and user name correlation, which checks to ensure that multiple users aren’t using the same
log-in or password.
Although the OneSign is not cheap at $16,000 for 200 users, plus $10,000 for the fingerprint option, it offers an easy way
to implement single sign-on across the enterprise, which can result in much higher security, both internally and externally.
It enables very secure passwords, token-based log-ins, or biometric log-ins with very little time required for installation
or administration. Any organization concerned with application security should consider evaluating OneSign.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
