Imprivata OneSign 2.5 simplifies password-juggling

Single sign-on solution arms users with simple, secure access to all their applications

Depending on which study you believe, the average company has anywhere from a dozen to hundreds of applications that require user log-ins. Typically, users are left to manage each password for each account on each system that they access. This often leads to the user employing the same insecure password for all applications, or writing down a list of passwords and taping it to his or her monitor. Either approach makes the entire network less secure.

SSO (single sign-on) is a promising solution to this security problem. An SSO product, such as Imprivata’s OneSign 2.5, enables a user to log in once to an authoritative system that then handles the actual log-ins to other systems and apps.

The OneSign 2.5 appliance inconspicuously captures users’ log-in information as they log in to applications and then allows them to log in once using a strong password, ID token, or biometric authentication and access all the applications they need. Giving the user only one difficult-to-crack password can boost security. Enabling the ID token or biometric option certainly adds costs, but it makes logging in all the more secure.

SSO differs from direc-tory synchronization or virtualization solutions such as the recently reviewed RadiantLogic RadiantOne and MaXware Virtual Directory. These types of products are aimed at administering large numbers of users across all the applications and systems in a network, removing invalid users and adding new users to all appropriate applications.

Ready, Set, Secure

Setting up the OneSign is easy. A default IP address is provided, so an administrator can perform the initial configuration via a browser rather than a serial connection. Once the administrator enters network information, he or she must also provide the initial directory that will be used to import user and group information. The OneSign does not store user and group information in a separate database; rather, the solution imports it from an Active Directory, NT Domain, NetWare, or Sun ONE (LDAP) directory.

In addition to the actual appliance, there are two other major components to the OneSign solution. The OneSign Agent resides on each workstation, replacing the normal Windows log-in box. The agent intercepts the standard initial log-in to Windows and uses it to authenticate to the OneSign server. It is deployed using the standard Windows Installer application. The APG (Application Profile Generator) creates a profile for each enterprise application, specifying how log-ins are accomplished.

In addition to the standard agent, there are others that allow multiple accounts per workstation and provide support for Citrix application servers. The agents are automatically updated through the appliance when a new version is available, when security policies have been changed, or when new applications are added. I had no problems while testing log-in or boot compatibility.

The biometric log-in option proved effective in my tests. I used fingerprint modules supplied by Imprivata. After the training process, the readers worked consistently and more easily than typing a password. This approach is more secure than even strong passwords, and while the initial cost is relatively high at $10,000 for the server and $149 per workstation for the readers, it offers great security.

I didn’t test the ID Token capability of the OneSign, which requires either RSA SecurID with the ACE/Server or Secure Computing SafeWord with the Premier Access Server. Tokens for these systems can be either software (very long certificates stored locally), or hardware, such as smart cards or USB tokens. Hardware tokens require an investment per workstation in a reader or USB token, which can vary in price from $30 to $150.

Watch and Learn

The APG offers an easy approach to creating connectors to each application. Rather than having a programmer write a connector for each app, the APG watches the log-in process and creates an XML document that enables log-ins for each app. The XML document is then stored on the OneSign, and all users with access to that application can log in.

The XML documents only describe how the log-in process works; the actual passwords are securely stored in an encrypted database on the appliance, which is accessible only by the administrator. It can’t be hacked by anyone, as it is only accessible via a subnet separate from the incoming verification requests.

The APG worked flawlessly in my testing for host-based applications, terminal shell applications, database applications, ERP apps, and Web-based apps. I couldn’t find any application that the APG couldn’t capture log-in information for, or which required more than one try to enable.

OneSign also offers security logging of all user and application events, offering a way to trace problems. The workstation agents pass data to the appliance for central access and monitoring, so checking individual logs isn’t necessary. The data collected includes what applications have been accessed, user log-in/log-out times and dates, and lockout incidents when the allowed number of log-in attempts are exceeded.

Imprivata ships the OneSign in a redundant pair configuration for fail-over protection, which is necessary given the appliance’s critical influence after it’s installed. If the primary appliance becomes unavailable, OneSign will automatically transfer users to the failover appliance without affecting connected users.

Imprivata released Version 2.6 this month, too late for this test. The new version includes internationalization of user names and passwords for Western Europe and user name correlation, which checks to ensure that multiple users aren’t using the same log-in or password.

Although the OneSign is not cheap at $16,000 for 200 users, plus $10,000 for the fingerprint option, it offers an easy way to implement single sign-on across the enterprise, which can result in much higher security, both internally and externally. It enables very secure passwords, token-based log-ins, or biometric log-ins with very little time required for installation or administration. Any organization concerned with application security should consider evaluating OneSign.

InfoWorld Scorecard
Scalability (15.0%)
Security (10.0%)
Management (15.0%)
Value (10.0%)
Flexibility (15.0%)
Setup (15.0%)
Performance (20.0%)
Overall Score (100%)
Imprivata OneSign 2.5 9.0 9.0 9.0 8.0 9.0 9.0 9.0 8.9