Imprivata OneSign 2.5 simplifies password-juggling
Single sign-on solution arms users with simple, secure access to all their applications
Depending on which study you believe, the average company has anywhere from a dozen to hundreds of applications that require user log-ins. Typically, users are left to manage each password for each account on each system that they access. This often leads to the user employing the same insecure password for all applications, or writing down a list of passwords and taping it to his or her monitor. Either approach makes the entire network less secure.
SSO (single sign-on) is a promising solution to this security problem. An SSO product, such as Imprivata’s OneSign 2.5, enables a user to log in once to an authoritative system that then handles the actual log-ins to other systems and apps.
The OneSign 2.5 appliance inconspicuously captures users’ log-in information as they log in to applications and then allows them to log in once using a strong password, ID token, or biometric authentication and access all the applications they need. Giving the user only one difficult-to-crack password can boost security. Enabling the ID token or biometric option certainly adds costs, but it makes logging in all the more secure.
SSO differs from direc-tory synchronization or virtualization solutions such as the recently reviewed RadiantLogic RadiantOne and MaXware Virtual Directory. These types of products are aimed at administering large numbers of users across all the applications and systems in a network, removing invalid users and adding new users to all appropriate applications.
Ready, Set, Secure
Setting up the OneSign is easy. A default IP address is provided, so an administrator can perform the initial configuration via a browser rather than a serial connection. Once the administrator enters network information, he or she must also provide the initial directory that will be used to import user and group information. The OneSign does not store user and group information in a separate database; rather, the solution imports it from an Active Directory, NT Domain, NetWare, or Sun ONE (LDAP) directory.
In addition to the actual appliance, there are two other major components to the OneSign solution. The OneSign Agent resides on each workstation, replacing the normal Windows log-in box. The agent intercepts the standard initial log-in to Windows and uses it to authenticate to the OneSign server. It is deployed using the standard Windows Installer application. The APG (Application Profile Generator) creates a profile for each enterprise application, specifying how log-ins are accomplished.
In addition to the standard agent, there are others that allow multiple accounts per workstation and provide support for Citrix application servers. The agents are automatically updated through the appliance when a new version is available, when security policies have been changed, or when new applications are added. I had no problems while testing log-in or boot compatibility.
The biometric log-in option proved effective in my tests. I used fingerprint modules supplied by Imprivata. After the training process, the readers worked consistently and more easily than typing a password. This approach is more secure than even strong passwords, and while the initial cost is relatively high at $10,000 for the server and $149 per workstation for the readers, it offers great security.