Can single sign-on be simple sign-on?

Imprivata's Esso appliance

Review

Fundamentally, single sign-on (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

The other thing we need to realise is that SSO is not an authentication solution in itself; the connection to the proxy can be as open or as tightly controlled as you like. The ability to integrate with different authentication technologies, including tokens, for example, and to accommodate two-factor authentication mechanisms, is therefore a key consideration. An SSO proxy also needs to be 100 per cent reliable, otherwise it will lock every user out of every system when it fails. Furthermore, the security of the SSO solution itself is a big consideration, as the proxy necessarily holds the login credentials and access rights of every user on the network.

Implemented appropriately, however, a well-executed SSO solution gives network and security managers a central point for implementing network policies, such as application access rights. This includes the provision of alternative application environments and capabilities to a user depending on the login location and available network bandwidth.

So, it all sounds pretty good, but there is a lot to think about and deal with, which often causes SSO projects to turn out a lot more complicated, time consuming and costly than people first envisaged when they embarked on them. Imprivata, however, manufacturer of the OneSign Enterprise Single Sign On (Esso) solution, has set out to simplify the process of getting to the SSO vision with a straightforward, no-nonsense appliance. After talking to the company and reviewing a couple of its customers, we were convinced that the Imprivata approach was different enough to be worth highlighting, so here's a bit more detail.

On set-up, the system can import existing directory information from Active Directory, NetWare Directory Services, and others. From here, it allows a variety of pre-defined security management policies to be set up and targeted at individual users or groups.

An important capability of the system is its ability to learn the authentication behaviour of applications by example, which it stores in an XML profile document, including password change procedures. The basic principle is that the system only needs to see an example of a standard login to capture it into the profile, which is then available for subsequent access to that same application. The profile is automatically modified if the application's behaviour changes, which is typically done without custom scripting.

This approach can cut down the time to implement the system dramatically, since minimal or no scripting and connector development is required to set up and maintain proxy access to the various applications.

Policy decisions by the network administrator using the associated management tool then tie users to applications, and at that point the system is ready to use. Given the design, the system can handle subsequent password resets automatically without involving the helpdesk in a live call.

In terms of security, user information is held in separate, encrypted areas of the appliance, protecting it from outside attack, and sign on messaging is also heavily encrypted. With regard to authentication, Imprivata allows the straightforward implementation of two-factor solutions from a variety of popular vendors, with provision for the use of tokens, smartcards, biometrics, etc.

And everything is monitored. Password-related user access events are stored on the appliance, providing monitoring trails that may be used as input to any compliance or other investigation. The system can reveal instances of users sharing confidential credentials, for example.
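As an added illustration of that kind of monitoring (this is not Imprivata's code, and the audit-event format below is a constructed assumption, not the appliance's real log layout): a check over constructed SSO sign-on events that flags an account holding concurrent sessions on different workstations, the usual footprint of a shared password.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of SSO audit events (hypothetical format):
# timestamp, event, user, workstation
SAMPLE_EVENTS = """\
2014-11-24T08:01:10 LOGIN alice WS-RECEPTION-01
2014-11-24T08:03:42 LOGIN bob WS-WARD-03
2014-11-24T08:05:05 LOGIN alice WS-WARD-07
2014-11-24T08:40:00 LOGOUT alice WS-RECEPTION-01
2014-11-24T09:10:00 LOGIN carol WS-OFFICE-02
2014-11-24T09:12:30 LOGOUT carol WS-OFFICE-02
2014-11-24T09:15:00 LOGIN carol WS-OFFICE-05
"""


def parse_events(text):
    """Parse one event per line into (timestamp, kind, user, workstation)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, host = line.split()
        events.append((datetime.fromisoformat(ts), kind, user, host))
    return events


def find_shared_credentials(events):
    """Return {user: [workstations]} for accounts that had an active session
    on one workstation while a new session opened on a different one.
    A clean LOGOUT before the next LOGIN (carol) is not flagged."""
    active = defaultdict(dict)   # user -> {workstation: login time}
    flagged = defaultdict(set)
    for ts, kind, user, host in sorted(events):
        if kind == "LOGIN":
            if active[user] and host not in active[user]:
                flagged[user].update(active[user])
                flagged[user].add(host)
            active[user][host] = ts
        elif kind == "LOGOUT":
            active[user].pop(host, None)
    return {u: sorted(hosts) for u, hosts in flagged.items()}


if __name__ == "__main__":
    for user, hosts in find_shared_credentials(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible shared credential: {user} active on {', '.join(hosts)}")
```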

All in all, the Imprivata solution hides a lot of essential smarts away in its redundant configuration, providing a good option for mid-size organisations in particular to implement convenient, secure application access, password management and some important elements of compliance, with additional features that can greatly help with your network policies.

The suitability of the solution for those who can't afford a large and highly specialised security staff is corroborated by the makeup of Imprivata's customer base. At the recent Infosec show, for example, Imprivata hosted a presentation from Gary Bellfield of Tayside Fire and Rescue, typical of the type of user who can benefit from the system: a small staff on a tight public sector budget providing services to a large user community in a critical service industry.

With so many SSO projects stalling over the past couple of years or being de-scoped due to time and budget over-runs, it is good to see the industry trying to introduce more of an element of simplicity into the process. ®
