
Can single sign-on be simple sign-on?

Imprivata's Esso appliance

Review

Fundamentally, Single Sign On (SSO) is a straightforward idea: a proxy authenticates the user once, and from then on handles the login idiosyncrasies of every application they want to access on their behalf.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how each of your enterprise applications manages its login? Does the proxy work this out for you, or do you have to write a login script for each one individually? And if, after deployment, an application decides it wants a password change, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

The other thing to realise is that SSO is not an authentication solution in itself; it merely relocates authentication to the proxy, and the user's connection to that proxy can be as open or as tightly controlled as you like. The ability to integrate with different authentication technologies, including tokens, and to accommodate two-factor mechanisms is therefore a key consideration. An SSO proxy also needs to be highly available, because when it fails it locks every user out of every application at once. Furthermore, the security of the SSO solution itself is a big consideration: the proxy necessarily holds the application credentials and access rights of every user on the network, which makes it a single high-value target.

Done well, however, SSO gives network and security managers a central point for implementing network policies, such as application access rights. This includes presenting a user with alternative application environments and capabilities depending on their login location and the available network bandwidth.

So, it all sounds pretty good, but there is a lot to think about and deal with, and SSO projects often turn out a lot more complicated, time consuming and costly than people first envisaged when they embarked on them. Imprivata, maker of the OneSign Enterprise Single Sign On (Esso) solution, has set out to simplify the road to the SSO vision with a straightforward, no-nonsense appliance. After talking to the company and to a couple of its customers, we were convinced that the Imprivata approach was different enough to be worth highlighting, so here's a bit more detail.

On set-up, the system can import existing directory information from Active Directory, NetWare Directory Services, and others. From here, it allows a variety of pre-defined security management policies to be set up and targeted at individual users or groups.

An important capability of the system is its ability to learn the authentication behaviour of an application by example, including its password change procedure, and store that behaviour in an XML profile document. The basic principle is that the system only needs to observe one standard login to capture it into the profile, which is then used for all subsequent access to that application. If the application's behaviour changes, the profile is updated automatically, typically without any custom scripting.

This approach can cut down the time to implement the system dramatically, since minimal or no scripting and connector development is required to set up and maintain proxy access to the various applications.

Policy decisions made by the network administrator in the associated management tool then tie users to applications, and at that point the system is ready to use. Because the profile also captures the password change procedure, the system can handle subsequent password resets automatically without a live call to the helpdesk.

In terms of security, user credential data is held in separate, encrypted storage areas on the appliance, and sign-on traffic between client and appliance is also encrypted. With regard to authentication, Imprivata allows straightforward integration of two-factor solutions from a variety of popular vendors, with provision for tokens, smartcards, biometrics and so on.

And everything is monitored. Password-related user access events are stored on the appliance, providing audit trails that can feed a compliance review or other investigation. The trail can reveal instances of users sharing confidential credentials, for example.
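The credential-sharing point above is worth making concrete. The following is an added example, not Imprivata's code or log format: it runs two simple heuristics over a constructed access trail (the field layout, workstation names and application names are assumptions). The first flags a (user, application) pair whose session on one workstation is still open when the same credential logs in on another; the second flags an account used from more distinct workstations within a short window than one person plausibly could.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit trail: "<timestamp> <user> <workstation> <application> <login|logout>".
# This is not real appliance output; the layout is an assumption for the example.
SAMPLE_EVENTS = """\
2014-04-14T08:01:12Z alice WS-101 EPR login
2014-04-14T08:03:40Z bob WS-102 EPR login
2014-04-14T08:05:02Z alice WS-117 EPR login
2014-04-14T08:45:00Z alice WS-101 EPR logout
2014-04-14T09:10:30Z alice WS-117 EPR logout
2014-04-14T09:12:00Z bob WS-102 EPR logout
2014-04-14T09:15:00Z bob WS-102 EPR login
2014-04-14T09:20:00Z carol WS-201 PACS login
2014-04-14T09:22:00Z carol WS-202 PACS login
2014-04-14T09:23:00Z carol WS-203 PACS login
2014-04-14T09:30:00Z carol WS-201 PACS logout
"""


def parse_events(text):
    """Parse the whitespace-separated trail into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, app, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "host": host, "app": app, "action": action,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_overlapping_sessions(events):
    """Return (user, app, existing_host, new_host, when) for every login made while
    the same credential already has an open session on a different workstation."""
    open_sessions = defaultdict(dict)   # (user, app) -> {host: login time}
    findings = []
    for e in events:
        key = (e["user"], e["app"])
        if e["action"] == "login":
            for other_host in open_sessions[key]:
                if other_host != e["host"]:
                    findings.append((e["user"], e["app"], other_host, e["host"], e["ts"]))
            open_sessions[key][e["host"]] = e["ts"]
        elif e["action"] == "logout":
            # A logout closes only the session on that workstation.
            open_sessions[key].pop(e["host"], None)
    return findings


def find_workstation_hopping(events, max_hosts=2, window=timedelta(minutes=15)):
    """Return (user, window_start, hosts) for each user who logs in from more than
    max_hosts distinct workstations within any sliding window of the given length."""
    logins = defaultdict(list)          # user -> [(ts, host)] in time order
    for e in events:
        if e["action"] == "login":
            logins[e["user"]].append((e["ts"], e["host"]))
    findings = []
    for user, seq in logins.items():
        for i, (start, _) in enumerate(seq):
            hosts = {h for ts, h in seq[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                findings.append((user, start, sorted(hosts)))
                break                   # one finding per user is enough to investigate
    return findings


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in find_overlapping_sessions(evs):
        print("overlap:", f)
    for f in find_workstation_hopping(evs):
        print("hopping:", f)
```

On the sample trail, alice and carol are flagged by the overlap check and carol alone by the hopping check, while bob, who logs out of WS-102 before logging back in on it, is not. Both heuristics produce candidates for investigation rather than proof: a forgotten logout or a legitimately roaming clinician produces the same pattern, so the findings belong in a review queue, not an automatic lockout.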

All in all, the Imprivata solution packages a lot of essential smarts into a redundant appliance configuration, giving mid-sized organisations in particular a good option for implementing convenient, secure application access, password management and some important elements of compliance, with additional features that can greatly help with network policy.

The suitability of the solution for those who can't afford a large and highly specialised security staff is corroborated by the makeup of Imprivata's customer base. At the recent Infosec show, for example, Imprivata hosted a presentation from Gary Bellfield of Tayside Fire and Rescue, typical of the type of user who can benefit from the system: a small staff on a tight public sector budget providing services to a large user community in a critical service.

With so many SSO projects stalling over the past couple of years or being de-scoped due to time and budget over-runs, it is good to see the industry trying to introduce an element of simplicity into the process. ®
