
Can single sign-on be simple sign-on?

Imprivata's Esso appliance


Review

Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

The other thing we need to realise is that SSO is not an authentication solution in itself; the connection to the proxy can be as open or tightly controlled as you like. The ability to integrate with different authentication technologies, including tokens for example, and to accommodate two-factor authentication mechanisms, is therefore a key consideration. An SSO proxy also needs to be 100 per cent reliable, otherwise it will lock out all users from the system when it fails. Furthermore, security of the SSO solution itself is a big consideration as the proxy necessarily contains the login credentials and access rights of every user on the network.

Implemented appropriately, however, a well-executed SSO solution gives network and security managers a central point for implementing network policies, such as application access rights. This includes the provision of alternative application environments and capabilities to a user depending on the login location and available network bandwidth.

So, it all sounds pretty good, but there is a lot to think about and deal with, often causing SSO projects to turn out a lot more complicated, time consuming and costly than people first envisaged when they embarked on them. Imprivata, however, manufacturer of the OneSign Enterprise Single Sign On (Esso) solution, has set out to simplify the process of getting to the SSO vision with a straightforward no-nonsense appliance. After talking to the company and reviewing a couple of its customers, we were convinced that the Imprivata approach was different enough to be worth highlighting, so here's a bit more detail.

On set-up, the system can import existing directory information from Active Directory, NetWare Directory Services, and others. From here, it allows a variety of pre-defined security management policies to be set up and targeted at individual users or groups.

An important capability of the system is its ability to learn the authentication behaviour of applications by example, which it stores in an XML profile document, including password change procedures. The basic principle is that the system only needs to see an example of a standard login to capture it into the profile, which is then available for subsequent access to that same application. The profile is automatically modified if the application's behaviour changes, which is typically done without custom scripting.

This approach can cut down the time to implement the system dramatically, since minimal or no scripting and connector development is required to set up and maintain proxy access to the various applications.

Policy decisions by the network administrator using the associated management tool then tie users to applications, and at that point the system is ready to use. Given the design, the system can handle subsequent password resets automatically without involving the helpdesk in a live call.

In terms of security, user information is held in separate, encrypted areas of the appliance, protecting it from outside attack, and sign on messaging is also heavily encrypted. With regard to authentication, Imprivata allows the straightforward implementation of two-factor solutions from a variety of popular vendors, with provision for the use of tokens, smartcards, biometrics, etc.

And everything is monitored. Password-related user access events are stored on the appliance, providing monitoring trails that may be used as input to any compliance or other investigation. The system can reveal instances of users sharing confidential credentials, for example.
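To show what "revealing instances of users sharing credentials" can look like in practice, here is an added example (not Imprivata's code, and not its log format) that runs a simple concurrent-session check over constructed SSO access events. The log line layout, field names, the four-hour session expiry and the sample events are all assumptions made for this illustration: an account that logs in to an application from a second workstation while its session on the first is still open is flagged, which is the classic signature of a shared password.

```python
"""Detect possible credential sharing from SSO access-event records.

Hypothetical example: the log format, field names and thresholds below are
assumptions made for this illustration, not the appliance's own format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log: one line per access event the SSO proxy records.
SAMPLE_LOG = """\
2014-09-05T09:00:00 user=jsmith ws=WS-ICU-01 app=PatientRecords action=login
2014-09-05T09:04:30 user=jsmith ws=WS-WARD-03 app=PatientRecords action=login
2014-09-05T09:20:00 user=jsmith ws=WS-ICU-01 app=PatientRecords action=logout
2014-09-05T09:21:00 user=jsmith ws=WS-WARD-03 app=PatientRecords action=logout
2014-09-05T09:30:00 user=aburke ws=WS-WARD-03 app=Pharmacy action=login
2014-09-05T09:35:00 user=aburke ws=WS-WARD-03 app=Pharmacy action=logout
2014-09-05T09:40:00 user=aburke ws=WS-ADMIN-02 app=Pharmacy action=login
2014-09-05T14:00:00 user=aburke ws=WS-WARD-03 app=Pharmacy action=login
"""

# Assumed line layout: ISO timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ws=(?P<ws>\S+) "
    r"app=(?P<app>\S+) action=(?P<action>login|logout)$"
)


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    workstation: str
    app: str
    action: str


@dataclass(frozen=True)
class SharingFinding:
    user: str
    existing_ws: str      # workstation where the account was already logged in
    existing_since: datetime
    new_ws: str           # workstation where the second login happened
    at: datetime


def parse_events(text: str) -> List[AccessEvent]:
    """Parse the constructed log format into events sorted by time."""
    events: List[AccessEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable event line: {line!r}")
        events.append(AccessEvent(datetime.fromisoformat(m["ts"]), m["user"],
                                  m["ws"], m["app"], m["action"]))
    return sorted(events, key=lambda e: e.ts)


def find_concurrent_logins(events: List[AccessEvent],
                           max_session: timedelta = timedelta(hours=4)) -> List[SharingFinding]:
    """Flag a login while the same account is still logged in elsewhere.

    Sessions with no logout seen within max_session are treated as closed,
    so a forgotten logout in the morning does not flag every afternoon login.
    """
    open_sessions: Dict[str, Dict[str, datetime]] = {}   # user -> {ws: login time}
    findings: List[SharingFinding] = []
    for ev in events:
        sessions = open_sessions.setdefault(ev.user, {})
        for ws in [w for w, t in sessions.items() if ev.ts - t > max_session]:
            del sessions[ws]
        if ev.action == "logout":
            sessions.pop(ev.workstation, None)
            continue
        for ws, since in sessions.items():
            if ws != ev.workstation:
                findings.append(SharingFinding(ev.user, ws, since, ev.workstation, ev.ts))
        sessions[ev.workstation] = ev.ts
    return findings


def workstations_per_user(events: List[AccessEvent]) -> Dict[str, int]:
    """Secondary indicator: how many distinct workstations each account logs in from."""
    seen: Dict[str, Set[str]] = {}
    for ev in events:
        if ev.action == "login":
            seen.setdefault(ev.user, set()).add(ev.workstation)
    return {user: len(ws) for user, ws in seen.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for f in find_concurrent_logins(evs):
        print(f"{f.at.isoformat()} {f.user}: login from {f.new_ws} while still "
              f"logged in on {f.existing_ws} since {f.existing_since.time()}")
    print(workstations_per_user(evs))
```

On the sample data only jsmith is flagged: the account logs in on WS-WARD-03 four and a half minutes after logging in on WS-ICU-01 with no logout in between. aburke's second login on WS-WARD-03 is not flagged because the unclosed WS-ADMIN-02 session is older than the assumed four-hour expiry; in a real deployment that threshold should follow the application's own session timeout, and the per-user workstation count is better read alongside shift rosters than as a finding on its own.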

All in all, the Imprivata solution hides a lot of essential smarts away in its redundant configuration, providing a good option for mid-size organisations, in particular, to implement convenient secure application access, password management and some important elements of compliance, with additional features that can greatly help with your network policies.

The suitability of the solution for those who can't afford a large and highly specialised security staff is corroborated by the makeup of Imprivata's customer base. At the recent Infosec show, for example, Imprivata hosted a presentation from Gary Bellfield of Tayside Fire and Rescue, typical of the type of user who can benefit from the system, with a small staff on a tight public sector budget providing services to a large user community in a critical service industry.

With so many SSO projects stalling over the past couple of years or being de-scoped due to time and budget over-runs, it is good to see the industry trying to introduce more of an element of simplicity into the process. ®
