Depending on which study you believe, the average company has anywhere from a dozen to hundreds of applications that require user log-ins.
SSO (single sign-on) is a promising solution to this security problem. An SSO product, such as Imprivata Inc.’s OneSign 2.5, enables a user to log in once to an authoritative system that then handles the actual log-ins to other systems and applications.
The OneSign 2.5 appliance inconspicuously captures users’ log-in information as they log in to applications and then allows them to log in once using a strong password, ID token, or biometric authentication and access all the applications they need.
Ready, Set, Secure
Setting up the OneSign is easy. A default IP address is provided, so an administrator can perform the initial configuration via a browser rather than through a serial connection. Once the administrator enters network information, he or she must also provide the initial directory that will be used to import user and group information. The OneSign does not store user and group information in a separate database; rather, the solution imports it from an Active Directory, NT Domain, NetWare, or Sun ONE (LDAP) directory.
In addition to the actual appliance, there are two other major components to the OneSign solution. The OneSign Agent resides on each workstation, replacing the normal Windows log-in box. The agent intercepts the standard initial log-in to Windows and uses it to authenticate to the OneSign server. It is deployed using the standard Windows Installer application. The APG (Application Profile Generator) creates a profile for each enterprise application, specifying how log-ins are accomplished.
The biometric log-in option proved effective in my tests. I used fingerprint modules supplied by Imprivata. After the training process, the readers worked consistently and more easily than typing a password.
Watch and Learn
The APG offers an easy approach to creating connectors to each application. Rather than having a programmer write a connector for each app, the APG watches the log-in process and creates an XML document that enables log-ins for each app. The XML document is then stored by OneSign, and all users with access to that application can log in.
The XML documents only describe how the log-in process works; the actual passwords are securely stored in an encrypted database on the appliance, which is accessible only by the administrator. It is only accessible via a subnet, on that is separate from the incoming verification requests.
OneSign also offers security logging of all user and application events, offering a way to trace problems. The workstation agents pass data to the appliance for central access and monitoring, so checking individual logs isn’t necessary. The data collected includes what applications have been accessed, user log-in/log-out times and dates, and lockout incidents when the allowed number of log-in attempts are exceeded.
Although the OneSign is not cheap, at US$16,000 for 200 users, plus US$10,000 for the fingerprint option, it offers an easy way to implement single sign-on across the enterprise, which can result in much higher security, both internally and externally.