Can single sign-on be simple sign-on?

Review Fundamentally, Single Sign On (SSO) is a straightforward idea. You use a proxy device to authenticate a user, and the proxy then manages all the login idiosyncrasies of the applications they want to access.

Easy to describe, and straightforward to transcribe onto slideware. The devil is, of course, in the detail. For example, how do you know how all of your enterprise applications manage their login? Does the proxy do this for you or do you have to write a login script for each one individually? If you deploy the solution and the application decides it wants a password refresh, is your helpdesk buried by calls from angry users who can't get into the application and do their work?

The other thing we need to realise is that SSO is not an authentication solution in itself; the connection to the proxy can be as open or tightly controlled as you like. The ability to integrate with different authentication technologies, including tokens for example, and to accommodate two-factor authentication mechanisms, is therefore a key consideration. An SSO proxy also needs to be 100 per cent reliable, otherwise it will lock out all users from the system when it fails. Furthermore, security of the SSO solution itself is a big consideration as the proxy necessarily contains the login credentials and access rights of every user on the network.

Implemented appropriately, however, a well-executed SSO solution gives network and security managers a central point for implementing network policies, such as application access rights. This includes the provision of alternative application environments and capabilities to a user depending on the login location and available network bandwidth.

So, it all sounds pretty good, but there is a lot to think about and deal with, often causing SSO projects to turn out a lot more complicated, time consuming and costly than people first envisaged when they embarked on them. Imprivata, however, manufacturers of the OneSign Enterprise Single Sign On (Esso) solution, has set out to simplify the process of getting to the SSO vision with a straightforward no-nonsense appliance. After talking to the company and reviewing a couple of its customers, we were convinced that the Imprivata approach was different enough to be worth highlighting, so here's a bit more detail.

On set-up, the system can import existing directory information from Active Directory, NetWare Directory Services, and others. From here, it allows a variety of pre-defined security management policies to be set up and targeted at individual users or groups.

An important capability of the system is its ability to learn the authentication behaviour of applications by example, which it stores in an XML profile document, including password change procedures. The basic principle is that the system only needs to see an example of a standard login to capture it into the profile, which is then available for subsequent access to that same application. The profile is automatically modified if the application's behaviour changes, which is typically done without custom scripting.

This approach can cut down the time to implement the system dramatically, since minimal or no scripting and connector development is required to set up and maintain proxy access to the various applications.

Policy decisions by the network administrator using the associated management tool then tie users to applications, and at that point the system is ready to use. Given the design, the system can handle subsequent password resets automatically without involving the helpdesk in a live call.

In terms of security, user information is held in separate, encrypted areas of the appliance, protecting it from outside attack, and sign on messaging is also heavily encrypted. With regard to authentication, Imprivata allows the straightforward implementation of two-factor solutions from a variety of popular vendors, with provision for the use of tokens, smartcards, biometrics, etc.

And everything is monitored. Password-related user access events are stored on the appliance, providing monitoring trails that may be used as input to any compliance or other investigation. The system can reveal instances of users sharing confidential credentials, for example.

All-in-all, the Imprivata solution hides a lot of essential smarts away in its redundant configuration, providing a good option for mid size organisations, in particular, to implement convenient secure application access, password management and some important elements of compliance, with additional features that can greatly help with your network policies.

The suitability of solution for those who can't afford a large and highly specialised security staff is corroborated by the makeup of Imprivata's customer base. At the recent Infosec show, for example, Imprivata hosted a presentation from Gary Bellfield of Tayside Fire and Rescue, typical of the type of user who can benefit from the system, with a small staff on a tight public sector budget providing services to a large user community in a critical service industry.

With so many SSO projects stalling over the past couple of years or being de-scoped due to time and budget over-runs, it is good to see the industry trying to introduce more of an an element of simplicity into the process. ®