Imprivata OneSign Single Sign-On

Imprivata OneSign Single Sign-On (OneSign SSO) quickly and effectively solves password management, security and user access issues. OneSign SSO enables single sign-on for ALL applications - legacy, client/server, and web - without requiring any custom scripting, changes to existing directories, or inconvenient end-user workflow changes.

Imprivata OneSign is shipped as a hardware appliance pair - there is nothing else to buy, install or maintain. The power of OneSign is that it’s ALL in the box. You can seamlessly enable additional capabilities as your needs evolve - all with a simple license key.

Benefits of Imprivata OneSign Single Sign-On

Seamless Physical Access Control System Integration

OneSign Physical/Logical has built in integration for Physical Access Control systems:

  • Tyco/Software House - C•CURE
  • Lenel Systems International – OnGuard
  • S2 Security - NetBoX

Identity Mapping – One “Converged” Virtual Identity

Today, identities in physical access security systems and their related access policy are independent from identities and access policy managed on the IT security side of the organization. This creates security gaps, heightening the opportunity for threats to enterprise assets.

OneSign Physical/Logical maps identities between physical access systems and IT directories to enable one converged policy for allowing or denying network access based on a user’s physical location and badge events, organizational role, and/or employee status.

Location-based Authentication

To better secure building facilities and conduct employee roll calls in the event of an emergency, many companies have anti-tailgating policies which seek to prohibit employees or visitors from gaining entry to a workplace location by following in on the heels of a co-worker who has just badged into a door entry reader.

Unfortunately, anti-tailgating policies are difficult to enforce. OneSign Physical/Logical incorporates a user’s location and building card access events (have you badged into the building or zone?) as a factor when determining authentication to the network, thus improving the ability to enforce anti-tailgating policies.

Using OneSign Physical/Logical, companies can cost effectively enforce anti-tailgating by tying an employee’s network access to use of their physical access card when entering the workplace.

Further still, location-based authentication can be leveraged to apply a finer grain of authentication to sensitive network resources. For example, policy can specify that only certain groups of individuals, say email server administrators, can log onto email servers within a secured room, and only after they have first badged into that room.

Instant User Lock-Out

For most organizations, latency between revoking a user’s identity from the physical access control system and deprovisioning their respective IT and VPN directory identities takes days or weeks - and sometimes the deprovisioning never happens. This creates serious security gaps for protecting company confidential information.

OneSign Physical/Logical closes these gaps. With mapped identities and access policy, when an employee leaves the company and is revoked from the physical access control system, the user is also locked out of access to both the local network and remote VPN - instantly - regardless of the user’s identity status in other directories, thus mitigating the threat of former employees accessing network assets with malicious intent.
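The converged policy that the location-based authentication and instant lock-out sections describe, as an added illustration that is not Imprivata code: the identity map, the resource-to-zone policy, the time window and the badge data are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class BadgeEvent:
    zone: str
    ts: datetime

@dataclass
class PacsIdentity:
    """Badge holder record as a physical access control system holds it (constructed)."""
    active: bool
    events: list = field(default_factory=list)

# Hypothetical identity mapping: directory account -> badge id in the physical system
IDENTITY_MAP = {"jsmith": "B-1001", "mailadmin": "B-2002", "exemployee": "B-3003"}
# Hypothetical resource policy: resource -> zone the user must already have badged into
RESOURCE_ZONE = {"workstation": "building", "mailserver": "secure-room"}
DEMO_NOW = datetime(2024, 1, 15, 9, 0)  # fixed clock so the demo is reproducible

def evaluate_logon(user, resource, pacs, now, window=timedelta(hours=12)):
    """Return (allowed, reason). Any missing precondition is a deny."""
    badge_id = IDENTITY_MAP.get(user)
    if badge_id is None:
        return False, "no mapped physical identity"
    rec = pacs.get(badge_id)
    if rec is None or not rec.active:
        # Revocation in the badge system locks the network account out at once,
        # independently of what other directories still say about the user.
        return False, "badge revoked or unknown"
    zone = RESOURCE_ZONE.get(resource, "building")
    badged_in = any(e.zone == zone and now - window <= e.ts <= now for e in rec.events)
    if not badged_in:
        return False, f"no badge-in to {zone} within {window}"
    return True, "ok"

def sample_pacs(now):
    """Constructed badge data: jsmith badged into the building; mailadmin badged into
    the building but not the secure room; exemployee's badge has been revoked."""
    return {
        "B-1001": PacsIdentity(True, [BadgeEvent("building", now - timedelta(hours=1))]),
        "B-2002": PacsIdentity(True, [BadgeEvent("building", now - timedelta(hours=2))]),
        "B-3003": PacsIdentity(False, [BadgeEvent("building", now - timedelta(minutes=5))]),
    }

if __name__ == "__main__":
    pacs = sample_pacs(DEMO_NOW)
    for user, res in [("jsmith", "workstation"), ("mailadmin", "mailserver"),
                      ("exemployee", "workstation"), ("ghost", "workstation")]:
        print(user, res, evaluate_logon(user, res, pacs, DEMO_NOW))
```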

Monitoring and Reporting

The ability to monitor and report on who is accessing what, from where, and when is a critical component to demonstrating compliance, both for the purpose of government regulations and corporate governance.

OneSign’s robust monitoring and reporting engine allows organizations to compile the sequence of events between a user’s physical access activities and network use to provide detailed user access reports and administrator notifications, thus improving the ability to demonstrate regulatory compliance.

Broad Support for Strong Authentication

OneSign Authentication Management provides native support for a broad range of authentication options. Customers can offer their users choices that best suit their roles. Strong authentication methods are available stand-alone or can be achieved by mix-and-match use of access cards with finger biometrics or passwords – including native integration with VASCO DIGIPASS. Users can even take advantage of pre-existing, low-cost passive access cards as a familiar, easy authentication option without reissuing cards to users.

Application Profile Generator (APG)

The OneSign Single Sign-On Application Profile Generator™ (APG) enables secure and seamless single sign-on and password change support for ALL enterprise applications - without requiring any modifications to existing code. With OneSign’s APG, the arduous task of writing login scripts, or building connectors to each application in order to enable single sign-on is completely eliminated. OneSign’s APG “learns” the behavior of any application’s authentication processes and then generates a single sign-on application profile that stores these attributes in XML. Applications can be single sign-on enabled within minutes. These profiles, together with their corresponding policies, are automatically uploaded to the OneSign appliance by the APG and are ready for deployment and automatic distribution to users at runtime.

With OneSign’s APG, even the most challenging of application password change behaviors and login processes can be learned. The powerful technology can capture and proxy for applications like custom Terminal Emulators, SAP, Oracle Forms, JAVA clients, etc. – all of which have complex or hidden controls that have previously required IT staff to write 'workarounds' or custom scripts to successfully configure single sign-on.

Automated Password Changes

OneSign Single Sign-On allows administrators to implement a clear, straightforward, and secure password policy across all target applications based on users’ primary authentication. For additional security measures, OneSign Single Sign-On has the ability to cycle complex application passwords behind-the-scenes on users’ behalf, enabling realistic enforcement of a strong password policy from one central location.

Self-Service Password (SSPW) Management

Many OneSign Single Sign-On customers will use MS Domain or Novell passwords as a primary authentication mechanism for single sign-on. OneSign Single Sign-On users can reset their primary domain password by adding this optional self-service mechanism. SSPW management requires the user to enroll shared secret information using personalized questions and answers.

Enrollment consists of providing answers to a set of personal questions drawn from a central list. The Administrator decides how many questions must be selected from a list presented to the user and answered during enrollment. The Administrator also decides how many questions must be answered correctly during a SSPW services request. These two settings are part of the security policy and are applied to users.
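The two administrator settings above (how many questions a user must enroll, how many must be answered correctly at reset time) as an added Python model; this is not Imprivata's implementation, and the central question list, the default policy values and the salted PBKDF2 storage of answers are assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed central question list; in practice it is administrator-defined.
CENTRAL_QUESTIONS = {
    "q1": "Name of your first pet?",
    "q2": "City where you were born?",
    "q3": "Make of your first car?",
    "q4": "Surname of your favourite teacher?",
}

class SspwPolicy:
    """The two administrator settings applied to users (default values assumed)."""
    def __init__(self, questions_to_enroll=3, answers_required=2):
        self.questions_to_enroll = questions_to_enroll
        self.answers_required = answers_required

def _normalize(answer):
    # Case and surrounding whitespace should not make a legitimate user fail.
    return " ".join(answer.casefold().split()).encode()

def _digest(answer, salt):
    # Answers are stored only as salted PBKDF2 digests, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, 200_000)

def enroll(policy, chosen):
    """chosen: {question_id: plaintext answer}; returns {question_id: (salt, digest)}."""
    if len(chosen) != policy.questions_to_enroll:
        raise ValueError("must answer exactly %d questions" % policy.questions_to_enroll)
    unknown = set(chosen) - set(CENTRAL_QUESTIONS)
    if unknown:
        raise ValueError("questions not in central list: %s" % sorted(unknown))
    if any(not _normalize(a) for a in chosen.values()):
        raise ValueError("empty answers are not allowed")
    record = {}
    for qid, answer in chosen.items():
        salt = os.urandom(16)
        record[qid] = (salt, _digest(answer, salt))
    return record

def verify(policy, record, answers):
    """Grant the reset only when at least answers_required enrolled answers match."""
    correct = 0
    for qid, (salt, stored) in record.items():
        given = answers.get(qid)
        if given is not None and hmac.compare_digest(_digest(given, salt), stored):
            correct += 1
    return correct >= policy.answers_required
```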

Provisioning Interface

Using OneSign Single Sign-On’s new standards-based Service Provisioning Markup Language (SPML) interface, third party User Provisioning systems can provision and update user accounts, applications and application credentials within OneSign Single Sign-On, eliminating the need to distribute application passwords to end users. Imprivata provisioning partners who have developed out-of-the-box connectors to OneSign Single Sign-On include Courion and Fischer International.

Monitoring and Reporting

OneSign Single Sign-On records all user and application events in a centralized log file, providing a reporting trail accessible to the administrator. User events pertaining to SSO services - including data on which users accessed what applications and when - are collected and consolidated by OneSign Single Sign-On for centralized viewing and reporting. In addition, event logs capture information on user switching and password changes with time stamps and computer attributes that verify authentication and lockout incidents.

Features of Imprivata OneSign Single Sign-On

Hardened, appliance-based packaging
  • Encrypted database
  • Locked ports
  • Hardened operating system
Plug-and-Go
  • Easy to install, configure, deploy and manage
  • Built-in failover and redundancy
  • Nothing else to buy, install or manage
Out-of-the-Box
  • Drag and drop enablement of all applications - Application Profile Generator (APG)
  • Simple and intuitive web-based administrative UI
  • Built-in monitoring and reporting
  • No change to existing infrastructure – directories, applications or workflow
  • Seamless integration with OneSign Physical/Logical; simple license key upgrade
Strong Authentication
  • Built-in support for a wide variety of strong authentication methods, including finger biometrics, smart cards, VASCO DIGIPASS One-Time-Password tokens, building access cards and others
Lowest TCO
  • Minimal consulting/services costs
  • Low end user training/support costs with no disruption to user workflow
