© 2009 Imprivata, Inc.

A More Secure Front Door: SSO and Strong Authentication


TABLE OF CONTENTS

Introduction
The Advantages of Strong Authentication
The Value of Strong Authentication
Leading Authentication Methods
Considering Environment and Workflow
Choosing Strong Authentication Methods: Key Factors to Consider
Specific Considerations
Making Strong Authentication Work for You
Beyond Strong Authentication
The Imprivata OneSign® Solution for Strong Authentication
What Customers Say About Strong Authentication with Imprivata OneSign
A More Secure Today -- and Tomorrow

INTRODUCTION

Times change. Sometimes they change even faster than we might expect, as recent developments in Strong Authentication have shown. Just a few years ago, the idea of requiring users to provide a second form of identity to gain access to IT resources was seen by many as necessary only for remote access security or top-secret jobs.

Not anymore. Today companies of all types and sizes are deploying Strong Authentication inside the corporate firewall, enterprise-wide -- even within applications. Most regulatory bodies are mandating it, and an increasing number of organizations consider it an essential part of data security best practices. A recent report by the Commission on Cybersecurity for the 44th Presidency recommends it for the government and for consumer companies. As the global economic downturn results in unprecedented workforce reductions, the risk of insider security breaches has never been greater. At the same time, Strong Authentication technologies have become more practical, affordable, easy and flexible to implement.

For all of these reasons, there has never been a better time to take advantage of the increased data security of Strong Authentication. But what form(s) of Strong Authentication are best for you and your organization? What factors should you consider as you evaluate Strong Authentication? What capabilities do you require? What are the opportunities, issues and trade-offs you can expect? Imprivata has published this white paper to help answer these and other key questions.

THE ADVANTAGES OF STRONG AUTHENTICATION

In a recent Forrester Research report, analyst Bill Nagel stated that "MFA (multi-factor authentication) adoption is rising steadily, and even firms not in heavily regulated industries need to adopt." Imprivata's own 2009 survey of customers revealed that nearly 47% had already deployed Strong Authentication and another 45% were considering doing so.

There are several reasons for this growing interest in Strong Authentication, including:

Increased access

Corporate computing environments are no longer closed, self-contained entities. As more internal and external users access corporate applications -- local, host-based and Web-based -- in more ways, from more kinds of devices, the opportunities for unauthorized access will grow dramatically.

Increased awareness

The rising incidence of internal data breaches has alerted corporate executives to the real threats to their information assets -- and the potentially grave consequences for their business operations, customer relations and financial performance. For example:

• A senior financial analyst in the sub-prime lending division of Countrywide Financial stole and sold the Social Security numbers of as many as two million loan applicants over a two-year period.
• Former employees of Lending Tree participated in password sharing with other mortgage lenders, giving them access to the company's customer database, which they used to market their own products and services.
• A former contractor to the State of Massachusetts gained access to a workers' compensation database and stole personal information for use in obtaining fraudulent credit cards.
• A man who worked in the admissions office of Columbia Presbyterian Hospital/Weill Cornell Medical Center stole the Social Security numbers of 50,000 patients and sold them for illegal activities.
• A terminated Fannie Mae IT contractor used his network access to remotely plant a logic bomb that could have destroyed data on 4,000 servers had it been successful.


For each of these examples, there are many more that have not received media coverage or resulted in well-publicized legal action.

Increased regulation

Within the last decade, governments around the world have mandated a series of new IT security measures and processes as part of such acts as Gramm-Leach-Bliley, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) in the US and the Data Protection Act in the UK. Industry regulations such as Basel II, FDIC rules and the US Code of Federal Regulations (CFR), as well as industry standards such as BS7799 in the UK and BS7799-2 and ISO 17799 worldwide, are also mandating stronger authentication. Organizations and corporate officers must comply with these regulations or be subject to fines, legal action and/or loss of brand reputation resulting in negative customer reaction.

More choices

As demand for Strong Authentication has grown, so have the number and variety of commercially available Strong Authentication devices that organizations can deploy. This means organizations are in a better position to choose the types of Strong Authentication that make the best sense for their different user populations. For example, many healthcare workers need solutions that support their workflow with workstation sharing, rapid access, easy user authentication and a way to handle unattended workstations. In contrast, financial services companies need strong authentication methods that make data security the highest priority, with convenience and speed of lesser concern. For most companies, the security benefits of strong authentication cannot come at the expense of employee productivity or customer service levels. In response to these diverse needs, the industry has developed a broad range of Strong Authentication devices, such as laptops with built-in fingerprint swipe sensors, keyboards with smart card readers, computers with built-in cameras and laptops with integrated readers for facility access cards. As a result, organizations today are in a better position to find solutions that meet their unique security needs.

Greater affordability

As competition heats up and technologies advance, the cost of Strong Authentication devices has started to drop significantly, indicating a maturing market. For example, biometric fingerprint scanners were once bulky devices costing upwards of $100 to $200 each. Today small, portable scanners of similar capability can be purchased for under $30. In addition, many manufacturers now produce keyboards, laptop computers and even mobile phones with built-in biometric scanners at little incremental cost, since there is little or no cost for packaging. Similarly, USB proximity card readers that sold for over $100 a few years ago are now selling for less than half that amount as sales volumes increase and the technology becomes commoditized.

Improved reliability

Technological advances have improved the performance and reliability of Strong Authentication technologies to the point that widespread deployment to large user populations is more feasible and manageable.

More applications

While Strong Authentication is still primarily used to confirm user identity before granting network access, organizations have begun to employ it in other innovative ways. For example, some organizations now require user authentication for employees to access business-critical applications, or even when performing certain sensitive transactions. This is happening today in hospitals and pharmacies. As more records and transactions occur online, hospitals are becoming paperless, switching to fully electronic medical records (EMR). Many EMR solutions require prescribers to reconfirm their identities whenever they enter online prescriptions for patient medications. The same is true for many brokers and bankers, who must authenticate themselves before conducting key financial transactions.


Growing virtualization

More organizations are now moving from traditional, distributed, PC-oriented environments to virtual servers and virtual desktops that can be accessed from almost anywhere. This new model effectively removes the links that associate a user with his or her workstation and its physical location, thereby challenging organizations to think in new ways about desktop security and the role of Strong Authentication. Business continuity and pandemic planning often dictate providing employees with IT access from outside the boundaries of the enterprise. It is best practice to use strong authentication to establish the identity of these remote users working offsite.

Analyst recommendations

Analysts are also leading the move to Strong Authentication. An August 2004 report by Gartner ("Assess Authentication Methods for Strong System Security") outlines two primary recommendations for increasing security and reducing password issues: 1) implement password management and 2) utilize strong two-factor authentication. More recently, a 2008 study by Aberdeen Group revealed that organizations enjoying best-in-class security performance had increased their usage of multi-factor Strong Authentication by 300% over a nine-month period. This suggests that the use of multiple factors will continue to gain momentum as a proven means of improving overall security.

Proven results

Above all, the most compelling reason for the growing adoption of Strong Authentication is that it works. According to that same Aberdeen Group study, organizations that have deployed Strong Authentication have realized significant decreases in the number of security-related incidents, the volume of authentication-related helpdesk calls, the costs of secure authentication management and financial losses due to fraud. In particular, the study showed that organizations achieving best-in-class performance were able to reduce by more than one-half the amount of security-related human error, the number of incidents of non-compliance and the total cost of addressing security incidents.

THE VALUE OF STRONG AUTHENTICATION

On the face of it, the logic for implementing strong or two-factor authentication is self-evident: it provides greater protection from unauthorized access. Like the secure vault inside a locked bank, the second authentication factor provides extra protection where it is most needed. But there are other, equally compelling reasons to implement Strong Authentication. They include:

The elimination of passwords

The proliferation of application passwords in recent years has negatively affected productivity and data security in many organizations. Users have difficulty remembering multiple complex passwords and resort to either writing them down, where they can be stolen, or calling IT helpdesks for frequent password resets. By deploying Strong Authentication, organizations can eliminate the need for users to deal with passwords entirely. This permanently solves a common user complaint while reducing resource requirements at IT helpdesks and strengthening security enterprise-wide.

A fast ROI

With the cost of authentication technologies dropping, Strong Authentication has been proven not only to improve security but also to lower helpdesk and security management costs. Experts believe there are several reasons for this. First, Strong Authentication is easier for users than memorizing complex passwords, so they make fewer helpdesk calls for password resets. Strong Authentication also has a definite deterrent effect against potential insider threats, resulting in fewer incidents and thus lower security management costs.


Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they may still be at risk of being found non-compliant. Strong Authentication -- with the proper management, tracking and reporting functionality -- provides demonstrable compliance in the form of audit logs that record all relevant access activity.

Stronger application and transaction-level security

Today more organizations and industries are relying on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed within an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at the points where it can be most effective. For example, there are companies now requiring users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others are mandating Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers.

LEADING AUTHENTICATION METHODS

As the demand for stronger authentication measures has grown, so have the solutions available to organizations. The following are the most prevalent authentication methods in use today.

Passwords

The original and simplest authentication method, passwords became popular because they were simple and relatively effective. As long as users kept their passwords secret, no one else could gain unauthorized access to applications. However, the proliferation of applications requiring passwords made it harder for users to remember multiple passwords, and user-created passwords were often too simple or reused, making them easy to crack.

Strong passwords

To remedy the problems of simple passwords, many organizations began mandating the use of strong passwords -- passwords that are more complex, using numbers and special characters rather than just letters. Unfortunately, strong passwords are often too complex for users themselves to remember, resulting in an upsurge of costly calls to helpdesks for assistance. This in turn has a negative impact on productivity, as users are prevented from doing their work while waiting for password resets. Worse yet, users may leave passwords written down where anyone could steal and use them. In environments such as healthcare, where a clinician has to enter the same logon credentials at each different patient visit, the amount of time spent on this repetitive, unproductive task can be significant.

ID tokens

ID tokens are small devices that generate numeric codes which validate user access for a limited time or for a single use. Some ID token systems, as an extra measure of protection, require the user to type a challenge string into the token before the passcode is generated. Many combine a PIN, entered alongside the one-time password (OTP), for two-factor authentication. Leading ID token vendors include RSA, Secure Computing and Vasco. Traditionally, tokens have been used for employees accessing networks and applications via remote access. There are many forms of tokens, including time-based and event-based tokens. Time-based tokens generate OTPs from a combination of a secret key and the current time, while event-based tokens generate a new OTP each time a button on the device is pressed, from the secret key and a counter that advances with every press.
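As an added illustration that is not part of the Imprivata paper, the following Python reproduces how the time-based and event-based tokens just described compute their codes, using the public HOTP (RFC 4226) and TOTP (RFC 6238) algorithms rather than any vendor's proprietary scheme. The seed (the RFC reference secret), the sample clock values and the look-ahead window are constructed for the example. It goes a little beyond the text by showing the server side as well: how clock drift is tolerated for time-based codes, and how a counter is remembered for event-based codes so that a captured or already-used code is rejected.

```python
"""Added example (not from the Imprivata paper): how time-based and
event-based ID tokens derive their codes, following RFC 4226 (HOTP) and
RFC 6238 (TOTP). Seed, clock values and look-ahead window are constructed."""
import hashlib
import hmac
import struct

# Constructed 20-byte seed (the RFC 4226 reference secret "12345678901234567890").
# A real token's seed is provisioned at enrolment and shared only with the server.
SEED = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter set to the number of
    `step`-second intervals elapsed since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                step: int = 30, skew: int = 1) -> bool:
    """Accept the code for the current interval or any interval within `skew`
    steps either side, tolerating clock drift between token and server.
    The comparison is constant-time."""
    for delta in range(-skew, skew + 1):
        expected = totp(secret, unix_time + delta * step, step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


class HotpVerifier:
    """Server-side state for an event-based token. The last accepted counter
    is remembered so a captured code cannot be replayed, and a small
    look-ahead window re-synchronises a token whose button was pressed
    without a logon following."""

    def __init__(self, secret: bytes, look_ahead: int = 10):
        self.secret = secret
        self.last_counter = -1
        self.look_ahead = look_ahead

    def verify(self, candidate: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, counter), candidate):
                self.last_counter = counter  # every earlier counter is now burned
                return True
        return False


def replay_demo(secret: bytes = SEED) -> tuple:
    """Walk an event-based verifier through: a press whose code was never
    typed, an accepted code, a replay of the older code, a reuse of the
    accepted code, and the next press."""
    v = HotpVerifier(secret)
    return (v.verify(hotp(secret, 1)),   # first press skipped; second accepted
            v.verify(hotp(secret, 0)),   # older code is now behind the window
            v.verify(hotp(secret, 1)),   # same code again: replay rejected
            v.verify(hotp(secret, 2)))   # next press accepted


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(SEED, 0))   # RFC 4226 vector: 755224
    print("TOTP at t=59:  ", totp(SEED, 59))  # RFC 6238 vector 94287082, last six digits
    print("replay demo:   ", replay_demo())   # (True, False, False, True)
```

Running the block prints the RFC reference vectors. In a deployment the seed comes from enrolment, `last_counter` is persisted per token, and the PIN the text mentions is checked separately so that a lost token alone is not enough.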


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets -- and all organizations can benefit from the use of Strong Authentication. Because organizations' environments and their regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly -- and terminate sessions promptly -- at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so that only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.
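Added example, not from the paper: a minimal Python implementation of the re-authentication step in the medication-order and call-center cases above. The session store, the enrolled second-factor table, the audit log and all names are constructed stand-ins for a product's own components. It shows the two checks the healthcare case names (the person re-authenticating owns the logged-in session, and their second factor verifies) together with properties the text leaves implicit but a reviewer would insist on: the proof of re-authentication is bound to the session, expires after a short window, is consumed by the one transaction it authorised, and every denial is logged.

```python
"""Added example (not from the Imprivata paper): transaction-level
re-authentication bound to a session. Session store, enrolment table,
audit log and identifiers are constructed stand-ins."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

REAUTH_MAX_AGE = 60  # seconds a fresh re-authentication stays usable


@dataclass
class Session:
    session_id: str
    user_id: str
    reauth: Optional[tuple] = None  # (issued_at, factor, nonce) of the latest unused re-auth


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, **event) -> None:
        self.events.append({"ts": time.time(), **event})


def second_factor_ok(user_id: str, factor: str, presented: str, enrolled: dict) -> bool:
    """Constructed stand-in for the fingerprint matcher or card reader:
    compares the presented value with the enrolled one in constant time."""
    expected = enrolled.get((user_id, factor))
    return expected is not None and secrets.compare_digest(expected, presented)


def reauthenticate(session: Session, claimed_user: str, factor: str, presented: str,
                   enrolled: dict, audit: AuditLog, now: Optional[float] = None) -> Optional[str]:
    """Check (a) the person re-authenticating owns this session and (b) their
    second factor verifies. On success, bind a single-use nonce to the session."""
    now = time.time() if now is None else now
    if claimed_user != session.user_id:
        audit.record(event="reauth_denied", reason="user_mismatch",
                     session=session.session_id, claimed=claimed_user)
        return None
    if not second_factor_ok(claimed_user, factor, presented, enrolled):
        audit.record(event="reauth_denied", reason="factor_failed",
                     session=session.session_id, user=claimed_user, factor=factor)
        return None
    nonce = secrets.token_hex(16)
    session.reauth = (now, factor, nonce)
    audit.record(event="reauth_ok", session=session.session_id, user=claimed_user, factor=factor)
    return nonce


def submit_order(session: Session, nonce: str, order: dict, audit: AuditLog,
                 now: Optional[float] = None) -> tuple:
    """Accept the sensitive transaction only with a fresh, unused nonce issued
    to this very session. The nonce is consumed whether or not it is still fresh."""
    now = time.time() if now is None else now
    if session.reauth is None:
        return False, "reauth_required"
    issued_at, factor, issued = session.reauth
    if not secrets.compare_digest(issued, nonce):
        return False, "nonce_mismatch"
    session.reauth = None  # single use: the next order needs a new scan
    if now - issued_at > REAUTH_MAX_AGE:
        audit.record(event="order_rejected", reason="reauth_expired",
                     session=session.session_id, user=session.user_id)
        return False, "reauth_expired"
    audit.record(event="order_accepted", session=session.session_id,
                 user=session.user_id, factor=factor, order=order)
    return True, "accepted"


def demo() -> dict:
    """Walk one constructed session through the cases a reviewer would test."""
    enrolled = {("dr_lee", "fingerprint"): "template-0A7C"}        # constructed enrolment
    audit = AuditLog()
    session = Session(session_id="sess-42", user_id="dr_lee")
    order = {"patient": "MRN-1001", "drug": "warfarin 5 mg"}        # constructed order
    results = {}
    results["no_reauth"] = submit_order(session, "", order, audit)
    results["wrong_user"] = reauthenticate(session, "dr_kim", "fingerprint", "template-0A7C", enrolled, audit)
    results["wrong_finger"] = reauthenticate(session, "dr_lee", "fingerprint", "template-FFFF", enrolled, audit)
    nonce = reauthenticate(session, "dr_lee", "fingerprint", "template-0A7C", enrolled, audit)
    results["accepted"] = submit_order(session, nonce, order, audit)
    results["replay"] = submit_order(session, nonce, order, audit)
    t0 = 1_000_000.0
    stale = reauthenticate(session, "dr_lee", "fingerprint", "template-0A7C", enrolled, audit, now=t0)
    results["expired"] = submit_order(session, stale, order, audit, now=t0 + REAUTH_MAX_AGE + 1)
    results["denials_logged"] = sum(e["event"] == "reauth_denied" for e in audit.events)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:16} {outcome}")
```

The same pattern serves the call-center screen: the screen renders only while a nonce is fresh, and the audit events give the auditability the text asks for without the application having to keep its own log.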

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing enterprise single sign-on (ESSO) solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of the devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited to certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then fingerprint biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost -- both for the device and its associated administrative burden -- for each form of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares with the others on these key factors.

Type                     | Ease of Management for IT | Ease of Use for Employees | Compliance Security Level | Cost to Purchase | Cost per User to Deploy*
Password                 | Medium | Medium     | Low      | $    | $
Strong Password          | Low    | Low        | Medium   | $    | $$
ID Token                 | Medium | Medium (1) | High     | $$$  | $$$
Smart Card and USB Token | Low    | Medium (1) | High     | $$$  | $$$
Passive Proximity        | High   | High (1)   | High (2) | $$   | $
Active Proximity         | Medium | High       | Low      | $$$$ | $$
Finger Biometrics        | High   | High (3)   | High     | $$   | $

* Time and resources involved to deploy and maintain the technology or to support the end user.

NOTES
(1) Device needs to be carried by the user and is subject to loss or damage.
(2) When combined with another authentication factor.
(3) Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.
• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.
• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.
• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.
• If you want to repurpose existing technology, then enabling building access or identity cards for logon might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process, you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes onto the directory, or running application software on it, should be avoided because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level -- for re-authentication, for example, immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle the exception situations that could occur while deploying to all client workstations. Adding Strong Authentication should be a pure configuration activity -- not a programming or scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provide out-of-the-box fault tolerance, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an offline mode when the workstation is not connected to the network.

5. How and where are the policies, credentials and log files of the Strong Authentication solution stored and made accessible to administrators?

The Strong Authentication solution should provide secure transmission and storage for all security-sensitive data (e.g., policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burden being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs or licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server-side or client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This ensures that when password changes are initiated in different backend systems, these changes are also immediately made available in the Strong Authentication solution. It also ensures ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments, both Citrix Presentation Server and Windows Terminal Server should be supported; and in server-based computing environments, both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign-On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign-On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign-On is an ideal complementary technology to deploy when Strong Authentication is being introduced, because it improves application-level password security, and it is often used to drive further adoption of Strong Authentication policies.
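Added example, not from the paper: a location-based logon policy of the kind question 9 describes, in Python. The badge log, the zone map, the workstation names and the user names are constructed; a real deployment would read the events from the physical access control system. It spells out the rules a practitioner would want stated before buying such a feature: a badge-in counts only for the zone the workstation sits in, a later badge-out revokes it, a badge-in older than a shift goes stale, and a workstation outside any secure zone carries no location requirement.

```python
"""Added example (not from the Imprivata paper): a logon policy that uses
physical-access (badge) events as a factor, admitting a user at a workstation
only after they have badged into the secure area the workstation sits in.
Badge log, zone map, workstation and user names are all constructed."""
from datetime import datetime, timedelta

BADGE_VALIDITY = timedelta(hours=12)  # a badge-in older than a shift no longer counts

# Constructed badge-reader log: (ISO timestamp, user, zone, direction)
BADGE_EVENTS = [
    ("2009-03-02T07:55:00", "jsmith", "pharmacy", "in"),
    ("2009-03-02T08:10:00", "mjones", "lobby", "in"),
    ("2009-03-02T11:30:00", "jsmith", "pharmacy", "out"),
    ("2009-03-02T12:05:00", "jsmith", "pharmacy", "in"),
]

# Constructed map of workstation to the secure zone it sits in; a workstation
# absent from the map carries no location requirement.
WORKSTATION_ZONE = {"PHARM-WS-01": "pharmacy", "CTRL-ROOM-02": "control_room"}


def present_in_zone(user: str, zone: str, at: datetime, events=BADGE_EVENTS) -> bool:
    """True if the user's most recent badge event for `zone` at or before `at`
    is an 'in' no older than BADGE_VALIDITY. A later 'out' clears presence."""
    state = None
    for ts, who, where, direction in sorted(events):  # ISO timestamps sort chronologically
        t = datetime.fromisoformat(ts)
        if who != user or where != zone or t > at:
            continue
        if direction == "in" and at - t <= BADGE_VALIDITY:
            state = "in"
        else:
            state = "out"  # badged out, or an 'in' too stale to count
    return state == "in"


def logon_decision(user: str, workstation: str, at_iso: str, events=BADGE_EVENTS) -> tuple:
    """Combine the location factor with a logical logon request made at
    `at_iso` (ISO timestamp). Returns ('allow' | 'deny', reason). The
    password or biometric check is assumed to have already succeeded before
    this policy is consulted."""
    at = datetime.fromisoformat(at_iso)
    zone = WORKSTATION_ZONE.get(workstation)
    if zone is None:
        return "allow", "no_location_policy"
    if present_in_zone(user, zone, at, events):
        return "allow", "badged_into_" + zone
    return "deny", "not_badged_into_" + zone


if __name__ == "__main__":
    for user, ws, when in [("jsmith", "PHARM-WS-01", "2009-03-02T08:30:00"),
                           ("jsmith", "PHARM-WS-01", "2009-03-02T11:45:00"),
                           ("mjones", "PHARM-WS-01", "2009-03-02T09:00:00"),
                           ("mjones", "HR-WS-07", "2009-03-02T09:00:00")]:
        print(user, ws, when, logon_decision(user, ws, when))
```

The decision is evaluated at logon time only; tying it to the walk-away and session-termination questions below means re-evaluating it when the user badges out of the zone while still logged in.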

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


Should you have dierent Strong Authentication methods or dierent users1

It makes sense to match the method to usersrsquo roles needs and relative security risks Other actors to con-sider include cost workfow requirements and ease o use

Are there ways to streamline the administration o a Strong Authentication solution 2

Administration can take many orms including vendor-specic requirements management tools and useradministration and the tasks associated with them vary according to the organizationrsquos needs and preer-ences However there are some tasks that are necessary to achieve maximum benet rom the authentica-tion choice such as tracking and reporting Itrsquos also a good idea to ofoad as much o the administrativeburden as possible rom users because their ability to simply ldquoplug and gordquo will help ensure organization-wide acceptance

How can the use o Strong Authentication be made as easy as possible or users3

The key is to choose solutions that are both secure and easily adopted by end users It is important to gainuser acceptance o the type o Strong Authentication beore making a purchase by consulting with them onthe options and their preerences In general users will welcome a solution that does not require them to

alter or abandon their established routines For example in environments where a user is required to carry abadge to gain entry into doors reusing that same device or desktop access can be easily accepted

Once users are authenticated how do we more eectively address security when users walk away 4rom their computers

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types – all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report in real time an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs – accelerating your return on investment right out of the box.

Application/Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

– Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

– Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees – whether loan officers, customer service reps or IT – are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.


For all of these reasons, there's never been a better time to take advantage of the increased data security of Strong Authentication. But what form(s) of Strong Authentication are best for you and your organization? What factors should you consider as you evaluate Strong Authentication? What capabilities do you require? What are the opportunities, issues and trade-offs you can expect? Imprivata has published this white paper to help answer these and other key questions.

THE ADVANTAGES OF STRONG AUTHENTICATION

In a recent Forrester Research report, Analyst Bill Nagel stated that "MFA (multi-factor authentication) adoption is rising steadily, and even firms not in heavily regulated industries need to adopt." Imprivata's own 2009 survey of customers revealed that nearly 47% had already deployed Strong Authentication and another 45% were considering doing so.

There are several reasons for this growing interest in Strong Authentication, including:

Increased access

Corporate computing environments are no longer closed, self-contained entities. As more internal and external users access corporate applications -- local, host-based and Web-based -- in more ways, from more kinds of devices, the opportunities for unauthorized access will grow dramatically.

Increased awareness

The rising incidence of internal data breaches has alerted corporate executives to the real threats to their information assets -- and the potentially grave consequences to their business operations, customer relations and financial performance. For example:

• A senior financial analyst in the sub-prime lending division of Countrywide Financial stole and sold the Social Security numbers of as many as two million loan applicants over a two-year period.
• Former employees of Lending Tree participated in password sharing with other mortgage lenders, giving them access to the company's customer database, which they used to market their own products and services.
• A former contractor to the State of Massachusetts gained access to a workers' compensation database and stole personal information for use in obtaining fraudulent credit cards.
• A man who worked in the admissions office of Columbia Presbyterian Hospital/Weill Cornell Medical Center stole the Social Security numbers of 50,000 patients and sold them for illegal activities.
• A terminated Fannie Mae IT contractor used his network access to remotely plant a logic bomb that could have destroyed data on 4,000 servers had it been successful.


For each of these examples, there are many more that have not received media coverage or resulted in well-publicized legal action.

Increased regulation

Within the last decade, governments around the world have mandated a series of new IT security measures and processes as part of such acts as Gramm-Leach-Bliley, Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) in the US and the Data Protection Act in the UK. Industry regulations such as Basel II, FDIC and the US Code of Federal Regulations (CFR), as well as industry standards such as BS7799 in the UK and BS7799-2 and ISO 17799 worldwide, are also mandating stronger authentication. Organizations and corporate officers must comply with these regulations or be subject to fines, legal action and/or loss of brand reputation resulting in negative customer reaction.

More choices

As demand for Strong Authentication has grown, so have the number and variety of commercially available forms of Strong Authentication devices that organizations can deploy. This means organizations are in a better position to choose the types of Strong Authentication that make the best sense for their different user populations. For example, many healthcare workers need solutions that support their workflow with workstation sharing, rapid access, easy user authentication and a way to handle unattended workstations. In contrast, financial services companies need strong authentication methods that make data security the highest priority, with convenience and speed of lesser concern. For most companies, the security benefits of strong authentication cannot come at the expense of employee productivity or customer service levels. In response to these diverse needs, the industry has developed a broad range of Strong Authentication devices such as laptops with built-in fingerprint biometric swipes, keyboards with smart card readers, computers with built-in cameras and laptops with integrated readers for facility access cards. As a result, organizations today are in a better position to find solutions that meet their unique security needs.

Greater affordability

As competition heats up and technologies advance, the cost of Strong Authentication devices has started to drop significantly, indicating a maturing market. For example, biometric fingerprint scanners were once bulky devices costing upwards of $100 to $200 each. Today, small portable scanners of similar capability can be purchased for under $30. In addition, many manufacturers now produce keyboards, laptop computers and even mobile phones with built-in biometric scanners at little incremental cost, since there is little or no cost for packaging. Similarly, USB proximity card readers that sold for over $100 a few years ago are now selling for less than half that amount as sales volumes increase and the technology becomes commoditized.

Improved reliability

Technological advances have improved the performance and reliability of Strong Authentication technologies to the point that widespread deployment to large user populations is more feasible and manageable.

More applications

While Strong Authentication is still primarily used to confirm user identity before gaining network access, organizations have begun to employ it in other innovative ways. For example, some organizations now require user authentication for employees to access business-critical applications, or even when performing certain sensitive transactions. This is happening today in hospitals and pharmacies. As more records and transactions occur online, hospitals are becoming paperless – switching to fully electronic medical records (EMR). Many EMR solutions require prescribers to reconfirm their identities whenever they enter online prescriptions for patient medications. The same is true for many brokers and bankers, who must authenticate themselves before conducting key financial transactions.


Growing virtualization

More organizations are now moving from traditional distributed, PC-oriented environments to the use of virtual servers and virtual desktops that can be accessed from almost anywhere. This new model effectively removes the links that associate a user with his or her workstation and its physical location, thereby challenging organizations to think in new ways about desktop security and the role of Strong Authentication. Business continuity and pandemic planning often dictate providing employees with IT access from outside the boundaries of the enterprise. It is best practice to use strong authentication to guarantee the identity of these remote users working offsite.

Analyst recommendations

Analysts are also leading the move to Strong Authentication. An August 2004 report by Gartner ("Assess Authentication Methods for Strong System Security") outlines two primary recommendations for increasing security and reducing password issues: 1) implement password management and 2) utilize strong two-factor authentication. More recently, a 2008 study by Aberdeen Group revealed that organizations enjoying best-in-class security performance had increased their usage of multi-factor Strong Authentication by 300% over a nine-month period. This suggests that the use of multiple factors will continue to gain momentum as a proven means of improving overall security.

Proven results

Above all, the most compelling reason for the growing adoption of Strong Authentication is that it works. According to that same Aberdeen Group study, organizations that have deployed Strong Authentication have realized significant decreases in the number of security-related incidents, the volume of authentication-related helpdesk calls, the costs of secure authentication management and financial losses due to fraud. In particular, the study showed that organizations achieving Best-in-Class performance were able to reduce by more than one-half the amount of human error related to security, the number of incidents of non-compliance and the total cost of addressing security incidents.

THE VALUE OF STRONG AUTHENTICATION

On the face of it, the logic for implementing strong or two-factor authentication is self-evident: it provides greater protection from unauthorized access. Like the secure vault inside a locked bank, the second authentication factor provides extra protection where it is most needed. But there are other, equally compelling reasons to implement Strong Authentication. They include:

The elimination of passwords

The proliferation of application passwords in recent years has negatively affected productivity and data security in many organizations. Users have difficulty remembering multiple complex passwords and resort to either writing them down where they can be stolen, or calling IT helpdesks for frequent password resets. By deploying Strong Authentication, organizations can eliminate the need for users to deal with passwords entirely. This permanently solves a common user complaint while reducing resource requirements at IT helpdesks and strengthening security enterprise-wide.

A fast ROI

With the cost of authentication technologies dropping, Strong Authentication has been proven to not only improve security but also lower helpdesk and security management costs. Experts believe there are several reasons for this. First, use of Strong Authentication is easier for users than memorizing complex passwords, so they make fewer helpdesk calls for password resets. Strong Authentication also has a definite deterrent effect against potential insider threats, resulting in fewer incidents and thus lower security management costs.


Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they still may be at risk of being found non-compliant. Strong authentication -- with the proper management, tracking and reporting functionality -- provides demonstrable compliance in the form of audit logs that record all relevant access activity.

Stronger application- and transaction-level security

Today, more organizations and industries are relying on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed within an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at points where it can be most effective. For example, there are companies now requiring users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others are mandating Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers.

LEADING AUTHENTICATION METHODS

As the demand for stronger authentication measures has grown, so have the solutions available to organizations. The following are the most prevalent authentication methods in use today:

Passwords

The original and simplest authentication method, passwords became popular because they were simple and relatively effective. As long as users kept their passwords secret, no one else could gain unauthorized access to applications. However, the proliferation of applications requiring passwords made it harder for users to remember multiple passwords, or the user-created passwords were often too simple or reused, making them easy to crack.

Strong passwords

To remedy the problems of simple passwords, many organizations began mandating the use of strong passwords -- passwords that are more complex, utilizing numbers and special characters rather than just letters. Unfortunately, strong passwords are often too complex for users themselves to remember, resulting in an upsurge of costly calls to helpdesks for assistance. This in turn has a negative impact on productivity, as users are prevented from doing their work while waiting for password resets. Worse yet, users may leave passwords written down where anyone could steal and use them. In environments such as healthcare, where a clinician has to enter the same logon credentials with each different patient visit, the amount of time spent on this repetitive, unproductive task can be significant.

ID tokens

ID tokens are small devices which generate numeric codes that validate user access for a limited time or a single use. Some ID token systems, as an extra measure of protection, require the user to type a challenge string into the token before the passcode is generated. Many combine a PIN to be entered alongside the One-Time Password (OTP) for two-factor authentication. Leading ID token vendors include RSA, Secure Computing and Vasco. Traditionally, tokens have been used for employees accessing networks and applications via remote access. There are many forms of tokens, including time-based and event-based tokens. Time-based tokens generate OTPs based on a combination of a secret key and the current time, while event-based tokens generate OTPs by the press of a button on the device.
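The two token designs described under ID tokens (a secret key combined with the current time, or with a counter advanced by each button press) are standardized as TOTP (RFC 6238) and HOTP (RFC 4226). The following is an added example, not code from this white paper or from any token vendor it names: it generates both kinds of code and shows the server-side checks that matter in practice, clock-drift tolerance for time-based codes and replay rejection with a bounded look-ahead for event-based ones. The shared secret and window sizes are constructed values chosen for illustration.

```python
"""Event-based (HOTP, RFC 4226) and time-based (TOTP, RFC 6238) one-time passwords.

Added example; not code from the white paper or from any token vendor named in it.
The shared secret and the verification windows below are constructed sample values.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

# The RFC 4226 / RFC 6238 reference secret, used here only as a constructed sample.
SAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte picks the window
    window = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(window % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                drift: int = 1, digits: int = 6) -> bool:
    """Server-side check of a time-based code.

    Accepts the current period plus `drift` periods on either side, so a token whose
    clock has wandered by up to drift*step seconds still works. The comparison is
    constant-time so a wrong guess leaks nothing about the correct digits.
    """
    period = unix_time // step
    for delta in range(-drift, drift + 1):
        if hmac.compare_digest(hotp(secret, period + delta, digits), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6) -> Optional[int]:
    """Server-side check of an event-based code.

    The server remembers the last counter it accepted. A code is valid only for a
    counter strictly greater than that (so a replayed code fails) and within
    `look_ahead` presses, which absorbs button presses that never reached the server.
    Returns the counter to store on success, None on failure.
    """
    for candidate in range(last_counter + 1, last_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    now = int(time.time())
    print("time-based code right now:", totp(SAMPLE_SECRET, now))
    first_press = hotp(SAMPLE_SECRET, 1)
    print("event-based code after first press:", first_press)
    # Once counter 1 has been consumed, presenting the same code again is rejected.
    print("replay accepted?", verify_hotp(SAMPLE_SECRET, first_press, last_counter=1) is not None)
```

The assertions below use the published RFC test vectors for the sample secret, so the output can be checked against the standards directly.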


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets -- and all organizations can benefit from the use of Strong Authentication. Because organizations, environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.
• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly -- and terminate sessions promptly -- at that shared workstation.
• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.
• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited for certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost – both for the device and its associated administrative burden – for the forms of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares to the others on these key factors:

Type                      Ease of Management   Ease of Use      Compliance /      Cost to    Cost per User
                          for IT               for Employees    Security Level    Purchase   to Deploy*
Password                  Medium               Medium           Low               $          $
Strong Password           Low                  Low              Medium            $          $$
ID Token                  Medium               Medium (1)       High              $$$        $$$
Smart Card and USB Token  Low                  Medium (1)       High              $$$        $$$
Passive Proximity         High                 High (1)         High (2)          $$         $
Active Proximity          Medium               High (3)         Low               $$$$       $$
Finger Biometrics         High                 High             High              $$         $

* Time and resources involved to deploy and maintain the technology, or to support the end user.

NOTES
1 Device needs to be carried by the user and is subject to loss or damage.
2 When combined with another authentication factor.
3 Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.
• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.
• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.
• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.
• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process, you should ask the following questions about every Strong Authentication solution on your short list:

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level, or re-authentication, for example immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment, or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should be a pure configuration activity, not a programming or scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an offline mode when the workstation is not connected to the network.

5. How and where are policies, credentials and logfiles of the Strong Authentication solution stored and made accessible for administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burdens being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail, and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching, to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments, both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments, both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign-On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign-On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign-On is an ideal complementary technology to deploy when Strong Authentication is being introduced, because it improves application-level password security, and it is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure, and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited, and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
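As an added example (not Imprivata's code, nor a description of any OneSign feature), the Python sketch below shows how a logical access policy can consume physical badge events to implement the location-based rule of question 9, gate sensitive transactions on a fresh strong-factor re-authentication as described under question 2, and close the deprovisioning gap described in this section by revoking both sides at once. Workstation names, area names, user IDs, timestamps and the freshness windows are all constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed facility map: the secure area each workstation sits in.
WORKSTATION_AREA = {"WS-PHARM-01": "pharmacy", "WS-CTRL-07": "control_room"}

# Constructed step-up policy: for each sensitive transaction, how recently
# (seconds) a strong factor must have been presented before it may proceed.
STEP_UP_WINDOW = {"drug_disbursement": 60, "wire_transfer": 120}

STRONG_FACTORS = {"fingerprint", "otp_token", "smart_card", "proximity_card"}


@dataclass
class BadgeEvent:
    user: str
    area: str
    direction: str  # "in" or "out", as reported by the physical access system
    ts: int         # Unix seconds


@dataclass
class AuthEvent:
    user: str
    factor: str     # e.g. "password", "fingerprint", "otp_token"
    ts: int


class AccessPolicy:
    """Decides logon and transaction requests from provisioning state,
    the user's last badge event and the freshness of strong-factor auth."""

    def __init__(self, active_users: List[str]):
        self.active_users = set(active_users)   # mirrored from provisioning
        self.badge_events: List[BadgeEvent] = []
        self.auth_events: List[AuthEvent] = []

    def record_badge(self, ev: BadgeEvent) -> None:
        self.badge_events.append(ev)

    def record_auth(self, ev: AuthEvent) -> None:
        self.auth_events.append(ev)

    def deprovision(self, user: str) -> None:
        # One revocation closes both doors; the gap in the text arises when
        # only the physical side is revoked and network access lingers.
        self.active_users.discard(user)

    def current_area(self, user: str, now: int) -> Optional[str]:
        """Area the user last badged into (None if never, or badged out)."""
        latest: Optional[BadgeEvent] = None
        for ev in self.badge_events:
            if ev.user == user and ev.ts <= now:
                if latest is None or ev.ts >= latest.ts:
                    latest = ev
        if latest is None or latest.direction == "out":
            return None
        return latest.area

    def can_logon(self, user: str, workstation: str, now: int) -> Tuple[bool, str]:
        """Location-based rule: logon only from inside the workstation's area."""
        if user not in self.active_users:
            return False, "user not provisioned"
        required = WORKSTATION_AREA.get(workstation)
        if required is None:
            return False, "unknown workstation"      # fail closed
        area = self.current_area(user, now)
        if area != required:
            return False, f"user not badged into {required} (currently: {area})"
        return True, "ok"

    def can_perform(self, user: str, transaction: str, now: int) -> Tuple[bool, str]:
        """Transaction-level rule: a strong factor must be fresh enough."""
        if user not in self.active_users:
            return False, "user not provisioned"
        window = STEP_UP_WINDOW.get(transaction)
        if window is None:
            return True, "no step-up required"
        for ev in reversed(self.auth_events):
            if ev.user == user and ev.factor in STRONG_FACTORS and 0 <= now - ev.ts <= window:
                return True, f"{ev.factor} presented {now - ev.ts}s ago"
        return False, f"re-authenticate with a strong factor (last {window}s)"


def demo() -> dict:
    """Constructed walk-through of the pharmacy scenario from the text."""
    p = AccessPolicy(active_users=["clin_ann", "it_bob"])
    p.record_badge(BadgeEvent("clin_ann", "pharmacy", "in", 1000))
    p.record_auth(AuthEvent("clin_ann", "fingerprint", 1005))
    results = {
        "logon_in_pharmacy": p.can_logon("clin_ann", "WS-PHARM-01", 1010)[0],
        "logon_wrong_area": p.can_logon("clin_ann", "WS-CTRL-07", 1010)[0],
        "disburse_fresh": p.can_perform("clin_ann", "drug_disbursement", 1030)[0],
        "disburse_stale": p.can_perform("clin_ann", "drug_disbursement", 1100)[0],
    }
    p.record_badge(BadgeEvent("clin_ann", "pharmacy", "out", 1200))
    results["logon_after_badge_out"] = p.can_logon("clin_ann", "WS-PHARM-01", 1210)[0]
    p.deprovision("it_bob")   # HR termination revokes logical access too
    results["terminated_user"] = p.can_logon("it_bob", "WS-CTRL-07", 1300)[0]
    return results
```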

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options, such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application Transaction Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees, whether loan officers, customer service reps or IT, are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 314

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 3

copy 2009 Imprivata Inc

InTRODUCTIOn

Times change Sometimes they change even aster than we might expect as recent developments inStrong Authentication have shown Just a ew years ago the idea o requiring users to provide a second orm oidentity to gain access to IT resources was seen by many as only necessary or remote access security or top-

secret jobs

Not anymore Today companies o all types and sizes are deploying Strong Authentication inside the cor-porate rewall enterprise-wide -- even within applications Most regulatory bodies are mandating it andan increasing number o organizations consider it an essential part odata security best practices A recentreport by the Commission on Cyber security or the 44th President recommends it or the government andconsumer companies As the global economic downturn results in unprecedented workorce reductions thesecurity risk o insider security breaches has never been greater At the same time Strong Authenticationtechnologies have become more practical aordable easy and fexible to implement

For all o these reasons therersquos never been a better time to take advantage o the increased data security oStrong Authentication But what orm(s) o Strong Authentication are best or you and your organizationWhat actors should you consider as you evaluate Strong Authentication What capabilities do you require

What are the opportunities issues and trade-os you can expect Imprivata has published this white paperto help answer these and other key questions

The ADvAnTAgeS OF STROng AUThenTICATIOn

In a recent Forrester Research report Analyst Bill Nagel stated that ldquoMFA (multi-actor authentication) adop-tion is rising steadily and even rms not in heavily regulated industries need to adoptrdquo Imprivatarsquos own 2009survey o customers revealed that nearly 47 had already deployed Strong Authentication and another 45were considering doing so

There are several reasons or this growing interest in Strong Authentication including

Increased access

Corporate computing environments are no longer closed sel-contained entities As more internal and exter-nal users access corporate applications mdash local host-based and Web-based mdash in more ways rom more kindso devices the opportunities or unauthorized access will grow dramatically

Increased awareness

The rising incidence o internal data breaches has alerted corporate executives o the real threats to their in-ormation assets mdash and the potentially grave consequences to their business operations customer relationsand nancial perormance For example

A senbull ior nancial analyst in the sub-prime lending division o Countrywide Financial stole and sold theSocial Security numbers o as many as two million loan applicants over a two-year periodFormer employees o Lending Tree participated inbull password sharing with other mortgage lenders giv-ing them access to the companyrsquos customer database which they used to market their own products andservicesA ormer contractor to the State o Massachusetts gained access to a workersrsquo compensation databasebull

and stole personal inormation or use in obtaining raudulent credit cardsA man who worked in the admissions oce o Columbia Presbyterian HospitalWeill Cornell Medical Cen-bull

ter stole the Social Security numbers o 50000 patients and sold them or illegal activitiesA terminated Fannie Mae IT contractor used his network access to remotely plant a logic bomb that couldbull

have destroyed data on 4000 servers had it been successul

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 414

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 4

For each o these examples there are many more that have not received media coverage or resulted in well-publicized legal action

Increased regulation

Within the last decade governments around the world have mandated a series o new IT security measuresand processes as part o such acts as Gramm-Leach-Bliley Sarbanes-Oxley and Health Insurance Portabilityand Accountability (HIPAA) in the US and the Data Protection Act in the UK Industry regulations such asBasel II FDIC and the US Code o Federal Regulations (CFR) as well as industry standards such as BS7799 inthe UK and BS7799-2 and ISO 17799 worldwide are also mandating stronger authentication Organizationsand corporate ocers must comply with these regulations or be subject to nes legal action andor loss obrand reputation resulting in negative customer reaction

More choices

As demand or Strong Authentication has grown so have the number and variety o commercially-availableorms o Strong Authentication devices that organizations can deploy This means organizations are in abetter position to choose the types o Strong Authentication that make the best sense or their dierent

user populations For example many healthcare workers need solutions that support their workfow withworkstation sharing rapid access easy user authentication and a way to handle unattended workstationsIn contrast nancial services companies need strong authentication methods that make data security thehighest priority with convenience and speed o lesser concern For most companies the security benets ostrong authentication cannot come at the expense o employee productivity or customer service levels Inresponse to these diverse needs the industry has developed a broad range o Strong Authentication devicessuch as laptops with built-in ngerprint biometric swipes keyboards with smart card readers computers withbuilt-in cameras and laptops with integrated readers or acility access cards As a result organizations todayare in a better position to nd solutions that meet their unique security needs

Greater aordability

As competition heats up and technologies advance the cost o Strong Authentication devices has startedto drop signicantly indicating a maturing market For example biometric ngerprint scanners were oncebulky devices costing upwards o $100 to $200 each Today small portable scanners o similar capability canbe purchased or under $30 In addition many manuacturers now produce keyboards laptop computersand even mobile phones with built-in biometric scanners at little incremental cost since there is little or nocost or packaging Similarly USB proximity card readers that sold or over $100 a ew years ago are now sell-ing or less than hal that amount as sales volumes increase and the technology becomes commoditized

Improved reliability

Technological advances have improved the perormance and reliability o Strong Authentication technolo-gies to the point that widespread deployment to large user populations is more easible and manageable

More applications

While Strong Authentication is still primarily used to conrm user identity beore gaining network access or-ganizations have begun to employ it in other innovative ways For example some organizations now requireuser authentication or employees to access business-critical applications or even when perorming certainsensitive transactions This is happening today in hospitals and pharmacies As more records and transactionsoccur online hospitals are becoming paperless ndash switching to ully electronic medical records (EMR) ManyEMR solutions require prescribers to reconrm their identities whenever they enter online prescriptions orpatient medications The same is true or many brokers and bankers who must authenticate themselves be-ore conducting key nancial transactions

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 514

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 5

Growing virtualization

More organizations are now moving rom traditional distributed PC-oriented environments to the use ovirtual servers and virtual desktops that can be accessed rom almost anywhere This new model eectivelyremoves the links that associate a user with his or her workstation and its physical location thereby chal-lenging organizations to think in new ways about desktop security and the role o Strong AuthenticationBusiness continuity and pandemic planning oten dictate providing employees with IT access rom outsidethe boundaries o the enterprise It is best practice to use strong authentication to guarantee the identity othese remote users working osite

Analyst recommendations

Analysts are also leading the move to Strong Authentication An August 2004 report by Gartner (ldquoAssessAuthentication Methods or Strong System Securityrdquo) outlines two primary recommendations or increasingsecurity and reducing password issues 1) implementpassword management and 2) utilize strong two-actor authentication More recently a 2008 study by Aberdeen Group revealed that organizations enjoying best-in-class security perormance had increased their usage o multi-actor Strong Authentication by 300 overa nine-month period This suggests that the use o multiple actors will continue to gain momentum as a

proven means o improving overall security

Proven results

Above all the most compelling reason or the growing adoption o Strong Authentication is that it worksAccording to that same Aberdeen Group study organizations that have deployed Strong Authenticationhave realized signicant decreases in the number o security-related incidents the volume o authentication-related helpdesk calls the costs o secure authentication management and nancial losses due to raud Inparticular the study showed that organizations achieving Best-in-Class perormance were able to reduce bymore than one-hal the amount o human error related to security the number o incidents o non-compli-ance and the total cost o addressing security incidents

The vAlUe OF STROng AUThenTICATIOn

On the ace o it the logic or implementing strong or two-actor authentication is sel-evident it providesgreater protection rom unauthorized access Like the secure vault inside a locked bank the second authen-tication actor provides extra protection where it is most needed But there are other equally compellingreasons to implement Strong Authentication They include

The elimination o passwords

The prolieration o application passwords in recent years has negatively aected productivity and datasecurity in many organizations Users have diculty remembering multiple complex passwords and resortto either writing them down where they can be stolen or calling IT helpdesks or requentpassword resets By deploying Strong Authentication organizations can eliminate the need or users to deal with passwords

entirely This permanently solves a common user complaint while reducing resource requirements at IT help-desks and strengthening security enterprise-wide

A ast ROI

With the cost o authentication technologies dropping Strong Authentication has been proven to not onlyimprove security but also lower helpdesk and security management costs Experts believe there are severalreasons or this First use o Strong Authentication is easier or users than memorizing complex passwordsso they make ewer helpdesk calls or password resets Strong Authentication also has a denite deterrenteect against potential insider threats resulting in ewer incidents and thus lower security managementcosts

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 614

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 6

As the demand or stronger authentication measures has grown so have the solutions available to organiza-tions The ollowing are the most prevalent authentication methods in use today

Passwords

The original and simplest authentication method passwords became popular because they were simple andrelatively eective As long as users kept their passwords secret no one else could gain unauthorized accessto applications However the prolieration o applications requiring passwords made it either harder or us-ers to remember multiple passwords or the user-created passwords were oten too simple or reused making

them easy to crack

Strong passwords

To remedy the problems o simple passwords many organizations began mandating the use o strong pass-words mdash passwords that are more complex utilizing numbers and special characters rather than just lettersUnortunately strong passwords are oten too complex or users themselves to remember resulting in an up-surge o costly calls to helpdesks or assistance This in turn has a negative impact on productivity as users areprevented rom doing their work while waiting or password resets Worse yet users may leave passwordswritten down where anyone could steal and use them In environments such as healthcare where a clinicianhas to enter the same logon credentials with each dierent patient visit the amount o time spent on thisrepetitive unproductive task can be signicant

ID tokens

ID tokens are small devices which generate numeric codes that validate user access or a limited time or a sin-gle use Some ID token systems as an extra measure o protection require the user to type a challenge stringinto the token beore the passcode is generated Many combine a PIN to be entered alongside the One-TimePassword (OTP) or two-actor authentication Leading ID token vendors include RSA Secure Computing andVasco Traditionally tokens have been used or employees accessing networks and applications via remoteaccess There are many orms o tokens including time-based and event-based tokens Time-based tokensgenerate OTPs based on a combination o a secret key and current time while event-based tokens generateOTPs by the press o a button on the device

Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they may still be at risk of being found non-compliant. Strong authentication, with the proper management, tracking and reporting functionality, provides demonstrable compliance in the form of audit logs that record all relevant access activity.

Stronger application and transaction-level security

Today, more organizations and industries are relying on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed within an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at points where it can be most effective. For example, there are companies now requiring users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others are mandating Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers.

LEADING AUTHENTICATION METHODS


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets, and all organizations can benefit from the use of Strong Authentication. Because organizations' environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly, and terminate sessions promptly, at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of the devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited for certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost, both for the device and its associated administrative burden, for the forms of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares to the others on these key factors.

Type                     | Ease of Management for IT | Ease of Use for Employees | Compliance Security Level | Cost to Purchase | Cost per User to Deploy
-------------------------|---------------------------|---------------------------|---------------------------|------------------|------------------------
Password                 | Medium                    | Medium                    | Low                       | $                | $
Strong Password          | Low                       | Low                       | Medium                    | $                | $$
ID Token                 | Medium                    | Medium (1)                | High                      | $$$              | $$$
Smart Card and USB Token | Low                       | Medium (1)                | High                      | $$$              | $$$
Passive Proximity        | High                      | High (1)                  | High (2)                  | $$               | $
Active Proximity         | Medium                    | High (3)                  | Low                       | $$$$             | $$
Finger Biometrics        | High                      | High                      | High                      | $$               | $

Ease of management and ease of use: time and resources involved to deploy and maintain the technology or to support the end user.

NOTES
1. Device needs to be carried by the user and is subject to loss or damage.
2. When combined with another authentication factor.
3. Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.

• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.

• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.

• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.

• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process, you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level, for example for reauthentication immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should also be a pure configuration activity, not a programming/scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an off-line mode when the workstation is not connected to the network.

5. How and where are policies, credentials and logfiles of the Strong Authentication solution stored and made accessible for administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burden being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments, both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments, both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign On is an ideal complementary technology to deploy when Strong Authentication is being introduced, because it improves application-level password security, and it is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution, maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application/Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees, whether loan officers, customer service reps or IT, are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.


For each of these examples, there are many more that have not received media coverage or resulted in well-publicized legal action.

Increased regulation

Within the last decade, governments around the world have mandated a series of new IT security measures and processes as part of such acts as Gramm-Leach-Bliley, Sarbanes-Oxley and Health Insurance Portability and Accountability (HIPAA) in the US and the Data Protection Act in the UK. Industry regulations such as Basel II, FDIC and the US Code of Federal Regulations (CFR), as well as industry standards such as BS7799 in the UK and BS7799-2 and ISO 17799 worldwide, are also mandating stronger authentication. Organizations and corporate officers must comply with these regulations or be subject to fines, legal action and/or loss of brand reputation, resulting in negative customer reaction.

More choices

As demand for Strong Authentication has grown, so have the number and variety of commercially available forms of Strong Authentication devices that organizations can deploy. This means organizations are in a better position to choose the types of Strong Authentication that make the best sense for their different user populations. For example, many healthcare workers need solutions that support their workflow with workstation sharing, rapid access, easy user authentication and a way to handle unattended workstations. In contrast, financial services companies need strong authentication methods that make data security the highest priority, with convenience and speed of lesser concern. For most companies, the security benefits of strong authentication cannot come at the expense of employee productivity or customer service levels. In response to these diverse needs, the industry has developed a broad range of Strong Authentication devices, such as laptops with built-in fingerprint biometric swipes, keyboards with smart card readers, computers with built-in cameras and laptops with integrated readers for facility access cards. As a result, organizations today are in a better position to find solutions that meet their unique security needs.

Greater affordability

As competition heats up and technologies advance, the cost of Strong Authentication devices has started to drop significantly, indicating a maturing market. For example, biometric fingerprint scanners were once bulky devices costing upwards of $100 to $200 each. Today, small portable scanners of similar capability can be purchased for under $30. In addition, many manufacturers now produce keyboards, laptop computers and even mobile phones with built-in biometric scanners at little incremental cost, since there is little or no cost for packaging. Similarly, USB proximity card readers that sold for over $100 a few years ago are now selling for less than half that amount as sales volumes increase and the technology becomes commoditized.

Improved reliability

Technological advances have improved the performance and reliability of Strong Authentication technologies to the point that widespread deployment to large user populations is more feasible and manageable.

More applications

While Strong Authentication is still primarily used to confirm user identity before gaining network access, organizations have begun to employ it in other innovative ways. For example, some organizations now require user authentication for employees to access business-critical applications, or even when performing certain sensitive transactions. This is happening today in hospitals and pharmacies. As more records and transactions occur online, hospitals are becoming paperless, switching to fully electronic medical records (EMR). Many EMR solutions require prescribers to reconfirm their identities whenever they enter online prescriptions for patient medications. The same is true for many brokers and bankers, who must authenticate themselves before conducting key financial transactions.


Growing virtualization

More organizations are now moving from traditional distributed PC-oriented environments to the use of virtual servers and virtual desktops that can be accessed from almost anywhere. This new model effectively removes the links that associate a user with his or her workstation and its physical location, thereby challenging organizations to think in new ways about desktop security and the role of Strong Authentication. Business continuity and pandemic planning often dictate providing employees with IT access from outside the boundaries of the enterprise. It is best practice to use strong authentication to guarantee the identity of these remote users working offsite.

Analyst recommendations

Analysts are also leading the move to Strong Authentication. An August 2004 report by Gartner ("Assess Authentication Methods for Strong System Security") outlines two primary recommendations for increasing security and reducing password issues: 1) implement password management and 2) utilize strong two-factor authentication. More recently, a 2008 study by Aberdeen Group revealed that organizations enjoying best-in-class security performance had increased their usage of multi-factor Strong Authentication by 300% over a nine-month period. This suggests that the use of multiple factors will continue to gain momentum as a proven means of improving overall security.

Proven results

Above all, the most compelling reason for the growing adoption of Strong Authentication is that it works. According to that same Aberdeen Group study, organizations that have deployed Strong Authentication have realized significant decreases in the number of security-related incidents, the volume of authentication-related helpdesk calls, the costs of secure authentication management and financial losses due to fraud. In particular, the study showed that organizations achieving Best-in-Class performance were able to reduce by more than one-half the amount of human error related to security, the number of incidents of non-compliance and the total cost of addressing security incidents.

THE VALUE OF STRONG AUTHENTICATION

On the face of it, the logic for implementing strong or two-factor authentication is self-evident: it provides greater protection from unauthorized access. Like the secure vault inside a locked bank, the second authentication factor provides extra protection where it is most needed. But there are other, equally compelling reasons to implement Strong Authentication. They include:

The elimination of passwords

The proliferation of application passwords in recent years has negatively affected productivity and data security in many organizations. Users have difficulty remembering multiple complex passwords and resort to either writing them down, where they can be stolen, or calling IT helpdesks for frequent password resets. By deploying Strong Authentication, organizations can eliminate the need for users to deal with passwords entirely. This permanently solves a common user complaint while reducing resource requirements at IT helpdesks and strengthening security enterprise-wide.

A fast ROI

With the cost of authentication technologies dropping, Strong Authentication has been proven to not only improve security but also lower helpdesk and security management costs. Experts believe there are several reasons for this. First, use of Strong Authentication is easier for users than memorizing complex passwords, so they make fewer helpdesk calls for password resets. Strong Authentication also has a definite deterrent effect against potential insider threats, resulting in fewer incidents and thus lower security management costs.


LEADING AUTHENTICATION METHODS

As the demand for stronger authentication measures has grown, so have the solutions available to organizations. The following are the most prevalent authentication methods in use today:

Passwords

The original and simplest authentication method, passwords became popular because they were simple and relatively effective. As long as users kept their passwords secret, no one else could gain unauthorized access to applications. However, the proliferation of applications requiring passwords made it either harder for users to remember multiple passwords, or the user-created passwords were often too simple or reused, making them easy to crack.

Strong passwords

To remedy the problems of simple passwords, many organizations began mandating the use of strong passwords: passwords that are more complex, utilizing numbers and special characters rather than just letters. Unfortunately, strong passwords are often too complex for users themselves to remember, resulting in an upsurge of costly calls to helpdesks for assistance. This in turn has a negative impact on productivity, as users are prevented from doing their work while waiting for password resets. Worse yet, users may leave passwords written down where anyone could steal and use them. In environments such as healthcare, where a clinician has to enter the same logon credentials with each different patient visit, the amount of time spent on this repetitive, unproductive task can be significant.

ID tokens

ID tokens are small devices which generate numeric codes that validate user access for a limited time or a single use. Some ID token systems, as an extra measure of protection, require the user to type a challenge string into the token before the passcode is generated. Many combine a PIN to be entered alongside the One-Time Password (OTP) for two-factor authentication. Leading ID token vendors include RSA, Secure Computing and Vasco. Traditionally, tokens have been used for employees accessing networks and applications via remote access. There are many forms of tokens, including time-based and event-based tokens. Time-based tokens generate OTPs based on a combination of a secret key and current time, while event-based tokens generate OTPs by the press of a button on the device.
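The two token families above (secret key plus current time, and a per-press counter) are the standard HOTP/TOTP constructions; the following is an added example, not code from this paper or from any token vendor, showing both generators and a server-side verifier that combines the PIN with the OTP and accepts each time step or counter only once. The seed is the published RFC 4226 test key, and the PIN salt, drift window and look-ahead are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo seed (the RFC 4226 test key); a real token's seed is provisioned per device
# and known only to the token and the authentication server.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per time-based OTP window


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamically
    truncated to 31 bits and reduced modulo 10^digits, zero-padded to the requested length."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): the same construction, with the counter taken from the clock."""
    return hotp(secret, at_time // TIME_STEP, digits)


class OtpVerifier:
    """Server-side state for one user's token: the shared seed, a hash of the PIN (the
    'something you know' factor entered alongside the OTP) and the last accepted counter."""

    def __init__(self, secret: bytes, pin: str, mode: str, digits: int = 6,
                 drift_steps: int = 1, look_ahead: int = 10):
        if mode not in ("time", "event"):
            raise ValueError("mode must be 'time' or 'event'")
        self.secret, self.mode, self.digits = secret, mode, digits
        self.drift_steps = drift_steps       # clock skew tolerated for time-based tokens
        self.look_ahead = look_ahead         # button presses never submitted (event tokens)
        self.pin_salt = b"constructed-salt"  # use os.urandom(16) per user in a real deployment
        self.pin_hash = self._hash_pin(pin)
        self.last_counter = -1               # last accepted counter / time step; -1 = none yet

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.pin_salt, 20_000)

    def verify(self, pin: str, code: str, now: Optional[int] = None) -> bool:
        """Check PIN and OTP together. A counter or time step is accepted at most once, so a
        captured code cannot be replayed, and codes behind the last accepted one are rejected."""
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        if self.mode == "time":
            step = int(time.time() if now is None else now) // TIME_STEP
            candidates = range(step - self.drift_steps, step + self.drift_steps + 1)
        else:
            candidates = range(self.last_counter + 1, self.last_counter + 1 + self.look_ahead)
        matched = None
        for c in candidates:
            if c <= self.last_counter:       # already used, or older than an accepted step
                continue
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code):
                matched = c
                break
        if not pin_ok or matched is None:
            return False
        self.last_counter = matched          # advance; resyncs an event token that skipped ahead
        return True


if __name__ == "__main__":
    # Time-based flow from the text: the code depends on the secret key and the current time.
    clock = 90
    v = OtpVerifier(DEMO_SECRET, "1234", "time")
    code = totp(DEMO_SECRET, clock)
    print("first use:", v.verify("1234", code, now=clock))   # True
    print("replay:   ", v.verify("1234", code, now=clock))   # False: same time step reused
```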

Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they may still be at risk of being found non-compliant. Strong authentication -- with the proper management, tracking and reporting functionality -- provides demonstrable compliance in the form of audit logs that record all relevant access activity.

Stronger application and transaction-level security

Today more organizations and industries are relying on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed within an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at points where it can be most effective. For example, there are companies now requiring users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others are mandating Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers.



CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets, and all organizations can benefit from the use of Strong Authentication. Because organizations' environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly -- and terminate sessions promptly -- at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited for certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost, both for the device and its associated administrative burden, for the forms of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares to the others on these key factors.

Type                      Ease of Management   Ease of Use      Compliance/       Cost to    Cost per User
                          for IT               for Employees    Security Level    Purchase   to Deploy
Password                  Medium               Medium           Low               $          $
Strong Password           Low                  Low              Medium            $          $$
ID Token                  Medium               Medium (1)       High              $$$        $$$
Smart Card and USB Token  Low                  Medium (1)       High              $$$        $$$
Passive Proximity         High                 High (1)         High (2)          $$         $
Active Proximity          Medium               High (3)         Low               $$$$       $$
Finger Biometrics         High                 High             High              $$         $

Ease ratings reflect the time and resources involved to deploy and maintain the technology or to support the end user.

NOTES
1 Device needs to be carried by user and is subject to loss or damage.
2 When combined with another authentication factor.
3 Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.

• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.

• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.

• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.

• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process you should ask the following questions about every Strong Authentication solution on your short list:

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level, for reauthentication, for example, immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should also be a pure configuration activity, not a programming/scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations. This should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an off-line mode when the workstation is not connected to the network.

5. How and where are policies, credentials and log files of the Strong Authentication solution stored and made accessible for administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burdens being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign On is an ideal complementary technology to deploy when Strong Authentication is being introduced, by improving application-level password security, and is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
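The location-based policy described under question 9 above (grant logon only after the user has badged into the secure area) and the gap just described (a terminated employee barred from the building but still able to log on) can both be served by one feed of badge events driving the logical access decision. The following is an added example, not Imprivata's or OneSign's code: the event schema, zone names, users and timestamps are constructed for the demonstration, and every event and decision is written to an audit trail so the control is reportable.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Record layouts below are assumptions for this example; real physical access control
# systems and authentication managers expose their own schemas.


@dataclass
class BadgeEvent:
    ts: int                     # time of the swipe (constructed Unix timestamps)
    user: str
    kind: str                   # "in", "out" or "revoked" (badge disabled, e.g. on termination)
    zone: Optional[str] = None  # reader's area for in/out events


@dataclass
class LogonRequest:
    ts: int
    user: str
    workstation_zone: str       # area the workstation sits in, assumed known per host


@dataclass
class Presence:
    zone: Optional[str] = None  # area the user last badged into; None when outside
    revoked: bool = False


class LocationPolicy:
    """Turns badge events into per-user presence and uses it as a factor in logon decisions."""

    def __init__(self, secure_zones):
        self.secure_zones = set(secure_zones)  # areas where badge-in is required before logon
        self.presence: Dict[str, Presence] = {}
        self.audit: List[str] = []

    def apply_badge_event(self, ev: BadgeEvent) -> None:
        p = self.presence.setdefault(ev.user, Presence())
        if ev.kind == "revoked":
            p.revoked, p.zone = True, None    # physical revocation propagates to logical access
        elif ev.kind == "in":
            p.zone = ev.zone
        elif ev.kind == "out":
            p.zone = None
        else:
            raise ValueError(f"unknown badge event kind: {ev.kind}")
        self.audit.append(f"{ev.ts} BADGE user={ev.user} kind={ev.kind} zone={ev.zone}")

    def decide(self, req: LogonRequest) -> Tuple[bool, str]:
        p = self.presence.get(req.user, Presence())
        if p.revoked:
            ok, reason = False, "badge revoked"
        elif req.workstation_zone not in self.secure_zones:
            ok, reason = True, "zone does not require badge-in"
        elif p.zone == req.workstation_zone:
            ok, reason = True, "user badged into workstation zone"
        else:
            ok, reason = False, f"user presence is {p.zone}, workstation in {req.workstation_zone}"
        self.audit.append(f"{req.ts} LOGON user={req.user} zone={req.workstation_zone} "
                          f"allowed={ok} reason={reason}")
        return ok, reason

    def process(self, records) -> List[Tuple[int, str, bool, str]]:
        """Replay a mixed stream of badge events and logon requests in timestamp order."""
        decisions = []
        for rec in sorted(records, key=lambda r: r.ts):
            if isinstance(rec, BadgeEvent):
                self.apply_badge_event(rec)
            else:
                ok, reason = self.decide(rec)
                decisions.append((rec.ts, rec.user, ok, reason))
        return decisions


# Constructed scenario: the pharmacy and the control room require badge-in; the lobby does
# not. Carol's badge is revoked by the physical system before she tries to log on.
SCENARIO = [
    BadgeEvent(100, "alice", "in", "pharmacy"),
    LogonRequest(110, "alice", "pharmacy"),
    LogonRequest(120, "bob", "pharmacy"),
    BadgeEvent(200, "alice", "out", "pharmacy"),
    LogonRequest(210, "alice", "pharmacy"),
    BadgeEvent(300, "carol", "revoked"),
    LogonRequest(310, "carol", "lobby"),
    LogonRequest(320, "dave", "lobby"),
    BadgeEvent(400, "alice", "in", "control_room"),
    LogonRequest(410, "alice", "pharmacy"),
    LogonRequest(420, "alice", "control_room"),
]


def run_scenario() -> List[Tuple[int, str, bool, str]]:
    policy = LocationPolicy(secure_zones=["pharmacy", "control_room"])
    return policy.process(SCENARIO)


if __name__ == "__main__":
    for ts, user, ok, reason in run_scenario():
        print(ts, user, "ALLOW" if ok else "DENY", reason)
```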

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report in real time an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application/Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple, interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees -- whether loan officers, customer service reps or IT -- are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 514

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 5

Growing virtualization

More organizations are now moving rom traditional distributed PC-oriented environments to the use ovirtual servers and virtual desktops that can be accessed rom almost anywhere This new model eectivelyremoves the links that associate a user with his or her workstation and its physical location thereby chal-lenging organizations to think in new ways about desktop security and the role o Strong AuthenticationBusiness continuity and pandemic planning oten dictate providing employees with IT access rom outsidethe boundaries o the enterprise It is best practice to use strong authentication to guarantee the identity othese remote users working osite

Analyst recommendations

Analysts are also leading the move to Strong Authentication An August 2004 report by Gartner (ldquoAssessAuthentication Methods or Strong System Securityrdquo) outlines two primary recommendations or increasingsecurity and reducing password issues 1) implementpassword management and 2) utilize strong two-actor authentication More recently a 2008 study by Aberdeen Group revealed that organizations enjoying best-in-class security perormance had increased their usage o multi-actor Strong Authentication by 300 overa nine-month period This suggests that the use o multiple actors will continue to gain momentum as a

proven means o improving overall security

Proven results

Above all the most compelling reason or the growing adoption o Strong Authentication is that it worksAccording to that same Aberdeen Group study organizations that have deployed Strong Authenticationhave realized signicant decreases in the number o security-related incidents the volume o authentication-related helpdesk calls the costs o secure authentication management and nancial losses due to raud Inparticular the study showed that organizations achieving Best-in-Class perormance were able to reduce bymore than one-hal the amount o human error related to security the number o incidents o non-compli-ance and the total cost o addressing security incidents

THE VALUE OF STRONG AUTHENTICATION

On the face of it, the logic for implementing strong or two-factor authentication is self-evident: it provides greater protection from unauthorized access. Like the secure vault inside a locked bank, the second authentication factor provides extra protection where it is most needed. But there are other, equally compelling reasons to implement Strong Authentication. They include:

The elimination of passwords

The proliferation of application passwords in recent years has negatively affected productivity and data security in many organizations. Users have difficulty remembering multiple complex passwords and resort to either writing them down where they can be stolen or calling IT helpdesks for frequent password resets. By deploying Strong Authentication, organizations can eliminate the need for users to deal with passwords entirely. This permanently solves a common user complaint while reducing resource requirements at IT helpdesks and strengthening security enterprise-wide.

A fast ROI

With the cost of authentication technologies dropping, Strong Authentication has been proven to not only improve security but also lower helpdesk and security management costs. Experts believe there are several reasons for this. First, use of Strong Authentication is easier for users than memorizing complex passwords, so they make fewer helpdesk calls for password resets. Strong Authentication also has a definite deterrent effect against potential insider threats, resulting in fewer incidents and thus lower security management costs.

Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they still may be at risk of being found non-compliant. Strong authentication -- with the proper management, tracking and reporting functionality -- provides demonstrable compliance in the form of audit logs that record all relevant access activity.

Stronger application and transaction-level security

Today more organizations and industries are relying on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed within an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at points where it can be most effective. For example, there are companies now requiring users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others are mandating Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers.

LEADING AUTHENTICATION METHODS

As the demand for stronger authentication measures has grown, so have the solutions available to organizations. The following are the most prevalent authentication methods in use today:

Passwords

The original and simplest authentication method, passwords became popular because they were simple and relatively effective. As long as users kept their passwords secret, no one else could gain unauthorized access to applications. However, the proliferation of applications requiring passwords made it either harder for users to remember multiple passwords, or the user-created passwords were often too simple or reused, making them easy to crack.

Strong passwords

To remedy the problems of simple passwords, many organizations began mandating the use of strong passwords — passwords that are more complex, utilizing numbers and special characters rather than just letters. Unfortunately, strong passwords are often too complex for users themselves to remember, resulting in an upsurge of costly calls to helpdesks for assistance. This in turn has a negative impact on productivity, as users are prevented from doing their work while waiting for password resets. Worse yet, users may leave passwords written down where anyone could steal and use them. In environments such as healthcare, where a clinician has to enter the same logon credentials with each different patient visit, the amount of time spent on this repetitive, unproductive task can be significant.

ID tokens

ID tokens are small devices which generate numeric codes that validate user access for a limited time or a single use. Some ID token systems, as an extra measure of protection, require the user to type a challenge string into the token before the passcode is generated. Many combine a PIN to be entered alongside the One-Time Password (OTP) for two-factor authentication. Leading ID token vendors include RSA, Secure Computing and Vasco. Traditionally, tokens have been used for employees accessing networks and applications via remote access. There are many forms of tokens, including time-based and event-based tokens. Time-based tokens generate OTPs based on a combination of a secret key and current time, while event-based tokens generate OTPs by the press of a button on the device.


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets — and all organizations can benefit from the use of Strong Authentication. Because organizations' environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore, its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly -- and terminate sessions promptly -- at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited for certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost – both for the device and its associated administrative burden – for the forms of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware, or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares to the others on these key factors.

Type                     | Ease of Management for IT | Ease of Use for Employees | Compliance/Security Level | Cost to Purchase | Cost per User to Deploy
-------------------------|---------------------------|---------------------------|---------------------------|------------------|------------------------
Password                 | Medium                    | Medium                    | Low                       | $                | $
Strong Password          | Low                       | Low                       | Medium                    | $                | $$
ID Token                 | Medium                    | Medium (1)                | High                      | $$$              | $$$
Smart Card and USB Token | Low                       | Medium (1)                | High                      | $$$              | $$$
Passive Proximity        | High                      | High (1)                  | High (2)                  | $$               | $
Active Proximity         | Medium                    | High (3)                  | Low                       | $$$$             | $$
Finger Biometrics        | High                      | High                      | High                      | $$               | $

Ease of Management and Ease of Use: the time and resources involved to deploy and maintain the technology or to support the end user.

NOTES
(1) Device needs to be carried by user and is subject to loss or damage.
(2) When combined with another authentication factor.
(3) Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.

• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.

• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.

• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.

• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process, you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level – for reauthentication, for example, immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should also be a pure configuration activity – not a programming/scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations. This should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an off-line mode when the workstation is not connected to the network.

5. How and where are policies, credentials and logfiles of the Strong Authentication solution stored and made accessible for administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burdens being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments, both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments, both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign On is an ideal complementary technology to deploy when Strong Authentication is being introduced, by improving application-level password security, and is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
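Question 9 above (location as a factor in the authentication policy) and the physical/logical gap just described, as one added example that is not Imprivata's code: a logon policy check that admits a user at a secured workstation group only while that user is currently badged into the required area, treats a badge-out or a stale badge-in as absence, and denies a deprovisioned user immediately even where no location rule applies. The badge log, area names, workstation groups and user names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class BadgeEvent:
    """One door-controller event from the physical access system."""
    user: str
    area: str
    direction: str  # "in" or "out"
    at: datetime


# Constructed sample badge log (not real data).
T0 = datetime(2009, 3, 2, 7, 55)
BADGE_LOG: List[BadgeEvent] = [
    BadgeEvent("jdoe", "pharmacy", "in", T0),
    BadgeEvent("asmith", "control-room", "in", T0 + timedelta(minutes=5)),
    BadgeEvent("asmith", "control-room", "out", T0 + timedelta(hours=1)),
    BadgeEvent("bwong", "lobby", "in", T0 + timedelta(minutes=10)),
]

# Secure areas a user must currently be inside to log on at each workstation group.
# An empty set means no location requirement (ordinary office desktops).
LOCATION_POLICY: Dict[str, Set[str]] = {
    "pharmacy-ws": {"pharmacy"},
    "control-room-ws": {"control-room"},
    "office-ws": set(),
}

# Users whose physical access was revoked; logical access must follow at once,
# closing the "barred from the building but still on the network" gap.
TERMINATED: Set[str] = {"cjones"}


def current_area(user: str, badge_log: List[BadgeEvent], now: datetime,
                 max_age: timedelta = timedelta(hours=12)) -> Optional[str]:
    """Area the user is presently inside, or None. Presence ends on badge-out, and a
    badge-in older than max_age no longer counts (people leave without badging out)."""
    latest: Optional[BadgeEvent] = None
    for ev in badge_log:
        if ev.user == user and ev.at <= now and (latest is None or ev.at > latest.at):
            latest = ev
    if latest is None or latest.direction != "in" or now - latest.at > max_age:
        return None
    return latest.area


def authorize_logon(user: str, workstation_group: str, now: datetime,
                    badge_log: List[BadgeEvent] = BADGE_LOG,
                    policy: Dict[str, Set[str]] = LOCATION_POLICY,
                    terminated: Set[str] = TERMINATED) -> Tuple[bool, str]:
    """Decide whether an already-authenticated user may open a session here.
    Returns (allowed, reason); the reason is what the audit log should record."""
    if user in terminated:
        return False, "deny: user deprovisioned"
    if workstation_group not in policy:
        return False, "deny: unknown workstation group"
    required = policy[workstation_group]
    if not required:
        return True, "allow: no location requirement"
    area = current_area(user, badge_log, now)
    if area in required:
        return True, f"allow: badged into {area}"
    return False, f"deny: not currently badged into {sorted(required)}"


if __name__ == "__main__":
    now = T0 + timedelta(minutes=30)
    for user, group in [("jdoe", "pharmacy-ws"), ("bwong", "pharmacy-ws"),
                        ("asmith", "control-room-ws"), ("cjones", "office-ws")]:
        print(user, group, *authorize_logon(user, group, now))
```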

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types – all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs – accelerating your return on investment right out of the box.

Application Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

– Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

– Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees – whether loan officers, customer service reps or IT – are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 614

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 6

As the demand or stronger authentication measures has grown so have the solutions available to organiza-tions The ollowing are the most prevalent authentication methods in use today

Passwords

The original and simplest authentication method passwords became popular because they were simple andrelatively eective As long as users kept their passwords secret no one else could gain unauthorized accessto applications However the prolieration o applications requiring passwords made it either harder or us-ers to remember multiple passwords or the user-created passwords were oten too simple or reused making

them easy to crack

Strong passwords

To remedy the problems o simple passwords many organizations began mandating the use o strong pass-words mdash passwords that are more complex utilizing numbers and special characters rather than just lettersUnortunately strong passwords are oten too complex or users themselves to remember resulting in an up-surge o costly calls to helpdesks or assistance This in turn has a negative impact on productivity as users areprevented rom doing their work while waiting or password resets Worse yet users may leave passwordswritten down where anyone could steal and use them In environments such as healthcare where a clinicianhas to enter the same logon credentials with each dierent patient visit the amount o time spent on thisrepetitive unproductive task can be signicant

ID tokens

ID tokens are small devices which generate numeric codes that validate user access or a limited time or a sin-gle use Some ID token systems as an extra measure o protection require the user to type a challenge stringinto the token beore the passcode is generated Many combine a PIN to be entered alongside the One-TimePassword (OTP) or two-actor authentication Leading ID token vendors include RSA Secure Computing andVasco Traditionally tokens have been used or employees accessing networks and applications via remoteaccess There are many orms o tokens including time-based and event-based tokens Time-based tokensgenerate OTPs based on a combination o a secret key and current time while event-based tokens generateOTPs by the press o a button on the device

Proven regulatory compliance

Some organizations have implemented measures such as strong password policies designed to comply with regulations such as HIPAA and Sarbanes-Oxley, but lack objective, documented proof that those measures are being followed and enforced. This means they may still be at risk of being found non-compliant. Strong Authentication, with the proper management, tracking and reporting functionality, provides demonstrable compliance in the form of audit logs that record all relevant access activity. For those logs to serve as evidence they need to be complete (every success and failure, with user, method, workstation and time), protected from modification by the people whose access they record, and retained for the period the regulation requires.

Stronger application and transaction-level security

Today more organizations and industries rely on online records and transactions to be more productive, reduce paperwork and support environmental sustainability. As more business tasks are performed in an online environment, organizations have an opportunity to apply additional security measures at both the application and transaction levels. Strong Authentication gives organizations a powerful tool to selectively deploy an additional level of security at the points where it can be most effective. For example, some companies now require users to authenticate their identities before accessing critical enterprise applications such as financial or manufacturing systems. Others mandate Strong Authentication before a user can perform sensitive transactions such as electronic funds transfers. Such a step-up check is only as good as its binding to the session: the re-authentication must be tied to the account that is logged in, not merely to whoever is at the keyboard, and the application should record both the challenge and the transaction it protected.

LEADING AUTHENTICATION METHODS


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets, and all organizations can benefit from the use of Strong Authentication. Because organizations' environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly, and terminate sessions promptly, at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so that only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of the devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS 7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?


Industry-specific benefits

Are there aspects of the authentication method that make it better suited for certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then finger biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost, both for the device and its associated administrative burden, for each form of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware, or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares on these key factors.

Type                      Ease of Management  Ease of Use    Compliance/     Cost to   Cost per User
                          for IT              for Employees  Security Level  Purchase  to Deploy
Password                  Medium              Medium         Low             $         $
Strong Password           Low                 Low            Medium          $         $$
ID Token                  Medium              Medium (1)     High            $$$       $$$
Smart Card and USB Token  Low                 Medium (1)     High            $$$       $$$
Passive Proximity         High                High (1)       High (2)        $$        $
Active Proximity          Medium              High           Low             $$$$      $$
Finger Biometrics         High                High (3)       High            $$        $

$ = time and resources involved to deploy and maintain the technology or to support the end user.

NOTES
(1) Device needs to be carried by the user and is subject to loss or damage.
(2) When combined with another authentication factor.
(3) Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.

• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.

• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.

• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.

• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided wherever possible because of the potential to destabilize the overall system, especially if directory replication is involved. Where a vendor does require a schema extension, treat it as a change to the directory itself (in Active Directory, schema additions cannot be removed, only deactivated): review exactly which attributes are added and test the extension in a replica of the production forest first. The solution should also bind to the directory with a least-privilege service account rather than a directory administrator.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level: for re-authentication, for example, immediately prior to performing a financial transaction or drug disbursement.
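The transaction-level re-authentication described here, and under "Stronger application and transaction-level security" earlier on the page, comes down to a policy gate inside the application. The following added example (not OneSign or ProveID code) shows that gate in Python; the policy table, the session structure and the `verify` callback that stands in for a real second-factor check are constructed for illustration. It enforces the two checks from the healthcare example above: the re-authenticating identity must be the one that owns the session, and the factor must verify, with every challenge and outcome appended to an audit trail.

```python
"""Step-up (transaction-level) re-authentication gate. Added example; not
Imprivata OneSign or ProveID code. The policy table, session shape and the
second-factor `verify` callback are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Maximum age, in seconds, of the last strong authentication that an action
# will accept. 0 means a fresh challenge on every attempt (assumed values).
STEP_UP_POLICY = {
    "view_customer_pii": 300,       # call-center screen with customer data
    "submit_medication_order": 0,   # healthcare: re-prove identity per order
    "funds_transfer": 0,            # banking: per transaction
}


@dataclass
class Session:
    user: str
    primary_auth_at: float                  # when the user logged in
    strong_auth_at: Optional[float] = None  # last successful step-up
    audit: List[dict] = field(default_factory=list)


class ReauthRequired(Exception):
    """Raised by gate() when the caller must run a step-up challenge."""


def _log(session: Session, event: str, action: str, **extra) -> None:
    session.audit.append({"user": session.user, "event": event,
                          "action": action, **extra})


def gate(session: Session, action: str, now: float) -> str:
    """Allow `action` if the session's last strong authentication is fresh
    enough; otherwise raise ReauthRequired. Actions absent from the policy
    need only the primary logon."""
    max_age = STEP_UP_POLICY.get(action)
    if max_age is None:
        _log(session, "access", action, decision="allow")
        return "allow"
    fresh = (session.strong_auth_at is not None
             and now - session.strong_auth_at <= max_age)
    if max_age == 0 or not fresh:
        _log(session, "stepup_challenge", action)
        raise ReauthRequired(action)
    _log(session, "access", action, decision="allow")
    return "allow"


def step_up(session: Session, action: str, claimed_user: str, credential: str,
            verify: Callable[[str, str], bool], now: float) -> str:
    """Resolve a challenge. Two checks, both recorded: (a) the identity being
    proven is the one that owns the session, so a different badge or finger at
    the keyboard cannot satisfy it, and (b) the second factor verifies."""
    if claimed_user != session.user:
        _log(session, "stepup_fail", action, reason="identity_mismatch",
             claimed=claimed_user)
        return "deny"
    if not verify(claimed_user, credential):
        _log(session, "stepup_fail", action, reason="bad_credential")
        return "deny"
    session.strong_auth_at = now
    _log(session, "stepup_ok", action)
    _log(session, "access", action, decision="allow")
    return "allow"


def request(session: Session, action: str, now: float,
            verify: Callable[[str, str], bool],
            reauth: Optional[Tuple[str, str]] = None) -> str:
    """One application request. `reauth` is the (claimed_user, credential)
    pair supplied in answer to a challenge, or None on the first attempt."""
    try:
        return gate(session, action, now)
    except ReauthRequired:
        if reauth is None:
            return "reauth_required"
        return step_up(session, action, reauth[0], reauth[1], verify, now)


def demo_verify(user: str, credential: str) -> bool:
    """Constructed stand-in for the OTP / biometric / card check."""
    return (user, credential) == ("alice", "correct-otp")


if __name__ == "__main__":
    s = Session(user="alice", primary_auth_at=1000.0)
    print(request(s, "read_dashboard", 1001.0, demo_verify))                     # allow
    print(request(s, "view_customer_pii", 1002.0, demo_verify))                  # reauth_required
    print(request(s, "view_customer_pii", 1003.0, demo_verify, ("alice", "correct-otp")))  # allow
    print(request(s, "view_customer_pii", 1200.0, demo_verify))                  # allow, still fresh
    print(request(s, "funds_transfer", 1201.0, demo_verify))                     # reauth_required
    print(request(s, "funds_transfer", 1202.0, demo_verify, ("bob", "correct-otp")))  # deny
    for entry in s.audit:
        print(entry)
```

The audit list is what the compliance sections of this page are asking for: each challenge, each failure with its reason, and each allowed access is a separate record tied to the session's user, so an auditor can see not only that a transfer happened but that it was preceded by a successful step-up for that same account.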

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should be a pure configuration activity, not a programming or scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users on all systems in the enterprise, it is imperative that it provides out-of-the-box fault tolerance, preferably at the lowest possible level, in order to avoid any end-user inconvenience. If possible, strong authentication should continue to work in an offline mode when the workstation is not connected to the network. Offline operation necessarily means that enough material to verify the user (cached credential hashes, OTP seeds or biometric templates) lives on the endpoint, so confirm how that cache is protected at rest and how long it remains valid after a user is disabled centrally.

5. How and where are the policies, credentials and logfiles of the Strong Authentication solution stored and made accessible to administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burden being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs or licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong, multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server- or client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password-management-related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail, and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, those changes are also immediately made available in the Strong Authentication solution. It will also ensure ease of deprovisioning: the moment an account is disabled in the source of record, every enrolled device and cached credential for that user should stop working.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area. The weak points of such a policy are tailgating and missed badge-out events, so the correlation should expire a badge-in after a bounded dwell time rather than trusting it indefinitely.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments both Citrix Presentation Server and Windows Terminal Server environments should be supported; and in server-based computing environments both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign-On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign-On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign-On is an ideal complementary technology to deploy when Strong Authentication is being introduced: it improves application-level password security and is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution, maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, some tasks are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations rely on a locked screen saver or inactivity timeout to address the walk-away problem, but an inactivity lock only engages after the timeout has elapsed, and any activity at the keyboard or mouse, from anyone, resets it, so an unattended session remains open to whoever reaches it first. Imprivata addresses this problem with OneSign Secure Walk-Away, which uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. Imprivata positions OneSign Secure Walk-Away as the only solution that effectively addresses this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of the various departments within the organization, which often have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome is optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people. The flip side is that the single credential now unlocks everything, which is exactly why it should be protected by a strong second factor rather than by a password alone.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
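Item 9 of the evaluation questions (location-based authentication) and the terminated-employee gap just described are both correlation problems: a logon decision that consults the badge system and the HR source of record before it consults anything else. The added Python example below (not Imprivata code) makes that decision over a constructed badge-reader log; the log format, the workstation-to-facility map, the action policy and the HR status table are all assumptions for illustration. A badge-in is trusted only for a bounded dwell time, so a missed badge-out does not leave the door open indefinitely.

```python
"""Correlating physical access (badge events) and HR status with a logon or
action decision. Added example; not Imprivata code. The badge-log format,
workstation-to-facility map, location-bound actions and HR status table are
all constructed for illustration."""
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed badge-reader export: ISO timestamp, user, facility, entry|exit.
BADGE_LOG = """\
2009-03-02T07:58:10 alice PHARMACY entry
2009-03-02T08:02:44 bob   MAIN     entry
2009-03-02T11:30:05 alice PHARMACY exit
2009-03-02T12:15:00 carol MAIN     entry
"""

# Which facility each workstation physically sits in (assumed).
WORKSTATION_FACILITY = {"rx-ws-01": "PHARMACY", "lobby-ws-03": "MAIN"}

# Actions that may only run from inside a given facility, by a user who has
# badged into it (assumed policy).
LOCATION_BOUND_ACTIONS = {"dispense_drug": "PHARMACY"}

# HR source of record (assumed). The badge system already turns carol away;
# logical access must consult the same status or the gap in the text appears.
HR_ACTIVE = {"alice": True, "bob": True, "carol": False}

# A badge-in is trusted for at most this long; it covers missed badge-outs.
MAX_DWELL = timedelta(hours=12)

Event = Tuple[datetime, str, str, str]


def parse_badge_log(text: str) -> List[Event]:
    """Parse the export into (timestamp, user, facility, kind) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, facility, kind = line.split()
        events.append((datetime.fromisoformat(ts), user, facility, kind))
    return events


def present_in(events: List[Event], user: str, facility: str,
               at: datetime, max_dwell: timedelta = MAX_DWELL) -> bool:
    """True if the user's latest badge event at `facility` on or before `at`
    is an entry no older than `max_dwell`. An exit, or a stale entry, means
    the user is not considered present."""
    latest = None
    for ts, u, f, kind in events:
        if u == user and f == facility and ts <= at:
            if latest is None or ts > latest[0]:
                latest = (ts, kind)
    return (latest is not None and latest[1] == "entry"
            and at - latest[0] <= max_dwell)


def authorize(events: List[Event], user: str, workstation: str, action: str,
              at: datetime, remote: bool = False) -> Tuple[str, str]:
    """Decide one logon/action request. Returns (decision, reason), evaluated
    in order: HR status, then location policy, then badge presence."""
    if not HR_ACTIVE.get(user, False):
        return ("deny", "account_terminated")
    required = LOCATION_BOUND_ACTIONS.get(action)
    if required is None:
        return ("allow", "no_location_policy")
    if remote:
        return ("deny", "location_bound_action_from_remote")
    if WORKSTATION_FACILITY.get(workstation) != required:
        return ("deny", "workstation_outside_" + required)
    if not present_in(events, user, required, at):
        return ("deny", "not_badged_into_" + required)
    return ("allow", "badged_in_" + required)


if __name__ == "__main__":
    ev = parse_badge_log(BADGE_LOG)
    t = datetime(2009, 3, 2, 9, 0)
    print(authorize(ev, "alice", "rx-ws-01", "dispense_drug", t))   # allow
    print(authorize(ev, "alice", "rx-ws-01", "dispense_drug",
                    datetime(2009, 3, 2, 12, 0)))                     # deny: badged out
    print(authorize(ev, "bob", "lobby-ws-03", "dispense_drug", t))   # deny: wrong room
    print(authorize(ev, "carol", "", "read_email",
                    datetime(2009, 3, 2, 13, 0), remote=True))        # deny: terminated
```

The order of the checks matters: HR status is evaluated first so that a disabled account is refused everywhere, including over remote access, regardless of what the badge system says, which is the gap the paragraph describes.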

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that might otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application/Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID or Secure Computing tokens, or domain passwords.

OneSign Authentication Management can be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees – whether loan officers, customer service reps or IT – are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities, no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with, because it requires little from users to maintain compliance and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 714

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 814

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 8

COnSIDeRIng envIROnMenT AnD wORkFlOw

Every organization wants to prevent unauthorized access to its inormation assets mdash and all organizationscan benet rom the use oStrong Authentication Because organizations environments and regulatory andworkfow requirements vary greatly dierent authentication technologies and procedures may be calledor For example

In a healthcare environment with strict requirements or tracking pharmaceutical orders clinicians sub-bull

mitting orders electronically are required to conrm their identity to reduce the potential or raudu-lent orders When a clinician lls out the medication order orm the system prompts her to scan herngerprint to validate that a) she is the same person currently logged into the application and b) she isreally who she claims to be Upon successul re-authentication the order is accepted and processed bythe system

A behavioral health oce with shared workstations needs to comply with the patient inormation con-bull

dentiality requirements o the Health Insurance Portability and Accountability Act (HIPAA) Thereoreits clinicians use proximity cards and a solution that allows them to authenticate themselves quickly --and terminate sessions promptly -- at that shared workstation

A customer call center needs to meet PCI or customer privacy requirements or controlling access to thebull

application andor specic screens so only the appropriate personnel can view the inormation and allaccess activities are tracked or auditability Within a logged-in application when a screen with privatecustomer inormation is about to be displayed the system prompts the user to re-authenticate to ensurethat the same authorized person is reviewing the inormation

Other actors to consider include the number o enterprise locations the variety o roles and accessbull

requirements and the use o remote access by traveling employees The proper combination o StrongAuthentication technologies can accommodate these and many other unique requirements

ChOOSIng STROng AUThenTICATIOn MeThODS key FACTORS TO COnSIDeR

In addition to considering your organizationrsquos unique security requirements it is important that you weighthe benets and costs o dierent Strong Authentication choices These include

IT benefts

Is the authentication method easy to deploy enterprise-wide Will it require additional IT resources Is iteasy to integrate with existing ESSO solutions Does it support centralized management Are multiple serv-ers or databases required to set up the solution I using multiple authentication methods what are the setup requirements to make them all work Will end users be burdened i changes are made ater devices aredeployed Is there an easy way to track access events regardless o devices used Can it be used as a deter-rent

User benefts

Is the authentication method easy to use Will end users accept the new process Will it increase user pro-ductivity Does it put an undue burden on users Does it require them to carry a device that could get lostor damaged Will users be concerned about privacy

Compliance benefts

How ully does the authentication method support the regulatory requirements o Sarbanes-Oxley Gramm-Leach-Bliley HIPAA CFR Basel II the UKrsquos Data Protection Act or BS7799 Does it go beyond simple accesscontrol by tracking authentication events and supplying reporting acilities that support auditing require-ments and objectively and easily prove compliance

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 914

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 9

Industry-specifc benefts

Are there aspects o the authentication method that make it better suited or certain industries or unctionalareas For example i employees have to wear gloves to do their jobs then biometrics is not the choice orthe organization

Initial purchase cost

Is the cost o the authentication method worth the resulting improvement inenterprise security Is there acost per user that will grow every time a new user is added What is the replacement cost ndash both or the de-vice and its associated administrative burden ndash or the orms o Strong Authentication

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site Doesthe IT organization need to write custom code add middleware or incur other hardware or sotware costs

The matrix below illustrates how each o the major authentication methods compare to each other on these key actors

Type Ease o Man-agement orIT

Ease o Use orEmployees

Compliance Security Level

Cost to Pur-chase

Cost per Userto Deploy

Password Medium Medium Low $ $

Strong Password Low Low Medium $ $$

ID Token Medium Medium1 High $$$ $$$

Smart Card andUSB Token

Low Medium1 High $$$ $$$

Passive Proximity High High1 High2 $$ $

Active Proximity Medium High3 Low $$$$ $$

Finger Biometrics High High High $$ $

Time and Resources involved to deploy and maintain the technology or to support the end userNOTES1 Device needs to be carried by user and is subject to loss or damage2 When combined with another authentication actor3 Fingerprints can never be lost or orgotten

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.

• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.

• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.

• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.

• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process, you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level, for example by requiring re-authentication immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should be a pure configuration activity, not a programming/scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an off-line mode when the workstation is not connected to the network.

5. How and where are the policies, credentials and logfiles of the Strong Authentication solution stored and made accessible to administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burden being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support "kiosk-style" operation; both client-based and server-based computing environments should be supported; in server-based computing environments, both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments, both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities, such as Single Sign On?

As your IT security needs evolve, you may want to add more capabilities, such as Single Sign On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign On is an ideal complementary technology to deploy when Strong Authentication is being introduced, because it improves application-level password security, and it is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry through doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way, you can be confident in the ability of the system to scale as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today, you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leav-


ing them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
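The terminated-employee gap described above, and the deprovisioning point under question 8 earlier, can both be checked with a periodic reconciliation between the badge system's export and the directory's account export: any account that is still enabled after its badge was revoked (or that has no physical-access record at all) is flagged for review. This is an added example written for this page, not code from Imprivata or from any badge or directory product; the two CSV feeds, their column names, the user names and the grace period are constructed assumptions.

```python
"""Reconcile physical-access revocations against logical accounts (added example)."""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample exports (not real data). Timestamps are unix seconds.
BADGE_FEED = """user,badge_status,changed_at
a.novak,active,1700000000
t.brown,revoked,1700003600
m.ortiz,revoked,1700090000
s.chen,active,1700001000
"""

ACCOUNT_FEED = """user,enabled,remote_access
a.novak,true,true
t.brown,true,true
m.ortiz,false,false
s.chen,true,false
j.ghost,true,true
"""


@dataclass(frozen=True)
class Finding:
    user: str
    reason: str
    open_for_seconds: int | None  # how long the gap has existed, when known


def parse_badges(text: str) -> dict[str, tuple[str, int]]:
    """user -> (badge_status, changed_at) from the assumed badge-system export."""
    return {
        row["user"]: (row["badge_status"], int(row["changed_at"]))
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_accounts(text: str) -> dict[str, tuple[bool, bool]]:
    """user -> (enabled, remote_access) from the assumed directory export."""
    return {
        row["user"]: (row["enabled"] == "true", row["remote_access"] == "true")
        for row in csv.DictReader(io.StringIO(text))
    }


def reconcile(badges: dict[str, tuple[str, int]],
              accounts: dict[str, tuple[bool, bool]],
              now: int, grace_seconds: int = 0) -> list[Finding]:
    """Return enabled accounts whose physical-access state says they should be reviewed."""
    findings: list[Finding] = []
    for user, (enabled, remote) in sorted(accounts.items()):
        if not enabled:
            continue  # already deprovisioned logically; nothing to do
        badge = badges.get(user)
        if badge is None:
            findings.append(Finding(user, "enabled account with no physical-access record", None))
            continue
        status, changed_at = badge
        if status == "revoked" and now - changed_at >= grace_seconds:
            reason = "badge revoked but network account still enabled"
            if remote:
                reason += " (remote access enabled)"
            findings.append(Finding(user, reason, now - changed_at))
    return findings


if __name__ == "__main__":
    for f in reconcile(parse_badges(BADGE_FEED), parse_accounts(ACCOUNT_FEED), now=1700100000):
        hours = "n/a" if f.open_for_seconds is None else f"{f.open_for_seconds / 3600:.1f}h"
        print(f"{f.user:10} {f.reason} [open for {hours}]")
```

Running the reconciliation on a schedule, and feeding its findings into the same reporting channel the paper asks for in question 7, turns the "days or weeks" window into a bounded one without requiring the two systems to share a directory schema.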

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options, such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management, you can easily report in real time an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application Transaction Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees -- whether loan officers, customer service reps or IT -- are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.


CONSIDERING ENVIRONMENT AND WORKFLOW

Every organization wants to prevent unauthorized access to its information assets, and all organizations can benefit from the use of Strong Authentication. Because organizations, environments and regulatory and workflow requirements vary greatly, different authentication technologies and procedures may be called for. For example:

• In a healthcare environment with strict requirements for tracking pharmaceutical orders, clinicians submitting orders electronically are required to confirm their identity to reduce the potential for fraudulent orders. When a clinician fills out the medication order form, the system prompts her to scan her fingerprint to validate that a) she is the same person currently logged into the application and b) she is really who she claims to be. Upon successful re-authentication, the order is accepted and processed by the system.

• A behavioral health office with shared workstations needs to comply with the patient information confidentiality requirements of the Health Insurance Portability and Accountability Act (HIPAA). Therefore, its clinicians use proximity cards and a solution that allows them to authenticate themselves quickly -- and terminate sessions promptly -- at that shared workstation.

• A customer call center needs to meet PCI or customer privacy requirements for controlling access to the application and/or specific screens, so only the appropriate personnel can view the information and all access activities are tracked for auditability. Within a logged-in application, when a screen with private customer information is about to be displayed, the system prompts the user to re-authenticate to ensure that the same authorized person is reviewing the information.

• Other factors to consider include the number of enterprise locations, the variety of roles and access requirements, and the use of remote access by traveling employees. The proper combination of Strong Authentication technologies can accommodate these and many other unique requirements.
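The medication-order and call-center scenarios above, like the transaction-level re-authentication discussed under "Specific Considerations" (question 2) and the ProveID description, all come down to one check that the application must make before a sensitive step: a fresh strong-factor assertion exists, it was issued for this session, and it verified the same principal who is logged in. The block below is an added example written for this page (not Imprivata, OneSign or ProveID code) showing that check with an HMAC-protected assertion; the 60-second freshness window, the accepted factor list, the key and the user names are constructed assumptions.

```python
"""Transaction-level step-up re-authentication bound to the logged-in session (added example)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Assumed policy values for this example.
FRESHNESS_SECONDS = 60
STRONG_FACTORS = {"fingerprint", "smartcard", "otp_token", "proximity_card"}


@dataclass(frozen=True)
class Session:
    session_id: str
    principal: str  # user currently logged into the application


@dataclass(frozen=True)
class Assertion:
    """What the authentication service hands back after a strong factor succeeded."""
    principal: str   # identity the factor actually verified
    factor: str
    session_id: str  # session that requested the step-up
    issued_at: int   # unix seconds
    mac: str         # hex HMAC-SHA256 over the fields above


class StepUpVerifier:
    def __init__(self, key: bytes) -> None:
        self._key = key  # shared between the auth service and the application

    def _mac(self, principal: str, factor: str, session_id: str, issued_at: int) -> str:
        msg = f"{principal}|{factor}|{session_id}|{issued_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def issue(self, principal: str, factor: str, session_id: str, issued_at: int) -> Assertion:
        """Stand-in for the authentication service; called only after the factor verified."""
        return Assertion(principal, factor, session_id, issued_at,
                         self._mac(principal, factor, session_id, issued_at))

    def check(self, session: Session, a: Assertion, now: int) -> tuple[bool, str]:
        """Validate integrity, session binding, principal binding, factor strength and freshness."""
        expected = self._mac(a.principal, a.factor, a.session_id, a.issued_at)
        if not hmac.compare_digest(expected, a.mac):
            return False, "assertion integrity check failed"
        if a.session_id != session.session_id:
            return False, "assertion was issued for a different session"
        if a.principal != session.principal:
            return False, "strong factor verified a different person than the logged-in user"
        if a.factor not in STRONG_FACTORS:
            return False, f"factor {a.factor!r} is not an accepted strong factor"
        age = now - a.issued_at
        if age < 0 or age > FRESHNESS_SECONDS:
            return False, f"assertion is {age}s old; must be within {FRESHNESS_SECONDS}s"
        return True, "ok"


def authorize_transaction(verifier: StepUpVerifier, session: Session, assertion: Assertion,
                          now: int, description: str) -> tuple[bool, dict]:
    """Gate a sensitive step and produce the audit record the paper's reporting questions ask for."""
    ok, reason = verifier.check(session, assertion, now)
    audit = {
        "session": session.session_id,
        "user": session.principal,
        "transaction": description,
        "decision": "ALLOW" if ok else "DENY",
        "reason": reason,
    }
    return ok, audit


if __name__ == "__main__":
    verifier = StepUpVerifier(b"constructed-demo-key")
    session = Session("sess-42", "dr.lee")
    t0 = 1_700_000_000
    good = verifier.issue("dr.lee", "fingerprint", "sess-42", t0)
    print(authorize_transaction(verifier, session, good, t0 + 5, "medication order"))
    # Someone else's fingerprint on the same logged-in session: denied.
    other = verifier.issue("nurse.kim", "fingerprint", "sess-42", t0)
    print(authorize_transaction(verifier, session, other, t0 + 5, "medication order"))
```

The principal comparison is what delivers requirement a) in the healthcare bullet (the same person who is logged in), the factor check delivers b), and the session binding plus freshness window prevent an assertion obtained for one session or one transaction from being replayed for another.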

CHOOSING STRONG AUTHENTICATION METHODS: KEY FACTORS TO CONSIDER

In addition to considering your organization's unique security requirements, it is important that you weigh the benefits and costs of different Strong Authentication choices. These include:

IT benefits

Is the authentication method easy to deploy enterprise-wide? Will it require additional IT resources? Is it easy to integrate with existing ESSO solutions? Does it support centralized management? Are multiple servers or databases required to set up the solution? If using multiple authentication methods, what are the setup requirements to make them all work? Will end users be burdened if changes are made after devices are deployed? Is there an easy way to track access events regardless of the devices used? Can it be used as a deterrent?

User benefits

Is the authentication method easy to use? Will end users accept the new process? Will it increase user productivity? Does it put an undue burden on users? Does it require them to carry a device that could get lost or damaged? Will users be concerned about privacy?

Compliance benefits

How fully does the authentication method support the regulatory requirements of Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, CFR, Basel II, the UK's Data Protection Act or BS7799? Does it go beyond simple access control by tracking authentication events and supplying reporting facilities that support auditing requirements and objectively and easily prove compliance?

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 914

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 9

Industry-specifc benefts

Are there aspects o the authentication method that make it better suited or certain industries or unctionalareas For example i employees have to wear gloves to do their jobs then biometrics is not the choice orthe organization

Initial purchase cost

Is the cost o the authentication method worth the resulting improvement inenterprise security Is there acost per user that will grow every time a new user is added What is the replacement cost ndash both or the de-vice and its associated administrative burden ndash or the orms o Strong Authentication

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site Doesthe IT organization need to write custom code add middleware or incur other hardware or sotware costs

The matrix below illustrates how each o the major authentication methods compare to each other on these key actors

Type Ease o Man-agement orIT

Ease o Use orEmployees

Compliance Security Level

Cost to Pur-chase

Cost per Userto Deploy

Password Medium Medium Low $ $

Strong Password Low Low Medium $ $$

ID Token Medium Medium1 High $$$ $$$

Smart Card andUSB Token

Low Medium1 High $$$ $$$

Passive Proximity High High1 High2 $$ $

Active Proximity Medium High3 Low $$$$ $$

Finger Biometrics High High High $$ $

Time and Resources involved to deploy and maintain the technology or to support the end userNOTES1 Device needs to be carried by user and is subject to loss or damage2 When combined with another authentication actor3 Fingerprints can never be lost or orgotten

By doing a cost-benet analysis o the dierentStrong Authentication approaches you can determine whichtechnologies best meet your organizationrsquos needs and preerences For exampleI ease o use or employees and IT sta is a top priority nger biometrics might be your best choice

I your organization is large or growing rapidly you may want to keep per-user deployment costs low bybull

selecting passive proximity cardsI your organization is in a sensitive industry that demands strong security above all else then smart cardsbull

or ID tokens might make the most senseI your security requirements vary by location or department you may preer to implement dierentbull

authentication methods based on user sophistication and needsI you want to repurpose existing technology then enabling building access or identity cards might bebull

most ecient

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1014

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 10

SpeCIFIC COnSIDeRATIOnS

Even i you have decided which method o authentication is best or you and your organization there are anumber o other more specic actors you should consider beore you make your purchase decision as theycould aect the cost resource requirements and eectiveness o your solution During the evaluation pro-cess you should ask the ollowing questions about everyStrong Authentication solution on your short list

How does the Strong Authentication solution integrate with your existing directory inrastructure1

The Strong Authentication system should not require changes to the existing directory inrastructure Direc-tories are the critical backbone or most IT organizations and keeping them reliable means keeping themas close to their core unctionality as possible Layering additional schema changes or running applicationsotware on the directory should be avoided at all costs because o the potential to destabilize the overallsystem especially i directory replication is involved

How does the Strong Authentication solution aect your existing application inrastructure 2

The Strong Authentication solution should not require any changes to the existing application inrastructureor Windows Web or mainrame applications It should also be able to integrate within applications to en-

sure strong authentication at the transaction level ndash or reauthentication or example immediately prior toperorming a nancial transaction or drug disbursement

How does the Strong Authentication solution integrate into your existing environment3

The Strong Authentication solution should not require any programming in order to integrate into the appli-cation environment or to handle any potential exception situations that could occur during deployment timeto all client workstations Adding Strong Authentication should also be a pure conguration activity ndash not aprogrammingscripting activity Many strong authentication technologies are oered with an SDK to allowcustomized implementations This should not be necessary in most situations

How does the Strong Authentication solution handle disaster recovery and ailover4

With the Strong Authentication solution responsible or managing all Windows authentications o all users inall systems o the enterprise it is imperative that it provides out-o-the-box ault tolerance protection pre-erably at the lowest possible level in order to avoid any potential end-user inconvenience I possible strongauthentication should continue to work in an o-line mode when the workstation is not connected to thenetwork

How and where are policies credentials and logfles o the Strong Authentication solution stored 5and made accessible or administrators

The Strong Authentication solution should provide a secure transmission and storage acility or all security-sensitive data (eg policy inormation credential inormation logging inormation) This requires all data tobe encrypted both in rest and in transit without any conguration burdens to be imposed on the administra-

tors o the Strong Authentication solution

Can the Strong Authentication solution support the management o multiple Strong Authentication6devices Are there any additional costslicenses required or specifc authentication devices or combinationo devices Are there any additional server-side or client-side components that need to be confgured or installed in order to support a specifc strong authentication option

Since the Strong Authentication solution will be replacing the current Windows authentication strategiesit is important that the single authentication action can be reinorced with a choice o strong multi-actorauthentication methods and technologies These Strong Authentication options should also be available inboth online and ofine (disconnected rom the network) modes

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1114

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 11

Does the Strong Authentication solution provide any logging andor reporting acilities Are there7any additional licenses required or this Are there any serverclient-side sotware components required or this

The Strong Authentication solution should provide standardized reporting and notication capabilities that

capture all authentication and password management related events that take place in the system Thesereports and notications should be available through an online Web interace e-mail and scheduled exportmechanisms to remote reporting and archiving systems to ensure compliance requirements are easily met

How does the Strong Authentication solution integrate with metadirectory andor provisioning sys-8tems

The Strong Authentication system should be able to support identity-standard provisioning systems as wellas any uture implementations o SPML-based provisioning and metadirectory systems This will ensure thatwhen password changes are initiated in dierent backend systems these changes will also immediately bemade available in the Strong Authentication solution This will also ensure ease o deprovisioning

How does the Strong Authentication solution integrate existing physical access policies into its logi-9

cal access policies

The Strong Authentication system should provide acilities or location-based authentication so that eachuserrsquos location can be applied as a determining actor in the authentication policy This enables an organiza-tion or example to grant access to an individual only ater that user has badged into a specied companyacility or secure area The ability to apply network access policies that leverage location is extremely useulin situations where it is necessary to conrm that the properly authenticated user is accessing the computerrom within a secure operational work area such as a manuacturing control room or pharmacy area

Does the Strong Authentication solution support ast user switching in thin and thick client archi-10tectures

The Strong Authentication solution should provide support or dierent types o ast user switching to make

the end-user experience o logging in and out as swit and convenient as possible This means that boththick clients and thin clients should support ldquokiosk-stylerdquo operation both client-based and server-based com-puting environments should be supported in server-based computing environments both Citrix PresentationManager and Windows Terminal Server environments should be supported and in server-based computingenvironments both roaming and concurrent sessions should be supported

11. Can the Strong Authentication solution be extended to incorporate additional capabilities, such as Single Sign-On?

As your IT security needs evolve, you may want to add more capabilities, such as Single Sign-On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign-On is an ideal complementary technology to deploy when Strong Authentication is being introduced: it improves application-level password security, and it is often used to drive further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you are still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage, and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution, maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs, and relative security risks. Other factors to consider include cost, workflow requirements, and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools, and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, some tasks are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It is also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with users on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is already required to carry a badge to get through doors, reusing that same device for desktop access is easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many approaches to this issue, but most have been ineffective. Many organizations rely on a locked screen saver or inactivity timeout to address walk-away security, but these leave the session open until the timeout expires, and anyone who reaches the workstation before then can keep it alive by simply moving the mouse. Imprivata addresses this problem with a new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure, and then to automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of the various departments within the organization, which often have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome is optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, it is important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs, and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your help desk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people. It also concentrates access behind that one credential, which is exactly why that credential should itself be protected by Strong Authentication.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited, and it prevents centralized management and control of overall security. In many cases, for example, a terminated employee is immediately barred from re-entering corporate facilities but can still gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and to synchronize control and response.
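The badge-before-login policy from question 9 and the terminated-employee gap described above are straightforward to express as one access decision once badge events reach the authentication system. The following Python is an added illustration, not Imprivata code or the OneSign policy engine: the zone names, the eight-hour badge-validity window, and the event shapes are assumptions made for the example.

```python
"""Make badge (physical access) state a factor in logical access decisions.

Added example, not Imprivata code: zone names, the 8-hour badge-validity
window and the event shapes are assumptions made for this illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass
class BadgeEvent:
    user: str
    zone: str
    action: str       # "in" or "out"
    at: datetime


@dataclass
class LoginRequest:
    user: str
    zone: Optional[str]   # zone the workstation sits in; None for remote (VPN) access
    at: datetime


@dataclass
class PhysicalLogicalPolicy:
    secure_zones: Set[str]                          # zones where a badge-in is a precondition
    badge_validity: timedelta = timedelta(hours=8)  # a badge-in older than this no longer counts
    revoked_users: Set[str] = field(default_factory=set)
    # user -> zone -> time of the most recent badge-in not yet followed by a badge-out
    _presence: Dict[str, Dict[str, datetime]] = field(default_factory=dict)

    def apply_badge_event(self, ev: BadgeEvent) -> None:
        zones = self._presence.setdefault(ev.user, {})
        if ev.action == "in":
            zones[ev.zone] = ev.at
        elif ev.action == "out":
            zones.pop(ev.zone, None)

    def revoke(self, user: str) -> None:
        """Badge revocation from HR/physical security: deny logical access at once
        instead of waiting days for the account to be deprovisioned."""
        self.revoked_users.add(user)
        self._presence.pop(user, None)

    def decide(self, req: LoginRequest) -> Tuple[bool, str]:
        if req.user in self.revoked_users:
            return False, "physical access revoked; logical access denied"
        if req.zone is None or req.zone not in self.secure_zones:
            return True, "workstation has no location requirement"
        badged_in = self._presence.get(req.user, {}).get(req.zone)
        if badged_in is None:
            return False, f"no current badge-in to {req.zone}"
        if req.at < badged_in:
            return False, "badge-in timestamp is later than the login (clock skew or replay)"
        if req.at - badged_in > self.badge_validity:
            return False, f"badge-in to {req.zone} is older than {self.badge_validity}"
        return True, f"badged into {req.zone} at {badged_in.isoformat()}"


def run_demo() -> Dict[str, bool]:
    """Constructed badge feed and login attempts; returns the allow/deny outcome per case."""
    t0 = datetime(2009, 3, 2, 7, 55)
    policy = PhysicalLogicalPolicy(secure_zones={"pharmacy", "control-room"})
    for ev in [
        BadgeEvent("alice", "pharmacy", "in", t0),
        BadgeEvent("bob", "pharmacy", "in", t0 - timedelta(hours=10)),  # stale: badged in yesterday evening
        BadgeEvent("carol", "lobby", "in", t0),                          # in the building, not in the pharmacy
        BadgeEvent("erin", "pharmacy", "in", t0),
        BadgeEvent("erin", "pharmacy", "out", t0 + timedelta(hours=1)),  # left the area
    ]:
        policy.apply_badge_event(ev)
    policy.revoke("dave")  # terminated this morning; VPN account not yet deprovisioned

    requests = {
        "alice_pharmacy": LoginRequest("alice", "pharmacy", t0 + timedelta(minutes=5)),
        "bob_pharmacy_stale_badge": LoginRequest("bob", "pharmacy", t0),
        "carol_pharmacy_no_badge": LoginRequest("carol", "pharmacy", t0),
        "carol_open_office": LoginRequest("carol", "open-office", t0),
        "erin_pharmacy_after_badge_out": LoginRequest("erin", "pharmacy", t0 + timedelta(hours=2)),
        "dave_remote": LoginRequest("dave", None, t0),
    }
    return {name: policy.decide(req)[0] for name, req in requests.items()}
```

Two details matter in practice: a badge-out clears the presence record, so someone who sits down after the user has left the pharmacy does not inherit that user's badge-in, and revocation is a single call that closes the remote-access window described above instead of waiting for the account to be deprovisioned.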

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options, such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards, and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how, and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you respond rapidly to audit inquiries that might otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications.
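Question 7 and the paragraph above both ask for one aggregated view of when, how, and from where each user authenticated, exportable to an archive. The Python below is an added example of what such a report, and the checks an auditor asks for, look like when run over sample events; the key=value log format, site names, and thresholds are constructed for the example and are not Imprivata's format or code.

```python
"""Aggregate authentication events into a who/when/how/where report and flag the
patterns an auditor asks about. Added example: the log format, field names, site
names and thresholds are constructed for this illustration, not Imprivata's."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample events: one event per line, key=value fields.
SAMPLE_LOG = """\
2009-03-02T07:58:11 user=alice method=proximity-card result=success workstation=PHARM-WS03 site=Boston
2009-03-02T08:02:40 user=bob method=password result=failure workstation=ADM-WS11 site=Boston
2009-03-02T08:03:05 user=bob method=password result=failure workstation=ADM-WS11 site=Boston
2009-03-02T08:03:30 user=bob method=password result=failure workstation=ADM-WS11 site=Boston
2009-03-02T08:04:02 user=bob method=password result=success workstation=ADM-WS11 site=Boston
2009-03-02T08:10:00 user=alice method=fingerprint result=success workstation=LAB-WS02 site=Denver
2009-03-02T12:30:00 user=carol method=password result=success workstation=VPN-GW01 site=remote
2009-03-02T12:31:00 user=carol method=password-reset result=success workstation=HELPDESK-01 site=Boston
"""

SECOND_FACTOR_METHODS = {"proximity-card", "fingerprint", "otp-token", "smart-card"}
FAILURE_BURST = 3                      # this many failures ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window before a success is suspicious
TRAVEL_WINDOW = timedelta(minutes=60)  # two physical sites closer in time than this is implausible


def parse_events(text: str) -> List[Dict]:
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = {"at": datetime.fromisoformat(stamp)}
        for item in fields:
            key, _, value = item.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["at"])


def aggregate(events: List[Dict]) -> Dict[str, Dict]:
    """Per-user view: when (first/last success), how (methods), from where (sites, workstations)."""
    report: Dict[str, Dict] = {}
    for ev in events:
        r = report.setdefault(ev["user"], {"first": None, "last": None, "methods": set(),
                                           "sites": set(), "workstations": set(), "failures": 0})
        if ev["result"] != "success":
            r["failures"] += 1
            continue
        r["first"] = r["first"] or ev["at"]
        r["last"] = ev["at"]
        r["methods"].add(ev["method"])
        r["sites"].add(ev["site"])
        r["workstations"].add(ev["workstation"])
    return report


def find_anomalies(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (user, rule) pairs for the patterns that should surface in an audit report."""
    findings = []
    by_user: Dict[str, List[Dict]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        recent_failures: List[datetime] = []
        last_success = None
        for ev in evs:
            if ev["result"] != "success":
                recent_failures.append(ev["at"])
                continue
            # Rule 1: a burst of failures immediately followed by a success (guessing, then a hit)
            if len([t for t in recent_failures if ev["at"] - t <= FAILURE_WINDOW]) >= FAILURE_BURST:
                findings.append((user, "failure-burst-then-success"))
            recent_failures = []
            # Rule 2: successes at two different physical sites too close together in time
            if (last_success and last_success["site"] != ev["site"]
                    and "remote" not in (last_success["site"], ev["site"])
                    and ev["at"] - last_success["at"] <= TRAVEL_WINDOW):
                findings.append((user, "two-sites-within-travel-window"))
            # Rule 3: remote access that relied on a password alone
            if ev["site"] == "remote" and ev["method"] not in SECOND_FACTOR_METHODS:
                findings.append((user, "remote-access-without-second-factor"))
            last_success = ev
    return findings


def export_csv(report: Dict[str, Dict]) -> str:
    """Flatten the aggregate report for scheduled export to an archive or GRC system."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["user", "first_access", "last_access", "methods", "sites", "workstations", "failures"])
    for user in sorted(report):
        r = report[user]
        writer.writerow([user, r["first"].isoformat() if r["first"] else "",
                         r["last"].isoformat() if r["last"] else "",
                         ";".join(sorted(r["methods"])), ";".join(sorted(r["sites"])),
                         ";".join(sorted(r["workstations"])), r["failures"]])
    return out.getvalue()


def run_report(text: str = SAMPLE_LOG):
    events = parse_events(text)
    return aggregate(events), find_anomalies(events), export_csv(aggregate(events))
```

On the sample data the report flags bob's three failures followed by a success, alice's two sites twelve minutes apart, and carol's password-only VPN login; the CSV is what a scheduled export to an archive would carry.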

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs, and installation costs, accelerating your return on investment right out of the box.

Application Transaction-Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID tokens, Secure Computing tokens, or domain passwords.
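For readers who have to put an OTP token behind a RADIUS host, the exchange below is an added, self-contained Python illustration of the RFC 2865 Access-Request and Access-Accept messages as a remote-access gateway and an authentication server exchange them. It is not OneSign code; the shared secret, user name, and OTP value are constructed for the example.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept exchange between a remote-access
gateway and an authentication server that checks a one-time password.

Added example, not OneSign's RADIUS host. Shared secret, user name and OTP value
are constructed; the wire format and MD5 constructions follow RFC 2865 sections
3 and 5.2."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("BB", attr_type, len(value) + 2) + value


def encode_user_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + chunk, chunk
    return out


def decode_user_password(cipher: bytes, secret: bytes, req_auth: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")   # strips the padding (a RADIUS password cannot end in NUL)


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> Tuple[int, int, bytes, Dict[int, bytes]]:
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, data[4:20], attrs


def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


# ---- remote-access gateway (RADIUS client) ----
def client_access_request(user: str, otp: str, secret: bytes, ident: int = 0x2A) -> Tuple[bytes, bytes]:
    req_auth = os.urandom(16)   # fresh per request; binds the reply to this request
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, encode_user_password(otp.encode(), secret, req_auth)))
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def client_check_response(resp: bytes, req_auth: bytes, secret: bytes) -> Optional[int]:
    """Return the response code if its authenticator proves it came from a holder of the secret."""
    code, ident, resp_auth, _ = parse_packet(resp)
    expected = response_authenticator(code, ident, req_auth, resp[20:], secret)
    return code if hmac.compare_digest(expected, resp_auth) else None


# ---- authentication server (RADIUS host) ----
def server_handle(request: bytes, secret: bytes, otp_store: Dict[str, Optional[bytes]]) -> bytes:
    code, ident, req_auth, attrs = parse_packet(request)
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    presented = decode_user_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    expected = otp_store.get(user)
    ok = code == ACCESS_REQUEST and expected is not None and hmac.compare_digest(presented, expected)
    if ok:
        otp_store[user] = None   # one-time: the code is consumed, so a replayed request fails
    resp_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(resp_code, ident, response_authenticator(resp_code, ident, req_auth, b"", secret), b"")


def run_exchange() -> Dict[str, Optional[int]]:
    secret = b"constructed-shared-secret"
    otp_store = {"alice": b"482913"}   # code currently shown on alice's token (constructed)
    req, req_auth = client_access_request("alice", "482913", secret)
    first = client_check_response(server_handle(req, secret, otp_store), req_auth, secret)
    replay = client_check_response(server_handle(req, secret, otp_store), req_auth, secret)
    # An Access-Accept from a party without the shared secret fails the authenticator check.
    forged = build_packet(ACCESS_ACCEPT, 0x2A, os.urandom(16), b"")
    return {"first": first, "replay": replay, "forged": client_check_response(forged, req_auth, secret)}
```

Three properties carry the security of the exchange: the User-Password attribute is obfuscated with MD5 keyed by the shared secret and a per-request Request Authenticator; the Response Authenticator lets the gateway reject an Access-Accept that did not come from a holder of the secret; and the server consumes the OTP on first use, so a captured request cannot be replayed. RADIUS's MD5-based constructions are weak by modern standards, which is why any RADIUS host, this one included, belongs on a protected management network or inside a tunnel.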

OneSign Authentication Management can be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees -- whether loan officers, customer service reps, or IT -- are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures recommended or mandated by regulatory bodies, industry analysts, industry associations, and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the combination of Strong Authentication methods that best suits your business, your organization, and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.


Industry-specific benefits

Are there aspects of the authentication method that make it better or worse suited to certain industries or functional areas? For example, if employees have to wear gloves to do their jobs, then finger biometrics is not the choice for the organization.

Initial purchase cost

Is the cost of the authentication method worth the resulting improvement in enterprise security? Is there a cost per user that will grow every time a new user is added? What is the replacement cost -- both for the device and for its associated administrative burden -- for each form of Strong Authentication?

Deployment cost

Does deployment require physical installation by a technical person on every workstation at every site? Does the IT organization need to write custom code, add middleware, or incur other hardware or software costs?

The matrix below illustrates how each of the major authentication methods compares to the others on these key factors.

Type                      | Ease of Management for IT | Ease of Use for Employees | Compliance / Security Level | Cost to Purchase | Cost per User to Deploy
--------------------------|---------------------------|---------------------------|-----------------------------|------------------|------------------------
Password                  | Medium                    | Medium                    | Low                         | $                | $
Strong Password           | Low                       | Low                       | Medium                      | $                | $$
ID Token                  | Medium                    | Medium (1)                | High                        | $$$              | $$$
Smart Card and USB Token  | Low                       | Medium (1)                | High                        | $$$              | $$$
Passive Proximity         | High                      | High (1)                  | High (2)                    | $$               | $
Active Proximity          | Medium                    | High                      | Low                         | $$$$             | $$
Finger Biometrics         | High                      | High (3)                  | High                        | $$               | $

Cost per user to deploy covers the time and resources involved to deploy and maintain the technology and to support the end user.

Notes:
(1) The device needs to be carried by the user and is subject to loss or damage.
(2) When combined with another authentication factor.
(3) Fingerprints can never be lost or forgotten.

By doing a cost-benefit analysis of the different Strong Authentication approaches, you can determine which technologies best meet your organization's needs and preferences. For example:

• If ease of use for employees and IT staff is a top priority, finger biometrics might be your best choice.
• If your organization is large or growing rapidly, you may want to keep per-user deployment costs low by selecting passive proximity cards.
• If your organization is in a sensitive industry that demands strong security above all else, then smart cards or ID tokens might make the most sense.
• If your security requirements vary by location or department, you may prefer to implement different authentication methods based on user sophistication and needs.
• If you want to repurpose existing technology, then enabling building access or identity cards might be most efficient.


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements, and effectiveness of your solution. During the evaluation process you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web, or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level -- for reauthentication, for example, immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur while deploying to all client workstations. Adding Strong Authentication should be a pure configuration activity, not a programming or scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an offline mode when the workstation is not connected to the network. Offline operation implies that credential verifiers and policy are cached on the workstation, so that cache needs the same protection at rest that the server-side store receives.

5. How and where are the policies, credentials, and log files of the Strong Authentication solution stored and made accessible to administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g., policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burden being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are any additional costs or licenses required for specific authentication devices or combinations of devices? Are any additional server-side or client-side components needed, configured or installed, to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong, multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1114

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 11

Does the Strong Authentication solution provide any logging andor reporting acilities Are there7any additional licenses required or this Are there any serverclient-side sotware components required or this

The Strong Authentication solution should provide standardized reporting and notication capabilities that

capture all authentication and password management related events that take place in the system Thesereports and notications should be available through an online Web interace e-mail and scheduled exportmechanisms to remote reporting and archiving systems to ensure compliance requirements are easily met

How does the Strong Authentication solution integrate with metadirectory andor provisioning sys-8tems

The Strong Authentication system should be able to support identity-standard provisioning systems as wellas any uture implementations o SPML-based provisioning and metadirectory systems This will ensure thatwhen password changes are initiated in dierent backend systems these changes will also immediately bemade available in the Strong Authentication solution This will also ensure ease o deprovisioning

How does the Strong Authentication solution integrate existing physical access policies into its logi-9

cal access policies

The Strong Authentication system should provide acilities or location-based authentication so that eachuserrsquos location can be applied as a determining actor in the authentication policy This enables an organiza-tion or example to grant access to an individual only ater that user has badged into a specied companyacility or secure area The ability to apply network access policies that leverage location is extremely useulin situations where it is necessary to conrm that the properly authenticated user is accessing the computerrom within a secure operational work area such as a manuacturing control room or pharmacy area

Does the Strong Authentication solution support ast user switching in thin and thick client archi-10tectures

The Strong Authentication solution should provide support or dierent types o ast user switching to make

the end-user experience o logging in and out as swit and convenient as possible This means that boththick clients and thin clients should support ldquokiosk-stylerdquo operation both client-based and server-based com-puting environments should be supported in server-based computing environments both Citrix PresentationManager and Windows Terminal Server environments should be supported and in server-based computingenvironments both roaming and concurrent sessions should be supported

Can the Strong Authentication solution be extended to incorporate additional capabilities such as11Single Sign On

As your IT security needs evolve you may want to add more capabilities such as Single Sign On Your StrongAuthentication solution should accommodate these and other capabilities easily Single Sign On is an idealcomplementary technology to deploy when Strong Authentication is being introduced by improving applica-

tion-level password security and is oten used to ensure urther adoption o Strong Authentication policies

MAkIng STROng AUThenTICATIOn wORk FOR yOU

Whether you have already chosen and deployed a Strong Authentication solution or yoursquore still in the evalua-tion process you need a solution you and your organization can live with As Strong Authentication becomesa part o your organizationrsquos daily lie you want it to be as user-riendly easy to manage and ully utilizedas possible The ollowing questions and answers can help you get the most out o your Strong Authentica-tion solution -- maximizing its eectiveness while keeping ongoing costs and administrative requirements toa minimum

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1214

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 12

Should you have dierent Strong Authentication methods or dierent users1

It makes sense to match the method to usersrsquo roles needs and relative security risks Other actors to con-sider include cost workfow requirements and ease o use

Are there ways to streamline the administration o a Strong Authentication solution 2

Administration can take many orms including vendor-specic requirements management tools and useradministration and the tasks associated with them vary according to the organizationrsquos needs and preer-ences However there are some tasks that are necessary to achieve maximum benet rom the authentica-tion choice such as tracking and reporting Itrsquos also a good idea to ofoad as much o the administrativeburden as possible rom users because their ability to simply ldquoplug and gordquo will help ensure organization-wide acceptance

How can the use o Strong Authentication be made as easy as possible or users3

The key is to choose solutions that are both secure and easily adopted by end users It is important to gainuser acceptance o the type o Strong Authentication beore making a purchase by consulting with them onthe options and their preerences In general users will welcome a solution that does not require them to

alter or abandon their established routines For example in environments where a user is required to carry abadge to gain entry into doors reusing that same device or desktop access can be easily accepted

Once users are authenticated how do we more eectively address security when users walk away 4rom their computers

There are many solutions to this issue but most have been ineective Many organizations require a lockedscreen saver or inactivity timeout to address the walk away security issue but these are easily deeated by

just moving the mouse Imprivata is addressing this problem with a unique new solution OneSign SecureWalk-Away It uses a combination o active presence detection and acial biometrics to automatically locka workstation upon user departure and then automatically unlock it when the same user returns OneSignSecure Walk-Away is the only solution to eectively address this issue today

What is the best way to deploy Strong Authentication at multiple locations5

When choosing a device solution make sure it meets both the security needs o the business and theconvenience needs o the users When choosing a management system or your devices pick one that isgeographically scalable and can support a range o Strong Authentication options This way you can becondent in the ability o the system to scale as well as to address the needs o various departments withinthe organization which many times have dierent requirements or Strong Authentication Be sure to ollowthe vendorrsquos list o best practices to ensure your nal outcome will be optimized

beyOnD STROng AUThenTICATIOn

Today you may regard Strong Authentication as a ldquoone-ordquo solution that ullls your most critical needs

or enterprise access security However itrsquos important to know that your Strong Authentication solution canprovide even greater value going orward acting as a platorm or deploying additional capabilities acrossyour organization to urther strengthen security satisy related user needs and reduce costs

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to logon to the network and sign on to all the applications theyare authorized to use on a daily basis by using a single strong password Single Sign-On relieves users o theburden o memorizing multiple passwords increases productivity by helping users avoid getting locked outo systems and lowers resource costs by reducing the number o password reset calls to your helpdesk Aboveall Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leav-

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1314

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 13

ing them where they can be stolen and used by unauthorized people

Combining Strong Authentication with Single Sign-On gives your organization proven security benets asrecommended by leading analysts and security experts At the same time the combination o both solutionsenables you to enorce strong security policies enterprise-wide while increasing user satisaction and requir-ing no disruptive changes to user workfow or behavior

Strong Authentication and Integrated PhysicalLogical Security

In most organizations physical security (systems that control physical access to buildings and work areas)and logical security (systems that control access to IT resources) are separate realms This lack o integrationbetween physical and logical security systems creates gaps that can be exploited and prevents centralizedmanagement and control o overall security In many cases or example a terminated employee may beimmediately barred rom re-entering corporate acilities but may still be able to gain remote access to thecorporate network or days or weeks beore privileges are revoked An integrated physicallogical securitysolution makes it possible to link both security environments synchronize control and response

The IMpRIvATA OneSIgnreg SOlUTIOn FOR STROng AUThenTICATIOn

Imprivata OneSignreg Authentication Management is a unique user authentication solution that integrates abroad range o fexible and powerul strong authentication types ndash all managed rom within a single admin-istrator ramework OneSign eases the cost and complexity o managing independent systems and providesa central location or reporting access events across all Strong Authentication devices strengthening securitywhile reducing the burden o regulatory compliance

Flexible authentication options

OneSign Authentication Management provides native support or a broad range o plug-and-play authen-tication options such as One-Time-Password (OTP) tokens (including built-in control and management sup-port or VASCOreg DIGIPASSreg) nger biometrics smart cards proximity cards building access cards and USBtokens Simply plug them into your workstation and you are ready to go

Consolidated reporting

With OneSign Authentication Management you can easily report in real-time an aggregated view o whenhow and rom where an employee gained access to the network By having all access inormation available atthe push o a button via standardized reporting OneSign Authentication Management provides critical valuein helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation oindependent system logs When adding OneSign Single Sign-On you can also incorporate reporting on useraccess events to applications as well

ROI right out o the box

The power o OneSign Authentication Management is that it comes packaged in a hardened appliance One-Sign Authentication Management is designed to be aordable and easy to adopt Purpose-built or fexible

and rapid enterprise deployment OneSignrsquos appliance-based approach to user authentication dramaticallyminimizes implementation time inrastructure needs and installation costs ndash accelerating your return oninvestment right out o the box

Application Transaction Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSignrsquos strong authenticationservices to positively identiy a user at any point in the application workfow Examples o ProveID in use in-clude banking environments where positive identication o a user is required prior to executing a nancialtransaction and healthcare environments where positive identication o a user is required at the point odrug disbursement


SPECIFIC CONSIDERATIONS

Even if you have decided which method of authentication is best for you and your organization, there are a number of other, more specific factors you should consider before you make your purchase decision, as they could affect the cost, resource requirements and effectiveness of your solution. During the evaluation process you should ask the following questions about every Strong Authentication solution on your short list.

1. How does the Strong Authentication solution integrate with your existing directory infrastructure?

The Strong Authentication system should not require changes to the existing directory infrastructure. Directories are the critical backbone for most IT organizations, and keeping them reliable means keeping them as close to their core functionality as possible. Layering additional schema changes or running application software on the directory should be avoided at all costs because of the potential to destabilize the overall system, especially if directory replication is involved.

2. How does the Strong Authentication solution affect your existing application infrastructure?

The Strong Authentication solution should not require any changes to the existing application infrastructure for Windows, Web or mainframe applications. It should also be able to integrate within applications to ensure strong authentication at the transaction level – for reauthentication, for example, immediately prior to performing a financial transaction or drug disbursement.

3. How does the Strong Authentication solution integrate into your existing environment?

The Strong Authentication solution should not require any programming in order to integrate into the application environment or to handle any potential exception situations that could occur during deployment to all client workstations. Adding Strong Authentication should also be a pure configuration activity – not a programming/scripting activity. Many strong authentication technologies are offered with an SDK to allow customized implementations; this should not be necessary in most situations.

4. How does the Strong Authentication solution handle disaster recovery and failover?

With the Strong Authentication solution responsible for managing all Windows authentications of all users in all systems of the enterprise, it is imperative that it provides out-of-the-box fault tolerance protection, preferably at the lowest possible level, in order to avoid any potential end-user inconvenience. If possible, strong authentication should continue to work in an off-line mode when the workstation is not connected to the network.

5. How and where are policies, credentials and log files of the Strong Authentication solution stored and made accessible for administrators?

The Strong Authentication solution should provide a secure transmission and storage facility for all security-sensitive data (e.g. policy information, credential information, logging information). This requires all data to be encrypted both at rest and in transit, without any configuration burdens being imposed on the administrators of the Strong Authentication solution.

6. Can the Strong Authentication solution support the management of multiple Strong Authentication devices? Are there any additional costs/licenses required for specific authentication devices or combinations of devices? Are there any additional server-side or client-side components that need to be configured or installed in order to support a specific strong authentication option?

Since the Strong Authentication solution will be replacing the current Windows authentication strategies, it is important that the single authentication action can be reinforced with a choice of strong multi-factor authentication methods and technologies. These Strong Authentication options should also be available in both online and offline (disconnected from the network) modes.


7. Does the Strong Authentication solution provide any logging and/or reporting facilities? Are there any additional licenses required for this? Are there any server/client-side software components required for this?

The Strong Authentication solution should provide standardized reporting and notification capabilities that capture all authentication and password management related events that take place in the system. These reports and notifications should be available through an online Web interface, e-mail and scheduled export mechanisms to remote reporting and archiving systems, to ensure compliance requirements are easily met.

8. How does the Strong Authentication solution integrate with metadirectory and/or provisioning systems?

The Strong Authentication system should be able to support identity-standard provisioning systems as well as any future implementations of SPML-based provisioning and metadirectory systems. This will ensure that when password changes are initiated in different backend systems, these changes will also immediately be made available in the Strong Authentication solution. This will also ensure ease of deprovisioning.

9. How does the Strong Authentication solution integrate existing physical access policies into its logical access policies?

The Strong Authentication system should provide facilities for location-based authentication, so that each user's location can be applied as a determining factor in the authentication policy. This enables an organization, for example, to grant access to an individual only after that user has badged into a specified company facility or secure area. The ability to apply network access policies that leverage location is extremely useful in situations where it is necessary to confirm that the properly authenticated user is accessing the computer from within a secure operational work area, such as a manufacturing control room or pharmacy area.

10. Does the Strong Authentication solution support fast user switching in thin and thick client architectures?

The Strong Authentication solution should provide support for different types of fast user switching, to make the end-user experience of logging in and out as swift and convenient as possible. This means that both thick clients and thin clients should support “kiosk-style” operation; both client-based and server-based computing environments should be supported; in server-based computing environments both Citrix Presentation Manager and Windows Terminal Server environments should be supported; and in server-based computing environments both roaming and concurrent sessions should be supported.

11. Can the Strong Authentication solution be extended to incorporate additional capabilities such as Single Sign On?

As your IT security needs evolve, you may want to add more capabilities such as Single Sign On. Your Strong Authentication solution should accommodate these and other capabilities easily. Single Sign On is an ideal complementary technology to deploy when Strong Authentication is being introduced, by improving application-level password security, and is often used to ensure further adoption of Strong Authentication policies.

MAKING STRONG AUTHENTICATION WORK FOR YOU

Whether you have already chosen and deployed a Strong Authentication solution or you're still in the evaluation process, you need a solution you and your organization can live with. As Strong Authentication becomes a part of your organization's daily life, you want it to be as user-friendly, easy to manage and fully utilized as possible. The following questions and answers can help you get the most out of your Strong Authentication solution -- maximizing its effectiveness while keeping ongoing costs and administrative requirements to a minimum.


1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risks. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. However, there are some tasks that are necessary to achieve maximum benefit from the authentication choice, such as tracking and reporting. It's also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply “plug and go” will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. It is important to gain user acceptance of the type of Strong Authentication before making a purchase, by consulting with them on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user is required to carry a badge to gain entry into doors, reusing that same device for desktop access can be easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations require a locked screen saver or inactivity timeout to address the walk-away security issue, but these are easily defeated by just moving the mouse. Imprivata is addressing this problem with a unique new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to automatically lock a workstation upon user departure and then automatically unlock it when the same user returns. OneSign Secure Walk-Away is the only solution to effectively address this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the ability of the system to scale, as well as to address the needs of various departments within the organization, which many times have different requirements for Strong Authentication. Be sure to follow the vendor's list of best practices to ensure your final outcome will be optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a “one-off” solution that fulfills your most critical needs for enterprise access security. However, it's important to know that your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis by using a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your helpdesk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people.

Combining Strong Authentication with Single Sign-On gives your organization proven security benefits, as recommended by leading analysts and security experts. At the same time, the combination of both solutions enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration between physical and logical security systems creates gaps that can be exploited and prevents centralized management and control of overall security. In many cases, for example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both security environments and synchronize control and response.
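The location-based policy from evaluation question 9 and the physical/logical gap described above, as an added example that is not Imprivata code: a workstation logon is permitted only when the account is still active in the provisioning system and the user has badged into the secure area the workstation sits in. All user names, reader names, workstation mappings and badge log lines are constructed for illustration.

```python
"""Location-aware logon policy: an added example, not Imprivata OneSign code.

Models question 9 and the physical/logical integration section: a logon is
allowed only if (a) the account is still active in the provisioning system and
(b) the user has badged into the secure area where the workstation sits, with
no later badge-out. Every name, log line and mapping here is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Constructed badge-reader export: timestamp,user,reader,direction
BADGE_LOG = """\
2009-03-02T07:45:00,asmith,control-room-door,in
2009-03-02T07:58:10,jdoe,pharmacy-door-1,in
2009-03-02T08:30:00,jdoe,pharmacy-door-1,out
2009-03-02T08:31:45,jdoe,lobby-turnstile,in
2009-03-02T09:05:00,tjones,pharmacy-door-1,in
"""

# Constructed provisioning state. A terminated user who still holds a working
# badge is exactly the gap the text describes, so status is checked first.
ACCOUNT_STATUS: Dict[str, str] = {"jdoe": "active", "asmith": "active", "tjones": "terminated"}

# Secure area each workstation sits in, and the readers that admit to each area.
WORKSTATION_AREA: Dict[str, str] = {"PHARM-WS-01": "pharmacy", "CR-WS-07": "control-room"}
AREA_READERS: Dict[str, Set[str]] = {
    "pharmacy": {"pharmacy-door-1"},
    "control-room": {"control-room-door"},
}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    reader: str
    direction: str  # "in" or "out"


def parse_badge_log(text: str) -> List[BadgeEvent]:
    """Parse the CSV-style export into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, reader, direction = line.split(",")
        events.append(BadgeEvent(datetime.fromisoformat(ts), user, reader, direction))
    return sorted(events, key=lambda e: e.ts)


def area_of_reader(reader: str) -> Optional[str]:
    """Secure area a reader admits to, or None for readers outside any secure area."""
    for area, readers in AREA_READERS.items():
        if reader in readers:
            return area
    return None


def presence_area(events: List[BadgeEvent], user: str, now: datetime,
                  max_age: timedelta) -> Optional[str]:
    """Secure area the user is currently badged into, or None.

    Replays the user's events up to `now`: an "in" at a secure-area reader
    establishes presence, an "out" at that area's reader clears it, and a
    badge-in older than max_age is no longer trusted (forgotten badge-out).
    """
    current: Optional[str] = None
    entered_at: Optional[datetime] = None
    for e in events:
        if e.user != user or e.ts > now:
            continue
        area = area_of_reader(e.reader)
        if e.direction == "in" and area is not None:
            current, entered_at = area, e.ts
        elif e.direction == "out" and area == current:
            current, entered_at = None, None
    if current is None or entered_at is None or now - entered_at > max_age:
        return None
    return current


def logon_decision(events: List[BadgeEvent], user: str, workstation: str,
                   now: datetime, max_age: timedelta = timedelta(hours=12)) -> Tuple[bool, str]:
    """Allow or deny a workstation logon, returning the reason for the audit log."""
    if ACCOUNT_STATUS.get(user) != "active":
        return False, "account is not active in the provisioning system"
    required = WORKSTATION_AREA.get(workstation)
    if required is None:
        return False, "workstation is not mapped to a secure area"
    present = presence_area(events, user, now, max_age)
    if present != required:
        return False, f"no current badge-in to {required} (badged area: {present})"
    return True, f"user badged into {required}"


if __name__ == "__main__":
    evs = parse_badge_log(BADGE_LOG)
    at = datetime(2009, 3, 2, 8, 10)
    for u, ws in [("jdoe", "PHARM-WS-01"), ("asmith", "PHARM-WS-01"), ("tjones", "PHARM-WS-01")]:
        print(u, ws, logon_decision(evs, u, ws, at))
```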

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a unique user authentication solution that integrates a broad range of flexible and powerful strong authentication types – all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By having all access information available at the push of a button via standardized reporting, OneSign Authentication Management provides critical value in helping you rapidly respond to audit inquiries that may otherwise require manual viewing and collation of independent system logs. When adding OneSign Single Sign-On, you can also incorporate reporting on user access events to applications as well.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs – accelerating your return on investment right out of the box.

Application Transaction Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required prior to executing a financial transaction, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.
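The transaction-level re-authentication that evaluation question 2 and the ProveID description call for, as an added example that is not the ProveID API or any Imprivata code: the authentication service issues a short-lived proof bound to one user, one strong method and one transaction reference, and the application verifies that proof immediately before executing the transaction. The signing key, the proof format, the method list and the 60-second window are constructed assumptions.

```python
"""Transaction-level re-authentication gate: an added example, not the ProveID API.

The authentication service issues a proof after the user re-authenticates; the
application checks it right before a sensitive step (financial transaction, drug
disbursement). The key, names and policy values are constructed for illustration.
"""
import hashlib
import hmac
from datetime import datetime, timedelta
from typing import Set, Tuple

# Constructed signing key; in practice the authentication service holds it and
# the application only ever sees proofs, never the key.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
MAX_AGE = timedelta(seconds=60)                        # the "immediately prior" window
STRONG_METHODS = {"otp", "smartcard", "fingerprint"}   # a plain password does not qualify
SEP = "|"


def _mac(payload: str) -> str:
    return hmac.new(SERVER_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_proof(user: str, method: str, txn_ref: str, now: datetime) -> str:
    """Authentication-service side: called after the user re-authenticated with `method`."""
    for field in (user, method, txn_ref):
        if SEP in field:
            raise ValueError("field may not contain the separator")
    payload = SEP.join([user, method, txn_ref, now.isoformat()])
    return payload + SEP + _mac(payload)


def verify_proof(token: str, user: str, txn_ref: str, now: datetime,
                 used: Set[str]) -> Tuple[bool, str]:
    """Application side: call right before executing the transaction.

    Checks, in order: signature, single use, user binding, transaction binding,
    method strength, freshness. `used` records proofs already spent so that a
    replayed proof cannot authorize a second execution.
    """
    parts = token.split(SEP)
    if len(parts) != 5:
        return False, "malformed proof"
    p_user, p_method, p_txn, p_ts, p_mac = parts
    payload = SEP.join(parts[:4])
    if not hmac.compare_digest(_mac(payload), p_mac):
        return False, "bad signature"
    if token in used:
        return False, "proof already used"
    if p_user != user:
        return False, "proof issued for a different user"
    if p_txn != txn_ref:
        return False, "proof bound to a different transaction"
    if p_method not in STRONG_METHODS:
        return False, f"method {p_method!r} is not a strong authentication method"
    age = now - datetime.fromisoformat(p_ts)
    if age < timedelta(0) or age > MAX_AGE:
        return False, f"proof is {age.total_seconds():.0f}s old; limit is {MAX_AGE.total_seconds():.0f}s"
    used.add(token)
    return True, "ok"


if __name__ == "__main__":
    t0 = datetime(2009, 3, 2, 10, 0, 0)
    spent: Set[str] = set()
    proof = issue_proof("jdoe", "otp", "TXN-1001", t0)
    print(verify_proof(proof, "jdoe", "TXN-1001", t0 + timedelta(seconds=5), spent))
    print(verify_proof(proof, "jdoe", "TXN-1001", t0 + timedelta(seconds=6), spent))
```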


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.

OneSign Authentication Management can also be purchased alone or as part of the OneSign Platform™, the technology solution that is helping more than 800 companies around the globe to achieve their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

“Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution.”

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

“Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible.”

– Dr Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

“Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application.”

– Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

“All our employees – whether loan officers, customer service reps or IT – are more productive. We've eliminated 95% or more of password-related reset calls.”

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures highly recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the right combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.


At the same time OneSign gives you the fexibility to choose the right combination o Strong Authenticationmethods that best suits your business your organization and your employeesrsquo dierent roles and responsi-bilities -- no matter how large or geographically-dispersed your enterprise

Above all OneSign is a solution your organization can live with -- because it requires little rom users tomaintain compliance and because it actually enhances their productivity by reducing password problems andhelp desk calls

For more inormation on how you can easily deploy Strong Authentication with OneSign please visithttp wwwimprivatacomonesign_authentication_managementor contact Imprivata at 1-800-ONESIGN or 1-781-674-2700

822019 A More Secure Front Door

httpslidepdfcomreaderfulla-more-secure-front-door 1214

copy 2009 Imprivata Inc

A Mor Scur Frot Door SSO ad Stro Autticatio 12

1. Should you have different Strong Authentication methods for different users?

It makes sense to match the method to users' roles, needs and relative security risk. Other factors to consider include cost, workflow requirements and ease of use.

2. Are there ways to streamline the administration of a Strong Authentication solution?

Administration can take many forms, including vendor-specific requirements, management tools and user administration, and the tasks associated with them vary according to the organization's needs and preferences. Some tasks, such as tracking and reporting, are necessary in any case to get the maximum benefit from the authentication choice. It is also a good idea to offload as much of the administrative burden as possible from users, because their ability to simply "plug and go" will help ensure organization-wide acceptance.

3. How can the use of Strong Authentication be made as easy as possible for users?

The key is to choose solutions that are both secure and easily adopted by end users. Gain user acceptance of the type of Strong Authentication before making a purchase by consulting users on the options and their preferences. In general, users will welcome a solution that does not require them to alter or abandon their established routines. For example, in environments where a user already has to carry a badge to get through doors, reusing that same device for desktop access is easily accepted.

4. Once users are authenticated, how do we more effectively address security when users walk away from their computers?

There are many solutions to this issue, but most have been ineffective. Many organizations rely on a locked screen saver or inactivity timeout, but these leave the session open for the whole timeout period, and anyone who moves the mouse during that window keeps it alive. Imprivata is addressing this problem with a new solution, OneSign Secure Walk-Away. It uses a combination of active presence detection and facial biometrics to lock a workstation automatically when the user departs and to unlock it automatically when the same user returns. OneSign Secure Walk-Away is the only solution that effectively addresses this issue today.

5. What is the best way to deploy Strong Authentication at multiple locations?

When choosing a device solution, make sure it meets both the security needs of the business and the convenience needs of the users. When choosing a management system for your devices, pick one that is geographically scalable and can support a range of Strong Authentication options. This way you can be confident in the system's ability to scale and to address the needs of the various departments within the organization, which often have different requirements for Strong Authentication. Follow the vendor's list of best practices to ensure the final outcome is optimized.

BEYOND STRONG AUTHENTICATION

Today you may regard Strong Authentication as a "one-off" solution that fulfills your most critical needs for enterprise access security. However, your Strong Authentication solution can provide even greater value going forward, acting as a platform for deploying additional capabilities across your organization to further strengthen security, satisfy related user needs and reduce costs.

Strong Authentication and Single Sign-On

Single Sign-On enables your user community to log on to the network and sign on to all the applications they are authorized to use on a daily basis with a single strong password. Single Sign-On relieves users of the burden of memorizing multiple passwords, increases productivity by helping users avoid getting locked out of systems, and lowers resource costs by reducing the number of password reset calls to your help desk. Above all, Single Sign-On strengthens IT security because users no longer resort to writing down passwords and leaving them where they can be stolen and used by unauthorized people. It also concentrates access behind that one credential, which is why the credential should be protected by Strong Authentication rather than by a password alone.

Combining Strong Authentication with Single Sign-On gives your organization the proven security benefits recommended by leading analysts and security experts. At the same time, the combination enables you to enforce strong security policies enterprise-wide while increasing user satisfaction and requiring no disruptive changes to user workflow or behavior.

Strong Authentication and Integrated Physical/Logical Security

In most organizations, physical security (systems that control physical access to buildings and work areas) and logical security (systems that control access to IT resources) are separate realms. This lack of integration creates gaps that can be exploited and prevents centralized management and control of overall security. For example, a terminated employee may be immediately barred from re-entering corporate facilities but may still be able to gain remote access to the corporate network for days or weeks before privileges are revoked. An integrated physical/logical security solution makes it possible to link both environments and synchronize control and response.
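The gap described above can be measured rather than assumed. The following is an added example, not part of this paper and not Imprivata code: a script that reconciles a badge-system export against a directory export and a VPN log to find accounts whose building access was revoked while remote network access stayed enabled, and any successful remote logins that happened inside that window. The users, timestamps, log format and field names are constructed for the illustration.

```python
"""Detect the physical/logical revocation gap: badge revoked, network
access still live. Constructed data; not Imprivata code."""
from datetime import datetime, timezone

# Constructed badge-system export: user, badge status, time of last status change.
BADGE_EXPORT = [
    ("jdoe",   "revoked", "2009-03-02T09:15:00Z"),
    ("asmith", "active",  "2008-11-20T08:00:00Z"),
    ("bkhan",  "revoked", "2009-03-10T17:30:00Z"),
]

# Constructed directory export: user, account enabled?, in remote-access group?
DIRECTORY_EXPORT = [
    ("jdoe",   True,  True),
    ("asmith", True,  True),
    ("bkhan",  False, False),
]

# Constructed VPN log in a hypothetical syslog-like key=value shape.
VPN_LOG = """\
2009-03-02T07:50:12Z vpn1 login user=jdoe src=198.51.100.7 result=success
2009-03-03T22:41:05Z vpn1 login user=jdoe src=203.0.113.9 result=success
2009-03-04T08:02:33Z vpn1 login user=asmith src=198.51.100.20 result=success
2009-03-11T10:00:00Z vpn1 login user=bkhan src=203.0.113.9 result=failure
"""


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the constructed exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_vpn_log(text):
    """Turn each VPN log line into (timestamp, user, source address, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _host, _action, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append((parse_ts(ts), kv["user"], kv["src"], kv["result"]))
    return events


def find_revocation_gaps(badges, directory, vpn_events, now):
    """One finding per user whose badge is revoked but whose directory
    account is still enabled and still in the remote-access group.

    Each finding carries how long the gap has been open and every successful
    remote login after the badge revocation, i.e. the activity an integrated
    physical/logical control is meant to prevent.
    """
    accounts = {user: (enabled, remote) for user, enabled, remote in directory}
    findings = []
    for user, status, changed in badges:
        if status != "revoked":
            continue
        enabled, remote = accounts.get(user, (False, False))
        if not (enabled and remote):
            continue  # logical access already cut: no gap for this user
        revoked_at = parse_ts(changed)
        logins_after = [
            (ts, src) for ts, u, src, result in vpn_events
            if u == user and result == "success" and ts > revoked_at
        ]
        findings.append({
            "user": user,
            "gap_open": now - revoked_at,
            "logins_after_revocation": logins_after,
        })
    return findings


if __name__ == "__main__":
    now = parse_ts("2009-03-12T00:00:00Z")  # fixed 'now' so the run is reproducible
    for f in find_revocation_gaps(BADGE_EXPORT, DIRECTORY_EXPORT, parse_vpn_log(VPN_LOG), now):
        print(f"{f['user']}: badge revoked, remote access still enabled for "
              f"{f['gap_open'].days} days; "
              f"{len(f['logins_after_revocation'])} VPN login(s) after revocation")
```

Run against real exports, the same check is the control an integrated solution automates: cut remote access the moment badge status flips to revoked, and treat any successful VPN login after that point as an incident rather than a reporting line.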

THE IMPRIVATA ONESIGN® SOLUTION FOR STRONG AUTHENTICATION

Imprivata OneSign® Authentication Management is a user authentication solution that integrates a broad range of flexible and powerful strong authentication types, all managed from within a single administrator framework. OneSign eases the cost and complexity of managing independent systems and provides a central location for reporting access events across all Strong Authentication devices, strengthening security while reducing the burden of regulatory compliance.

Flexible authentication options

OneSign Authentication Management provides native support for a broad range of plug-and-play authentication options such as One-Time-Password (OTP) tokens (including built-in control and management support for VASCO® DIGIPASS®), finger biometrics, smart cards, proximity cards, building access cards and USB tokens. Simply plug them into your workstation and you are ready to go.

Consolidated reporting

With OneSign Authentication Management you can easily report, in real time, an aggregated view of when, how and from where an employee gained access to the network. By making all access information available at the push of a button through standardized reporting, OneSign Authentication Management helps you respond rapidly to audit inquiries that might otherwise require manual viewing and collation of independent system logs. When you add OneSign Single Sign-On, you can also incorporate reporting on user access events to applications.

ROI right out of the box

The power of OneSign Authentication Management is that it comes packaged in a hardened appliance. OneSign Authentication Management is designed to be affordable and easy to adopt. Purpose-built for flexible and rapid enterprise deployment, OneSign's appliance-based approach to user authentication dramatically minimizes implementation time, infrastructure needs and installation costs, accelerating your return on investment right out of the box.

Application Transaction Level Strong Authentication

The Imprivata OneSign ProveID capability allows an application to leverage OneSign's strong authentication services to positively identify a user at any point in the application workflow. Examples of ProveID in use include banking environments, where positive identification of a user is required before a financial transaction is executed, and healthcare environments, where positive identification of a user is required at the point of drug disbursement.
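Transaction-level authentication is a step-up pattern: the application refuses a sensitive operation until the authentication service has just confirmed who is at the keyboard. The code below is an added example of that pattern and is not Imprivata's ProveID implementation; it uses an RFC 4226/6238 HOTP/TOTP token as the second factor and goes slightly beyond the text by also consuming each proof after one use and rejecting replayed OTP codes. The class and function names, the 60-second freshness window and the demo secret (the RFC 4226 test-vector key) are assumptions.

```python
"""Step-up (transaction-level) strong authentication with an OTP token.
Added example, not Imprivata code; names and window size are assumed."""
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{d}d}".format(code % 10 ** digits, d=digits)


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(secret, int(now) // step, digits)


class StepUpError(Exception):
    pass


class TransactionGuard:
    """Gate sensitive operations behind a fresh, single-use OTP proof.

    prove_id() verifies the user's token and records the proof;
    execute_transfer() refuses to run unless a proof younger than max_age
    seconds exists, then consumes it so one proof cannot authorize a second
    transaction.
    """

    def __init__(self, secrets, max_age=60, step=30):
        self.secrets = secrets      # user -> shared token secret (bytes)
        self.max_age = max_age
        self.step = step
        self.proofs = {}            # user -> time the last proof was made
        self.last_step = {}         # user -> last accepted time step (anti-replay)
        self.ledger = []            # executed transfers

    def prove_id(self, user, code, now):
        secret = self.secrets[user]
        current = int(now) // self.step
        # Accept the current step and one step either side for clock drift.
        for candidate in (current - 1, current, current + 1):
            if hmac.compare_digest(hotp(secret, candidate), code):
                if candidate <= self.last_step.get(user, -1):
                    raise StepUpError("OTP already used")   # replayed code
                self.last_step[user] = candidate
                self.proofs[user] = now
                return True
        raise StepUpError("OTP rejected")

    def execute_transfer(self, user, amount, now):
        proved_at = self.proofs.get(user)
        if proved_at is None or now - proved_at > self.max_age:
            raise StepUpError("fresh identity proof required")
        del self.proofs[user]       # single use: the next transfer needs a new proof
        self.ledger.append((user, amount))
        return len(self.ledger)


# Constructed demo: a hypothetical teller and a fixed 'now' so the run is
# reproducible. A real deployment uses the wall clock and the token's
# provisioned secret.
DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret
DEMO_NOW = 1234567890


def demo():
    guard = TransactionGuard({"teller1": DEMO_SECRET})
    guard.prove_id("teller1", totp(DEMO_SECRET, DEMO_NOW), DEMO_NOW)
    first = guard.execute_transfer("teller1", 5000, DEMO_NOW + 5)
    try:
        guard.execute_transfer("teller1", 5000, DEMO_NOW + 6)   # proof already consumed
        second = "allowed"
    except StepUpError as e:
        second = str(e)
    return first, second


if __name__ == "__main__":
    print(demo())
```

The two checks that matter are the freshness window and single use: without them a proof obtained once at login would silently authorize every later transaction, which is exactly the situation transaction-level authentication exists to prevent.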


Built-in RADIUS Host for Remote Access Authentication

OneSign Authentication Management contains a built-in RADIUS host for handling remote access authentication using VASCO DIGIPASS tokens, SecurID, Secure Computing tokens or domain passwords.
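To show what a RADIUS host does for a remote-access device, here is an added example (not Imprivata code) of the Access-Request / Access-Accept exchange from RFC 2865 with both sides written out: the NAS hides the submitted OTP with the shared secret and Request Authenticator, the host recovers it, checks it and answers, and the NAS verifies the Response Authenticator before trusting the answer. The NAS address, user name, shared secret and the table that stands in for the OTP token back end are constructed.

```python
"""RFC 2865 Access-Request / Access-Accept between a NAS and a RADIUS host.
Added example with constructed values; not Imprivata code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def encode_attrs(attrs):
    """Attributes are Type(1) Length(1, including this header) Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        out.append((t, data[i + 2:i + l]))
        i += l
    return out


def hide_password(password, secret, authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(((len(password) + 15) // 16 * 16) or 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(padded[i:i + 16], b))
        out += c
        prev = c
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; the host strips the null padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], b))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    body = encode_attrs(attrs)
    return struct.pack(">BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    code, ident, length = struct.unpack(">BBH", pkt[:4])
    if length != len(pkt) or length < 20:
        raise ValueError("bad length")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def response_authenticator(code, ident, req_auth, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    head = struct.pack(">BBH", code, ident, 20 + len(body))
    return hashlib.md5(head + req_auth + body + secret).digest()


def nas_access_request(user, otp, secret, ident, req_auth=None):
    """What the remote-access device (NAS) sends to the RADIUS host."""
    req_auth = req_auth or os.urandom(16)   # must be unpredictable per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(otp.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]   # constructed NAS address
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def radius_host(pkt, secret, valid_codes):
    """What the authentication host does: recover the OTP, check it against the
    token back end (here a constructed table), answer Accept or Reject."""
    code, ident, req_auth, attrs = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet")
    a = dict(attrs)
    user = a[USER_NAME].decode()
    otp = reveal_password(a[USER_PASSWORD], secret, req_auth).decode()
    reply = ACCESS_ACCEPT if valid_codes.get(user) == otp else ACCESS_REJECT
    auth = response_authenticator(reply, ident, req_auth, [], secret)
    return build_packet(reply, ident, auth, [])


def nas_check_reply(reply, ident, req_auth, secret):
    """The NAS trusts the answer only if the Response Authenticator proves it
    came from a host that knows the shared secret, for this very request."""
    code, rid, resp_auth, attrs = parse_packet(reply)
    expected = response_authenticator(code, rid, req_auth, attrs, secret)
    if rid != ident or not hmac.compare_digest(resp_auth, expected):
        raise ValueError("reply not authentic")
    return code == ACCESS_ACCEPT


# Constructed demo values.
SECRET = b"example-shared-secret-change-me"
VALID_CODES = {"jdoe": "482913"}   # stands in for the OTP token server


def login(user, otp, secret=SECRET, valid_codes=VALID_CODES, ident=7):
    """Full round trip: NAS -> host -> NAS. True only on an authentic Accept."""
    pkt, req_auth = nas_access_request(user, otp, secret, ident)
    reply = radius_host(pkt, secret, valid_codes)
    return nas_check_reply(reply, ident, req_auth, secret)


if __name__ == "__main__":
    print(login("jdoe", "482913"), login("jdoe", "000000"))
```

Note what the protocol does and does not give you: the User-Password hiding is XOR with an MD5-derived keystream and the reply is authenticated only by MD5 over the shared secret, so RFC 2865 depends on an unpredictable Request Authenticator and a strong, per-NAS secret, and the exchange belongs on a protected management network rather than the open internet.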

OneSign Authentication Management can be purchased alone or as part of The OneSign Platform™, the technology solution that is helping more than 800 companies around the globe meet their most pressing Employee Access Management security mandates.

WHAT CUSTOMERS SAY ABOUT STRONG AUTHENTICATION WITH IMPRIVATA ONESIGN

Here's how OneSign customers describe their experiences deploying Strong Authentication:

"Among its many benefits, Imprivata supports multiple strong authentication methods. In fact, organizations can even use it with multiple interchangeable methods, making it an extremely flexible solution."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

"Staff carry their HID physical access cards with them already, so using these cards for network access as well made a lot of sense. We can re-use our existing systems to provide additional value while also providing staff with a system that suits their individual needs. Imprivata OneSign makes it all possible."

-- Dr. Zafar Chaudry, Director of Information Management and Technology, Liverpool Women's NHS Trust

"Once they have the convenience of SSO and strong authentication for access to critical applications, department heads will want every user enabled for every application."

-- Bill McQuaid, AVP and CIO, Parkview Adventist Medical Center

"All our employees – whether loan officers, customer service reps or IT – are more productive. We've eliminated 95% or more of password-related reset calls."

-- Rifat Ikram, Vice President of Electronic Delivery and Support Services, Justice Federal Credit Union

A MORE SECURE TODAY -- AND TOMORROW

Creating a Strong Authentication solution with Imprivata OneSign gives you an effective and affordable way to implement the security measures recommended or mandated by regulatory bodies, industry analysts, industry associations and governmental commissions.

At the same time, OneSign gives you the flexibility to choose the combination of Strong Authentication methods that best suits your business, your organization and your employees' different roles and responsibilities -- no matter how large or geographically dispersed your enterprise.

Above all, OneSign is a solution your organization can live with -- because it requires little from users to maintain compliance, and because it actually enhances their productivity by reducing password problems and help desk calls.

For more information on how you can easily deploy Strong Authentication with OneSign, please visit http://www.imprivata.com/onesign_authentication_management or contact Imprivata at 1-800-ONESIGN or 1-781-674-2700.
