At Moffitt Cancer Center, security sought to create an environment where users had the ability to launch their applications without having to remember 15 different passwords.


It began in the world of IT, where users sought a single method of access control to authenticate once and gain access to the resources of multiple software systems. In a homogeneous IT infrastructure, or at least one where a single user authentication scheme exists or the user database is centralized, single sign-on is a visible benefit.

That benefit has spread to include physical access control through a turnstile, doorway or garage entrance.

According to Beth Thomas, building security starts with a badge, often a proximity card. IT security, meanwhile, starts with a user name and password.

When organizations want to add more security to a card, they can add a PIN or a biometric. As IT systems look to increase security, however, the choices are not equivalent. Organizations can add:
  • An RSA token or biometric that authenticates the correct person.

  • A smart chip – embedded either in a card or in a USB dongle – that authenticates the correct person, and is also used for non-repudiable digital signatures.

Digital signatures are important in regulated environments to verify that a person did approve or take an action.

Single Card Solution

But there is a single-card solution that includes a contact smart chip for IT and proximity technologies (contactless smart or 125 kHz proximity), which enables the organization to manage one resource for each employee, thereby minimizing both material and administrative costs. An optimized card issuance process allows building security to continue issuing badges, and the badge issuance process will be connected to IT systems for provisioning as a single process, according to Honeywell Security’s Thomas.

Numerous enterprises are driving to a single sign-on.

To create a single Nissan ID card, Nissan Europe searched the market for a suitable solution. The team evaluated several card management software and card middleware solutions to cover more than 100,000 badges and selected ActivIdentity Smart Employee ID. Initially the Nissan security team tested the technology in one Nissan Europe site, including 30 users, and then extended the pilot for another month across more sites, including an additional 300 users. During the pilot phase, six Nissan CMS administrators were fully trained, five databases were replicated and both operator roles and card profiles were implemented. The team received positive feedback from the pilot and decided to start the full and live implementation of the project. Nissan Europe decided to implement the card management system to manage the issuance and administration of the Nissan ID that handles both physical and logical security.

Another firm, Rearden Commerce, has embraced single sign-on. The company has Rearden Personal Assistant, a technology that learns who customers are and what they like, then goes out across the Web to find the services they need when they need them. With Federated Identity Management from Ping Identity, Rearden Commerce now enables its partners to leverage existing identity systems, keep control over the credentials, manage all policy and allow users to easily and securely interact with service providers. Rearden Commerce initially built and offered a proprietary single sign-on application, which required customers to hire technical staff, do custom integration work and keep up with a plethora of protocols. As a result, customer deployments required more time and resources than desired, and user adoption lagged expectations.

To change that paradigm, Rearden Commerce went with a standards-based approach to allow everyone in the circle of trust to purchase commercial products, and use existing identity management system capabilities.

According to Darryl Bonner, of radiology information services at the Henry Ford Health System, “Remembering passwords simply isn’t our doctors’ highest priorities and password resets were occurring more frequently at all hours of the day and night. Getting the on-call IT person out of bed at 2 a.m. during a trauma to reset a radiologist’s password was inefficient and time-consuming in an environment where time is of the essence.”

Overcoming Cost

He began to rediscover single sign-on, previously abandoned due to cost barriers.

“Online help resources and an e-mail ‘advertising’ campaign not only familiarized people with OneSign from Imprivata, but also kept us in constant communication with users. As a result, the vast majority of users picked it up right away. For the small minority that wanted us as a security blanket, we worked on building their confidence until they didn’t need us anymore.”

For Eric Leader, chief technology architect at Catholic Healthcare West, the challenge also was managing user identities across hundreds of applications running on multiple platforms. A streamlined identity management solution running on Linux has increased security and improved regulatory compliance, while dramatically reducing costs.

“We operate in a highly regulated environment where the requirements are always changing. We simply had to consolidate identity management or we would see a huge increase in time spent managing regulatory issues. The identity and access management solution provided by Novell helps us stay ahead of the curve,” said Leader.

“A solution based on open standards fits our model of doing business,” said Leader. “Healthcare procedures are not proprietary, and information concerning how best to meet the needs of our patients is freely shared among caregivers. Because we work in an open community, it makes sense for us to have an open environment.” Centralized identity management has greatly improved the organization’s overall security and ability to comply with HIPAA, Sarbanes-Oxley and other regulatory requirements. Using Novell Audit, CHW can conduct timely audits to track who is accessing information and when. The IT and security staff can also immediately revoke network access when employees leave the organization.

Moffitt Cancer Center in Tampa, Fla., employs more than 2,600 people, supports in excess of 300 researchers and faculty from the University of South Florida, and handles over 232,060 outpatient visits per year. With high patient volume and a constantly changing population of physicians and nurses using a variety of software applications, the access control and IT management team was concerned that password and user provisioning problems could compromise its mission of delivering superior care.

Donald Wasylyna, manager, Information Security & Protection, Moffitt Cancer Center, was burdened by two primary challenges:
  • Rapid Provisioning and De-Provisioning: Every 30 to 90 days there is an influx of residents arriving from the University of South Florida and other institutions. The Center needed to find an easier, quicker way to manage the provisioning and de-provisioning process to ensure physicians had immediate access to critical applications and systems, and that that access was rescinded as soon as their responsibilities changed, or they moved on to other positions.

  • Seamless User Experience: With a diverse set of applications that physicians need access to (ranging from six to 10 at any given time), the Center needed to provide users with a password management solution that improved productivity, while keeping in mind the importance of providing a seamless user experience and excellence in “usability.”

To address the Center’s increasingly complex provisioning and password management challenges, the IT team sought to create an environment where users had the ability to launch their applications without having to remember 15 different passwords. At the same time, it sought to streamline provisioning so that when a user is entered into the human resources system, role-based credentials are generated automatically and the user is provisioned for the right applications.