It’s Good to be Single
Card access control. Biometrics. PIN. For physical and logical security needs, employees often must use different sign ons for various applications. While, on the surface, the approach may seem to provide higher-level security, the truth is that the cost of maintaining these entries, as well as the cost of a help desk, is often extreme.
Enter the single sign on.
Single sign on (SSO) is a session/user authentication process that allows a user to provide his or her credentials once in order to access multiple applications. The single sign on authenticates the user to access all the applications he or she has been authorized to access. It eliminates future authentication requests when the user switches applications during that particular session.
ON THE WEB
On the Web, single sign on works strictly with applications accessed with a Web browser. The request to access a Web resource is intercepted either by a component in the Web server, or by the application itself. Unauthenticated users are diverted to an authentication service and returned only after a successful authentication.
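The intercept, divert and return sequence described above, as an added example that is not part of the original article: a simplified model in which the authentication service hands the browser a short-lived signed ticket that the intercepting component verifies before serving the resource. The host names, shared key, ticket format and the `ticket`/`return` parameter names are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for this example (assumptions, not from the article).
AUTH_SERVICE = "https://sso.example.test/login"
APP_ORIGIN = "https://app.example.test"
SHARED_KEY = b"constructed-demo-key"   # known to auth service and app only
TICKET_TTL = 60                        # seconds a ticket stays valid


def _sign(user: str, expires: int) -> str:
    msg = f"{user}|{expires}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def issue_ticket(user: str, now: float) -> str:
    """Auth service side: called only after the user has authenticated."""
    expires = int(now) + TICKET_TTL
    return f"{user}|{expires}|{_sign(user, expires)}"


def verify_ticket(ticket: str, now: float):
    """App side: return the user name, or None if forged or expired."""
    try:
        user, expires_s, sig = ticket.split("|")
        expires = int(expires_s)
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(user, expires).encode()):
        return None
    return user if now <= expires else None


def intercept(url: str, session: dict, now: float):
    """Web-server component: decide what happens to an incoming request."""
    parsed = urlparse(url)
    if session.get("user"):            # already signed on in this session
        return ("serve", parsed.path)
    ticket = parse_qs(parsed.query).get("ticket", [None])[0]
    user = verify_ticket(ticket, now) if ticket else None
    if user:                           # browser came back from the auth service
        session["user"] = user
        return ("serve", parsed.path)
    # Unauthenticated: divert. The return address is rebuilt from the app's
    # own origin plus the path, so a request cannot choose a foreign host.
    back = APP_ORIGIN + (parsed.path or "/")
    return ("redirect", AUTH_SERVICE + "?" + urlencode({"return": back}))
```

Once the session holds a verified user, later requests in that session are served without another trip to the authentication service; a forged or expired ticket is treated the same as no ticket at all.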
There are digital threats. Digital threats are such things as hackers, viruses, network bottlenecks, and other accidental or malicious assaults on the security or flow of data. Digital threats have a high profile in the industry and the press, and most data centers have robust and actively maintained systems, such as firewalls and virus checkers, to defend against them.
There are physical threats.
Physical threats include such things as power and cooling problems, human error or malice, fire, leaks and air quality. Some of these, including threats related to power and some related to cooling and fire are routinely monitored by built-in capabilities of power, cooling, and fire suppression devices. For example, UPS systems monitor power quality, load, and battery health; there is monitoring of circuit loads; cooling units monitor input and output temperatures and filter status; fire suppression systems – the ones that are required by building codes – monitor the presence of smoke or heat. Such monitoring typically follows well understood protocols automated by software systems that aggregate, log, interpret, and display the information.
SSO REQUIREMENTS
According to SearchSecurity.com, there are pre-requisites for implementing single sign on (SSO) in an organization. There isn’t a cookie cutter set of requirements or components for implementing SSO in an enterprise. It depends predominantly on two things: the size of the organization and the risk levels of the different systems that would be enrolled in the SSO set up. Besides that, SSO comes in different varieties such as a set of software modules or as a hardware appliance. Again, it all depends on the size and business needs of the organization.
As a general rule, however, every SSO implementation should have the following: an inventory of systems, a needs analysis and a deployment schedule.
According to SearchSecurity.com, before setting up an SSO system, it’s important to know what systems are in place, what type of authentication they require and what directory services they are using. One purpose of SSO is to knit together diverse systems. So, a good SSO system should be able to work with both Active Directory and LDAP (Lightweight Directory Access Protocol), as well as handle the different types of authentication systems in the environment. LDAP is the Internet standard for providing “white pages” (phone book-like) service to organizations, workgroups or the public.
USER NEEDS
The other thing to consider is whether the organization needs SSO strictly for network access or for Web access as well.
Next, conduct a needs analysis to determine which systems should have SSO access. Which systems are being accessed the most frequently by users? Are they a mix of Web applications or network systems? This will determine what technology components are necessary for SSO implementation.
Lastly, it’s necessary to put a deployment schedule in place. Users have to get accustomed to the SSO system. A roll out should be in phases, so that if something goes wrong, or employees are having difficulty, it won’t take down the entire access management infrastructure at once.
The key components of an SSO depend on whether it’s a software or hardware implementation.
For a software-based implementation, dedicated servers are required to run the system. Also important are development resources to tweak and customize the packages to the organization’s specific requirements. For a hardware-based implementation, such as with Imprivata’s all-in-one appliance, the product must be compatible with the network architecture.
Baptist Health System, one of the largest healthcare systems in Alabama, has gone live with Sentillion’s clinical workstation solution, Vergence. To date, all the intensive care units of its largest hospital are up and running with SSO and context management, and deployment to more than 3,000 clinicians system-wide is expected to be completed soon.
ELIMINATING MULTIPLE PASSWORDS
Baptist Health System selected SSO to help eliminate multiple passwords and improve clinical workflow by context management-enabling its clinical and business applications. Physicians at Baptist Health System typically work with at least five different software vendors – including Siemens Medical Solutions, Novius and Cerner among others – while nurses may work with upwards of 10 applications regularly.
Deploying Vergence contributes significantly to Baptist Health System’s physician engagement objective, according to John West, the network’s chief technology officer. “Over the years, caregivers have voiced frustration about having to remember multiple log-in names and passwords for the various software applications they use. We don’t want them to spend their valuable time struggling to get critical patient information, and Vergence goes a long way toward solving that problem.”
The solution unifies single sign on, context management and strong authentication into one fully integrated, out-of-the box clinical workstation solution that enables caregivers to access and navigate quickly and easily between the many clinical and business software applications they use regularly. The identity and access management solutions are the most widely deployed in healthcare and are used daily by more than 350,000 caregivers in over 600 hospitals across North America and the United Kingdom.
“The level of enthusiasm among our clinical staff for this information technology initiative has been greater than anything we’ve done before,” Phyllis Grant, Baptist Health System’s director of clinical informatics, said. “Single sign on capability sent our doctors and nurses gasping -- but context management really sent them over the edge; that was the ‘wow factor’.”
Next summer, Baptist Health System expects to deploy a centralized and automated provisioning process that will eliminate the challenges of manual user account management. With that, the IT staff can get caregivers up, running and productive on Baptist’s information systems on the first day of their residency, staff assignment or upon receiving admitting privileges.
USPS APPLICATION
For the United States Postal Service, “Passlogix of New York delivered on its promise to help solve the USPS most critical end-user problem – forgotten passwords,” said Bob Otto, USPS chief technical officer.
“The ability to leverage our current infrastructure and deploy SSO without modifying applications or completing any integration was especially important to us.”
With it, users need only log on once, to Windows, to gain secure access to all Microsoft Windows, Web, Telnet, Java, homegrown and host-based applications, without requiring any application modifications, scripting or agents.
The technology uses an intelligent client-side agent that accepts any form of authentication, including passwords, PKI, smart cards, tokens or biometrics, and connects to any mainframe, Microsoft Windows, Web, Java and homegrown program.