REVIEWED BY BRAD CAUSEY
Price: $28 per user for 1,000-user license;
$75 per user with VASCO authentication token option
Imprivata's new OneSign ENA appliance places strong network authentication within reach of small- and medium-sized organizations. It's a cost-effective solution to the security nightmare of managing usernames and passwords by providing support for one-time password tokens, proximity cards, smart cards, USB tokens and fingerprint biometrics.
ENA comes with an optional embedded VASCO Digipass token system.
The initial setup was easy and intuitive, using a simple arrow-based button system and digital display. The documentation was complete and well written.
Configuring the appliance consisted of utilizing two different Web interfaces, one for the appliance configuration and one for user and policy management. ENA supports most major directories, such as Active Directory and eDirectory, but notably missing is support for standard LDAP systems, such as OpenLDAP.
Opting to use a directory system other than AD will disable many features, such as password self-service and Web-based user creation; this could cripple the integration of this product for any company. The product enumerates users and groups based on a synchronization schedule. This may prove to be problematic in environments where users and groups change frequently, because the appliance can be configured to check the directory for changes no faster than hourly. Changes that need to be applied immediately require a manual refresh from the Web interface.
Hardware support is excellent, utilizing nearly all the major players in the strong authentication market, including RSA. However, VASCO is heavily embedded with the appliance, providing a great single interface to handle token assignment and user enrollment. You would, however, lose many of the features of the enrollment process if you choose a token other than VASCO. Many laptop-embedded fingerprint readers are supported.
More information from SearchSecurity.com
Expert Joel Dubin looks at two-factor authentication in this technical tip
Our experts answer your SSO questions.
Policy Control C
OneSign ENA allows administrators to configure policies that restrict or allow various types of authentication mechanisms and password self-help services. The policies are easy to configure, and are built on a single default policy for each directory target.
Exceptions are configured by adding users into a group and choosing a different policy for that group, something that could become difficult depending on the variation of authentication hardware in your organization. Once a user has been added and assigned a policy, the user must then enroll in the specified authentication method(s). Although policy configuration could be more granular, this feature alone justifies this product for companies with varying hardware and authentication capabilities by providing them with a single point to manage authentication policies.
Reporting is handled through an easy-to-navigate Web interface. Reports can be generated quickly to provide extensive information about logon activity, such as who logged in, where, how, and if the attempt was successful. Saved and scheduled reporting allows results to be automatically emailed in text format, exported to an FTP site, or posted to a Web location via XML. Executive- and management-level reports are made simple by an easy-to-use grouping mechanism.
OneSign ENA does a great job of simplifying the process of updating organizations to use stronger authentication. Policy management is simple, but managing a wide variety of hardware authentication would prove to be difficult to maintain in larger organizations.
Testing methodology: Our lab included two Active Directory domain controllers, each in a separate forest. We imported more than 2,000 users from each domain and enrolled them in the various forms of authentication, including passwords, smart cards, fingerprints and tokens. Each authentication mechanism was tested on Windows XP SP2 and Windows 2000 SP4.
Dig Deeper on Enterprise Single Sign-On (SSO)