The Southwest Washington Medical Center has one of the busiest emergency rooms on the West Coast with more than 100,000 visits per year. Bogging down personnel with multiple logins and passwords cuts into patient care, which is unacceptable, explains Christopher Paidhrin, senior security officer for ACS Healthcare Solutions.
Enterprise single sign-on was an obvious solution, and Paidhrin decided to go with OneSign ESSO from Imprivata. The rollout, which began in February, lasted four months and focused on 75 of the hospital's 160 applications.
Paidhrin's team began the implementation with the clinical side of the hospital, where each employee logs in to 12 applications. He then took the ESSO solution to the emergency room and rolled out biometric devices in conjunction with the Imprivata technology. According to Paidhrin, the rollout was smooth because out of the box, OneSign ESSO supported biometrics, swipe cards and proximity cards, among other strong authentication mechanisms. More difficult was having the IT infrastructure ready to receive the SSO solution, he says.
"We needed our Active Directory policies in place, and structured processes throughout the IT infrastructure," says Paidhrin. Your security posture is only as strong as the weakest link, he says.
How do security tokens work?
Used in combination with a user name and password, tokens are a popular means of strong, two-factor authentication (something you know and something you have). There is a wide variety of tokens available, including USB tokens, random-number-generator key fobs that produce one-time passwords, and software tokens that emulate the function of a hardware token on a computing device.
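The one-time-password key fobs described above are usually built on a counter-based HMAC scheme (HOTP, RFC 4226): the fob and the authentication server share a secret key and a counter, and each button press advances the counter and displays a short code derived from it. The following is an added illustration written for this article, not code from Imprivata, RSA or any other vendor named here. It uses the RFC's own 20-byte test key as a constructed secret; the `TokenVerifier` class and its look-ahead window of 5 are assumptions chosen to show the server side, which must reject replayed codes while tolerating fob presses that never reached it.

```python
import hashlib
import hmac
import struct

# Constructed example secret: the 20-byte ASCII key from the RFC 4226 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HMAC-based one-time password as specified in RFC 4226.

    The fob and the server both run this over the shared secret and the
    current counter; the displayed code is the result.
    """
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()    # HMAC-SHA-1, 20 bytes
    offset = mac[-1] & 0x0F                               # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one enrolled token (hypothetical helper).

    Remembers the next counter value it expects so that a code already used
    cannot be replayed, and accepts codes up to `look_ahead` steps ahead so a
    user who pressed the fob a few times without logging in is not locked out.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5) -> None:
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for step in range(self.look_ahead + 1):
            candidate = self.counter + step
            # Constant-time comparison avoids leaking which digits matched.
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1   # move past the accepted value
                return True
        return False


if __name__ == "__main__":
    verifier = TokenVerifier(SECRET)
    print(hotp(SECRET, 0))                 # first code the fob would display
    print(verifier.verify(hotp(SECRET, 0)))   # accepted
    print(verifier.verify(hotp(SECRET, 0)))   # replay of the same code is rejected
```

The look-ahead window is the usual trade-off in this design: too small and a few idle button presses desynchronise the fob, too large and an attacker who captured a code has more chances to use it before the legitimate user does. A time-based variant (TOTP) replaces the counter with a clock step but keeps the same HMAC and truncation.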
Pros and cons: Among the token choices, the USB token tends to be the most cost-effective and versatile. A USB port is standard equipment on today's PCs, so no separate reader is required, as it is for other two-factor authentication methods such as smart cards. Unlike one-time-password generators such as RSA Security's SecurID, USB tokens provide storage for various certificates and logon credentials, making them more flexible. RSA Security, Aladdin Knowledge Systems, ActivIdentity (formerly ActivCard), Authenex and SafeNet are a few of the vendors offering USB tokens.
However, implementing tokens isn't easy. Token vendors tend to split their required client software into several discrete components: one for storing network credentials, another for storing Web site information, and a third for VPN credentials. Each component then needs its own compatibility analysis and version control to ensure it works with enterprise desktops. Plus, users are reluctant to carry yet another hardware device in their pocket to access enterprise services, and can easily lose it. Software tokens avoid that drawback, but can only be used on the host where the software resides.
Another problem with most tokens is that the client software may leak user names and passwords onto the hard drive. In addition, it's possible to crash the client software (particularly Java-based software) by overloading the processor with multiple tasks running simultaneously, or with applications like CAD that require large amounts of CPU and/or memory.
What to do: Depending on their security needs and regulatory requirements, companies may want to deploy USB tokens throughout the enterprise for network logon or just for remote access via a VPN or Citrix system.
This was first published in August 2006