Price: Starts at $16,000 for 200 users
Passwords are infosecurity's Achilles' heel. Weak passwords--your pet's name or mother's maiden name--are easy to remember and easy to guess. Strong passwords are hard to remember, spawning myriad help desk calls and notes stuck on monitors for the world to see. Single sign-on (SSO) products address many of the security and administrative headaches, but the complexity and cost of implementation can put them out of reach of many organizations.
Imprivata's OneSign is SSO for the rest of us, with an innovative technology that makes adding almost any application a snap.
The star of the OneSign package is its powerful yet intuitive Application Profile Generator (APG), which "learns" virtually any application and can recognize when OneSign should enter the credentials. It sets itself apart by doing away with having to manually script login procedures, saving time, money and frustration. In our lab, we easily generated several application profiles without even opening the APG guidebook. We succeeded with every authentication portal tested, including various Web and application logons, PuTTY, VNC and several other mechanisms. Each application was recognized, and the performance was flawless.
The client agent is close to transparent to the user. It constantly searches for matches to its known login screens to make application login processes automatic. Once the application is in the OneSign database, the user simply needs to open the application and go to the login screen. The agent will sense the presence of the login screen and alert the user to a new login detection via a system tray bubble. When the user credentials are entered, the agent captures and uploads them to the OneSign appliance in an encrypted format.
The appliance was very easy to install. The device walks you through several steps for an effortless configuration. Users can be imported from Active Directory, NT Domains, Sun ONE, Novell NDS or any LDAPv3-compatible implementation. OneSign can be instructed to sync with the directory at any time to update the user list, storing attributes in lightweight XML files.
OneSign ships with two appliances standard for failover. The product's security is very tight. The security policy can be set to require the user to reauthenticate at set intervals, from 1 to 60 minutes, or at random. The desktop is locked when reauthentication is required to protect unattended machines. OneSign supports standard passwords, fingerprint readers, ID tokens, smartcard/USB tokens and proximity cards. Offline operation can also be permitted for users through the policy, ensuring that access will not be interrupted. If offline mode is enabled, passwords are encrypted on the user's computer.
Imprivata is targeting the mid-sized business market with OneSign. The powerful feature set makes it very attractive for organizations overwhelmed by password management/security issues. Larger organizations may also be interested in the product, but may be turned off by the lack of a distributed architecture.
While OneSign isn't cheap, Imprivata positions it as an affordable option because it doesn't require the pricey professional services often required for SSO implementations. Based on our experience, that's a pretty compelling argument.
This product review originally appeared in the September 2005 issue of Information Security magazine.