Imprivata's David Ting on ID Provisioning as a Converged Application

Tying logical user provisioning actions to their related physical access points is a key benefit of converged identity management. A prerequisite to achieving it is tight integration of physical access control systems with logical identity management systems, a formidable task for many enterprises.

Imprivata, based in Lexington, Mass., specializes in such integration. Similar to companies such as Quantum Secure and AlertEnterprise, Imprivata creates virtual bridges among disparate physical access control and identity management systems. It differs from other companies in this space by offering a hardware-based solution: the OneSign Platform.

According to David Ting (pictured), chief technology officer at Imprivata, OneSign is a hardened Linux server. It includes all the interfaces required to link to popular physical access control systems offered by Tyco, Lenel and AMAG as well as with identity management systems such as IBM Tivoli Identity Manager. The appliance also incorporates an operating system, an Oracle distributed database, a web server, an application server, and Imprivata's business logic that runs the administration for the entire application.

Security Squared's Sharon J. Watson spoke with Ting in mid-May about how increased control over physical and logical access rights is especially attractive in industries with ever stricter regulation, such as finance and health care. We also discussed single sign-on's role in convergence, the relationship between IP address and physical location, and more.

What follows is an edited, abridged transcription of our conversation.

Sharon J. Watson: An application has no concept of where it exists in physical space and the physical access system has no concept...

David Ting: ...of IP access. So by bridging the two you can now superimpose a policy on top of that to control application and network access based on location. People are saying, maybe I'll have control room access for a production plant [to verify] when the user is actually in that location, so you have to badge into the building, badge into the control room before the user can actually log into the control system.

SJW: Forgive me if this is real basic: how does single sign-on (SSO) differ from and complement that kind of convergence?

DT: It's easy. Single sign-on eliminates the need for users to know those passwords [to application accounts]. When your users don't have to enter or even know the passwords, then you have the ability to totally shut down user access to applications just by disabling the single sign-on. So it becomes your enforcement point for access policies to a variety of applications. If your users don't know what passwords they have or can use, then the moment they leave the organization, and I shut off their network access to SSO, they can't go out and reuse their passwords--because they don't know what they are.

So SSO is often used as a means to obfuscate the passwords to the individual application. You funnel all your users' access through the SSO agent.

SJW: Let me envision that. I am a nurse in the ICU, and I get to log in to a lot of sensitive applications. I badge into the building, and that [function] may or may not be connected to the SSO.

DT: That may not be [connected], right. There may be different levels [of integration].

SJW: But let's say the two things were combined, so then I have to swipe the badge to get into the workstation and then--how do I log in?

DT: You can use the password, you can use the card alone. In a lot of health-care locations now what they're doing is during the day, the first time you come in with the card, you may have to enter the password or PIN to go with the card. Then during the rest of the shift, because the doctors or nurses have to constantly be getting in and out of applications, the card alone may be sufficient.

That gets even more secure when you combine location to know the person who is swiping that badge is actually within a known location within the hospital.

SJW: How much interest are you seeing in that aspect of convergence?

DT: We're seeing it in specialized environments. We're starting to see more of it in financial services, people who are doing insurance processing, we see a little bit in health care.

Health care is still experimenting with that concept. We see far more adoption in state/local as well as highly secured areas. We see it, for example, in transportation, utilities, things that have regulated requirements.

SJW: Where they're under more pressure to prove the actual physical person was actually there to do the logical application?

DT: Correct. And in those for whom demonstrating compliance is required or [they have] requirements to do deep forensic investigations.

SJW: Why is it fairly limited to those highly secure markets? Is there just not a use case for it elsewhere?

DT: In a health care environment, I think people are still trying to figure out how can you complement the workflow without adding one more layer of inconvenience to the user. So they're just starting to experiment with the use of the cards. But a lot of health-care organizations are saying, we really do like the use of the cards, we just don't have the means yet to tie in location through the physical security system.

SJW: The means being the money or the capability?

DT: The capability. From a monetary perspective, the cost of adding it is not that much. But increasingly what we're seeing hospitals do is be much more proactive in using the card as a means of authentication. You've got to remember for the longest time, health care has had no security requirements. They didn't even require users to log into the computer. Everyone shared passwords--as long as you were getting access to the patient record, that was all that was required.

Where it's becoming more important is when health-care intersects with pharmaceutical products. There we're increasingly seeing stricter regulations around user authentication and re-verification.

SJW: Who within the enterprise is most receptive to this message?

DT: Today it's the physical security manager or the CSO who has seen either data breaches or insider threat and wants to mitigate the organization from future incursion. So they have been very proactive in bringing us in. They say, I'd like you to talk to my IT counterpart to see how we can do this together. And many times when we talk to these people, it's usually after some sort of breach has occurred that they're not going to discuss. So after the horse has run out, they decide they need to add more security.

SJW: What's typically your reception from IT?

DT: IT gets sold on a different premise. They get sold on the single sign-on, on the ability to integrate policies and yes, the physical security interface to give them more flexibility on [enforcing] policy. So there are really two sides of the equation. The IT side, what they often like is the ability to deploy strong authentication and implement SSO, and auditing. From the physical security side, it is the ability to now incorporate policy that includes their access records as well.

SJW: I want to be clear, David: Are you talking health care or across the board?

DT: Across the board.

SJW: I talked to Sun and IBM: both had said their identity management platforms can do this stuff. You can define roles--down to individual Web pages--and push them out to systems.

DT: But they don't tie into physical security. You can set policies all you want--at the web page, at the application level--but you can't include where that user has last been or what door they came through last. That's information the physical security system grants you.

Talk to an identity management provider, and their concept of policy typically means authorization levels for a web page or web resource or network resource they can control through a network filter. If you talk to a [network access control] vendor, they'll say I can control all the network access, all the ports over the network, and I can set up policies. Yes, that is true. What [Imprivata] controls from our SSO is what privileges for application level access you can get from a given location. So it is quite different.

SJW: When you say given location, you mean more than an IP address?

DT: Absolutely.

SJW: So you are able to verify that a person is sitting in office A?

DT: Yes. Not only do I know you're in office A, but because the physical security system is tied back to the surveillance system, I can [ask] when Sharon came through that door, was that really her? I can go back to the surveillance camera and [see] you walking through the door and I can pinpoint you to say okay, you came through the door at 12:04 and you went into the pharmacy at 12:45 and you got onto this computer.

I think that's pretty much a physical evidence trail that leads you to say, the logical identity you used to log into a computer is tied to a location to an entrance event to a surveillance event. In many places, that's what they are looking for.

SJW: Is there a sense of competition between identity management vendors and folks like you or are you playing in different areas?

DT: It's complementary. It's actually more than complementary. We can do what they can't do. They can do certain levels of applications and web resource authorization, but they can't tie into location. So we supplement what they can't do.

SJW: That was largely my list of questions. What had you come prepared to talk about that we haven't?

DT: The only other thing I was going to add was in today's IT world, as we start to virtualize the servers, then virtualize more and more applications onto desktops...making sure your users are really in the building, in that server room configuring them, becomes more important.
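One way to express the policy Ting describes above as code: the SSO agent refuses a login unless the physical access system has seen the user badge into the zone where the workstation sits, the first login of a shift needs card+PIN while later ones accept the card alone, and every decision is recorded with the door event it relied on. This is an added Python example, not OneSign or Imprivata code; the workstation-to-zone map, the 12-hour step-up window and the function names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed topology: the zone each workstation sits in (an assumption, not Imprivata data).
WORKSTATION_ZONE = {"ws-pharmacy-1": "pharmacy", "ws-control-room": "control_room"}
# One shift: after a card+PIN login, the card alone is accepted for this many minutes.
STEP_UP_WINDOW = 12 * 60

@dataclass
class ConvergedState:
    zone: dict = field(default_factory=dict)       # user -> zone last badged into (from the PACS)
    last_door: dict = field(default_factory=dict)  # user -> (zone, minute) of that badge event
    last_pin: dict = field(default_factory=dict)   # user -> minute of the last card+PIN login
    audit: list = field(default_factory=list)      # evidence trail tying logins to door events

def badge_in(state, user, zone, minute):
    """Physical event: the access control system reports `user` badged into `zone`."""
    state.zone[user] = zone
    state.last_door[user] = (zone, minute)

def badge_out(state, user, minute):
    """Physical event: the user left the building, so no location can vouch for later logins."""
    state.zone.pop(user, None)
    state.last_door[user] = ("outside", minute)

def sso_login(state, user, workstation, minute, pin_ok):
    """Logical request from the SSO agent. Returns (allowed, reason) and records the decision."""
    need = WORKSTATION_ZONE.get(workstation)
    if need is None or state.zone.get(user) != need:
        # Location check: the last badge event must place the user in the workstation's zone.
        state.audit.append((minute, user, workstation, f"denied: not badged into {need}"))
        return False, "location"
    last = state.last_pin.get(user)
    if last is None or minute - last > STEP_UP_WINDOW:
        if not pin_ok:  # first login of the shift: the card alone is not enough
            state.audit.append((minute, user, workstation, "denied: card+PIN required"))
            return False, "step-up"
        state.last_pin[user] = minute
    door_zone, door_minute = state.last_door[user]
    state.audit.append((minute, user, workstation, f"allowed; door {door_zone} at minute {door_minute}"))
    return True, "ok"
```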