VASCO DIGIPASS Plug-In for Imprivata
Secure your LAN, remote access and Single Sign-on with VASCO and Imprivata

Benefits:

Secure LAN and remote access and SSO

• Adding two factor authentication to the remote network, local network and SSO
• Secure access to the corporate network assets anytime and anywhere
• Secure access to enterprise applications
• Prevents unauthorized network access

Native integration

• Native integration with Imprivata OneSign
• Leverages existing IT infrastructure
• Up and running in no time

Scalable

• More users can simply be added
• Can be reused to secure more/other business applications
• Caters for all your strong authentication needs

Low Total Cost of Ownership

• Little to no cost for user administration and support
• No additional infrastructure investments

Imprivata OneSign Authentication Management:

Imprivata OneSign Authentication Management (OneSign AM) replaces Windows and remote access VPN passwords with a broad range of strong authentication options, including integrated management for VASCO DIGIPASS One-Time-Password tokens, finger biometrics, smart cards and building access cards. OneSign AM provides greater security through flexible user authentication management, whether accessed through the network locally, via remote VPN, or while working offline.

Imprivata OneSign is shipped as a hardware appliance pair - there is nothing else to buy, install or maintain. The power of OneSign is that it’s ALL in the box. You can seamlessly enable additional capabilities as your needs evolve - all with a simple license key.

Benefits for Imprivata OneSign Authentication Management

Hardened, appliance-based packaging

• Encrypted database
• Locked ports
• Hardened operating environment

Plug-and-Go

• Easy to install, configure, deploy and manage
• Built-in failover and redundancy
• Nothing else to buy, install or manage

Out-of-the-Box

• Choice of strong authentication options by user
• Simple and intuitive web-based administrative UI
• Built-in monitoring and reporting
• No change to existing infrastructure – directories, applications or workflow
• Seamless integration with OneSign Single Sign-On and Physical/Logical; simple license key upgrade

Lowest TCO

• Less than 50% of the cost of competitive solutions
• Minimal consulting/services costs
• Low end user training/support costs with no disruption to user workflow

Features for Imprivata OneSign Authentication Management

Broad Support for Strong Authentication

OneSign Authentication Management provides native support for a broad range of authentication options including:

• One-Time-Password (OTP) tokens (including built-in support for VASCO DIGIPASS OTP tokens)
• Finger biometrics
• Smart cards
• Building access cards
• Kerberos ]
• USB tokens
• ID tokens

Customers can offer their users choices that best suit their roles. Strong authentication methods are available stand-alone or can be achieved by mix and match use of access cards with finger biometrics or passwords. OneSign Authentication Management is designed to make deployment of authentication technologies easy, eliminating the need for third party authentication servers typically associated with implementations. Users can even take advantage of pre-existing, low cost passive access cards as a familiar, easy authentication option without reissuing cards to users.

Built-in RADIUS Host for Remote Access Authentication

The OneSign appliance now contains a built-in RADIUS host for handling remote access authentication using passwords or VASCO DIGIPASS One-Time-Password tokens.

Built-in Support for Low Cost TouchStrip Fingerprint Scanner

OneSign provides native support for the new, low cost USB fingerprint readers that utilize the UPEK TouchStrip sensor, as well as the UPEK TouchStrip readers built into many laptop models including the Dell Latitude and IBM/Lenovo Thinkpad. Native support includes OneSign enrollment and seamless fingerprint identity matching.

Monitoring and Reporting

OneSign records all user events in a centralized log file, providing a reporting trail accessible to the administrator. User events, including data on which users accessed the network and when, are collected and consolidated for centralized viewing and reporting. Pre-established reports are easy to create and manage.

Imprivata OneSign Single Sign-On :

Imprivata OneSign Single Sign-On (OneSign SSO) quickly and effectively solves password management, security and user access issues. OneSign SSO single sign-on enables ALL applications - legacy, client/server, and web - without requiring any custom scripting, changes to existing directories, or inconvenient end-user workflow changes.

Imprivata OneSign is shipped as a hardware appliance pair - there is nothing else to buy, install or maintain. The power of OneSign is that it’s ALL in the box. You can seamlessly enable additional capabilities as your needs evolve - all with a simple license key.

Benefits of Imprivata OneSign Single Sign-On:

Seamless Physical Access Control System Integration

OneSign Physical/Logical has built in integration for Physical Access Control systems:

• Tyco/Software House - Cure
• Lenel Systems International – OnGuard
• S2 Security - NetBoX
• Identity Mapping – One “Converged” Virtual Identity

Today, identities in physical access security systems and their related access policy are independent from identities and access policy managed on the IT security side of the organization. This creates security gaps, heightening opportunity for threats to enterprise assets.

OneSign Physical/Logical maps identities between physical access systems and IT directories to enable one converged policy for allowing or denying network access based on a user’s physical location and badge events, organizational role, and/or employee status.

Location-based Authentication

To better secure building facilities and conduct employee role calls in the event of an emergency, many companies have anti-tailgating policies which seek to prohibit employees or visitors from gaining entry to a workplace location by following in on the heels of a co-worker who has just badged into a door entry reader.

Unfortunately, anti-tailgating policies are difficult to enforce. OneSign Physical/Logical incorporates a user’s location and building card access events (have you badged into the building or zone?) as a factor when determining authentication to the network, thus improving the ability to enforce anti-tailgating policies.

Using OneSign Physical/Logical, companies can cost effectively enforce anti-tailgating by tying an employee’s network access to use of their physical access card when entering the workplace.

Further still, location-based authentication can be leveraged to apply a finer grain of authentication to sensitive network resources. For example, policy can be applied to determine that only certain groups of individuals, say email server administrators, can only log onto email servers within a secured room after they have first badged into the room.

Instant User Lock-Out

For most organizations, latency between revoking a user’s identity from the physical access control system and deprovisioning their respective IT and VPN directory identities takes days or weeks - - and sometimes never. This creates serious security gaps for protecting company confidential information.

OneSign Physical/Logical closes these gaps. With mapped identities and access policy, when an employee leaves the company and is revoked from the physical access control system, the user is also locked out of access to both the local network and remote VPN - - instantly - - regardless of the user’s identity status in other directories, thus mitigating the threat of former employees accessing network assets with the intent of malice.

Monitoring and Reporting

The ability to monitor and report on who is accessing what, from where, and when is a critical component to demonstrating compliance, both for the purpose of government regulations and corporate governance.

OneSign’s robust monitoring and reporting engine allows organizations to compile the sequence of events between a user’s physical access activities and network use to provide detailed user access reports, and administrator notifications, thus improving the ability to demonstrate regulatory compliance.

Broad Support for Strong Authentication

OneSign Authentication Management provides native support for a broad range of authentication options. Customers can offer their users choices that best suit their roles. Strong authentication methods are available stand-alone or can be achieved by mix and match use of access cards with finger biometrics or passwords –including native integration with VASCO DIGIPASS. Users can even take advantage of pre-existing, low cost passive access cards as a familiar, easy authentication option without reissuing cards to users.

Application Profile Generator (APG)

The OneSign Single Sign-On Application Profile Generator™ (APG) enables secure and seamless single sign-on and password change support for ALL enterprise applications - without requiring any modifications to existing code. With OneSign’s APG, the arduous task of writing login scripts, or building connectors to each application in order to enable single sign-on is completely eliminated. OneSign’s APG “learns” the behavior of any application’s authentication processes and then generates a single sign-on application profile that stores these attributes in XML. Applications can be single sign-on enabled within minutes. These profiles, together with their corresponding policies, are automatically uploaded to the OneSign appliance by the APG and are ready for deployment and automatic distribution to users at runtime.

With OneSign’s APG, even the most challenging of application password change behaviors and login processes can be learned. The powerful technology can capture and proxy for applications like custom Terminal Emulators, SAP, Oracle Forms, JAVA clients, etc. – all of which have complex or hidden controls that have previously required IT staff to write 'workarounds' or custom scripts to successfully configure single sign-on.

Automated Password Changes

OneSign Single Sign-On allows administrators to implement a clear, straightforward, and secure password policy across all target applications based on users’ primary authentication. For additional security measures, OneSign Single Sign-On has the ability to cycle complex application passwords behind-the-scenes on users’ behalf, enabling realistic enforcement of a strong password policy from one central location.

Self-Service Password (SSPW)

Management Many OneSign Single Sign-On customers will use MS Domain or Novell passwords as a primary authentication mechanism for single sign-on. OneSign Single Sign-On users can reset their primary domain password by adding this optional self-service mechanism. SSPW management requires the user to enroll shared secret information using personalized questions and answers.

Enrollment consists of providing answers to a set of personal questions drawn from a central list. The Administrator decides how many questions must be selected from a list presented to the user and answered during enrollment. The Administrator also decides how many questions must be answered correctly during a SSPW services request. These two settings are part of the security policy and are applied to users.

Provisioning Interface

Using OneSign Single Sign-On’s new standards-based Service Provisioning Markup Language (SPML) interface, third party User Provisioning systems can provision and update user accounts, applications and application credentials within OneSign Single Sign-On, eliminating the need to distribute application passwords to end users. Imprivata provisioning partners who have developed out-of-the-box connectors to OneSign Single Sign-On include Courion and Fischer International.

Monitoring and Reporting

OneSign Single Sign-On records all user and application events in a centralized log file, providing a reporting trail accessible to the administrator. User events pertaining to SSO services - including data on which users accessed what applications and when - are collected and consolidated by OneSign Single Sign-On for centralized viewing and reporting. In addition, event logs capture information on user switching and password changes with time stamps and computer attributes that verify authentication and lockout incidents.

Features of Imprivata OneSign Single Sign-On:

Hardened, appliance-based packaging

• Encrypted database
• Locked ports
• Hardened operating system

Plug-and-Go

• Easy to install, configure, deploy and manage
• Built-in failover and redundancy
• Nothing else to buy, install or manage

Out-of-the-Box

• Drag and drop enablement of all applications - Application Profile Generator (APG)
• Simple and intuitive web-based administrative UI
• Built-in monitoring and reporting
• No change to existing infrastructure – directories, applications or workflow
• Seamless integration with OneSign Physical/Logical; simple license key upgrade

Strong Authentication

• Built-in support for a wide variety of strong authentication including finger biometrics, smart cards, VASCO DIGIPASS One-Time-Password tokens, building access cards, other

Lowest TCO

• Minimal consulting/services costs
• Low end user training/support costs with no disruption to user workflow

Imprivata OneSign Physical/Logical:

OneSigN Physical/Logical integrates network and building access systems to provide a single consolidated user identity. Organizations can now implement one comprehensive, converged policy for allowing or denying network access based on a user’s physical location, role, and/or employee status.

Imprivata OneSign is shipped as a hardware appliance pair - there is nothing else to buy, install or maintain. The power of OneSign is that it’s ALL in the box. You can seamlessly enable additional capabilities as your needs evolve - all with a simple license key.

Benefits for Imprivata OneSign Physical/Logical

Interoperability with Physical Access Control systems?

• Card/badge agnostic
• Maps identities between physical security and network directories
• Single converged building and IT access policy
• Interoperable with existing infrastructure; no impact to existing systems

Hardened, appliance-based packaging

• Encrypted database
• Locked ports
• Hardened operating system – Linux

Plug-and-Go

• Easy to install, configure, deploy and manage
• Built-in failover and redundancy

Out-of-the-Box

• Simple and intuitive web-based administrative UI
• Built-in monitoring and reporting
• No change to existing infrastructure – directories, applications or workflow
• Seamless integration with OneSign Single Sign-On; simple license key upgrade

Strong Authentication

• Built-in support for a wide variety of strong authentication including finger biometrics, smart cards, One-Time-Password (OTP) tokens, building access cards, other
• Built-in RADIUS host

Lowest TCO

• Minimal consulting/services costs
• Low end user training/support costs with no disruption to user workflow

Features of Imprivata OneSign Physical/Logical

Seamless Physical Access Control System Integration

OneSign Physical/Logical has built in integration for Physical Access Control systems:

• Tyco/Software House - C●Cure
• Lenel Systems International – OnGuard
• S2 Security - NetBoX
• Identity Mapping – One “Converged” Virtual Identity

Today, identities in physical access security systems and their related access policy are independent from identities and access policy managed on the IT security side of the organization. This creates security gaps, heightening opportunity for threats to enterprise assets.

OneSign Physical/Logical maps identities between physical access systems and IT directories to enable one converged policy for allowing or denying network access based on a user’s physical location and badge events, organizational role, and/or employee status.

Location-based Authentication

To better secure building facilities and conduct employee role calls in the event of an emergency, many companies have anti-tailgating policies which seek to prohibit employees or visitors from gaining entry to a workplace location by following in on the heels of a co-worker who has just badged into a door entry reader.

Unfortunately, anti-tailgating policies are difficult to enforce. OneSign Physical/Logical incorporates a user’s location and building card access events (have you badged into the building or zone?) as a factor when determining authentication to the network, thus improving the ability to enforce anti-tailgating policies.

Using OneSign Physical/Logical, companies can cost effectively enforce anti-tailgating by tying an employee’s network access to use of their physical access card when entering the workplace.

Further still, location-based authentication can be leveraged to apply a finer grain of authentication to sensitive network resources. For example, policy can be applied to determine that only certain groups of individuals, say email server administrators, can only log onto email servers within a secured room after they have first badged into the room.

Instant User Lock-Out

For most organizations, latency between revoking a user’s identity from the physical access control system and deprovisioning their respective IT and VPN directory identities takes days or weeks - - and sometimes never. This creates serious security gaps for protecting company confidential information.

OneSign Physical/Logical closes these gaps. With mapped identities and access policy, when an employee leaves the company and is revoked from the physical access control system, the user is also locked out of access to both the local network and remote VPN - - instantly - - regardless of the user’s identity status in other directories, thus mitigating the threat of former employees accessing network assets with the intent of malice.

Monitoring and Reporting

The ability to monitor and report on who is accessing what, from where, and when is a critical component to demonstrating compliance, both for the purpose of government regulations and corporate governance.

OneSign’s robust monitoring and reporting engine allows organizations to compile the sequence of events between a user’s physical access activities and network use to provide detailed user access reports, and administrator notifications, thus improving the ability to demonstrate regulatory compliance.

Documentation:

Download the VASCO VACMAN DIGIPASS Plug-in for Imprivata Data Sheet (.PDF)