Product Group Tests
Single sign-on (2006)
March 01, 2006
Imprivata and RSA both excelled in this test, but we felt that the features of the RSA Sign-On Manager, backed up by the rest of the RSA suite and the technology’s strong pedigree, make it a worthy Best Buy. The Imprivata OneSign’s extensive set of features and robust solution win it our Recommended award.
Whether you prefer to call it single sign-on, access control or user authentication, the products in this test have been designed to verify the identity of users as they access applications and data on a computer or network.
Such access might be directly to the host device where data is stored, or to a remote device or service. Or the identity verification might be via resident software on the local device, software on a network server, a separate physical appliance connected to the network, a remotely managed service, or a combination of these.
And the identifying feature could be provided by a password, an electronic token, a biometric, or a PIN-generating device. Confused?
Are we in danger of making the whole concept so complicated that it becomes difficult for a typical systems administrator to manage? If so, this factor itself would be a potential security weakness.
The truth is that user authentication has become more complex, but this simply echoes the growing complexity of IT in general and the way people, corporations and governments access and use data.
And when you add the requirements of regulatory compliance to developments in operating systems, e-commerce and collaborative applications, IT security tools and the trend towards managed services, we may conclude that user authentication will become a crucial factor in our everyday IT experience.
Wherever a requirement exists, market forces rise to the challenge, producing a range of user authentication methodologies and devices to choose from. We might like to use the inherent capabilities of the popular operating systems and their directories, or we might choose to enhance those capabilities with electronic tokens or a biometric.
We might prefer a more sophisticated approach, with a dedicated appliance and a customised methodology, or we might like to use a managed service from a third-party supplier.
Or we might choose to construct our user authentication method and associated policies from a combination of these approaches.
Just how far we go might depend upon the perceived risk associated with unauthorised access to our IT resources and associated data. Clearly, this risk will vary significantly between organisations.
A good first step, then, would be a detailed risk assessment in order to identify and classify the level of risk appropriate to a given operation. Without this classification, it will be difficult to understand what degree of user authentication should exist within the organisation.
We should also understand precisely who our users are, what special requirements they might have, and how well we know them. For example, we might never have actually seen, or might not know very much about, some of our regular users – increasingly the case with collaborative applications.
However, while our systems architecture will reflect this, an appropriate level of confidence about the identity of whoever is connecting to our valuable resources is essential.
As well as the important security perspective, there is an additional need for identity management – for example, managing password or token expiry, removing leavers’ credentials, and generally verifying that your user information is correct and up to date.
Generally, you will need tools to manage this effectively, especially if you have chosen to implement a customised approach to user authentication. If you are using biometrics, there is an additional layer of managing the quality of reference templates and user-related verification issues.
Consequently, in this group test, we explore some different approaches to the issue and evaluate some of the readily available tools.
These form quite a mixed bag, and it is not easy to compare like with like. So we needed to take fully into account the benefits claimed by each product in isolation and how well these are realised in practice, as well as making a comparative evaluation.
The resulting overviews should provide a basis for the reader to understand the different approaches taken by individual vendors, together with their associated strengths and weaknesses. The reader might then like to align this with the realities of their own situation and how each approach might enhance user authentication within the organisation.
In conclusion, the whole area of user authentication is undoubtedly becoming more sophisticated as new challenges emerge within the sphere of information technology.
Fortunately, as we confirm in this group test, there are some excellent tools available with which to meet these challenges.