
Staying current: Merit Medical Systems and Symplified

A medical device manufacturer built in access to apps for mobile devices to allow staff to keep up with the times, reports Greg Masters.

Merit Medical Systems has hundreds of employees, partners and distributors who need to access multiple software-as-a-service (SaaS) applications to facilitate collaboration.

It's vital, as well, to be able to disseminate up-to-date training and sales information using laptops, iPhones, iPads, and the like. The apps used on these devices contain sensitive – and regulated – data, so the company needs to ensure that access control and authorization policies are enforced. 

The company, headquartered near Salt Lake City, manufactures medical devices used in diagnostic and interventional cardiology and radiology procedures. With more than 2,000 people worldwide, the IT team determined it was necessary to streamline the efforts of workers in the field who have multiple login requirements. There was too much stress from sometimes-conflicting access permissions, says Lincoln Cannon, the company's director of marketing technology. If the login wasn't correct, the company's information wouldn't integrate and display correctly, he says. 

Also, the sales executives and IT staff of the company – which markets its products in the United States and Europe through a direct sales force and a network of distributors – wanted to evolve to keep up with technological offerings. So, first, Cannon determined to provide Merit's mobile workers with simplified and secure access to company sales tools, training modules and collaboration applications from their laptops, smartphones and tablets. 

He and his team also sought to eliminate the existing multiple username/password combinations required to access cloud applications. Further, there was a need to reduce IT security risks associated with provisioning and de-provisioning users (setting up user accounts), and management costs associated with resetting passwords. And, the IT team wanted to establish centralized access management and a tight audit trail for security and compliance requirements.

The fact that Merit has a highly mobile workforce prompted action, says Cannon. “We have employees, partners and distributors with varying access permissions who need to collaborate from anywhere on the device of their choice,” he says. “We are supporting an array of smartphones, pads and laptops in the field.” Though, he adds, the days are numbered for laptops, as Merit's sales and marketing staff prefer the portability and form factor of iPads. These, he says, enable staff to more effectively share online brochures and videos during meetings, and they believe the pads foster a more collaborative conversation with prospects and clients. 

“Without unified identity and access management, IT staff was burdened with higher security risks for user provisioning/de-provisioning, and higher costs for password resets for users worldwide,” Cannon says. “The users themselves were burdened with logging in to several applications each time they required information to do their jobs effectively.”

Cannon's team of around 30 information technologists took a look at solutions from a number of large identity and access management (IAM) vendors, but the cost and implementation time would have been prohibitive, he says, and they didn't solve the mobile issue or cover SaaS, in-house and custom apps, which Merit needed to address. 

Symplified was the only vendor Cannon could find that was able to provide universal single sign-on (SSO) to on-premises, cloud and custom applications directly from any mobile device. And, he adds, as a cloud-delivered service, Symplified doesn't require his team to install and administer software on each device. “This enables our small IT staff to manage hundreds of global users on an array of mobile devices with relative ease,” Cannon says. “With one username and password, our user base has secure, fast and easy access to all the applications and data they are authorized to use.”

Cannon uses Symplified to manage corporate identities from Active Directory. The solution can also manage consumer identities provided by Google, Yahoo, Microsoft and other OpenID providers, unifying SSO for professional and social network applications, which are becoming increasingly popular.

Merit is using an integrated combination of Salesforce.com, Google Docs, Google Sites, Google Video, eLeaP learning management, a 3DCart store and various intranet applications with authentication provided through Active Directory. Cannon selected Symplified for what he terms its unified access management model, its speed of deployment and its ability to extend security to any mobile device. 

Universal coverage

To provide universal coverage for all mobile platforms in use at Merit, Symplified uses an identity-based approach to protect apps and data that does not require the installation and maintenance of software on the tablet or smartphone. This makes it possible to secure any operating system, which is especially helpful in cases where the device belongs to the employee. 

“Since users need only enter a single URL on their devices to securely access the apps they need, we can rapidly extend secure web access management, federated SSO and auditing to mobile devices and applications,” Cannon says.

Symplified's new architecture delivers the right applications to the right users on any computing device, anywhere the user happens to be – and does it securely and with centralization of management and auditing, says Darren Platt, CTO of Boulder, Colo.-based Symplified. “The Symplified solution has greatly improved user productivity, reduced IT management time in identity management, in setting/resetting passwords, increased security and provides Merit with audit capabilities on SaaS apps.”

Symplified uses a proven proxy architecture that works without agents or custom code, Platt says. “The company has developed and patented the only cloud-native IAM solution that extends and enforces policies on public and private cloud applications, and audits usage.” While some vendors focus on specific pieces of the cloud IAM problem, Symplified performs all the functions needed to secure access to cloud resources, he says.

Instead of requiring companies to install or write complex plug-in software for each application they want to secure, Symplified allows companies to select the applications they want to secure from the Symplified Trust Fabric App Store, says Platt. From there, security administrators simply set up their policies and link to the identity repositories they want to use for enforcing rules. 

Expansion planned

The deployment of Symplified's solution at Merit was faster and went even more smoothly than Cannon anticipated, and, he says, the company's support has been highly responsive when needed. “I'm pleased with Symplified, particularly because it extends identity management and SSO to any mobile platform without having to manage software on each device.”

The solution touches all of Merit's sales and marketing personnel, its distributors and portions of other divisions throughout the company. Cannon says that as the company continues to expand, it is likely to extend deployment of Symplified to more employees – and perhaps to customers.

“Symplified transforms access management integration projects into simple online service activation,” says Platt. “The solution also integrates with existing identity stores on a company's network, eliminating the need to replace or migrate user repositories. Unlike traditional access management technologies, with Symplified there is no software to install, manage or update.”

Further, deploying cloud applications presents a significant intellectual property protection and compliance challenge for enterprises. “Symplified enables IT departments to set and enforce access control policies on business data that resides outside the enterprise in third-party data centers,” says Platt. “Symplified natively integrates with hundreds of cloud applications, and more are continually added. If an application used by an organization is not currently available, Symplified offers integration services to add new cloud services to its catalog.”

These sorts of rapid updates have become essential in today's burgeoning market for mobile devices. According to Gartner, 46 percent of the world's mobile phones will be smartphones by 2013. And, Platt says, Symplified addresses this growing market by delivering identity and access management to any mobile device. 

Smartphones and tablets present unique security risks, and Merit has implemented measures to give additional protection to the data should a device be lost or stolen, says Cannon. “We have the ability to remotely wipe a device, and cloud applications tend to store less information on the device than do native applications.”

The cloud is becoming the new operating system, and mobile devices are becoming its dominant user interface, Cannon adds. Consequently, companies like Merit face the challenge of extending security and compliance policies to cloud applications accessed on various mobile devices. 

“Symplified greatly eased our transition to the cloud, and it enables us to extend to any mobile device without installing and managing software on each device,” he says. “This ensures Merit will continue to operate from a position of advantage in our highly competitive market.” 

[sidebar]

INGREDIENTS: SSO for mobile

Lincoln Cannon, director of marketing technology for Merit Medical Systems, says that by using a proxy architecture, Symplified manages security on traffic flowing to and from cloud applications to deliver the following services:

Centralized authentication and access control linked to Active Directory.

Security policy enforcement on cloud applications, without exposing identity information outside the firewall.

Single sign-on “SSO” to all authorized applications, including via mobile devices such as iPhones, iPads and laptops, for a more secure and efficient user experience.

Federated SSO between SAML (Google) and non-SAML (eLeaP) applications, which facilitates mashups between cloud applications.

Audit and reporting of cloud application usage for compliance.


This article originally appeared in an SC Magazine Mobile Spotlight.
