It’s a technology that many companies still find elusive, but single sign-on (SSO) is working as promised at Southwest Washington Medical Center (SWMC), while delivering a return on investment in just eight months. As a bonus, the SSO project also prompted the company to delve into virtualization technology, which is saving the firm some 20% on server resources along with heating, electricity and support costs.
The Vancouver, Wash.-based SWMC embarked on its SSO project to reduce the “hassle factor” for the 6,000 users who log on to an average of six to 12 applications per day, according to Christopher Paidhrin, CSO for the firm. During a session at the recent Network World IT Roadmap Conference & Expo in San Francisco, Paidhrin told attendees that SSO saves 15 to 30 seconds per logon, or roughly five minutes per day per employee – paying for the $100,000 price tag of the project in just eight months.
The SSO project, which involved implementation of the Imprivata OneSign appliance, was impressive enough on its own to earn SWMC a Network World All-Star Award. But during his IT Roadmap presentation, and in a follow-up interview, Paidhrin also expounded on the virtualization angle of the project. That involved implementation of the Softricity (now Microsoft) SoftGrid application virtualization platform, which reduced the number of Citrix servers required to provision applications for some 2,500 remote users while simplifying provisioning for internal users as well.
Driving the need
SWMC’s quest for SSO began in early 2005, driven by business and IT considerations. Reducing the hassle factor was important not only from a business productivity standpoint but also a competitive one, Paidhrin says. “Physicians work in a highly competitive environment and there’s competition right down the street,” he says, referring to the hospital eight miles away. Making their logon experience as seamless as possible can help encourage physicians to bring their patients to SWMC instead of another facility.
From an IT perspective, Paidhrin was looking to gain centralized control over all access management. And of course the medical center had to comply with regulations, including HIPAA and the Joint Commission on Accreditation of Healthcare Information Management requirements.
“There are 45 technical HIPAA elements, and single sign-on alone fully addresses eight and somewhat addresses 15 of them, at least as implemented in the Imprivata product. That gets us most of the way to our technical compliance,” Paidhrin says.
Selection and implementation
SWMC spent nine months researching SSO products before settling on Imprivata OneSign. The company looked at players both large and small, including Novell, IBM, CA and Sentillion. Many solutions were “very nice, but very expensive,” Paidhrin says.
Ultimately, Imprivata proved to be a good fit because it cost less than some competitors and could deal with multiple back-end sources of authentication information. That was important because SWMC, while on its way to migrating to Microsoft Active Directory as its sole source of authentication data, in the meantime had to deal with data stored in Novell NDS, a RADIUS server and a couple of proprietary healthcare-specific data stores.
At the time, Imprivata was still a relatively young company, however, so Paidhrin had one more requirement: that the product be easy to remove, just in case something went wrong. “We tested it. We turned the power off on both [Imprivata OneSign] devices and it had zero impact on the rest of the network,” he said. In that case, users would simply revert to their old logon routines.
The actual implementation took three months—not bad, considering SWMC at the time had more than 160 applications, a figure that is now closer to 200, and more than 6,600 employees or partners. The OneSign device requires no changes to any applications, only an agent to be installed on each client. OneSign builds XML-based profiles that describe the logon requirements for each application by “observing” typical application behavior. These profiles are stored on the OneSign appliance along with any company-defined policies.
SWMC started its implementation with 50 core applications, a process that was so successful that the company quickly expanded to the remaining applications.
Going virtual
Some 200 clinics, with about 2,500 physicians and medical staff, tie into SWMC remotely via SSL-based VPNs. To support those users, the company opted to create a Web portal through which remote users could access patient information. The back-end applications and SSL services run on Citrix servers, and SoftGrid enables the company to support more users with about 20% fewer servers. With SoftGrid, applications need to be loaded on only one server; the rest run virtual implementations that are served up as needed.
The company faced just a few hiccups in its Citrix/SoftGrid implementation, with only five to 10 applications presenting a serious challenge. “There are no applications that we have that cannot be Citrix-served,” Paidhrin says. That includes a large suite of new McKesson healthcare applications that the company is now installing.
Besides reducing server hardware requirements, SoftGrid saves SWMC an average of 20% on costs for HVAC, power, rack space and desktop support. It also makes upgrades, including patches, far easier to implement, because applications actually exist on only a single server. After testing the upgrade, “one individual can update an entire server farm in a matter of minutes,” he says.
Similarly, the virtual approach simplifies troubleshooting of user problems. “If it’s one user having a problem but you’ve got 300 other users using the same application on the same cluster, your triage cycle is greatly pruned,” Paidhrin says. Most problems are solved by simply closing and reopening the Citrix client or rebooting the machine.
Tallying the benefits
With its SSO and virtualization implementations up and running for about 12 months, SWMC is now enjoying the benefits, and ROI is certainly one. In addition to the eight-month ROI for OneSign, the SoftGrid ROI was immediate, based on the 20% savings in number of servers required.
At the same time, security has improved for SWMC. In the past, password policies were difficult to enforce, even though the policy stipulated password changes only every six months. For users who routinely used even six applications, that was too much. “We were lucky to get everyone to change once per year,” Paidhrin admits. Now, password changes are far simpler and the company can easily run an audit to determine when user passwords are out of compliance with company policy.
SWMC will also soon have all of its authentication data migrated to Active Directory. That single source for user data and policy information likewise improves security by eliminating duplicate accounts and making it simpler to enforce policies.
OneSign also supports a variety of authentication mechanisms, including biometrics, SecurID tokens and the traditional username/password. SWMC uses some of each for various applications. Its fingerprint readers work well most of the time, although Paidhrin says certain individuals have had problems. For example, one doctor swims every morning and comes in with hands swollen from chlorine. “In the afternoon [the reader] works flawlessly, but it doesn’t work in the morning.”
SWMC is now testing Indala Corp.'s passive stripe proximity cards, which are ID cards that can be read by a reader at distances of about 3 to 6 inches. The same card can be used to open doors to secure areas, log on to computers and even buy food in the cafeteria. In the trial, users swipe the card and enter a PIN, providing for two-factor authentication. Without the PIN, a lost or stolen card could be used by anyone to gain unfettered access until it was disabled in the system.
Perhaps the greatest benefit for SWMC from its SSO project is that the frustration level among users is down, Paidhrin says. “Once people get used to [Imprivata OneSign], they love it. Now they only have to remember one user account and one password.”
Desmond is events editor for Network World and president of PDEdit, an IT publishing company in Southborough, Mass. Reach him at paul@pdedit.com.