
Imprivata attempts at single sign-on

Mar 05, 2003
Access Control, Enterprise Applications

* Why Imprivata is one to watch

Single sign-on, the “Holy Grail” of identity management, has now entered the appliance category. Start-up Imprivata is launching its OneSign appliance as a “unique and innovative” solution to the need for strong authentication to networks, resources and services while retaining user friendliness.

Traditional solution providers in this space – such as PassLogix, with its v-GO software solution – have stored multiple passwords for a user in a secure directory structure, then acted on the user’s behalf when authentication was required. Some other schemes have used password synchronization via virtual and meta-directory products to attempt to overcome the “proliferating passwords” problem.

None of the existing solutions is 100% effective. But I’m not sure Imprivata understands why. Veteran readers should know that the following paragraph, taken from Imprivata’s introduction of OneSign, is guaranteed to raise my hackles:

“For some applications, directories are useful for storing user identities. However, most applications are incompatible with available schemas. Creating and maintaining a secure central directory service for all enterprise applications is impractical for most organizations.”

Well, duh! Most vendors I know and most enterprises gave up on trying to find a single-directory solution years ago. Yet in January 2003 Imprivata wants us to think that its competitors still see this as a viable solution. Even Microsoft, with its reliance on Active Directory for most things, realizes that there is more than one identity system on most networks.

In practice, what Imprivata does is take v-GO’s approach to SSO and put it into a “black box” that sits between users and everything they access. That is, it watches a user’s authentication the first time they access a resource or service, stores the user name and password, then replays that authentication whenever the user subsequently accesses the same service or resource.
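The learn-and-replay model just described, as an added illustration in my own toy code (this is not Imprivata’s OneSign or Passlogix’s v-GO, whose internals the column does not describe): an agent in front of the applications watches the first login, stores the credentials only after the application has accepted them, and replays them on later access. The one design point a practitioner should insist on is that the store holds plaintext-equivalent passwords, so it is encrypted and integrity-protected under a key derived from the user’s primary (network) password; a copy of the entries opened under the wrong primary password fails its integrity check instead of yielding passwords. The application names, accounts and the `app_login` check are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample target applications: app -> (username, password) it accepts.
# Hypothetical names and values; not Imprivata's or Passlogix's code.
APPS = {
    "payroll": ("alice", "pay-r0ll-Secret!"),
    "crm": ("alice.w", "crm#2003"),
}


def app_login(app: str, username: str, password: str) -> bool:
    """Stand-in for the target application's own login check."""
    expected = APPS.get(app)
    if expected is None:
        return False
    return hmac.compare_digest(
        f"{username}\x00{password}".encode(),
        f"{expected[0]}\x00{expected[1]}".encode(),
    )


def _derive_keys(primary_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the primary (network) password into separate encryption and MAC keys."""
    master = hashlib.pbkdf2_hmac("sha256", primary_password.encode(), salt, 100_000)
    enc_key = hmac.new(master, b"vault-enc", "sha256").digest()
    mac_key = hmac.new(master, b"vault-mac", "sha256").digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stdlib-only stand-in for a real AEAD cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


class CredentialVault:
    """Per-application secrets, encrypted then MACed under keys from the primary login."""

    def __init__(self, primary_password: str, salt: Optional[bytes] = None):
        self.salt = salt or os.urandom(16)
        self._enc_key, self._mac_key = _derive_keys(primary_password, self.salt)
        self.entries: Dict[str, Tuple[bytes, bytes, bytes]] = {}  # app -> (nonce, ct, tag)

    def put(self, app: str, username: str, password: str) -> None:
        nonce = os.urandom(16)
        plaintext = f"{username}\x00{password}".encode()
        stream = _keystream(self._enc_key, nonce, len(plaintext))
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(self._mac_key, app.encode() + nonce + ciphertext, "sha256").digest()
        self.entries[app] = (nonce, ciphertext, tag)

    def get(self, app: str) -> Tuple[str, str]:
        nonce, ciphertext, tag = self.entries[app]
        expected = hmac.new(self._mac_key, app.encode() + nonce + ciphertext, "sha256").digest()
        if not hmac.compare_digest(tag, expected):
            # Wrong primary password, or a tampered entry: refuse rather than emit garbage.
            raise ValueError(f"vault entry for {app!r} failed integrity check")
        stream = _keystream(self._enc_key, nonce, len(ciphertext))
        plaintext = bytes(a ^ b for a, b in zip(ciphertext, stream))
        username, password = plaintext.decode().split("\x00", 1)
        return username, password

    def reopen(self, primary_password: str) -> "CredentialVault":
        """The same stored entries opened under another primary password (e.g. a stolen copy)."""
        other = CredentialVault(primary_password, self.salt)
        other.entries = dict(self.entries)
        return other


class SsoAgent:
    """Learn-on-first-use, replay-thereafter agent sitting in front of the applications."""

    def __init__(self, primary_password: str):
        self.vault = CredentialVault(primary_password)

    def access(self, app: str, username: Optional[str] = None,
               password: Optional[str] = None) -> Tuple[bool, str]:
        """Return (logged_in, what_the_agent_did)."""
        if app in self.vault.entries:
            stored_user, stored_pw = self.vault.get(app)
            return app_login(app, stored_user, stored_pw), "replayed"
        if username is None or password is None:
            return False, "untrained"  # never seen this app; the user must log in once
        if not app_login(app, username, password):
            return False, "rejected"  # do not vault credentials the app did not accept
        self.vault.put(app, username, password)
        return True, "learned"


if __name__ == "__main__":
    agent = SsoAgent("primary-network-password")
    print(agent.access("payroll", "alice", "pay-r0ll-Secret!"))  # (True, 'learned')
    print(agent.access("payroll"))                               # (True, 'replayed')
```

Two things the toy leaves out that any real deployment has to handle: when the user changes a target password out of band, the replay fails and the agent must re-learn rather than lock the account with repeated bad attempts, and if the vault lives on a shared appliance the derived keys should exist only for the duration of the user’s session.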

While the idea of a dedicated appliance isn’t bad, it’s not going to make OneSign easier to install or maintain. You will still need to visit (physically or virtually) every user to install the OneSign client, to “train” the system on each application’s login, and to protect against users bypassing it (by logging in to an application directly from a computer without the client, for example) – all things you have to do with existing SSO services.

The appliance nature is useful in that there’s no contention for resources on the device. It’s also easy to install, maintain, upgrade and remove. The people behind Imprivata have good pedigrees, too – Chris Shaw, vice president of R&D, came from Netegrity while CTO (and co-founder) David Ting worked with biometric security systems for government projects. These people know and understand identity and security.

It is a company to watch, but here’s hoping it drops the “straw man” arguments and tries to sell on the strengths of its own product.