Many institutions approach access management incrementally, but forethought at Riyadh, Saudi Arabia-based Banque Saudi Fransi (US$26.7 billion in total assets) permitted a leap from manual password input straight to next-generation biometric authentication. "Password proliferation began creating challenges in 2003," explains Abdulilah Madan, systems security manager for the bank. "But consolidation solutions were too immature, expensive and difficult to deploy in our mixed mainframe and LAN environment. This caused us to delay an authentication project to early 2006. By that time, strong authentication [i.e., tokens, smart cards or biometric devices] had become viable. So we added this capability in our requirements."
Of the six authentication and access management solutions considered, Madan's team narrowed the choices to two by June 2006. One was a software-based solution while the other was Lexington, Mass.-based Imprivata's OneSign, a purpose-built appliance. "Although Imprivata's appliance was faster and simpler to implement, its fingerprint reader capabilities sealed the deal," recalls Madan. "The other solution only supported tokens or smart cards. Since fingerprints are an identifier that can't be stolen or imitated, and you can't lose them, we chose Imprivata."
During September 2006 a contract was negotiated for 200 site licenses to cover the bank's headquarters, with plans to expand to 2,200 users enterprisewide once the initial implementation proved successful. The appliance, along with UPEK's (Emeryville, Calif.) fingerprint biometric readers, arrived in December and implementation started in January. According to Imprivata, the self-contained appliance walks users through the deployment process using a Web-based interface and automatically learns the password/access behaviors of all applications.
"Since the appliance is plug-and-play, we integrated 80 applications and distributed all of the fingerprint readers within two months," Madan notes. "By June 2007 all necessary policies and procedures were developed for an enterprisewide rollout. This included the best practice of scanning three fingers, rather than just one finger, to minimize scanning failures." Over the next 18 months Madan's team visited workstations spread across a country approximately three times larger than the state of Texas to add the remaining 2,000 users.
During the rollout, Madan learned that an impending third-party middleware issue was threatening Imprivata's biometric customers globally. But, he says, the resolution was easily deployed. "Imprivata provided a patch we could deploy overnight, so there was no business impact," Madan explains.
As the rollout of OneSign neared completion in August 2008, benefits were mounting. "Administrative activities related to password resets and lockouts have dropped by 35 to 40 percent," reports Madan. "And workstation sharing has decreased by 90 percent. In addition, reports of password sharing declined from an average of about 20 to one or two. Most important, people stopped keeping written-down passwords under their keyboards or stuck onto their monitors."
Madan also credits Imprivata with incorporating requested improvements into the product. For example, the next upgrade will offer a bleeding-edge functionality called "layered authentication." Whenever a user needs to access a second application from within another application, a pop-up box will provide access instructions, according to Madan. "In the current version, there is no dialogue box prompting users for the second scan," he explains. "And a user's desktop is locked until a scan is completed." Until the upgrade is available, the workaround for this situation, which affects 800 users, is that the OneSign appliance supplies the same password for the second application that is used to access the first, not an ideal solution from a security standpoint, Madan admits.
Regardless, Madan continues to bring existing OneSign functionalities online. By late 2008 the bank's event monitoring systems were integrated with OneSign, Madan relates. In 2009, he says, OneSign's physical access monitoring capabilities will be enabled, and the bank's identity management system will be linked to the appliance.
At some point, Madan adds, Imprivata's reporting features will be used to tightly align site licenses for all types of applications to match the actual number of users. And the user population will eventually grow to almost 3,000. "Best of all, we never need to modify applications or architecture to accommodate Imprivata," says Madan. "Whatever we add, Imprivata will cater to it automatically."
Case Study Snapshot
Institution: Banque Saudi Fransi (Riyadh, Saudi Arabia).
Assets: US$26.7 billion.
Business Challenge: Improve security by automating password entry.
Solution: Imprivata's (Lexington, Mass.) OneSign appliance with UPEK's (Emeryville, Calif.) fingerprint biometrics scanners.