Single Sign On: Solution or Solution Component?
By John Smaling
No question about it, expansion of clinical systems remains a focal point for healthcare
organizations. As a multitude of different applications are deployed and leveraged by
clinical users, the need for multiple user accounts and related authentication events
increases. For users, having to remember multiple user IDs and passwords is troublesome
enough, but having to sign on to multiple systems every time that a user accesses a
computer compounds the issue. The days of generic logins and permanently signed on
applications are over thanks to HIPAA.
Many of us view the provision of single sign on as the cure to what ails the clinical
user’s computing experience. However, if we look more closely, it becomes apparent
that much more is required to thoroughly address the challenges posed by a highly dynamic,
fast-paced computing environment like that seen in most clinical areas. If a wish list
exists around optimizing session management for clinical users, it would surely contain
some of the following:
- Provide rapid logon and logoff capabilities
- Make it easy for me, and reassure me, that the same patient and episode of
treatment are active in every application I have open at any given time
- Allow me to comply with my organization's password change policies as easily
and transparently as possible
- If I forget my password or lock my account, let me assign myself a new password
and reset/unlock my account without waiting for the Help Desk to do it
- If I need access to new applications, or if I'm a first-time user, provide what I
need quickly rather than after the two-week delay it currently takes to grant me the
access I need
While this list is far from comprehensive, it should give rise to the following
question:
“Can single sign on accomplish all of this and more for my users?”
The answer is a resounding “NO”! A single sign on solution addresses only
number one on the short list above. What is really needed is an identity management
(IDM) solution. Vitalize considers a healthcare oriented identity management solution
as one that addresses the following areas:
- Single Sign On (SSO)
- Password Management (PM)
- Context Management (CM)
- User Provisioning (UP)
Briefly described, these four components of an IDM solution provide varying capabilities
that, when integrated, represent the potential for significant improvements for both the
user community and for IT. While dealt with in this article at a high level, we will
publish more in depth articles in future newsletter editions.
Single Sign On – SSO is the concept most often thought of when we consider
improving end user session management. Principally, SSO is viewed as the automated
provision of logon credentials to all applications launched by a user after primary
authentication. While this is true, a rich SSO solution must provide much more.
Functionality such as graceful logoffs, support for kiosk mode, and fast user switching are
highly important considerations. Similarly, the ability to integrate with a variety of
multi-factor authentication solutions such as biometrics or proximity cards is viewed by
many as a must-have feature.
Password Management – Security best practices mandate that
passwords be structurally complex, and that a password change policy be instituted that
requires users to change all of their passwords at regular intervals. Neither of these
is popular with the end user community. Complex passwords (such as those that require
upper and lower case, or that require a blend of numbers and letters) are difficult to
remember, particularly when a user has more than one of them. Furthermore, frequent
changes to this array of complex passwords make the situation even less tenable. A password
management system can address these areas and more by allowing for automated assignment of
secondary passwords, self-service password reset/unlock, and enforcement of password
construction rules. When coupled with a rich SSO solution, password management is a big win for the
organization.
Context Management – CM ensures that the same context is
maintained across different applications. The most commonplace "contexts" are
user, patient, episode, and observation. For
example, maintaining patient context across applications ensures that the same patient is
automatically selected upon the launch of each application that is managed by the CM
solution. A common technique for maintaining context is to leverage the CCOW standard.
Although this greatly eases the work required to deploy context management, not all
applications are CCOW compliant. To address this, vendors of context management solutions
now offer tools to exchange and maintain context between non-CCOW compliant
applications.
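The following is an added example (not code from the article or from any CCOW product) of how a context manager can keep patient context consistent across participating applications. It is modeled loosely on the CCOW idea of surveying participants before a change is committed; the `Participant` hook, the `ContextManager` class and the `Patient.Id.MRN` sample item are constructed for this illustration.

```python
"""Minimal patient-context manager (added example, loosely CCOW-inspired).

One manager holds the active patient. Each application joins as a participant
and is synced to that patient. A change is applied only after every participant
is surveyed and none objects (for example because it has unsaved work for the
current patient); otherwise the change is cancelled and all apps stay in step.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Participant:
    """A context-aware application. `has_unsaved_work` is a hypothetical hook
    standing in for whatever the real app checks when surveyed."""
    name: str
    has_unsaved_work: bool = False
    current_patient: Dict[str, str] = field(default_factory=dict)

    def survey(self, proposed: Dict[str, str]) -> Optional[str]:
        # Return None to accept the proposed patient, or a reason to object.
        if self.has_unsaved_work:
            return f"{self.name}: unsaved work for current patient"
        return None

    def apply(self, items: Dict[str, str]) -> None:
        self.current_patient = dict(items)


@dataclass
class ContextManager:
    participants: List[Participant] = field(default_factory=list)
    patient: Dict[str, str] = field(default_factory=dict)

    def join(self, p: Participant) -> None:
        self.participants.append(p)
        p.apply(self.patient)  # a newcomer is synced to the active patient

    def set_patient(self, items: Dict[str, str]) -> Tuple[bool, List[str]]:
        """Two-phase change: survey everyone, then commit to all or cancel."""
        objections = []
        for p in self.participants:
            reason = p.survey(items)
            if reason:
                objections.append(reason)
        if objections:
            return False, objections  # nobody changes; context stays consistent
        self.patient = dict(items)
        for p in self.participants:
            p.apply(self.patient)
        return True, []
```

Constructed sample items such as `{"Patient.Id.MRN": "12345"}` can be passed to `set_patient`; the boolean result tells the caller whether every joined application now shows that patient.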
User Provisioning – The premise behind UP is to ensure that
users get access to the right computing resources securely, quickly, and efficiently.
Highly workflow-oriented, provisioning applications largely delegate
application access and account assignment to department managers. These managers follow
a process by which they assign applications and/or resources to the users for whom they are
responsible. The actual account creation and rights assignment configuration steps are
performed in an automated fashion by the provisioning solution. These solutions also
can de-provision, effectively disabling a user’s access to computing resources
either in its entirety or in part. A great deal of work is required to properly design
and implement provisioning, but the downstream time savings and improved security are
considered worthwhile.
IDM solutions are very complex and there is a tremendous degree of variation among the
many vendor products available today. Not only are there feature and functional
differences among products, but some vendors only address one or a few pieces of the
identity management solution. Purchasers of a single sign on product have been shocked to
learn months after they’ve deployed SSO, that self-service password resets require
that they purchase another vendor’s product. As a consequence, they not only have
to undergo another evaluation and purchase, but they must now take measures to ensure that
the two disparate products integrate seamlessly. This is not to say that a multi-vendor
approach to an IDM solution is a bad one. Rather, take the time to understand the range
of capabilities your organization will require over the long haul, and engage in a
structured and thorough evaluation of the vendors and products in the IDM arena that best
address those needs.
Stay tuned for future newsletter articles about this complex and significant topic! In
future articles, we will address more specific considerations around SSO, PM, CM, and UP,
provide some insight into various vendors that occupy the IDM space, and outline some
important things to consider as you plan for an IDM evaluation and subsequent deployment.