John has logged into his desktop computer using the correct authentication credentials and is busily copying files from the network. The problem is, however, that John is on a business trip and couldn't possibly be at his desk. So who is?
That situation could have been prevented if the physical and logical access control systems were working together, so that John – or someone pretending to be him – would not have had access to the network from a corporate desktop if he hadn't first badged in. Similarly, if John were logged on to the network remotely, no one could have come into the building pretending to be him – the system would have recognized that he was already remotely authenticated to the network and therefore couldn't possibly be at the door using his badge.
Imprivata's OneSign appliance helps accomplish this convergence of access control systems, says Geoff Hogan, senior vice president, business development and product management, at the Lexington, Massachusetts-based company. Hogan explains that traditionally it's been difficult for companies to correlate three events – physical access to a building, local access to a network from within the building, and someone trying to access that network remotely.
OneSign is a device that consolidates the various physical and logical identities so that a security manager can create what Hogan calls 'a converged policy.' For example, the ability to log onto the corporate network from inside the building is predicated on that user first having badged into the building. When violations occur, users can be locked out physically or logically, and administrators are notified (right now, notifications are via e-mail, but Imprivata is researching new notification interfaces).
Consolidating user identities into one appliance has another benefit, Hogan says. When an employee leaves a company, his or her access badge is taken away so that physical access to a facility becomes impossible. "But on the IT side, identity persists in many places, such as in domain directories and human resource department databases," Hogan says. With OneSign in place, deactivating an ID card "will automatically lock people out of IT access. This is the real value of convergence," Hogan says. "You can use physical location as a determinant for whether or not they can get into the IT side of the business."