Imprivata: Working Toward a One-Password World
If you think you’re drowning in computer passwords, consider the plight of some doctors today. Many medical offices have a separate computer in each exam room, with several databases and other programs running on each machine. Programs containing patient data must be password-protected, and one study found that to access this data, some doctors had to type their passwords an astonishing 200 times an hour. In the time they spent typing passwords, the study estimated, these physicians could have seen one extra patient per day.
The programmers at Imprivata of Lexington, MA, want to help businesses keep computers and data safe while sparing their workers from the plague of passwords. “Good security should be transparent,” says David Ting, the company’s founder and chief technology officer. “It’s like when you’re driving your car. You are surrounded by tons of technology designed to protect you, yet you don’t see it. We are trying to do the same in the IT space, by providing a secure environment without impeding your ability to get your work done.”
The hallmark of the five-year-old, 100-employee company is a “single sign-on” appliance—a box that plugs into a company’s computer network, where it allows users of individual machines on the network to sign into their computer once, then forget about all the other passwords needed by individual applications. The software that comes inside the “OneSign” appliance automatically learns which programs need passwords and supplies them behind the scenes.
“Any application I launch from my desktop should trust me, because I own the desktop,” says Ting. “If you can prove who you are the first time, why should you have to re-verify every time you open a new application?”
Password-protected programs have proliferated inside many organizations to the point that some workers resort to using the same password for every program or, worse yet, writing down their passwords—defeating the whole point of computer security. Hence the glaring need for “enterprise single sign-on” (ESSO) systems, which are now available not just from Imprivata but from software giants like IBM, Oracle, Novell, Citrix Systems, and CA, as well as smaller firms such as ActivIdentity, Courion, and PassLogix. But Imprivata, a product of Polaroid Corporation’s startup incubator, was an early mover in the area, which explains how it’s rounded up 450 customers and raised some $34.5 million in venture backing to date from Boston-area firms Highland Capital Partners, General Catalyst Partners, and Polaris Venture Partners.
Of course, a single sign-on system is only as secure as the first sign-on. So Imprivata works with any sort of front-end authentication system customers may prefer, from RFID cards to fingerprint scanners to proximity sensors (the latter log users out automatically if they walk away from their computer). The company’s system also works with DigiPass tokens, keychain-sized devices made by Vasco that display ever-changing numerical “one-time passwords.”
The company’s biggest project right now, says Ting, is to link its computer access control systems with the larger systems that control access to buildings on secure corporate campuses. Imprivata is working with security system vendors such as Honeywell, Tyco, Lenel, and S2 to create an extra layer of authentication, so that users can only log on to their computers if the building’s security system verifies that they’re in the same location as the machine. “You can program it so that a person isn’t able to access his computer unless he’s actually badged into that building and into that room,” Ting explains.
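The badge-gated logon rule described above can be sketched as a small policy check. This is an added illustration, not Imprivata's code or any vendor's API: the event format, user and workstation names, and the 12-hour staleness limit are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data: badge reader events and workstation placement.
BADGE_EVENTS = [
    ("2024-01-08T08:02:00", "dr_lee", "in", "clinic-a", "exam-3"),
    ("2024-01-08T08:40:00", "dr_lee", "out", "clinic-a", "exam-3"),
    ("2024-01-08T08:41:00", "dr_lee", "in", "clinic-a", "exam-5"),
    ("2024-01-08T09:00:00", "nurse_kim", "in", "clinic-a", "exam-3"),
]
WORKSTATIONS = {"ws-exam-3": ("clinic-a", "exam-3"), "ws-exam-5": ("clinic-a", "exam-5")}
MAX_BADGE_AGE = timedelta(hours=12)  # assumed policy: stale badge-ins do not count


def replay_badges(events):
    """Return {user: (building, room, badge_time)} for users currently badged in."""
    presence = {}
    for ts, user, action, building, room in sorted(events):  # ISO timestamps sort by time
        if action == "in":
            presence[user] = (building, room, datetime.fromisoformat(ts))
        elif presence.get(user, (None, None))[:2] == (building, room):
            presence.pop(user)  # a badge-out only clears the room it matches
    return presence


def authorize_logon(user, workstation, now, presence, workstations=WORKSTATIONS):
    """Allow logon only if the user is badged into the workstation's room."""
    placement = workstations.get(workstation)
    if placement is None:
        return False, "unknown workstation"  # fail closed on unmapped machines
    seen = presence.get(user)
    if seen is None:
        return False, "no active badge-in"
    building, room, badged_at = seen
    if now - badged_at > MAX_BADGE_AGE:
        return False, "badge-in too old"
    if (building, room) != placement:
        return False, f"badged into {building}/{room}, not {placement[0]}/{placement[1]}"
    return True, "badge location matches workstation"
```

The check fails closed: a missing badge record, an unmapped workstation, or a badge-in older than the limit all deny the logon rather than falling back to password-only access.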
Ting says the company’s biggest competitors in the password management space—Citrix and PassLogix—lack Imprivata’s relationships with physical security vendors and therefore won’t be able to catch up in the area of converged “physical/logical” security systems, to use the industry buzzword. “Imprivata is unique and does not see its ESSO competitors being able to bring all the capabilities—ESSO, authentication management, and physical/logical—into the market in an easy-to-deploy form factor,” Ting says.
Imprivata hasn’t disclosed revenue data, but the company charges $14,000 for every 100 users of its OneSign appliance. (Companies with more than 1,000 employees pay $45 per user.) That may sound like a big expense—but single sign-on systems can often pay for themselves by cutting down on the amount of time IT staffers spend helping users reset their passwords, Ting says.
In Liverpool, England, for example, the Women’s National Health Services Foundation Trust, which provides gynecological services to two local hospitals, is implementing Imprivata’s OneSign system for 1,000 users. The organization told Computer Weekly that it expects the system will save the organization $42,000 per year on IT staffing costs and spare individual staff members 30 minutes per day currently spent signing on to various applications.