Imprivata Enterprise Access Management Environment Architecture Best Practices
Imprivata understands the importance of data security to your organization. Much of the security is built into the Imprivata Enterprise Access Management product.
The Imprivata appliance is a closed, locked down system.
- The Imprivata appliance is accessible only through authenticated sessions in the Imprivata Appliance Console, by Imprivata Enterprise Access Management client software, or the appliance APIs (Confirm ID, Prove ID Web, and Prove ID Embedded).
- All unnecessary services on the appliances are closed and there is no command line access to the appliance.
- There is no direct operating system or database access.
- There is no ability to modify or create operating system or database users.
- Software updates can only be done through the Imprivata Appliance Console and only in the form of digitally signed packages from Imprivata.
With that understanding, there are several environment and configuration settings that directly impact the security of the Imprivata solution. This section outlines best practices related to the implementation of the Imprivata Enterprise Access Management solution.
Environment
The Imprivata appliance is designed with standalone security measures, but strong security practices involve a defense in depth approach. For defense in depth, the appliance relies on secure environments in which to operate:
- The Imprivata appliances must be hosted with appropriate physical data center security.
- The appliances rely on strong corporate network security. Appliances are meant to be internal, never Internet facing.
- The hypervisor infrastructure hosting the appliances must be secured, with only appropriate individuals having access to the infrastructure.
For other security considerations for the hypervisor infrastructure, see the documentation from your hypervisor vendor.
Certificates
- Use TLS to secure communications, whenever possible. This is especially important in the following scenarios:
  - Establishing trust with an LDAP directory server.
  - Importing users from Active Directory. For more information, see "Managing Domains (Directories)" in the Imprivata Enterprise Access Management Online Help system.
- Use certificates from the Active Directory PKI infrastructure.
- On Linux thin clients, when configuring ProveID Embedded, install the Domain Root CA certificate.
- Track the certificates that are in use. Take special note of the following:
  - The expiry date of the certificates.
  - Where the certificates are installed or being used.
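One way to keep the expiry date and install location of certificates under watch on Windows hosts (for example the servers and endpoints that terminate TLS to the appliances) is a scheduled inventory of the local machine certificate stores. The script below is an added example, not Imprivata's own tooling or guidance; the 60-day warning window and the choice of stores (Personal, Trusted Root, Intermediate) are illustrative assumptions.

```powershell
# Added example (not from the Imprivata documentation): inventory the certificates in
# the Windows LocalMachine stores and flag those that are expired or expiring soon,
# so that expiry dates and install locations are tracked per host.
# Assumptions: run with local administrator rights; the warning window and the store
# list are illustrative choices, not Imprivata values.

param(
    [int]$WarnDays = 60,
    [string[]]$Stores = @('My', 'Root', 'CA')   # Personal, Trusted Root, Intermediate CAs
)

$now = Get-Date
$report = foreach ($store in $Stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" -ErrorAction SilentlyContinue |
        ForEach-Object {
            $daysLeft = [math]::Floor(($_.NotAfter - $now).TotalDays)
            [pscustomobject]@{
                Computer   = $env:COMPUTERNAME
                Store      = "LocalMachine\$store"
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                DaysLeft   = $daysLeft
                Status     = if ($daysLeft -lt 0) { 'EXPIRED' }
                             elseif ($daysLeft -le $WarnDays) { 'EXPIRING' }
                             else { 'OK' }
            }
        }
}

# Show the certificates needing attention first, and keep the full inventory as CSV
# so that the "where is it installed" question can be answered across hosts.
$report | Sort-Object DaysLeft | Format-Table Store, Subject, NotAfter, DaysLeft, Status -AutoSize
$report | Export-Csv -Path "cert-inventory-$($env:COMPUTERNAME).csv" -NoTypeInformation

$attention = @($report | Where-Object { $_.Status -ne 'OK' })
Write-Host ("{0} certificate(s) expired or expiring within {1} days on {2}" -f $attention.Count, $WarnDays, $env:COMPUTERNAME)
```

Collecting the per-host CSV files centrally gives a single list of thumbprints, subjects and expiry dates to review before a certificate lapses and breaks LDAP or agent communication.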
Communication
Consider the following items when configuring the communication to the Imprivata enterprise in your organization:
- Use firewall access rules so that internal servers communicate externally only with known and trusted DNS names.
- Use SSL inspection where it can be used (that is, where SSL inspection will not cause communication issues).
- Configure a separate VLAN for the server subnet, so that traffic such as broadcast traffic or port scans from the wider network has no effect.
Imprivata Appliances
Appliance Administrative Interfaces
There is no direct remote access to the Imprivata appliance via command line interfaces at the operating system or database level. There is access to the appliance by two web applications: the Imprivata Admin Console and the Imprivata Appliance Console.
- The Imprivata Admin Console is used to configure the application (users, applications, policies, etc.). Access to the Imprivata Admin Console is controlled via application users imported from and integrated with Active Directory, or created within the application directly.
  - Delegated administration is available in the Imprivata Admin Console to control administration rights and roles for application administrators. Imprivata strongly recommends an approach of least privilege, where administrators are limited only to the functions or users that they need to manage. For example, a helpdesk team member may be able to manage a set of users, but not manage the configuration, applications, or audit records.
  - Token-based two-factor authentication is directly available for the Imprivata Admin Console, and is recommended.
  - The Imprivata Admin Console imposes a timeout period for inactive administrator sessions. In the Imprivata Admin Console, go to the Settings page, System Settings section to configure a timeout value of up to 90 minutes using the Imprivata Admin Console Session Timeout setting.
- The Imprivata Appliance Console is used to configure and manage the virtual appliances for enterprise configuration, bootstrapping, backups, restores, upgrades, SMTP, and NTP.
  - The Imprivata Appliance Console ships with two pre-defined users: the Administrator and the Super-Administrator. Imprivata recommends using a very complex password and a Privileged Access Management system, for example, Imprivata Privileged Access Management, to manage these two appliance administrator credentials. For more information on Imprivata's Privileged Access Manager, see the Imprivata Privileged Access Management online help.
  - Imprivata strongly recommends an approach of least privilege, where administrators are limited only to the functions or users that they need to manage.
  - Configure email notifications for consecutive login failures to the Imprivata Appliance Console and set automatic account disablement after a preset number of login failures. Configure these settings using the Intrusion Detection tab of the Security page in the Imprivata Appliance Console.
  - The Imprivata Appliance Console imposes a timeout period for inactive administrator sessions. In the Imprivata Appliance Console, go to the System page, Settings tab to set the auto logout time to up to 600 minutes (10 hours).
Audit Records Management
Keeping a good audit trail is essential to a strong records management strategy. It facilitates non-repudiation and gives you a definitive log of which administrator made which change, and when, in the Imprivata Admin Console, for example when a computer policy or user policy changes.
- Archive the audit records on a regular basis to a file share, so they are not held solely on the Imprivata appliance.
- Use a secure method when archiving and storing audit records.
  - For transferring the audit records, use a secure method, such as an SSH-based transfer. The FTP protocol is not secure.
  - Store the audit records in a secure location.
- Balance the need for archived audit records carefully with performance considerations. You don't want to build up such a large set of audit logs that it adversely impacts the performance of the appliance. For this reason, Imprivata recommends that you use the Archive and delete option in the Imprivata Admin Console.
- Archive the audit records for a period of two years, so you can use them for forensic investigations.
For more information, see "Managing and Maintaining Audit Records" in the Imprivata OneSign online help system.
Post to Syslog and Appliance Log Management
The Imprivata appliance has a system log. A portion of these logs can be transferred to a system log server. These event logs can be used for active alerting and in cases where forensics are needed when the Imprivata appliance is unavailable.
Set up a server to receive the system logs.
In the Imprivata Appliance Console > System > Logs tab, click Edit to configure a remote syslog server. Enter the IP address or hostname of the syslog server and enable TLS communication to secure it.
Configuring NTP
It is important to synchronize the enterprise's time to a single source of truth. It is critical when using Kerberos authentication or smart cards, as the local time of endpoints can drift over time. For forensics, it is important to have consistent timestamps in events.
Configure the NTP server in the Imprivata Appliance Console > Network > NTP tab. For more information, see "Managing NTP Server" settings in the Imprivata OneSign online help system.
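The appliance-side NTP setting above covers the servers; the endpoints whose clocks "can drift over time" also need checking, because Kerberos and smart card logons fail once an endpoint is too far from the domain's time source. The following script is an added example, not from the Imprivata documentation: it runs `w32tm /stripchart` on a Windows endpoint against the organization's NTP source and reports the measured offset. The server name `ntp.example.internal` is a placeholder, the 2-second threshold is an illustrative choice, and the parsing assumes the `hh:mm:ss, +00.0123456s` line format that `w32tm /stripchart /dataonly` prints.

```powershell
# Added example (not from the Imprivata documentation): measure this endpoint's clock
# offset against the enterprise NTP source by parsing w32tm /stripchart output.
# Assumptions: $NtpServer is a placeholder; $MaxSkewSeconds is an illustrative limit
# (well inside the 5-minute Kerberos default tolerance); the stripchart data lines
# end with a signed offset such as "+00.0123456s".

param(
    [string]$NtpServer = 'ntp.example.internal',   # placeholder: replace with your NTP source
    [double]$MaxSkewSeconds = 2.0,                 # illustrative threshold
    [int]$Samples = 3
)

$raw = & w32tm /stripchart /computer:$NtpServer /samples:$Samples /dataonly 2>&1

# Keep only the sample lines and extract the signed offset in seconds.
$offsets = foreach ($line in $raw) {
    if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') { [double]$Matches[1] }
}

if (-not $offsets) {
    Write-Warning "No samples received from $NtpServer (output: $($raw -join ' | '))"
    exit 2
}

$mean = ($offsets | Measure-Object -Average).Average
$result = [pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    NtpServer    = $NtpServer
    Samples      = $offsets.Count
    MeanOffsetS  = [math]::Round($mean, 3)
    WithinLimit  = ([math]::Abs($mean) -le $MaxSkewSeconds)
    # Which source the Windows Time service is actually using, and when it last synced.
    TimeService  = ((& w32tm /query /status 2>&1 | Select-String 'Source|Last Successful Sync') -join '; ')
}
$result | Format-List

if (-not $result.WithinLimit) {
    Write-Warning "Clock skew of $($result.MeanOffsetS)s on $env:COMPUTERNAME exceeds $MaxSkewSeconds s; check the Windows Time service configuration"
    exit 1
}
```

Running this from a scheduled task or as part of endpoint health checks turns the "consistent timestamps" requirement into something measurable: an endpoint that reports a non-zero exit code here is one whose event timestamps cannot be trusted in a forensic timeline.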
Setting Up SMTP and Appliance Notifications
- Set up an SMTP server for the variety of appliance notifications sent to administrators.
- Set up email accounts that administrators will actively monitor.
Suspicious Email Alerts
Imprivata recommends that you configure email notifications of suspicious activity on the appliance or in Imprivata software applications, and login failures.
For more information, see The Intrusion Detection Tab in the Imprivata Enterprise Access Management online help system.
Reduce Login Failure
To reduce login failures, Imprivata recommends configuring several settings in the Imprivata Appliance Console.
For more information, see The Intrusion Detection Tab in the Imprivata Enterprise Access Management online help system.
- Max bad attempts: set this to a non-zero value.
- Send Email Alert: enable this setting.
Imprivata Admin Console Settings
Imprivata recommends the following Imprivata Admin Console settings.
Disable API Access
If you are not using API access for Imprivata Confirm ID, ProveID Web, or Imprivata ProveID Embedded, disable it.
On the API Access page in Imprivata Admin Console, select Do not allow API access from the drop-down lists.
Procedure Code Extensions
Procedure code extensions run any arbitrary script when a certain event occurs in the context of the user.
Security considerations should include:
- The area written to, and what happens to the file.
- Whether the Administrator must perform a security review, because scripts can do damage.
For more information, see "Imprivata OneSign Extension Objects" in the Imprivata Enterprise Access Management online help system.
Imprivata Admin Console Session Timeout
The Imprivata Admin Console imposes a timeout period for inactive Administrator sessions. You can configure this value (up to 90 minutes) via the Imprivata Admin Console Session Timeout setting in the System Settings section of the Settings page.
SPML Provisioning
For SPML provisioning, enable the following settings:
- Enable IP access protection
- Enable Client Request Authentication
For more information, see "Using Imprivata Provisioning Features" in the Imprivata Enterprise Access Management online help system.
Directories
Use TLS for secure communication to Active Directory.
Appliance Backup
Consider the following items when configuring Imprivata appliances in your organization:
- For each appliance, schedule database backups twice daily: one in the morning and one in the afternoon. The Imprivata database backup file contains the backup for the entire enterprise, not just a single site. The database backup does not back up the enterprise, agent, or appliance configuration files.
- Encrypt the backup file.
- Send backups to a secure file server, via SCP or a network share.
Imprivata Agents
Consider the following items when configuring the Imprivata agent on endpoints in your enterprise:
- Use SSL Validation on all endpoints.
- G4 appliances running 7.8 or later support TLS 1.3.
- G3 appliances running 7.4 or later support TLS 1.2. TLS 1.1 and TLS 1.0 are not supported.
- G3 appliances up to the 7.3 release support TLS 1.1 and TLS 1.2. TLS 1.0 is not supported.
The following Microsoft versions default to TLS 1.0:
- Windows Server 2008 R2
- Windows Server 2012
If your Windows endpoints are not already configured to use TLS 1.2 or higher, action may be required to prevent agent-to-G3-appliance communication from failing on some agent versions.
If you are unsure which endpoints are enabled for SSL validation, you can scan the Windows registry for the SSLValidation value of the ISXAgent registry key. The following table details this value:

Name: SSLValidation
Location (32-bit): HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent
Location (64-bit): HKEY_LOCAL_MACHINE\SOFTWARE\SSOProvider\ISXAgent
Value: Enabled=1, Disabled=0
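The registry scan described above can be run across a fleet with PowerShell remoting. The script below is an added example, not Imprivata's own tool: it reads the documented SSLValidation value on each endpoint and, as an added general Windows check that goes beyond the page, also reports whether the SCHANNEL TLS 1.2 client protocol has been explicitly disabled under `HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client`, which is the setting that decides whether an older Windows endpoint can reach a G3 appliance that only accepts TLS 1.2. The computer names are placeholders and WinRM is assumed to be enabled on the endpoints.

```powershell
# Added example (not from the Imprivata documentation): collect the Imprivata agent's
# SSLValidation registry value (1 = enabled, 0 = disabled, as documented) from a list
# of Windows endpoints, plus the SCHANNEL TLS 1.2 client state as a general check.
# Assumptions: PowerShell remoting (WinRM) is enabled; $ComputerName holds placeholders.

param(
    [string[]]$ComputerName = @('endpoint01', 'endpoint02'),   # placeholder names
    [string]$OutFile = 'imprivata-ssl-validation.csv'
)

$check = {
    $agentKey = 'HKLM:\SOFTWARE\SSOProvider\ISXAgent'
    $tls12Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

    $agent = Get-ItemProperty -Path $agentKey -ErrorAction SilentlyContinue
    $sslValidation = if ($null -eq $agent) { 'AgentKeyMissing' }
                     elseif ($null -eq $agent.SSLValidation) { 'ValueMissing' }
                     elseif ($agent.SSLValidation -eq 1) { 'Enabled' }
                     elseif ($agent.SSLValidation -eq 0) { 'Disabled' }
                     else { "Unexpected($($agent.SSLValidation))" }

    # SCHANNEL: an explicit Enabled=0 or DisabledByDefault=1 under the TLS 1.2 client key
    # turns the protocol off; if the key is absent the operating system default applies.
    $tls = Get-ItemProperty -Path $tls12Key -ErrorAction SilentlyContinue
    $tls12Client = if ($null -eq $tls) { 'OSDefault' }
                   elseif ($tls.Enabled -eq 0 -or $tls.DisabledByDefault -eq 1) { 'Disabled' }
                   else { 'Enabled' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        OSVersion     = [Environment]::OSVersion.Version.ToString()
        SSLValidation = $sslValidation
        Tls12Client   = $tls12Client
    }
}

$results = foreach ($c in $ComputerName) {
    try {
        Invoke-Command -ComputerName $c -ScriptBlock $check -ErrorAction Stop
    } catch {
        # Record unreachable hosts rather than silently skipping them.
        [pscustomobject]@{ Computer = $c; OSVersion = ''; SSLValidation = 'Unreachable'; Tls12Client = '' }
    }
}

$results | Format-Table Computer, OSVersion, SSLValidation, Tls12Client -AutoSize
$results | Export-Csv -Path $OutFile -NoTypeInformation

# Endpoints that need attention: validation not enabled, or TLS 1.2 explicitly disabled.
$results | Where-Object { $_.SSLValidation -ne 'Enabled' -or $_.Tls12Client -eq 'Disabled' } |
    ForEach-Object { Write-Warning "$($_.Computer): SSLValidation=$($_.SSLValidation), TLS 1.2 client=$($_.Tls12Client)" }
```

An endpoint reporting `OSDefault` on one of the server versions listed above (2008 R2 or 2012) is one where TLS 1.0 is still the default and the TLS 1.2 client setting should be reviewed before the agent is pointed at a G3 appliance on 7.4 or later.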