Imprivata Enterprise Access Management Security Considerations

User Security Best Practices

The sections below describe security best practices for Imprivata Enterprise Access Management administrators, end users, and temporary workers and vendors.

Security Best Practices for Imprivata Administrators

Least Privilege and Limited Duration Access for Administrators

A guiding principle for all user security is to limit the scope of access to only those who need it and to end that access for an individual or group when it is no longer needed. Imprivata strongly recommends an approach of least privilege, which for administrators means limiting them to only the operations, computers, or users that they must manage. For example:

  • Limit and record the names of users who have privileged access in the organization and the level of their access. Update the list whenever users with privileged access join or leave the organization.

  • Restrict the number of administrators allowed to maintain multiple accounts for an application. For more information, see "Enabling Multiple Accounts for a Select Population" in the Imprivata Enterprise Access Management online help.

  • Instruct administrators to log out of the Imprivata Admin Console and the Imprivata Appliance Console as soon as they finish working in those consoles. For more best practices for administrative consoles, see Appliance Administrative Interfaces.

Administrator Roles and Delegated Administration

Imprivata uses administrator and sub-administrator roles so you can delegate administrative authority throughout an enterprise. Imprivata provides three levels of administrator roles. One Super Administrator role can perform all operations in the enterprise. You can create as many subordinate roles as you need and have multiple users in each role.

The number of roles used typically depends on the size of your organization:

  • Small organizations with only one or two IT department members do not need delegated administration. Those one or two administrators usually have Super Administrator privileges. Imprivata recommends having at least two people per site or region assigned to this role, to avoid a scenario in which one administrator leaves, or cannot access the other's credentials, and no one else can administer the system.

  • Mid-size organizations might have, for example, two Super Administrators and four lower-level administrators. The four might be grouped into two pairs, with each pair having a different subset of privileges. For example, each pair might have limited access to properties, policy management, and/or user account management. Mid-size organizations often use a distribution of roles similar to that of large organizations, assigning roles to specific departments such as support, IT, or administration.

  • Large organizations typically have multiple levels of administrators with more fully delegated administration of operations, user accounts, and/or geographic regions. Imprivata recommends placing five or six roles in an administrative group. Examples of administrator roles limited by operations may include Help Desk Administrator, Application Profile Creator, ID Token Administrator, and Compliance Auditor.

Imprivata Enterprise Access Management operational capabilities with the greatest importance for security and risk include:

  • Assigning the Super Administrator role to a user, described in "Managing User Accounts" in the Imprivata Enterprise Access Management online help.

  • Controlling access to the Imprivata Admin Console, which provides access to many critical operational capabilities. For more information, see "Imprivata Admin Console" in the help portal.

  • Synchronizing the Imprivata users list to an Active Directory, described in "Synchronizing the Users List" in the online help portal. Synchronizing the Imprivata database updates the list of users in the Imprivata Admin Console to match the list of users in the selected directory server.

  • Deleting a domain (directory), described in "Managing Domains (Directories)" in the help portal. When you delete an Imprivata domain, you delete all user records and all user application credentials for that domain.

For a comprehensive overview of administrator roles and capabilities, including delegated administration, see "Administrator Roles (Delegated Administration)" in the help portal.

Two-Factor Authentication for Administrators

If an extra layer of security is needed for certain users and/or computers, for example, for administrators or for access to virtual desktop servers, implement two-factor authentication by adding Imprivata ID for Windows access, and disable "password-only" access. When a user logs into Windows with their username and password, Imprivata ID sends a push notification to their mobile device. They accept and are granted access. For more details, see "Imprivata ID for Windows Access" in the Imprivata Enterprise Access Management online help.

Also see Two Factor Authentication.

Administrator Password Management

  • Keep administrator passwords in a shared password safe, such as Dashlane, KeePass, and so on.

  • Whenever an IT employee leaves the organization, change key administrator passwords that day.

  • Follow best practices for password complexity, as described in "Best Practice — Password Complexity" in the Imprivata Enterprise Access Management online help.

Disabling an Administrator or Super Administrator Account

To disable an administrator account, disable it first in Active Directory and then also in Imprivata Enterprise Access Management. If you have automated synchronization between your Imprivata user list and one or more Active Directory directories, the next synchronization will disable the administrator account in OneSign. For better security, manually disable the account in EAM without waiting for the next synchronization. Also change key administrator passwords across your organization, including for access to the Imprivata Admin Console and Imprivata Appliance Console.

If the account you are disabling is a Super Administrator account, then after you disable it in Active Directory, the synchronization with EAM will not disable the account in EAM. You must manually disable or delete the account from EAM. Also change key administrator passwords and Super Administrator passwords across your organization.

Security Best Practices for Imprivata End Users

Least Privilege and Limited Duration Access for End Users

  • Ensure that users do not have administrator access to endpoint devices, including Windows administrator privileges and Linux root privileges. The Windows registry on Windows endpoints and the Imprivata folders on all endpoints should be protected from end-user access.

  • Ensure that users cannot install applications themselves. All application folders should be protected by default.

  • Deploy applications only to users who need those applications. If applications share credentials, then the application vendor must control and limit access to those applications. For applications that don't share credentials, you can limit the deployment of those applications to end users. In the latter case, disable access in the third-party application and also in EAM for layered security.

  • Restrict the number of users allowed to maintain multiple accounts for an application. For more information, see "Enabling Multiple Application Accounts for a Select Population" in the Imprivata Enterprise Access Management online help.

  • Use inactivity detection of less than 15 minutes in physical areas where users tend to use one workstation or remain in the area. Imprivata also recommends using Secure Walk Away, as described in Locking Workstations.

Secure Remote Access

  • Provide a VPN to secure traffic for employees when they are offsite.

  • Use Imprivata Enterprise Access Management Remote Access for users' remote access and enforce two-factor authentication, especially when accessing from offsite. For more details, see "Remote Access: Before You Begin" in the Imprivata Enterprise Access Management online help.

User Password and Imprivata PIN Management

  • Imprivata Self-Service Password Reset provides a convenience feature for users that can reduce calls to your help desk. For full details, see "Imprivata Self-Service Password Reset" in the Imprivata Enterprise Access Management online help. Consider the various factors involved for greater or lesser security, including:

    • Requiring re-authentication after password reset.

    • Allowing remote/external access to Imprivata Self-Service Password Reset. If you allow this access, allow HTTPS traffic only to the URLs and ports specified in that topic. Do not allow POST requests to any URL except the URL listed in the table in that section. For all other URLs, allow only GET requests.

    • For details on underlying security aspects of this feature, see "Technical Considerations" in that help topic.

  • Similarly, Self-Service PIN Reset lets users enter their password or answer security questions to reset a forgotten PIN. You can manage the security questions and require users to enroll security questions. For more details, see "Self-Service Imprivata PIN Reset" in the help portal.

  • Regarding the Imprivata Password Manager, if some or all users do not need to view or manage their own credentials, then disable this password manager for those users. You can disable it for some or all users in user policies under the Single Sign-On tab, as described in "Configuring SSO in User Policy" in the help portal. For more details on this password manager, see "The Imprivata Password Manager" in the help portal.

Mobile Device Management for End Users

Instruct users to report lost, stolen, discarded, sold, recycled, or replaced mobile devices to your helpdesk within 24 hours. In such cases, delete the user's Imprivata ID enrollment as described in "Managing User Devices" in the Imprivata Enterprise Access Management help. After a device is replaced, the user must download the Imprivata ID app again and enroll a new Imprivata ID. You can also enable users to delete an enrolled Imprivata ID from their workstation without calling your helpdesk first. For related information, see "Temporary Codes for Windows Access" in the Imprivata Enterprise Access Management online help.

Two Factor Authentication for End Users

Require two-factor authentication and disable "password-only" authentication for end users. For additional details, see Two Factor Authentication.

Disabling a User Account

To disable a user account, disable it first in Active Directory and then also in Imprivata Enterprise Access Management. If you have automated synchronization between your Imprivata user list and one or more Active Directory directories, and if that synchronization runs every hour, then the next hourly synchronization will disable the user account in Imprivata Enterprise Access Management.

For better security, and if your synchronization period is longer, manually disable the account in Imprivata Enterprise Access Management without waiting for the next synchronization.
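The following is an added example, not Imprivata's code and not an export format the product documents: it reconciles a constructed directory export against a constructed EAM user export and applies the rules from the two "Disabling" sections above (administrator and user accounts), listing accounts that are disabled in the directory but still enabled in EAM and stating whether synchronization can be left to disable them. The CSV columns, the `roles` field and the role names are assumptions for the example.

```python
import csv
import io
from dataclasses import dataclass

# Constructed sample exports for this example (not an Imprivata export format).
DIRECTORY_EXPORT = """username,enabled
alice,true
bob,false
carol,false
erin,false
"""
EAM_EXPORT = """username,enabled,roles
alice,true,
bob,true,Super Administrator
carol,true,Help Desk Administrator
erin,true,
"""
SUPER_ADMIN = "Super Administrator"


@dataclass(frozen=True)
class Finding:
    username: str
    roles: tuple
    action: str


def find_stale_eam_accounts(directory_csv, eam_csv, sync_period_hours):
    """Accounts disabled in the directory but still enabled in EAM, with the
    follow-up the guide calls for: sync never disables Super Administrators,
    other administrators should not wait for sync, end users may wait only
    when sync runs hourly."""
    directory = {r["username"]: r for r in csv.DictReader(io.StringIO(directory_csv))}
    findings = []
    for row in csv.DictReader(io.StringIO(eam_csv)):
        dir_row = directory.get(row["username"])
        # Skip accounts enabled in both, disabled in both, or not directory-backed.
        if row["enabled"] != "true" or dir_row is None or dir_row["enabled"] == "true":
            continue
        roles = tuple(r.strip() for r in row["roles"].split(";") if r.strip())
        if SUPER_ADMIN in roles:
            action = "manual: sync will not disable a Super Administrator"
        elif roles:
            action = "manual: disable administrator now and rotate key admin passwords"
        elif sync_period_hours <= 1:
            action = "next hourly sync will disable"
        else:
            action = f"manual: sync period is {sync_period_hours} h"
        findings.append(Finding(row["username"], roles, action))
    return findings
```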

Security Best Practices for Temporary Workers and Vendors

  • For temporary workers to whom you want to provide Imprivata services but who should not have regular network accounts, you can create an Imprivata Directory Domain in which you create those user accounts. Imprivata recommends that you create one or more user policies for those new users. For details, see "Creating Imprivata Accounts for Non-Domain Users" in the Imprivata Enterprise Access Management online help.

    You also can implement a password change policy for an Imprivata Directory Domain, as described in "Implementing a Password Policy" in the help portal.

  • Alternatively, temporary codes can be used when you need to provide Windows desktop two-factor authentication to a temporary user such as a contractor. The user uses their network password as their first factor and the temporary code as their second factor for authentication.

    • Temporary codes are only available for Imprivata Enterprise Access Management Remote Access and Imprivata ID for Windows Access.

    • Specify a temporary code expiration for when the worker no longer needs access. The maximum time period allowed is 14 days. Because this user will only ever authenticate with their password and a temporary code, place them in a user policy separate from your permanent employees.

    • Temporary contractors should not be allowed to enroll any authentication methods. For more information, see "Temporary Codes for Windows Access" in the help portal.

  • Ensure that vendors who access the Imprivata system propose remote access periods. Enable their accounts only for the time period needed and set them to expire after that period.