Easy Access
Single sign-on cuts support and training costs while speeding access to critical data.
Nelson Martinez Jr. used to hate Monday mornings. As systems support manager for the city of Miami Beach, Fla., he is charged with ensuring that IT efficiently supports the city’s government offices as well as its public-safety officers. And each Monday, his help desk was inundated with calls for password resets.
But these days, Monday mornings are quiet. Just over two years ago, Martinez implemented Imprivata’s OneSign single sign-on (SSO) appliance, which, in addition to providing law enforcement and government employees with access to the city’s various applications and data stores through a single ID and password, also includes a self-service password-reset function.
“Before, we were getting 50 calls every Monday, and now it’s gone down to maybe two or three, if that,” he says. “It’s a nice change.”
Simplified Sign-on
More state and local law enforcement agencies are implementing SSO as it matures and the benefits become more concrete. In the past, SSO solutions were complex and difficult to integrate, but options like Imprivata’s appliance are now easing SSO rollouts.
Imprivata’s OneSign is a hardened appliance with a Linux-based OS that integrates with the city’s Active Directory (AD) directory service to enable employees to use just one ID and password to access a variety of back-end applications and data stores. It can also handle access to legacy, non-AD applications by using profiles developed in house.
“Being in government, we like to get the most ROI we can, and we still have our share of legacy applications,” Martinez says. “And unfortunately, with legacy apps, some of them have internal built-in ID authentication that doesn’t really integrate with a directory service like Active Directory.”
To include legacy applications in the SSO solution, Martinez uses a wizard within Imprivata to build a profile for each app that includes parameters such as the look of the login screen, where on the screen the ID and password are entered, what they look like and what screens a successful login generates. The next time users try that application, they enter their user ID and password, but Imprivata captures that information.
“The minute they put in their ID and password, the Imprivata agent associates it with them, so the next time they crank it up, it automatically provides the user ID and password,” Martinez says. “And they don’t have to put anything in there again.”
The result is that Miami Beach’s law enforcement community is far more efficient. “The less time it takes for us to log in or do password resets for public safety, the more time they can spend inside their vehicles doing productive work,” Martinez explains. “And that benefits the whole community.”
Active Directory Approach
Like Miami Beach, law enforcement agencies within the state of Alabama also were finding that password management for its various back-end data stores and applications was getting out of hand.
“We had multiple tools out there that weren’t getting used because it would take officers too long to log in,” says Shane Hammett, senior project manager for the Alabama Criminal Justice Information Center (ACJIC). “Plus, there were multiple passwords, people were constantly calling that they’d forgotten their password, and expiration of passwords on all these applications were at different times. It got to be very complicated, and we knew we had to address that.”
At the time, appliance-based solutions like Imprivata were not commonplace. So the team at ACJIC implemented a homegrown SSO solution as part of the AlaCOP.gov web portal. The .NET application, called the Active Directory Authentication Processing Tool (ADAPT), acts as a generic front end to the various applications and data stores accessed through the portal. ADAPT integrates with AD in the background so that once a user logs into the portal, ADAPT checks his AD credentials and automatically provides him with the correct rights and privileges.
“This allows law enforcement to access as many different data stores as possible, everything from driver’s license information to criminal history to office of the courts documentation, warrants and sex offender data stores,” Hammett says. As a result, this has significantly reduced support costs.
The key, Hammett says, is to ensure the gateway SSO access application is as generic as possible. “It’s homegrown, but we’ve done it in such a generic way that it’s not been too costly to implement, and every time we need to add a new application, it’s pretty straightforward for the vendor to adapt to it.”
He is working on extending the SSO solution to enable access to data stores outside the state’s borders. “It’s a policy challenge, not an SSO or technology challenge,” he says.
License and Registration, Please
Dane County, Wis., integrates several state and local law enforcement databases to provide real-time data access to patrol officers anytime, anywhere.
A Madison, Wis., police officer recently stopped a driver for a routine traffic offense. After ticketing the individual, he used his wireless notebook to enter the information he collected about the driver into Dane County’s Transaction Information for Management of Enforcement (TIME) system.
Meanwhile, across the lake in Monona, Wis., another officer was gathering information in an attempt to solve a string of armed robberies in the area. When he checked the TIME system, he immediately saw the new information entered from the traffic stop in Madison. And with that in hand, he was able to make an arrest.
Digging Up Data
When Dane County officers pull over a motorist, they check the driver’s license and registration to see what else they can learn about the person. They follow these four steps to access the data:
- An officer pulls over a motorist and requests license and registration.
- Back in the squad car, the officer logs into a Citrix XenApp-based web portal. From there, they access databases containing information from a variety of local police department databases, the TIME system and Dane County’s criminal history system, which includes digital pictures, background information, mug shots and electronic fingerprints of suspected criminals.
- The officer receives a series of hits from the search and, if necessary, clicks on them for more information. Because all information is entered and accessed in real time, the system ensures officers have the right data to make the right decisions.
- After ticketing the motorist, the officer then enters any new information directly into the system.
Information Abundance
The Dane County Regional Records Project provides access to the following information sources and databases:
TIME
- Wisconsin Crime Information Bureau, Wisconsin Department of Transportation (DOT)
- The National Crime Information Center (NCIC)
- National Law Enforcement Telecommunications System (NLETS) data
The Wisconsin Sex Offender Apprehension and Felony Enforcement (SAFE) Unit
The Wisconsin Department of Justice
The Dane County Narcotics and Gang Task Force (DC NAG)
The Dane County Sheriff n Emergency medical and fire department personnel
Lessons Learned
Nelson Martinez Jr., systems support manager for the city of Miami Beach, offers advice to agencies looking to implement single sign-on.
Test thrice. “Every environment is different, so you have to test, test and test again,” Martinez says. “SSO is an infrastructure product that’s critical, so it can either help you or kill you.”
Don’t skimp on biometrics. “You can buy a fingerprint reader for $20, but our readers cost us about $130 or $140 apiece,” Martinez says. “But it’s money well spent. I’ve used it on a daily basis for years, and it hasn’t broken.”
Avoid Windows. A main problem with many SSO solutions is they represent a single point of entry for hackers. Martinez specifically avoided any Windows-based SSO solutions because that operating system is a favorite target of hackers.
Go for redundancy. Similarly, Martinez went with Imprivata because it could be configured in a clustered setup. “I bought three devices, two that are basically clustered, so that if one were to fail, the other will back it up, and my third is for business continuity and disaster recovery,” he says.