How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully
Table of Contents Introduction 1 The Methodology 1 Project Management 2 Project Phases 2 Certification Training 2 Application Readiness 3 Enablement 3 End-User Testing 4 Full Deployment 5 Post Deployment 5 Customer Practices 5 We Can Help You 6
How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully 1 Introduction Implementing the Imprivata OneSign solution is essential to improving workflow efficiency, reducing helpdesk costs and simplifying password management for end-users. Deciding to implement the solution is easy, however, proper implementation directly impacts how well the solution is embraced and adopted by end users. The level of success for an implementation is dependent on the level of planning involved. Imprivata OneSign is an enterprise class software solution that will require tight integration with your corporate infrastructure. Planning and understanding all the necessary work related to an Imprivata OneSign implementation is imperative. Taking full advantage of all Imprivata OneSign has to offer can only be done with the appropriate amount of training, attention to the detailed tasks during installation and configuration, understanding common risk areas, and having a solid understanding of the impact the new solution will have on end user workflows. Consider this: While the solution is simple and non intrusive to the end user, Imprivata OneSign significantly and positively changes how the end user interacts with their workstations and applications. Imprivata OneSign will improve how end-users interact with their workstation and applications, therefore, it is critical that you bring them through the process and assist them with the transition so they understand the changes they will see and adopt the solution. If you are planning on implementing a large number of applications and workflows, it is highly recommended that you start with 3-5 applications and workflows to ensure that they are properly tested. In our experience, focusing on a small pilot group is critical for the following reasons: Smaller changes in the end-user workflows are more easily tolerated Giving end-users a few applications to start with shows them how the solution can improve the speed and overall end-user experience and gets you an early win in the project Triage of any issues found will be easier as you work with a smaller group to define and troubleshoot the problem Early successes make user-adoption easier Imprivata has developed an Implementation Methodology and set of best practices that leverage its extensive experience implementing Imprivata OneSign across various environments for its customers. This guide is designed to provide an overview of the key phases of a successful implementation as well as to provide an overview of the framework and disciplines required to achieve it. The Methodology Imprivata s delivery methodology focuses around six (6) key process/task phases. Each phase constitutes its own set of detailed tasks, but the overall process revolves mostly around a waterfall based delivery process. Basic project management and milestone tracking is incorporated into each phase, and it should be closely watched to ensure adherence to project schedules and requirements. Training Application Readiness Enablement End-User Testing Full Deployment Post Deployment Within each phase, a discrete set of tasks focuses the Imprivata Technical Service Group s (ITSG) efforts on specific work items for that phase. Key success criteria within each phase determine when the phases are completed, and work can continue to the next phase. Within each phase, it is critical to address each work item, to ensure a holistic approach to delivering the phase and not leaving an area unaddressed. 2010 2010 Imprivata, Inc. Inc.
How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully 2 Key principles that should be followed in each phase are: Understanding the key success criteria of the phase Identifying the resources that will perform each task within the phase Setting delivery dates for key tasks and identifying checkpoints along the way Documenting key information required within the phase Communication, both to your end users and stakeholders Project Management In addition to the phases of the project, it is standard practice for each of our deployments to include a Project Manager (PM). While many customers have their own PM to manage the implementation, an Imprivata PM will be there to assist in the following areas: Setting up a kickoff call with the appropriate resources Coordination of resources onsite and offsite Be a point person for items raised in between the various phases when the Implementation Engineer is working with other customers Ensure that the various milestones are being met Move forward any issues that may need to be resolved before the next point in the engagement Project Phases Each project phases contains a discrete set of work items that should be completed to adhere to best practices developed by Imprivata and to implement Imprivata OneSign. The graphic below illustrates the basic flow of an Imprivata OneSign project through each phase. Repeat with additional applications and workflows Training Application Readiness Enablement End-User Testing Deployment Post Deployment Imprivata s methodology has been developed to allow you to implement, test and deploy a number of applications and workflows with the first agent rollout and then repeat the process with additional applications and workflows. The duration of each phase can vary, but on average, an Imprivata OneSign product implementation can be accomplished in 6-8 weeks (depending on the size of the deployment), or take as long as 3 6 months if your organization has many end users. The detail on each phase that follows provides an overview of the work required within each phase and the best practice recommendations to ensure its success. Certification Training While all of our phases include a training overview, it is critical that administrators complete the certification training course that Imprivata offers. Course completion ensures that administrators acquire deep knowledge of the product enabling your organization to efficiently maximize the value from your implementation. The more knowledgeable your staff is, the more self-sufficient your organization will be in supporting your end users and quickly resolving any issues that may arise. 2009 Imprivata
3 How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully The Imprivata OneSign Certification Course is our premier training course which is offered in a classroom environment with practice sessions and problem solving exercises. Upon successful completion of this course, the participants will become Imprivata certified in Imprivata OneSign, also known as an Imprivata Certified Engineer (ICE). Material covered during this course includes topics such as: The Imprivata OneSign appliance interface The Imprivata OneSign administrator interface Integration with physical access systems Strong authentication device setup and configuration Application profiling concepts Advanced use of the Application Profile Generator Testing operations and saving Deploying application profiles Advanced deployment Advanced APG techniques Advanced troubleshooting Additionally, workshops are held throughout the course to ensure that you are able to apply what you are learning. This course is held in various locations and times throughout the year. Information on the course and course schedule can be found on our website. Application Readiness The primary objective of the Application Readiness phase is to review the technical details of the customer environment, including application and authentication workflows, understanding the project s timelines and understanding the success criteria you are seeking to achieve. Topic areas for discussion during this phase typically involve a deep level review of the applications that will be enabled, network topology, operating environment, and security policies. Proactive project management Participating in a kick off call (Imprivata assisted projects) Review of the scope of engagement; users, applications, authentication modalities, physical/logical, etc. Identifying key stakeholders within your organization (to provide updates as well as escalate issues to) Completion of the Implementation Pre trip Checklist (for Imprivata assisted projects) Completion of the Application Sign Off Sheet (for Imprivata assisted projects) Identifying key project team members Documenting strong authentication methods included in project Schedule onsite visits and confirm logistics (for Imprivata assisted projects) Building of agent deployment package End user workflows should be documented and reviewed in order to understand how to apply them to Imprivata OneSign. It is critical that you consider how your end users use their systems today and how the implementation will impact them. How will end-users complete their work post implementation? Enablement In this phase, the appliances are installed and configured. A majority of the time is spent profiling applications for Single Sign-On (SSO) and configuring end-user workflows. We recommend that you initially profile three-five applications and workflows to ensure a successful initial rollout. Once the initial rollout is complete, adding additional applications is easy because the end-users are familiar with how Imprivata OneSign interacts with applications. We do recommend that the initial pilot group
How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully 4 is not the IT department as they often do not use the same applications in the same manner as the enduser. While this is useful to include, it should not be used as a substitute for true end-user testing. This phase consists of four primary bundles of work items: Appliance Setup & Configuration Application profiling Workflow configurationn (Security policies, authentication types) Preparation for End-User Testing phase One of the more important parts of this phase is defining the group that will be participating in the End- User Testing phase. It is important to select a cross-functional group that represents the users from the application and authentication workflows that will be in use once the product is fully deployed. Typical work items/activities during Enablement should include: Proactive project management Appliance network installation Initial appliance setup and configuration Application profiling and enablement Creating and managing security policies as required Importing and managing users & Imprivata OneSign domains Setup and configuration of any included strong authentication or physical access system integration Disaster recovery planning Review of reporting requirements End user workflow definition Preparation for end user enablement, including definition of the initial group that will be participating in the End-User Testing phase. End-User Testing Every successful enterprise solution requires extensive testing from the implementation team and from a cross section of the end-user community. Imprivata best practices recommend a two-week testing phase with a cross-functional representation of end users that will be using the system in production. This phase is intended to certify that the Imprivata OneSign configuration is ready for enterprise wide deployment. End-user shadowing also plays a key role, as it helps triage issues quickly and assists with end-user training. The most challenging part of any software project is the adoption period. Setting the stage correctly for your end users and ensuring a positive experience should be the primary objective of any roll out. This is where the rubber meets the road. Typical work items/activities during End-User Testing should include: Proactive project management Communication to pilot group regarding installation and workflow changes Enrollment and training workstations tested Extensive Imprivata OneSign testing by the defined end-user group Shadowing of end-users including walking around assistance with the product functionality Quick triage of issues discovered to ensure a positive view of the Imprivata OneSign product. Verification of success criteria being met Ensure solution meets needs to key user groups Review of agent types and determining appropriate deployment method End user workstation testing Application workflow testing Strong authentication and/or physical access integration testing Collection of feedback from pilot group Document final workflows
5 How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully Full Deployment The Full Deployment phase begins once the implementation team agrees that the End-User Testing phase is complete and the solution is ready for enterprise wide deployment. This is a critical phase of the project as it is difficult to obtain user adoption if their initial experience is less than ideal. It is imperative that the solution has been successfully tested, identified risks mitigated and confidence that the solution is ready for enterprise-wide deployment. Typical work items/activities during End User Deployment should include: Proactive project management Finalize and distribute end user communication plan Agent deployment package adjustments if needed Strong authentication device installation and setup across enterprise End-user enrollment and product usage training Enterprise wide agent installation and deployment, up to and/or including walking around assistance with the enrollment of end users to ensure success Refresher helpdesk overview training if required Careful management of identified end user issues At conclusion, verify project success criteria and ensure all identified issues are resolved post deployment Full deployment of the product is critical for long term success, however, your organization s infrastructure is constantly undergoing changes that need to be evaluated for integration with the product. Examples of environment changes include implementing disk encryption, purchasing new laptops or upgrading applications. It is critical that your organization realizes how such changes will impact Imprivata OneSign. Lack of integration can put your organization at risk and negatively affect the end-user community if integration is not considered and implemented. Upgrading applications that are enabled for Single Sign-On Changes in desktop or laptop hardware Adding in additional software packages such as disk encryption or wireless security Implementations of Citrix, Terminal Services, VDI By thinking about how these changes will need to be integrated with Imprivata OneSign, you will be able to avoid potential situations that can greatly affect the end-user community. Customer Practices While the initial deployment of the product is critical for long term success, it is important to understand the role that Imprivata OneSign will play in your environment once it has been installed. Your infrastructure is constantly undergoing changes. Whether it be implementing disk encryption, purchasing new laptops or upgrading one of your applications, not thinking about how those changes impact Imprivata OneSign can put you at risk. Below is a list of examples of changes that can be made within a customer infrastructure that can have a negative impact on the Imprivata OneSign deployment and your IT group if the changes are not planned with Imprivata OneSign in mind. Executive Sponsorship It is critical that the Imprivata OneSign project is sponsored by a key executive within your organization to ensure the success of the project. Executive sponsorship conveys the importance of the project and improve user-adoption. Plan The Details Think about and plan the applications you want to deploy and where you want to deploy them. Consider architecture or infrastructure challenges that could have an impact. Consider phases of the project, key constituents and the order in which to complete implementation. Consider 2009 Imprivata
How to Implement Imprivata OneSign Single Sign-On and Authentication Management Successfully 6 your end-users and the unique workflows in each department. Do this planning before you put a hand on a keyboard to begin the actual work. Put it in a project plan, and use the plan to manage the project. Set Priorities It is human nature to want to do everything at once. Consider what your priorities are. Ask yourself what can be in a second phase, and what must come first. Having thought through the must haves and the nice to haves ahead of prove useful when the time to adjust your course comes. Set Your Goals Decide what the ultimate goal of the solution is. Why are you doing this? Understand the problem you are solving, and be sure your goals directly address it. Be Realistic Regarding Your Resources Sometimes the issue isn t complexity of the project, but rather having the appropriate amount of resources available to actually complete the work. Whether it be project management, or setup and configuration work, be realistic about how much you can do, and by when. Seek assistance if needed to ensure your success. We Can Help You The Imprivata Technical Services Group can ensure the success you require from your Imprivata OneSign implementation. If you would like to discuss how we can help you make your implementation successful, contact your account manager or sales representative.
Offices In: Belgium Germany Italy Singapore UK USA Corporate Headquarters 10 Maguire Road Building 4 Lexington, MA 02421 1 877 ONESIGN 1 781 674 2700 www.imprivata.com MKT-WP-DSO-Ver1-02-2010