Deploying SSO and biometrics in the race to put out fires
Tayside Fire and Rescue (TFR) is one of eight fire and rescue services operating in Scotland. Based in the northeast of the country, it serves more than 400,000 people in the cities of Dundee and Perth and in the surrounding rural areas. In total, TFR receives around 15,000 fire-and-rescue related calls per year, mainly through the 999 emergency system, resulting in fire-fighters responding to more than 8,000 incidents in the year ending 31st March 2005, spread over an area of 7,500 square miles.
To cover such a wide area, TFR needs to employ many staff and currently has around 800 personnel, of which around 730 are operational fire-fighters. Fire-fighters located around the two major cities of Dundee and Perth are primarily employed full time, working in shifts to provide coverage 365 days per year. But in the more rural areas, many of the fire-fighters are retained staff, who carry pagers to alert them to incidents. In the most remote areas, volunteer staff provide coverage.
The problem
In line with the targets set by the UK government and Scottish Executive for electronic services delivery, all personnel must have access to computer technology, including e-mail and the internet. This has seen the usage of communications technology increase substantially over the past couple of years, with the number of technology users increasing from less than 60 to more than 800 persons in that period. Not only this, but personnel now need access to as many as ten separate applications, ranging from online training applications to programs that allow officers to analyse risk profiles in the areas where they are stationed.
As technology usage has increased, there has been a massive increase in issues related to user management, with password management becoming a headache. According to Gary Bellfield, ICT Manager at TFR, dealing with password resets was threatening to take six months of one of his IT administrator’s time—and, including Bellfield himself, TFR only has three members of staff in the IT team.
As the use of technology had grown, TFR had put in place VPN technology and was using electronic security tokens for authenticating users accessing the system. But the system was proving to be very expensive to run, costing £20,000 to £30,000 per year (6,000 to 4,000). An obvious strategy would have been to hire extra IT resources, but this is not possible as the resource numbers are controlled by the government. This meant that Bellfield had to find a way of working smarter, alleviating difficulties before they happen.
The solution
Bellfield and his team began looking at what solutions were available on the market, based on the requirement that any technology selected had to be non-intrusive in terms of the other technology used by TFR, and must also integrate with its existing token strategy.
TFR decided to implement single sign-on (SSO) technology for managing identities of staff and controlling access to its technology applications. To get around the pressing password management problems that it was facing, it decided to mandate the use of strong authentication with this SSO technology for securely authenticating users, settling on fingerprint biometrics as the most efficient way for users to securely log on.
Its evaluation long-list was quickly whittled down to three vendors, which were then subjected to a more in-depth evaluation. Of these, Imprivata, a vendor of enterprise SSO technology, was shown to score more highly on all points of the evaluation than the other two vendors. The fact that its solution is appliance-based is particularly attractive for a company with no IT development team as well as the fact that it was non-intrusive, requiring no building of interfaces to backend technology.
The decision to license Imprivata’s technology resulted in TFR undertaking a three-month pilot of the solution. To set up this pilot, three days of engineering time were required in total. Initial installation of Imprivata’s appliances—which ship in pairs for failover purposes—took only around 15 minutes. The rest of the setup time involved learning how to use Imprivata’s profile generator, which eliminates the task of writing login scripts or building connectors for each application in order to enable SSO. According to Bellfield, this is one of the key features of Imprivata’s technology. Developing a profile manually for each application would take weeks, which is just not feasible, and versioning changes to applications would further require that all profiles be recreated when an update is made available. Using Imprivata, this chore is eliminated.
However, not all went smoothly in the pilot as TFR was using version 2.6 of Imprivata’s technology—and there were problems encountered. One of the main problems was that TFR’s technology infrastructure is an environment based on Citrix. Adding the 2.6 version of the SSO technology to this environment proved to be heavy in terms of the system resources required, causing all users to see a slowdown which resulted in an unacceptable delay when logging in and out of the system.
But Bellfield states that Imprivata pulled out all the stops to provide answers to all the issues that TFR were facing—and, indeed, addressed every issue to the satisfaction of TFR. This involved a great deal of hands-on effort from Imprivata’s resources in both the US and the UK, including conversations late into many an evening. For this, Bellfield and his team are very grateful as the nature of TFR’s work means that the ability to quickly authenticate users and grant them access to the applications that they need is mission critical. Technology must aid fire-fighters in being able to get to incidents as quickly as possible as any delay could increase the chance of loss of life occurring.
Although problems were encountered during the pilot, Imprivata’s efforts to resolve issues raised, which it incorporated in version 2.8 of its technology, led to TFR electing to purchase the SSO devices and deploy the system throughout the organisation. According to Bellfield, it took just half an hour to get the permanent solution up and running, including copying all the profiles that had been generated out of the evaluation appliance.
And the password problem has now been eliminated, freeing up half of the IT administrator’s time which can now be spent on more value-added tasks, including essential systems maintenance. Previously, when a password needed to be reset, a form had to be completed, printed out and sent back to the corporate station. For a full-time employee, this was taking a couple of days to achieve, but the process could take as long as two weeks for resetting passwords for retained or volunteer staff in remote locations. Now, staff can automatically request that a password be reset via a quick link on the login screen that prompts individuals to answer five questions. As long as they get the answers right, their password can be reset in as little as two minutes—a quality of service with which TFR is extremely happy.
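The self-service reset described above is a knowledge-based authentication flow: the user answers a fixed set of questions, and the reset proceeds only if all of them are right. The following is an added example of how such a flow is built defensively, written for this page rather than taken from the article or from Imprivata's product. The question texts, the user id `ff0001`, the five-question requirement, the three-attempt lockout and the PBKDF2 work factor are all assumptions chosen for illustration. Answers are stored only as salted hashes, compared in constant time, and checked all-or-nothing so a caller learns nothing about which individual answer was wrong.

```python
import hashlib
import hmac
import os
import unicodedata

# Assumed policy parameters (not stated by the article beyond "five questions").
QUESTIONS_REQUIRED = 5
MAX_ATTEMPTS = 3          # failed reset attempts before the account is locked
PBKDF2_ROUNDS = 100_000   # work factor for answer and password hashing


def normalise(answer: str) -> str:
    """Canonicalise an answer so 'Blackness  ROAD ' and 'blackness road' match.
    Normalising before hashing avoids storing plaintext just to tolerate typos."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def hash_secret(value: str, salt: bytes) -> bytes:
    """Salted, slow hash used for both enrolled answers and the new password."""
    return hashlib.pbkdf2_hmac("sha256", normalise(value).encode(), salt, PBKDF2_ROUNDS)


class ResetService:
    """Minimal self-service reset backend (stand-in for the directory/SSO appliance)."""

    def __init__(self) -> None:
        self._answers: dict[str, dict[str, tuple[bytes, bytes]]] = {}
        self._attempts: dict[str, int] = {}
        self._passwords: dict[str, tuple[bytes, bytes]] = {}

    def enrol(self, user: str, answers: dict[str, str]) -> None:
        if len(answers) < QUESTIONS_REQUIRED:
            raise ValueError(f"{QUESTIONS_REQUIRED} questions required")
        stored = {}
        for question, answer in answers.items():
            salt = os.urandom(16)              # per-answer salt, never reused
            stored[question] = (salt, hash_secret(answer, salt))
        self._answers[user] = stored
        self._attempts[user] = 0

    def is_locked(self, user: str) -> bool:
        return self._attempts.get(user, 0) >= MAX_ATTEMPTS

    def verify(self, user: str, supplied: dict[str, str]) -> bool:
        if user not in self._answers or self.is_locked(user):
            return False                       # unknown or locked: fail closed
        ok = True
        # Check every question; do not short-circuit on the first mismatch, so the
        # response time does not reveal which answer failed.
        for question, (salt, digest) in self._answers[user].items():
            candidate = hash_secret(supplied.get(question, ""), salt)
            ok &= hmac.compare_digest(candidate, digest)
        if ok:
            self._attempts[user] = 0
        else:
            self._attempts[user] = self._attempts.get(user, 0) + 1
        return ok

    def reset_password(self, user: str, supplied: dict[str, str], new_password: str) -> bool:
        """Set a new password only after all answers verify and the account is not locked."""
        if not self.verify(user, supplied):
            return False
        salt = os.urandom(16)
        self._passwords[user] = (salt, hash_secret(new_password, salt))
        return True


# Constructed sample enrolment (illustrative values, not real TFR data).
SAMPLE_ANSWERS = {
    "First station posted to": "Blackness Road",
    "Make of first car": "Ford",
    "Primary school attended": "Kinnoull",
    "Mother's maiden name": "Robertson",
    "Favourite football club": "Dundee United",
}


def demo() -> tuple[bool, bool, bool, bool]:
    """Exercise the flow: correct answers, one wrong answer, then lockout."""
    svc = ResetService()
    svc.enrol("ff0001", SAMPLE_ANSWERS)
    right = svc.reset_password("ff0001", SAMPLE_ANSWERS, "new-pass-1")
    wrong = dict(SAMPLE_ANSWERS, **{"Make of first car": "Vauxhall"})
    one_wrong = svc.reset_password("ff0001", wrong, "new-pass-2")
    for _ in range(MAX_ATTEMPTS):
        svc.verify("ff0001", wrong)
    # Even the correct answers are refused once the attempt limit is reached.
    locked_correct = svc.reset_password("ff0001", SAMPLE_ANSWERS, "new-pass-3")
    return right, one_wrong, locked_correct, svc.is_locked("ff0001")
```

In a real deployment the attempt counter and lockout would live in the directory or the SSO appliance and be unlocked by the help desk, and the reset would be logged as a security event; the structure of the check (hash, constant-time compare, all-or-nothing, fail closed) is what matters for the two-minute self-service reset to be safe as well as fast.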
As part of its SSO implementation, TFR had always been intending to roll out fingerprint biometric identification for stronger levels of authentication and to provide the fastest possible access to resources. The fact that Imprivata’s technology supports biometric authentication had been another reason for choosing to license its technology. One of the main reasons for this is that TFR has only around 200 computational devices, spread out across 24 locations. In a shared workstation environment, people need to be able to log in and log out of applications quickly—and basing access rights on fingerprint authentication is one of the fastest ways of achieving this. Many people feel that provision of biometrics technology is still too expensive—but Bellfield does not agree, stating that the readers cost just £50 (0) each, which is neither here nor there, in addition to a site licence for all 800 users, which is provided by one of Imprivata’s partners.
To date, the biometrics authentication systems have been rolled out only at stations where fire-fighters are full-time staff, but this will be extended to all retained fire-fighters by end-2005. This means that around 400 fire-fighters are currently using the system and only two problems have been encountered so far. The first involved the decision to use the index fingers of both the left and right hand to provide computer access, but the sixth person to enrol their fingerprints had lost the index finger on their right hand. Because of this, the policy was changed to enrolling all ten fingers for users, which TFR found added just a few seconds to the enrolment process.
The second problem involved a very senior officer, whose fingerprints have very little profile, meaning that the system was not able to authenticate him. This was something even Imprivata had never come across before, but they worked hard to find a solution to the problem as fast as possible. They found that the problem was due to the officer pressing his finger too hard on the reader, causing the profile to be obliterated. Imprivata was able to write an application that solved the problem by recording pictures of fingers, and the problem is now solved. Apart from that, there have been no further problems with false acceptances or false rejections.
According to Bellfield, deploying Imprivata’s technology in combination with fingerprint biometrics has been a major bonus for TFR’s operations and has been positively received by all the fire and rescue personnel as well. He states that the system has paid for itself within the first six months of deployment and that they are seeing the benefits on an everyday basis.
Going forward, the ability to efficiently and securely identify users will allow TFR to deploy technology to automate further areas of its operations as Imprivata’s technology has removed the barrier of managing identities, which is essential in isolating which users can do what and when. One further area in which it is investing is an asset management system, enabling staff to simply order equipment and uniforms online when required. This requires a culture change at TFR, but is popular among staff as they have to deal with significantly less paperwork than previously.
In the longer term, sorting out identity authentication will enable TFR to better comply with national projects that are being developed. One of these is the FireLink programme being developed by the UK government to replace mobile communications technology with a fully digitised system by 2009. As well as voice communications, there are also data elements involved in the project. The ability to prove who has access to what through strong authentication will be a key part of achieving compliance with this development.