Resources

Frequently Asked Questions

  1. What is end-point identity and access management and why is it important?
  2. What is an enterprise end-point?
  3. What end-points does Encentuate support? Does it support remote users?
  4. What is an Encentuate Wallet? How does it represent your online identity?
  5. How is the Encentuate Wallet protected?
  6. What applications can Encentuate successfully single sign on to?
  7. Does Encentuate require scripting?
  8. What session management capabilities does Encentuate provide?
  9. What hardware tokens does Encentuate support for strong authentication?
  10. What is Encentuate iTag?
  11. What if I forget or lose my authentication factor or forget my Encentuate password?
  12. How difficult is it to deploy Encentuate? Are infrastructure changes required?
  13. Does Encentuate require directory replication or schema extension?
  14. How scalable is the Encentuate solution?
  15. What security standards does Encentuate adhere to?
  16. Does the Encentuate solution only work for healthcare?
  17. Does Encentuate support provisioning?
  18. Does Encentuate support context management?
  19. What is the ROI for Encentuate?
  20. What's unique about Encentuate?

1. What is end-point identity and access management and why is it important?

End-Point IAM refers to the provision of identity and access management capabilities at the enterprise end-points (PCs, PDAs, portals). User-centric functions such as enterprise single sign-on, strong authentication, access workflow automation, auditing and compliance move to the enterprise end-points and provide maximum benefits to the end-user.

An end-point identity and access management architecture leverages an intelligent user agent at the enterprise end-points to manage single sign-on, two-factor authentication and workflow automation. The end-point architecture offers several advantages over conventional server-centric architectures:

  • Improves productivity. By providing an intelligent user agent at the end point, the agent can simplify access, provide single sign-on and automate workflows to raise user productivity.

  • Simplifies integration. The agent at the end point interfaces with all the server side applications at the presentation layer, eliminating the need to modify the applications. Instead of one application extender per application, only a single user agent is required at each enterprise end-point. This provides flexibility and extensibility with minimal deployment risk or overhead.

2. What is an enterprise end-point?

An enterprise end-point refers to the edge of the corporate network; it is any access point where a user enters the corporate network. This could be a user's laptop, the desktop in their office, the Terminal Services server, the Citrix server or the web portal. In short, PCs, PDAs, and portals.

3. What end-points does Encentuate support? Does it support remote users?

Encentuate supports all major end-points including laptops, desktops, shared workstations, Terminal Services, Citrix and web portals.

Remote users may enjoy single sign-on through Citrix, Terminal Services or Web Workplace without the need to install any client on their machine. In particular, Web Workplace supports an entirely browser based approach.

4. What is an Encentuate Wallet? How does it represent your online identity?

The Encentuate Wallet is an identity wallet that stores a user's access credentials and security policies. Each user has an Encentuate Wallet that acts as his personal meta-directory. The Wallet roams to any point of access where an Encentuate AccessAgent is installed. The AccessAgent uses the information in the Wallet for single sign-on, for security enforcement, and for personalizing each session.

5. How is the Encentuate Wallet protected?

Wallets are encrypted using 128-bit AES and are further protected by an authentication factor. The authentication factor can be as simple as a password or a 2nd factor such as fingerprints, building access badges, iTag, smart cards, one-time passwords, or a combination thereof. Use of the Wallet is governed by a set of wallet security policies.

6. What applications can Encentuate successfully single sign on to?

Encentuate can single sign-on to all major application types including desktop applications, tele-type applications, mainframe applications, and web applications.

7. Does Encentuate require scripting?

Scripting is not required. The Encentuate AccessStudio Wizard can auto-generate the AccessProfile required to single sign-on to the applications.

8. What session management capabilities does Encentuate provide?

Encentuate Session Management provides fast user switching through one of the following capabilities:

  • Shared Desktop: Shared Desktops allow multiple users to share a generic Windows desktop.

  • Private Desktop: Private Desktops allow multiple users to have their own private Windows desktops in a workstation.

  • Roaming Desktop: Roaming Desktops allow users' Windows desktops to "roam" to the users' points of access, from workstation to workstation.

9. What hardware tokens does Encentuate support for strong authentication?

Encentuate provides a wide choice of authentication factors, ranging from strong passwords to building access badges (HID Prox, iClass, Indala), active RFID badges (Xyloc), smart labels and other sticker labels via Encentuate iTag, one-time password based authentication via cell phones or other tokens, biometrics, and USB and regular smart cards. To ensure flexibility in supporting new authentication factors, Encentuate also supports strong authentication standards such as OATH for one-time passwords, BioAPI for biometrics, PC/SC for smart cards, and PKCS #11 for hardware devices. A wide choice of authentication factors ensures that the needs of different user groups are met with a single integrated solution, not with multiple point solutions.

10. What is Encentuate iTag?

Encentuate iTag is a patent-pending technology that converts any photo badge or personal device into a proximity authentication device through the application of a smart label or other identification tag. It enables users and enterprises to use an existing device or badge as a 2nd factor without the need to provision or distribute new authentication factors. It also increases user convenience by leveraging what they already have.

11. What if I forget or lose my authentication factor or forget my Encentuate password?

Encentuate provides comprehensive loss management scenarios. Users may reset their Encentuate password through Encentuate AccessAssistant, a web-based password self-service portal. Encentuate also enables authorized users to bypass or reset their authentication factors through the issuance of an authorization code.

12. How difficult is it to deploy Encentuate? Are infrastructure changes required?

Encentuate is designed to work with minimal or no change to an enterprise's existing IT infrastructure. Encentuate does not require any change to the applications or the directory infrastructure. Because there is no change to the existing infrastructure, deployment may be done application by application and user group by user group, in an incremental, low-risk manner.

13. Does Encentuate require directory replication or schema extension?

Encentuate will work with any directory structure, and does not require any expensive directory consolidation project prior to deployment. It also does not require any directory schema extension or any replication of directory data.

14. How scalable is the Encentuate solution?

Encentuate leverages the compute power at the enterprise end-points to provide a loosely coupled distributed system managed by a centralized IMS Server. Each AccessAgent at each end-point can authenticate to a cached Encentuate Wallet and provide single sign-on to applications even when the IMS Server is unavailable. This effectively eliminates any single point of failure or performance bottlenecks. We have customers running tens of thousands of users on a single server.

In addition, Encentuate IMS Servers are stateless application servers that leverage the existing data-tier and directory infrastructure for user storage. This stateless n-tier architecture ensures that existing high availability and disaster recovery processes at the application and data tier can be re-used without any change. Enterprises may provide high availability by simply adding more IMS Servers.

Unlike hardware or appliance solutions, there is no pre-set user limit.

15. What security standards does Encentuate adhere to?

Encentuate is X.509v3 compliant, and supports RSA 1024 and 2048 key pairs for asymmetric encryption, 128-bit AES for symmetric encryption, and uses RC4/RC2/RC5, SHA-1, MD5/MD2/MD4 for hashing and signatures.

16. Does the Encentuate solution only work for healthcare?

Encentuate is designed to work with any enterprise. Encentuate Solution for Healthcare provides identity and access management for healthcare providers. However, Encentuate is not limited to healthcare. In fact, some of our largest installations are not healthcare enterprises. Encentuate has customers in healthcare, government, manufacturing, bio-tech, finance and in other industries.

17. Does Encentuate support provisioning?

Encentuate AccessProvisioning provides centralized provisioning of accounts. Encentuate supports 3rd party provisioning solutions to provide more advanced role-based provisioning capabilities. Encentuate also provides a Provisioning API to allow easy integration with home-grown provisioning systems and processes.

18. Does Encentuate support context management?

Yes. Encentuate supports context management for patient information aggregation and is compliant with the CCOW standard.

19. What is the ROI for Encentuate?

Encentuate's low-risk, incremental deployment capabilities bring faster returns. The table below illustrates:

  User Productivity         More than 85% reduction in time-to-information
  Security                  Improved identity assurance, 100% sign-off compliance
  Compliance Reporting      More than 75% reduction in audit tracking costs
  Helpdesk Cost Reduction   35 - 45% reduction in IT helpdesk costs

Encentuate simplifies, strengthens and tracks access at the enterprise end-points.

20. What's unique about Encentuate?

Encentuate has been acknowledged by the industry as a best-in-class solution. Encentuate won the Best Identity Management Solution, Best Single Sign-On, and Best 2-Factor Solution from SC Magazine.

Encentuate's end-point identity and access management (IAM) solution is a new approach; Encentuate extends IAM to the end-points while maintaining central administration. Our key differentiators are:

  • Comprehensive support of two-factor authentication devices, including: any personal device via Encentuate® iTag, building access badges, USB tokens, OTP, Active RFID, biometrics, smart-cards, and mobile phones

  • Extends ESSO to provide automation of access and security workflows - enhances user productivity and compliance.

  • Centralized management through a web-based interface with group-based policy-driven templates to enable easy management.

  • Distributed architecture with no single point of failure, ensuring high availability.

  • Widest coverage of end-points across: Windows, Citrix, Terminal Services, web/portals, thin-client devices, and PDA web access, ensuring a consistent access experience and tracking.

  • Leverages existing IT infrastructure without any modifications via end-point automation technology.


"I was very impressed with the speed with which we were able to roll this technology out."

Keith Ryan
Chief Information Officer
Stamford Hospital