DataRails utilizes OneLogin Access, which extends the reach of the OneLogin Unified Access Management Platform to applications hosted on-premises, at remote data centers or in private clouds. OneLogin Access allows companies to simplify access administration, reduce IT costs, improve security and optimize the user experience.
Administrative staff manage solution configuration and application access policies through the OneLogin administration user interface and APIs, the same ones used for cloud applications. This eliminates the dependency on aging access management tools that are complex to operate, expensive to maintain and incapable of addressing access needs across both cloud and on-premises environments.
Access to commercial, open source and custom customer-managed applications, regardless of their worldwide locations, is provided to users from a unified cloud portal.
End users, including employees, partners and customers, sign in once through a Single Sign-On portal and reach both SaaS and web applications from any device and any location. OneLogin strengthens security and protects accounts through adaptive authentication, which responds to anomalous activity by stepping up to Multi-Factor Authentication.
How OneLogin Access Works
OneLogin’s cloud-based Unified Access Management Platform is the central point of management for all directories, users and policies for authentication and authorization across the organization.
As such, the Unified Access Management Platform serves as the configuration, policy management and policy distribution point for applications managed and secured with OneLogin Access. Configuration and policy are distributed from the cloud-based OneLogin platform to Enforcement Points, which are local gatekeepers (e.g. deployed on servers on-premises) to customer managed applications.
Enforcement Points are lightweight OneLogin Access software components, available for download and deployment as modern packages such as Docker containers. They are downloaded from OneLogin and installed on the local network where the applications reside. An Enforcement Point is either of type Gateway, which includes an HTTP reverse proxy placed in front of the application, or of type Agent, which integrates directly with customer web servers such as Apache, IIS and Java EE.
Using the combination of Enforcement Points and a cloud-based administration point, OneLogin Access connects your web applications with the Unified Access Management Platform in two critical ways: First, OneLogin Access automatically provisions application-custom access policies to otherwise manually or disparately managed applications where the policies need to be enforced locally. Second, it standardizes and modernizes the user’s authentication and authorization flow, such that it is the exact same Single Sign-On experience for all corporate applications, whether on-premises or in the cloud. It leverages the same role-based access control policies, as well as advanced controls such as multi-factor authentication and security events.
Each instance of an Enforcement Point is uniquely identified at OneLogin. Enforcement Points self-register at startup and automatically retrieve configuration, policy and software updates from OneLogin over secure, firewall-friendly connections.
Enforcement Points control access based on the cloud-managed policies. A request without a valid session is redirected to OneLogin for sign-in via SAML. The Enforcement Point then handles the authentication response (the SAML response) returned by OneLogin, creates a local application session with both a fixed (absolute) lifetime and an inactivity timeout, and forwards the authenticated identity to the application in HTTP headers, which is how legacy applications such as Oracle E-Business Suite are signed in.
This also enables organizations to replace legacy solutions such as CA SiteMinder® and Oracle Access Manager by reproducing and automating their underlying mechanism, for example populating the user-identity HTTP header that SiteMinder calls SM_USER. As with any header-based identity scheme, the application must accept that header only from the Enforcement Point: the Enforcement Point has to strip any identity header supplied by the client before forwarding the request, and network paths that bypass the Enforcement Point must be blocked.
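The request-handling loop described above, as an added illustration (this is not OneLogin's code and does not represent how OneLogin Access is implemented): a toy Enforcement Point that redirects unauthenticated requests to the identity provider, creates a session from the NameID of an already-validated SAML response, enforces both the absolute and the inactivity timeout, and forwards the identity in SM_USER while dropping any identity header the client tried to supply. Timeout values, header names, the cookie name and the IdP URL are assumptions for illustration; SAML signature, audience and condition validation is out of scope here and assumed to happen before `create_session` is called.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumed policy values for illustration; a real deployment takes them from cloud policy.
ABSOLUTE_TIMEOUT_S = 8 * 60 * 60   # fixed session lifetime, activity does not extend it
IDLE_TIMEOUT_S = 15 * 60           # inactivity timeout, extended by each request
IDENTITY_HEADER = "SM_USER"        # header the legacy app reads (SiteMinder convention)
# Identity headers that must never be trusted when they arrive from the client side.
CLIENT_SUPPLIED_IDENTITY = {"sm_user", "x-remote-user"}
# Assumed IdP login endpoint; a real one is the SAML SSO URL of the application at OneLogin.
IDP_LOGIN_URL = "https://example.onelogin.com/trust/saml2/http-post/sso/assumed-app-id"


@dataclass
class Session:
    user: str          # NameID taken from the validated SAML response
    created_at: float  # epoch seconds; drives the absolute timeout
    last_seen: float   # epoch seconds; drives the inactivity timeout


class EnforcementPoint:
    """Toy gateway: session store plus per-request decision (redirect or forward)."""

    def __init__(self, absolute_timeout: float = ABSOLUTE_TIMEOUT_S,
                 idle_timeout: float = IDLE_TIMEOUT_S) -> None:
        self.absolute_timeout = absolute_timeout
        self.idle_timeout = idle_timeout
        self._sessions: Dict[str, Session] = {}

    def create_session(self, name_id: str, now: float) -> str:
        """Create a local session after the SAML response has been validated.
        Returns an opaque, unguessable session id to be set in the session cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=name_id, created_at=now, last_seen=now)
        return sid

    def lookup(self, sid: Optional[str], now: float) -> Optional[Session]:
        """Return the session if both timeouts still hold; evict it otherwise."""
        session = self._sessions.get(sid) if sid else None
        if session is None:
            return None
        if (now - session.created_at > self.absolute_timeout
                or now - session.last_seen > self.idle_timeout):
            del self._sessions[sid]
            return None
        session.last_seen = now  # activity extends only the idle window
        return session

    def handle(self, headers: Dict[str, str], sid: Optional[str],
               now: float) -> Tuple[str, Dict[str, str]]:
        """Decide a request: ('redirect', {'Location': idp}) when no valid session
        exists, otherwise ('forward', upstream_headers) with the identity asserted
        by the gateway and any client-supplied identity header removed."""
        session = self.lookup(sid, now)
        if session is None:
            return "redirect", {"Location": IDP_LOGIN_URL}
        upstream = {k: v for k, v in headers.items()
                    if k.lower() not in CLIENT_SUPPLIED_IDENTITY}
        upstream[IDENTITY_HEADER] = session.user
        return "forward", upstream


if __name__ == "__main__":
    ep = EnforcementPoint(absolute_timeout=100, idle_timeout=10)
    print(ep.handle({"Host": "erp.internal"}, None, 1000.0))          # redirect to IdP
    sid = ep.create_session("alice@example.com", 1000.0)             # after SAML sign-in
    # Constructed request in which the client tries to smuggle its own SM_USER.
    print(ep.handle({"Host": "erp.internal", "SM_USER": "admin"}, sid, 1005.0))
    print(ep.handle({"Host": "erp.internal"}, sid, 1020.0))          # idle timeout hit
```

Two details are worth copying into any real gateway configuration: the header filter is case-insensitive, because HTTP header names are, and the absolute timeout is checked against `created_at`, so a client that keeps sending requests cannot extend a session indefinitely.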
Access for IT Practitioners
- Eliminate legacy Access Management tools that are complex to operate and incapable of supporting SaaS apps
- Manage access for all your apps from a centralized platform with a single user interface
- Modernize Access Management for legacy apps with features including Federation, Single Sign-On (SSO), and Adaptive Authentication
Access for IT Executives
- Migrate off of expensive and labor-intensive legacy Access Management tools
- Increase security with a single portal for employees, partners, and even customers to access their apps
- Consolidate Access Management vendors and gain operational efficiency
Access for Everyone
- Access all apps through a single secure portal from anywhere on any device
- Eliminate the need to recall dozens of passwords
- Make security easy with Adaptive Authentication for dynamic, risk-appropriate Multi-Factor Authentication
High-level architecture of OneLogin Access, which provides user session information and access control services to applications hosted on premises, at data centers and in private clouds.
OneLogin and HIPAA Compliance
OneLogin does not store any electronic protected health information (ePHI), so it does not significantly alter your current or planned HIPAA controls. However, OneLogin can augment your HIPAA compliance efforts by providing your IT system administrators with additional functionality that can be leveraged to support the alignment of your IT control environment with HIPAA requirements. In addition, it is important to note that companies subject to HIPAA should include OneLogin as part of their risk assessment performed in response to HIPAA Security reference §164.308(a)(1)(ii)(A).
Access Management [HIPAA Security references §164.308(a)(1)(ii)(B), §164.308(a)(3)(i), §164.308(a)(3)(ii)(A), §164.308(a)(3)(ii)(C), §164.308(a)(4)(ii)(B), §164.308(a)(4)(ii)(C), §164.312(a)(1)]
Granting and removing access to applications can be done either through the OneLogin portal or, if you set up directory integration, through your existing LDAP directory. By establishing or mapping your existing roles and groups to OneLogin, you can quickly grant, modify or remove access based on role-based privileges that are as granular as you need them to be. With real-time LDAP to OneLogin updates, changes you make in your local directory are immediately pushed to OneLogin, so you neither maintain several separate access lists nor wait for a batch job to run and complete.
Segregation of Duties [HIPAA Security references §164.308(a)(3)(i)]
Roles and groups in OneLogin also help you plan your segregation of duties strategy by allowing you to map out predefined access levels and document any authorized exceptions based on your own organizational structure and resource pool.
Authentication [HIPAA Security references §164.308(a)(5)(ii)(D), §164.312(a)(2)(iii), §164.312(d)]
Not all applications support the same, or sufficiently robust, password requirements. This forces you to keep track of the various password requirements and, in extreme cases, to explain to your auditors how you compensate for weak ones. OneLogin lets you centrally manage one or more password policies and adds a multi-factor authentication option, so you can build a more robust authentication scheme for remote users or for users of high-risk applications, including session timeouts as needed.
OneLogin and SOX Compliance
OneLogin supports your Sarbanes-Oxley compliance efforts by providing your IT system administrators the functionality needed to centrally manage some of the most deficiency-prone IT control areas.
Access Management
Granting and removing access to applications can be done either through the OneLogin portal or, if you set up directory integration, through your existing LDAP directory. By establishing or mapping your existing roles and groups to OneLogin, you can quickly grant, modify or remove access based on role-based privileges that are as granular as you want them to be. With real-time LDAP to OneLogin updates, changes you make in your local directory are immediately pushed to OneLogin, so you neither maintain several separate access lists nor wait for a batch job to start and complete.
Segregation of Duties
Roles and groups in OneLogin also help you plan your segregation of duties strategy by allowing you to map out predefined access levels and document any authorized exceptions based on your own organizational structure and resource pool. In addition, OneLogin keeps a login audit trail, so an authorized exception such as a developer being granted temporary access to the ERP for troubleshooting can be correlated with the request that justified it and the time the developer actually signed in.
Authentication
Not all applications support the same, or sufficiently robust, password requirements. This forces you to keep track of the various password requirements and, in extreme cases, to explain to your auditors how you compensate for weak ones. OneLogin lets you centrally manage one or more password policies and adds a multi-factor authentication option, so you can build a more robust authentication scheme for remote users or for users of higher-risk applications.
Monitoring
Preventive controls alone are not enough: detective controls let you compensate for any exceptions in how the preventive controls performed, and for higher-risk applications monitoring controls have become a de facto requirement. OneLogin provides various reports that let you monitor, continuously or periodically, what your users are doing in the OneLogin portal and, by extension, in the applications it manages.
Audit Evidence
Your auditors will request a lot of documentation, including several access control lists and evidence that access was granted appropriately for the systems in scope. If OneLogin is your central point of access management and authentication, you can produce that evidence from one place instead of chasing down several access lists or trying to prove that a list of new users is complete and accurate, which greatly reduces the effort and documentation a SOX audit requires.