Imprivata Network Communication
Imprivata supports a distributed architecture that can include multiple, geographically dispersed appliances clustered together for scalability, increased availability, and end-user roaming among multiple sites.
By clustering multiple appliances, your organization can scale your Imprivata solution to handle environments with hundreds of thousands of users. An Imprivata enterprise can be deployed across LANs and WANs at multiple locations. Clustered appliances synchronize information among themselves to support scalability and availability and provide shared services. Because appliances balance end-user loads among themselves, even simple deployments of two clustered appliances can see improved performance at peak periods.
In a multi-site enterprise, users can roam among sites and receive the same single sign-on (SSO) and authentication services throughout the enterprise. Building on Imprivata's computer policies, which augment and can override Imprivata's user policies, organizations can specify different SSO and strong authentication policies for different sites.
The distributed architecture also increases availability, business continuity, and disaster recovery capabilities. In a G3 (third generation) enterprise, G3 appliances in a cluster synchronize their databases so that if one appliance fails, the other appliances cover for it and handle its load. In a G4 (fourth generation) enterprise with two database appliances, only those two appliances have synchronized databases, eliminating replication traffic through all service appliances. However, if any appliance fails, the other appliances can still cover for it and handle its load. For more information on G3 and G4 appliances, see G3 and G4 Appliance Types.
If no appliances in a site are available, appliances in other sites can serve the failed site's users, provided the underlying network supports it. Configuration can designate specific failover sites.

Imprivata components communicate using standard HTTPS. All communication is over secured channels. Standard ports are used: port 443 for Imprivata agent communication, and port 81 for communication with the Imprivata Admin Console and the Imprivata Appliance Console.
All data is transferred over a TLS-secured channel using a combination of Imprivata’s patented Imprivata Secure Exchange (ISX) technology and 256-bit AES encryption. The following image represents the secure data transmission provided by ISX.
ISX does this through a combination of:
- TLS/HTTPS
- AES 256-bit encryption
- A unique key pair, recreated for each communication session
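Because the page states that every channel is TLS-protected and AES-256 encrypted on ports 443 (agents) and 81 (Admin Console and Appliance Console), a practitioner will want a way to confirm that an appliance actually negotiates such a channel. The following is an added example, not Imprivata code: `probe_tls` performs a real handshake against a host, and `evaluate_tls_session` is the pure policy check applied to the negotiated protocol and cipher. The TLS 1.2 minimum and the hostname are assumptions, not values from the page.

```python
"""Added example (not Imprivata's code): verify that an appliance endpoint
negotiates a TLS session consistent with the page's description (TLS
transport, AES-256 cipher). Policy thresholds and hostnames are assumptions."""
import socket
import ssl

# Ports named on the page: 443 for agent traffic, 81 for the consoles.
IMPRIVATA_PORTS = {443: "agent", 81: "admin/appliance console"}

MIN_PROTOCOL = "TLSv1.2"   # assumption: baseline this check enforces
_PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def evaluate_tls_session(protocol, cipher_name, secret_bits):
    """Return a list of findings; an empty list means the channel meets policy.

    The three arguments are what ssl.SSLSocket.version() and .cipher() report.
    Cipher names differ between TLS 1.2 ("...-AES256-GCM-...") and TLS 1.3
    ("TLS_AES_256_GCM_..."), so underscores are dropped before matching."""
    findings = []
    if _PROTOCOL_RANK.get(protocol, -1) < _PROTOCOL_RANK[MIN_PROTOCOL]:
        findings.append(f"protocol {protocol} is older than {MIN_PROTOCOL}")
    if "AES256" not in cipher_name.upper().replace("_", ""):
        findings.append(f"cipher {cipher_name} is not AES-256")
    if secret_bits < 256:
        findings.append(f"only {secret_bits}-bit symmetric key negotiated")
    return findings


def probe_tls(host, port, timeout=5.0):
    """Open a TLS connection and return (protocol, cipher_name, secret_bits).

    Certificate validation is left on: a validation failure is itself a
    finding worth surfacing, so the ssl.SSLError is allowed to propagate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _tls_version, bits = tls.cipher()
            return tls.version(), cipher_name, bits


def audit_appliance(host, ports=IMPRIVATA_PORTS):
    """Probe each expected port; return {port: [findings]}."""
    report = {}
    for port, role in ports.items():
        try:
            report[port] = evaluate_tls_session(*probe_tls(host, port))
        except (OSError, ssl.SSLError) as exc:
            report[port] = [f"{role} port unreachable or handshake failed: {exc}"]
    return report


if __name__ == "__main__":
    import sys
    # Hostname below is a placeholder; pass your appliance's FQDN as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "appliance.example.invalid"
    for port, findings in audit_appliance(target).items():
        print(port, "OK" if not findings else "; ".join(findings))
```

Run it from a host that is allowed to reach the appliance on both ports; a finding on port 81 but not 443 (or vice versa) usually points at a proxy or load balancer terminating one of the two paths with its own settings.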

Imprivata provides uninterrupted secure service across the enterprise without burdening the network with non-essential traffic.
Imprivata maintains full database replication across multiple sites for a G3 enterprise, or across two database appliances for a G4 enterprise. For a G4 enterprise, replication across multiple sites depends on how the database appliances are set up with respect to site assignments. Replicated data includes:
- User records
- User policies
- Computer policies
- Application SSO enrollment data
This enables users to go freely from one site to another in an enterprise with full Imprivata service in each site.
This figure shows database replication paths for a G3 enterprise:
In a G4 enterprise, only the two database appliances have synchronized databases, eliminating replication traffic through all service appliances. Every G4 enterprise should have two database appliances to ensure service continuity in the event one database appliance becomes unavailable. This figure shows the database replication paths for a G4 enterprise:

In a G3 enterprise, to reduce network traffic between sites, active user session data is replicated between appliances in a site, but it is not normally replicated across sites. This figure shows session replication for a G3 enterprise:
In a G4 enterprise, active user session data is replicated only between database appliances. This replication can occur within a site or across sites, depending on the placement of database appliances within sites. This figure shows session replication for a G4 enterprise:
Imprivata agents can be configured to fail over to Imprivata appliances in another site if all appliances in a site fail. For seamless failover, it may be better to have two appliances at each of two sites, rather than three appliances at one site and a single appliance at another site.

Audit data makes up by far the greatest amount of Imprivata information transmitted over the network. To balance network traffic with the needs of data redundancy, audit data is replicated only to designated audit appliances in a G3 enterprise, and only to database appliances in a G4 enterprise.
In a G3 enterprise, audit appliances hold audit records. Any G3 appliance can be designated as an audit appliance. Every Imprivata G3 enterprise should have at least two audit appliances to ensure audit continuity in the event one audit appliance becomes unavailable. Auditing creates network overhead, so one audit appliance per site is enough for most enterprise needs. This figure shows audit data collection for a G3 enterprise:
In a G4 enterprise, only the database appliances hold audit records. Every G4 enterprise should have two database appliances to ensure audit continuity in the event one database appliance becomes unavailable. This figure shows audit data collection and replication for a G4 enterprise:
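The database, session and audit replication rules above, together with the two-appliance guidance for failover, can be modelled as a small topology check. The following is an added example, not Imprivata code: it computes which appliance pairs replicate each data type in a G3 or G4 enterprise, separates the links that cross sites (the WAN traffic the page is concerned with), and flags the continuity gaps the page warns about (fewer than two G3 audit appliances, a G4 enterprise without exactly two database appliances, a site with a single appliance). Appliance names, sites and role assignments are constructed for illustration.

```python
"""Added example (not Imprivata's code): model the replication rules the
page states for G3 and G4 enterprises and flag continuity gaps.
All appliance names, sites and roles are constructed sample data."""
from itertools import combinations


class Appliance:
    def __init__(self, name, site, roles=()):
        # roles: "audit" (G3 audit appliance) or "database" (G4 database appliance);
        # an appliance with no role is a service appliance.
        self.name, self.site, self.roles = name, site, frozenset(roles)

    def __repr__(self):
        return self.name


# Constructed sample enterprises, two sites each.
G3_SAMPLE = [
    Appliance("bos-1", "Boston", {"audit"}), Appliance("bos-2", "Boston"),
    Appliance("chi-1", "Chicago", {"audit"}), Appliance("chi-2", "Chicago"),
]
G4_SAMPLE = [
    Appliance("bos-db", "Boston", {"database"}), Appliance("bos-svc", "Boston"),
    Appliance("chi-db", "Chicago", {"database"}), Appliance("chi-svc", "Chicago"),
]


def _pairs_with_role(appliances, role):
    """Unordered pairs in which at least one member carries `role`."""
    return {frozenset((a, b)) for a, b in combinations(appliances, 2)
            if role in a.roles or role in b.roles}


def replication_links(generation, appliances, data_type):
    """Set of unordered appliance pairs that replicate `data_type`
    ('database', 'session' or 'audit') in a 'G3' or 'G4' enterprise."""
    if generation == "G3":
        if data_type == "database":      # full replication, every appliance, every site
            return {frozenset(p) for p in combinations(appliances, 2)}
        if data_type == "session":       # replicated within a site only
            return {frozenset((a, b)) for a, b in combinations(appliances, 2)
                    if a.site == b.site}
        if data_type == "audit":         # only to designated audit appliances
            return _pairs_with_role(appliances, "audit")
    elif generation == "G4":
        db = [a for a in appliances if "database" in a.roles]
        if data_type in ("database", "session"):   # database appliances only
            return {frozenset(p) for p in combinations(db, 2)}
        if data_type == "audit":         # every appliance sends to database appliances
            return _pairs_with_role(appliances, "database")
    raise ValueError(f"unknown generation/data type: {generation}/{data_type}")


def cross_site(links):
    """Subset of links whose two ends sit in different sites (WAN traffic)."""
    return {link for link in links if len({a.site for a in link}) == 2}


def continuity_findings(generation, appliances):
    """Single points of failure the page warns about, as human-readable strings."""
    findings = []
    if generation == "G3":
        if sum("audit" in a.roles for a in appliances) < 2:
            findings.append("G3: fewer than two audit appliances")
    elif sum("database" in a.roles for a in appliances) != 2:
        findings.append("G4: enterprise should have exactly two database appliances")
    per_site = {}
    for a in appliances:
        per_site.setdefault(a.site, []).append(a)
    for site, members in per_site.items():
        if len(members) == 1:
            findings.append(f"site {site} has a single appliance; "
                            "any failure there forces cross-site failover")
    return findings


if __name__ == "__main__":
    for gen, fleet in (("G3", G3_SAMPLE), ("G4", G4_SAMPLE)):
        for kind in ("database", "session", "audit"):
            links = replication_links(gen, fleet, kind)
            print(f"{gen} {kind:8s} links={len(links):2d} cross-site={len(cross_site(links))}")
        print(gen, "findings:", continuity_findings(gen, fleet) or "none")
```

Comparing the two samples makes the page's point concrete: with four appliances across two sites, G3 database replication produces four cross-site links, whereas G4 produces one, between the two database appliances.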