Identity 360 - an Imprivata blog


Identity Management Trends in PCI Compliance Survey Findings

Posted by David Ting on Thu, Nov 13, 2008 @ 03:00 PM

The other week, we announced some findings from a survey conducted over the past couple of months to understand where authentication and access management rank in the eyes of those responsible for Payment Card Industry (PCI) Data Security Standard (DSS) compliance.  With the PCI Security Standards Council publishing PCI DSS 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance.

Here are a few stats to briefly call out:

  • Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant
  • Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months

Clearly, PCI DSS compliance still has a long way to go if more than 60 percent of respondents aren't yet compliant, but it looks like a clear priority over the next 12-18 months for most companies.  Of the 12 requirements that PCI DSS lays out across IT disciplines, many are tied to access and authentication technologies; after all, the goal is to control access to cardholder data. Deployments of single sign-on, strong authentication and physical-logical security integrations with specific ties to compliance are increasing or in the works for most respondents in the short term.

  • To control individual access to computing resources and cardholder information, of those that are now compliant, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies

Managing IDs is tough enough when one considers how many different systems employees at most companies interact with, so it is great to see that 74 percent of respondents have assigned a unique user ID to each employee.  A unique ID combined with strong authentication is critical to ensuring there is a link between a logon ID and an individual's true identity.  This matters not only for audit purposes, since a shared account cannot tell you who did what, but also because it acts as a deterrent.
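As an added illustration of why the unique-ID requirement matters for audit (this is example code written for this page, not part of the survey or of any Imprivata product): the check below parses a constructed logon log and flags IDs that either appear in no HR roster, so they cannot be linked to a person, or are used from several workstations within a few minutes, which is the footprint a shared departmental password leaves behind. The log format, the roster, the account names and the ten-minute window are all assumptions for the example.

```python
"""Audit check: do logon IDs actually map one-to-one to people?

Flags two symptoms of shared accounts in an authentication log:
  * IDs absent from the HR roster (no link to an individual), and
  * IDs with successful logons from several workstations inside a short
    window (one person is rarely at two keyboards at once).
The log format, roster and thresholds are constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, event name, then key=value pairs.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) LOGIN user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)

# Constructed HR roster: logon ID -> named individual.
ROSTER = {
    "jsmith": "Jane Smith",
    "rlee": "Robert Lee",
    "mpatel": "Meera Patel",
}

# Constructed sample log. "icu_nurse" is a departmental account that is not
# in the roster and is used from three workstations within five minutes.
SAMPLE_LOG = """\
2008-11-12T08:58:10 LOGIN user=jsmith host=WS-101 result=success
2008-11-12T08:59:02 LOGIN user=icu_nurse host=WS-204 result=success
2008-11-12T09:00:15 LOGIN user=icu_nurse host=WS-207 result=success
2008-11-12T09:01:40 LOGIN user=rlee host=WS-118 result=failure
2008-11-12T09:02:05 LOGIN user=rlee host=WS-118 result=success
2008-11-12T09:03:30 LOGIN user=icu_nurse host=WS-211 result=success
2008-11-12T09:20:00 LOGIN user=mpatel host=WS-130 result=success
2008-11-12T10:45:00 LOGIN user=mpatel host=WS-131 result=success
"""


def parse_log(text):
    """Yield (timestamp, user, host) for successful logons; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group("result") != "success":
            continue
        yield datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("host")


def unlinked_accounts(events, roster=ROSTER):
    """IDs that authenticated but are not tied to an individual in the roster."""
    return sorted({user for _, user, _ in events if user not in roster})


def concurrent_use(events, window=timedelta(minutes=10), min_hosts=2):
    """IDs seen on at least `min_hosts` distinct workstations within `window`.

    Returns {user: set_of_hosts} for each ID that trips the threshold. An ID
    used on two hosts hours apart (mpatel in the sample) is not flagged.
    """
    by_user = defaultdict(list)
    for ts, user, host in events:
        by_user[user].append((ts, host))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (ts, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - ts <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = hosts
                break
    return flagged


def audit(text, roster=ROSTER):
    """Run both checks over a log and return the findings as plain data."""
    events = list(parse_log(text))
    return {
        "unlinked": unlinked_accounts(events, roster),
        "shared_use": {u: sorted(h) for u, h in concurrent_use(events).items()},
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_LOG).items():
        print(finding, detail)
```

The window is the tunable part: too short and a genuinely shared account that is passed around across a shift slips through, too long and a clinician who legitimately roams between workstations gets flagged. Pairing this with the roster check catches the departmental IDs regardless of timing.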

  • 26 percent of those not yet compliant aim to have the best security available in the industry to protect data

A surprising tidbit from this survey is that more than a quarter of respondents are less driven by compliance with industry regulation than by making sure they have the best security available in place. This is a positive trend, as security investments have often been relegated to the minimalist checklist of what was required for "good enough" security. It confirms the anecdotal evidence that companies are increasingly aware of the potential damage to their public image and are determined not to be in the headlines for the wrong reasons.

For the full Executive Summary of the report, click here, and for the press release, click here.

How's your PCI DSS compliance coming along?

-David


Halloween Scary Security Stories 2008

Posted by David Ting on Fri, Oct 31, 2008 @ 02:00 PM
This week I was part of Network World's second annual real-life scary security stories podcast, a panel hosted by Keith Shaw that told the tales of some frightful security happenings over the past year. There were some amazing examples of data breaches, corporate espionage and simple access and authentication missteps, to which I added a few anecdotes from actual conversations I've had over the past year. [To protect the innocent, actual names were not used.]

So here's a run-down of FIVE scary security stories that made me shiver:

1. During a security audit, one company set up a team to find out where its vulnerabilities lay. In one instance the undercover team posed as outsourced IT staff and asked an employee to offer up her strong password so that he could access the computer to change its fluid... change its fluid!... and sure enough, the employee not only coughed up her password (required to be strong) but noted that the strong password was due to the company's strict security policy.

2. Convenience shouldn't be written on the wall... literally. I came across one example of a hospital that was considering re-painting a room, and the doctors were in an uproar about it. Turns out, most of the doctors travelled to different hospitals and had written their application passwords on the wall behind the computer for easy recall and sharing with colleagues. Each doctor had a "reserved" area where they would scribble their logon information specific to that hospital. I've seen a lot of passwords written on sticky notes and stuck behind monitors, but right on a wall!? This was a first, and I later found out it was done at multiple hospitals in the area.

3. In some instances, vulnerabilities are based simply on the basic human tendency to trust. One time I was due to meet with a company, and it was raining buckets outside, so as my team waited outside a member of the cleaning crew kindly let us into the facility and pointed out the room we were supposed to meet in. No need to sign in or be escorted, even though there were plenty of signs about security and proper disposal of documents in locked bins. They then left us alone in the conference room, complete with network access, to set up our equipment and wait for the meeting with the CISO. The cleaning crew, like most people, trusted that people were good (a positive thought, in general) and in doing so helped us bypass a necessary physical security hurdle.

4. In some instances, thieves can get downright brazen. In one instance I recently heard about, someone walked into a company on a Friday afternoon wearing overalls with "PC Repair" written on them and walked off with 50 computers. He told the staff they were getting new computers on Monday and that he had to remove the old ones. Since it was Friday afternoon, not only was he not challenged by anyone, but someone actually helped him carry the equipment out. When I heard this one, I was shocked at how easy it is for thieves to get past physical security with a credible story.

5. I also learned recently about a company that had an employee who was stealing laptops by wrapping them in paper and padding and tossing them into the office trash cans, then going outside to recover them after the unknowing cleaning crew had taken the trash out of the facility. An interesting approach to circumventing the physical security infrastructure, but it goes to show how creative, yet simple, tactics for getting around security can be.

What I took away from these recent conversations and stories is that the human element plays a major role in overall security, and that training and education must be a security priority for all types of employees in an organization. Social engineering, online and offline, feeds off the inherent trust people have in one another, so whether a breach, scam or vulnerability is sophisticated or simple, we all need greater awareness of our environments and must follow security best practices even when it feels a bit awkward.

So with Halloween upon us, what are your scary security stories? [please don't use real names!]

--David



Security in the Cloud

Posted by David Ting on Mon, Oct 13, 2008 @ 09:30 AM

While the concept of cloud computing (accessing applications online) has been around for close to a decade, talk on the subject has intensified significantly in recent months. The catalysts for these discussions range from the sharp decline in hardware and network infrastructure costs to the desire of businesses to "go green" to the need for accessibility by an increasingly distributed workforce.  Whatever the reason, big business has taken notice, and as this interest turns into action, companies must be prepared to look at all of the key issues around the move before acting.

What we are seeing today is a growing wave of interest from businesses in deploying a company-wide cloud computing model. In fact, InfoWorld predicted earlier this month that "the high cost of power and space is going to force the IT world to look at cloud services, with a shift to computing as a cloud resource occurring in the next five years." The author goes on to predict that the "emergence of cloud computing will reduce the need for computing at the enterprise level."

Few people question that cloud computing will bring an array of benefits to businesses, many of which have been touched on above.  The issue as I see it is that many businesses looking to the cloud are not easing in with their eyes fully open but rather jumping in head first; as a result, they forget to weigh all the key areas ahead of time, specifically those on the security side.  A perfect example involves strong authentication.

Strong authentication solutions are essential for businesses looking to safeguard their assets against unauthorized access.  For businesses leveraging a cloud computing model, a major selling point is that employees can access critical applications from virtually anywhere while the company saves bundles of cash on infrastructure and maintenance costs. The issue is that once you are in the cloud, those applications are reachable from anywhere by anyone, not just from inside your network, so the risk of unauthorized access grows dramatically.

Since the cloud computing model creates a new wave of challenges for the security team, I assumed that these folks were highly involved in all discussions.  What surprised me is that in many instances this is not the case.  What I have witnessed is that businesses are shutting the security teams out of the discussions altogether and focusing almost solely on architecture. The security team is eventually brought into the discussions, but in many instances the team is literally forced to participate. This is a major oversight that could have significant ramifications down the road.

Strong authentication is a vital element in protecting a business's assets from unauthorized access, and the need for these solutions only grows when a business shifts to a cloud computing model.  As a result, for businesses preparing to move to the cloud, the security team must be a central participant in the discussion from the very beginning.  By including them at the initial planning stages and making them part of the plan, businesses can ensure that operating in the cloud doesn't mean flying blind.

-David


Tips and Tricks for selecting Strong Authentication

Posted by Jason Mafera on Fri, Oct 03, 2008 @ 08:49 AM
Strong authentication can come in a variety of forms, each with its own unique strengths and weaknesses.  Before selecting a type of strong authentication, think about the following:
  1. Make sure that the technology you select can be easily managed centrally.
  2. Check that the vendor supports multiple types of strong authentication technologies, so that it is easy to mix and match different types within a single installation and policy.  In many cases a single type of strong authentication technology is not enough to cover an entire organization, as different groups of users may need different types.
  3. Make sure you understand the strengths and weaknesses of each approach and that it fits into your overall security needs.
  4. Ask what happens if a device is lost or stolen: how easy is it for the user to continue working until the device is replaced, and does that fallback path weaken the security you bought the device for?
  5. Ask how each technology fits into the three categories of multi-factor authentication: something you have (device), something you know (PIN or password), something you are (biometric).


For more information on different types of strong authentication and a comparison of strengths and weaknesses, please view the pre-recorded webinar by clicking on the following URL:   http://www.imprivata.com/content12349.html


InSights from the Lone Star state

Posted by John Clark on Tue, Sep 30, 2008 @ 10:54 AM

Hundreds of McKesson customers converged in Grapevine, Texas this past week to learn what their peers are doing and to get the latest product updates from McKesson. If we are heading into an economic crisis, you'd never know it by the size of the groups that many hospitals sent to the conference!

Infrastructure upgrades were a common theme this year for many of the attendees I spoke to, with virtualization in particular continuing to rise in priority. Many hospitals had partially or completely virtualized their data center, and some had even virtualized all their desktops.

Conspicuously absent from the conversations I caught was any talk about stricter HIPAA enforcement. The sentiment from some of the attendees I spoke to was that HIPAA leaves a lot of room for interpretation, so they weren't too concerned with actually being fined. Combine that sentiment with the fact that there has been a grand total of one fine levied by the Office of Inspector General in the last ten years, and it's no wonder HIPAA is not a top concern for healthcare providers. On the other hand, despite the large number of hospitals that have rolled out a physician portal, passwords continue to be a huge headache for clinicians and physicians. This can be attributed partially to HIPAA regulations, because many of the organizations I spoke with have implemented unique login IDs and stronger password policies and make their users log off applications between patient visits. For those of us in IT, four passwords don't sound like a lot to manage, but for a physician, where literally every second counts, that is a big source of frustration.

There was unanimous agreement between the attendees I spoke with at the conference that 1) the young physicians coming out of med school are much more willing and able to embrace healthcare IT than the "old-timers", and 2) that if you want the physicians to change their behavior, even if it's IT-related, the mandate has to come from the Chief Medical Officer.

Are you seeing a generational gap in your physicians in terms of their willingness to embrace IT-driven solutions?  Is your organization willing to lose a physician to another hospital to make a point with the rest of your physicians?

- John


ASIS 2008 in Atlanta: Where Physical/Logical Convergence Happens

Posted by Chip LeBlanc on Thu, Sep 18, 2008 @ 10:18 AM

I just came back from the ASIS 2008 Show in Atlanta and boy, do my feet hurt. Over 15,000 attendees, participation in 6 booths including our own, and 3 days of constant conversation will do that to a person.  This security show is the top venue for those wanting to be educated on the latest in security... from state-of-the-art manhole covers to new IP video and access control systems.  Imprivata participates to support our partners and promote the capabilities of our OneSign platform as a key component of physical/logical convergence.

The subject of security convergence has been discussed for years, and some pundits are skeptical that it will happen in their lifetime. Well, based on prospect meetings, sessions, and interactions with attendees at ASIS, convergence is going strong... and more importantly, technologies to deliver the capability are being budgeted for 2009.

A key factor in expediting the adoption of converged physical and logical security systems is the understanding among facility security and IT security decision makers that they must engage with each other in order to drive the advancement of their company's security capabilities. To reinforce this, the security integrators and manufacturers, those charged with delivering a converged solution, must understand this as well. And our partners do! I was very happy to hear our partners instructing their customers and prospects (facility security managers and executives) that as they embark on upgrading or installing new security systems, their IT counterparts must be involved. If not, their projects will likely not happen. I must say, this was quite refreshing to hear, as conversations like that were not nearly so prevalent at ASIS 2007.

Convergence is happening.

-Chip


What’s Next: Peering into the Future of Biometrics

Posted by David Ting on Thu, Sep 11, 2008 @ 02:30 PM
I was recently asked to comment on the future of biometrics so I wanted to share my thoughts here after distilling them down into four buckets.

What's Next in Adoption: Increase Driven by Usability, Durability and Speed in Mobile Devices
In the world of biometrics, we are witnessing widespread adoption of fingerprint biometrics because it has the longest history in terms of sensor development, image processing and large-population statistics. Mobile devices are benefiting from evolutionary rather than revolutionary change as fingerprint sensors become more tolerant of finger and environmental conditions, more durable and faster. This, coupled with reductions in footprint, power consumption and cost, has driven rapid adoption among mobile and desktop users, as evidenced by the number of users today who are buying sensors as a low-cost enhancement for their notebooks.

What's Next in the Tech: Improved Imaging Performance; Thermal Signatures of Veins and Facial Prints
I expect to see even better speed and imaging performance from future readers. In addition, newer technologies are emerging, such as infrared (IR) imagers able to capture the thermal signatures of finger veins, palm or hand veins, and facial prints. These technologies are starting to appear, but their price points are higher than those of fingerprint sensors, so they are still early in their adoption cycle. Whether they will become as mainstream as fingerprint biometrics is still unknown, but they look promising. For a variety of reasons, we still have not seen widespread demand for voice or facial recognition even though microphones and digital cameras are becoming standard equipment on notebooks. The variability of the operating environment, and how it affects recognition rates, certainly plays a large role in this.

What's Next in the Enterprise: Centrally-Managed Biometrics Data in a Distributed Environment
Most of the biometric technology provided by notebook vendors is device-centric, meaning the reference biometric data, be it fingerprint, facial or finger/hand vein, is stored on the specific notebook used for enrollment rather than on a central server as one would expect for enterprise use. This restricts the user to authenticating only to the same device, not a very useful model if the user wants to gain network access from a different computer in the office or if the notebook needs to be replaced. Imprivata has long held the opinion that reference biometric data needs to be stored and managed centrally to offer the maximum flexibility and security for end users. For instance, the OneSign server securely stores the reference fingerprint biometric for all users in an encrypted database that offers rapid fingerprint identification within a distributed environment. This model has proven to be operationally and demonstrably correct within healthcare, government, financial services and utility applications. Next-generation enterprise biometric solutions will evolve towards working with centralized, distributed and mobile (e.g. on contact or contactless smartcards) credential storage.  Another aspect of enterprise-based solutions is interoperability across different devices, so a user can authenticate using different sensor technologies from different platforms without having to enroll separately with each system. This need will become more significant as first-generation scanners get replaced by newer ones. Failure to recognize this need to future-proof the biometric system will result in having to re-enroll users to work with newer technologies. This is one of the key design goals for the OneSign biometric system.

What's Next in Consolidation: Workflows; Physical and Logical Systems; and Biometric Support
As biometrics are more widely adopted, we are starting to see more requests for consolidation of the workflow used for enrolling and authenticating users. For instance, many interested in convergence of physical and logical access systems want "one stop enrollment" of employees, so the biometrics taken at the time they are issued a facility access badge are also used for granting logical access to computers and applications. Consolidation of biometric authentication/identification services across multiple applications is another change we are seeing, as government regulations call for transactional verification within applications. Rather than each application providing its own biometric capabilities, vendors are looking to external providers to support biometric verification for all applications. Imprivata's ProveID API for accessing OneSign biometric authentication, for example, is being used by multiple healthcare and financial applications to offload the responsibility for all the workflow, credential storage and device management necessary to support biometrics. We expect this trend to continue as more applications are required to offer biometric support. This is a win/win for both customers and application providers: the end user doesn't want multiple proprietary devices for individual applications, or to learn and enroll with different systems one by one, and the application provider doesn't want to wrestle with the complexities of different authentication technologies.

-David


Who’s Really Afraid of HIPAA?

Posted by John Clark on Thu, Sep 04, 2008 @ 04:00 PM

Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that, behind the scenes, one would naturally assume that the majority of healthcare organizations are being driven by worry about the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for failure to fully comply with HIPAA.

Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for violating the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness.  What really stands out to me is that while both complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the "uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA)."

That's right. While many healthcare organizations have failed to meet the regulations of HIPAA, fines such as the recent $100,000 bill levied on Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited the effectiveness of HIPAA through its lack of commitment to enforcing the guidelines. The result? Companies that should be focusing on meeting HIPAA's standards, and considering the consequences they might face if they fail to do so, are ultimately deciding to focus on other projects that they deem more important.

The question is - will HHS ever become more hands on within the industry regarding HIPAA? Because, until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its "business as usual" approach instead of taking all the precautions as outlined by HIPAA.  I'd be interested to know - are you addressing HIPAA? And, which is your greater worry - HHS levied fines, or media exposure to a data breach?

If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in our September 9 Webinar titled, "Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies." See you there!

-John


A Logical Security Convergence Starting Point: The Data Center

Posted by Chip LeBlanc on Thu, Aug 28, 2008 @ 11:27 AM

Physical-logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory.  Integrating teams and policy, not just the technology, needs to be well thought out.  Increasingly, our conversations with prospects and customers interested in converging physical and logical access focus on where to start that type of project.  Though very interested in the promise of converged access, people want, as with any technology, to wade into the water first: to make sure that it works as advertised technically, that it is easy for users to adopt, that the kinks in reporting are hammered out, and that there is a clear understanding of who owns the integrated environment.

Security Magazine's Bill Zalud just moderated an interesting Webinar on the topic of converged physical-logical solutions with folks from Convergint Technologies, Tyco International, M.C. Peterson & Associates and the Open Security Exchange - check it out here.  The topic of project ownership and budget, and inter-departmental communication were identified as primary hurdles to moving forward with a convergence effort.  Let's be honest, the physical and IT groups within most organizations often don't communicate as much as one might think. 

However, there is a strategic bridge for these two groups -- the data center.  IT owns the servers; physical security is responsible for locking down the room.  In most cases, the server room/data center is of tremendous importance in today's business and there is a smaller authorized employee base to manage/monitor, so both groups can certainly agree on the need to lock it down and ensure only authorized personnel have access.  Finger-pointing and avoidance both get thrown out the door when the company's crown jewels (secret formulas, customer lists, financial reports - which are all stored electronically) are on the line. 

The data center as a starting point can help physical and IT groups bridge the gap and start walking the walk instead of talking the talk.  The stakes are too high not to collaborate.  In addition, leveraging existing investments tied to the data center makes it an easier transition: two-factor authentication can leverage physical security assets and infrastructure such as card readers, and the badge-reader logs that already record who entered the room can be checked against who logged on inside it.  This inserts IT into the process immediately and helps 'force' collaboration amongst the disparate teams for the common good.
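To make the data-center correlation concrete, here is an added example (written for this page, not Imprivata's or any partner's code) that joins badge-reader events for a server-room door with console logons on the servers in that room and flags any logon by someone who has no badge-in to the room covering that moment. The event formats, the room and server names and the rule itself are assumptions for the example.

```python
"""Physical/logical correlation for a server room (constructed example).

Badge swipes give presence intervals per (user, door). A console logon on a
server inside that room is acceptable only if the user's presence interval
for the room covers the logon time. Anything else is a finding: either a
shared logon, a tailgater, or a badge system and directory that disagree.
"""
from collections import defaultdict
from datetime import datetime

# Constructed badge events: (timestamp, user, door, direction)
BADGE_EVENTS = [
    ("2008-08-27T13:55:00", "rlee", "DC-EAST", "in"),
    ("2008-08-27T14:40:00", "rlee", "DC-EAST", "out"),
    ("2008-08-27T15:02:00", "jsmith", "LOBBY", "in"),
]

# Constructed console logons: (timestamp, user, server, room the server sits in)
CONSOLE_LOGONS = [
    ("2008-08-27T14:05:00", "rlee", "db01", "DC-EAST"),    # badged in at 13:55: fine
    ("2008-08-27T15:10:00", "jsmith", "db01", "DC-EAST"),  # only ever badged into the lobby
    ("2008-08-27T16:30:00", "rlee", "db02", "DC-EAST"),    # badged out at 14:40
]


def _t(stamp):
    return datetime.fromisoformat(stamp)


def presence_intervals(badge_events):
    """Pair each 'in' swipe with the next 'out' swipe for the same user and door.

    Returns {(user, door): [(enter, exit_or_None), ...]}; an unmatched 'in'
    becomes an open-ended interval (the person has not badged out yet).
    """
    inside = {}
    intervals = defaultdict(list)
    for stamp, user, door, direction in sorted(badge_events):  # ISO stamps sort by time
        key = (user, door)
        if direction == "in":
            inside[key] = _t(stamp)
        elif direction == "out" and key in inside:
            intervals[key].append((inside.pop(key), _t(stamp)))
    for key, start in inside.items():
        intervals[key].append((start, None))
    return intervals


def unbadged_logons(console_logons, badge_events):
    """Return (user, server, timestamp) for logons with no covering badge-in."""
    intervals = presence_intervals(badge_events)
    findings = []
    for stamp, user, server, room in console_logons:
        t = _t(stamp)
        covered = any(
            start <= t and (end is None or t <= end)
            for start, end in intervals.get((user, room), [])
        )
        if not covered:
            findings.append((user, server, stamp))
    return findings


if __name__ == "__main__":
    for user, server, stamp in unbadged_logons(CONSOLE_LOGONS, BADGE_EVENTS):
        print(f"{stamp}: {user} logged on to {server} without badging into its room")
```

In practice the join key is the hard part: the badge system and the directory must agree on who "rlee" is, which is exactly the shared identity and ownership question the post says the two teams need to settle before the technology matters.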

The annual ASIS event is coming up in September (swing by booth #4024 if you're there!), and the topic of physical logical access convergence will be a hot topic once again this year.  Come by Imprivata's booth and let's talk shop - I'd love to hear your thoughts on the data center as a physical-logical starting point... whether here on the blog, or at ASIS in September!

-Chip


New York Times article on Single Sign-on: Cryptography vs. Passwords?

Posted by David Ting on Thu, Aug 21, 2008 @ 12:00 PM
The New York Times recently posted an article decrying passwords as an inadequate defense mechanism in today's wave of identity theft.  The article goes on to push a cryptography-based approach to log-on systems, touting 'information cards' that rely on a cryptographic handshake between machines, rather than a shared secret typed by the user, to authenticate a user, or in this case, a site visitor.  The article goes on to rail against the OpenID initiative because of its password-driven approach to SSO for OpenID-enabled Web sites.

I read some of the comments under the article and they are politely saying the same thing - that it would be great if all the servers and users out there used PKI for mutually authenticating each other.  Reality: this won't happen unless everyone makes the big switch.  Unfortunately major upheavals like this take tremendous investment.  Major investment indeed - by a lot of people, companies and policy makers.

A relevant analogy is the transition to fiber optics at home: 30 years ago we knew it was a better technology that would revolutionize telecommunications, *but* with copper in place for telephone service, who was going to make the investment to solve the "last mile problem", the copper that runs between the pole and the phone in your house [not to mention ditching the previous investments put into copper all those years]? Only now, with telcos being allowed to sell new services such as video content, are they incented to invest the billions of dollars required to bring fiber to the house.

So it is with PKI: the notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago. It failed because it required companies to make a significant investment not only to upgrade their server applications to use certificates but, more importantly, to get valid certificates onto every client. The investment and expense required couldn't be justified on the basis of improving security, much less to provide SSO convenience. If a company has to choose between turning away customers that don't have info cards or certificates and increasing security, which option would it pick? The existing infrastructure for user authentication will continue to use passwords for a long time, just as we lived with copper and analog voice, because the economics aren't there to switch. Using PKI to reduce user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.

Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor combined with the continuous infrastructure investment already made over the past two decades points to the reality that password-based SSO isn't going anywhere anytime soon.  Are there ways to strengthen the security of password-based SSO without losing its convenience? Sure: add strong authentication methods like biometrics [check out my post last week] to provide two-factor authentication; at least there are widespread nearer-term investments being made in that area, in devices all over the world in every industry.

What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about? 

-David
