Posted by David Ting on Mon, Dec 15, 2008 @ 10:37 AM
The discussion on desktop virtualization, or hosted virtual desktop, is heating up. Some view it as futuristic. Others say it is a throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.
In our current cost-conscious world, the potential to reduce IT costs is obvious: virtualization significantly reduces the need for idle computing hardware and drastically lowers power consumption - especially in mission-critical environments like healthcare where machines need to be on 24 hours a day. Lower power consumption comes from reducing the need to run lightly loaded but high-powered CPUs at each desktop and instead delivering desktop sessions for multiple users from a server that can be heavily loaded. Most importantly, virtualization frees IT from having to maintain large numbers of desktop systems that are largely user managed. It also eliminates the need to constantly re-image machines that have degraded through common usage. Imagine how many fewer headaches we would have if we could have a new copy of the OS image every day - and not have to suffer through the "plaque" build-up that slowly kills performance.
This all sounds good. But, before diving headfirst into the virtualization pool, it's important to realize that the benefits of desktop virtualization also lead to new security challenges - especially around managing user identities, strong authentication and enforcement of access policies.
With user identities being relevant at multiple points within the virtual desktop, coordinating and enforcing access policies becomes far more difficult and error-prone, as all the systems have to be in sync. Since one of the advantages of having virtual desktops is the ability to dynamically create desktops specific to the user's role within the organization, having a centralized way to manage user identities, roles and access (or desktop) policies is critical in this new virtualized environment. Allowing users to access only tailored desktops specific to their role or access location can be tremendously valuable in controlling access to computing resources. Being able to leverage a single location for authenticating users, obtaining desktop access rights and auditing session-related information is equally important, if not more so, than in a conventional desktop environment.
While it is still some time out before adoption becomes common - security capabilities and limitations present a barrier to adoption - we're beginning to see customers who need to address these issues: connecting the user identity with authentication and policy all the way from the client to the virtualized session and even to the virtualized application.
Desktop virtualization has tremendous promise. However, until we can replicate the user's current experience - and, more importantly, make it easier to set and enforce authentication and policy in this environment - there's still work to be done.
Are you working through some of these issues? I'd be interested in hearing how you fill the policy and authentication gap while keeping your critical infrastructure secure.
Posted by David Ting on Wed, Nov 26, 2008 @ 03:30 PM
A recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts. The final set of Massachusetts regulations focuses on restricting employee access to data, monitoring malicious activity on the network, and strong authentication protocols. The new regulations will go into effect beginning January 1, 2009. While it sounds like common-sense legislation, and represents a good step forward in helping mitigate data breaches, the new regulations will have a wide-ranging impact and will affect every business in Massachusetts that comes into contact with consumer information - including financial services organizations, healthcare organizations, and even educational institutions.
A closer examination of the regulations shows that they're very similar to the Payment Card Industry (PCI) Data Security Standards (DSS). That's good news for many companies that handle financial information and have achieved PCI Compliance, or those that are working towards compliance. In fact, a recent survey of IT decision makers commissioned by Imprivata examining identity management trends in PCI compliance, shows that a majority of companies are either currently compliant with PCI standards, or plan to be in the next 18 months.
The departure from PCI comes in the types of information that need to be secured - the new regulations go beyond financial information and cover any personal information a business might collect, including bank account information, social security numbers, etc. This impacts a large number of businesses that might not have fallen under the PCI umbrella.
If your business falls under that category and you haven't gotten started on your way to compliance with these new regulations, a good place to start is to make sure you have access policies in place to control how users access information. Implementing strong authentication wouldn't be a bad idea either, as it ensures that access to records is controlled and you can verify and report on the identity of the user accessing the data.
From an IT standpoint, this means that not only do all users in your business have distinct passwords and logins, but each user has the authorized rights to access the information. Consistent with the principles of role-based access and least privilege, you also want to make sure the level of access granted to users is consistent with their job function and restricted in scope. Above all, IT systems need to have authentication, authorization, and traceability to demonstrate user accountability for whatever information they're accessing.
Most importantly, businesses need to ensure that when employees leave or job functions change, there is a quick way to deactivate access to information. This is a critical step in preventing a data breach, ensuring that former employees can't access sensitive information and applications once they're no longer part of the company, and ensuring that unauthorized personnel can't access the same information using access credentials provided by a former colleague. How often have we heard of data breaches traced back to accounts that should have expired, belonging to innocent former employees who should no longer have access to the system? Keeping your IT and application accounts in sync with active employees is just good IT housekeeping.
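One way to run the access review the paragraphs above describe, as an added example that is not the post's or Imprivata's code: a small Python reconciliation that compares an HR roster against application account exports and flags logins still enabled for departed employees, shared logins with no individual owner, and entitlements beyond the role baseline. The roster, accounts, role baseline and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access review helper: reconcile application account exports against the HR
roster of active employees, flagging what the post calls for - deactivating
departed users' accounts, one login per person, and access scoped to the role.
All roster, account and baseline data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed baseline: the entitlements each job role legitimately needs.
ROLE_BASELINE: Dict[str, Set[str]] = {
    "teller": {"core_banking:read"},
    "loan_officer": {"core_banking:read", "loans:write"},
    "it_admin": {"core_banking:admin", "ad:admin"},
}
DORMANT_DAYS = 90  # assumed review threshold for unused accounts


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str                     # "active" or "terminated"
    end_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    app: str
    login: str
    owner_emp_id: Optional[str]     # None: no individual owner recorded
    entitlements: FrozenSet[str]
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    severity: str                   # "high", "medium" or "low"
    app: str
    login: str
    reason: str


def reconcile(roster: List[Employee], accounts: List[Account],
              baseline: Dict[str, Set[str]], today: date) -> List[Finding]:
    """Compare every account with its owner's HR record and role baseline."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        owner = by_id.get(acct.owner_emp_id) if acct.owner_emp_id else None
        if owner is None:
            # Shared or unowned login: activity cannot be traced to a person.
            findings.append(Finding("high", acct.app, acct.login,
                                    "no individual owner on record"))
            continue
        if owner.status != "active":
            # Deprovisioning gap: the employee left but the login still works.
            gone = (today - owner.end_date).days if owner.end_date else 0
            findings.append(Finding("high", acct.app, acct.login,
                                    f"owner terminated {gone} days ago"))
            continue
        # Least privilege: anything beyond the role baseline is excess.
        excess = acct.entitlements - baseline.get(owner.role, set())
        if excess:
            findings.append(Finding("medium", acct.app, acct.login,
                                    f"beyond role '{owner.role}': {sorted(excess)}"))
        if acct.last_login is None or (today - acct.last_login).days > DORMANT_DAYS:
            findings.append(Finding("low", acct.app, acct.login,
                                    f"no login in {DORMANT_DAYS} days"))
    return findings


def accounts_to_disable(findings: List[Finding]) -> List[Tuple[str, str]]:
    """High-severity findings are the ones to act on first: disable the login."""
    return sorted({(f.app, f.login) for f in findings if f.severity == "high"})


# Constructed sample data: an HR roster and an account export as of REVIEW_DATE.
REVIEW_DATE = date(2008, 11, 26)
ROSTER = [
    Employee("E100", "teller", "active"),
    Employee("E200", "loan_officer", "terminated", date(2008, 10, 31)),
    Employee("E300", "it_admin", "active"),
]
ACCOUNTS = [
    Account("core_banking", "jdoe", "E100", frozenset({"core_banking:read"}), date(2008, 11, 20)),
    Account("core_banking", "rroe", "E200", frozenset({"core_banking:read", "loans:write"}), date(2008, 11, 2)),
    Account("core_banking", "branch_shared", None, frozenset({"core_banking:read"}), date(2008, 11, 25)),
    Account("loans", "jdoe", "E100", frozenset({"loans:write"}), date(2008, 6, 1)),
    Account("ad", "ssmith", "E300", frozenset({"ad:admin", "core_banking:admin"}), REVIEW_DATE),
]


def run_review() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ROSTER, ACCOUNTS, ROLE_BASELINE, REVIEW_DATE)


if __name__ == "__main__":
    for f in run_review():
        print(f"[{f.severity:6}] {f.app}/{f.login}: {f.reason}")
```

In practice the roster would come from the HR system and the account lists from each application's export, run on a schedule so a departure shows up as a finding before the next review.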
These new regulations put the onus on the business to make sure they're taking proactive steps to protect sensitive customer information. While the new regulations haven't outlined the potential penalties for violation yet, the threat of a fine shouldn't be the trigger for an action when it comes to protecting customer information. Nor should businesses wait until they have a breach before getting serious about security - these are common sense steps that all businesses should take to ensure that they're protecting their critical assets and data.
Is your business impacted by the new regulations? If so, where are you starting your journey to protect your business and your customers?
-David
Posted by David Ting on Thu, Nov 13, 2008 @ 03:00 PM
The other week, we announced some findings from a survey conducted over the past couple of months aimed at understanding where authentication and access management sits in the eyes of those concerned with Payment Card Industry (PCI) data security standards (DSS). With PCI publishing the latest PCI Data Security Standard 1.2 on Oct. 1, 2008, this online survey highlighted some interesting trends as companies work toward compliance.
Here are a few stats to briefly call out:
- Despite the latest PCI DSS compliance requirements deadline having passed in June 2008, only 39 percent of respondents confirmed they are currently compliant
- Of the 61 percent of respondents that are not yet compliant, 53 percent expect to become compliant within 12 months; 65 percent expect to be compliant within 18 months
Clearly, PCI DSS still has a long way to go if more than 60 percent of respondents aren't yet compliant, but it looks like a clear priority over the next 12-18 months for most companies. Of the 12 areas across IT disciplines that PCI DSS addresses, many are tied to access and authentication technologies - after all, the goal is to control access to critical customer information. Deployments of single sign-on, strong authentication and physical-logical security integrations with specific ties to compliance are increasing and/or in the works for most respondents in the short term.
- To control individual access to computing resources and cardholder information, of those that are now compliant, 74 percent have assigned a unique user ID, 63 percent have deployed strong authentication technologies and 63 percent have deployed password management technologies
Managing IDs is tough enough when one considers how many different systems employees at most companies interact with, so it is great to see that 74 percent of respondents have assigned a unique user ID for each employee. A unique ID and strong authentication are critical in ensuring there is a link between a logon ID and an individual's true identity. This is critical not only for audit purposes but also as a deterrent.
- 26 percent of those not yet compliant aim to have the best security available in the industry to protect data
A surprising tidbit that came from this survey is that more than a quarter of respondents are less driven specifically by compliance with industry regulation and more driven to make sure they have the best security available in place. This is a positive trend, as oftentimes security investments have been relegated to the minimalist checklist of what was required to have "good enough" security. This confirms the anecdotal evidence that companies are increasingly becoming more aware of the potential damage to their public image and are determined not to be in the headlines for the wrong reasons.
For the full Executive Summary of the report, click here, and for the press release, click here.
How's your PCI DSS compliance coming along?
-David
Posted by David Ting on Fri, Oct 31, 2008 @ 02:00 PM
This week I was part of Network World's second annual real-life scary security stories podcast, a panel hosted by Keith Shaw that told the tales of some frightful security happenings over the past year. There were some amazing examples of data breaches, corporate espionage and simple access and authentication missteps, to which I added a few anecdotes from actual conversations I've had over the past year. [To protect the innocent, actual names were not used.] So here's a run-down of FIVE scary security stories that made me shiver:
1. During a security audit, one company set up a team to see where the vulnerabilities of its organization existed. The undercover team posed as outsourced IT staff in one instance, and asked an employee to offer up her strong password so that he could access the computer to change its fluid... change its fluid!... and sure enough, the employee not only coughed up her password (required to be strong), but noted the strong password was due to their company's strict security policy.
2. Convenience shouldn't be written on the wall... literally. I came across one example of a hospital where they were considering re-painting a room and the doctors were in an uproar about it. Turns out, most of the doctors travelled to different hospitals and had written their application passwords on the wall behind the computer for easy recall and sharing with colleagues. Each doctor had a "reserved" area where they would scribble their logon information specific to that hospital. I've seen a lot of passwords written on sticky notes, behind monitors, but right on a wall!? This was a first, and I later found out it was done at multiple hospitals in the area.
3. In some instances, vulnerabilities are based simply on the basic human nature of trust. One time I was due to meet with a company, and it was raining buckets outside, so as my team waited outside a member of the cleaning crew kindly let us into the facility and pointed out the room we were supposed to meet in. No need to sign in or be escorted - even though there were plenty of signs about security and proper disposal of documents in locked bins. They then left us alone in the conference room, complete with network access, to set up our equipment and wait for the meeting with the CISO. The cleaning crew, like most people, trusted that people were good (a positive thought, in general) and helped us bypass a necessary physical security hurdle.
4. In some instances, thieves can get downright brazen. In one instance I recently heard, someone walked into a company on a Friday afternoon wearing overalls with "PC Repair" written on them, and walked off with 50 computers. He told the staff they were getting new computers on Monday and had to remove the old computers. Since it was Friday afternoon, not only was he not challenged by anyone, but someone actually helped him get the stuff out. When I heard this one, I was shocked how easy it is for thieves to get by physical security by using a credible story.
5. I also learned recently about a company that had an employee who was stealing computers by wrapping up laptops in papers and padding and tossing them into trash cans in the office, then going outside when the trash was taken out to recover them outside of the facility, after the unknowing cleaning people had completed their work. Interesting approach to circumventing the physical security infrastructure, but it goes to show you how creative, yet simple, tactics can be to get around security.
What I took away from these recent conversations and stories is that the human element plays a major role in ensuring overall security. And, that training and education must be a security priority for all types of employees in an organization. Often, social engineering threats - online and offline - feed off the inherent trust that people have in one another, so whether a breach, scam or vulnerability is sophisticated or simple, we all need greater awareness of our environments and to follow security best practices even if it may feel a bit awkward. So with Halloween upon us, what are your scary security stories? [Please don't use real names!]
-David
Posted by David Ting on Mon, Oct 13, 2008 @ 09:30 AM
While the concept of cloud computing (accessing applications online) has been around for close to a decade, talk on the subject has intensified significantly in recent months. The catalysts for these discussions range from the sharp decline in hardware and network infrastructure costs to the desire for a business to "go green" to the need for accessibility by an increasingly distributed workforce. Whatever the reason, big business has taken notice, and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before taking action.
What we are seeing today is a growing wave of interest from businesses in deploying a company-wide cloud computing model. In fact, InfoWorld predicted earlier this month that "the high cost of power and space is going to force the IT world to look at cloud services, with a shift to computing as a cloud resource occurring in the next five years." The author goes on to predict that the "emergence of cloud computing will reduce the need for computing at the enterprise level."
Few people question that cloud computing will bring an array of benefits to businesses, many which have been touched on above. The issue as I see it is that for those businesses looking to the cloud, many are not easing in with their eyes fully open but rather are jumping in head first -- as a result, they are forgetting to weigh all key areas ahead of time, specifically those on the security side. A perfect example involves strong authentication.
Strong authentication solutions are essential for businesses looking to safeguard their company assets against unauthorized access. For those businesses leveraging a cloud computing model, a major selling point is that employees can access critical applications from virtually anywhere while the company saves bundles of cash on infrastructure and maintenance costs. The issue is that once you are in the cloud, the risk of unauthorized access to your systems grows dramatically.
Since the cloud computing model creates a new wave of challenges for the security team, I assumed that these folks are highly involved in all discussions. What surprised me is that in many instances this is not the case. What I have witnessed is that businesses are shutting the security teams out of the discussions altogether and are instead focusing almost solely on architecture. The security team is eventually brought into the discussions, but in many instances the team is literally forced to participate. This is a major oversight that could potentially have significant ramifications down the road.
Strong authentication is a vital element to protecting a business's assets from unauthorized attacks and the need for these solutions only grows when a business shifts to a cloud computing model. As a result, for those businesses preparing to transform to the cloud model, the security team must be a central participant in the discussion from the very beginning. By including them in the process and making them a part of the plan at the initial planning stages, businesses will be able to ensure that operating in a cloud doesn't mean they are flying blind.
-David
Posted by Jason Mafera on Fri, Oct 03, 2008 @ 08:49 AM
Strong authentication can come in a variety of forms, each with its own unique strengths and weaknesses. Before selecting a type of strong authentication, think about the following:
- Make sure that the technology you select can be easily managed centrally.
- Check that the vendor supports multiple types of strong authentication technologies, so that it is easy to mix and match different types within a single installation and policy. In many cases a single type of strong authentication technology is not enough to cover an entire organization, as different groups of users may need different types.
- Make sure you understand the strengths and weaknesses of each approach and that it fits into your overall security needs.
- Ask what happens if a device is lost or stolen: how easy is it for the user to continue working until the device is replaced?
- Ask how each technology fits into the three categories of multi-factor authentication: something you have (a device), something you know (a PIN or password), something you are (a biometric).
For more information on different types of strong authentication and a comparison of strengths and weaknesses, please view the pre-recorded webinar by clicking on the following URL: http://www.imprivata.com/content12349.html
Posted by John Clark on Tue, Sep 30, 2008 @ 10:54 AM
Hundreds of McKesson customers converged in Grapevine, Texas this past week to learn what their peers are doing and to get the latest product updates from McKesson. If we are heading into an economic crisis, you'd never know it by the size of the groups that many hospitals sent to the conference!
Infrastructure upgrades were a common theme this year for many of the attendees I spoke to, with virtualization in particular continuing to rise in priority. Many hospitals had partially or completely virtualized their data center, and some had even virtualized all their desktops.
Conspicuously absent from the conversations I caught was any talk about stricter HIPAA enforcement. The sentiment from some of the attendees I spoke to was that HIPAA leaves a lot of room for interpretation, so they weren't too concerned with actually being fined. Combine that sentiment with the fact that there has been a grand total of one fine levied by the Office of Inspector General in the last ten years, and it's no wonder HIPAA is not a top concern for healthcare providers. On the other hand, despite the large number of hospitals that have rolled out a physician portal, passwords continue to be a huge headache for clinicians and physicians. This can be attributed partially to HIPAA regulations, because many of the organizations I spoke with have implemented unique login IDs and stronger password policies and make their users log off applications between patient visits. For those of us in IT, four passwords doesn't sound like a lot to manage, but for a physician, where literally every second counts, that is a big source of frustration.
There was unanimous agreement between the attendees I spoke with at the conference that 1) the young physicians coming out of med school are much more willing and able to embrace healthcare IT than the "old-timers", and 2) that if you want the physicians to change their behavior, even if it's IT-related, the mandate has to come from the Chief Medical Officer.
Are you seeing a generational gap in your physicians in terms of their willingness to embrace IT-driven solutions? Is your organization willing to lose a physician to another hospital to make a point with the rest of your physicians?
- John
Posted by Chip LeBlanc on Thu, Sep 18, 2008 @ 10:18 AM
I just came back from the ASIS 2008 Show in Atlanta and boy, do my feet hurt. Over 15,000 attendees, participation in 6 booths including our own, and 3 days of constant conversation will do that to a person. This security show is the top venue for those wanting to be educated on the latest in security, from state-of-the-art manhole covers to new IP video and access control systems. Imprivata participates to support our partners and promote the capabilities of our OneSign platform as a key component of physical/logical convergence.
The subject of security convergence has been discussed for years, and some pundits are skeptical that it will ever happen in their lifetime. Well, based on prospect meetings, sessions, and interactions with attendees at ASIS, convergence is going strong. And more importantly, technologies to deliver the capability are being budgeted for 2009.
A key factor in expediting the adoption of converged physical and logical security systems is the understanding among the facility security and IT security decision makers that they must engage with each other in order to drive the advancement of their company's security capabilities. To reinforce this, the security integrators and manufacturers, those charged with delivering a converged solution, must understand this as well. And our partners do! I was very happy to hear our partners instructing their customers and prospects (facility security managers and executives) that as they embark on upgrading and/or installing new security systems, their IT counterparts must be involved. If not, their projects will likely not happen. I must say, this was quite refreshing to hear, as conversations like that were not quite so prevalent at ASIS 2007.
Convergence is happening.
Chip
Posted by David Ting on Thu, Sep 11, 2008 @ 02:30 PM
I was recently asked to comment on the future of biometrics so I wanted to share my thoughts here after distilling them down into four buckets.
What's Next in Adoption: Increase Driven by Usability, Durability and Speed in Mobile Devices
In the world of biometrics, we are witnessing widespread adoption of fingerprint biometrics because it has the longest history in terms of sensor development, image processing and large-population statistics. Mobile devices are starting to benefit from evolutionary rather than revolutionary changes as biometric devices become more usable (more tolerant of fingerprint and environmental conditions), more durable and faster. This, coupled with the reduction in footprint, power consumption and cost, has driven rapid adoption for mobile and desktop users, as evidenced by the number of users today who are buying them as a low-cost enhancement for their notebooks.
What's Next in the Tech: Improved Imaging Performance; Thermal Signatures of Veins and Facial Prints
I expect to see even better speed and imaging performance from future readers. In addition, newer technologies are emerging, such as infrared (IR) imagers able to detect thermal signatures of finger veins, palm or hand veins, as well as facial prints. These technologies are starting to appear, but their price points are higher than those of fingerprint sensors, so they are still early in their adoption cycle. Whether these will become as mainstream as fingerprint biometrics is still unknown, but these technologies look promising. For a variety of reasons, we still have not seen widespread requests for voice or facial recognition even though microphones and digital cameras are becoming standard equipment on notebooks. Variability of the operating environment and how it affects recognition rates certainly plays a large role in this.
What's Next in the Enterprise: Centrally-Managed Biometrics Data in a Distributed Environment
Most of the biometrics technology provided by notebook vendors is device-centric, meaning the reference biometric data - be it fingerprint, facial or finger/hand veins - is stored on the specific notebook used for enrollment rather than in a central server as one would expect for enterprise use. This restricts the user to only authenticating back to the same device - not a very useful model if the user wants to gain network access from a different computer in the office or if the notebook needs to be replaced. Imprivata has long held the opinion that reference biometric data needs to be stored and managed centrally to offer the maximum flexibility and security for the end users. For instance, the OneSign server securely stores the reference fingerprint biometric for all users in an encrypted database that offers rapid fingerprint identification within a distributed environment. This model has proven to be operationally and demonstrably correct within healthcare, government, financial services and utility applications. Next-gen enterprise biometric solutions will evolve towards being able to work with centralized, distributed and mobile storage (e.g. on smartcards or contactless smartcards). Another aspect for enterprise-based solutions is interoperability across different devices, so a user can authenticate using different sensor technologies from different platforms without having to enroll multiple times with different systems. This need will become more significant as first-generation scanners get replaced by newer ones. Failure to recognize this need to future-proof the biometric system will result in having to re-enroll users to work with newer technologies. This is one of the key design goals for the OneSign biometric system.
What's Next in Consolidation: Workflows; Physical and Logical Systems; and Biometric Support
As biometrics become more widely adopted we are starting to see more requests for consolidation of the workflow used for enrolling and authenticating users. For instance, many interested in convergence of physical and logical access systems want "one stop enrollment" of employees, so the biometrics taken at the time they are issued a facility access badge also get used for granting logical access to computers or applications. Consolidation of biometric authentication/identification services across multiple applications is another change we are seeing as government regulations call for transactional verification within applications. Rather than each application providing its own biometric capabilities, they are looking to external providers to support biometric verification for all applications. Imprivata's ProveID API to access OneSign biometric authentication, for example, is being used by multiple healthcare and financial applications to offload the responsibility for all the workflow, credential storage and device management necessary to support biometrics. We expect this trend to continue as more applications are required to comply with having biometric support. This is a win/win for both customers and application providers: the end user doesn't want multiple proprietary devices for individual applications or the need to individually learn to use and enroll with different systems, and the application provider doesn't want to have to wrestle with the complexities of different authentication technologies.
-David
Posted by John Clark on Thu, Sep 04, 2008 @ 04:00 PM
Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that behind the scenes, one would naturally have to assume that the majority of healthcare organizations are being driven by the worry of the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for their failure to fully comply with HIPAA.
Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for its violation of the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness. What really stands out to me is that while both complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the "uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA)."
That's right. While many healthcare organizations have failed to meet the regulations of HIPAA, fines such as the recent $100,000 bill levied on Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited the effectiveness of HIPAA through its lack of commitment to enforcing the guidelines. The result? Companies which should be focusing on meeting HIPAA's standards and considering the consequences they might face if they fail to do so are ultimately deciding to focus on other projects that they deem more important.
The question is - will HHS ever become more hands on within the industry regarding HIPAA? Because, until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its "business as usual" approach instead of taking all the precautions as outlined by HIPAA. I'd be interested to know - are you addressing HIPAA? And, which is your greater worry - HHS levied fines, or media exposure to a data breach?
If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in our September 9 Webinar titled, "Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies." See you there!
-John