SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Posts tagged: strong authentication
Seven Habits of Highly-Effective Healthcare Security (without Sacrificing Clinician Workflow)
March 22, 2010 at 3:49 PM by David Ting
Healthcare access management plays an integral role in the healthcare industry these days, with patient data security and breach disclosure notification mandates front and center with HIPAA compliance, HITECH incentives and other mandates from various parts of the world focused on protecting personal health information (PHI).
Coming out of HIMSS 2010, it was clear that patient data security was a chief concern, but so was the need for improved clinician workflows. For all the requirements driven by new laws and the stimulus bill, what was overlooked was the impact of security in the real-world hospital environment from a user perspective. Forcing someone to change habits and daily routines is difficult, if not impossible, to do. Therefore, it is integral to the successful adoption of these security endeavors that they be paired with improving workflow. If change makes people’s lives easier, it’s easier for them to embrace. It doesn’t need to be an either/or argument.
As such, here are our seven habits of highly-effective healthcare security:
- Ensure adequate password complexity across system and application logons to protect PHI
- Auto-generate strong passwords where possible to simplify the backend security process; take the task out of your hands and focus your attention where it can be better utilized
- Rely on technology that is easy to implement (for you) and support (for your users)
- Select strong authentication technologies (e.g., fingerprint biometrics) that simplify user access to help achieve user adoption
- Seek solutions that have built-in audit logging and reporting capabilities; when compliance audits knock, proof should be a quick click away
- Manage password resets through a self-service portal: enabling clinicians to solve simple password problems themselves eliminates unnecessary IT costs and reduces instances of password sharing across the medical unit or nurses' station
- Fast access termination across systems and applications is mission-critical, as unattended workstations create a gaping hole in even the best-laid security plans
From a high level, aligning with these habits can help secure user access in your healthcare organization, but as I mentioned, workflow MUST be improved at the same time. Be sure whatever security solutions you’re deploying are easy for users to embrace. Practical security innovations born from real-world clinician workflows can deliver the best in both transparent security and user productivity. This is why the use of healthcare single sign-on and strong authentication that is easy for clinicians to use and doesn’t disrupt workflow is so attractive.
Do you have any good healthcare security habits to share? We’d love to hear them!
--David
Security Wish List and This Year’s Ultimate Strong Authentication Stocking Stuffer
December 23, 2009 at 10:22 AM by David Ting
2009 was a tough year with the global economic downturn resulting in unprecedented workforce reductions. As a result, security risk from insider breaches has never been greater. Now, as we look to turn the page to 2010, it’s already clear that organizations will continue to go beyond the traditional levels of network access security by implementing policies that require users to provide a second form of identity to gain access to IT resources.
Once considered an unnecessary form of security, strong authentication has materialized into an essential part of data security best practices. In fact, most regulatory bodies are now starting to mandate the use of strong authentication. The need for organizations to implement multiple types of strong authentication options is driven primarily by user environment, habits and workflow. While there are several options available—biometrics, One-Time-Password (OTP) tokens, proximity cards, USB tokens, smart cards – there’s only one that stands apart as the strong authentication method must-have this holiday season: proximity cards.
After speaking with a slew of OneSign customers in recent months to hear how their single sign-on (SSO) experiences are going and to get a grasp on what their future security plans entail, the common denominator amongst these initiatives is the use of proximity cards. Proximity cards are a practical and affordable way for organizations to gain greater control of their physical access systems and meet regulatory compliance demands. They also serve as an effective way to achieve a comprehensive view of who is accessing what, when, and from where.
Across industries including financial services, government and healthcare, proximity cards are the strong authentication modality of choice for chief executives as they look to further leverage their existing network systems, achieve holistic security postures and meet budgetary concerns. They also make for great stocking stuffers for the security guru who is looking to protect their family from an insider attack.
What’s on your security wish list this holiday season?
SSO and Password Management Best Practices
December 9, 2009 at 7:27 AM by David Ting
Imprivata’s Geoff Hogan authored an article for Security Technology Executive last month titled, “Passwords in Peril,” that delves into the password management conundrum that organizations face with the growing number of applications that employees use daily. While the article summarizes succinctly the helpdesk costs issue, employee productivity and the data security vulnerabilities that a runaway password management problem causes, it also highlights effective single sign-on (SSO) strategies and tactics to overcome these challenges.
I wanted to take this opportunity to pull out a couple of SSO and Password Management best practices that Geoff covered, while adding a couple more.
When Choosing an SSO Solution:
• Scrutinize your real business issues before engaging. Technology can only truly help if it is guided to solve the right problems; an undirected experiment without clear goals won’t lead to long-term benefit for vendor or buyer and will result in wasted cycles.
• Choose a solution that is easy to deploy without modifying your existing infrastructure. If anything goes awry, there is no “Easy Button” to undo expensive custom code or change policies without severe headaches or business interruption. Be sure the undo is as easy as the deployment.
• Make sure an SSO solution fully supports the management of multiple strong authentication methods. This provides the flexibility to segment employees and empower them with the specific user authentication they’ll quickly adopt while ensuring the appropriate levels of security.
When Deploying an SSO Solution:
• Don’t recreate the workflow wheel. Making employees change their daily behavior and jump through security hoops is a surefire way to stifle adoption, and you’ll find users trying to circumvent the system. Make SSO easy for employees to embrace by minimizing change.
• Regularly conduct educational sessions. While SSO should be inherently easy to use, educational sessions for employees around company polices and the technologies that support them are key to getting buy-in and making secure authentication the new status quo.
• Find the internal influencers. Every organization has people that set the tone, regardless of level. Get them on-board with how easy SSO is and how it improves productivity, and the rest will follow their lead. Understanding the social influences within a business can help affect positive change.
These are just a few tips. What other best practices do you follow?
--David
Five Security Considerations when Deploying EMR
November 17, 2009 at 8:22 AM by David Ting
EMRs are the hot topic du jour, and rightfully so, with the tax incentives and federal grants tied to them, as well as the overall efficiencies they bring to the healthcare industry. The conversation is only now turning to the role of secure access in deploying EMRs, and I project this will increase in importance and awareness in 2010.
· The User’s Perspective is Vital
o Just because this patient information is moving to an electronic format doesn’t mean the complexity and number of passwords needed to access data decreases. It is important to consider how this migration will impact clinician workflow, as any hiccup or disruption in the healthcare setting can be detrimental to patient data security. Single sign-on technologies, for instance, not only decrease the number of passwords to remember, but they also have a direct impact on user workflow and productivity improvements.
· Strong Authentication Remains a Secure Priority
o Combining EMRs with employee workflow improvements can be further augmented by utilizing strong authentication, fingerprint biometrics and other modes of two-factor authentication, such as proximity badges, to ensure secure access is limited to those who are truly authorized. Readers of this blog already know the importance of strong authentication—its role and value to the healthcare sector will be vital to data security as EMRs become more widespread.
· Auditing of Access is a Patient Right
o Patients have the right to know who has accessed his/her information and when, and by law, healthcare organizations are required to track this information. Organizations need to be sure they have a system in place that can quickly and easily report on healthcare access management details including: password sharing, what applications users are authorized to access, and what credentials they are using.
· Compliance is Still King
o Let’s not forget that, although hospitals are being incentivized to use EMR, this transition cannot be made at the expense of compliance. Government mandates such as the Health Insurance Portability and Accountability Act (HIPAA) were put in place to protect patient information. Electronic medical records are more efficient than paper-based systems, but that shift brings with it a new environment that must be proven secure; otherwise there is a risk of fines, penalties and/or reputational damage.
· Federation of Identities Equates to a New Level of Required Trust
o Federated identity establishes a mutual trust between organizations and systems, enabling the portability of identity information between systems and thus allowing secure access. This plays a central role in the expected efficiencies of EMRs because of the various requirements for patient data privacy, secure access and compliance. This emphasizes the need for secure authentication within one’s own system in order to ensure that trust with other systems can be guaranteed and benefits can be realized.
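The auditing point above is the one that most directly turns into code. The following is an added example, not from the original post and not Imprivata's product code: it parses a constructed audit log (the line format, user names, workstation names and patient identifiers are all assumptions), flags an account that holds overlapping sessions on two workstations, which is the usual footprint of a shared password or an abandoned session reused by someone else, and produces the per-patient access list a patient is entitled to request.

```python
"""Audit-log review for healthcare access management.

Added example (not from the original post or any Imprivata product).
The log format, user/workstation/patient identifiers and timestamps
below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed sample audit log: one line per event, with space-separated
# key=value attributes after the timestamp and event type.
SAMPLE_LOG = """\
2009-11-17T07:58:03 LOGIN  user=rn.alvarez ws=ICU-01 method=fingerprint
2009-11-17T08:02:41 VIEW   user=rn.alvarez ws=ICU-01 patient=P10031
2009-11-17T08:03:10 LOGIN  user=rn.alvarez ws=ICU-04 method=password
2009-11-17T08:04:02 VIEW   user=rn.alvarez ws=ICU-04 patient=P10077
2009-11-17T08:09:55 LOGOUT user=rn.alvarez ws=ICU-01
2009-11-17T08:15:00 LOGIN  user=dr.okafor ws=ICU-02 method=proxcard
2009-11-17T08:16:30 VIEW   user=dr.okafor ws=ICU-02 patient=P10031
2009-11-17T08:20:00 LOGOUT user=dr.okafor ws=ICU-02
2009-11-17T08:30:00 LOGOUT user=rn.alvarez ws=ICU-04
"""


@dataclass
class Event:
    ts: datetime
    kind: str          # LOGIN, LOGOUT or VIEW
    user: str
    ws: str            # workstation the event came from
    attrs: dict[str, str]


def parse_log(text: str) -> list[Event]:
    """Parse the constructed log format into Event objects, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        attrs = dict(p.split("=", 1) for p in parts[2:])
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1],
                            attrs.pop("user"), attrs.pop("ws"), attrs))
    return sorted(events, key=lambda e: e.ts)


def overlapping_sessions(events: list[Event], min_overlap_s: int = 60):
    """Find one account logged in on two workstations at the same time.

    A clinician cannot sit at two keyboards at once, so an overlap longer
    than min_overlap_s is the classic footprint of a shared password (or of
    a session left open and reused by someone else). Returns tuples
    (user, ws_a, ws_b, overlap_start, overlap_end).
    """
    if not events:
        return []
    open_sessions: dict[tuple[str, str], datetime] = {}
    closed: list[tuple[str, str, datetime, datetime]] = []
    for e in events:
        key = (e.user, e.ws)
        if e.kind == "LOGIN":
            open_sessions[key] = e.ts
        elif e.kind == "LOGOUT" and key in open_sessions:
            closed.append((e.user, e.ws, open_sessions.pop(key), e.ts))
    # A session with no LOGOUT is still open at the end of the log.
    log_end = events[-1].ts
    closed += [(u, w, start, log_end) for (u, w), start in open_sessions.items()]

    by_user: dict[str, list] = {}
    for s in closed:
        by_user.setdefault(s[0], []).append(s)

    findings = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s[2])
        for i, a in enumerate(sessions):
            for b in sessions[i + 1:]:
                if a[1] == b[1]:
                    continue  # same workstation: a re-login, not sharing
                start, end = max(a[2], b[2]), min(a[3], b[3])
                if (end - start).total_seconds() >= min_overlap_s:
                    findings.append((user, a[1], b[1], start, end))
    return findings


def patient_access_report(events: list[Event], patient_id: str):
    """Who viewed a patient's record, when and from where: the disclosure a
    patient is entitled to request."""
    return [(e.ts, e.user, e.ws) for e in events
            if e.kind == "VIEW" and e.attrs.get("patient") == patient_id]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ws_a, ws_b, start, end in overlapping_sessions(evs):
        print(f"possible shared credential: {user} on {ws_a} and {ws_b} "
              f"from {start:%H:%M:%S} to {end:%H:%M:%S}")
    for ts, user, ws in patient_access_report(evs, "P10031"):
        print(f"P10031 viewed by {user} at {ts:%H:%M:%S} from {ws}")
```

In the constructed log, rn.alvarez authenticates by fingerprint on ICU-01 and, while that session is still open, by password on ICU-04, so the report flags the roughly seven-minute overlap; the method field is what lets a reviewer see that the second login used the weaker factor.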
HIMSS Virtual Conference Box Butte General Hospital -- VDI, Productivity and the User Experience
November 5, 2009 at 11:55 AM by David Ting
The HIMSS Virtual Conference occurred this week, covering a myriad of topics ranging from Electronic Health Records (EHRs) and the impact of the HITECH Act to workflow optimization and privacy and security in the cloud for healthcare systems. The Box Butte General Hospital session set out to:
- Describe attainable savings to a hospital after implementation of virtualized desktop infrastructure (VDI) and single sign-on (SSO)
- Recognize how the use of technologies such as SSO, strong authentication and virtualization increase productivity, improve security and improve user convenience
- Explain how replacing PCs with virtualized desktops, in conjunction with an SSO and strong authentication deployment, can garner a healthcare organization significant annual savings associated with password management and electricity bills
Congrats to Tony Hindman and Mandy Whaley of Box Butte General Hospital on an insightful session. Thanks for sharing your experiences and innovative approach with healthcare access management!
Halloween Scary Security Stories – Healthcare Security Risks
October 30, 2009 at 11:28 AM by David Ting
This week, I took part in Network World’s annual real-life scary security stories podcast, a panel hosted by Keith Shaw that looks at some of the most frightful security incidents over the past year. This year, I focused on some of the data security incidents that are becoming all too common in the healthcare industry.
It seems like we read about a new healthcare-related data breach every other week – whether it’s celebrity records being exposed, or a case like the Virginia Department of Health exposing more than 8 million patient records. For security officers and CIOs in healthcare, a bigger scare is found in the new fines imposed by states like California, where organizations are fined up to $250,000 for each data breach incident.
These incidents, and the harsh penalties being enacted, have forced the healthcare industry to take a closer look at their security practices. Most organizations understand the need for strong authentication – using technologies such as biometric fingerprints to ensure that only the properly credentialed can access sensitive data. While this prevents the wrong people from accessing your systems, it doesn’t address the growing concern of unintentional data breaches caused through inadvertent access.
Inadvertent access occurs when someone is authenticated into a system, but accidentally leaves the access open on the workstation they’re using. Here’s one story I shared with Keith:
· A customer I spoke with had a small clinical practice with 3 examination rooms – each containing a computer. As the nurse walks in, she securely authenticates into the workstation to log patient data. When she’s finished, she locks the stations and goes to get the doctor. As the doctor comes in to see the patient, he re-authenticates into the system and adds in his patient notes and diagnosis, then leaves to check on another patient – leaving the system unlocked. The patient now has access to his medical records and can see all the notes the doctor wrote – while having the ability to access other records in the system.
In the instance above, the healthcare organization was sued by the patient, who actually looked at his own record and didn’t like the information the doctor wrote about him.
Scary stuff – despite properly authenticating users, unintentionally leaving the system open created a security hole that circumvented these controls. I’ve blogged about the importance of walk-away security in the past, which can close the other side of the security gate and prevent unintentional access from occurring.
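Walk-away security, and the related habit of fast access termination across systems from the seven-habits post above, as code. This is an added example, not from the post and not Imprivata's product code: it models the exam-room story with a workstation session that has an idle timeout and a lock that also terminates the application sessions opened through it. The user names, the timeout values, the application name and the injected clock are assumptions so the scenario runs offline.

```python
"""Walk-away security: a workstation session that closes itself.

Added example (not from the original post or any Imprivata product).
User names, timeouts, the application name and the injected clock are
assumptions so that the exam-room scenario can be replayed offline.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable


class FakeClock:
    """Seconds counter advanced by hand instead of time.sleep()."""
    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class WorkstationSession:
    idle_timeout_s: float
    clock: Callable[[], float]
    user: str | None = None
    locked: bool = True
    last_activity: float = 0.0
    app_sessions: set[str] = field(default_factory=set)  # SSO-brokered app logins
    audit: list[tuple] = field(default_factory=list)

    def authenticate(self, user: str, factor_ok: bool) -> bool:
        """Open the session only if the strong-auth factor (badge, fingerprint) verified."""
        now = self.clock()
        if not factor_ok:
            self.audit.append(("auth_fail", user, now))
            return False
        self.user, self.locked, self.last_activity = user, False, now
        self.audit.append(("login", user, now))
        return True

    def lock(self, reason: str = "manual") -> None:
        """Lock the screen and terminate every application session opened through it,
        so a later user cannot resume the previous clinician's access."""
        if not self.locked:
            self.audit.append(("lock", self.user, self.clock(), reason, sorted(self.app_sessions)))
        self.app_sessions.clear()
        self.locked = True

    def _enforce_idle_policy(self) -> None:
        # A real agent runs this on a timer or presence sensor; checking it on
        # every access attempt yields the same grant/deny decision.
        if not self.locked and self.clock() - self.last_activity >= self.idle_timeout_s:
            self.lock(reason="idle_timeout")

    def access(self, app: str, record: str) -> bool:
        """Gate each record access on a live, recently used, authenticated session."""
        self._enforce_idle_policy()
        now = self.clock()
        if self.locked:
            # self.user still names whose unattended session someone tried to reuse
            self.audit.append(("denied", self.user, now, app, record))
            return False
        self.app_sessions.add(app)
        self.last_activity = now
        self.audit.append(("access", self.user, now, app, record))
        return True


def exam_room_scenario(idle_timeout_s: float) -> tuple[bool, list[tuple]]:
    """Replay the exam-room story. Returns (patient_saw_record, audit_trail)."""
    clock = FakeClock()
    ws = WorkstationSession(idle_timeout_s=idle_timeout_s, clock=clock)
    ws.authenticate("rn.alvarez", factor_ok=True)   # nurse badges in
    ws.access("EMR", "chart:P10031")
    ws.lock()                                        # nurse locks, goes to get the doctor
    clock.advance(120)
    ws.authenticate("dr.okafor", factor_ok=True)     # doctor badges in
    ws.access("EMR", "chart:P10031")                 # writes notes and diagnosis
    clock.advance(180)                               # leaves without locking
    patient_saw_record = ws.access("EMR", "chart:P10031")  # patient at the keyboard
    return patient_saw_record, ws.audit


if __name__ == "__main__":
    for timeout in (float("inf"), 120):
        seen, _ = exam_room_scenario(timeout)
        print(f"idle timeout {timeout:>5}s: patient could read the chart -> {seen}")
```

Without an idle policy the patient's read succeeds under the doctor's identity, exactly as in the story; with a two-minute timeout the first attempt after the doctor walks away locks the session, tears down the EMR application session and is logged as a denied access against the doctor's account, which is the record an investigator wants to see.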
Have a scary security story to share? Email me and let me know.
Identifying Identity Resources, Part II
October 22, 2009 at 9:36 AM by David Ting
Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out. Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful.
· The Health Care Blog: this blog covers everything from electronic health records (EHRs) and HIPAA Compliance to HITECH and Health 2.0, often with amusing headlines and relevant details to get the most pressing issues across succinctly.
· ITBusinessEdge’s Authentication Systems channel: This covers opinion pieces and news, ranging from fingerprint biometrics and other forms of strong authentication to password policy and security risk.
· FierceEMR: “Mapping the future of Healthcare Information,” this site combines news with opinion on topics ranging from electronic medical records (EMRs), health information exchanges, healthcare access management, interoperability and deployment updates.
· Healthcare & Technology blog: this blog covers the high-level healthcare IT issues and trends while also pulling in various graphics, charts and video to help tell the story.
· Planet Identity blog: This blog aggregates blogs related to identity management topics, leaning towards the technical while pulling through data, survey findings and trends from some of the most highly-subscribed blog feeds.
Observations from the 2009 Cerner Health Conference
October 8, 2009 at 9:56 AM by Jon Hamdorf
I just left the annual Cerner Health Conference in Kansas City, where clinical and technical users of Cerner software gather to share ideas, best practices and technology solutions that are molding the future of healthcare.
As is the case year after year, I am truly amazed at Cerner’s representation of the worldwide market. There were representatives from healthcare facilities from around the globe - Australia, Dubai, South America, Canada - all here to discuss their Cerner healthcare IT systems and share their experiences with new and innovative healthcare solutions.
As expected, discussions surrounding the migration to electronic medical records and the HITECH Act swirled around both the sessions and the hallways consistently, but one of the surprising topics that dominated the conversations I had was access management. Access management is a significant pain point for hospitals and after speaking with dozens of organizations at the event, it is clear that healthcare IT executives are eager for fast, convenient and secure access to critical data. It’s notable that with compliance challenges and numerous, high-profile patient privacy violations making front page news, healthcare organizations are still looking for ways to properly protect patient information while providing seamless access to heterogeneous technology environments.
I did have the opportunity to meet with end users at organizations that have committed to providing their clinicians with fast and secure application access to data. These organizations (including Advocate Health Care, BJC Healthcare, Baycare and Albert Einstein Medical) all stressed that the faster the provider can access patient information, the more positive the health outcome is for the patient. Each respective organization described similar challenges within their unique environments which single sign-on and strong authentication solutions are addressing to provide secure access to critical applications, while improving user productivity.
The healthcare industry is certainly experiencing some exciting changes and opportunities, which will continue as we look to turn the page to 2010. I’d be interested in hearing about the solutions and initiatives your organization is looking to deploy to help secure application access.
From HIPAA Compliance to HITECH – Reforming Healthcare Security
September 22, 2009 at 3:10 PM by David Ting
Khalid Kark of Forrester Research recently issued a useful whitepaper that outlines the security reforms needed to improve patient data security in the healthcare industry. A complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” can be downloaded from the Imprivata website.
The whitepaper highlights four key reasons why healthcare organizations are falling behind on security. Khalid provides a comprehensive set of recommendations to help healthcare organizations address these challenges – these are near and dear to what we do here every day. I thought I would share some of the insights gathered from work with our many healthcare customers.
I’ll tackle two of these issues in today’s post, and address the remaining ones in a subsequent posting.
1. Basic security technologies and processes are missing:
Kark correctly states that many CISOs struggle to get management’s attention on security issues and are limited in the resources they have to address the critical security risks they face. Bill McQuaid, CIO for Parkview Adventist Medical Center, recently spoke about how they were able to achieve Stage 6 HIMSS Analytics status, despite their relatively small size. Deploying strong authentication technologies, like fingerprint biometrics, considerably increases clinician productivity, while ensuring that only properly credentialed users have access to sensitive information. This combination of security along with greater user productivity is sure to gain the attention of any manager.
2. Security spending lags behind other leading industries
As Khalid notes in his whitepaper, higher spending doesn’t necessarily equate to stronger security. What matters is using the dollars and resources you do have wisely. The days of enterprise-wide projects that take years to complete are over. By identifying the immediate areas of risk and implementing projects that yield immediate results, you can protect your organization, while demonstrating a quick ROI – this can come in handy when fighting for more dollars to spend on additional projects.
What are the main obstacles you’re facing in securing your organization? Share your story.
David
Live from the McKesson Insight 2009 Annual Conference
September 11, 2009 at 9:44 AM by Chris Feeney
I am currently at the Insight 2009 Annual Conference in Orlando, where 1,200-1,400 attendees are converging to learn and build relationships centered on their McKesson healthcare IT systems. Users are hearing details of new product enhancements and integrations, learning best practices and engaging in valuable peer discussions they can take back to their organizations.
Overall, there seem to be two overarching themes that are driving discussions, both in sessions and in the hallways:
1. Economic Stimulus Education: people are learning about the HITECH act, and learning about the stimulus’ impact on healthcare IT, electronic medical records and data security in general
2. Healthcare Reform: on the heels of President Obama’s address to Congress Wednesday night, attendees are eager to get the latest on the healthcare reform debate in which the entire nation is enveloped
It is clear that we’re at a time when unprecedented change is coming to the healthcare industry. With this in mind, McKesson Chairman and CEO John Hammergren’s keynote focused on three things regarding healthcare IT reform:
1. Access to healthcare
2. Quality of healthcare
3. Cost of healthcare
Also worth noting, Hammergren highlighted the coming consumer revolution in healthcare, and tied it back to the healthcare IT systems that will empower patient care. Specifically, Consumer Reports is publishing a new rating system for hospitals, so healthcare organizations must compete in an entirely new way by having the right systems in place to ensure they are amongst the best across the three-legged stool of healthcare excellence: access, quality and cost.
Talking with a number of attendees at the conference, secure authentication continued to be a strong focus, with proximity cards and fingerprint biometrics driving the demos and discussions with vendors and peers. Workflow continues to be amongst the biggest drivers of strong authentication and healthcare single sign-on discussions, as healthcare organizations look to streamline operations, strengthen security and improve usability for clinicians, physicians and staff.
Hospitals are gearing up to make significant changes in healthcare IT, with a singular focus on upgrading systems and improving the healthcare experience for all – it’s clearly on top of everyone’s minds.
Massachusetts Data Protection Law Delayed Again—Is Your Company (Still) At Risk?
September 3, 2009 at 9:44 AM by David Ting
A recent BankInfoSecurity article reported that the Massachusetts Data Protection Law has been delayed yet again, pushing the new effective date back to March 1, 2010. As part of the law, organizations are required to protect confidential data – social security numbers, driver license numbers and financial account/credit/debit card numbers – of Massachusetts citizens. The regulation covers all non-public data, regardless of how the company obtains the information.
However, the state’s Office of Consumer Affairs and Business Regulation (OCABR) modified its data security regulations by facilitating a "risk-based approach" to data security to help small businesses better comply with these regulations. These new amendments take into consideration the size of a business and the amount of personal information it manages, and this is directly linked to the type of security plan that business operates.
As I mentioned in a November 2008 blog post, Massachusetts Data Privacy Regulations – Are You Protected?, the need for strong authentication and solid access management policies is apparent: all companies, regardless of location and size, need control over who is accessing what information, how and from where, and, equally important, need to maintain detailed audit records. These regulations were put in place to ensure companies are doing just that – taking the proper steps to provide a comprehensive security posture that prevents unauthorized access to confidential customer information. This is especially important in preventing a data security breach as the insider threat continues to escalate.
Nevertheless, this marks the third time in the past 8 months the law has been extended, perhaps underscoring the point that Massachusetts-based companies may not be prepared or equipped with the security solutions necessary to properly protect their critical customer data, begging the question: is your organization still at risk of a data breach or unauthorized access?
As I said in 2008, the deadline will be here before you know it, and the last thing you want is to find your company at risk of being non-compliant. Pushing off compliance-driven activities because the deadline is extended only increases the potential for a breach. If the penalties are not enough to warrant taking action, think about the potential damage to your company’s reputation if such a breach were to occur.
Is your organization compliant with the Massachusetts Data Privacy Regulations? If so, what security policies have you implemented to ensure the integrity of your organization?
HITECH Grants – Earmark Dollars for Data Security Too
August 27, 2009 at 7:09 PM by David Ting
In February 2009, the Obama administration announced that $2.0 billion in grant money will be made available to help hospitals and other health care providers transition to electronic health records (EHR). This past Monday, the White House took a big step and launched the first of two grant programs under the HITECH act which lays the groundwork for EHR.
The grant will be used to create what the HITECH Act calls the Health Information Technology Regional Extension Centers. These regional centers will play a major role in implementing a nationwide system of health information networks.
According to the Health and Human Services website, these centers will help hospitals select EMR technology, provide assistance on the implementation front, and ensure that the hospitals are complying with all regulatory and legal requirements to protect the patient’s health information.
While it’s encouraging that the regional centers will have a strong focus on enterprise security, it’s critically important that HITECH doesn’t become a HIPAA-like paper tiger of passive regulations with little accountability. As I’ve blogged previously, the universal adoption of EHR significantly increases the vulnerabilities for a security breach of patient information. Security assurance remains a primary hurdle to the widespread adoption of EHR, but technologies like strong authentication, including fingerprint biometrics and proximity cards, are now widely available and can fulfill the promise of EHRs by significantly minimizing the security risks.
Khalid Kark of Forrester Research just issued a compelling whitepaper on how HITECH can strengthen information security across healthcare – accomplishing what HIPAA ultimately may have failed to do. If you’re moving forward on EMRs and have questions about security, you can download a complimentary copy of the Forrester whitepaper, “Healthcare Security: Ready or not, Here it Comes,” from the Imprivata website.
I’d be interested in hearing how HITECH may impact your hospital’s move towards EHRs, and what role you think these centers can play in facilitating your timely implementation.
2009 Desktop Virtualization Survey – Understanding the New Security Risks
August 18, 2009 at 4:00 PM by David Ting
Last December, I blogged about the growing interest in implementing desktop virtualization (VDI) and the enterprise security challenges companies would face in this new environment. As with any new technology the best way to learn what is really happening is to listen to the field. With that in mind we polled executives across industries to understand the rate of VDI adoption and recently released the results as part of the “2009 Desktop Virtualization Survey.”
While organizations are increasingly embracing VDI/hosted virtual desktop as a way to reduce IT costs associated with desktop maintenance, there are still security concerns and fundamental challenges facing these companies as they change to this new desktop delivery vehicle. Most of these concerns center around managing user identities, roles and enforcing access policies.
In a VDI environment, user identities become relevant in multiple points within the virtual desktop, making the coordination and enforcement of access policies a more difficult task. Having a centralized way to manage user identities, roles and access policies is critical. This is true however you choose to deliver desktops to your users.
To help deal with these security challenges, the survey found organizations are increasingly turning to strong authentication solutions such as fingerprint biometrics and proximity cards to associate a user identity to the desktop, so an authentication and policy can be applied to control the type of desktop the user can access. This type of strong authentication ensures the desktop is being used by a properly credentialed user and provides the critical step in managing role-based access at the desktop level.
As the unique security challenges of VDI become better known, I expect we’ll see a greater emphasis on multiple forms of strong authentication to coordinate user IDs and access policies, which will enable organizations to overcome the final barrier to realizing the true potential of VDI solutions.
I’ll be discussing this and more in an upcoming webinar with Forrester’s Natalie Lambert.
Have you implemented VDI in your organization? Are you on that track? Let me know what challenges you’re facing.
Thoughts from the Siemens Innovations Conference
August 12, 2009 at 10:01 AM by Chip LeBlanc
I just got back from the annual Siemens Innovations Conference in Philadelphia. Even though the conference took place in early August, when many people are vacationing, there were over 1000 attendees from 200 hospitals who beat the heat by attending Innovations - attendance exceeded the expectations of the conference organizers. Innovations is not a Siemens Medical Solutions hosted event, rather it is a Siemens Med customer-driven conference with various tracks offered for the conference attendees to hear real stories from their peers regarding implementing Siemens Med solutions.
Imprivata had a booth at the event. I had an opportunity to talk with existing and prospective OneSign customers. Clearly, single sign-on and authentication are top of mind for many of the Siemens customers we spoke with. One thing is clear - CMIOs and IT folks are looking for ways to make application access seamless and secure for the clinicians while NOT changing workflows. Imprivata OneSign is what Siemens Med is recommending as the solution of choice. In fact, there were two customer presentations where OneSign was discussed.
As we all know, conferences can be long and tiring but I truly enjoyed this conference and highly recommend it for the future.
The Enterprise Systems Design Challenge: Security vs. Usability
August 6, 2009 at 5:13 PM by David Ting
Security expert Bruce Schneier pulls out an interesting excerpt from an essay, “When Security Gets in the Way”, that is sparking great discussion on his Schneier on Security blog. The essay, from Don Norman’s jnd site, debates security vs. usability, and addresses design considerations for enterprise security systems. This article captures important concerns often discussed in security circles on how to make security stronger without disrupting user behavior. It’s a delicate balance – we often say the most secure computer is the one in a locked room not powered up, but that would hardly be usable. At Imprivata we have always believed that usability and security don’t need to be mutually exclusive.
As a case in point, the essay highlights password management as an example of the tension between the employee’s desire for ease-of-use and security’s desire for complexity. The unintended result, of course, is the secondary cost of increased helpdesk calls and the escalating problem of users having to know and enter dozens if not hundreds of passwords each day.
The essay concludes with some prescriptive design measures to consider when designing security systems. One of the ones I particularly like is the following:
Both security and privacy are difficult problems. We need systems that are easy to use for their intended purposes or by the intended people, but difficult for non-authorized people or uses. For these purposes we need components not normally considered in simple product design: means of authenticating identities or authority, needs and permissions. Some of this will require physical tokens, biometric identifiers, and privately known information. Some of this requires rules and policies, sometimes editable by the user of the system, sometimes only editable by authorized administrators, sometimes buried in the code and unchangeable without significant development costs.
It’s a challenge businesses face each day, and one that emphasizes the role that strong authentication and enterprise single sign-on can serve to unify security and usability.
The essay is a fascinating read and captures a lot of the behind-the-scenes discussions and thinking we at Imprivata go through as we build products that pull through the best of security and usability. Check it out.
Also if you’re really interested in this topic, there is great in-depth discussion going on in the comments section of Schneier’s security vs. usability blog entry.
David
Reaching Stage 6 Status with Imprivata
August 4, 2009 at 9:35 AM by Bill McQuaid
Thanks David.
We’re very proud of our accomplishment of being one of only a handful of hospitals that have been awarded HIMSS Analytics Stage 6 status, especially when you consider our relatively small size compared to the many other bigger hospitals with larger IT departments trying to accomplish the same thing. Moving to an EMR format and a paperless environment requires a significant commitment from the executive team and from our clinicians.
As we began our move to EMR, we had two major concerns. 1 – Can we maintain patient data security and HIPAA compliance in an electronic format? 2 – Will the clinicians buy into what we’re doing and use the technologies we provide? These are two critical components in achieving Stage 6 status.
Training for Success
To address the concerns simultaneously, we knew that we had to come up with a solution that would get immediate buy-in from our clinicians. If you don’t have people internally using the systems and championing them for you with their colleagues and peers, it makes the road to full scale EMR a very difficult one.
This has been one of the secrets to our success – we haven’t forced any of our doctors to use the systems we implement. Instead, we work with the people who want to be worked with, and then let the rest come to us once they see how easy and successful it is.
A great example of this is when we started asking doctors to do computerized physician order entry (CPOE), which requires all doctors to do their own ordering using a computer. There was some hesitancy on the part of the doctors when we asked them to do their own ordering. The chief concern was accessing the necessary systems – doctors kept telling us “there’s no way we can log in – we won’t be able to remember all the passwords.”
To address these concerns, we used Imprivata OneSign to create a zero sign-on environment through the use of biometric authentication. We went live and gave access to a few people – when other clinicians saw how well it worked, they all wanted to use it. But here’s the key – we made them sign up for training and went through the whole process with them individually. By providing a quick and easy tutorial on the technology, we were able to mitigate any concerns of using the technology. The result is that the doctors loved it, and we use this technology in all of the physician practices now.
Not only did we get a groundswell movement on the part of clinicians to use the technology, but we also solved our core data security issues. Biometric authentication considerably increases productivity, but also ensures that only the properly credentialed users are accessing sensitive information. This level of strong authentication meant that clinical staff now had the ability to walk up to any workstation and securely log into the network, providing the real-time, secure access needed to provide superior care to our patients.
In fact, it’s worked so well, we’re rolling it out to secure remote access as well. We’ve set up virtual desktops for some doctors, so when they log in remotely, they log in once and get the security of single sign-on. So now, no matter where they are, they get their own desktop – they can print orders and do what they need to do from anywhere in the country.
The road to Stage 6 status can be a tough journey. What we’ve learned along the way is that technology alone isn’t the solution – educating the staff on the value of the technology is the most powerful tool in your arsenal.
If you’re currently working on similar projects, I’d love to hear your thoughts on how the project is progressing and if you have great tips to share for others too.
Using Single Sign-On to Ease EMR Adoption – A Look at Parkview Adventist Medical Center
August 3, 2009 at 2:18 PM by David Ting
Congratulations to Imprivata customer Parkview Adventist Medical Center for recently earning the HIMSS Analytics Stage 6 designation! HIMSS Analytics highlights the Stage 6 award as recognition for hospitals that have made significant investments in healthcare IT as well as implemented paperless medical records. This is a remarkable achievement for Parkview, considering that they’re one of only 42 hospitals out of 5,166 in the US to attain this level.
Parkview is a great example of how our healthcare customers are using single sign-on technology and strong authentication solutions like fingerprint biometric identification to address the productivity and security concerns that come with deploying a full-scale electronic medical records system.
We’ve asked Bill McQuaid, CIO of Parkview, to be a guest blogger to share some tips on how they’re using the Imprivata OneSign platform to increase physician productivity, while ensuring data security for patient records in a completely paperless environment. With the federal government continuing to push healthcare providers to adopt an EMR format, Parkview provides a successful model to emulate and learn from.
California Medical Data Breach Report Highlights Healthcare Access Management Concerns
July 14, 2009 at 3:57 PM by David Ting
Late last year, California enacted a new state law to help notify patients of potential breaches of their personally identifiable health information, requiring healthcare organizations to report suspected incidents of data breaches. The initial results are in, and it’s not pretty. According to the Journal of the American Health Information Management Association, California officials have received more than 800 reports of potential health data breaches in the first five months since the law went into effect on January 1st. Of the 122 cases that have been investigated, 116 have been confirmed as security breaches. Officials expect the numbers to grow as more organizations put in the processes to report potential breaches.
While the majority of the breaches are being called “unintentional” breaches, the intentions behind the unauthorized access of patient information matter little. Seemingly innocuous activities, such as password sharing, present significant data security challenges for healthcare organizations that put them, and their patients’ private information, at risk.
These initial reports demonstrate that access management is still a priority concern for healthcare organizations to prevent unauthorized access to patient records – whether intentional or not. Tying a user’s identity to access via strong authentication, such as proximity cards and biometric fingerprints, can have a profound effect on overall enterprise security and help prevent organizations from becoming another one of the statistics cited in the next report. Are these numbers an accurate reflection of the state of security in the healthcare industry? Do you think that the numbers will decrease as organizations get a handle on the processes to prevent or report breaches? Email me and let me know.
2009 Identity Management Mid-Year Report: A brief look back and ahead
July 9, 2009 at 3:23 PM by David Ting
Back in January, I shared some of my observations on 2009 Priorities for identity management in the new economic reality people are faced with - productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. The potential impact of the Goldman Sachs unauthorized upload of proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading.
Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas that I believe we need to watch in the latter half of 2009.
Biometrics Hit Stride, Will Gain Even More Steam
Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.
EHRs Become Focal Point of Healthy Debates
Electronic Health Records (EHRs) are also making headway, thanks in large part to the Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using strong authentication capabilities that are now widely available is a significant enabler to achieving the benefits EHRs promise, while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.
Greater Emphasis on User Workflows Considered in Product Development
While biometric authentication has certainly played a role in making user lives easier, new developments around walk-away security and faster access to systems are shortening the process to secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while encouraging and enforcing better overall identity and password policy management.
What areas do you see most, now that we are half way through 2009?
What issues do you seek to solve?
How can identity management better serve you? --David
Medical ID Theft and Tying Patients to Electronic Records with Strong Authentication
June 26, 2009 at 7:15 AM by David Ting
The New York Times recently published an interesting article on the rising problem of medical identity theft. When the federal government last researched the issue in 2007, more than 250,000 Americans reported that they were victims of medical identity theft. Since that last report, most experts agree the problem has undoubtedly grown, in part because of the growing use of electronic medical records built without extensive safeguards. To exacerbate the situation, cleaning up after medical ID theft can be hindered by HIPAA compliance – the regulations protect the medical information of the ID thieves as well as you.
Medical ID theft is an issue that can impact anyone. From a financial standpoint, if your identity is stolen and then used to receive emergency care, the insurance payments and collections can follow you around for years – without the victim even knowing it. This can destroy credit ratings or create a situation where insurance benefit limits are exceeded at a time when a legitimate claim is made.
More important than the financial impact is the potential impact on the healthcare or treatment a victim receives. Once a medical ID is stolen and used to receive treatment, the medical records can now contain erroneous medical history information. This can lead to a fatal mistake in an emergency care situation.
I’ve blogged about some of the data security and strong authentication concerns that come with accessing electronic patient records from the clinician point of view. Some healthcare providers I’ve spoken to are looking to strong authentication to solve the medical ID theft problem as well, using technologies like biometric authentication to securely and uniquely tie patients to their records.
This would create a seamless environment where clinicians are authenticated for access to applications and information, while the patients are authenticated to their medical records. This will be a critical component of the success of EMRs as these systems begin sharing information between healthcare providers. Strong authentication will be critical not only from a data security perspective, but could also prevent a situation where a patient receives improper care.
Strong Authentication Best Practices for Success Webinar with Forrester Research
June 18, 2009 at 1:07 PM by David Ting
Join us for an informative session on the “Do’s and Don’ts” of employee access management next Wednesday, June 24. Forrester Research’s Bill Nagel will lead the discussion on what organizations should do to improve security with strong authentication.
In addition, the session will discuss the pros and cons of various strong authentication methods, explain why a single point of authentication to the network is key to employee access and provide examples of a wide range of implementations via real-world case studies.
Register for the event today and join us on the 24th at 11:00am ET to hear from a leading analyst on useful advice for implementing strong authentication in your environment.
Five Things to do in Identity Management this Summer
June 15, 2009 at 8:20 AM by David Ting
Theoretically, as employees go on vacation during the summer months, there will be fewer demands on your IT team. Realistically, we know that’s not true and it seems like there is actually more to do. However, summer can provide the opportunity to step back and evaluate the state of your identity and authentication management infrastructure and policies. Here are five things that are easy to overlook throughout the year that you should consider doing this summer:
1. Check for Ghost and Orphaned Accounts: User provisioning and de-provisioning of accounts can happen in a flurry of activity, especially during times like these with turnover in the workforce being common. In the haste to move through the termination process, accounts are left open or missed – even in those organizations with the tightest policies and procedures. Often a user’s primary network credentials are locked, but what about remote access accounts or critical application accounts? Use this time to eliminate any that may be in question.
2. Map the Apps: Take an inventory of what apps are running in your environment. Are they all approved? Any that are ‘rogue’? Are any being used that are not tied to identities at your organization? Getting a clear view of the application population can help ensure holes are plugged, policies followed and data security is optimal. This gets much harder to do as organizations increasingly subscribe to services that are not managed by IT. Getting a handle on those accounts will become even more important as we rely more on applications delivered by service providers.
3. Cut Costs by Weeding Out Unused Application Licenses: While you’re mapping what apps are in your environment, cross-examine their usage by analyzing the activity logs of your employees’ identities. Are there shared accounts and passwords being used inappropriately? Are there under-utilized applications? Are you paying for more licenses than you need for an application? There’s a treasure trove of cost savings to be found if you take the time to dig into your identity and application logs. If you can squeeze savings out of somewhere unexpected, your CFO will love you.
4. Let Your Fingers do the Walking: If you’re not using finger biometrics or proximity cards, give these user authentication technologies a try. They are relatively inexpensive and can easily integrate into most identity management systems nowadays. Pull in a small focus group to try them out, and see how they can improve employee productivity while strengthening security… and minimizing password management help desk calls to your team.
5. Reconnect with your customer: Review the identity policies and procedures you’ve set forth for your organization -- when were they originally created? Has anything changed? New industry regulations your organization must adhere to? Examine user authentication requirements, strong authentication modalities that are available to your employees and password management parameters to follow. Update, distribute and schedule a series of brief sessions to educate your user base on security best practices to follow. Remember your customer base is everyone that interacts with or uses the IT system.
What else are you doing during these summer months? Any best practices to share? We’d love to hear them.
--David
Access Management Questions to Ponder
June 4, 2009 at 6:07 PM by David Ting
I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned, but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever-growing litany of tales of breaches that we’ve been hearing about.
If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:
Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves an organization, too often his access to sensitive applications and information is left open. Organizations run into trouble when accounts can’t be quickly deactivated, or if they lack a direct correlation between employee names and the accounts they were credentialed to access.
By using technologies like single sign-on, organizations can view access records, employee access rights, and accounts that need to be removed. Deactivating orphaned account access is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to specific systems? If the employee leaves, can we quickly deactivate access? Do you have the means to gain visibility into what application accounts your users access? If you don’t, then it is time to think about how to regain some control.
Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other – this doesn’t have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, but at the least level of access.
Questions to ask: Do we understand what privilege levels each individual user has been given? Do they have the lowest level of access privilege required to do their job? What mechanisms do you have to elevate their privilege level, even temporarily, and can you control it?
Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication policy. Assigning access by organizational role provides greater insight into what applications users are touching and if access rights are in accordance with the privilege rights provided. Organizations usually have little to no role definition, or go to the other extreme by creating too many roles, which can be unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again, the question goes back to having enough information on what applications your users are actually touching. Single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.
Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations are faced with a situation that requires backup or recovery, only to find out that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure they have no dependencies on administrative accounts or employees that may have left the organization. It’s like testing a fire system – you have to make sure it works. In this instance, backup systems will only work if you still have control over them.
Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords that may reside with employees?
If you ask yourself these questions, and answer “no” to any of them, then you may be at risk. What questions keep you up at night? Email me and let me know.
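The account checks called for in items 1 to 3 of the summer list above and in the orphaned-account and privilege questions of this post, run over constructed sample data, as an added example that is not code from this blog or from Imprivata OneSign. The HR roster, per-application account inventory, log format and account names are all assumptions.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed HR roster (not real data): employee id -> (name, status).
HR_ROSTER = {
    "e100": ("Alice Example", "active"),
    "e101": ("Bob Example", "terminated"),
    "e102": ("Carol Example", "active"),
}

# Constructed per-application account inventory: app -> {account: employee id or None}.
# Remote access (vpn) and application (ehr, billing) accounts are inventoried too,
# not only the primary network account, which is the point of item 1 above.
APP_ACCOUNTS = {
    "vpn": {"alice": "e100", "bob": "e101"},
    "ehr": {"alice": "e100", "bob": "e101", "carol": "e102", "svc_legacy": None},
    "billing": {"alice": "e100", "carol": "e102"},
}

# Constructed activity log in a hypothetical format: "<ISO timestamp> <app> <account> <host> <event>".
ACTIVITY_LOG = """\
2009-06-01T08:00:00 vpn alice laptop-1 login
2009-06-01T08:01:00 ehr alice ws-12 login
2009-06-01T08:40:00 ehr alice ws-12 logout
2009-06-01T09:00:00 ehr bob ws-07 login
2009-06-01T09:05:00 ehr bob ws-31 login
2009-06-01T09:30:00 ehr bob ws-07 logout
2009-06-01T09:35:00 ehr bob ws-31 logout
2009-06-01T10:00:00 ehr carol ws-20 login
2009-06-01T10:30:00 ehr carol ws-20 logout
2009-06-01T11:00:00 vpn alice laptop-1 logout
2009-03-01T10:00:00 billing alice ws-12 login
2009-03-01T10:20:00 billing alice ws-12 logout
"""
AS_OF = datetime(2009, 6, 2)  # when the audit runs, relative to the sample data


def parse_log(text):
    """Parse the constructed log format into event dicts, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, app, account, host, event = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "app": app,
                       "account": account, "host": host, "event": event})
    return sorted(events, key=lambda e: e["ts"])

def find_orphaned_accounts(roster, app_accounts):
    """Item 1: accounts whose owner is no longer active, or that map to no employee at all."""
    findings = []
    for app, accounts in app_accounts.items():
        for account, emp_id in accounts.items():
            if emp_id is None or emp_id not in roster:
                findings.append((app, account, "no owner on roster"))
            elif roster[emp_id][1] != "active":
                findings.append((app, account, "owner " + roster[emp_id][1]))
    return sorted(findings)

def find_unused_accounts(app_accounts, events, as_of, days=30):
    """Item 3: accounts with no login in the trailing window, candidates for licence reclamation."""
    cutoff = as_of - timedelta(days=days)
    recently_used = {(e["app"], e["account"]) for e in events
                     if e["event"] == "login" and e["ts"] >= cutoff}
    return sorted((app, account) for app, accounts in app_accounts.items()
                  for account in accounts if (app, account) not in recently_used)

def build_sessions(events, as_of):
    """Pair each login with its logout per (app, account, host); an unmatched login is still open at as_of."""
    open_sessions, sessions = {}, []
    for e in events:
        key = (e["app"], e["account"], e["host"])
        if e["event"] == "login":
            open_sessions.setdefault(key, e["ts"])  # a repeated login keeps the earliest start
        elif e["event"] == "logout" and key in open_sessions:
            sessions.append((key, open_sessions.pop(key), e["ts"]))
    sessions.extend((key, start, as_of) for key, start in open_sessions.items())
    return sessions

def find_shared_accounts(events, as_of):
    """Item 3: one account with overlapping sessions from two hosts, a password-sharing signal."""
    by_account = {}
    for (app, account, host), start, end in build_sessions(events, as_of):
        by_account.setdefault((app, account), []).append((host, start, end))
    findings = set()
    for (app, account), sessions in by_account.items():
        for (h1, s1, e1), (h2, s2, e2) in combinations(sessions, 2):
            if h1 != h2 and s1 < e2 and s2 < e1:  # the two intervals overlap
                findings.add((app, account) + tuple(sorted((h1, h2))))
    return sorted(findings)

def audit(roster=HR_ROSTER, app_accounts=APP_ACCOUNTS, log=ACTIVITY_LOG, as_of=AS_OF):
    """Run all three checks over one data set and return the findings by category."""
    events = parse_log(log)
    return {"orphaned": find_orphaned_accounts(roster, app_accounts),
            "unused": find_unused_accounts(app_accounts, events, as_of),
            "shared": find_shared_accounts(events, as_of)}
```

On the sample data the terminated employee's accounts show up in every application, not just the directory, and the same account is also in use from two workstations at once, which is how the "unintentional" password-sharing breaches discussed elsewhere on this page surface in the logs.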
What NIST Missed: The value of password management + SSO + strong authentication
May 20, 2009 at 8:25 AM by David Ting
The National Institute of Standards and Technology (NIST) recently put out a draft “Guide to Enterprise Password Management” for public comment, feedback and improvement. While it gives a lesson in password management history, it doesn’t quite break new ground on prescriptive opinion.
Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwords article on Network World, and a couple of nuggets of wisdom jumped out at me:
- To their credit, the authors immediately add “…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs.” If I were editing, I’d remove that last phrase (“for resources with higher security needs”).
- Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into “the cloud” it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.
The only way to improve usability and security of password management today is to combine it with single sign-on and multi-factor authentication, as Dave stated in his piece. Dave’s article made me think a bit more about the NIST paper and the intersection of SSO and strong authentication, and here are some of my observations:
- Workflow Trumps Security: No matter how much security folks put ‘best practices’ in place for security (and managing passwords, specifically), they must mesh with the needs of the business. Users won’t embrace policies and best practices unless they are easy to adopt and don’t interrupt their daily workflow.
- Where’s the Business Value: We frequently hear of high-valued users who feel their job is to get the job done (trading, saving lives) rather than dealing with the mechanics of entering passwords. Mandating a longer and more complex password is great from a theoretical point of view if you log into an application once per day, but not so much if you have to repetitively access the same application multiple times each hour.
- No More Passwords Please: The most effective solution to dealing with password management issues today is to combine stronger user authentication with a system for automating them and leveraging the maximum strength within the passwords – i.e., SSO coupled with the use of opaque (unknown to the users) passwords. This gives you the best of both worlds.
- Automate the Logon Where Possible: Direct injection of the passwords into forms mitigates the ability for keyboard loggers to sniff and record the password and log-in sequence so you can close that potential vulnerability gap.
- Leverage Strong Authentication Options: There are still many people that believe passwords are an inexpensive option for authentication, however today’s strong auth solutions are far more cost-effective, easier to deploy and maintain than they were just a few years ago and more importantly we see higher user adoption.
So the value of password management + SSO + strong authentication is increasingly acknowledged. Among our customer base at Imprivata, 75-80 percent of customers are using one or more forms of strong authentication with SSO. We rarely encounter a new deal that does not include strong authentication, and many of our customers prefer to deploy a variety of modalities (finger biometrics, tokens, proximity cards) that they can tie to the security level of the data being accessed by a given user. In fact, now strong authentication is often the driver of a deal, and SSO is pulled through.
We’ve run a few surveys lately, one squarely on this topic of strong authentication and SSO that you may find worth checking out: /content27465
--Dave
Looking Forward – 2009 Priorities
January 8, 2009 at 4:15 pm by David Ting
Happy New Year everyone. Unfortunately for all of us, we enter 2009 facing the reality of an economic recession that affects every industry. Layoffs are rampant, budgets are slashed and businesses are scrambling to weather the economic storm. Faced with these hard realities, it's a good time to regroup and rethink our next steps as we prepare for the eventual upturn.
So what are businesses thinking about? What should the priorities be in 2009? We've heard from our customers, and there is a general consensus around three focal areas, that are by-products of the sense of urgency to respond quickly to the economic reality of the coming year. We'll tackle these three topics in subsequent postings later this month:
- Productivity - It's universally accepted that we're going to have to do more with less in the coming year - less staff in IT, less money to spend on projects, less time to wait for ROI from ongoing projects. With that in mind, consolidation of resources and enhanced productivity will be priorities in 2009, specifically around reducing extra time-consuming problems that keep employees from the real tasks at hand - progressing the business.
- Security - Increasing productivity can sometimes lead to a lessened focus on security. However, considering we just left a year that had the highest number of data breaches on record, businesses cannot afford to put security concerns on the backburner. As the economy worsens and businesses are faced with continued layoffs and re-organizations, immediate steps have to be taken to deal with orphaned account accesses, changing roles and responsibilities, need for strong authentication and more.
- Manageable IT Projects - With tight budgets, IT organizations are looking for short term tactical projects that can have direct impact on the business. Multi-year strategic projects are more likely to be delayed given the lower threshold for risk and potential disruption to the organization. Identity management projects that would have required major restructuring of IT infrastructures and significant changes to the user workflow are being replaced with more tactical projects that are narrower in scope and easier to deploy. Frequently, we see businesses focusing on more tactical projects such as layering strong authentication or adding Single Sign-On that can be accomplished within weeks and months - and with more apparent returns than projects that need years to complete.
On Wednesday, January 14th, we're hosting a webinar roundtable discussion with Dave Kearns of Network World and several customers to discuss the changing security landscape in 2009 and how these customers will tackle some of the issues above. We encourage you all to tune in, participate and share your ideas for 2009. If you can't attend, feel free to email me about the issues your business is facing. What do you think the greatest challenges will be in 2009?
Desktop Virtualization – Has it hit your desk yet?
December 15, 2008 at 10:37 am by David Ting
The discussion on desktop virtualization, or hosted virtual desktop, is heating up. Some view it as futuristic. Others say it is a throwback to the world of mainframe computing. With economic concerns forcing businesses to take a hard look at expenses across the enterprise, however, there are many reasons this is such a hot topic.
In our current cost conscious world, the potential to reduce IT costs is obvious: virtualization significantly reduces the need for idle computing hardware and drastically lowers power consumption - especially in mission critical environments like healthcare where machines need to be on 24 hours a day. Lower power consumption comes from reducing the need to run lightly loaded but high powered CPUs at each desktop and delivering desktop sessions for multiple users from a server that can be heavily loaded. Most importantly, virtualization frees up IT from having to maintain large numbers of desktop systems that are largely user managed. It also eliminates the need to constantly re-image machines that have degraded through common usage. Imagine how many fewer headaches we would have if we could have a new copy of the OS image every day - and not have to suffer through the "plaque" build up that slowly kills performance.
This all sounds good. But, before diving headfirst into the virtualization pool, it's important to realize that the benefits of desktop virtualization also lead to new security challenges - especially around managing user identities, strong authentication and enforcement of access policies.
With user identities being relevant at multiple points within the virtual desktop, coordinating and enforcing access policies becomes far more difficult and error prone as all the systems have to be in sync. Since one of the advantages of having virtual desktops is the ability to dynamically create desktops specific to the user's role within the organization, having a centralized way to manage user identities, roles and access (or desktop) policies is critical in this new virtualized environment. Allowing users to only access tailored desktops specific to their role or access location can be tremendously valuable in controlling access to computing resources. Being able to leverage a single location for authenticating users, obtaining desktop access rights and auditing session related information is equally important, if not more so, than what we have in a conventional desktop environment.
While it is still some time out before adoption becomes common - security capabilities and limitations present a barrier to adoption - we're beginning to see customers who need to address these issues - connecting the user identity with authentication and policy link all the way from the client to the virtualized session and even to the virtualized application.
Desktop virtualization has tremendous promise - however, until we can replicate the user's current experience --and more importantly--make it easier to set and enforce authentication and policy in this environment, there's still work to be done.
Are you working through some of these issues? I'd be interested in hearing how you fill the policy and authentication gap while keeping your critical infrastructure secure.
Massachusetts Data Privacy Regulations – Are You Protected?
November 26, 2008 at 3:30 pm by David TingA recent Gartner Blog Network post and Wall Street Journal article both focus on new, stricter data regulations being passed in several states, including Massachusetts. The final set of Massachusetts regulations focuses on restricting employee access to data, monitoring for malicious activity on the network, and strong authentication protocols. The new regulations will go into effect beginning January 1, 2009.
While it sounds like common-sense legislation and represents a good step forward in helping mitigate data breaches, the new regulations will have a wide-ranging impact and will affect every business in Massachusetts that comes into contact with consumer information, including financial services organizations, healthcare organizations, and even educational institutions.
A closer examination of the regulations shows that they're very similar to the Payment Card Industry (PCI) Data Security Standard (DSS). That's good news for many companies that handle financial information and have achieved PCI compliance, or that are working towards it. In fact, a recent survey of IT decision makers commissioned by Imprivata, examining identity management trends in PCI compliance, shows that a majority of companies are either currently compliant with PCI standards or plan to be in the next 18 months.
The departure from PCI comes from the types of information that need to be secured: the new regulations go beyond payment card data and cover any personal information a business might collect, including bank account numbers, social security numbers and so on. This pulls in a large number of businesses that never fell under the PCI umbrella.
If your business falls into that category and you haven't started on the road to compliance with these new regulations, a good place to start is to make sure you have access policies in place that control how users access information. Implementing strong authentication wouldn't be a bad idea either: it ensures that access to records is controlled and that you can verify and report on the identity of the user accessing the data.
From an IT standpoint, this means not only that every user in your business has a distinct login and password (a shared account makes the audit trail worthless), but also that each user has been authorized to access the information. Consistent with the principles of role-based access and least privilege, you also want to make sure the level of access granted to users matches their job function and is restricted in scope. Above all, IT systems need to provide authentication, authorization, and traceability so that users can be held accountable for whatever information they access.
Most importantly, businesses need to ensure that when employees leave or job functions change, there is a quick way to deactivate access to information. This is a critical step in preventing a data breach: it ensures that former employees can't access sensitive information and applications once they're no longer part of the company, and that unauthorized personnel can't access the same information using credentials handed over by a former colleague. How often have we heard of data breaches traced back to stale accounts belonging to former employees who should no longer have had access to the system? Keeping IT and application accounts in sync with the list of active employees is just good IT housekeeping.
These new regulations put the onus on the business to make sure it is taking proactive steps to protect sensitive customer information. While the new regulations haven't outlined the potential penalties for violation yet, the threat of a fine shouldn't be the trigger for action when it comes to protecting customer information. Nor should businesses wait until they have a breach before getting serious about security; these are common-sense steps that all businesses should take to ensure that they're protecting their critical assets and data.
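The "keep accounts in sync with active employees" check above is one you can actually run on a schedule rather than trust to memory. The script below is an added example, not code from the original post: it reconciles an application's account list against an HR roster and flags enabled accounts whose owner has left (including the worst case, a login after the termination date), accounts with no HR record at all, entitlements that exceed the owner's job function, and accounts nobody has used in 90 days. The employee and account records are constructed sample data, and the field names and the role-to-entitlement policy are assumptions about what an HR export and an application's account list would contain.

```python
"""Reconcile application accounts against the HR roster.

Added example, not code from the original post: the employee and account
records below are constructed sample data, and the field names and the
role-to-entitlement policy are assumptions about what an HR export and an
application's account list would contain.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    user_id: str
    role: str                        # job function according to HR
    status: str                      # "active" or "terminated"
    end_date: Optional[date] = None  # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    user_id: str
    app: str
    entitlement: str                 # role granted inside the application
    enabled: bool
    last_login: date


# Assumed policy: which entitlements each job function may hold per application.
ROLE_ENTITLEMENTS = {
    "teller":   {"core-banking": {"teller"}},
    "analyst":  {"core-banking": {"read-only"}, "crm": {"user"}},
    "it-admin": {"core-banking": {"admin"}, "crm": {"admin"}},
}


def reconcile(employees, accounts, today, dormant_after=timedelta(days=90)):
    """Return (user_id, app, finding) triples for every enabled account that
    does not belong to an active employee acting within their job function."""
    by_id = {e.user_id: e for e in employees}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue                 # already deprovisioned: nothing to flag
        emp = by_id.get(acct.user_id)
        if emp is None:
            findings.append((acct.user_id, acct.app, "no-employee-record"))
        elif emp.status != "active":
            # The classic breach path: the person left, the login did not.
            if emp.end_date is not None and acct.last_login > emp.end_date:
                findings.append((acct.user_id, acct.app, "login-after-termination"))
            else:
                findings.append((acct.user_id, acct.app, "terminated-still-enabled"))
        else:
            allowed = ROLE_ENTITLEMENTS.get(emp.role, {}).get(acct.app, set())
            if acct.entitlement not in allowed:
                findings.append((acct.user_id, acct.app, "entitlement-exceeds-role"))
            elif today - acct.last_login > dormant_after:
                findings.append((acct.user_id, acct.app, "dormant"))
    return findings


# Constructed sample data (not real records).
EMPLOYEES = [
    Employee("alice", "teller", "active"),
    Employee("bob", "analyst", "terminated", end_date=date(2008, 10, 31)),
    Employee("carol", "it-admin", "active"),
    Employee("dan", "analyst", "active"),
]
ACCOUNTS = [
    Account("alice", "core-banking", "teller", True, date(2008, 11, 20)),
    Account("bob", "core-banking", "read-only", True, date(2008, 11, 18)),  # used after leaving
    Account("carol", "core-banking", "admin", True, date(2008, 11, 25)),
    Account("dan", "core-banking", "admin", True, date(2008, 11, 24)),      # analyst holding admin
    Account("dan", "crm", "user", True, date(2008, 6, 1)),                  # not used for months
    Account("eve", "crm", "user", True, date(2008, 8, 1)),                  # nobody in HR named eve
    Account("frank", "crm", "user", False, date(2008, 1, 1)),               # already disabled
]
TODAY = date(2008, 11, 26)


def run_sample():
    """Run the reconciliation over the constructed data set."""
    return reconcile(EMPLOYEES, ACCOUNTS, TODAY)


if __name__ == "__main__":
    for user, app, finding in run_sample():
        print(f"{user:6} {app:13} {finding}")
```

Run it against a fresh HR export and account dump every night; the "login-after-termination" finding is the one to page someone about, the others feed the access review. A disabled account is skipped deliberately, since the question here is who can still get in, not who once could.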
Is your business impacted by the new regulations? If so, where are you starting your journey to protect your business and your customers?
-David
Security in the Cloud
October 13, 2008 at 9:30 am by David TingWhile the concept of cloud computing (accessing applications online) has been around for close to a decade, talk on the subject has intensified significantly in recent months. The catalysts for these discussions range from the sharp decline in hardware and network infrastructure costs to the desire of businesses to "go green" to the need for accessibility by an increasingly distributed workforce. Whatever the reason, big business has taken notice, and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before acting.
What we are seeing today is a growing wave of interest from businesses in deploying a company-wide cloud computing model. In fact, InfoWorld predicted earlier this month that "the high cost of power and space is going to force the IT world to look at cloud services, with a shift to computing as a cloud resource occurring in the next five years." The author goes on to predict that the "emergence of cloud computing will reduce the need for computing at the enterprise level."
Few people question that cloud computing will bring an array of benefits to businesses, many of which have been touched on above. The issue as I see it is that many of the businesses looking to the cloud are not easing in with their eyes fully open but are jumping in head first; as a result, they forget to weigh all the key areas ahead of time, specifically those on the security side. A perfect example involves strong authentication.
Strong authentication is essential for businesses looking to safeguard their assets against unauthorized access. For businesses adopting a cloud computing model, a major selling point is that employees can access critical applications from virtually anywhere while the company saves a bundle on infrastructure and maintenance costs. The flip side is that once your applications are reachable from anywhere, a guessed or stolen password is all an attacker needs: the risk of unauthorized access to your systems grows dramatically.
Since the cloud computing model creates a new wave of challenges for the security team, I assumed that these folks would be highly involved in all discussions. What surprised me is that in many instances this is not the case. What I have witnessed is that businesses are shutting the security teams out of the discussions altogether and are instead focusing almost solely on architecture. The security team is eventually brought into the discussions, but in many instances the team is literally forced to participate. This is a major oversight that could potentially have significant ramifications down the road.
Strong authentication is a vital element in protecting a business's assets from unauthorized access, and the need for it only grows when a business shifts to a cloud computing model. As a result, for businesses preparing to transform to the cloud model, the security team must be a central participant in the discussion from the very beginning. By including them in the process and making them part of the plan at the initial planning stages, businesses can ensure that operating in a cloud doesn't mean they are flying blind.
-David
Tips and Tricks for selecting Strong Authentication
October 3, 2008 at 8:49 am by Jason MaferaStrong authentication can come in a variety of forms, each with its own strengths and weaknesses. Before selecting a type of strong authentication, think about the following:
- Make sure that the technology you select can be easily managed centrally
- Check that the vendor supports multiple types of strong authentication technology, so that it is easy to mix and match different types under a single installation and policy. In many cases a single type of strong authentication is not enough to cover an entire organization, as different groups of users may need different types.
- Make sure you understand the strengths and weaknesses of each approach and that it fits into your overall security needs.
- Ask what happens if a device is lost or stolen: how easily can the user continue working until the device is replaced, and how is that fallback path itself secured? A temporary fallback to password-only access is the weakest point of many deployments.
- Ask how each technology fits into the three categories of multi-factor authentication: something you have (a device), something you know (a PIN or password), and something you are (a biometric).
For more information on different types of strong authentication and a comparison of strengths and weaknesses, please view the pre-recorded webinar by clicking on the following URL: http://www.imprivata.com/content12349.html
New York Times article on Single Sign-on: Cryptography vs. Passwords?
August 21, 2008 at 12:00 pm by David TingThe New York Times recently posted an article decrying passwords as an inadequate defense in today's wave of identity theft. The article goes on to push a cryptography-based approach to log-on systems, touting "information cards" that rely on a handshake between machines to authenticate a user, or in this case a site visitor. It also rails against the OpenID initiative because of its password-driven approach to SSO for OpenID-enabled Web sites.
I read some of the comments under the article and they are politely saying the same thing: that it would be great if all the servers and users out there used PKI to mutually authenticate each other. Reality: this won't happen unless everyone makes the big switch. Unfortunately, major upheavals like this take tremendous investment. Major investment indeed, by a lot of people, companies and policy makers.
A relevant analogy is the transition to fiber optics at home: 30 years ago we knew it was the better technology and that it would revolutionize telecommunications, *but*, with copper in place for telephone service, who was going to make the investment to solve the "last mile problem", the copper that runs between the pole and the phone in your house [not to mention writing off the previous investments put into copper all those years]? Only now, with telcos being allowed to sell new services such as video content, are they incentivized to invest the billions of dollars required to bring fiber to the house.
So it is with PKI: the notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago. It failed because it required companies to make a significant investment not only to upgrade their server applications to use certificates but, more importantly, to get valid certificates onto every client. The investment and expense required couldn't be justified on the basis of improving security, much less to provide SSO convenience. If a company has to choose between turning away customers that don't have info cards or certificates and increasing security, which option would it pick? The existing infrastructure for user authentication will continue to use passwords for a long time, just as we lived with copper and analog voice because the economics weren't there to switch. Using PKI to solve user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.
Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor combined with the continuous infrastructure investment made over the past two decades point to the reality that password-based SSO isn't going anywhere anytime soon. Are there ways to strengthen the security of password-based SSO without losing its convenience? Sure: add strong authentication methods like biometrics [check out my post last week] to provide two-factor authentication; at least there is widespread near-term investment being made in that area, in devices all over the world in every industry.
What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about?
-David
Putting my finger on the state of biometrics
August 14, 2008 at 1:30 pm by David TingDave Kearns recently posted an article from an interview with Upek on the state of things in the world of biometrics, talking about how fingerprint readers are now being built into laptops, keyboards and all types of devices at a dizzying pace. [disclosure: Imprivata partners with Upek] It was nice to see Dave addressing the topic of biometrics adoption.
Let's be honest, I spend a good deal of time collecting and vetting these amazing little biometric devices that have proven so valuable to our customers. Years ago, working on civil biometrics programs, we had large fingerprint scanners that were nothing more than video cameras that used mirrors, prisms and lenses to obtain an image of a fingerprint. Today's sensors that are mounted on keyboards, notebooks, electronic door locks and safes are often direct-imaging silicon, low-cost sensors capable of producing high quality images with a very small footprint. Combining biometrics with single sign-on has a strong value proposition, as more and more industry and government regulations require two-factor authentication and audit trails for access reporting. Clearly, this last bit is self-promotional, as biometrics is right in Imprivata's sweet spot. You have to admit the convenience of using a simple finger swipe or touch to access all the applications you need on a daily basis is huge, especially if you have to repeatedly log on and log off. And hopefully you always bring your fingerprint with you, unless you're having a very bad day.
Seriously though, the combination of biometrics and single sign-on has a natural synergy. I'll have some more news shortly on the strong authentication front, but in the meantime, when you're thinking of using biometrics and SSO, it's important to take a few things into consideration:
- Ensure high-end image processing technology is embedded into the commercial product you are looking at - there are many solutions out there, and some cost more than they should, so keep an eye out for the balance between cost and system capabilities
- Look for solutions with low error rates, measured as the false accept rate (FAR: an impostor is matched to someone else's template) and the false reject rate (FRR: a legitimate user fails to match their own). While it is impossible to guarantee that there will never be a false accept, keeping the FAR better than 1 in 1 million is important. Ask which mode a quoted figure refers to: in identification mode (no username) every probe is compared against every enrolled template, so the effective false accept rate grows roughly in proportion to the number of enrolled users, and the threshold that is fine for a 1:1 check can be far too loose for a 1:N lookup across a whole hospital.
- For most end users, authentication is something they want done quickly so they can get on with their job, so identification or authentication speed is paramount. Acceptable time for authentication (where you enter a user name and the probe is compared against one template) should be within a second, and for identification (where you don't enter a user name and the probe is compared against every enrolled template) within 2-3 seconds. Consider the verification speeds of integrated ESSO-biometrics solutions and do a head-to-head comparison of the best alternatives.
- Focus on solutions that can handle a wide range of finger presentations with high accuracy. Users don't put their fingers at the same angle or position within the sensor, or swipe the same way, as they did during enrollment, so having a robust solution that can handle variability ensures user adoption. Test the system to see what finger placements are allowed to gauge the user experience: try placing the finger at a different angle or swiping at different speeds. Test with dry, moist, dirty, or oily fingers (right after you've had that French fry) and, above all, try using it by touch alone with your eyes closed.
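The FAR/FRR and identification-mode points in the list above are easier to reason about with the arithmetic in front of you. The block below is an added example, not code from the original post or from any vendor: it computes FAR and FRR for a match threshold from a constructed set of matcher scores, scales a per-comparison FAR up to the effective FAR of a 1:N identification across an assumed enrolled population, works out the per-comparison FAR you would need to hold a system-wide target, and computes how many impostor comparisons a test must run (all rejected) before a "better than 1 in 1 million" claim is supportable. The score lists are toy data; the population size and confidence level are assumptions for illustration.

```python
"""False accept / false reject arithmetic for a fingerprint deployment.

Added example, not code from the original post. The score lists are
constructed toy data (a real evaluation needs thousands of comparisons); the
target rates, population size and confidence level are assumptions.
"""
import math


def rates_at_threshold(genuine_scores, impostor_scores, threshold):
    """Return (FAR, FRR) when a match requires score >= threshold.
    FAR: fraction of impostor comparisons wrongly accepted.
    FRR: fraction of genuine comparisons wrongly rejected."""
    far = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    frr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return far, frr


def identification_far(per_match_far, n_enrolled):
    """Effective FAR in identification (1:N) mode: the probe is compared
    against every enrolled template, so it only has to fool one of them."""
    return 1.0 - (1.0 - per_match_far) ** n_enrolled


def per_match_far_for(system_far, n_enrolled):
    """Per-comparison FAR needed so that 1:N identification over n_enrolled
    templates stays at or below system_far."""
    return 1.0 - (1.0 - system_far) ** (1.0 / n_enrolled)


def impostor_trials_needed(target_far, confidence=0.95):
    """Impostor comparisons that must all be rejected before you can claim
    FAR <= target_far at the given confidence. This is the 'rule of three'
    in exact form: require (1 - p)^n <= 1 - confidence."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - target_far))


# Constructed matcher scores, higher = more similar to the enrolled template.
GENUINE = [0.95, 0.91, 0.88, 0.84, 0.79, 0.72, 0.66, 0.58]
IMPOSTOR = [0.12, 0.20, 0.27, 0.33, 0.41, 0.47, 0.55, 0.63]

if __name__ == "__main__":
    for t in (0.5, 0.6, 0.7):
        far, frr = rates_at_threshold(GENUINE, IMPOSTOR, t)
        print(f"threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
    staff = 5000                      # assumed number of enrolled users
    print("1:N FAR at 1e-6 per match:", identification_far(1e-6, staff))
    print("per-match FAR for 1e-6 system FAR:", per_match_far_for(1e-6, staff))
    print("impostor trials to support FAR<=1e-6:", impostor_trials_needed(1e-6))
```

Two things fall out of it. A per-comparison FAR of one in a million becomes roughly one in two hundred once 5,000 templates are searched, so an identification-mode deployment needs a per-comparison FAR about 5,000 times tighter (or a username, PIN or badge to narrow the candidate set). And demonstrating a one-in-a-million FAR takes on the order of three million impostor comparisons with zero false accepts, which is why a vendor's quoted figure should come with the test population and protocol behind it.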
What do you think about biometrics? Are you using it in your environments? Is it tied to your SSO system? What type of biometrics are you using?
-David
Strong Authentication at the Point of Transaction
August 7, 2008 at 3:07 pm by David TingAs more and more industries shift towards paperless transactions, organizations are realizing that identity-based regulations are becoming more common and more stringent across industries. As a result, transaction-level authentication will be the norm in any situation where a person's identity is an important element of the transaction.
Recently, according to a Federal Computer Week article, the Drug Enforcement Administration proposed rules to allow e-prescribing of controlled substances, such as painkillers and stimulants. The proposed rules require doctors to use two forms of identification for each transmission of an e-prescription for a controlled substance, in addition to an annual audit of each system by a certified public accounting firm. Under current rules, doctors may use e-prescribing for most prescriptions but must sign a written prescription for Schedule II controlled substances, such as Nembutal, OxyContin and opium. The DEA rule, if it becomes final, would allow doctors to use the same system for generating and transmitting all prescriptions.
In addition, other industries are keenly exploring transaction-level security. Wherever there is a need for an absolute audit trail, wherever there is strict regulation like GLBA, HIPAA and PCI, whether government-driven or industry-driven, transaction-level security is becoming a crucial element that both companies and software vendors must take into consideration as organizational processes shift toward paperless transactions. Here is a snapshot of notable industries and the activities that are sparking interest in transaction-level security:
- Healthcare: electronic pharmacy transactions involving either high-value or high-volume purchases of prescription drugs
- Banking: electronic funds transfers where cash is moved in and out of accounts
- Legal: document and transaction tracking is key to ensuring a deal is legitimate and authorized
- Pharmaceutical: adding or updating testing data
- Manufacturing/logistics: controlling inventory
I believe that these instances of positive identification requirements are just the tip of the regulatory iceberg. Moreover, the business case for transactional strong authentication is very appealing, as authenticated electronic transactions make for a more efficient and accountable order system.
Are you about to embark on a paperless journey? How are you dealing with strong authentication with your transactions? I'd love to hear your stories.
-David
Modeling Risk
July 31, 2008 at 3:30 pm by David Ting
Risk management seems to be the conversation du jour. I was just at the Lenel Paradigm Conference in Rochester with some of their leading security consultants, and the topic that constantly came up was risk and how security practitioners need to understand the business drivers around mitigating it. With access and authentication management-centric security breaches like LendingTree and Societe Generale making headlines and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do? New threats, internal and external, pop up every day. Security is a blend of technology, procedures and process that attempts to govern how users access and use information resources. How do we gauge the effectiveness of the technologies in place and calibrate them against their cost-effectiveness in reducing improper access and use by employees, contractors, ex-employees and visitors? Defense-in-depth is the right approach to strengthening overall security today, but simply deploying intrusion prevention or strong authentication or encryption as another part of the security equation is not enough. So far in IT security we've gotten away with arm waving to promote the need for improving security and relying on our instincts that certain mitigation technologies will be effective for thwarting breaches. The time has come for us to think more as systems engineers and get a clear view of an organization's security posture by modeling the potential risk of a breach and understanding the cost of such a breach. After all, if the goal is to reduce risk, how do you know how much it would be appropriate to spend on reducing that risk?
Modeling risk from the outside in and across multiple security layers requires one to quantify the probability that something can slip through each layer (each layer you introduce to the system is another opportunity for leakage and porosity), in the same way one would design a cascaded set of filters, each meant to block a specific type of intruder. For those of us who endured those signal processing classes years ago, this is just a classic linear system designed to pass certain signals (allowing authorized users to get through) while attenuating the noise (incorrect or undesirable users) that is mingled with the signal. In this model one needs to gauge the risk associated with the potential for someone to incorrectly gain access to critical information through each layer. Modeling how physical, network and application security collectively combine as a system to reduce risk lets one understand how technology, procedural changes or temporal effects interact with each other to affect the cost-effectiveness of the solution as a whole. IT security often isn't systematically measured, so right now you can't clearly quantify risk. Therefore you need to work out how to model risk in order to understand how to reduce the risk associated with compromised systems. [more to come on this in an upcoming post.]
Pinning down a cost/benefit ratio of security investments versus the damage an incident could bring may never be crystal clear. However, with a model it becomes possible to ascertain where threats are most likely to penetrate specific layers, which is useful in pinpointing where improvements are needed to mitigate, or to respond quickly should something indeed happen. In addition, it gives you the clarity to communicate what you need to those with sign-off on the business case for your next security investment.
So, have you assessed your risk potential? What does your model say is the biggest threat today? I'd love to hear what others have found, and how you are modeling risk at your companies.
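The cascaded-filter model in the two paragraphs above can be written down in a few lines, which makes the "how much is appropriate to spend" question concrete. The block below is an added example, not code from the original post: layers in series multiply their pass-through probabilities, paths in parallel (remote versus on-site) each add another chance of leakage, expected annual loss is attempts times pass-through probability times loss per breach, and a control is judged by the loss it avoids against what it costs. Every probability, attempt count and dollar figure is a constructed assumption for illustration, and the "strong authentication" scenario simply assumes it cuts the application-login pass-through rate from 10% to 0.5%; the layers are also assumed to fail independently, which a real model should question.

```python
"""Layered-defense risk model: probability of getting through, expected loss,
and whether a control pays for itself.

Added example, not code from the original post. Every probability, attempt
count and dollar figure below is a constructed assumption for illustration;
replace them with your own estimates. Layers are assumed to fail independently.
"""
from math import prod


def path_pass_probability(layers):
    """Layers in series act like cascaded filters: an intruder must get past
    all of them, so the per-layer pass-through probabilities multiply."""
    return prod(layers)


def any_path_probability(paths):
    """Probability that one determined attempt succeeds by at least one path
    (paths in parallel: each extra path is another opportunity for leakage)."""
    return 1.0 - prod(1.0 - path_pass_probability(layers) for layers in paths.values())


def expected_annual_loss(paths, attempts_per_year, loss_per_breach):
    """Sum over paths of attempts * P(attempt gets through) * loss per breach."""
    return sum(
        attempts_per_year[name] * path_pass_probability(layers) * loss_per_breach
        for name, layers in paths.items()
    )


def leakiest_layer(paths, layer_names):
    """Return (path, layer_name, probability) for the most porous single layer,
    i.e. where an improvement would cut the most."""
    best = None
    for name, layers in paths.items():
        for label, p in zip(layer_names[name], layers):
            if best is None or p > best[2]:
                best = (name, label, p)
    return best


def return_on_security_investment(ale_before, ale_after, annual_control_cost):
    """(loss avoided - cost) / cost; above 0 means the control pays for itself."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


# Constructed scenario. Each path lists, in order, the probability that an
# attempt gets past each layer.
LAYER_NAMES = {
    "remote": ["perimeter", "application-login"],
    "onsite": ["physical-access", "application-login"],
}
ATTEMPTS = {"remote": 200, "onsite": 20}     # assumed attempts per year
LOSS_PER_BREACH = 500_000.0                  # assumed cost of one breach
CONTROL_COST = 150_000.0                     # assumed annual cost of strong auth

PATHS_PASSWORD_ONLY = {"remote": [0.05, 0.10], "onsite": [0.20, 0.10]}
PATHS_STRONG_AUTH   = {"remote": [0.05, 0.005], "onsite": [0.20, 0.005]}


def evaluate():
    """Compare the password-only and strong-authentication scenarios."""
    before = expected_annual_loss(PATHS_PASSWORD_ONLY, ATTEMPTS, LOSS_PER_BREACH)
    after = expected_annual_loss(PATHS_STRONG_AUTH, ATTEMPTS, LOSS_PER_BREACH)
    return {
        "p_any_before": any_path_probability(PATHS_PASSWORD_ONLY),
        "p_any_after": any_path_probability(PATHS_STRONG_AUTH),
        "ale_before": before,
        "ale_after": after,
        "rosi": return_on_security_investment(before, after, CONTROL_COST),
        "leakiest_before": leakiest_layer(PATHS_PASSWORD_ONLY, LAYER_NAMES),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key:16} {value}")
```

With these made-up numbers the expected annual loss drops from $700,000 to $35,000 for a $150,000 control, a return of about 3.4 to 1, and the model also reports that the single most porous layer is physical access on the on-site path, which is the kind of answer that redirects the next investment rather than just justifying this one.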
-David
One Small Step for E-Prescriptions, One Giant Leap for Healthcare
July 2, 2008 at 3:15 pm by David TingThe merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others. This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions. It is significant progress, and the latest of many advancements the healthcare sector is driving forward. There is one area of the electronic prescriptions story, though, that is missing from all of the coverage of the RxHub/SureScripts merger, and it's an important piece of the equation: authenticating that the prescription drug order is legitimate and truly from an approved physician. Electronic transactions are easier and quicker, sure, but so are misuse and fraud.
The Ohio State Board of Pharmacy is on the mark with the requirements calling for "positive identification" for the prescriber with online prescription orders to use "a method that may not rely solely on the use of a private personal identifier such as a password, but also include a secure means of identification such as the following:" including biometrics or proximity badges (Part N in the mandate).
OhioHealth, on the cutting edge with opening an entirely paperless facility (which the WSJ Health blog covered earlier this year), has also taken a significant step in deploying a strong authentication solution to help its physicians and clinicians embrace electronic prescriptions while adhering to the state's mandates surrounding them. Now many other states are following suit, requiring positive identification and strong authentication for these online orders. [Disclosure: OhioHealth is using Imprivata technology.] We've been quite involved in the area of transactional strong authentication, especially e-prescription authentication, and it is a crucial component of the online prescription drug order process, as noted in Network World.
The RxHub/SureScripts merger is a big step forward in the industry more broadly realizing the benefits of e-prescriptions, but the role of positive identification in the electronic prescription drug order process cannot be overlooked. If you think otherwise, just look at how state mandates are driving technology policy at hospitals nationwide - Ohio is just one of many states that are in tune with these issues.
-David
Financial Services CIOs, Insider Threats and the Human Behavior
June 26, 2008 at 11:00 am by David TingI've had a few conversations lately around the topic of the insider threat in the financial services arena, so I figured I'd scan the Web to see what's out there and came across an interesting InfoWorld article. Though it is from last fall, it hits on a number of concerns that are timely now, especially given major breaches like Societe Generale. The article reports on a Deloitte study that highlights two major data points that I want to call out:
1. 91% of financial services companies' CIOs are concerned with the inability to deal with the inside threat
2. 79% of respondents stated that human behavior is a big factor
Read those numbers again. This was a survey of 100 global financial services firms that have deep pockets and vast technologies, and it was conducted before Societe Generale was in everyone's vocabulary. More significantly, most weren't providing new security training to workers. In general, training requires changes in behavior, and let's face it, most people don't embrace changes to their daily routines, especially to improve security. Change is disruptive; change implies more work. This further reinforces the belief that security needs to be invisible to the user (which I'll address in a future blog entry).
These insider threats have brought on the wave of data leakage protection (DLP) technologies, but at the core, identity and access management still remains the central choke point for addressing the insider threat. Knowing who's accessing what, when and from where is a key part of the paper trail for finding out whether there's been misbehavior or accidental leakage. Mix in integration of physical and logical security, a touch of strong authentication and effective access management, and you've created a potent recipe for deterring the insider threat. The operative word here is deter: the ability to undeniably trace actions back to an individual reduces the urge to push the limits on misusing the system.
Tell me, what's your insider threat protection recipe? What are you using (or planning to use) to address the biggest business security threat we now face? How does/will it change human behavior of your workers?
-David
Identifying Identity Resources
June 19, 2008 at 4:30 pm by David TingThere's a lot of news and opinion on the web as the blogosphere continues to grow. As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click your way down the rabbit hole of conversations.
In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with:
Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether
The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner." If you know IDM, you surely know Dave's name.
Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.
Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.
Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out. Worth a read.
The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space. If you're in this space (or have clients there), check out his blog regularly.
The Health Blog -WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business level trends, issues and current events in the healthcare arena.
SecurityDreamer - Steve Hunt's among the most vocal and thoughtful on topics surrounding physical-logical security convergence.
Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.
So what IDM blogs and outlets do you follow? Let me know - I'd love to add 'em to my reading list.
-David
Inside the Insider Threat
June 12, 2008 at 1:29 pm by David TingWe have met the enemy, and he is us
The insider threat is among the biggest challenges security folks face in 2008. The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise. It's a simple reality that we all have to deal with. Check out last month's 2008 Global Information Security Workforce Study conducted by Frost & Sullivan for ISC(2), and SearchSecurity.com's coverage of it. Two-factor authentication using biometrics, as well as physical-logical convergence, will gain speed in dealing with the insider threat.
All of a sudden it feels like potentially anyone can be impacted. Check out the stories that have made headlines worldwide, from breaches of Britney Spears' and Farrah Fawcett's medical records to LendingTree customer data being compromised by former employees with still-active passwords. These are scenarios where better access management and strong authentication would have made the difference. The side benefit of implementing strong authentication is often the elevated awareness that security is taken seriously.
And now the feds are involved. They're investigating ties between hospitals and the tabloids to source and pursue the leaks of celebrity medical files.
It's clear insider threats will only become more frequent. It's simply too lucrative, and too easy to hide behind a digital identity. As an enterprise, you better know who your people are, what they are doing, and from where. Or at least get the message out that preventative steps are in the works! (more on this in a future blog).
I actually just had an interesting podcast discussion on this subject with Network World's Keith Shaw that you should check out.
What are your stories? How are you dealing with the insider threat?
--David Ting, CTO
MUSE Musings
June 2, 2008 at 10:30 am by John Clark
Having spent last week at the 2008 International MUSE (Medical Users Software Exchange) Conference in Grapevine, Texas - the 25th annual gathering of clinical and technical users of Meditech software - I was delighted to see SSO is such a hot topic among this group. There were five customer presentations related to SSO and Strong Authentication, and all of them were filled to capacity.
Also of note was the fact that at a gathering on Monday of 62 CIOs, CMIOs, and CNOs representing Meditech hospitals, it was clear that SSO was one of the priorities that they plan to address. As it was explained to me by one of our customers, the group was broken into smaller workshops and given a $6M annual IT budget. Then they were asked to work collaboratively to develop and prioritize initiatives for a five year plan at a fictitious hospital.
As expected, investment in clinical applications took precedence in the Priority Matrix that was developed based on a polling of the groups. The Matrix consists of 4 quadrants: Avoid, Consider, Implement and Invest. According to this group, SSO has crossed into the Invest quadrant, and most of the group felt as though it was something to be addressed before the end of 2009. It seems that this interest is being driven as much by the need for user convenience as it is by HIPAA compliance. If you work in a healthcare organization, I'd be curious to hear about your priorities and whether this sounds in line with your plans.
John Clark, Product Manager
The "best" authentication technology?
May 29, 2008 at 3:47 pm by Rik Van Bruggen
I work in the field for Imprivata, working with customers day in, day out. And the single most heard question I get relating to our products is: "which authentication technology should I use?" Fingerprint? Yeah, that's good, I will never forget my finger, right? Or a prox card? Even better, because I can use that to open doors, pay at the lunch cashier, and so forth. Nah - maybe a smartcard is better. Or a one-time-password token. Or ...
And then the discussion usually derails. It's hard to choose a strong authentication token. There is so much choice. And it can cost a *lot* of budget to acquire and implement. So let's think about this for a while. What is the "best" authentication technique? Is there such a thing?
Of all of the suggestions I made above, none of them is ideal. All of them have pros and cons, and really, all of them have very different characteristics. In my mind, there are three/four things to ask yourself when choosing an authentication technique:
- Does it meet your security objectives? Is the tool as secure as you want it to be? Can you use it for other security initiatives (e.g. encryption, pre-boot auth...)? Does it feature login AND logout functionality?
- Does it meet your productivity objectives? Does it work as fast and as reliably as you want it to, always?
- Does it fit into your budget? Anything is possible - but it all comes at a price...
- Most importantly (in my opinion): will your users ACCEPT it? At the end of the day, any authentication tool can be compromised, on purpose or by accident. But the likelihood that it will be compromised really depends on how well your users will take care of it. If they leave their token lingering around, with a small piece of sticker tape glued to it with the PIN code on it, then what have you really achieved? User acceptance is everything.
Therefore, my recommendation to my customers always is to test and retest any authentication technology, at a small yet significant scale, and to get the end-user buy-in before you roll out any authentication technology to your users. And luckily for you, Imprivata OneSign has built-in support for almost any type of authentication technique out there. That's just another reason why OneSign stands out - it allows you the freedom of choice among authentication technologies, letting you pick the one that matches your organisation, not the reverse.
2008 Identity Management Trends in Healthcare Survey Results
May 29, 2008 at 11:00 am by John Clark
After the recent 2008 HIMSS Conference, we conducted a survey of 171 healthcare IT decision makers to identify some of the trends they face relating to identity management. I wanted to call out a few interesting data points:
- Eighty-five percent of respondents stated that they are looking to use tablets or mobile devices
I found this to be an interesting indicator of the growing need/desire to have anytime access to information - when seconds matter, like in a hospital environment, having data at your fingertips is invaluable.
- 26 percent of respondents log into applications 20-50 times per day, while another 5 percent log in more than 50 times per day
The figure is stunning. With compliance issues in mind, imagine having to properly log in and log out that many times each day... mind numbing, and certainly a drain on productivity if you have to remember dozens of different passwords.
- 44 percent of respondents acknowledge that their organizations face state requirements for electronic prescription drug order authentication and verification today.
We've talked with a lot of hospitals over the past 18 months, and this stat is representative of those conversations regarding drug dispensing and verification rules. As organizations go even more digital, they must ensure that electronic transactions for prescription drug orders aren't misused or abused, and strong authentication measures are being mandated. It'll be a primary issue they tackle in the years ahead as more hospitals depend on online information and states get on board with these requirements.
Check out the press release or the full research brief - 2008 Identity Management Trends in Healthcare summarizing the findings for more. Overall, pretty interesting stuff. If you're in the healthcare sector, are these the issues you're having and/or the trends you're seeing? We'd love to hear from you - chime in with a comment below, or drop me a note.
- John Clark, Product Manager
Discussing the Identity Balance
May 22, 2008 at 8:00 am by Rik Van Bruggen
Next week, on Tuesday 27th of May, we will be speaking at the ICT & Healthcare seminar in Ede, the Netherlands. The topic of our discussion will be clear and simple: how can we restore the "Identity balance"? With this topic, we aim to explore how customers and partners can work with healthcare organisations to strike the right balance between
- security requirements: how to make sure that access to networks and applications is only granted to the appropriate, trusted user
- productivity requirements: how to make sure that this trusted user does not have to lose the productivity that he/she is used to
Typically, most hospitals have grown into a situation where security is either terribly hard to use, or almost non-existent. The balance almost always tips in favor of either security or productivity - and that needs to change, as really, what we need is both. Regulators are starting to see that too - hence the great number of compliance guidelines, also in the Netherlands (see for example: NEN7510).
Imprivata has a lot of crisp ideas on this topic which we would like to discuss with you. So if you want to join us in this discussion - please do!
Five Identity Management Trends to Watch
May 19, 2008 at 11:00 am by David Ting
I'm often asked what seems like a simple question: "what's new in identity management?" As simple as it is, it's a big question, so here are five trends that I see out there for identity management... at least for now.
#1: The Pendulum Swing is Back to Thin Client Computing
Technology changes including the 64-bit computing platform, multicore processors, cost-effective broadband connectivity and dirt-cheap storage, combined with rising costs of energy, cooling and space, are forcing a re-evaluation of how we put computing power in the hands of the user. Virtualization has simplified the management of shared computing resources and helped propel the shift back to thin client computing. This has put even greater emphasis on how you manage identities, control access and provision applications managed within these virtualized environments. The shift to centrally-managed, centrally-hosted environments enables (and is driven by) greater mobility and flexibility in workflow and workforce - that puts new pressures on how identity management policy, procedure and technology all work together to create a secure yet flexible environment.
#2: De-Perimeterizing the Network: Softening of the Network Continues
Perimeters are no longer rigid, hard and securable, so firewalls, IDS and IPS are no longer adequate on their own. Defense in depth security comes to mind as the boundaries of the perimeter blur and soften with insider threats rising in prominence. The notion that the network can be secured is rapidly melting away as business practices force opening up access to partners, customers and remote workers. The emphasis shifts to knowing who is doing what with your data and applications regardless of where they are geographically. Strong authentication and contextual authorization including the notion of location-based authentication becomes even more critical in this environment as one tries to extend enforcement of access policies to critical corporate resources.
#3: Enterprise Biometrics Realizing its Potential
Look around you... everything is being biometrics-enabled - laptops and computer hardware are now manufactured with fingerprint readers, for example. Cost as a barrier to widespread adoption is no longer the issue as scanners become commoditized. With this change, enterprises are re-examining how best to deploy strong authentication within their organizations. Storing enterprise biometrics safely to support a mobile workforce is the key to unleashing the true power and usability of biometrics. Interoperability, and addressing users' privacy concerns by assuring them that their biometric identities are properly secured, are critical to widespread adoption. The time for biometrics is now.
#4: Enterprise-Level Functionality Moves to the Mid-Market
ESSO, strong authentication and access control have become mainstream. All of these technologies are becoming more cost-effective for the midmarket and easier to implement, making them more attainable. The economics are there for midmarket companies to achieve the security that was once thought of as an enterprise luxury, strengthening the security of our overall ecosystem of business worldwide. Joel Dubin hits this point well in his SearchCIO-Midmarket.com piece. The more midmarket companies can deploy strong security practices and technologies, the tougher time the bad guys have to wreak havoc.
#5: Higher Emphasis on Insider Threats Drive a Focus on Data Protection and Compliance
At Kuppinger and Cole's 2nd European Identity Conference it was clear the events at Société Générale have elevated everyone's sensitivity to how much damage can be perpetrated by an insider. One speaker put it succinctly when he said that "banks have money, a lot of money and often some of their employees feel they should have some of that money as well." It is clear insider threats will only become more frequent as we open up more access to critical systems. It is simply too lucrative and too easy to hide behind the anonymity of the digital identity - after all, how are they going to prove it is you that has accessed the system when you used your colleague's logon credentials? As an enterprise, you better know who your people are, how they are getting on the system, what they are doing, and from where. The insider threat will be amongst the top threats in 2008, and is already a key discussion within identity management circles.
So let me put the question out to you: what are the trends that you are seeing out there? Chime in on the comments section, or drop me a line.
-David Ting, CTO
Welcome to Identity 360
May 15, 2008 at 10:30 am by David Ting
Welcome to Identity 360, our blog covering ideas and issues related to converged identity and access management in the enterprise. We aim to discuss the full gamut of topics, including physical security, network authentication, single sign-on, compliance, multi-factor authentication, insider threats, strong authentication, password management, etc. Not to mention, chiming in on current events as they happen along the way.
We look forward to an interactive discussion with everyone, and to hearing from security professionals, media and analysts about what they see out there. If you don't feel comfortable commenting directly to a post, you can always contact us via blog@imprivata.com.
You may be wondering who I mean by "we." While I will be a regular contributor to Identity 360, there will be a range of voices here to broaden the expertise beyond my own and provide a range of experience from those on the identity front lines.
Let us know if you have specific topics you'd like us to address, or if you have an experience you'd like to share. Thanks for taking the time to visit us and come back often to see what's new!
- David Ting, CTO