SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
2010 Look Ahead: Chief Security Concerns for Chief Executives
January 13, 2010 at 1:22 PM by David Ting
As we turn the page to 2010 and look to delve into the top-level security concerns that lie ahead, we'd be remiss not to reflect on the security events that helped shape 2009 into the "year of the data breach," and to take them as learning experiences for the New Year.
With the economy in its worst state in decades, we saw IT budgets decimated and security threats grow clever and sophisticated enough to cause serious havoc for organizations. Do the names Kaiser Permanente, Fannie Mae and Stens Corporation ring a bell? These big-name organizations experienced some of the year's most high-profile data breaches as a result of poor security and access management policies. And whether the cause is disgruntled employees, inappropriate password sharing or terminated employees retaining access rights, these events point to a trend that isn't going away.
Now let's focus our attention back on 2010 and break down the top-level security concerns chief executives need to focus on to protect the integrity of their organizations. The global economic downturn and the wave of breaches mentioned above are clear indicators that these incidents will only multiply in 2010, as threats are not only escalating but becoming more sophisticated and damaging. To help organizations protect themselves, we are seeing an increasing number of federal compliance regulations put in place: the HITECH Act, data breach notification laws, HIPAA, Meaningful Use of EMRs, etc.
Understanding these regulations and having strong security policies in place are critical to starting 2010 on the right foot. On Wednesday, January 27th we will be conducting a webinar demo of Imprivata OneSign and discussing how technologies such as single sign-on (SSO) strengthen user authentication to network applications, streamline application access and simplify compliance reporting, key elements in understanding the changing security landscape of 2010. We encourage you to attend and participate, and to share your ideas for the New Year.
--David
Access Management Questions to Ponder
June 4, 2009 at 6:07 PM by David Ting
I was reading about the recent access-management-related breach at the California Water Services Company, where an auditor resigned but illegally accessed computer systems in an attempt to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever-growing litany of breaches we've been hearing about.
If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:
Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves, too often their access to sensitive applications and information is left open. Organizations run into trouble when accounts can't be deactivated quickly, or when there is no direct mapping between employees and the accounts they were credentialed to access.
Technologies like single sign-on give organizations a view of access records, employee access rights, and accounts that need to be removed. Deactivating orphaned accounts is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to which systems? If an employee leaves, can we deactivate their access quickly? Do we have visibility into which application accounts our users actually use? If not, it is time to think about how to regain some control.
Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other; this doesn't have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, and no more.
Questions to ask: Do we understand what privilege levels each individual user has been given? Do they have the lowest level of access privilege required to do their job? What mechanisms do we have to elevate their privilege level, even temporarily, and can we control them?
Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication policy. Assigning access by organizational role provides greater insight into what applications users are touching and if access rights are in accordance with the privilege rights provided. Organizations usually have little to no role definition, or go to the other extreme by creating too many roles, which can be unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again, the question comes back to having enough information on which applications your users are actually touching. Single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.
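Most of the questions above reduce to joining three records the organization already has: the HR roster, the application-account inventory and the SSO access log. The script below is an added example, not part of the original post or of any Imprivata product; all three inputs are constructed sample data, and the field layout (employee id, account name, application name) is an assumption. It flags accounts whose owner is unknown or no longer active, activity on such accounts (the pattern in the California Water Services case above), entitlements that were never exercised in the log window, and candidate roles derived from which applications active users actually touch.

```python
# Added example, not from the original post or any Imprivata product.
# Reconciles an HR roster, an application-account inventory and SSO access-log
# lines. All three inputs are constructed sample data; the field layout
# (employee id, account name, application name) is an assumption.
from collections import defaultdict

# Constructed HR roster: employee_id -> (name, department, status)
HR_ROSTER = {
    "e100": ("Alice Adams", "Nursing", "active"),
    "e101": ("Bob Brown", "Nursing", "active"),
    "e102": ("Carol Chen", "Pharmacy", "active"),
    "e103": ("Dan Diaz", "Finance", "terminated"),
}

# Constructed account inventory: (application, account, owner employee_id or None)
ACCOUNTS = [
    ("emr", "aadams", "e100"),
    ("emr", "bbrown", "e101"),
    ("emr", "cchen", "e102"),
    ("pharmacy", "cchen", "e102"),
    ("pharmacy", "aadams", "e100"),   # entitled, but never used in the log below
    ("payroll", "ddiaz", "e103"),     # owner terminated: orphaned
    ("payroll", "svc_backup", None),  # nobody on record owns this account
]

# Constructed SSO access-log lines: "<date> <account> <application>"
SSO_LOG = """\
2009-05-01 aadams emr
2009-05-01 bbrown emr
2009-05-02 cchen emr
2009-05-02 cchen pharmacy
2009-05-03 aadams emr
2009-05-03 ddiaz payroll
"""


def parse_log(text):
    """Map each account to the set of applications it actually used."""
    used = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            _date, account, app = line.split()
            used[account].add(app)
    return used


def _owner_active(owner, roster):
    return owner is not None and roster.get(owner, ("", "", "unknown"))[2] == "active"


def orphaned_accounts(accounts, roster):
    """Accounts with no owner on record, or whose owner is not an active employee."""
    orphans = []
    for app, account, owner in accounts:
        if owner is None:
            orphans.append((app, account, "no owner on record"))
        elif not _owner_active(owner, roster):
            orphans.append((app, account, "owner %s not active" % owner))
    return orphans


def activity_on_orphans(accounts, roster, used):
    """Orphaned accounts that still show up in the access log: investigate these first."""
    return [(app, account) for app, account, _reason in orphaned_accounts(accounts, roster)
            if app in used.get(account, set())]


def unused_entitlements(accounts, used):
    """Entitlements never exercised in the log window: least-privilege removal candidates."""
    return [(app, account) for app, account, _owner in accounts
            if app not in used.get(account, set())]


def candidate_roles(accounts, roster, used):
    """Group active employees by the set of applications they actually use.
    Identical usage sets are the natural starting point for role definitions."""
    owner_of = {account: owner for _app, account, owner in accounts if owner}
    by_pattern = defaultdict(list)
    for account, apps in used.items():
        owner = owner_of.get(account)
        if _owner_active(owner, roster):
            by_pattern[tuple(sorted(apps))].append(owner)
    return {pattern: sorted(owners) for pattern, owners in by_pattern.items()}


if __name__ == "__main__":
    used = parse_log(SSO_LOG)
    print("orphaned:", orphaned_accounts(ACCOUNTS, HR_ROSTER))
    print("orphan activity:", activity_on_orphans(ACCOUNTS, HR_ROSTER, used))
    print("unused entitlements:", unused_entitlements(ACCOUNTS, used))
    print("candidate roles:", candidate_roles(ACCOUNTS, HR_ROSTER, used))
```

Run against the sample data it reports the terminated auditor's payroll account as orphaned and still active in the log, the ownerless service account, an unused pharmacy entitlement for a nurse, and two usage patterns that map naturally onto a "nursing" and a "pharmacy" role. The same joins work at scale once the three inputs are exported from the HR system, the application directories and the SSO reporting database.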
Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations face a situation that requires a backup or a recovery, only to find that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure the backups have no dependencies on administrative accounts or on employees who may have left. It's like testing a fire system: you have to make sure it works. In this instance, backup systems will only work if you still have control over them.
Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords known only to employees who may leave or have already left?
If you ask yourself these questions and don't like the answer to any of them, you may be at risk. What questions keep you up at night? Email me and let me know.
What NIST Missed: The value of password management + SSO + strong authentication
May 20, 2009 at 8:25 AM by David Ting
The National Institute of Standards and Technology (NIST) recently put out a draft "Guide to Enterprise Password Management" for public comment. While it gives a lesson in password management history, it doesn't quite break new ground on prescriptive guidance.
Dave Kearns provided useful analysis of the NIST paper in his recent Managing Passwords article on Network World, and a couple of nuggets of wisdom jumped out at me:
- To their credit, the authors immediately add "…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs." If I were editing, I'd remove that last phrase ("for resources with higher security needs").
- Username/password as sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into "the cloud" it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.
The only way to improve usability and security of password management today is to combine it with single sign-on and multi-factor authentication, as Dave stated in his piece. Dave’s article made me think a bit more about the NIST paper and the intersection of SSO and strong authentication, and here are some of my observations:
- Workflow Trumps Security: No matter how many 'best practices' security folks put in place (for managing passwords specifically), they must mesh with the needs of the business. Users won't embrace policies unless they are easy to adopt and don't interrupt their daily workflow.
- Where's the Business Value: We frequently hear from high-value users who feel their job is to get the job done (trading, saving lives) rather than dealing with the mechanics of entering passwords. Mandating a longer, more complex password is fine in theory if you log into an application once a day, but not if you have to access the same application several times an hour.
- No More Passwords Please: The most effective way to deal with password management today is to combine stronger user authentication with a system that automates password use and exploits the maximum strength the application allows: SSO coupled with opaque passwords (unknown to the users). This gives you the best of both worlds.
- Automate the Logon Where Possible: Injecting the password directly into the login form keeps it off the keyboard, so a keystroke logger never sees the password or the login sequence, and that gap is closed. (Injection does not stop malware that hooks the form or reads process memory, so it complements endpoint controls rather than replacing them.)
- Leverage Strong Authentication Options: Many people still believe passwords are the inexpensive authentication option; however, today's strong authentication solutions are far more cost-effective and easier to deploy and maintain than they were just a few years ago, and, more importantly, we see higher user adoption.
So the value of password management + SSO + strong authentication is increasingly acknowledged. Among our customer base at Imprivata, 75-80 percent of customers use one or more forms of strong authentication with SSO. We rarely encounter a new deal that does not include strong authentication, and many of our customers prefer to deploy a variety of modalities (finger biometrics, tokens, proximity cards) that they can tie to the security level of the data being accessed by a given user. In fact, strong authentication is now often the driver of a deal, and SSO is pulled through.
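What "opaque passwords" look like in practice, as an added example that is not code from the post or from any Imprivata product: the SSO agent generates each application password at the full length the application accepts, rotates it on a schedule, and supplies it to the login form itself, so the user never learns it and has nothing to share, write down or type into a phishing page. The password policy shape, the 30-day rotation interval and the sample user and application are assumptions; the vault is in-memory for illustration, whereas a real agent would keep it encrypted under the user's primary credential.

```python
# Added example, not from the original post or any Imprivata product. Shows an
# SSO-style vault of application passwords that are opaque to the user. The
# policy shape, the 30-day rotation interval and the sample names are assumptions.
import math
import secrets
import string
from datetime import date, timedelta

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_opaque_password(length=32, classes=CLASSES):
    """Uniformly random password over the union alphabet, resampled until every
    required class appears. Rejection sampling keeps the distribution uniform over
    policy-conforming strings; 'one from each class, then shuffle' does not."""
    if length < len(classes):
        raise ValueError("length too short for the required character classes")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Guessing entropy (in bits) of a uniformly random password."""
    return length * math.log2(alphabet_size)


def policy_ok(pw, min_length=12):
    """The application's assumed complexity policy: minimum length plus all four classes."""
    return (len(pw) >= min_length
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw))


class OpaqueVault:
    """Per-(user, application) passwords the user never sees or types.
    Dates are ISO strings so the vault can be driven from logs or tests."""

    def __init__(self, max_age_days=30):
        self.max_age = timedelta(days=max_age_days)
        self._entries = {}  # (user, app) -> (password, date set)

    def enroll(self, user, app, today, length=32):
        self._entries[(user, app)] = (generate_opaque_password(length), date.fromisoformat(today))

    def needs_rotation(self, user, app, today):
        _pw, set_on = self._entries[(user, app)]
        return date.fromisoformat(today) - set_on >= self.max_age

    def credential_for(self, user, app, today):
        """What the agent injects into the application's login form. Rotation
        happens here with no user involvement; a real agent would also push the
        new password to the application before returning it."""
        if self.needs_rotation(user, app, today):
            self.enroll(user, app, today)
        return self._entries[(user, app)][0]


if __name__ == "__main__":
    vault = OpaqueVault()
    vault.enroll("aadams", "emr", "2009-05-01")
    pw = vault.credential_for("aadams", "emr", "2009-05-20")
    print("policy ok:", policy_ok(pw), "length:", len(pw))
    print("user-chosen 8 chars over 94 symbols: %.0f bits" % entropy_bits(8, 94))
    print("opaque 32 chars over %d symbols: %.0f bits" % (len(ALPHABET), entropy_bits(32, len(ALPHABET))))
```

The entropy comparison is the whole argument in two numbers: an eight-character password that a user must remember tops out near 52 bits even when drawn uniformly, which no human-chosen password is, while a 32-character opaque password over the same kind of alphabet is above 200 bits and can be rotated monthly without anyone noticing.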
We’ve run a few surveys lately, one squarely on this topic of strong authentication and SSO that you may find worth checking out: /content27465
--Dave
Stimulating Strong Authentication
February 20, 2009 at 6:54 pm by David Ting
The stimulus package recently signed by President Obama has been the cause of vigorous debate. One by-product of the package that has not been widely discussed is a provision intended to reshape the medical industry by moving the medical records of all Americans to computerized form. An increase in electronic information of this magnitude greatly raises the exposure to a security breach, which is what we'll focus on today.
While the program sets high goals of making records accessible, increasing healthcare efficiencies and reducing costs, security for a program of this magnitude needs to take a zero-gap approach - removing any security risk that could lead to a data breach. When you consider the number of sources for medical information, and the number of healthcare employees across the country, security for a project of this size represents some huge challenges.
So where do we start? From a data security standpoint, a lot can be learned from the hospitals and healthcare facilities, which have spent years focused on HIPAA compliance, as well as from other countries that have embraced a similar approach to digital medical records.
We've seen customers such as OhioHealth go completely paperless, with digital record keeping replacing the extensive paper files commonplace in the industry. OhioHealth took an innovative approach to securing patient data from the access standpoint, leveraging single sign-on as the core of its digital authentication strategy: employees reach the applications and information they need only after first authenticating via a biometric device or a strong password.
Controlling access is only part of the equation. Once a user is in, there is a need to monitor and control how the information is used, to prevent a breach after initial access has been granted. The proper steps may be taken to authenticate a user, but what happens when the clinician walks away and leaves the session open on the workstation? And when a life-or-death order needs to be placed or a prescription filled, the activity must be traceable to the specific doctor, nurse or clinician who performed it.
Making the medical records of hundreds of millions of citizens accessible is certainly a step forward, yet keeping them private is a tremendously complex problem, one that will need to be addressed before the program can move forward in earnest.
What are your thoughts? Email me and let me know.
Drowning in Security: Keeping Security Transparent from Users
July 3, 2008 at 10:00 am by David Ting
Users from temporary staff all the way up to the corner office complain about 'drowning in security.' Why does it sometimes take four more passwords to open an email at work than to check a bank balance from the home PC? The things that make a car safe (airbags, safety glass, crumple zones) are not obvious to the driver. What lessons can we take from such hidden safety measures to make security less of a drag on employee performance?

People are resourceful. They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors. Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combination of finger biometrics and single sign-on made access less of a chore. The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.
What do you think? Are you drowning in security?
-David
MUSE Musings
June 2, 2008 at 10:30 am by John Clark
Having spent last week at the 2008 International MUSE (Medical Users Software Exchange) Conference in Grapevine, Texas, the 25th annual gathering of clinical and technical users of Meditech software, I was delighted to see that SSO is such a hot topic among this group. There were five customer presentations related to SSO and strong authentication, and all of them were filled to capacity.
Also of note was the fact that at a gathering on Monday of 62 CIOs, CMIOs, and CNOs representing Meditech hospitals, it was clear that SSO was one of the priorities that they plan to address. As it was explained to me by one of our customers, the group was broken into smaller workshops and given a $6M annual IT budget. Then they were asked to work collaboratively to develop and prioritize initiatives for a five year plan at a fictitious hospital.
As expected, investment in clinical applications took precedence in the Priority Matrix that was developed based on a polling of the groups. The Matrix consists of 4 quadrants; Avoid, Consider, Implement and Invest. According to this group, SSO has crossed into the Invest quadrant, and most of the group felt as though it was something to be addressed before the end of 2009. It seems that this interest is being driven as much by the need for user convenience as it is by HIPAA compliance. If you work in a healthcare organization, I'd be curious to hear about your priorities and if this sounds in line with your plans.
John Clark, Product Manager
Discussing the Identity Balance
May 22, 2008 at 8:00 am by Rik Van Bruggen
Next week, on Tuesday 27th of May, we will be speaking at the ICT & Healthcare seminar in Ede, the Netherlands. The topic of our discussion is clear and simple: how can we restore the "identity balance"? With this topic, we aim to explore how customers and partners can work with healthcare organisations to strike the right balance between
- security requirements: how to make sure that access to networks and applications is only granted to the appropriate, trusted user
- productivity requirements: how to make sure that this trusted user does not have to lose the productivity that he/she is used to
Typically, most hospitals have grown into a situation where security is either terribly hard to use or almost non-existent. The balance almost always tips in favour of either security or productivity, and that needs to change, because what we really need is both. Regulators are starting to see that too, hence the great number of compliance guidelines, also in the Netherlands (see for example NEN 7510).
Imprivata has a lot of crisp ideas on this topic which we would like to discuss with you. So if you want to join us in this discussion - please do!
Five Identity Management Trends to Watch
May 19, 2008 at 11:00 am by David Ting
I'm often asked what seems like a simple question: "what's new in identity management?" As simple as it is, it's a big question, so here are five trends that I see out there for identity management... at least for now.
#1: The Pendulum Swing is Back to Thin Client Computing
Technology changes, including 64-bit computing platforms, multicore processors, cost-effective broadband connectivity and dirt-cheap storage, combined with the rising costs of energy, cooling and space, are forcing a re-evaluation of how we put computing power in the hands of the user. Virtualization has simplified the management of shared computing resources and is propelling the shift back to thin-client computing. This puts even greater emphasis on how you manage identities, control access and provision applications within these virtualized environments. The shift to centrally managed, centrally hosted environments enables (and is driven by) greater mobility and flexibility in workflow and workforce, which puts new pressure on how identity management policy, procedure and technology work together to create a secure yet flexible environment.
#2: De-Perimeterizing the Network: Softening of the Network Continues
Perimeters are no longer rigid, hard and securable, so firewalls, IDS and IPS are no longer adequate on their own. Defense in depth comes to mind as the perimeter blurs and insider threats rise in prominence. The notion that the network itself can be secured is rapidly melting away as business practices force access to be opened up to partners, customers and remote workers. The emphasis shifts to knowing who is doing what with your data and applications, regardless of where they are. Strong authentication and contextual authorization, including location-based authentication, become even more critical in this environment as one tries to extend enforcement of access policies to critical corporate resources.
#3: Enterprise Biometrics Realizing its Potential
Look around you: everything is being biometrics-enabled, and laptops and other computer hardware now ship with fingerprint readers. Cost is no longer the barrier to widespread adoption as scanners become commoditized. With this change, enterprises are re-examining how best to deploy strong authentication within their organizations. Storing enterprise biometric templates safely while supporting a mobile workforce is the key to unleashing the true power and usability of biometrics; interoperability, together with assuring users that their biometric identities are properly secured, is critical to widespread adoption. The time for biometrics is now.
#4: Enterprise-Level Functionality Moves to the Mid-Market
ESSO, strong authentication and access control have become mainstream. All of these technologies are becoming more cost-effective for the midmarket and easier to implement, making them more attainable. The economics are there for midmarket companies to achieve the security that was once thought of as an enterprise luxury, strengthening the security of the overall ecosystem of business worldwide. Joel Dubin hits this point well in his SearchCIO-Midmarket.com piece. The more midmarket companies deploy strong security practices and technologies, the harder time the bad guys have wreaking havoc.
#5: Higher Emphasis on Insider Threats Drive a Focus on Data Protection and Compliance
At Kuppinger Cole's 2nd European Identity Conference it was clear that the events at Société Générale have elevated everyone's sensitivity to how much damage an insider can do. One speaker put it succinctly: "banks have money, a lot of money, and often some of their employees feel they should have some of that money as well." It is clear insider threats will only become more frequent as we open up more access to critical systems. It is simply too lucrative and too easy to hide behind the anonymity of a digital identity; after all, how are they going to prove it was you who accessed the system when you used your colleague's logon credentials? As an enterprise, you had better know who your people are, how they are getting on the system, what they are doing, and from where. The insider threat will be among the top threats in 2008, and is already a key discussion within identity management circles.
So let me put the question out to you: what are the trends that you are seeing out there? Chime in in the comments section, or drop me a line.
-David Ting, CTO
Welcome to Identity 360
May 15, 2008 at 10:30 am by David Ting
Welcome to Identity 360, our blog covering ideas and issues related to converged identity and access management in the enterprise. We aim to discuss the full gamut of topics, including physical security, network authentication, single sign-on, compliance, multi-factor authentication, insider threats, strong authentication, password management, etc. Not to mention chiming in on current events as they happen along the way.
We look forward to an interactive discussion with everyone, and to hearing from security professionals, media and analysts about what they see out there. If you don't feel comfortable commenting directly to a post, you can always contact us via blog@imprivata.com.
You may be wondering who I mean by "we." While I will be a regular contributor to Identity 360, there will be a range of voices here to broaden the expertise beyond my own and provide a range of experience from those on the identity front lines.
Let us know if you have specific topics you'd like us to address, or if you have an experience you'd like to share. Thanks for taking the time to visit us and come back often to see what's new!
- David Ting, CTO