SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
Barriers to EHR Implementation: Fact and Fun
February 5, 2010 at 7:45 PM by David Ting
Over at the Life as a Healthcare CIO blog, John D. Halamka MD captured a list of top barriers to electronic health record (EHR) implementations, then added another ‘Top 10’ that puts a little fun into the serious business of EHRs. Below are the barriers that stood out to me from a data security and healthcare access management perspective, and I urge you to check out John’s blog for more specifics – definitely worth the read and a great source of information.
Key Barriers to deploying EHR worth noting:
#10. Usability – products are hard to use and not well-engineered for clinical workflow
#8. Fear of lost productivity – clinicians are concerned they will lose 25% of their productivity for 3 months after implementations. Administrators are worried that the clinicians are right.
#5. Privacy – there is significant local variation in privacy policy and consent management strategies.
And my favorite tongue-in-cheek barriers John highlighted in his post:
#4. You read about your security breaches in the New York Times
#3. Patients get to go home early because clinicians are busy implementing software
Click over to John’s post for the full lists, and the #1 reasons that are both worth the quick read!
-David
2010 Look Ahead: Chief Security Concerns for Chief Executives
January 13, 2010 at 1:22 PM by David Ting
As we turn the page to 2010 and look to delve into the top-level security concerns that lie ahead, we’d be remiss not to reflect on the security events that helped shape 2009 into the ‘year of the data breach,’ and to take these as learning experiences for the New Year.
With the economy in its worst state in decades, we saw IT budgets decimated and security threats evolve into clever, sophisticated entities that caused serious havoc for organizations. Do the names Kaiser Permanente, Fannie Mae and Stens Corporation ring a bell? These big name organizations experienced some of the most high-profile data breaches as a result of poor security and access management policies. And whether it is a result of disgruntled employees, inappropriate password sharing or terminated employees retaining access rights, these events point to a trend that isn’t going away.
Now let’s focus our attention back on 2010 and break down the top-level security concerns chief executives need to focus on to protect the integrity of their organization. The global economic downturn and the wave of breaches mentioned above are clear indicators that these types of activities will only become more widespread in 2010, as threats are not only escalating but becoming more sophisticated and damaging. And to help protect these organizations, we are seeing an increased number of federal compliance regulations put in place: the HITECH Act, data breach notification laws, HIPAA, Meaningful Use of EMRs, etc.
Understanding these regulations and having strong security policies in place are critical to starting 2010 off on the right foot. On Wednesday, January 27th we will be conducting a webinar demo on Imprivata OneSign and will have a discussion on how technologies such as single sign-on (SSO) strengthen user authentication to network applications, streamline application access and simplify the process of compliance reporting—key elements to understanding the changing security landscape in 2010. We encourage you to attend and participate, and share your ideas for the New Year.
--David
Observations from the 2009 Cerner Health Conference
October 8, 2009 at 9:56 AM by Jon Hamdorf
I just left the annual Cerner Health Conference in Kansas City, where clinical and technical users of Cerner software gather to share ideas, best practices and technology solutions that are molding the future of healthcare.
As is the case year after year, I am truly amazed at Cerner’s representation of the worldwide market. There were representatives from healthcare facilities from around the globe - Australia, Dubai, South America, Canada - all here to discuss their Cerner healthcare IT systems and share their experiences with new and innovative healthcare solutions.
As expected, discussions surrounding the migration to electronic medical records and the HITECH Act swirled around both the sessions and the hallways consistently, but one of the surprising topics that dominated the conversations I had was access management. Access management is a significant pain point for hospitals and after speaking with dozens of organizations at the event, it is clear that healthcare IT executives are eager for fast, convenient and secure access to critical data. It’s notable that with compliance challenges and numerous, high-profile patient privacy violations making front page news, healthcare organizations are still looking for ways to properly protect patient information while providing seamless access to heterogeneous technology environments.
I did have the opportunity to meet with end users at organizations that have committed to providing their clinicians with fast and secure application access to data. These organizations (including Advocate Health Care, BJC Healthcare, Baycare and Albert Einstein Medical) all stressed that the faster the provider can access patient information, the better the health outcome for the patient. Each organization described similar challenges within its unique environment, which single sign-on and strong authentication solutions are addressing to provide secure access to critical applications while improving user productivity.
The healthcare industry is certainly experiencing some exciting changes and opportunities, which will continue as we look to turn the page to 2010. I’d be interested in hearing about the solutions and initiatives your organization is looking to deploy to help secure application access.
Massachusetts Data Protection Law Delayed Again—Is Your Company (Still) At Risk?
September 3, 2009 at 9:44 AM by David Ting
A recent BankInfoSecurity article reported that the Massachusetts Data Protection Law has been delayed yet again, pushing the new effective date back to March 1, 2010. As part of the law, organizations are required to protect confidential data – social security numbers, driver license numbers and financial account/credit/debit card numbers – of Massachusetts citizens. The regulation covers all non-public data, regardless of how the company obtains the information.
However, the state’s Office of Consumer Affairs and Business Regulation (OCABR) modified its data security regulations by facilitating a "risk-based approach" to data security to help small businesses better comply with these regulations. These new amendments take into consideration the size of a business and the amount of personal information it manages, and this is directly linked to the type of security plan that business operates.
As I mentioned in a November 2008 blog post, “Massachusetts Data Privacy Regulations – Are You Protected?”, the need for strong authentication and solid access management policies is apparent: all companies, regardless of location and size, need control over who is accessing what information, how and from where, and, equally important, must maintain detailed audit records. These regulations were put in place to ensure companies are doing just that – taking the proper steps to provide a comprehensive security posture that prevents unauthorized access to confidential customer information. This is especially important in preventing data security breaches as the insider threat continues to escalate.
Nevertheless, this marks the third time in the past 8 months that the law has been extended, perhaps underscoring the point that Massachusetts-based companies may not be prepared or equipped with the security solutions necessary to properly protect their critical customer data, which begs the question: is your organization still at risk of a data breach or unauthorized access?
As I said in 2008, the deadline will be here before you know it, and the last thing you want is to find your company at risk of being non-compliant. Pushing off compliance-driven activities because the deadline has been extended only increases the potential for a breach. If the penalties are not enough to warrant taking action, think about the potential damage to your company’s reputation if such a breach were to occur.
Is your organization compliant with the Massachusetts Data Privacy Regulations? If so, what security policies have you implemented to ensure the integrity of your organization?
Access Management Questions to Ponder
June 4, 2009 at 6:07 PM by David Ting
I was reading about the recent access management related breach at the California Water Services Company, where an auditor resigned but illegally accessed computer systems to steal more than $9 million before leaving. While the company should be lauded for catching the fraud before the wire transfers could go through and irreparable damage could be done, it should serve as another cautionary tale in what has become a recurring theme on the application security front. This is just one more saga in an ever-growing litany of breaches that we’ve been hearing about.
If you’re looking to review your authentication and access management policies, here’s a quick list of topics to focus on and questions you should ask yourself:
Orphaned Account Clean Up
This is a classic and recurring vulnerability in most organizations, and a priority for getting your house in order. When an employee leaves an organization, too often his access to sensitive applications and information is left open. Organizations run into trouble when accounts can’t be quickly deactivated, or if they lack a direct correlation between employee names and the accounts they were credentialed to access.
By using technologies like single sign-on, organizations can view access records, employee access rights, and accounts that need to be removed. Deactivating orphaned account access is a critical first step towards comprehensive enterprise security.
Questions to ask: Can we track which employees have access to specific systems? If the employee leaves, can we quickly deactivate access? Do you have the means to gain visibility into what application accounts your users access? If you don’t then it is time to think about how to regain some control.
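The cross-reference the questions above ask for, as an added example that is not code from the original post or from Imprivata: it joins an HR roster against application account exports to list accounts whose owner has left and accounts with no owner at all. The roster, account list and field names are constructed for illustration.

```python
"""Orphaned-account review: cross-reference application accounts against
the HR roster to answer "who has access to what, and should they?".

Added example, not code from the original post or from Imprivata. The roster,
account list and field names are constructed; in practice the inputs come from
HR and from each application's (or the SSO system's) account export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Employee:
    employee_id: str
    name: str
    terminated_on: Optional[date]  # None while still employed


@dataclass(frozen=True)
class AppAccount:
    application: str
    username: str
    employee_id: Optional[str]  # None when the application records no owner


def account_label(acct: AppAccount) -> str:
    return f"{acct.application}:{acct.username}"


def orphan_report(roster: List[Employee], accounts: List[AppAccount],
                  today: date) -> Dict[str, List[str]]:
    """Classify every account that should not exist as-is.

    "terminated": the owner has left (termination date on or before `today`)
    "unmapped":   no owner recorded, or the owner id is unknown to HR, so
                  nobody can say who is behind the account (the missing
                  correlation between employees and accounts)
    """
    by_id = {e.employee_id: e for e in roster}
    report: Dict[str, List[str]] = {"terminated": [], "unmapped": []}
    for acct in accounts:
        owner = by_id.get(acct.employee_id) if acct.employee_id else None
        if owner is None:
            report["unmapped"].append(account_label(acct))
        elif owner.terminated_on is not None and owner.terminated_on <= today:
            report["terminated"].append(account_label(acct))
    for key in report:
        report[key].sort()
    return report


def access_by_employee(roster: List[Employee],
                       accounts: List[AppAccount]) -> Dict[str, List[str]]:
    """Per-employee view of application accounts, for the question
    "can we track which employees have access to specific systems?"."""
    result: Dict[str, List[str]] = {e.employee_id: [] for e in roster}
    for acct in accounts:
        if acct.employee_id in result:
            result[acct.employee_id].append(account_label(acct))
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample data: one active clinician, one auditor who resigned,
# one contractor whose engagement ends later, plus two accounts nobody owns.
REVIEW_DATE = date(2009, 6, 4)
ROSTER = [
    Employee("E100", "A. Clinician", None),
    Employee("E200", "B. Auditor", date(2009, 5, 15)),
    Employee("E300", "C. Contractor", date(2010, 1, 31)),
]
ACCOUNTS = [
    AppAccount("ehr", "aclin", "E100"),
    AppAccount("finance", "baud", "E200"),
    AppAccount("vpn", "baud-remote", "E200"),
    AppAccount("ehr", "ccon", "E300"),
    AppAccount("finance", "svc_reports", None),   # no owner recorded
    AppAccount("vpn", "oldvendor", "E999"),       # owner id unknown to HR
]

if __name__ == "__main__":
    for kind, accts in orphan_report(ROSTER, ACCOUNTS, REVIEW_DATE).items():
        print(f"{kind}: {accts}")
    for emp, accts in access_by_employee(ROSTER, ACCOUNTS).items():
        print(f"{emp}: {accts}")
```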
Controlling User Privileges
Too often, security and employee productivity are viewed as being at odds with each other – this doesn’t have to be the case. A good security policy ensures that employees have the access and information required to perform their job function, but at the lowest level of privilege that allows it.
Questions to ask: Do we understand what privilege levels each individual user has been given? Do they have the lowest level of access privilege required to do their job? What mechanisms do you have to elevate their privilege level, even temporarily, and can you control it?
Defining Organizational Roles
Defining roles in an organization is critical to a strong authentication policy. Assigning access by organizational role provides greater insight into which applications users are touching and whether their access rights match the privileges the role is meant to grant. Organizations usually have little to no role definition, or go to the other extreme by creating too many roles, which becomes unmanageable. Start by getting a handle on who is accessing what. Discuss organizational roles with your business managers to figure out what users need to touch to do their jobs, and then set reasonable boundaries for access outside those defined roles.
Questions to ask: Have we defined roles in our organization? Do the defined roles go far enough? Are our current roles manageable? Again, the question goes back to having enough information on which applications your users are actually touching. Single sign-on systems that provide detailed reports on usage patterns are invaluable during the role discovery phase.
Testing the Backup Systems
Properly functioning backup systems are crucial to business continuity. Too often, organizations are faced with a situation that requires backup or recovery, only to find out that the procedures, passwords or location of the data are nowhere to be found. Organizations need to ensure they have no dependencies on administrative accounts or employees that may have left the organization. It’s like testing a fire system – you have to make sure it works. In this instance, backup systems will only work if you still have control over them.
Questions to ask: Do we regularly test backup systems? Can we access them? Are they protected with passwords that may reside with employees?
If you ask yourself these questions and answer “no” to any of them, then you may be at risk. What questions keep you up at night? Email me and let me know.
Security in the Cloud
October 13, 2008 at 9:30 am by David Ting
While the concept of cloud computing (accessing applications online) has been around for close to a decade, talk on the subject has intensified significantly in recent months. The catalysts for these discussions range from the sharp decline in hardware and network infrastructure costs, to the desire for a business to "go green," to the need for accessibility by an increasingly distributed workforce. Whatever the reason, big business has taken notice, and as this interest turns into action, these companies must be prepared to look at all of the key issues around this move before committing.
What we are seeing today is a growing wave of interest from businesses in deploying a company-wide cloud computing model. In fact, InfoWorld predicted earlier this month that "the high cost of power and space is going to force the IT world to look at cloud services, with a shift to computing as a cloud resource occurring in the next five years." The author goes on to predict that the "emergence of cloud computing will reduce the need for computing at the enterprise level."
Few people question that cloud computing will bring an array of benefits to businesses, many of which have been touched on above. The issue as I see it is that many of the businesses looking to the cloud are not easing in with their eyes fully open but rather are jumping in head first -- as a result, they are forgetting to weigh all the key areas ahead of time, specifically those on the security side. A perfect example involves strong authentication.
Strong authentication solutions are essential for businesses looking to safeguard their company assets against unauthorized access. For those businesses leveraging a cloud computing model, a major selling point is that employees can access critical applications from virtually anywhere while the company saves bundles of cash on infrastructure and maintenance costs. The issue is that once you are in the cloud, the risk of unauthorized access to your systems grows dramatically.
Since the cloud computing model creates a new wave of challenges for the security team, I assumed that these folks are highly involved in all discussions. What surprised me is that in many instances this is not the case. What I have witnessed is that businesses are shutting the security teams out of the discussions altogether and are instead focusing almost solely on architecture. The security team is eventually brought into the discussions, but in many instances the team is literally forced to participate. This is a major oversight that could potentially have significant ramifications down the road.
Strong authentication is a vital element to protecting a business's assets from unauthorized attacks and the need for these solutions only grows when a business shifts to a cloud computing model. As a result, for those businesses preparing to transform to the cloud model, the security team must be a central participant in the discussion from the very beginning. By including them in the process and making them a part of the plan at the initial planning stages, businesses will be able to ensure that operating in a cloud doesn't mean they are flying blind.
-David
Who’s Really Afraid of HIPAA?
September 4, 2008 at 4:00 pm by John Clark
Since 1996, HIPAA has become one of the most important and highly publicized pieces of healthcare legislation in the United States. Over this time it has also become one of THE biggest topics of conversation within the healthcare and security industries, and with good reason: HIPAA involves two major issues, patients and privacy. What's truly amazing to me is that behind the scenes, one would naturally have to assume that the majority of healthcare organizations are being driven by the worry of the potential penalties that might be levied on them by the Department of Health & Human Services (HHS) for their failure to fully comply with HIPAA.
Something tells me the industry isn't quite as concerned as I thought. The latest piece of evidence lending credence to this suspicion involves the recent news around Providence Health & Services, which just last month was penalized for their violation of the privacy section of HIPAA. The fact that a healthcare organization failed to properly protect patient information is not unusual. There have been over 10,000 HIPAA-related complaints filed in recent years. There have also been numerous patient privacy violations as well, including the high-profile breaches that took place earlier this year at the UCLA Medical Center. What we have learned from these incidents is that while many organizations have taken concrete steps to protect their patients, many turning to access management and authentication management solutions, there are always going to be those that fail to properly address their areas of weakness. What really stands out to me is that while both complaints have been filed and incidents have occurred, Providence Health & Services holds what CSO Magazine's Bill Brenner describes as the "uncomfortable distinction of being the first organization penalized for violating the privacy section of the Federal Health Insurance Portability and Accountability Act (HIPAA)."
That's right. While many healthcare organizations have failed to meet the regulations of HIPAA, fines such as the recent $100,000 bill levied to Providence Health & Services have been few and far between. What this tells us is that while HIPAA has raised the bar for the protection of patient information and created an immediate call to action for most organizations, HHS has limited the effectiveness of HIPAA due to its lack of commitment to enforcing the guidelines. The result? Companies which should be focusing on meeting HIPAA's standards and considering the consequences they might face if they fail to do so are ultimately deciding to focus on other projects that they deem more important.
The question is - will HHS ever become more hands on within the industry regarding HIPAA? Because, until HHS becomes consistently more involved and penalizes those that are in violation, the industry will continue with its "business as usual" approach instead of taking all the precautions as outlined by HIPAA. I'd be interested to know - are you addressing HIPAA? And, which is your greater worry - HHS levied fines, or media exposure of a data breach?
If you are interested in hearing more about how a specific healthcare organization - William Osler Health Centre - is leveraging technology to address HIPAA issues, feel free to sit in on our September 9 Webinar titled, "Imprivata, Single Sign-on and Biometrics Deployment: One Hospital Corporation, 3 Strategies." See you there!
-John
A Logical Security Convergence Starting Point: The Data Center
August 28, 2008 at 11:27 am by Chip LeBlanc
Physical-logical security convergence has garnered increased attention over the past year, and we've had countless conversations with both IT departments and physical security teams about the people, process and technology issues that come with the territory. Integrating teams and policy, not just the technology, needs to be well thought out. Increasingly, our conversations with prospects and customers interested in converging physical and logical access focus on where to start that type of project. Though very interested in the promise of converged access, people want, as with any technology, to wade into the water to make sure that it works as advertised technically, that it is easy for users to adopt, that the kinks in reporting are hammered out, and that there is a clear understanding of who owns the integrated environment.
Security Magazine's Bill Zalud just moderated an interesting Webinar on the topic of converged physical-logical solutions with folks from Convergint Technologies, Tyco International, M.C. Peterson & Associates and the Open Security Exchange - check it out here. The topic of project ownership and budget, and inter-departmental communication were identified as primary hurdles to moving forward with a convergence effort. Let's be honest, the physical and IT groups within most organizations often don't communicate as much as one might think.
However, there is a strategic bridge for these two groups -- the data center. IT owns the servers; physical security is responsible for locking down the room. In most cases, the server room/data center is of tremendous importance in today's business and there is a smaller authorized employee base to manage/monitor, so both groups can certainly agree on the need to lock it down and ensure only authorized personnel have access. Finger-pointing and avoidance both get thrown out the door when the company's crown jewels (secret formulas, customer lists, financial reports - which are all stored electronically) are on the line.
The data center as a starting point can help physical and IT groups bridge the gap and start walking the walk, instead of talking the talk. The stakes are too high not to collaborate. In addition, leveraging existing investments tied to the data center makes it an easier transition - two-factor authentication can leverage physical security assets and infrastructure such as card readers. This inserts IT into the process immediately and helps ‘force' collaboration amongst the disparate teams for the common good.
The annual ASIS event is coming up in September (swing by booth #4024 if you're there!), and the topic of physical logical access convergence will be a hot topic once again this year. Come by Imprivata's booth and let's talk shop - I'd love to hear your thoughts on the data center as a physical-logical starting point... whether here on the blog, or at ASIS in September!
-Chip
Proving policies work – easing audit and enforcement of physical and logical security
July 24, 2008 at 1:00 pm by Chip LeBlanc
The term "security policy" used to mean different things to different people. For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time. And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.
During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence. We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly. He agreed wholeheartedly. I added that in the case of "tailgating," someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them. When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network. This approach does not impact correct user behavior and reinforces adherence to the company's policy. The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real-world!
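The check described above, as an added example that is not Imprivata's implementation: at login time the badge system's in/out events for the user are replayed to decide whether the person is recorded inside the workstation's zone, inside the building only, or not on the premises at all. The event format, zone names and the three-way allow/challenge/deny policy are constructed assumptions.

```python
"""Badge-correlated login: before granting network access, ask the building
access system whether the user has badged into the premises and into the zone
the workstation sits in; otherwise deny or step up to a challenge.

Added example, not Imprivata's implementation. The event format, zone names
and the allow / challenge / deny policy below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Set

BUILDING = "building"  # zone recorded by the perimeter (lobby) readers


@dataclass(frozen=True)
class BadgeEvent:
    badge_id: str
    zone: str        # e.g. "building", "data-center"
    direction: str   # "in" or "out"
    at: datetime


def zones_at(events: Iterable[BadgeEvent], badge_id: str, at: datetime) -> Set[str]:
    """Replay this badge's in/out events up to `at` and return the zones the
    holder is currently recorded inside."""
    inside: Set[str] = set()
    for ev in sorted(events, key=lambda e: e.at):
        if ev.badge_id != badge_id or ev.at > at:
            continue
        if ev.direction == "in":
            inside.add(ev.zone)
        elif ev.direction == "out":
            inside.discard(ev.zone)
            if ev.zone == BUILDING:
                inside.clear()  # leaving the building implies leaving every zone
    return inside


def login_decision(events: Iterable[BadgeEvent], badge_id: str,
                   workstation_zone: str, at: datetime) -> str:
    """Policy (constructed for this example):
    ALLOW     - badged into the zone the workstation is in
    CHALLENGE - badged into the building but not into that zone: either the
                person tailgated in, or someone else is using their credentials
    DENY      - no record of the person being on the premises at all
    """
    inside = zones_at(events, badge_id, at)
    if workstation_zone in inside:
        return "ALLOW"
    if BUILDING in inside:
        return "CHALLENGE"
    return "DENY"


def at_time(hh: int, mm: int) -> datetime:
    return datetime(2008, 7, 24, hh, mm)


# Constructed sample day: alice badges all the way into the data center and
# later out again; bob badges into the building only; carol never badges in.
EVENTS = [
    BadgeEvent("alice", BUILDING, "in", at_time(8, 0)),
    BadgeEvent("alice", "data-center", "in", at_time(8, 5)),
    BadgeEvent("bob", BUILDING, "in", at_time(8, 2)),
    BadgeEvent("alice", "data-center", "out", at_time(9, 0)),
    BadgeEvent("alice", BUILDING, "out", at_time(17, 30)),
]

if __name__ == "__main__":
    for who, when in (("alice", at_time(8, 10)), ("alice", at_time(9, 5)),
                      ("bob", at_time(8, 10)), ("carol", at_time(8, 10)),
                      ("alice", at_time(18, 0))):
        print(who, when.time(), login_decision(EVENTS, who, "data-center", when))
```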
We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well. By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely. Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.
Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions. So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments. Ah-ha moment #2 for the pharma security executive.
In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.
What are your policy management concerns and challenges? How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?
-Chip LeBlanc, VP Business Development
Where’s your Remote Control?
July 17, 2008 at 3:05 pm by David Ting
Managing the Increasing Vulnerability of a Decentralized Workforce
More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here's a few that stood out for me:
- 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
- Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files
So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down. And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.
Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials. This makes it impossible to trace any action back to an individual.
I want to restate the problem: most organizations have only a nebulous process for shutting down access for remote workers (past and present!). In many cases, consultants can still access files/networks from old engagements. Think of the Lending Tree debacle from earlier this year. Former employees sharing passwords with outsiders via remote/Web access was the culprit there, but it highlights an important issue. How many of us know people who claim they can still log in remotely to their former accounts?
Remote access is very problematic because it bypasses the layers (guards, turnstiles, badge readers, etc.) that safeguard computer access within the building, so it is extremely risky to leave open. This is the reason almost all compliance requirements mandate shutting down access as part of an employee/partnership termination process.
I've had discussions with many consultants and found that as businesses shift to a more de-centralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged. The challenge: remote access is often orphaned because it falls between the physical, IT and networking groups. Companies shut off physical access, but nobody informs the network manager responsible for remote access, so more often than not access privileges are left open. Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off. Good, bad or ugly, how do you manage your remote access?
-David Ting
Drowning in Security: Keeping Security Transparent from Users
July 3, 2008 at 10:00 am by David Ting
Users from temporary staff all the way up to the corner office complain about ‘drowning in security.’ Why does it take, in some cases, four more passwords to open an email at work than to check a bank balance from the home PC? The things that make a car safe - airbags, safety glass, crumple zones, etc. - are not obvious to the driver. What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?

People are resourceful. They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors. Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combination of finger biometrics and single sign-on made access less of a chore. The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.
What do you think? Are you drowning in security?
-David
Financial Services CIOs, Insider Threats and the Human Behavior
June 26, 2008 at 11:00 am by David Ting
I've had a few conversations lately around the topic of the insider threat in the financial services arena, so I figured I'd scan the Web to see what's out there and came across an interesting InfoWorld article. Though it is from last fall, it hits on a number of concerns that are timely now, especially given major breaches like Societe Generale. The article reports on a Deloitte study that highlights two major data points I want to call out:
1. 91% of financial services companies' CIOs are concerned with the inability to deal with the inside threat
2. 79% of respondents stated that human behavior is a big factor
Read those numbers again. This was a survey of 100 global financial services firms that have deep pockets and vast technologies, and it was conducted before Societe Generale was in everyone's vocabulary. More significantly, most weren't providing new training to workers on security. In general, training requires changes in behavior, and let's face it, most people don't embrace change to their daily routines, especially to improve security. Change is disruptive; change implies more work. This further reinforces the belief that security needs to be invisible to the user (which I'll address in a future blog entry).
These insider threats have brought on the wave of data leakage protection (DLP) technologies, but at the core, identity and access management remains the central choke point for addressing the insider threat. Knowing who's accessing what, when and from where is a key part of the paper trail to find out if there's been misbehavior or accidental leakage. Mix in integration of physical and logical security, a touch of strong authentication and effective access management, and you've created a potent recipe for deterring the insider threat. The operative word here is deter - the ability to undeniably trace actions back to an individual reduces the urge to push the limits on misusing the system.
Tell me, what's your insider threat protection recipe? What are you using (or planning to use) to address the biggest business security threat we now face? How does/will it change human behavior of your workers?
-David
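The "who, what, when and from where" paper trail above only deters anyone if each action really does trace back to one person, and the password sharing described in the "Drowning in Security" post is exactly what breaks that link. The script below is an added example, not Imprivata's product logic or anything from either post. It runs over a few constructed application access-log lines and flags an account that is logged in on two workstations at once, which is the simplest observable symptom of a shared credential (or of an unattended session that someone else walked up to). The log format, field names, workstation ids and users are assumptions.

```python
"""Detect overlapping sessions for one account on two workstations.

Added example with a constructed log format; in practice you would feed
it the SSO or application audit log, whatever its real field names are."""
import re
from datetime import datetime

# Constructed sample log.  dr.jones is "logged in" in the ER and the ICU at the
# same time; nurse.ray logs out before moving, which is the legitimate pattern.
LOG_LINES = """\
2008-06-12T08:01:12 user=dr.jones ws=ER-07 action=login app=EHR
2008-06-12T08:03:40 user=dr.jones ws=ICU-02 action=login app=EHR
2008-06-12T08:05:00 user=nurse.ray ws=ER-03 action=login app=EHR
2008-06-12T08:20:00 user=nurse.ray ws=ER-03 action=logout app=EHR
2008-06-12T08:21:30 user=nurse.ray ws=ER-05 action=login app=EHR
2008-06-12T08:45:00 user=dr.jones ws=ER-07 action=logout app=EHR
2008-06-12T09:02:10 user=dr.jones ws=ICU-02 action=logout app=EHR
this line is malformed and must be skipped, not crash the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) ws=(?P<ws>\S+) action=(?P<action>login|logout)"
)


def parse_events(text):
    """Yield (timestamp, user, workstation, action) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                              # tolerate junk lines
        yield (datetime.fromisoformat(m["ts"]), m["user"], m["ws"], m["action"])


def find_overlapping_sessions(events):
    """Return one finding per login that happens while the same account already
    holds an open session on a different workstation."""
    open_sessions = {}                            # user -> {workstation: login_time}
    findings = []
    for ts, user, ws, action in sorted(events):
        sessions = open_sessions.setdefault(user, {})
        if action == "logout":
            sessions.pop(ws, None)                # logout for an unknown session is harmless
            continue
        for other_ws, since in sessions.items():
            if other_ws != ws:
                findings.append({
                    "user": user,
                    "already_open_on": other_ws,
                    "open_since": since,
                    "new_login_on": ws,
                    "at": ts,
                    "seconds_between_logins": int((ts - since).total_seconds()),
                })
        sessions[ws] = ts                         # re-login on the same workstation just refreshes it
    return findings


def flagged_users(text):
    return sorted({f["user"] for f in find_overlapping_sessions(parse_events(text))})


if __name__ == "__main__":
    for f in find_overlapping_sessions(parse_events(LOG_LINES)):
        print(f"{f['user']}: open on {f['already_open_on']} since {f['open_since']:%H:%M}, "
              f"logged in again on {f['new_login_on']} at {f['at']:%H:%M}")
```

A hit here does not prove misuse by itself; it proves the audit trail can no longer name one individual for that window, which is the property the deterrent depends on. If the workstations carry locations, add a distance or walk-time threshold so a clinician who genuinely forgot to log out is separated from an account that is in two wings at once.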
Identifying Identity Resources
June 19, 2008 at 4:30 pm by David Ting
There's a lot of news and opinion on the web as the blogosphere continues to grow. As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click through the rabbit hole of conversations.
In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with:
Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether
The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner." If you know IDM, you surely know Dave's name.
Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.
Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.
Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out. Worth a read.
The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space. If you're in this space (or have clients there), check out his blog regularly.
The Health Blog -WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business level trends, issues and current events in the healthcare arena.
SecurityDreamer - Steve Hunt's among the most vocal and thoughtful on topics surrounding physical-logical security convergence.
Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.
So what IDM blogs and outlets do you follow? Let me know - I'd love to add ‘em to my reading list.
-David
Inside the Insider Threat
June 12, 2008 at 1:29 pm by David Ting
We have met the enemy, and he is us.
Insider threat is among the biggest challenges security folks face in 2008. The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise. It's a simple reality that we all have to deal with. Check out last month's 2008 Global Information Security Workforce Study conducted by Frost & Sullivan for ISC(2) and SearchSecurity.com's coverage. Two-factor authentication using biometrics as well as physical-logical convergence will gain speed in dealing with the insider threat.
All of a sudden it feels like potentially anyone can be impacted. Check out the stories that have made headlines worldwide, from breaches of Britney Spears' and Farrah Fawcett's medical records to LendingTree customer data being compromised by former employees with still-active passwords. These are scenarios where better access management and strong authentication would have made the difference. The side benefit of implementing strong authentication is often the elevated awareness that security is taken seriously.
And now the feds are involved. They're investigating ties between hospitals and the tabloids to source and pursue the leaks of celebrity medical files.
It's clear insider threats will only become more frequent. It's simply too lucrative, and too easy to hide behind a digital identity. As an enterprise, you had better know who your people are, what they are doing, and from where. Or at least get the message out that preventative steps are in the works! (More on this in a future blog.)
I actually just had an interesting podcast discussion on this subject with Network World's Keith Shaw that you should check out.
What are your stories? How are you dealing with the insider threat?
--David Ting, CTO