SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers. Download the webinar today!
Identity 360 - An Imprivata Blog
New York Times article on Single Sign-on: Cryptography vs. Passwords?
August 21, 2008 at 12:00 pm by David Ting
The New York Times recently posted an article decrying passwords as an inadequate defense against today's wave of identity theft. The article goes on to push a cryptography-based approach to log-on systems, touting 'information cards' that rely on a handshake between machines to authenticate a user, or in this case a site visitor. It then rails against the OpenID initiative because of its password-driven approach to SSO for OpenID-enabled Web sites.
I read some of the comments under the article and they are politely saying the same thing - that it would be great if all the servers and users out there used PKI for mutually authenticating each other. Reality: this won't happen unless everyone makes the big switch. Unfortunately major upheavals like this take tremendous investment. Major investment indeed - by a lot of people, companies and policy makers.
A relevant analogy is the transition to fiber optics at home: 30 years ago we knew it was a better technology and that it would revolutionize telecommunications, *but*, with copper in place for telephone service, who was going to make the investment to solve the "last mile problem", the copper that runs between the pole and the phone in your house [not to mention ditching the previous investments put into copper all those years]? Only now, with telcos being allowed to sell new services such as video content, are they incented to invest the billions of dollars required to bring fiber to the house.
So it is with PKI - the notion of using an info card to authenticate is the same strategy tried with PKI almost a decade ago. It failed because it required companies to make a significant investment to not only upgrade their server applications to use certificates, but more importantly, it required all clients to have valid certificates. The investment and expense required couldn't be justified on the basis of improving security, much less to provide SSO convenience. If a company has to choose between turning away customers that don't have info cards or certificates and increasing security - which option would it pick? The existing infrastructure for user authentication will continue to use passwords for a long time just like we lived with copper and analog voice support because the economics aren't there to switch. Using PKI to reduce user convenience issues isn't worth it when other technologies such as enterprise SSO can address those same issues.
Sure, single sign-on in the enterprise and Web-based SSO operate in different realities, but the convenience factor, combined with the continuous infrastructure investment already made over the past two decades, points to the reality that password-based SSO isn't going anywhere anytime soon. Are there ways to strengthen the security of password-based SSO without losing its convenience? Sure: add strong authentication methods like biometrics [check out my post last week] to provide two-factor authentication. At least there are widespread nearer-term investments being made in that area, in devices all over the world in every industry.
What do you think about password-based SSO vs. the cryptography/information cards approach to SSO the New York Times wrote about?
-David
Putting my finger on the state of biometrics
August 14, 2008 at 1:30 pm by David Ting
Dave Kearns recently posted an article from an interview with Upek on the state of things in the world of biometrics, talking about how fingerprint readers are now being built into laptops, keyboards and all types of devices at a dizzying pace. [disclosure: Imprivata partners with Upek] It was nice to see Dave addressing the topic of biometrics adoption.
Let's be honest, I spend a good deal of time collecting and vetting these amazing little biometric devices that have proven so valuable to our customers. Years ago, working on civil biometrics programs, we had large fingerprint scanners that were nothing more than video cameras that used mirrors, prisms and lenses to obtain an image of a fingerprint. Today's sensors that are mounted on keyboards, notebooks, electronic door locks and safes are often direct-imaging, low-cost silicon sensors capable of producing high quality images with a very small footprint. Combining biometrics with single sign-on has a strong value proposition, as more and more industry and government regulations require two-factor authentication and audit trails for access reporting. Clearly, this last bit is self-promotional, as biometrics is right in Imprivata's sweet spot. You have to admit the convenience of using a simple finger swipe or touch to access all the applications you need on a daily basis is huge, especially if you have to repeatedly log on and log off. And hopefully you always bring your fingerprint with you, unless you're having a very bad day.
Seriously though, the combination of biometrics and single sign-on has a natural synergy. I'll have some more news shortly on the strong authentication front, but in the meantime, when you're thinking of using biometrics and SSO, it's important to take a few things into consideration:
- Ensure high-end image processing technology is embedded into the commercial product you are looking at - there are many solutions out there, and some cost more than they should, so keep an eye out for the balance between cost and system capabilities
- Look for solutions that limit failure rate, or "False Accepts" and "False Rejects." While it is impossible to guarantee that there won't ever be a false accept, keeping the rate better than 1 in 1 million is important.
- For most end-users, authentication is something they want to get done quickly so they can get their job done, so identification or authentication speed is paramount. Acceptable time for authentication (where you enter a user name) should be within a second, and for identification (where you don't enter a username), within 2-3 seconds. Consider the verification speeds of integrated ESSO-biometrics solutions and do a head-to-head comparison of the best alternatives.
- Focus on solutions that can handle a wide range of finger image presentation with higher accuracy. Users don't put their fingers at the same angle or position within the sensor, or swipe the same way, as they did during enrollment, so having a robust solution that can handle variability ensures user adoption. Test the system to see what finger placements are allowed to gauge the user experience - try placing the finger at a different angle or swiping at different speeds. Test with dry, moist, dirty, or oily fingers (right after you've had that French fry) and, above all, try using it by touch alone with your eyes closed.
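To make the false-accept and speed criteria in the list above concrete, here is an added example (not code from the post, from Imprivata or from any sensor vendor) that computes FAR and FRR from constructed matcher scores, checks them against the thresholds the post names, and works out how many impostor trials a vendor must run with zero false accepts before a "better than 1 in 1,000,000" FAR claim is supportable at 95% confidence. The score values, the per-match time and the function names are assumptions for illustration.

```python
import math

# Constructed matcher scores for illustration: a higher score means a stronger match.
# Genuine trials: the enrolled user presents a finger; impostor trials: someone else does.
GENUINE_SCORES = [0.92, 0.88, 0.75, 0.95, 0.60, 0.83, 0.79, 0.91]
IMPOSTOR_SCORES = [0.10, 0.35, 0.72, 0.20, 0.05, 0.41, 0.15, 0.28]


def far_frr(genuine_scores, impostor_scores, threshold):
    """Return (FAR, FRR) at a decision threshold.
    FAR: fraction of impostor attempts scoring at or above the threshold (wrongly accepted).
    FRR: fraction of genuine attempts scoring below the threshold (wrongly rejected)."""
    false_accepts = sum(1 for s in impostor_scores if s >= threshold)
    false_rejects = sum(1 for s in genuine_scores if s < threshold)
    return false_accepts / len(impostor_scores), false_rejects / len(genuine_scores)


def impostor_trials_needed(target_far, confidence=0.95):
    """Smallest number of impostor trials, with zero observed false accepts, that
    supports the claim FAR <= target_far at the given confidence.
    Solves (1 - target_far) ** n <= 1 - confidence; this is the 'rule of three'
    (n ~ 3 / p at 95%) done exactly with log1p for precision at tiny rates."""
    return math.ceil(math.log(1 - confidence) / math.log1p(-target_far))


def identification_latency(per_match_seconds, enrolled_templates):
    """Worst-case 1:N identification time if every enrolled template is compared in
    turn; shows why identification (no username) gets a looser budget than 1:1 verification."""
    return per_match_seconds * enrolled_templates


def meets_post_criteria(far, verify_seconds, identify_seconds):
    """Acceptance check using the thresholds the post lists: FAR better than
    1 in 1,000,000, verification within 1 s, identification within 3 s."""
    return far <= 1e-6 and verify_seconds <= 1.0 and identify_seconds <= 3.0


if __name__ == "__main__":
    for t in (0.5, 0.7, 0.8):
        far, frr = far_frr(GENUINE_SCORES, IMPOSTOR_SCORES, t)
        print(f"threshold {t:.2f}: FAR={far:.3f} FRR={frr:.3f}")
    print("impostor trials needed to support FAR <= 1e-6 at 95%:",
          impostor_trials_needed(1e-6))
    lat = identification_latency(0.002, 1000)  # assumed 2 ms per match, 1000 users
    print("1:N latency for 1000 users:", lat, "s")
    print("meets post criteria:", meets_post_criteria(1e-7, 0.8, lat))
```

The trial-count figure is the part a buyer usually misses: a vendor's FAR claim is only as good as the size of the impostor test set behind it, so ask for that number alongside the rate.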
What do you think about biometrics? Are you using it in your environments? Is it tied to your SSO system? What type of biometrics are you using?
-David
SSO Summit field notes
July 29, 2008 at 9:45 pm by Christopher Paidhrin
There and Back again...
By Christopher Paidhrin
Summary --
Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually: an HA pair and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/).
Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.
The conference was well balanced with interesting case studies (GM, Chrysler and 3M were fascinating), vendor technologies (Covisint, Ping Identity and Coreblox) and breakout sessions. Normally, I don't find much value in breakout sessions; they tend to be space fillers and socializing sessions, but not here. I was impressed by the topic-centered groups, I think there were seven or eight for each round, in that they addressed real and interesting questions. I had difficulty choosing which to sit in on. Fortunately, we pulled together at the end of each session to share the highlights from each group. Even though there were a number of new-to-SSO attendees, the depth and breadth of collaboration within the small groups was impressive. I'm a slow note-taker, so I am anxiously awaiting the digital copies of the presentations and breakout session summaries.
The customer discussion panel that I participated in, with Steve Craige, VP, Bank of the West, and Michael Thomason, Chief Technical Architect, Emory Healthcare, was a good way to contrast how the three of us choose our SSO partners, what our challenges were, and what we learned about ourselves, our organizations and our vendors, in the process.
The "take-away" value from the SSO Summit has been transformative. Now, all I have to do is transfer this experience to my IT security peers and the security architects within ACS, and hope that I do justice to the experts who shared their insight and knowledge with us.
Wish you could have been there. I hope to return again next year.
Details, if you're into that sort of thing--
The Keystone Lodge was a welcoming environment, the facilities were well kept and managed, and the staff was first rate. The weather was mild, the beetle-infested trees were disconcerting, and the ride via Colorado Mountain Express (CME) up and down from Denver International was a pleasant alternative to the rental car experience.
Pluses: Two-plus days in the high mountain air and beautiful scenery; comfortable room, and good food. A day and a half was just right for this event. Dave Kearns, Network World, who hosted the SSO customer panel, commented several times on the Burton Group Catalyst conference held in late June, in San Diego. That conference was three days of sessions, plus two days of workshops. Most people needed a vacation after that much intensity. I was in San Diego too, and I can say that the SSO Summit held its own for the quality and value of content.
Minuses: High mountain altitude made several folks not feel so well. I had a low grade headache for most of the time. I guess it's a trade-off.
Topics of interest
One might not think that SSO would be an engrossing stand-alone topic for a conference, but there was a steady and high interest level among the attendees. I have attended a few (make that several) conferences, and there is an ever-present opportunity to put the masses to sleep. I was pleased to see an active engagement between the hosts, presenters and the audience.
It was evident from the presentations that SSO tools/technologies/standards have come a long way in the past few years. It was also evident that we still have a ways to go. The current state of SSO is solid, but it is conceptualized within three distinct areas, a) Enterprise, b) Federated enterprises, and c) Web-services or universal. Each of these has existing, viable technologies and vendor solutions, but the talk of universal standards is pulling all of them together: if not to share common security standards, then to share common protocol standards. There was a lot of talk about SAML (http://en.wikipedia.org/wiki/SAML) and certificates.
The future of SSO is coming upon us quickly. The adoption of standardized federation, identity and authorization schemas is lagging behind the adoption of Web 2.0, cloud-everything and mobile-diversity technologies and service demands. Both John Haggard and Gunnar Peterson spoke emphatically to the need for "real" security to catch up with the explosion of perimeter-less networks and SaaS/SOA/cloud services. If you have a chance to hear these guys, don't miss it. Or, better yet, invite them to your nearest ITSec event; they'll knock your socks off.
Key take-aways
It helps to know that confusion is not just a personal state of mind. Everyone seems to be struggling with the many issues and challenges of finding, paying for, integrating and deploying a robust, high-availability, scalable, feature-rich and easy-to-manage SSO solution.
There is much room for maturity in the SSO marketplace. It will help when the dust settles from all the mergers and acquisitions, and when the community agrees upon common best practices, protocols, and federation schemas. As the business communities of the world migrate ever so rapidly into a webified service delivery experience, identity and access management will become ever more important. And right there at the gateway, SSO, in one form or another, will be keeping guard.
When people ask me about SSO, I have tried to stress the importance of finding a really good vendor/partner (like Imprivata), because there is too much at stake when deploying an enterprise-wide SSO solution to not have a high degree of competence and wisdom behind you to guarantee success. Even if you have deployed ESSO solutions before, it helps to have expertise on your bench.
Next year's conference focus? Andre hasn't said what that will be, but if it is anything like this year's event, it will be well worth attending.
Regards,
Christopher
Christopher Paidhrin
HIPAA & IT Security Officer
ACS HCS, Inc. for
http://www.superiorconsultant.com/
Southwest Washington Medical Center
Proving policies work – easing audit and enforcement of physical and logical security
July 24, 2008 at 1:00 pm by Chip LeBlanc
The term "security policy" used to mean different things to different people. For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time. And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.
During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence. We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly. He agreed wholeheartedly. I added that in the case of "tailgating," someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them. When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network. This approach does not impact correct user behavior and reinforces adherence to the company's policy. The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real-world!
We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well. By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely. Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.
Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions. So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments. Ah-ha moment #2 for the pharma security executive.
In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.
What are your policy management concerns and challenges? How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?
-Chip LeBlanc, VP Business Development
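The logon check the post describes (query the building access system at logon; allow when the person is badged into the right zone, challenge or deny otherwise) as an added example. This is not Imprivata's code, nor anything from the pharmaceutical company mentioned; the badge events, zone names, workstation-to-zone map and user names are all constructed, and a real deployment would read the events and the zone map from the badge system and the facilities inventory.

```python
from datetime import datetime

# Constructed badge events from a hypothetical building access system:
# (ISO timestamp, user, zone, direction). Users, zones and times are made up.
BADGE_EVENTS = [
    ("2008-07-24T08:02:00", "asmith", "lobby", "in"),
    ("2008-07-24T08:05:00", "asmith", "datacenter", "in"),
    ("2008-07-24T08:10:00", "bjones", "lobby", "in"),
    ("2008-07-24T17:30:00", "asmith", "datacenter", "out"),
]

# Zone each workstation physically sits in (constructed; assumed to come from the
# facilities inventory in a real deployment).
WORKSTATION_ZONE = {"dc-console-01": "datacenter", "ws-0412": "lobby"}


def zones_present(events, user, at_iso):
    """Zones the user has badged into and not yet badged out of, as of the given time.
    Events are replayed in time order so an 'out' cancels the matching 'in'."""
    at = datetime.fromisoformat(at_iso)
    present = set()
    for ts_iso, who, zone, direction in sorted(events):
        ts = datetime.fromisoformat(ts_iso)
        if who != user or ts > at:
            continue
        if direction == "in":
            present.add(zone)
        else:
            present.discard(zone)
    return present


def login_decision(events, user, workstation, at_iso):
    """The decision the post describes:
    ALLOW     - user is badged into the zone the workstation sits in;
    CHALLENGE - user is badged into the building but not into that zone
                (extra questions before access is granted);
    DENY      - no badge-in at all, the tailgating case."""
    zone = WORKSTATION_ZONE[workstation]
    present = zones_present(events, user, at_iso)
    if zone in present:
        return "ALLOW"
    if present:
        return "CHALLENGE"
    return "DENY"


if __name__ == "__main__":
    checks = [
        ("asmith", "dc-console-01", "2008-07-24T09:00:00"),  # in the data center
        ("asmith", "dc-console-01", "2008-07-24T18:00:00"),  # badged out of the zone
        ("bjones", "dc-console-01", "2008-07-24T09:00:00"),  # in building, wrong zone
        ("cdoe", "ws-0412", "2008-07-24T09:00:00"),          # never badged in
    ]
    for user, ws, when in checks:
        print(user, ws, when, "->", login_decision(BADGE_EVENTS, user, ws, when))
```

Note that the check never changes what a correctly behaving user experiences: someone who badged in normally is simply allowed, which is the "does not impact correct user behavior" property the post calls out.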
Where’s your Remote Control?
July 17, 2008 at 3:05 pm by David Ting
Managing the Increasing Vulnerability of a Decentralized Workforce
More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here are a few that stood out for me:
- 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
- Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files
So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down. And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.
Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials. This makes it impossible to trace any action back to an individual.
I want to restate the problem: most organizations have a nebulous process for shutting down access for remote workers (past and present!). In many cases, consultants can still access files/networks from old engagements. Think of the Lending Tree debacle from earlier this year. Old employees' sharing of passwords with outsiders over remote/Web access was the culprit there, but it highlights an important issue. How many of us know people who claim they can still log in remotely to their former accounts?
Remote access is very problematic, because it bypasses the layers (guards, turnstiles, badge readers, etc.) that safeguard computer access within the building, so it is extremely risky to leave open. This is the reason almost all compliance requirements mandate the shutting down of access as part of an employee/partnership termination process.
I've had discussions with many consultants and found that as businesses shift to a more de-centralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged. The challenge: remote access is often orphaned because it falls between physical, IT and the networking group. Companies shut off physical access, but nobody informs the network manager responsible for remote access, so most often access privileges are left open. Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off. Good, bad or ugly, how do you manage your remote access?
-David Ting
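One defender-side way to surface the two problems the post describes, orphaned remote access after physical access is revoked and one set of credentials in use from several places at once, as an added example that is not from the post or from any Imprivata product. It reconciles a list of deactivated badges against the enabled VPN accounts and scans VPN session records for an account connected from a second source address while an earlier session is still open. All user names, addresses, dates and the record format are constructed.

```python
from collections import defaultdict

# Constructed records; every user name, address and date below is made up.
# Physical side: users whose building badge was deactivated (user -> date).
BADGE_DEACTIVATED = {"jdoe": "2008-05-30", "rlee": "2008-06-15"}
# Network side: remote-access (VPN) accounts that are still enabled.
VPN_ACCOUNTS_ENABLED = {"jdoe", "asmith", "rlee", "bjones"}
# Constructed VPN session log, one event per line: "timestamp user src_ip event".
VPN_LOG = """\
2008-07-17T09:00:12 asmith 203.0.113.10 connect
2008-07-17T09:04:40 asmith 198.51.100.7 connect
2008-07-17T10:15:02 jdoe 192.0.2.55 connect
2008-07-17T11:00:00 asmith 203.0.113.10 disconnect
2008-07-17T11:20:00 bjones 203.0.113.44 connect
"""


def orphaned_remote_accounts(badge_deactivated, vpn_enabled):
    """Accounts whose physical access was revoked but whose remote access
    was never shut off: the gap between facilities and the network group."""
    return sorted(u for u in vpn_enabled if u in badge_deactivated)


def parse_vpn_log(text):
    """Split the constructed log into (timestamp, user, src_ip, event) tuples.
    ISO timestamps sort correctly as strings, so no datetime parsing is needed."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, event = line.split()
        rows.append((ts, user, ip, event))
    return rows


def concurrent_sessions(rows):
    """Users who connected from a second source address while a session from
    another address was still live; the symptom of shared credentials that
    makes actions untraceable to one individual."""
    live = defaultdict(set)  # user -> source addresses with an open session
    flagged = set()
    for _, user, ip, event in sorted(rows):
        if event == "connect":
            if any(other != ip for other in live[user]):
                flagged.add(user)
            live[user].add(ip)
        elif event == "disconnect":
            live[user].discard(ip)
    return sorted(flagged)


def orphan_logins(rows, orphaned):
    """Orphaned accounts that actually connected; these go to the top of the cleanup list."""
    return sorted({user for _, user, _, event in rows
                   if event == "connect" and user in orphaned})


if __name__ == "__main__":
    orphans = orphaned_remote_accounts(BADGE_DEACTIVATED, VPN_ACCOUNTS_ENABLED)
    rows = parse_vpn_log(VPN_LOG)
    print("remote access still enabled after badge deactivation:", orphans)
    print("orphaned accounts seen connecting:", orphan_logins(rows, orphans))
    print("accounts with overlapping sessions from different addresses:",
          concurrent_sessions(rows))
```

Running the reconciliation on a schedule, with the badge deactivation list as the authoritative input, gives the network group the notification the post says it never receives.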
Drowning in Security: Keeping Security Transparent from Users
July 3, 2008 at 10:00 am by David Ting
Users from temporary staff all the way up to the corner office complain about 'drowning in security.' Why does it take four more passwords to open an email at work in some cases than to check a bank balance via the home PC? The things that make a car safe - airbags, safety glass, crumple zones, etc. - are not obvious to the driver. What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?

People are resourceful. They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors. Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combo of finger biometrics and single sign-on made it less a chore to access. The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.
What do you think? Are you drowning in security?
-David
One Small Step for E-Prescriptions, One Giant Leap for Healthcare
July 2, 2008 at 3:15 pm by David Ting
The merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others. This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions. It is significant progress, and the latest of many advancements the healthcare sector is driving forward. There is one area of the electronic prescriptions story though that is missing from all of the stories around the RxHub/SureScripts merger, though it's an important piece of the equation - authenticating that the prescription drug order is legitimate, and truly from an approved physician. Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.
The Ohio State Board of Pharmacy is on the mark with the requirements calling for "positive identification" for the prescriber with online prescription orders to use "a method that may not rely solely on the use of a private personal identifier such as a password, but also include a secure means of identification such as the following:" including biometrics or proximity badges (Part N in the mandate).
OhioHealth, on the cutting edge with opening an entirely paperless facility (which the WSJ Health blog covered earlier this year), has also taken a significant step in deploying a strong authentication solution to help its physicians and clinicians embrace electronic prescriptions while adhering to the state's mandates surrounding them. Now many other states are following suit, requiring positive identification and strong authentication for these online orders. [Disclosure: OhioHealth is using Imprivata technology]. However, we've been quite involved in the area of transactional strong authentication, especially in the area of e-prescription authentication, and it is a crucial component of the online prescription drug order process - as noted in Network World.
The RxHub/SureScripts merger is a big step forward in the industry more broadly realizing the benefits of e-prescriptions, but the role of positive identification in the electronic prescription drug order process cannot be overlooked. If you think otherwise, just look at how state mandates are driving technology policy at hospitals nationwide - Ohio is just one of many states that are in tune with these issues.
-David