SSO and Strong Authentication: How OhioHealth Built a Paperless Hospital
In this case study presentation, Joe Greene, IT Security Director at OhioHealth, explains how he and his team approached employee access challenges when they laid the IT foundation at Dublin Methodist, a brand new paperless hospital. More than a year after the doors opened at Dublin, their project is a proven success and there are many best practices and lessons learned to be shared with viewers.  Download the webinar today!

Identity 360 - An Imprivata Blog



filter by tag: identity and access management

Miami Incident Illustrates Insider Breach Trend

July 17, 2009 at 3:40 PM by David Ting

I was reading the recent security breach news about Lesmany Nunez, a former IT administrator who was recently sentenced to a year and one day in federal prison for computer fraud. Mr. Nunez was an employee at Miami-based Quantum Technology Partners (QTP) and three months after his employment ended, he was still able to access the company’s network with an administrator password. What he did then was break into QTP’s servers, shut them down, change the system administrators’ passwords and erase files, all of which ended up costing QTP more than $30,000.

This is just the latest example of a disgruntled employee destroying their former employer's network as a result of having access to critical information well after their job had been terminated. While it is not clear what the motive was behind this activity, it is a clear example of the potential damage caused by former employees. Back in March I blogged for SC Magazine about a similar situation at Fannie Mae, where an employee performed a similar deed. When organizations let employees go, whatever the reason may be, they have to make sure that orphaned accounts, such as Nunez's, are properly deactivated and account passwords changed immediately. Otherwise they leave themselves exposed to these types of vengeful malicious attacks. This is precisely where identity and access management (IAM) initiatives come into play. The right IAM platform provides 360 degrees of employee access management security by providing organizations with the ability to securely authenticate users and streamline application access.

What are your thoughts on this latest insider incident?

Tags: security_breach, identity_and_access_management
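The leaver checks the post calls for (deactivate orphaned accounts, rotate passwords the departed staff may still know) can be verified by reconciling an HR termination feed against a directory export. This is an added example, not code from the post or from Imprivata; the HR and directory records are constructed sample data and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample data (not from the post): HR termination dates and a
# directory export of account state. Field names are assumptions.
HR_TERMINATIONS: Dict[str, date] = {
    "lnunez": date(2008, 12, 1),
    "jsmith": date(2009, 3, 15),
    "kwong": date(2009, 6, 30),
}

@dataclass
class Account:
    username: str
    enabled: bool
    shared: bool                    # shared/service admin credential, not tied to one person
    last_login: Optional[date]
    password_changed: Optional[date]

DIRECTORY: List[Account] = [
    Account("lnunez", True, False, date(2009, 3, 2), date(2008, 6, 1)),    # left, still enabled, used months later
    Account("jsmith", False, False, date(2009, 3, 10), date(2009, 1, 5)),  # left, correctly disabled
    Account("kwong", True, False, date(2009, 6, 29), date(2009, 4, 1)),    # left yesterday, not yet disabled
    Account("dcadmin", True, True, date(2009, 7, 1), date(2007, 1, 1)),    # shared admin, password never rotated
]

def offboarding_findings(accounts: List[Account], terminations: Dict[str, date]) -> List[Tuple[str, str]]:
    """Flag leaver-policy violations: personal accounts still enabled or used after
    the owner's termination date, and shared credentials not rotated after the most
    recent departure (a leaver may still know them)."""
    findings: List[Tuple[str, str]] = []
    latest_departure = max(terminations.values(), default=None)
    for acct in accounts:
        term = terminations.get(acct.username)
        if term is not None:
            if acct.enabled:
                findings.append((acct.username, "enabled after termination"))
            if acct.last_login is not None and acct.last_login > term:
                findings.append((acct.username, "login after termination"))
        if acct.shared and latest_departure is not None:
            if acct.password_changed is None or acct.password_changed < latest_departure:
                findings.append((acct.username, "shared password not rotated since last departure"))
    return findings

if __name__ == "__main__":
    for user, issue in offboarding_findings(DIRECTORY, HR_TERMINATIONS):
        print(f"{user}: {issue}")
```

Run against the real HR feed and directory export, the "login after termination" finding is the one that would have surfaced the post-employment access described in the post.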


Proving policies work – easing audit and enforcement of physical and logical security

July 24, 2008 at 1:00 pm by Chip LeBlanc

The term "security policy" used to mean different things to different people.  For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night.  For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to.  However, this situation is changing with IT and physical security being managed together.  Although they come from separate disciplines, what these two areas have in common is policy.

However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time.  And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.

During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence.  We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly.  He agreed wholeheartedly.  I added that in the case of "tailgating," someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them.  When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network.  This approach does not impact correct user behavior and reinforces adherence to the company's policy.  The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real-world!
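The logon check described above, where the network asks the building access system whether the user has badged into the premises and into the zone where the host sits, can be expressed as a small policy decision. This is an added example, not code from the post or from Imprivata; the badge events, zone names and the ALLOW/CHALLENGE/DENY outcomes are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed sample badge log (not from the post). "building" is the premises
# entry point; "datacenter" is a restricted zone. Shape is an assumption.
@dataclass
class BadgeEvent:
    user: str
    zone: str        # "building" or "datacenter"
    direction: str   # "in" or "out"
    at: datetime

BADGE_LOG: List[BadgeEvent] = [
    BadgeEvent("alice", "building", "in", datetime(2008, 7, 24, 8, 2)),
    BadgeEvent("alice", "datacenter", "in", datetime(2008, 7, 24, 8, 10)),
    BadgeEvent("bob", "building", "in", datetime(2008, 7, 24, 8, 30)),
    BadgeEvent("carol", "building", "in", datetime(2008, 7, 24, 7, 55)),
    BadgeEvent("carol", "building", "out", datetime(2008, 7, 24, 12, 1)),
]

def present_in(user: str, zone: str, log: List[BadgeEvent], at: datetime) -> bool:
    """True if the user's most recent badge event for `zone` before `at` was an entry."""
    events = [e for e in log if e.user == user and e.zone == zone and e.at <= at]
    return bool(events) and max(events, key=lambda e: e.at).direction == "in"

def login_decision(user: str, host_zone: str, at: datetime, log: List[BadgeEvent] = BADGE_LOG) -> str:
    """Decide a logon to a host located in `host_zone`.
    Not badged into the building (tailgated, or badged out): CHALLENGE with extra questions.
    In the building but not badged into a restricted zone whose host is used: DENY.
    Otherwise: ALLOW, so correct badge behaviour is never slowed down."""
    if not present_in(user, "building", log, at):
        return "CHALLENGE"
    if host_zone != "building" and not present_in(user, host_zone, log, at):
        return "DENY"
    return "ALLOW"

if __name__ == "__main__":
    nine = datetime(2008, 7, 24, 9, 0)
    for who, zone in [("alice", "datacenter"), ("bob", "datacenter"), ("bob", "building"), ("dave", "building")]:
        print(who, zone, login_decision(who, zone, nine))
```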

We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well.  By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers.  As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely.  Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.

Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions.  So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments.  Ah-ha moment #2 for the pharma security executive.

In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy.  A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.

What are your policy management concerns and challenges?  How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?

-Chip LeBlanc, VP Business Development

Tags: physical_and_logical_convergence, two_factor_authentication, identity_and_access_management, physical_logical_security, SSO_Appliance, SSO, ESSO, access_management


Identifying Identity Resources

June 19, 2008 at 4:30 pm by David Ting

There's a lot of news and opinions on the web as the blogosphere continues to grow.  As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click through the rabbit hole of conversations on the other side. 

In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with: 

Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether

The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner."  If you know IDM, you surely know Dave's name. 

Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.

Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.

Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out.  Worth a read.

The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space.  If you're in this space (or have clients there), check out his blog regularly.

The Health Blog - WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business level trends, issues and current events in the healthcare arena.

SecurityDreamer - Steve Hunt's among the most vocal and thoughtful on topics surrounding physical-logical security convergence.

Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.

So what IDM blogs and outlets do you follow?  Let me know - I'd love to add ‘em to my reading list.

-David

Tags: identity_and_access_management, physical-logical_convergence, strong_authentication, access_management
