
Identity 360 - An Imprivata Blog



filter by tag: identity management

Identifying Identity Resources, Part II

October 22, 2009 at 9:36 AM by David Ting

 

Back when this blog was in its infancy, we outlined a number of identity management resources that readers should check out. Those blogs are still on the “must-read” list, but there are a number of new ones that have popped up that people interested in identity and access management may find useful.

 

  • The Health Care Blog: this blog covers everything from electronic health records (EHRs) and HIPAA Compliance to HITECH and Health 2.0, often with amusing headlines and relevant details to get the most pressing issues across succinctly.

  • ITBusinessEdge’s Authentication Systems channel: This covers opinion pieces and news, ranging from fingerprint biometrics and other forms of strong authentication to password policy and security risk.

  • FierceEMR: “Mapping the future of Healthcare Information,” this site combines news with opinion on topics ranging from electronic medical records (EMRs), health information exchanges, healthcare access management, interoperability and deployment updates.

  • Healthcare & Technology blog: this blog covers the high-level healthcare IT issues and trends while also pulling in various graphics, charts and video to help tell the story.

  • Planet Identity blog: This blog aggregates blogs related to identity management topics, leaning towards the technical while pulling through data, survey findings and trends from some of the most highly-subscribed blog feeds.

 

Tags: password_policy security_risk identity_management identity_and_access strong_authentication management healthcare_access_management


Tunneling into a Data Breach: The Problem with Remote Access and the Terminated Employee

July 21, 2009 at 1:48 PM by David Ting

Another insider unauthorized access incident came across my radar just as I put the finishing touches on my most recent blog post highlighting Lesmany Nunez’s case being the latest example of a disgruntled employee breaching a network. As of today, the most current remote access security breach involves Danielle Duann, an IT director of a nonprofit organ and tissue donation center.

According to the Department of Justice’s press release, the LifeGift Organization Donation Center claims that Duann’s access had been revoked when her employment had been terminated. However, on the evening she was fired, not only was Duann able to access and delete sensitive information such as organ donation database records, but she also tampered with the computer logging function on LifeGift’s servers to mask her actions.

The DoJ also states that Duann pleaded guilty to the charge of unauthorized computer access and was sentenced to two years in prison and three years of supervised release, and was ordered to pay more than $94,000 to her former employer as compensation for this incident.

In my perspective, the two key takeaways from this incident are:

1. The organization thought it had enough security measures in place to prevent a malicious insider attack from occurring

2. Duann was able to remotely access the system after her termination

As mentioned in a blog post last month, using the summer months to check for ghost or orphaned accounts is a worthwhile endeavor. Remote access continues to be a common vulnerability with recently-terminated employees holding the keys to the castle from afar… it happens over and over. How many times have we heard about ex-employees who boast they still have remote access to their former place of employment? This incident should underscore how prevalent security breaches are as layoffs increase, and serve as a reminder to survey and close off every potential entry point to an organization through a sound identity management strategy that ensures secure authentication and access.

What do you think are the key points here?

-David

Tags: secure_authentication identity_management security_breach
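The check this post recommends, sketched as an added example (not part of the original post or any Imprivata product): reconcile terminated users against each entry point's account inventory, and flag any successful login that happened after the termination time. The system names, users and log format are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: HR termination feed (user -> termination time).
TERMINATIONS = {
    "jdoe": datetime(2009, 7, 1, 17, 0),
    "asmith": datetime(2009, 7, 3, 12, 30),
}

# Constructed account inventory per entry point: system -> {user: enabled?}.
ACCOUNTS = {
    "directory": {"jdoe": False, "asmith": False, "bwong": True},
    "vpn": {"jdoe": True, "asmith": False, "bwong": True},
    "db_admin": {"jdoe": True, "bwong": True},
}

# Constructed authentication log lines: "timestamp system user result".
AUTH_LOG = """\
2009-07-01T09:12:00 vpn jdoe SUCCESS
2009-07-01T21:47:00 vpn jdoe SUCCESS
2009-07-01T21:52:00 db_admin jdoe SUCCESS
2009-07-03T13:05:00 vpn asmith FAILURE
2009-07-03T14:00:00 vpn bwong SUCCESS
"""

def orphaned_accounts(terminations, accounts):
    """Return sorted (user, system) pairs still enabled for terminated users."""
    return sorted(
        (user, system)
        for system, users in accounts.items()
        for user, enabled in users.items()
        if enabled and user in terminations
    )

def logins_after_termination(terminations, log_text):
    """Return successful logins that occurred after the user's termination."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guessing at fields
        stamp, system, user, result = parts
        cutoff = terminations.get(user)
        if cutoff and result == "SUCCESS" and datetime.fromisoformat(stamp) > cutoff:
            hits.append((user, system, stamp))
    return hits

if __name__ == "__main__":
    for user, system in orphaned_accounts(TERMINATIONS, ACCOUNTS):
        print(f"ORPHANED  {user} still enabled on {system}")
    for user, system, stamp in logins_after_termination(TERMINATIONS, AUTH_LOG):
        print(f"ALERT     {user} logged in to {system} at {stamp} after termination")
```

In the sample data the directory account was disabled but the VPN and database accounts were not, which is the gap between "access was revoked" and "every entry point was closed".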


2009 Identity Management Mid-Year Report: A brief look back and ahead

July 9, 2009 at 3:23 PM by David Ting

Back in January, I shared some of my observations on 2009 Priorities for identity management in the new economic reality people are faced with - productivity, security and manageable IT projects. This year’s economics have forced people to do more with less, manage tighter budgets and maintain enterprise security while dealing with re-orgs and layoffs. While 2008 was the worst year to date for data breaches, 2009 hasn’t been much better if you look at this chronology of data breaches, including the recently disclosed incident at Goldman Sachs. The Identity Theft Resource Center keeps tabs as well, and has a nice snapshot of high-profile data breaches. Many of these are the result of unauthorized access, some combined with placing malicious code on servers or laptops to siphon off data. It’s amazing the methods that are being used to access systems, steal data, sometimes extort money and always damage reputations. The potential impact of the unauthorized upload of Goldman Sachs’s proprietary software is still under investigation, but information on how easy it was to pull off makes for scary reading. Given the potential impact of data breaches, there has been significant progress made to tighten access to systems, so let’s review some of the relevant things that are happening in identity management. Following are three areas, I believe, we need to watch for in the latter half of 2009.

Biometrics Hit Stride, Will Gain Even More Steam

Frost & Sullivan projects the European biometrics market to triple from 2008 to 2012, as biometrics are used more now to secure access and prevent breaches. With fingerprint biometric readers and other scanners embedded in everyday devices, the ability to tie unique identity to access via strong authentication means has a profound effect on overall data security.

EHRs Become Focal Point of Healthy Debates

Electronic Health Records (EHRs) are also making headway, thanks in large part to the Recovery and Reinvestment Act of 2009. A large portion of the discussion is based on healthcare access management, patient data security and user authentication. Security assurance is a key hurdle to widespread EHR adoption, but using strong authentication capabilities that are now widely available is a significant enabler to achieving the benefits EHRs promise, while minimizing the security risk. Watch for these specific debates and discussions to progress in 2H 2009.

Greater Emphasis on User Workflows Considered in Product Development

While biometrics authentication has certainly played a role in making user lives easier, new developments around walk-away security and faster access to systems are shortening the process to secure logon. By making it easier for users to come and go from a system, there is less password sharing and improved employee productivity, while encouraging and enforcing better overall identity and password policy management.

What areas do you see most, now that we are half way through 2009?

What issues do you seek to solve?

How can identity management better serve you? --David

Tags: healthcare_access_management password_sharing security_risk fingerprint_biometric enterprise_security user_authentication strong_authentication identity_management data_security password_policy_management


2008 Identity Management Trends in Healthcare Survey Results

May 29, 2008 at 11:00 am by John Clark

After the recent 2008 HIMSS Conference, we conducted a survey of 171 healthcare IT decision makers to identify some of the trends they face relating to identity management. I wanted to call out a few interesting data points:

  • Eighty-five percent of respondents stated that they are looking to use tablets or mobile devices

I found this to be an interesting indicator of the growing need/desire to have anytime access to information - when seconds matter, like in a hospital environment, having data at your fingertips is invaluable.

  • 26 percent of respondents log into applications 20-50 times per day, while another 5 percent log in more than 50 times per day

The figure is stunning.  With compliance issues in mind, imagine having to properly log-in and log-out that many times each day... mind numbing, and certainly a drain on productivity if you have to remember dozens of different passwords.

  • 44 percent of respondents acknowledge that their organizations face state requirements for electronic prescription drug order authentication and verification today.

We've talked with a lot of hospitals over the past 18 months, and this stat is representative of those conversations regarding drug dispensing and verification rules.  As organizations go even more digital, they must ensure electronic transactions for prescription drug orders aren't misused or abused and strong authentication measures are being mandated - it'll be a primary issue they tackle in the years ahead as more hospitals depend on online information and states get onboard with these requirements.

Check out the press release or the full research brief - 2008 Identity Management Trends in Healthcare summarizing the findings for more.  Overall, pretty interesting stuff.  If you're in the healthcare sector, are these the issues you're having and/or the trends you're seeing?  We'd love to hear from you - chime in with a comment below, or drop me a note.

- John Clark, Product Manager

Tags: identity_management electronic_transactions passwords strong_authentication healthcare


Solving the Chaos of Identities

May 22, 2008 at 9:15 am by David Ting

To paraphrase Princess Leia, ‘the more you tighten your grip, the more star systems will slip through your fingers.' The same can be said in trying to manage identities in today's enterprise.  A number of weeks back, I got into a discussion with the 451Group's Steve Coplan about this very topic:  the chaos of identities.

We talked about the value of single sign-on as not just a convenience and productivity play, but also a key lever to help manage the chaos of identities resulting from an increasingly distributed and decentralized working environment. Provisioning, while critical to an identity management strategy, is by itself not enough. The reasons for this are fundamental to the way businesses are run today. Organizations aren't centralized anymore; decisions are made closest to the point where the needs are. Department heads within lines of businesses perform a critical role in authorizing what applications are used and who within their organizations has access to them. This decentralized decision making not only streamlines the speed of business but empowers the departments to make the best decision.

With the trend towards using hosted applications, the responsibility for managing user access rights, data loss prevention and application security migrates away from IT to the hands of individual employees. Think about those applications used within the organization that are signed and managed by individuals within different business units and you start to appreciate how the [star] systems have slipped through the [IT] hands.

At the same time, however, IT is where the auditors focus when they need to assess compliance and where the investigators look when a breach occurs.  It's a bit counter-intuitive from a security perspective, but rather than fighting the chaos brought on by the proliferation of applications and identities, we need to recognize this behavior naturally occurs as part of the business workflow and work to regain visibility and manageability of the identities created around the enterprise.  Rather than trying to mandate control through centralized control of identities, IT needs to decentralize ways to regain visibility into what applications are used, by whom and through what accounts.

Any large company will attest to the thousands of apps they must manage, but this chaos, if managed correctly, can work in our favor.  Extending the value of SSO to help manage this chaos rather than forcing employees to follow strict, time-consuming counter-productive protocol makes more sense... people are going to do what it takes to get their jobs done, so why add hurdles to the rat race that they'll simply find a way around anyway?  Instead, managing the chaos can provide the observability (for auditing and accountability) and controllability (turning access to data, applications and networks on/off) that companies ultimately seek.

Embrace the chaos.  So, tell us... how chaotic is your star system?  Let us know what you're doing to embrace the chaos, or if you're fighting it!

-David Ting, CTO
Tags: identity_management User_Provisioning


Five Identity Management Trends to Watch

May 19, 2008 at 11:00 am by David Ting

I'm often asked what seems like a simple question: "what's new in identity management?"  As simple as it is, it's a big question so here are five trends that I see out there for identity management... at least for now.

#1: The Pendulum Swing is Back to Thin Client Computing
Technology changes including the 64-bit computing platform, multicore processors, cost effective broadband connectivity, dirt-cheap storage, combined with rising costs of energy, cooling and space are forcing a re-evaluation of how we put computing power at the hands of the user. Virtualization has simplified the management of shared computing resources and helped to propel the shift back to thin client computing. This has put even greater emphasis on how you manage identities, control access and provision applications managed within these virtualized environments. The shift to centrally-managed, centrally-hosted environments enables (and is driven by) greater mobility and flexibility in workflow and workforce - that puts new pressures on how identity management policy, procedure and technology all work together to create a secure yet flexible environment.

#2: De-Perimeterizing the Network:  Softening of the Network Continues
Perimeters are no longer rigid, hard and securable, so firewalls, IDS and IPS are no longer adequate on their own.  Defense in depth security comes to mind as the boundaries of the perimeter blur and soften with insider threats rising in prominence. The notion that the network can be secured is rapidly melting away as business practices force opening up access to partners, customers and remote workers.  The emphasis shifts to knowing who is doing what with your data and applications regardless of where they are geographically.  Strong authentication and contextual authorization including the notion of location-based authentication becomes even more critical in this environment as one tries to extend enforcement of access policies to critical corporate resources.

#3: Enterprise Biometrics Realizing its Potential
Look around you... everything is being biometrics-enabled - laptops and computer hardware are now manufactured with fingerprint readers nowadays, for example.  Cost as a barrier to widespread adoption is no longer the issue as scanners become commoditized. With this change, enterprises are re-examining how best to deploy strong authentication within their organizations.  Storing enterprise biometrics safely to support a mobile workforce is the key to unleashing the true power and usability of biometrics.  Interoperability and assuring the privacy concerns for users that their biometric identities are properly secured are critical to widespread adoption.  The time for biometrics is now.

#4: Enterprise-Level Functionality Moves to the Mid-Market
ESSO, strong authentication and access control have become mainstream.  All of these technologies are becoming more cost-effective for the midmarket and easier to implement, making them more attainable.  The economics are there for midmarket companies to achieve the security that was once thought of as an enterprise luxury, strengthening the security of our overall ecosystem of business worldwide.  Joel Dubin hits this point well in his SearchCIO-Midmarket.com piece.  The more midmarket companies can deploy strong security practices and technologies, the tougher time the bad guys have to wreak havoc.

#5: Higher Emphasis on Insider Threats Drive a Focus on Data Protection and Compliance
At Kuppinger and Cole's 2nd European Identity Conference it was clear the events at Société Générale have elevated everyone's sensitivity to how much damage can be perpetrated by an insider. One speaker described it succinctly when he said that "banks have money, a lot of money and often some of their employees feel they should have some of that money as well." It is clear insider threats will only become more frequent as we open up more access to critical systems. It is simply too lucrative and too easy to hide behind the anonymity of the digital identity - after all, how are they going to prove it is you that has accessed the system when you used your colleague's logon credentials? As an enterprise, you better know who your people are, how they are getting on the system, what they are doing, and from where. The insider threat will be amongst the top threats in 2008, and is already a key discussion within identity management circles.

So let me put the question out to you: what are the trends that you are seeing out there? Chime in on the comments section, or drop me a line.

-David Ting, CTO
Tags: Single_Sign-On biometric_identification identity_management insider_threat strong_authentication
