Posted by David Ting on Thu, Aug 07, 2008 @ 03:07 PM
As more and more industries shift towards paperless transactions, organizations are realizing that identity-based regulations are becoming more common and stringent across various industries. As a result, transaction-level authentication will be the norm in any situation where a person's identity is an important element of the transaction. Recently, according to a Federal Computer Week article, the Drug Enforcement Administration proposed rules to allow e-prescribing of controlled substances, such as painkillers and stimulants. The proposed rules require doctors to use two forms of identification for each transmission of e-prescriptions for controlled substances, in addition to an annual audit of each system by a certified public accountancy. Under current rules, doctors may use e-prescribing for most prescriptions but must sign a written prescription for Schedule II controlled substances, such as Nembutal, OxyContin and opium. The DEA rule, if it becomes final, would allow doctors to use the same system for generating and transmitting all prescriptions.
In addition, other industries are keenly exploring transaction-level security. Wherever there is a need for an absolute audit trail, wherever there is strict regulation like GLBA, HIPAA and PCI -- whether government-driven or industry-driven -- transaction-level security is becoming a crucial element that both companies and software vendors must take into consideration as organizational processes shift toward paperless transactions.
Here is a snapshot of notable industries and the activities that are sparking interest in transaction-level security:
- Healthcare: electronic pharmacy transactions involving either high-value or high-volume purchases of prescription drugs
- Banking: electronic funds transfers where cash is moved in and out of accounts
- Legal: document and transaction tracking is key to ensuring a deal is legitimate and authorized
- Pharmaceutical: adding or updating testing data
- Manufacturing/logistics: controlling inventory
I believe that these instances of positive identification authentication requirements are just the tip of the regulation iceberg. Whether government-driven or industry-driven -- transaction level security is becoming a crucial element that both companies and software vendors must take into consideration as organizational processes shift toward paperless transactions. Moreover, the business case for transactional strong authentication is very appealing, as authenticated electronic transactions can ensure a more efficient and accountable order system. Are you about to embark on a paperless journey? How are you dealing with strong authentication with your transactions? I'd love to hear your stories. David
Posted by David Ting on Thu, Jul 31, 2008 @ 03:30 PM
Modeling Risk
Risk management seems to be the conversation du jour. I was just at the Lenel Paradigm Conference in Rochester with some of their leading security consultants, and the topic that constantly came up was risk and how security practitioners need to understand the business drivers around mitigating risk. With access and authentication management-centric security breaches like LendingTree and Societe Generale making headlines and compliance requirements mandating greater information security, how does one even begin to understand what a company needs to do? New threats, internal and external, pop up every day. Security is a blend of technology, procedures and process that attempt to govern how users access and use information resources. How do we gauge the effectiveness of technologies in place and calibrate them against their cost effectiveness in reducing improper access and use by employees, contractors, ex-employees and visitors? Defense-in-depth is the right approach to strengthening overall security today, but simply deploying intrusion prevention or strong authentication or encryption as another part of the security equation is not enough. So far in IT security we've gotten away with arm waving to promote the need for improving security and relying on our instincts that certain mitigation technologies will be effective for thwarting breaches. The time has come for us to think more as systems engineers and get a clear view of an organization's security posture by modeling the potential risk of a breach and understanding the cost of such a breach. After all, if the goal is to reduce risk, how do you know how much would be appropriate to spend on reducing that risk?
Modeling risk from the outside in and across multiple security layers requires one to quantify the probability that something can slip through a layer (each layer you introduce to the system is another opportunity for leakage and porosity), in the same way one would create a cascaded set of filters, each designed to block specific types of intruder. For those of us who endured those signal processing systems classes years ago, this is just a classic linear system designed to pass certain signals (allowing authorized users to get through) while attenuating or reducing the noise (incorrect or undesirable users) that can be mingled with the signal. In this model one needs to gauge the risk associated with the potential for someone to incorrectly gain access to critical information through each layer. Modeling how physical, network and application security collectively combine as a system to reduce risk allows one to understand how technology, procedural changes or temporal effects interact with each other to holistically impact the cost-effectiveness of the solution. IP security often isn't systematically measured, so you can't clearly quantify risk right now. Therefore you need to figure out how to model risk in order to understand how to reduce the risk associated with a compromised system. [More to come on this in an upcoming post.]
Specifically identifying a cost/benefit ratio of security investments vs. the damage an incident could bring forth may never be crystal clear. However, with a model, it becomes possible to ascertain where threats are most likely to penetrate specific layers, and this will be useful in pinpointing where improvements are needed to mitigate and/or to respond quickly should something indeed happen. In addition, it'll give you the clarity to communicate what you need to those with the critical business case sign-off on your next security investment.
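The cascaded-filter model above, as an added example that is not from the original post: each layer gets a leakage probability, end-to-end leakage is their product, and an assumed attempt rate and breach cost turn that into an expected annual loss that candidate upgrades can be ranked against. The layers, leakages, costs and attempt rate are constructed figures, and the product assumes the layers fail independently.

```python
"""Added example (not from the original post): the cascaded-filter view of
layered security as runnable arithmetic.

Each layer is given the probability that an unauthorized attempt passes
through it (its leakage).  An attempt reaches the asset only if it leaks
through every layer in series, so end-to-end leakage is the product of
the per-layer leakages.  Combined with an assumed attempt rate and breach
cost, that gives an expected annual loss and lets you rank candidate
upgrades by loss reduction per dollar.  All figures are constructed.
Caveat: the product assumes the layers fail independently; a shared
weakness (one stolen badge that opens both door and VPN) breaks that."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Layer:
    name: str
    leak: float           # P(unauthorized attempt passes this layer)
    upgrade_leak: float   # leakage after a proposed improvement
    upgrade_cost: float   # assumed cost of that improvement


def end_to_end_leak(layers: List[Layer], use_upgrade: str = "") -> float:
    """Probability that one attempt slips through every layer in series.
    If use_upgrade names a layer, that layer's upgraded leakage is used."""
    p = 1.0
    for layer in layers:
        p *= layer.upgrade_leak if layer.name == use_upgrade else layer.leak
    return p


def expected_annual_loss(layers: List[Layer], attempts_per_year: float,
                         breach_cost: float, use_upgrade: str = "") -> float:
    """Expected loss per year = attempts x P(breach per attempt) x cost."""
    return attempts_per_year * end_to_end_leak(layers, use_upgrade) * breach_cost


def rank_upgrades(layers: List[Layer], attempts_per_year: float,
                  breach_cost: float) -> List[Tuple[str, float, float]]:
    """(layer, annual loss reduction, reduction per dollar), best value first."""
    base = expected_annual_loss(layers, attempts_per_year, breach_cost)
    ranked = []
    for layer in layers:
        with_upgrade = expected_annual_loss(layers, attempts_per_year,
                                            breach_cost, use_upgrade=layer.name)
        reduction = base - with_upgrade
        ranked.append((layer.name, reduction, reduction / layer.upgrade_cost))
    ranked.sort(key=lambda row: row[2], reverse=True)
    return ranked


# Constructed sample: physical, network and application layers in series
LAYERS = [
    Layer("physical", leak=0.10, upgrade_leak=0.05, upgrade_cost=50_000),
    Layer("network", leak=0.20, upgrade_leak=0.05, upgrade_cost=80_000),
    Layer("application", leak=0.50, upgrade_leak=0.30, upgrade_cost=45_000),
]
ATTEMPTS_PER_YEAR = 200      # constructed: unauthorized attempts reaching layer 1
BREACH_COST = 500_000        # constructed: cost of one successful breach

if __name__ == "__main__":
    print(f"end-to-end leakage: {end_to_end_leak(LAYERS):.4f}")
    loss = expected_annual_loss(LAYERS, ATTEMPTS_PER_YEAR, BREACH_COST)
    print(f"expected annual loss: ${loss:,.0f}")
    for name, reduction, per_dollar in rank_upgrades(LAYERS, ATTEMPTS_PER_YEAR, BREACH_COST):
        print(f"{name:12s} saves ${reduction:,.0f}/yr, ${per_dollar:.2f} per $ spent")
```

Note that the cheapest upgrade is not the best value here: halving the network layer's leakage removes the most expected loss, but the physical upgrade removes more per dollar.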
So, have you assessed your risk potential? What does your model say is the biggest threat today? I'd love to hear what others have found, and the approaches you are taking to modeling risk at your companies.
-David
Posted by Christopher Paidhrin on Tue, Jul 29, 2008 @ 09:45 PM
There and Back again...
By Christopher Paidhrin
Summary --
Full disclosure: I'm just a medium-sized hospital's IT security guy. I've had Imprivata's ESSO appliance (three of them actually, a pair of HA, and a test box) up and running, happily, for about three years. I was invited by Imprivata and Ping Identity to participate in a panel discussion at the SSO Summit held in Keystone, CO, on July 23-25 (http://www.ssosummit.com/).
Andre Durand (Ping Identity) and friends put on a very nice event. There was a good blend of topics, from SSO-centric details, to Federation issues, and a mixture of interesting case studies to visionary presenters like John Haggard (independent security consultant and long-time IT mentor) and Gunnar Peterson (Arctec Group). The event was solid throughout, but to hear John and Gunnar speak about the important issues of the past and future of SSO and IT/Web security, made the event a powerful experience not to be missed.
The conference was well balanced with interesting case studies (GM, Chrysler and 3M were fascinating), vendor technologies (Covisint, Ping Identity and Coreblox) and breakout sessions. Normally, I don't find much value in breakout sessions; they tend to be space fillers and socializing sessions, but not here. I was impressed by the topic-centered groups, I think there were seven or eight for each round, in that they addressed real and interesting questions. I had difficulty choosing which to sit in on. Fortunately, we pulled together at the end of each session to share the highlights from each group. Even though there were a number of new-to-SSO attendees, the depth and breadth of collaboration within the small groups was impressive. I'm a slow note-taker, so I am anxiously awaiting the digital copies of the presentations and breakout session summaries.
The customer discussion panel that I participated in, with Steve Craige, VP, Bank of the West, and Michael Thomason, Chief Technical Architect, Emory Healthcare, was a good way to contrast how the three of us choose our SSO partners, what our challenges were, and what we learned about ourselves, our organizations and our vendors, in the process.
The "take-away" value from the SSO Summit has been transformative. Now, all I have to do is transfer this experience to my IT security peers and the security architects within ACS, and hope that I do justice to the experts who shared their insight and knowledge with us.
Wish you could have been there. I hope to return again next year.
Details, if you're into that sort of thing--
The Keystone Lodge was a welcoming environment, the facilities were well kept and managed, and the staff was first rate. The weather was mild, the beetle-infested trees were disconcerting, and the ride via Colorado Mountain Express (CME) up and down from Denver International was a pleasant alternative to the rental car experience.
Pluses: Two-plus days in the high mountain air and beautiful scenery; comfortable room, and good food. A day and a half was just right for this event. Dave Kearns, Network World, who hosted the SSO customer panel, commented several times on the Burton Group Catalyst conference held in late June, in San Diego. That conference was three days of sessions, plus two days of workshops. Most people needed a vacation after that much intensity. I was in San Diego too, and I can say that the SSO Summit held its own for the quality and value of content.
Minuses: High mountain altitude made several folks not feel so well. I had a low grade headache for most of the time. I guess it's a trade-off.
Topics of interest
One might not think that SSO would be an engrossing stand-alone topic for a conference, but there was a steady and high interest level among the attendees. I have attended a few (make that several) conferences, and there is an ever present opportunity to put the masses to sleep. I was pleased to see an active engagement between the hosts, presenters and the audience.
It was evident from the presentations that SSO tools/technologies/standards have come a long way in the past few years. It was also evident that we still have a ways to go. The current state of SSO is solid, but it is conceptualized within three distinct areas: a) Enterprise, b) Federated enterprises, and c) Web-services or universal. Each of these has existing, viable technologies and vendor solutions, but the talk of universal standards is pulling all of them together: if not to share common security standards, then to share common protocol standards. There was a lot of talk about SAML (http://en.wikipedia.org/wiki/SAML) and certificates.
The future of SSO is coming upon us quickly. The adoption of standardized federation, identity and authorization schemas is lagging behind the adoption of Web 2.0, cloud-everything and mobile-diversity technologies and service demands. Both John Haggard and Gunnar Peterson spoke emphatically to the need for "real" security to catch up with the explosion of perimeter-less networks and SaaS/SOA/cloud services. If you have a chance to hear these guys, don't miss it. Or, better yet, invite them to your nearest ITSec event; they'll knock your socks off.
Key take-aways
It helps to know that confusion is not just a personal state of mind. Everyone seems to be struggling with the many issues and challenges of finding, paying for, integrating and deploying a robust, high-availability, scalable, feature-rich and easy-to-manage SSO solution.
There is much room for maturity in the SSO marketplace. It will help when the dust settles from all the mergers and acquisitions, and when the community agrees upon common best practices, protocols, and federation schemas. As the business communities of the world migrate ever so rapidly into a webified service delivery experience, identity and access management will become ever more important. And right there at the gateway, SSO, in one form or another, will be keeping guard.
When people ask me about SSO, I have tried to stress the importance of finding a really good vendor/partner (like Imprivata), because there is too much at stake when deploying an enterprise-wide SSO solution to not have a high degree of competence and wisdom behind you to guarantee success. Even if you have deployed ESSO solutions before, it helps to have expertise on your bench.
Next year's conference focus? Andre hasn't said what that will be, but if it is anything like this year's event, it will be well worth attending.
Regards,
Christopher
Christopher Paidhrin
HIPAA & IT Security Officer
ACS HCS, Inc. for
http://www.superiorconsultant.com/
Southwest Washington Medical Center
http://www.swmedicalcenter.org/
Posted by Chip LeBlanc on Thu, Jul 24, 2008 @ 01:00 PM
The term "security policy" used to mean different things to different people. For the facilities management department, it covers physical access points and teaching staff to lock office doors and file cabinets before leaving for the night. For the IT manager, it means keeping up to date with the latest patches and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing with IT and physical security being managed together. Although they come from separate disciplines, what these two areas have in common is policy.
However, from my travels in the field, I've found that the biggest area of interest in both the physical and logical sides of security is ensuring that these policies are actually being enforced and adhered to by employees. The physical security guys all agree that making security policies stick can be tough, especially if they change the ways that employees have been working for some time. And, all agree that the convergence of these two disparate security disciplines ensures policy enforcement will now be possible across both disciplines.
During a recent visit with a pharmaceutical company, I chatted with a security executive about policy management and physical-logical security convergence. We discussed that by linking the physical access system to the IT infrastructure, behavior can be enforced more strictly. He agreed wholeheartedly. I added that in the case of "tailgating," someone who does not badge in to a particular zone (such as a data center) can be denied access to his IT assets if he is not authorized to access them. When logging in, the network can automatically query the building access system to check that the person has badged himself into the premises and into the zone accordingly. If not, access will be denied or the employee will be challenged with questions in order to access the network. This approach does not impact correct user behavior and reinforces adherence to the company's policy. The CIO seemed to have a Eureka moment - sound security policy theory with practical application in the real-world!
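The login-time badge check described in that conversation, as an added example that is not from the original post or any vendor's product: the network login consults the building access system, denies a user with no badge-in on record, and challenges one who is in the building but not badged into the workstation's zone. Badge events, zone names, user names and the 12-hour staleness limit are constructed assumptions.

```python
"""Added example (not from the original post): a login-time check against
the building access system, so that a user who tailgated into a zone
without badging in is challenged or denied.  Badge events, zone names,
user names and the 12-hour staleness limit are constructed; a real
deployment would query the physical access control system instead of
an in-memory list."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

PREMISES = "building"           # the outer zone everyone must badge into
ALLOW, CHALLENGE, DENY = "allow", "challenge", "deny"


@dataclass
class BadgeEvent:
    user: str
    zone: str          # "building", "datacenter", ...
    direction: str     # "in" or "out"
    at: datetime


def last_event(log: List[BadgeEvent], user: str, zone: str,
               now: datetime) -> Optional[BadgeEvent]:
    """Most recent badge event for this user and zone at or before now."""
    events = [e for e in log if e.user == user and e.zone == zone and e.at <= now]
    return max(events, key=lambda e: e.at) if events else None


def login_decision(log: List[BadgeEvent], user: str, workstation_zone: str,
                   now: datetime, max_age: timedelta = timedelta(hours=12)) -> str:
    """Reconcile a network login with the badge system.

    DENY       no current badge-in to the premises (possible tailgating)
    CHALLENGE  badged into the premises but not into the workstation's
               zone, or the premises badge-in is older than max_age
    ALLOW      badged into the premises and into the zone recently
    """
    premises = last_event(log, user, PREMISES, now)
    if premises is None or premises.direction != "in":
        return DENY
    if now - premises.at > max_age:
        return CHALLENGE            # assumed policy: stale badge-in needs a second factor
    if workstation_zone != PREMISES:
        zone = last_event(log, user, workstation_zone, now)
        if zone is None or zone.direction != "in":
            return CHALLENGE
    return ALLOW


def _t(hhmm: str, day: int = 24) -> datetime:
    """Helper for the constructed log: a timestamp in July 2008."""
    return datetime(2008, 7, day, int(hhmm[:2]), int(hhmm[3:]))


# Constructed badge log for 24 July 2008
BADGE_LOG = [
    BadgeEvent("alice", PREMISES, "in", _t("08:55")),
    BadgeEvent("alice", "datacenter", "in", _t("09:10")),
    BadgeEvent("bob", PREMISES, "in", _t("08:30")),
    BadgeEvent("bob", "datacenter", "in", _t("09:00")),
    BadgeEvent("bob", "datacenter", "out", _t("09:30")),
    # carol has no events at all: she followed someone through the door
    BadgeEvent("dave", PREMISES, "in", _t("08:00", day=22)),
    BadgeEvent("dave", "datacenter", "in", _t("08:10", day=22)),
]
NOW = _t("09:45")

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        print(user, login_decision(BADGE_LOG, user, "datacenter", NOW))
```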
We continued to discuss how this investment in building access cards can be used as an authentication factor for gaining access to the IT system as well. By linking a user's password to the building access card, an organization can roll out strong authentication for its staff without having to invest in additional tokens or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for entering the network securely. Having an additional factor replace the standard password for access means that security is tighter overall, and unauthorized access is more difficult.
Using building access systems and IT security together in a converged manner creates an infrastructure that is more secure overall, while offering cost benefits compared to the traditionally disparate solutions. So instead of retiring older physical infrastructure investments like badges and readers, integrating with IT security can actually extend the value and revitalize those deep-rooted investments. Ah-ha moment #2 for the pharma security executive.
In addition, auditing and reporting within this converged security environment can be simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts - and makes it easier to see if policies are being followed appropriately and meet various compliance requirements.
What are your policy management concerns and challenges? How has the growing awareness of the need to converge physical and IT security changed the way you interact with your security peers? And, what's working for you?
-Chip LeBlanc, VP Business Development
Posted by David Ting on Thu, Jul 17, 2008 @ 03:05 PM
Managing the Increasing Vulnerability of a Decentralized Workforce
More and more companies today are enabling employees and partners to work remotely, accessing networks, data and applications from just about anywhere to be productive. Being productive is good. Behaving less responsibly is not. I was reading that Cisco Systems commissioned a survey to examine the security behavior of remote workers, and I found some of the findings startling -- here are a few that stood out for me:
- 33 percent of respondents said they "don't see anything wrong" with sharing their work computers with friends and family
- Nearly half (49 percent) of respondents now say they are using their own personal devices to access work files
So what's wrong with this picture? Yes, opening up remote access for telecommuters, consultants and contractors is important for enabling productivity and work/life balance in many cases, but there is often only a nebulous process for shutting access down. And if remote workers are behaving badly, then that opens new potential for security vulnerabilities.
Without interlocking IT access with physical-access privileges, there's no telling where someone is accessing the system from, or if multiple people are simultaneously using the same credentials. This makes it impossible to trace any action back to an individual.
I want to restate the problem: most organizations have a nebulous process for shutting down access for remote workers (past and present!). In many cases, consultants can still access files/networks from old engagements. Think of the Lending Tree debacle from earlier this year. Former employees' sharing of passwords with outsiders via remote/Web access was the culprit there, but it highlights an important issue. How many of us know people who claim they can still log in remotely to their former accounts?
Remote access is very problematic, because it bypasses the layers (guards, turnstiles, badge readers, etc.) that safeguard computer access within the building, so it is extremely risky to leave open. This is the reason almost all compliance requirements mandate the shutting down of access as part of an employee/partnership termination process.
I've had discussions with many consultants and found that as businesses shift to a more decentralized, deperimeterized model, remote access is increasingly important for business operations, but at the same time it cannot be left unmanaged. The challenge: remote access is often orphaned because it falls between the physical, IT and networking groups. Companies shut off physical access, but nobody informs the network manager responsible for remote access, so most often access privileges are left open. Responsibility for the user account is unclear, so even though your company has stopped paying the employee/consultant and shut off physical access, the remote access isn't shut off. Good, bad or ugly, how do you manage your remote access?
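One way to catch the orphaned remote access described above, as an added example that is not from the original post: reconcile the VPN account list against the badge system and the HR roster, and flag enabled accounts whose badge is disabled, that have no HR record behind them, or that were actually used after the badge was deactivated. The records, field names and dates are constructed.

```python
"""Added example (not from the original post): a reconciliation check for
orphaned remote access.  It joins the badge system's view of a person,
the HR roster and the VPN account list, and flags VPN accounts that are
still enabled after physical access was shut off, accounts with no HR
record behind them, and accounts actually used after the badge was
deactivated.  Records, field names and dates are constructed; in practice
each dict would come from an export of the respective system."""
from datetime import date
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (account, reason)


def orphaned_remote_access(badges: Dict[str, dict], hr: Dict[str, dict],
                           vpn: Dict[str, dict]) -> List[Finding]:
    """Return findings for every enabled VPN account that the HR or badge
    records say should no longer exist, sorted by account name."""
    findings: List[Finding] = []
    for account, acct in sorted(vpn.items()):
        if not acct["enabled"]:
            continue                      # already shut off: nothing to flag
        person = hr.get(account)
        if person is None:
            findings.append((account, "no HR record for VPN account"))
        elif person["status"] == "terminated":
            findings.append((account, "HR terminated but VPN still enabled"))
        badge = badges.get(account)
        if badge is None:
            findings.append((account, "no badge record for VPN account"))
        elif badge["status"] == "disabled":
            findings.append((account, "badge disabled but VPN still enabled"))
            last = acct.get("last_login")
            # the strongest signal: the orphaned account is actually in use
            if last is not None and last > badge["disabled_on"]:
                findings.append((account, "VPN used after badge deactivation"))
    return findings


# Constructed exports from the three systems
BADGES = {
    "alice": {"status": "active", "disabled_on": None},
    "bob": {"status": "disabled", "disabled_on": date(2008, 6, 30)},
    "dave": {"status": "disabled", "disabled_on": date(2008, 7, 1)},
    "erin": {"status": "active", "disabled_on": None},
}
HR = {
    "alice": {"status": "active"},
    "bob": {"status": "terminated"},
    "dave": {"status": "terminated"},
    "erin": {"status": "active"},
}
VPN = {
    "alice": {"enabled": True, "last_login": date(2008, 7, 15)},
    "bob": {"enabled": True, "last_login": date(2008, 7, 10)},
    "carol": {"enabled": True, "last_login": date(2008, 5, 1)},   # ex-consultant, never in HR
    "dave": {"enabled": False, "last_login": date(2008, 6, 28)},  # properly offboarded
    "erin": {"enabled": True, "last_login": None},
}

if __name__ == "__main__":
    for account, reason in orphaned_remote_access(BADGES, HR, VPN):
        print(f"{account}: {reason}")
```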
-David Ting
Posted by David Ting on Thu, Jul 03, 2008 @ 10:00 AM
Users from temporary staff all the way up to the corner office complain about 'drowning in security.' Why does it take four more passwords to open an email at work in some cases than to check a bank balance via the home PC? The things that make a car safe - airbags, safety glass, crumple zones, etc. - are not obvious to the driver. What lessons can we adopt from hidden security measures to make security less of a drag on employee performance?

People are resourceful. They'll find ways over, under, around or through security if it is inconvenient or disrupts their workflows or daily behaviors. Sharing passwords among colleagues became standard practice in hospitals because it took too long to log in and out of each application and workstation, until a combo of finger biometrics and single sign-on made access less of a chore. The more we can make security invisible to the end user and easy to embrace, the more secure we'll be.
What do you think? Are you drowning in security?
-David
Posted by David Ting on Wed, Jul 02, 2008 @ 03:15 PM
The merger between RxHub and SureScripts has garnered extensive coverage - here, here and here, among others. This is a huge step forward for standardizing on, and speeding the adoption of, electronic prescriptions. It is significant progress, and the latest of many advancements the healthcare sector is driving forward. There is one area of the electronic prescriptions story though that is missing from all of the stories around the RxHub/SureScripts merger, though it's an important piece of the equation - authenticating that the prescription drug order is legitimate, and truly from an approved physician. Electronic transactions are easier and quicker, sure, but so is the potential for misuse and fraud.
The Ohio State Board of Pharmacy is on the mark with the requirements calling for "positive identification" for the prescriber with online prescription orders to use "a method that may not rely solely on the use of a private personal identifier such as a password, but also include a secure means of identification such as the following:" including biometrics or proximity badges (Part N in the mandate).
OhioHealth, on the cutting edge with opening an entirely paperless facility (which the WSJ Health blog covered earlier this year), has also taken a significant step in deploying a strong authentication solution to help its physicians and clinicians embrace electronic prescriptions while adhering to the state's mandates surrounding them. Now many other states are following suit, requiring positive identification and strong authentication for these online orders. [Disclosure: OhioHealth is using Imprivata technology]. However, we've been quite involved in the area of transactional strong authentication, especially in the area of e-prescription authentication, and it is a crucial component of the online prescription drug order process - as noted in Network World.
The RxHub/SureScripts merger is a big step forward in the industry more broadly realizing the benefits of e-prescriptions, but the role of positive identification in the electronic prescription drug order process cannot be overlooked. If you think otherwise, just look at how state mandates are driving technology policy at hospitals nationwide - Ohio is just one of many states that are in tune with these issues.
-David
Posted by David Ting on Thu, Jun 26, 2008 @ 11:00 AM
I've had a few conversations lately tied around the topic of the insider threat in the financial services arena, so I figured I'd scan around the Web to see what's out there and came across an interesting InfoWorld article. Though it is from last Fall, it hits on a number of concerns that are timely now, especially given the major breaches like Societe Generale. The article reports on a Deloitte study that highlights two major data points that I want to call out:
1. 91% of financial services companies' CIOs are concerned with the inability to deal with the inside threat
2. 79% of respondents stated that human behavior is a big factor
Read those numbers again. This was a survey of 100 global financial services firms that have deep pockets and vast technologies, and it was conducted before Societe Generale was in everyone's vocabulary. More significantly, most weren't providing new training to workers on security. In general, training requires changes in behavior, and let's face it, most people don't embrace change to their daily routines, especially to improve security. Change is disruptive; change implies more work. This further reinforces the belief that security needs to be invisible to the user (which I'll address in a future blog entry).
These insider threats have brought on the wave of data leakage protection (DLP) technologies, but at the core, identity and access management still remains the central choke point for addressing the insider threat. Knowing who's accessing what, when and from where is a key part of the paper trail to find out if there's been misbehavior or accidental leakage. Mix in integration of physical and logical security, a touch of strong authentication and effective access management, and you've created a potent recipe for deterring the insider threat. The operative word here is deter - the ability to undeniably trace actions back to an individual reduces the urge to push the limits on misusing the system.
Tell me, what's your insider threat protection recipe? What are you using (or planning to use) to address the biggest business security threat we now face? How does/will it change human behavior of your workers?
--David
Posted by David Ting on Thu, Jun 19, 2008 @ 04:30 PM
There's a lot of news and opinions on the web as the blogosphere continues to grow. As a result, the web can be overwhelming on one hand and full of wonder on the other as you sort and click through the rabbit hole of conversations on the other side.
In light of this, I thought I would provide a short list of great blogs and resources that I follow from the identity management circles that are worth checking out and engaging with:
Kim Cameron's Identity Weblog - Kim covers all the bases of identity and gets into really good online dialogue with others out in the identity ether
The Virtual Quill - Dave Kearns' "rants, raves, and musings about identity from the Old Man in the Corner." If you know IDM, you surely know Dave's name.
Digital ID World - Eric Norlin keeps an eye on the uber-trends on the business side of identity management as well as the technology behind it.
Virtual Identity Dialogue - Mark Wilcox focuses on IDM and directory services stuff and delves into the development side.
Clayton Donley's Blog - Clayton combines topical takes on trends, with a regular post of other blogs/news to check out. Worth a read.
The Healthcare IT Guy - Shahid N. Shah keeps close tabs on issues in the healthcare space. If you're in this space (or have clients there), check out his blog regularly.
The Health Blog -WSJ's Theo Francis and Jacob Goldstein post throughout each day on the business level trends, issues and current events in the healthcare arena.
SecurityDreamer - Steve Hunt's among the most vocal and thoughtful on topics surrounding physical-logical security convergence.
Zalud's Security Blog - Security Mag's Bill Zalud chimes in on security happenings with an editor's bent.
So what IDM blogs and outlets do you follow? Let me know - I'd love to add 'em to my reading list.
-David
Posted by David Ting on Thu, Jun 12, 2008 @ 01:29 PM
We have met the enemy, and he is us
Insider threat is among the biggest challenges security folks face in 2008. The perimeter is dissolving with increased reliance on distributed computing and the mobile workforce, making it more difficult than ever to put up definitive walls around the enterprise. It's a simple reality that we all have to deal with. Check out last month's 2008 Global Information Security Workforce Study conducted by Frost & Sullivan for ISC(2) and SearchSecurity.com's coverage. Two-factor authentication using biometrics as well as physical-logical convergence will gain speed in dealing with the insider threat.
All of a sudden it feels like potentially anyone can be impacted. Check out the stories that have made headlines worldwide, from breaches of Britney Spears' and Farrah Fawcett's medical records to LendingTree customer data being compromised by former employees with still-active passwords. These are scenarios where better access management and strong authentication would have made the difference. The side benefit of implementing strong authentication is often the elevated awareness that security is taken seriously.
And now the feds are involved. They're investigating ties between hospitals and the tabloids to source and pursue the leaks of celebrity medical files.
It's clear insider threats will only become more frequent. It's simply too lucrative, and too easy to hide behind a digital identity. As an enterprise, you better know who your people are, what they are doing, and from where. Or at least get the message out that preventative steps are in the works! (more on this in a future blog).
I actually just had an interesting podcast discussion on this subject with Network World's Keith Shaw that you should check out.
What are your stories? How are you dealing with the insider threat?
--David Ting, CTO