Friday Apr 27, 2012

Titanic Catastrophe: Compliant Doesn’t Mean Secure

April 15th marked the 100th anniversary of the sinking of the RMS Titanic - by any measure a catastrophe of epic proportions. As we think about lessons collectively learned from this event, may I suggest a nugget worth remembering that has little to do with sinking ships, but a lot to do with the enterprise we serve today? According to a recent ABC article:
... the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.
But we all know that twenty lifeboats were not nearly enough for this ship.  The article continues:
But the ship was 46,328 tonnes. The Board of Trade hadn't updated its regulations for nearly 20 years. ... The lifeboat regulations were written for a different era and enforced unthinkingly.
"Enforced unthinkingly."  Therein lies our little lesson. In the discipline of information security, we may be tempted to think that "compliant" means secure.  But we must not accept that at face value.  We must really understand what regulations mean and how they apply to our enterprises.  PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect the vital information that is the lifeblood of our businesses? Let's make sure we have adequate "lifeboats" and not rely completely on those who write regulations to protect our businesses.

Monday Nov 23, 2009

IAM is a Journey, not a Project

In our recent CIO Roundtable tour, a question about Identity and Access Management that emerged in every session was, “where do I go from here?”  It is one thing to talk about the theory of IAM; it is quite another thing to actually implement it in your enterprise.

My advice to the Roundtable participants and to you is this, “IAM is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project.  Take stock of where you are now, set objectives for where you want to be in the future, and execute your strategy in stages.”

To illustrate this process, the white paper I recently wrote, Identity and Access Management: Enabling HIPAA/HITECH Compliance, proposes thirteen best practices for approaching the application of IAM to HIPAA/HITECH compliance efforts.  Recognizing that IAM is a journey, not a project, is one of the best practices.

Think program, not project. HIPAA/HITECH compliance is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

[Figure: IAM roadmap]

The step-by-step process depicted above doesn’t fit everyone.  It only serves to illustrate the need for defining your IAM journey as a series of phases subdivided into measurable steps.  Our experience has shown that those enterprises that follow this basic process usually succeed, while those who attempt to do too much all at once, or focus on one small tactical project, often fail to realize the benefits of a well-executed IAM strategy.

Happy trails!  (I couldn’t resist that last comment, even though the “happy trails” comment in my previous post dealt with airline travel, not IAM journeys.)

Tuesday Nov 17, 2009

Identity and Access Management - Enabling HIPAA/HITECH Compliance

The white paper I mentioned several days ago, Identity and Access Management – Enabling HIPAA/HITECH Compliance, is now hot off the press and ready for download.  Thanks to all the great people at Sun Microsystems who contributed to this project and made it a reality.  Hopefully, the paper will be beneficial to those who are facing the challenges of how to comply with the increasing regulations surrounding management of healthcare data and information systems.

The paper’s abstract reads:

As healthcare organizations and vendors become more reliant on digital information technology, complying with increasing regulatory requirements presents a range of challenges. This paper explores the requirements that these organizations face, best practices for implementing identity management systems that help ensure compliance, and how Sun’s pragmatic approach to identity management simplifies the technology environment.

The table of contents:

  1. Executive Summary
  2. Healthcare Information Technology Challenges
  3. Health Insurance Portability and Accountability Act (HIPAA)
  4. Health Information Technology for Economic and Clinical Health Act (HITECH)
  5. Impact of HIPAA, HITECH and Related Regulations
  6. The Role of IAM in HIPAA/HITECH Compliance
  7. Sun IAM Product Introduction
  8. Best Practices for the IAM/Compliance Journey
  9. How to Get Started with HIPAA/HITECH and IAM
  10. The Sun IAM Workshop
  11. References

Please let me know if you have any questions or would like to discuss the content in more detail.

Monday Nov 09, 2009

Best Practices for the IAM/Compliance Journey

As explained in my recent post, I am awaiting final publication of a white paper I recently authored, entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.”  This post is an excerpt from that paper.

In the thirteen years since the initial passage of the HIPAA act, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. We recommend the following:

  1. Understand requirements. By developing a better understanding of compliance requirements, how compliance affects information technology (IT), and how IT in general and IAM specifically can help support the privacy, security and notification requirements of HIPAA/HITECH, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.

  2. Recognize IT's critical role. In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of HIPAA/HITECH compliance, enterprises can maximize the value of their technology investment.

  3. Understand the role of IAM. IAM plays a critical role in compliance with HIPAA/HITECH privacy, security and notification requirements. However, it does not automatically satisfy all HIPAA/HITECH requirements. Recognizing the value and the limitations of IAM in the entire spectrum of HIPAA/HITECH compliance is essential.

  4. Think program, not project. HIPAA/HITECH compliance is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

  5. Establish privacy and security policy. A successful privacy and security program requires a documented set of principles, policies, and practices. Using the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information as a guide, the enterprise's privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.

  6. Develop a strategy. The only way to effectively address the wide spectrum of compliance requirements is to integrate them into a common compliance strategy that is intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality.

  7. Collaborate. HITECH extends compliance responsibility and penalties to all business associates. Work closely with your vendors and business partners to form an overall security and privacy framework, including updating legal relationship documents as necessary.

  8. Establish a governance process. Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.

  9. Implement your strategy in phases. By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.

  10. Standards. Follow NIST and other applicable standards for electronic healthcare records, and adjust your compliance model as these emerging standards evolve. Focus on open standards and on vendors that are open-standards compliant to ensure long-term flexibility of computing platforms and security frameworks.

  11. Give real-time visibility. Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communication with all stakeholders is essential.

  12. Unify disparate compliance efforts. Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together compliance, governance, and risk management under a holistic framework can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company’s compliance efforts in a sustainable, strategic, and cost-effective manner.

  13. Assess progress and adjust as necessary. Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results.

Please let me know what you think.  What have you found that really works in this IAM/Compliance Journey?

Tuesday Oct 27, 2009

Identity Trend 9: Identity Analytics

This post is the ninth in a series of eleven posts I am writing about key trends in the Identity Management industry.

Whenever data is amassed and made available for analysis, the odds are great that someone will  figure out ways to derive new meaning from this data.  So it is with data related to personal Identity.  I believe we will see an explosion of data analytics being applied to Identity-related data for a number of applications.  Three emerging areas are briefly described in this post.

Authentication/Discovery

Considerable evidence is available to show how each of us is progressively establishing a historical, logical “fingerprint” based on our personal patterns of accessing online resources.  In a blog post entitled, “Anonymized Data Really Isn't,” I discussed how correlating “anonymized” data with seemingly unrelated publicly available data can pinpoint personal identities with frightening accuracy.

In his address at Digital ID World, Jeff Jonas’ discussion about using data analytics to discover space-time-travel characteristics of individuals was both challenging and disturbing.  Mobile operators are accumulating 600 billion cellphone transaction records annually and are selling this data to third parties who use advanced analytics to identify space/time/travel characteristics of individual people, to be used for authentication and focused marketing activities.

I expect we will soon see many ways data analytics will be used for both positive and negative purposes, to very accurately identify individual people and leverage that identification for authentication and personalization purposes.

Context/Purpose

Just as data analytics can be used to identify who we really are, these methods can be leveraged to personalize the experience online users have with each other and with online applications.  As I discussed in my Identity Trend blog post about Personalization and Context, personalization increases the value of the online user experience by presenting relevant content to a specific user at a particular time and tailoring the user experience to fit what a user is doing at that time.  Data analytics can be used to evaluate both real-time and historical information to answer questions such as:

  • What are you doing now?
  • What did you do recently in a similar circumstance?
  • Will historical patterns predict your preferences?

Perhaps the best-known example of this is Amazon.com’s recommendation service illustrated in the photo above.  In this case, based on my historical purchase pattern, Amazon recommended two books to me.  Ironically, Amazon recommended I purchase Seth Godin’s book entitled “Permission Marketing,” which addresses some of the very issues we are addressing in this post.  In the next few years, we will most likely see more powerful and refined recommendation engines based on complex data analytics, adapted to a wide variety of user interfaces.

Auditing

The big question surrounding IT auditing is, “Who really did what, when and where?”  While many tools exist for maintaining audit trails and evaluating compliance with audit policy, I believe we will see an emerging class of tools to evaluate audit trails and logs in ways not anticipated by current tools.  A few examples:

  • Sophisticated ad hoc analytics may make it easier to discover patterns of fraudulent access that may be missed by more structured audit tools.
  • Enhanced analytics may help improve the business role discovery process by detecting obscure usage trends in log data.
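As an added illustration (this is not code from the post or from any product it mentions), the two kinds of analysis just described, run over a constructed audit trail. The log format, the business-hours window, the "first use of a resource/action is suspicious once a baseline exists" rule, and the idea that users with identical observed entitlements are a candidate role are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data): user, ISO timestamp, resource, action
SAMPLE_LOG = """\
alice 2009-10-20T09:12:00 ehr-records read
alice 2009-10-21T10:03:00 ehr-records read
alice 2009-10-22T11:40:00 billing read
bob 2009-10-20T08:55:00 billing write
bob 2009-10-21T09:30:00 billing write
bob 2009-10-22T03:17:00 ehr-records export
carol 2009-10-20T14:00:00 ehr-records read
carol 2009-10-22T15:20:00 ehr-records read
dave 2009-10-21T13:00:00 ehr-records read
"""


def parse_log(text):
    """Turn whitespace-separated log lines into event dicts; skips blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, ts, resource, action = line.split()
        events.append({"user": user, "ts": datetime.fromisoformat(ts),
                       "resource": resource, "action": action})
    return events


def flag_anomalies(events, work_start=7, work_end=19):
    """Ad hoc detective analytics: walk events chronologically and flag those that
    happen outside business hours or that are the first time a user touches a given
    resource/action after a baseline of earlier activity exists. Returns a list of
    (user, timestamp, reasons) tuples for an auditor to review; it is a lead
    generator, not a verdict."""
    seen = defaultdict(set)          # per-user baseline of (resource, action) pairs
    flags = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if not (work_start <= ev["ts"].hour < work_end):
            reasons.append("off-hours")
        key = (ev["resource"], ev["action"])
        if seen[ev["user"]] and key not in seen[ev["user"]]:
            reasons.append("first use of %s:%s" % key)
        seen[ev["user"]].add(key)
        if reasons:
            flags.append((ev["user"], ev["ts"].isoformat(), reasons))
    return flags


def discover_roles(events, min_users=2):
    """Simple role discovery: group users whose observed entitlement sets are
    identical; each group with at least min_users members is a candidate role.
    Returns {sorted tuple of (resource, action): sorted list of users}."""
    perms = defaultdict(set)
    for ev in events:
        perms[ev["user"]].add((ev["resource"], ev["action"]))
    groups = defaultdict(list)
    for user, p in perms.items():
        groups[tuple(sorted(p))].append(user)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_users}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, ts, why in flag_anomalies(evs):
        print("REVIEW", user, ts, ", ".join(why))
    for role, members in discover_roles(evs).items():
        print("CANDIDATE ROLE", role, "->", members)
```

On the sample data the 03:17 export by bob is flagged for two reasons at once, while alice's first read of billing is flagged only as a new resource; the second kind of lead is noisy by design and is where a role model (which "read billing" may legitimately belong to) helps an auditor decide what is normal. Real deployments would build the baseline from a much longer history than a day or two.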

Recommendations:

Some questions you may consider to explore how Identity Analytics may affect your enterprise include:

  1. What Identity data do you currently store?
  2. What related data do you store that could be correlated with Identity data?
  3. Can data analytics be used to correlate data you store with publicly-available data to provide value to your enterprise and your customers?
  4. What additional business value could accrue to your organization based on such analytics?
  5. What privacy and security threats may exist to your employees and your organization if advanced analytics are used to correlate publicly-available data with data you make available?
  6. How could data analytics related to Context and Preference be used to enhance the way users interact with your organization?
  7. How can advanced analytics help you combat fraud or other cybercrime?
  8. How can you use advanced analytics to improve corporate processes?

Identity Trend 7: Regulation and Compliance

This post is the seventh in a series of eleven posts I am writing about key trends in the Identity Management industry.

Government regulations have been enacted to address problems with fraud, governance, security and privacy arising in various industries.  For example, the Sarbanes-Oxley Act of 2002 (Sarbox) was intended to make corporate governance practices more transparent and to improve investor confidence. It addressed financial control and financial reporting issues raised by the corporate financial scandals, focusing primarily on two major areas: corporate governance and financial disclosure.

Government regulations tend to become more complex and far-reaching over time.  For example, to address the challenges of security and privacy, the Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to establish national standards for use of health care records. HIPAA provided a foundation upon which multiple regulations have been based to address issues with the administration and protection of sensitive medical records information.

Title XIII of the American Recovery and Reinvestment Act of 2009 (ARRA), also known as the Health Information Technology for Economic and Clinical Health Act (HITECH) includes a section that expands the reach of HIPAA by introducing the first federally mandated data breach notification requirement and extending HIPAA privacy and security liability to business associates of "covered entities" (generally, health care clearinghouses, employer sponsored health plans, health insurers, and medical service providers that engage in certain transactions on behalf of individuals).

The current trend to more extensive government regulation of industry will likely continue or escalate, placing additional burden on enterprises to comply with increasingly complex compliance mandates.

A second source of industry regulations is industry itself.  For example, the Payment Card Industry (PCI) Data Security Standard (DSS) is a global security standard for safeguarding sensitive credit card data.  This standard was established by the PCI Security Standards Council, an organization founded by industry-leading enterprises: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around data and its exposure to compromise.

Identity and Access Management (IAM) is a critical enabler for compliance with government and industry regulations.  For example, Sarbox requirements for fraud reduction, policy enforcement, risk assessment and compliance auditing are supported directly by IAM technology and methods. By streamlining the management of user identities and access rights, automating enforcement of segregation of duties policies, and automating time-consuming audits and reports, IAM solutions can help support strong security policies across the enterprise while reducing the overall cost of compliance.

Similarly, IAM technology and processes, which control user access to data, applications, networks and other resources, can directly support HIPAA/HITECH requirements for privacy, security, auditing and notification.
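To make the "automating enforcement of segregation of duties policies" point concrete, here is an added example (not code from the post or from any Sun or Oracle product) of the two ways an IAM system applies such a policy: a detective sweep over existing entitlements for an audit report, and a preventive check at grant time. The rule pairs, entitlement names and users are constructed for the example.

```python
# Constructed segregation-of-duties rules: a user must never hold both
# entitlements of a pair (classic "initiate vs. approve" conflicts).
SOD_RULES = [
    ("create-vendor", "approve-payment"),
    ("submit-expense", "approve-expense"),
]

# Constructed snapshot of current entitlements, as an IAM system would hold them.
USER_ENTITLEMENTS = {
    "alice": {"create-vendor", "view-ledger"},
    "bob": {"create-vendor", "approve-payment"},   # toxic combination
    "carol": {"submit-expense", "view-ledger"},
}


def sod_violations(entitlements, rules):
    """Detective control: scan every user's current entitlements and return
    (user, entitlement_a, entitlement_b) for each violated rule, sorted by user,
    which is what a periodic compliance audit report needs."""
    violations = []
    for user, perms in sorted(entitlements.items()):
        for a, b in rules:
            if a in perms and b in perms:
                violations.append((user, a, b))
    return violations


def check_grant(entitlements, rules, user, new_perm):
    """Preventive control: before provisioning new_perm to user, return the list
    of rules the grant would violate. An empty list means the grant is clean;
    a non-empty list should block it or route it to an exception approver."""
    perms = set(entitlements.get(user, set())) | {new_perm}
    return [(a, b) for a, b in rules if a in perms and b in perms]


def remediation_plan(entitlements, rules):
    """For each violation, propose removing the 'approve' side of the pair
    (the second element of the rule) so the initiating duty is kept.
    Returns {user: set of entitlements to revoke}."""
    plan = {}
    for user, _a, b in sod_violations(entitlements, rules):
        plan.setdefault(user, set()).add(b)
    return plan


if __name__ == "__main__":
    for v in sod_violations(USER_ENTITLEMENTS, SOD_RULES):
        print("VIOLATION", v)
    print("grant approve-expense to carol ->",
          check_grant(USER_ENTITLEMENTS, SOD_RULES, "carol", "approve-expense"))
    print("remediation:", remediation_plan(USER_ENTITLEMENTS, SOD_RULES))
```

The detective sweep finds bob's existing conflict; the preventive check stops carol from acquiring one. In practice the rules live in the IAM policy store rather than in code, and the remediation choice (which side of the pair to revoke) is a business decision, so the plan function here only makes a default proposal.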

Recommendations:

Practical experience in the field gained as many enterprises have implemented IAM systems to support compliance efforts has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance.  The following list of best practices will be explored in more detail in a subsequent blog post:

  1. Understand regulatory requirements that apply to your enterprise.
  2. Recognize IT's critical role in the compliance process.
  3. Understand the role of IAM in supporting compliance.
  4. Think of compliance as a long-term program, not a single project.
  5. Establish compliance policies. Privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.
  6. Develop a business-driven, risk-based, and technology-enabled compliance strategy.
  7. Collaborate with your business partners and associates.
  8. Establish a governance process.
  9. Implement your strategy in phases.
  10. Follow established standards.
  11. Give real-time visibility into compliance status, progress and risks.
  12. Unify disparate compliance efforts.
  13. Assess progress and adjust as necessary.

Thursday Oct 01, 2009

Identity Trend 1: Market Maturity

This post is the first in a series of eleven posts I am writing about trends of key importance to the Identity Management industry.

As the following series of photos shows my son Eric progressing from infancy to young adulthood, the Identity Management market has matured, but still has a bright future ahead.

[Figure: maturity, a series of photos of my son Eric from infancy to young adulthood]

The Identity Management industry has been building for about a decade.  The market is definitely maturing out of adolescence into young adulthood.  Key characteristics of this maturing market include:

  1. Much focus is being given to best practices of how to maximize enterprises’ investment in these systems.  Rather than focusing on green field Identity implementations, enterprises are concentrating on system refinement, expansion or replacement.
  2. While the industry quite universally agrees that “quick wins” are essential first steps to implementing Identity Management systems, significant additional value can accrue as enterprises expand the reach and scope of their Identity infrastructure.
  3. The importance of Identity governance is becoming entrenched in enterprise culture, as holistic initiatives to address the broad areas of governance, risk and compliance recognize the critical importance of Identity Management in these processes.
  4. Experience has shown that Identity Management is a journey, not a destination.  Enterprises are recognizing that they must approach Identity Management as a long-term program, not a single project.
  5. The industry continues to consolidate, as we at Sun are well aware.  While there are still several emerging niche companies, larger vendors offer complete suites of Identity Management products.
  6. The major business drivers for investing in Identity Management systems still continue to be regulatory compliance, operational efficiency/cost and information security.  However, more focus is being placed on Identity as a key enabler of customer satisfaction through context-aware personalization.
  7. Identity Management is also moving down market, particularly as vendors and systems integrators are addressing the issues of rapid deployment and reduced pricing for smaller businesses.

Recommendations:

In light of this maturing industry, I recommend that enterprises concentrate primarily on the business value Identity Management can deliver.  Questions such as these are appropriate:

  1. Where am I on the journey to implement Identity Management in my enterprise?
  2. Where has Identity Management already delivered value to my business?
  3. Where else can Identity Management deliver value?
  4. How can Identity Management enable Privacy and Security?
  5. How can Identity Management enable compliance?
  6. How can Identity Management increase efficiency and reduce cost?
  7. How can Identity Management enable a better user experience to my customers?

Wednesday Jul 15, 2009

Dilbert: Best Practices for Compliance

Recently, I have been working on a white paper addressing best practices for using Identity and Access Management software in meeting regulatory compliance requirements.  Sunday morning, I gained a new perspective on best practices for compliance from the Dilbert comic strip.



Perhaps I should publish my white paper in comic strip format!


About

Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.

Thanks for stopping by.

Please connect with me in cyberspace at LinkedIn or Twitter.


The views expressed on this blog are my own and do not necessarily reflect the views of my employer, Oracle Corporation, or any other person or organization.
