By user12603048 on Jun 20, 2012
- Understanding EUS basics
- Understanding EUS and directory integration options
- Avoiding common EUS deployment mistakes
... the Titanic was fully compliant with all marine laws. The British Board of Trade required all vessels above 10,000 tonnes to carry sixteen lifeboats. The White Star Line ensured that the Titanic exceeded the requirements by four boats.But we all know that twenty lifeboats were not nearly enough for this ship. The article continues:
But the ship was 46,328 tonnes. The Board of Trade hadn't updated its regulations for nearly 20 years. ... The lifeboat regulations were written for a different era and enforced unthinkingly."Enforced unthinkingly." Therein lies our little lesson. In discipline of information security, we may be tempted to think that "compliant" means secure. But we must not accept that at face value. We must really understand what regulations mean and how they apply to our enterprises. PCI DSS or HIPAA compliance may go part way, but do they really go far enough to protect our vital information that is the lifeblood of our businesses? Let's make sure we have adequate "lifeboats" and not rely completely on those who write regulations to protect our businesses.
I read a disturbing article by Dan Schwab of Fox Chicago News this morning entitled “Probe: ID rules lax at Chicago airports.” Perhaps the fact that I will board my 13th flight segment in two and a half weeks this afternoon fueled my interest in the article, which reported “a Fox Chicago News investigation discovered a major loophole at TSA checkpoints at O’Hare and Midway.”
During the past two months, Fox flew multiple employees – male, female, black, white, and Muslim – to different destinations around the country on different airlines.
The only requirement: They were not allowed to bring a photo ID. No passport. No driver’s license.
On every occasion, these Fox employees were allowed through security without a hitch as long as they showed that the name on their boarding pass matched the name on a couple of credit cards, according to Fox Chicago News.
Credit cards for identification? What happened to the requirement of a photo ID? This shows a remarkable lack of TSA compliance with recommended policy:
The federal Sept. 11 Commission’s final report included 10 pages that focused solely on the issue of terrorism and identity fraud. The report states: “Travel documents are as important as weapons. Fraud is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are.” …
By checking credit cards rather than a photo ID, TSA simply was following its own rules, which vaguely state that passengers without an acceptable ID will have to provide “information” to verify their identity, according to Fox Chicago News.
I’m not a big fan of the TSA. To me, it is at best a huge, bumbling bureaucracy, and at worst, a huge, oppressive police force. I really don’t feel safer because of them. However, regardless of my feelings, this is a clear example about how poorly executed identity policy can lead to easily exploited security breaches, even as a false aura of safety is provided for the law-abiding majority, who obediently shed shoes and jackets, empty pockets and briefcases, and subject themselves to humiliating searches while many obvious loopholes remain.
Just one example … next time you go through the TSA screening process, notice how closely (or not) airport employees’ ID badges are examined.
PS. The Dave Granlund cartoon reminds me of the time I brought exercise weights with me on a trip. My luggage was manually searched every time – on each of four flight segments that week. I now keep those dastardly weights safely at home with my horribly dangerous one-inch pocket knife. Bitter? Nah!
As explained in my recent post, I am awaiting final publication of a white paper I recently authored, entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.” This post is a excerpt from that paper.
In the thirteen years since the initial passage of the HIPAA act, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. We recommend the following:
Understand requirements. By developing a better understanding of compliance requirements, how compliance affects information technology (IT), and how IT in general and IAM specifically can help support the privacy, security and notification requirements of HIPAA/HITECH, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.
Recognize IT's critical role. In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of HIPAA/HITECH compliance, enterprises can maximize the value of their technology investment.
Understand the role of IAM. IAM plays a critical role in compliance with HIPAA/HITECH privacy, security and notification requirements.. However it does not automatically satisfy all HIPAA/HITECH requirements. Recognizing the value and the limitations of IAM in the entire spectrum of HIPAA/HITECH compliance is essential.
Think program, not project. HIPAA/HITECH compliance is a journey, not a short term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.
Establish privacy and security policy. A success privacy and security program requires a documented set of principles, policies, and practices. Using the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information as a guide, the enterprise's privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.
Develop a strategy. The only way to effectively address the wide spectrum of compliance requirements is to integrate them into a common compliance strategy that is intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality.
Collaborate. HITECH extends compliance responsibility and penalties to all business associates. Work closely with your vendors and business partners to form an overall security and privacy framework, including updating legal relationship documents as ncessary.
Establish a governance process. Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.
Implement your strategy in phases. By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.
Standards. Follow the NIST and other applicable standards for electronic healthcare records. Adjust to form a compliance model with this emerging standard. Focus on open standards and vendors that are open standards compliant to insure long-term flexibility of computing platforms and security frameworks.
Give real-time visibility. Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communications with all stakeholders is essential.
Unify disparate compliance efforts. Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together compliance, governance, and risk management under a holistic framework, can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company’s compliance efforts in a sustainable, strategic, and cost effective manner.
Assess progress and adjust as necessary. Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results.
Please let me know what you think. What have you found that really works in this IAM/Compliance Journey?
I recently authored a white paper entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.” The paper is now in the final editing and formatting process. As we awaiting the final publishing date, let me share an excerpt from the paper, focused on the key ways IAM enables HIPAA/HITECH compliance.
HIPAA/HITECH requirements for privacy, security, auditing and notification are supported directly by IAM. By streamlining the management of user identities and access rights and automating time-consuming audits and reports, IAM solutions can help support strong privacy and security policies across the enterprise and throughout Health Information Networks while reducing the overall cost of compliance.
IAM provides the following key enablers for HIPAA/HITECH compliance:
Assign and control user access rights. Securely managing the assignment of user access rights is critical to HIPAA/HITECH compliance, particularly in distributed and networked environments typical of modern healthcare business. Decentralized provisioning is not only inefficient and costly, it also increases the risk of security and privacy violations. Automated provisioning allows centralized control of resources and applications that have historically existed in silos. This provides a much greater level of control over access to those resources. Checking audit policy at the time or provisioning ensures regulatory compliance, thus preventing audit policy violations.
Adjust user access rights when responsibilities change. Business risk is introduced when employees change jobs and access isn’t appropriately adjusted or removed. Failing to appropriately adjust or remove users’ access when job changes occur can result in superuser-access and SOD violations. Automated provisioning effectively eliminates many of these risks, especially when combined with auditing and role management capabilities.
Revoke user access upon termination. IAM systems can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly-exploited security gap and opportunity for policy violation that may occur after an employee or contractor has been dismissed.
Manage allocation of user credentials. Managing user names, passwords and other user access credentials is essential to assuring that only authorized users are granted access to information systems. IAM technology can provide enterprise-wide control of user credentials, including the enforcement of uniform password policies (e.g. password strength, periodic change).
Enforce segregation of duties (SOD) policies. Segregation of duties (also known as separation of duties), has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. IAM methods can prevent, detect, and resolve access rights conflicts to reduce the likelihood that individuals can act in a fraudulent or negligent manner. Once violations are identified, notification and remediation steps are automatically initiated based on corporate policies.
Provide uniform access policy. IAM can provide administration and enforcement of common user access policies across a wide span of diverse systems, improving executive confidence in how the enterprise complies with HIPAA/HITECH requirements.
Manage access based on business roles. Provisioning and auditing at the business role level, rather than just at the IT access control level, ties user access rights more closely to business processes. With a role management solution, managers can approve access rights that have a meaningful business context, thus reducing the risk of managers inadvertently creating SOD violations by granting carte blanche access to their direct reports.
Enforce secure access policies. While automated identity administration, provisioning and auditing are essential to HIPAA/HITECH compliance, these methods don't actually enforce the use of security policies when a user accesses the controlled systems. IAM Access Management technology can enforce user access policy at the point of entry to an application or other system, in harmony with established policy. Examples of such enforcement include Web access management (including single sign-on or SSO), enterprise single sign-on (ESSO), and Web service security.
Enforce informed consent principles. Informed consent principles (e.g. opt-in, opt-out, notice) can be enforced, based on identities of individual patients and potential users of personal information associated with such data.
Extend access control to business associates. Identity Federation can extend access control beyond enterprise boundaries to enable secure access to electronic records while safeguarding the privacy of sensitive information. This is essential to complied with extended requirements of HITECH.
Verify access rights. While automated user access provisioning is designed to accurately assign access rights, such access rights should be confirmed by audit. IAM can provide the ability to both assign access rights according to established polices and then periodically verify that access rights are still compliant with those same policies.
Conduct periodic compliance assessments. Periodic audits of access rights and privileges can assure that security and privacy policies are consistently enforced. Re-certification is a process where managers approve direct reports’ access to enterprise resources and applications. IAM can provide the ability to automatically present managers with the correct information to attest to each employee's access rights needs. By applying role management principles, this re-certification process can enable the approving manager to work at the business-role level, attesting to those entitlements quickly and accurately because they are given in a meaningful business context.
Provide automated reports. The delivery of accurate, timely and complete reports can assess compliance with established requirements. IAM can provide scheduled and ad-hoc compliance reports, including automated violation notifications, comprehensive work flow processes, and audit assessment reports. Such reports can generated across multiple systems and enterprise applications and be submitted to appropriate people within the enterprise, to business associates and to appropriate regulatory agencies.
I’ll share more excerpts soon and let you know when the full paper is ready for download. Please stay tuned.
This post is the first in a series of eleven posts I am writing about trends of key importance to the Identity Management industry.
As the following series of photos shows my son Eric progressing from infancy to young adulthood, the Identity Management market has matured, but still has a bright future ahead.
The Identity Management industry has been building for about a decade. The market is definitely maturing out of adolescence into young adulthood. Key characteristics of this maturing market include:
In light of this maturing industry, I recommend that enterprises concentrate primarily on the business value Identity Management can deliver. Questions such as these are appropriate:
I enjoy watching re-runs of the television drama, NCIS, where a dysfunctional little group of crime-fighting superstars often analyze divergent bits of data to solve seemingly unsolvable mysteries. Last night, Agent McGee correlated data from phone records, automobile registrations and police station activity records to pinpoint a bad cop in collusion with an international drug lord. Far fetched? Perhaps not.
I have been spending much of my time recently preparing a white paper addressing the issues of HIPAA privacy and security compliance, particularly in light of expanded regulations emerging from the “stimulus bill” signed into law earlier this year. As I have explored privacy issues related to electronic health records, I was particularly intrigued by an article by Nate Anderson entitled “’Anonymized’ Data Really Isn’t and here’s why not”, published in Ars Technica earlier this week.
On the surface, it would seem that removing obvious identifiers such as name, address and Social Security Number from a person’s data record would cause that record to be “anonymous” – not traceable to single individual. This approach is commonly used by large data repositories and marketing firms to allow mass data analysis or demographic advertising targeting.
However, work by computer scientists over the past fifteen years show that it is quite straightforward to extract personal information by analyzing seemingly unrelated, “anonymized” data sets. This work has “shown a serious flaw in the basic idea behind ‘personal information’: almost all information can be 'personal' when combined with enough other relevant bits of data.”
For example, researcher Latanya Sweeny showed in 2000 that “87 percent of all Americans could be uniquely identified using only three bits of information: ZIP code, birthdate, and sex."
Professor Paul Ohm of the Colorado School of Law, in his lengthy new paper on "the surprising failure of anonymization, wrote:
As increasing amounts of information on all of us are collected and disseminated online, scrubbing data just isn't enough to keep our individual "databases of ruin" out of the hands of the police, political enemies, nosy neighbors, friends, and spies.
If that doesn't sound scary, just think about your own secrets, large and small—those films you watched, those items you searched for, those pills you took, those forum posts you made. The power of re-identification brings them closer to public exposure every day. So, in a world where the PII concept is dying, how should we start thinking about data privacy and security?
Ohm went on to outline a nightmare scenario:
For almost every person on earth, there is at least one fact about them stored in a computer database that an adversary could use to blackmail, discriminate against, harass, or steal the identity of him or her. I mean more than mere embarrassment or inconvenience; I mean legally cognizable harm. Perhaps it is a fact about past conduct, health, or family shame. For almost every one of us, then, we can assume a hypothetical 'database of ruin,' the one containing this fact but until now splintered across dozens of databases on computers around the world, and thus disconnected from our identity. Re-identification has formed the database of ruin and given access to it to our worst enemies.
I won’t ask what your “blackmail-able facts” might be, and won’t tell you mine. But it is sobering to think what abuses might emerge from the continued amassing of online data about all of us. This certainly casts new light on the importance of privacy and security protections for all of our personal data.
"A merchant has a point of sale system where customers swipe their credit or debit cards to initiate a payment transaction. Among the information from the magnetic stripe on the back of the card is a 16 digit number called the primary account number (PAN). Any thief who can gain access to the PAN has enough information to use the card data fraudulently. The PAN (i.e., the cardholder data) is sent to a token server where it is encrypted and placed into a secure data vault. A token is generated to replace the PAN data in the merchant's storage systems or business applications. If the merchant needs access to the original cardholder data again -- say to issue a refund on the credit card -- the merchant is authorized to reach into the secure data vault to look up the PAN again."What benefit does this provide to companies?
"First and foremost, it takes highly sensitive data out of the business processes that would use customer data. This reduces the likelihood that the real data can be stolen off of servers or from applications. If a thief steals tokenized data, he can't use it to retrieve the real data, since he isn't authorized to access the secure data vault. Instead, he ends up with a bunch of random numbers that don't mean anything to him."Linda also refers to a post on CreditCards.com by Jay Mcdonald, who explores the potential for tokenization to increase credit card security. Quoting Randy Carr, vice president of marketing for Shift4, developer of a commercial tokenization technology, Jay writes:
"Carr believes the game-changer in the equation is today's hacker. 'These aren't college students doing it anymore; they're ex-Soviet operatives, and they're serious guys. They're not there to get 20 card numbers; they're there to get 100 million card numbers,' he says.
"Their purpose, Carr says, is not to purchase golf clubs, but to fund terrorism, which may explain why the FBI and other intelligence agencies have been inviting Carr and his counterparts for tea."
It will be interesting to see how this technology is deployed or adapted in the next few years. Perhaps the recent hacking of government computer systems will accellerate federal government interest.
Discovering Identity was founded on blogs.sun.com in May 2005 as a means of documenting my exploration of the field of Identity and Access Management. In February, 2010, I switched to hosting the blog at DiscoveringIdentity.com. In March 2012, I began posting Oracle-related information in both places.
Thanks for stopping by.
Please connect with me in cyberspace at LinkedIn or Twitter.