Layer 3: Identity and Access ManagementBy John Moore | Posted 2007-05-14 Email Print
As attacks on enterprise systems grow more sophisticated and diverse, companies need to rethink their defense strategies. In this special report, experts offer new and better ways to protect vital information resources.
Layer 3: Identity and Access Management
Security isn't just about blocking intruders mechanisms for permitting access are required as well. That's where the identity and access management layer comes in. This field includes technologies that house information on user identities and credentials user names and passwords, for example that let workers utilize I.T. resources. Identity and access management products may also enforce role-based policies that permit or restrict access to specific networks, applications and data based on an employee's job function.
CA, Courion, Imprivata, Oracle and Passlogix are among the vendors in this area. Some charge per user; others charge per server.
Some I.T. departments aim to make the access task easier for users, who may need multiple passwords to sign on to different applications.
That was the case at Southwest Washington Medical Center in Vancouver, Wash. A typical employee at the 360-bed hospital uses between six and 12 applications every day. And personnel in departments such as the hospital's intensive-care unit might deal with up to 20 computer systems, says Christopher Paidhrin, security compliance officer at Affiliated Computer Services Healthcare Solutions. The medical center has outsourced its entire I.T. department to Affiliated Computer Services, with the exception of the chief information officer post.
The hospital also sought to address the access needs of mobile users 500-plus external physicians in addition to more than 3,000 on-site staffers.
Paidhrin proposed a solution based on Microsoft's Active Directory and Imprivata's OneSign access management appliance. Active Directory serves as the hospital's single authentication data store, replacing several identity information repositories including Novell eDirectory Server; a Remote Authentication Dial-In User Service (Radius) server, which provides authentication for remote users; and a McKesson proprietary password database to McKesson's core hospital information systems for patient, clinicial and financial applications.
Imprivata's OneSign allows users to swap myriad access codes for a single password.
Paidhrin wanted assurances that the solution would live up to expectations and win over users. The ability to provide network-level authorization, meanwhile, would help the hospital maintain compliance with the Health Insurance Portability and Accountability Act's patient data security requirements.
"We knew the user experience would make or break the tool in terms of its acceptance," Paidhrin recalls. "We had to make sure it was fast enough for them."
Physicians and nurses put single sign-on to the test in a 2005 technology demonstration. The testers were sufficiently impressed.
Paidhrin also sought the support of the hospital's top brass. He says Kerry Craig, then Southwest Washington's chief information officer, was the lead champion, supported by a director-level Information Security Council. The council, which includes Paidhrin, advises the hospital's executive staff on security issues. The team was sold on two factors: reduced log-on hassles and the solution's compliance with HIPAA.
Since the system was rolled out, starting in early 2006, it has given credence to the notion that time is money.
The system's pair of single-sign-on appliances cost around $100,000.
And, Paidhrin estimates time savings per log-on session at 15 to 30 seconds, or about 5 minutes or 18 to 25 cents per person per day, not including physicians. With 3,200 staffers working an estimated 240 days a year, Southwest Washington stands to save between $576 to $800 a day, or $138,000 to $192,000 a year, meaning that it saw a return in its investment in six months to one year.
"Every little bit adds up," Paidhrin concludes.