Post on 24-Feb-2016
Patient Protection – Ensuring Trust in the Electronic Health Record
John Weigelt, National Technology Officer, Microsoft Canada
The Evolving Threat
[Figure: attacker types (Vandal, Trespasser, Thief, Spy, Author) plotted by Motivation (National Interest, Personal Gain, Personal Fame, Curiosity) against Expertise (Script-Kiddy, Undergrad, Expert, Specialist)]
Increasingly Challenging Security Concerns
Threats are more dangerous than ever
• More advanced
• Profit motivated
• More frequent
• Application-oriented
Fragmentation of security technology
• Too many point products
• Poor interoperability among security products
• Lack of integration with IT infrastructure
Difficult to use, deploy and manage
• Multiple consoles
• Uncoordinated event reporting & analysis
• Cost and complexity
“All security frameworks should include a comprehensive, layered approach...” Understanding the Nine Protection Styles of Host-Based Intrusion Prevention, Gartner – May 2005
“Integration and simplified manageability are important drivers when purchasing security” The State of Security in SMB & Enterprises, Forrester Research, Inc. – Sept. 21, 2005
Top Security Challenges
Virus & Malware Prevention
• Viruses, Spyware and Worms
• Botnets and Rootkits
• SPAM, Phishing, Evil Twins and Fraud
Security Management
• Deploying Security Updates
• System Identification and Configuration
• Security Policy Enforcement
Implementing Defense in Depth
• Identity Management and Access Control
• Managing Access in the Extended Enterprise
• Security Risk of Unmanaged PCs
Business Practices
• Regulatory Compliance
• Develop and Implement Security Policies
• Reporting and Accountability
Security: Solution Enabler
• Better Patient Outcomes for Citizens
• Secure Wireless
• Secure Mobility
• Reliable Client Machines
• Healthcare Community Interoperability
• Inter-jurisdictional Collaboration
• Trusted Digital Communities
Implement Defence in Depth
Engages the entire organization for success
Allows for the allocation of controls outside of IT
Supports a multidisciplinary approach
Legislation
Policies
Procedures
Physical Controls
Native Application Features
Specialized Capabilities
Security and Privacy Foundations
[Figure: timeline with a Security track and a Privacy track. Labels: Security Data Marking; Rules based Approach (Bell-LaPadula, Biba); Risk Management Approach; Threat Risk Assessment; Security Safeguards; Evaluation Scheme; Security Policies; Data Marking For Privacy; Rules based approach; Privacy Legislation; Privacy Enhancing Technologies; Privacy Impact Assessment; Privacy Policies. Years marked: 50BC, 1940, Late 60s, 1973, 1975, 1980s, 1983, 1986, 1993, 1994, 1996, 2001, 2002]
Privacy Challenges
• Spotlight on PIPEDA / PHIPA / FOIPPA
• Policy interpretations are still emerging
• Relationship to Security services misunderstood
• Privacy often implemented in a binary manner
• Privacy Metrics Developing
• Privacy often driven by popular opinion
• Focus on privacy enhancing technologies
Designing for Privacy
• Implement for all privacy principles
• Privacy implementations require defence in depth
• A risk managed approach should be taken
• Solutions must provide privacy policy agility
• Privacy and security must be viewed as related but not dependent
• Use existing technology in privacy enhancing ways
http://www.microsoft.com/downloads/details.aspx?FamilyId=C48CF80F-6E87-48F5-83EC-A18D1AD2FC1F&displaylang=en
Secure against attacks; Protects confidentiality, integrity and availability of data and systems; Manageable
Protects from unwanted communication; Controls for informational privacy; Products, online services adhere to fair information principles
Dependable, Available; Predictable, consistent, responsive service; Maintainable; Resilient, works despite changes; Recoverable, easily restored; Proven, ready
Commitment to customer-centric Interoperability; Recognized industry leader, world-class partner; Open, transparent
Microsoft’s Security Vision is Much More…
Establishing trust in computing to realize the full potential of an interconnected world
Fundamentally secure platforms enhanced by security products, services and guidance to help keep customers safe
Excellence in fundamentals
Security innovations
Best practices, whitepapers and tools
Authoritative incident response
Security awareness and education through partnerships and collaboration
Information sharing on threat landscape
Microsoft’s Security Focus
Engineering for Security
Microsoft’s Security Development Lifecycle
• Corporate process and standard for security in engineering
• Evangelized internally through training
• Verified through pre-ship audit
• The Security Development Lifecycle book
• Privacy Guidelines for Developing Software Products and Services
Shared with ISV and IT development partners
• Documentation and training
• Learning Paths for Security
• Active community involvement
Automated with tools in Visual Studio
• PREfast
• FxCop
Summary of Vista Security
Start More Securely
• Hardware-based Secure Startup
• Bit-Locker Full Volume Encryption
• Code Integrity
Run More Securely
• User Account Protection
• Browser Anti-Phishing and Low-rights IE
• Windows service hardening
Communicate More Securely
• Network Access Protection
• Inbound/outbound firewall
• PnP Simple Smart Cards
• Pluggable Crypto
Stay More Secure
• Anti-malware
• Restart Manager
• Client-based Security Scan Agent
• Fine-grained Audit Control
Mainstream Mobility
Integrated mobile support throughout the platform
• Visual Studio
• Windows Server, Enterprise Servers (SQL, BizTalk, Exchange, MMIS, CMS…)
• Passport, Alerts, Messenger
• Windows Vista, Windows Mobile 5, Smartphone
• Office, MSN …
Comprehensive Security
[Figure labels: Guidance; Developer Tools; Systems Management; Active Directory Federation Services (ADFS); Identity Management Services; Information Protection; Encrypting File System (EFS); BitLocker™; Network Access Protection (NAP); Client and Server OS; Server Applications; Edge]
EHRS Blueprint
Connected Healthcare Framework
Microsoft architecture and solution collateral collected from national eHealth initiatives around the world
Solution patterns, reference architectures, reference implementations and best practices being distilled into a set of eHealth reference architecture collateral
Result will be a core healthcare reference architecture capable of supporting a number of eHealth scenarios
[Figure labels: “Your User Processes”, “Your Business Processes”]
Password Fatigue
Have we been conditioned to be phished?
What is a digital identity?
A set of claims someone makes about me
Claims are packaged as security tokens
Many identities for many uses
Useful to distinguish from profiles
Identity is Matched to Context
In Context
• Bank card at ATM
• Gov’t ID at border check
• Coffee card at coffee stand
• MSN Passport at HotMail
Out of Context
• Coffee card at border check
Maybe Out of Context?
• Gov’t ID at ATM
• SSN as Student ID
• MSN Passport at eBay
1. User control and consent
2. Minimal disclosure for a defined use
3. Justifiable parties
4. Directional identity
5. Pluralism of operators and technologies
6. Human integration
7. Consistent experience across contexts
Join the discussion at www.identityblog.com
The Laws of Identity: An Industry Dialog
Authentication Spectrum
[Figure: authentication spectrum. Labels: Domain Login; Web Self-Asserted Login; X-Forest Trust; Federation; eID; eAuthentication; Employee Network Access; Cross Program Authentication; Business Extranet; Citizen Service Delivery; Interjurisdictional Authentication; Identity Metasystem. Products: CardSpace; ADFS; Domain/Directory Services; Certificate Services; X.500; SQL; LDAP; ERM; CRM]
CardSpace
Helps end users avoid many phishing attacks
Support for two-factor authentication
Secure subsystem
Self-asserted and “managed” identities
Reduces reliance on usernames & passwords
Consistent user interface for login and registration
Grounded in real-world metaphor
Built on Web Services Protocols
Safer
Easier
Returning Identity Control to the End User
An Industry-Wide Activity
Microsoft Regulatory Compliance Guide
Microsoft’s MITS Compliance Planning Guide
The guide identifies specific Microsoft products and services that can be used to help respond to the 120+ mandatory MITS requirements
While this guide is focused on MITS, it is also designed to provide a generic framework that can be used to:
• Evolve with MITS and related GoC IT Security guidelines
• Respond to other guidelines and legislation, not just MITS
• Help non-GoC organizations (Provincial, Municipal, Private Industry)
Table 1 – MITS Mapping (check marks map MITS requirements to the categories below)
MITS requirements listed in the table:
9.1 IT Security Coordinator
9.2 Senior Management
9.3 Departmental Security Officer
9.4 Chief Information Officer
9.5 Business Continuity Planning Coordinator
9.6 Program and Service Delivery Managers
9.7 IT Operational Personnel
9.8 Other Personnel
9.9 COMSEC Custodian
9.10 IT Project Managers
10. Departmental IT Security Policy
11. IT Security Resources for Projects
12.1 Security in the System Development Life Cycle
12.2 Identification and Categorization of Information and IT Assets
12.3 Security Risk Management
12.3.2 Threat and Risk Assessment
12.3.3 Certification and Accreditation
12.5 Vulnerability Management
12.5.1 Vulnerability Assessments
12.5.2 Patch Management
12.6 Segregation of Responsibilities
12.8 Continuity Planning
12.10 Sharing and Exchange of Information and IT Assets
12.11 Departmental IT Security Assessment and Audit
12.11.1 Self-Assessment
12.11.2 Internal Audit
Categories listed in the table:
Document Management
Business Process Management
Project Management
Data Classification and Protection
Risk Assessment
Change Management
Network Security
Host Control
Malicious Software Prevention
Application Security
Messaging and Collaboration
Identity Management
Authentication, Authorization & Access Control
Training
Physical Security
Vulnerability Identification
Monitoring and Reporting
Disaster Recovery and Failover
Incident Management and Trouble-Tracking
Mobile Computing
Microsoft Security Collaboration for Governments
Offerings are designed to address different concerns
Primary Security Concern
• Security of IT deployments
• Product security
• Computing safety
Government Security Program (GSP)
• Source code access
• Certification evidence
• Training
• Feedback
• New - now includes GSHP
Primary audience:
• Policy makers
• Purchasing decision makers
Security mobilization
• Prescriptive guidance via on-line content, CD-ROM, on-line training, service offerings
Primary audience:
• IT managers & professionals
• Developers
Security Cooperation Program (SCP)
• Incident response and public safety collaboration
• Cooperative projects
• Information exchange
Primary audience:
• Policy and national security agencies
• Public safety and incident response agencies
John Weigelt
johnwei@microsoft.com