1
Identity Management: Challenges and Opportunities
Session #213, February 22, 2017
Brian Decker, MBA, CISSP, PMP
Muna Khan, MBA, MPH, CSSBB, CPHIMS
2
Speaker Introduction
Brian Decker, MBA, CISSP, PMP
Senior Manager, Identity and Access Management
Office of Information Security
Mayo Clinic
Muna Khan, MBA, MPH, CSSBB, CPHIMS
Sr. Principal Health System Engineer
Management Engineering and Internal Consulting
Mayo Clinic
3
Conflict of Interest
Brian Decker, MBA, CISSP, PMP
Muna Khan, MBA, MPH, CSSBB, CPHIMS
have no real or apparent conflicts of interest to report.
4
Agenda
• Learning Objectives
• Key Takeaways
• Definitions
• STEPS
• Problem Statement
• Identity Management Program
• Organizational Change Management/Communications
5
Learning Objectives
• Explain the importance of identity management as a central tenet of an organization's security strategy
• Discuss the opportunities and challenges in creating an identity management program
• Describe the process of establishing an identity management program with effective governance
• Demonstrate the challenges encountered in implementing an identity management system
• Identify organizational change management and communications challenges with new identity management operational infrastructure
6
Realizing the Value of Health IT Through Identity Management
• Satisfaction
• Providing the right access to the right users at the right time allows users to be functional and effective in their work (as quickly as possible)
• Providing managers with the appropriate tools to manage access
• Savings
• The wrong user or a compromised credential getting access to critical data (patient/financial) poses a significant risk to organizations
7
Key Takeaways
• Identity and access management is central to reducing organizational risk, both internal and external.
• Long-term success comes from identity and access management being a business initiative, not a technology project.
• Understanding identity relationships is an important first step in planning an effective program
• Governance must align with business initiatives and identified risks.
• Work hard to know how the organization works to create a long-term sustainable program (think: lifestyle change)
8
Identity Management System
• An Identity Management System is any system that creates, issues, uses, and terminates electronic identities. In other words, an Identity Management System provides lifecycle management for the digital credential sets that represent electronic identities.
- NIST, http://csrc.nist.gov/groups/SMA/ispab/documents/minutes/2009-04/ispab_apopowycz_april2009.pdf
9
Identity and Access Management
• An identity and access management (IAM) system is a framework for business processes that facilitates the management of electronic identities.
- TechTarget, http://searchsecurity.techtarget.com/definition/identity-access-management-IAM-system
• Definition simplified:
Ensuring the right “subjects” have the right access to the right “objects” at the right time and nothing else.
10
Healthcare is being targeted (slide of news headlines):
• Computer Viruses Are "Rampant" on Medical Devices in Hospitals
  https://www.technologyreview.com/s/429616/computer-viruses-are-rampant-on-medical-devices-in-hospitals/
• FDA Safety Communication: Cybersecurity Vulnerabilities of Hospira Symbiq Infusion System
  http://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm456815.htm
• Cyberattack at Appalachian Regional Healthcare keeping EHR down after six days
  http://www.healthcareitnews.com/news/cyberattack-appalachian-regional-healthcare-keeping-ehr-down-after-six-days
• FBI Investigating: Hollywood hospital pays $17,000 in bitcoin to hackers
  http://www.latimes.com/business/technology/la-me-ln-hollywood-hospital-bitcoin-20160217-story.html
• MedStar Health turns away patients one day after cyberattack on its computers
  https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html?utm_term=.62e32cd980f9
• More Than 11 Million Healthcare Records Exposed in June 2016
  http://www.hipaajournal.com/major-2016-healthcare-data-breaches-mid-year-summary-3499/
11
Today’s Hostile Environment
• Threat actors have multiple levels of skills
• Insiders (Current & Ex)
• Script Kiddies
• Hacktivists
• Organized Crime
• Nation State
• Active adversary must be assumed
• Unlimited time and resources
• Skill level to cause harm is going down
• Tools to compromise and harm systems are readily available and cheap (free)
• Harm or disruption could be deliberate or collateral
• We are way past relying upon firewalls
12
Attack Motivations
• Revenge
• Personal Gains
• Bragging Rights / Status
• Expression of Political or Social Views
• Intellectual Property Theft
• $$$$$ (ransomware, theft, etc.)
• Identity Theft – Financial / Medical
13
Threats to Identity and Access
• Nation State
• Organized Crime
• Hacktivists
• Individuals
• Insiders
• Snoopers
• Phishing (to get credentials)
• Lateral movement (using credentials to move around and find data)
• Malware (use credentials to get foothold)
• Ransomware (use credentials to access and then encrypt data)
• Viewing sensitive data (use access inappropriately)
• Drug diversion (inappropriate access)
• Etc.
14
Simplified Problem Statements
• Who actually are our users?
• Are they appropriate users?
• Who has access to what and why?
• Who is accountable for user’s access?
16
Real World Scenarios
• Identities have different relationships to Mayo Clinic depending upon their immediate needs. The different relationships require appropriate and specific levels of security.
• Example 1:
1. Physician – outpatient clinic in the AM & PM
2. Physician – surgery late AM
3. Physician – administrative leader at noon
4. Physician – researcher late afternoon
5. Physician – professor in the evening
• Example 2:
1. RN – Hospital nursing primary job function (with floating)
2. RN – Nurse Anesthetist in School of Health Sciences
17
Identity & Access as a Central Tenet of Information Security
• Business enabler – the right access to the right information
• Can’t manage what you don’t know or can’t see – what identities actually have access to
• Enables visibility and transparency
• Drives accountability
• Requires organizational behavior change
18
Identity Management Program
Mayo Clinic began creating our Identity Management Platform to support all population types across all sectors (B2E, B2B, B2C)
Primary objectives:
1. Security
2. Experience
3. Scalability and Sustainability
Core elements:
1. Identity and Account Management
2. Authorization and Access Management
3. Authentication Centralized
4. Accountability - Access Certification / Validation
19
Common Challenges
Identity and Population Management: knowledge and appropriate management of user populations; appropriate roles
Accountability / Audit: holding managers, role owners and data owners accountable for access and access decisions
Account and Credential Management: privileged accounts (IT and other users); appropriate authentication
Access Management: appropriateness; authorization; identity lifecycle (joiners, movers and leavers); lack of access visibility into platforms and applications
20
Identity Relationships (diagram): the Individual at the centre, linked to Employee, Friends, Customer, External Partners, Research Partners, Collaborators, Allied Health Contacts, Information Seekers, Web site Visitors, Patients, etc.
21
Identity and Population Management
Diverse Challenges: Populations
What people do
Where people do it
Multiple personas
Multiple types of accounts
Multiple managers
Thousands of applications
22
Employee Populations (diagram of unique job families, sized by job class: > 3K, 1K-3K, < 1K): Allied Health, Allied Health 2, Consultant, Research Associate, Clinical Resident, Hospital Resident, Spec. Project Resident, Graduate Students, Health Sciences, Medical School, Union, Visiting Scientist
23
Non-Employee Populations (diagram centred on an Identity Hub): Visiting Clergy, External Access to Medical Record, Emeritus Staff, Volunteers, Non-Employees – All Sites, Convent Residents, Site Specific Nursing Homes, Site Specific Nursing Students, Visiting Scientists & Appointments, IT Contractors, Some Interns, Vendors, Public Committee Member, Contract Physicians, Health Club
***100+ non-employee populations
24
Mayo Clinic Departments (diagram: from Drs. Will & Charlie in 1900 to 13 numbered departments by 1925 and 42 by 2015)
Departments shown: Neurology, Dental Specialties, Dermatology, Emergency Med, Family Med, Medical Genetics, Internal Medicine, Oncology, Physical Med, Psychiatry & Psychology, Radiation Oncology, Radiology, Anesthesiology, Neurosurgery, Obstetrics & Gynecology, Ophthalmology – Head & Neck Surgery, Orthopedics, ENT, Surgery, Urology, Anatomy, Biochemistry & Molecular Biology, Comparative Med, Health Sciences Research, Immunology, Lab Med & Pathology, Molecular Med, Molecular Pharm, Physical & Biomedical Engineering, Nursing, Development, Education Admin, Finance, Environmental Services, Planning Services, Public Affairs, Legal, Research Admin, Mayo Health System Admin, Human Resources, Finance, Facilities & Support Services
25
Growth of Subspecialties
at Mayo Clinic
(diagram, same layout as the Departments slide: Drs. Will & Charlie in 1900; 13 numbered departments by 1925, IM (Internal Medicine) among them; 42 by 2010, with the Clinical departments numbered 1–13 and CV (Cardiovascular) among them; Internal Medicine Divisions numbered 1–26; Cardiovascular Subspecialties, + 13 Specialty Labs)
Cardiovascular subspecialties shown: Cardiomyopathy, Coronary Physiology & Imaging, Cardiovascular Health, Chest Pain & Coronary Physiology, Congenital Heart Clinic, Electrophysiology, Counterpulsation, Heart Failure, Heart Rhythm Center, Implantable Device Clinic, Pericardial Disease Clinic, Pediatric Cardiology, Pulmonary Hypertension, Thrombophilia Center, Transplant, Cardiovascular Radiology, Ulcer & Wound Care Clinic, Valvular Heart Clinic, Vascular Medicine, Women’s Heart Clinic, Cardiovascular Molecular Biology, Cardiovascular Epidemiology, Marfan Clinic, Nuclear Cardiology, Cardiovascular Surgery
26
Identity, Persona & Roles
(diagram: three tiers, Identity → Persona → Role)
Traditionally, IAM systems naturally model identities and roles, but not persona: a 2-tier model.
How do we map 3 tiers to 2 tiers?
Additionally, how do we bound approvals, certifications and reporting to the appropriate tier?
27
Role Based Access Control Model
• IAM tool manages business and functional roles
• IAM tool is aware of application roles (as entitlements) via business logic and performs user assignment through provisioning
28
Enterprise Role Framework (diagram; tiers left to right)
Organizational Level Role: Organizational - Allied Health; Organizational - Consultant
Business Level Role: Cardiology - Nurse; Cardiology - Surgeon
Birthright: RST-AH; RST-CN
Enterprise Roles → Application Specific (Business Application Role; Entitlements / Permissions) → Provisioning Role, per system:
• System - Epic: EP-Template 123, EP-Sub-Temp 123, App role ABC, App role XYZ; EP-Template 987, EP-Sub-Temp 678, App role MNO, App role JKL
• System - AD: Group XYZ, AH Employee, CN Employee, Group DEF
• System - WTK; System - EDPAR; System - etc.
ETC. ETC.
29
3-Tier Access Control Model
Gaining Electronic Access:
1. Birthright Roles & Attributes
2. Business Roles
3. On-Demand “Shopping Cart”
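The physician with five personas on the Real World Scenarios slide, the 3-tier Identity → Persona → Role question on the Identity, Persona & Roles slide, the Enterprise Role Framework and the 3-Tier Access Control Model above all describe one data structure. Below is that structure as an added worked example; it is not code from the Mayo Clinic program or from the slides. Every job family, site code, role, owner and "System:entitlement" name in it is an assumption chosen to echo the framework diagram, and a real IAM tool would hold these in its role catalogue and connectors rather than in Python dictionaries.

```python
# Added example, not from the Mayo Clinic deck: a toy resolver for the deck's
# identity -> persona -> role structure on the 3-tier access model (birthright,
# business roles, on-demand). All job family, role and "System:entitlement"
# names are made up.
from dataclasses import dataclass, field

# Tier 1 (birthright): enterprise roles from organizational attributes alone.
BIRTHRIGHT = {
    ("Consultant", "RST"): {"RST-CN"},
    ("Allied Health", "RST"): {"RST-AH"},
}
# Tier 2 (business/enterprise roles) -> application-specific entitlements.
ROLE_ENTITLEMENTS = {
    "RST-CN": {"AD:CN Employee", "Epic:EP-Template 987"},
    "RST-AH": {"AD:AH Employee", "Epic:EP-Template 123"},
    "Cardiology-Surgeon": {"Epic:EP-Sub-Temp 678", "AD:Group XYZ"},
    "Research-PI": {"EDPAR:Investigator"},
    "Faculty": {"WTK:Instructor"},
}
# Tier 3 (on-demand "shopping cart"): never bundled into a role, each grant
# needs an individual approval by the persona's owner.
ON_DEMAND = {"Epic:App role MNO", "Epic:App role JKL"}


@dataclass
class Persona:
    """One relationship an identity has with the organization."""
    owner: str                                   # accountable approver/certifier
    business_roles: set = field(default_factory=set)
    approved_requests: set = field(default_factory=set)


@dataclass
class Identity:
    uid: str
    job_family: str
    site: str
    personas: dict = field(default_factory=dict)  # persona name -> Persona


def birthright_roles(ident):
    return set(BIRTHRIGHT.get((ident.job_family, ident.site), ()))


def entitlements_by_tier(ident):
    """Flatten identity/persona/role into the identity -> entitlement view a
    2-tier IAM tool provisions, keeping the persona that justified each grant
    so approvals and certifications stay bounded to that persona."""
    tiers = {"birthright": set()}
    for role in birthright_roles(ident):
        tiers["birthright"] |= ROLE_ENTITLEMENTS[role]
    for name, persona in ident.personas.items():
        ents = set()
        for role in persona.business_roles:
            ents |= ROLE_ENTITLEMENTS[role]
        bad = persona.approved_requests - ON_DEMAND
        if bad:  # an approval outside the catalogue is a bypass, not a grant
            raise ValueError(f"not an on-demand entitlement: {sorted(bad)}")
        tiers[name] = ents | persona.approved_requests
    return tiers


def effective_entitlements(ident):
    return set().union(*entitlements_by_tier(ident).values())


def certification_lines(ident):
    """(owner, persona, entitlement) rows: each owner certifies only the grants
    their persona justified; birthright rows go to the IAM platform."""
    rows = []
    for name, ents in entitlements_by_tier(ident).items():
        owner = "IAM platform" if name == "birthright" else ident.personas[name].owner
        rows.extend((owner, name, e) for e in sorted(ents))
    return rows


def end_persona(ident, name):
    """Mover: retire one persona; return only the entitlements no remaining
    persona or birthright role still grants (what to deprovision)."""
    before = effective_entitlements(ident)
    del ident.personas[name]
    return before - effective_entitlements(ident)


def leave(ident):
    """Leaver: all personas end and birthright no longer applies."""
    ents = effective_entitlements(ident)
    ident.personas.clear()
    ident.job_family = "Terminated"
    return ents


def example_physician():
    """Constructed sample: the deck's physician who is surgeon, researcher and
    professor in one day."""
    doc = Identity("dr1", "Consultant", "RST")
    doc.personas["surgeon"] = Persona("Chair, CV Surgery", {"Cardiology-Surgeon"},
                                      {"Epic:App role MNO"})
    doc.personas["researcher"] = Persona("Research Admin", {"Research-PI"})
    doc.personas["professor"] = Persona("Education Admin", {"Faculty"})
    return doc


if __name__ == "__main__":
    doc = example_physician()
    for owner, persona, ent in certification_lines(doc):
        print(f"{owner:18} {persona:10} {ent}")
    print("deprovision when surgery ends:", sorted(end_persona(doc, "surgeon")))
```

Running it prints the certification rows grouped by accountable owner and then the set to deprovision when the surgeon persona ends. The reason to resolve per persona rather than flattening straight to identity → entitlement is visible in the mover case: only entitlements no other persona still justifies are removed, and each role owner certifies only their own tier, which is the bounding the Identity, Persona & Roles slide asks about.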
30
The Role of Identity and Access Governance
• Understand and prioritize IAM related risks and business drivers
• Own identity-related policies
• Ensure risks and drivers are staged and addressed
• Drive the platform and IAM security services into the business and technical environment
• Stakeholder management and communication
31
How do we make change happen?
• Organizational Change Management
– Stakeholder Analysis
– ADKAR
• Communications, Communications, Communications
• Sr. Leadership support, engagement and visibility
32
Organizational Change Management
• Establishing new norms
– Creating a culture of accountability and audit
• Functional role owners
– Behavioral changes
• Supervisors/managers
• Users
• Applications teams (IT/Security Administrators)
33
New Roles & Responsibilities
• Information Technology & Information Security
– Provide the necessary tools and policies to maximize security within the organization
– Compliance with new application access protocols
– Participating in roles and application access rights definition
• Business Leaders
– Take full ownership in definition and refining functional roles within organization
– Hold managers/supervisors accountable for access provisions
• Institutional Leaders
– Support an environment for IAM to take hold as a central tenet of security
34
Realizing the Value of Health IT Through Identity Management
• Satisfaction
• Providing the right access to the right users at the right time allows users to be functional and effective in their work (as quickly as possible)
• Providing managers with the appropriate tools to manage access
• Savings
• The wrong user getting access to critical data (patient/financial) poses a significant risk to organizations
35
Questions
Thank you!
(Please complete online evaluations)