Single Sign-on for Healthcare
Catherine Waldron, Novell Field Sales Executive
Gabriel Waters, Carefx Channel Director
© March 9, 2004 Novell Inc.
The Healthcare Security Problem
A Multitude of Applications and Access Points
• ICU, Labs, Pharmacy, X-Ray, Billing, Scheduling…
• Kiosks in hospitals and clinics, personal workstations in offices and homes
Patient Safety
• Administration of user ids, passwords, and access across so many applications with such a complex user population is a challenge.
Users Need Easy and Quick Access
• Physicians particularly will not use computerized systems otherwise. Multiple user ids and passwords create security problems and cost time.
HIPAA Regulations
• As many as 150 people including doctors, nurses, x-ray technicians and billing clerks have access to a patient’s medical record. Access must be secure and audited.
Secure Identity Management
User Complexity – Multiple IDs and passwords
The Business Case
“Password management products provide a high, easily demonstrated return on investment (ROI) and meet various business goals, including user convenience, system security and reduced IT or help desk overhead.” (Giga, May 2002)
• A quantifiable ROI can be achieved with Secure Identity Management and CCOW.
• Addresses the HIPAA requirements and minimizes the regulatory impact.
Solution Set
Healthcare Security – Identity Management
User Management
• Users
• Roles
• Security Policies
• Centralized admin
Auditing
• Patient Record Access
• User management
Application Management
• Web model where possible
• Desktop mgmt (ZENworks)
Single Sign-On
• API-Integrated (Carefx)
• Automated (Novell)
• Firewall issues (iChain)
Achieving single sign-on
CCOW-enabled applications provide single sign-on and context management, but the application itself must be CCOW-enabled, which may not make sense for all applications.
Single sign-on products provide single sign-on to legacy applications, but aren’t CCOW-aware.
Until now …
The Novell® & Carefx solution – Providing single sign-on to health care
By bringing together enterprise single sign-on and context management, organizations can have single sign-on to all their applications.
Novell and Carefx solution features
User logs in once
• User gets single sign-on to all CCOW and non-CCOW applications
• Fusion User Channel sets user context for CCOW applications
• Novell SecureLogin sets user context for non-CCOW applications
CCOW user authentication application
• Obtains user id from Novell Client™ for Windows (configurable)
• Or can obtain user id from Microsoft Windows™ login
• Leverages familiar Windows and Novell login
How we enable single sign-on
Novell SecureLogin for enterprise applications
• Web
• Windows
• Terminal server/Citrix
• Host/Terminal Emulator-based
• Java applications and applets based on Swing and AWT
Carefx Fusion User Channel
• CCOW enabled applications
How it works: Login experience – before NSL
[Diagram: Client Workstation and Application Server]
1. Launch Application
2. Credential Challenge
3. Provide Credentials / Log-in
4. Application Starts
How it works: Login experience – with NSL
[Diagram: Client Workstation, Directory and Application Server]
1. Authenticate to eDirectory
2. SecureLogin retrieves credentials from directory
3. Launch application
4. Credential challenge
5. NSL presents credentials to application
Management of unique credentials
Does this mean I have one userid and password for all the applications that a user may access?
• No, Novell SecureLogin manages a unique set of credentials for each application the user accesses
• Passwords are not synchronized, allowing the enforcement of a password policy specific to each application
• One userid and password is used to authenticate to the directory and the user’s credential store
Defends against the rogue administrator
How does Novell SecureLogin defend against the rogue administrator?
• When a user’s eDirectory password is reset, access to the application secrets is locked
• The user must provide a pass phrase answer to gain access to the secrets, or
• SecretStore administrator can unlock passwords
• If an administrator were to try to copy a user’s secret to another user object, the secrets are locked
• Credentials are encrypted with 168-bit 3DES encryption with a unique key for each credential
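A minimal model of the lock rules listed on this slide, added here as an illustration; it is not Novell's code and does not reproduce SecretStore's implementation. The class and method names, the DNs and the sample values are hypothetical, and the per-credential 3DES encryption is left out so that only the locking behaviour is shown.

```python
import copy
import hashlib
import hmac
import os


class CredentialStore:
    """Hypothetical model of one user's credential store (encryption omitted)."""

    def __init__(self, owner_dn, passphrase_answer):
        self.bound_dn = owner_dn   # user object the secrets were created for
        self.locked = False
        self._salt = os.urandom(16)
        self._answer = self._digest(passphrase_answer)
        self._secrets = {}         # application -> (userid, password)

    def _digest(self, text):
        # Keep only a salted, stretched hash of the pass phrase answer.
        return hashlib.pbkdf2_hmac("sha256", text.encode(), self._salt, 100_000)

    def add(self, app, userid, password):
        self._secrets[app] = (userid, password)

    def get(self, app):
        if self.locked:
            raise PermissionError(f"secrets locked: {app}")
        return self._secrets[app]

    def password_changed(self, changed_by_dn):
        # A reset by anyone other than the owner locks the application secrets.
        if changed_by_dn != self.bound_dn:
            self.locked = True

    def copied_to(self, other_dn):
        # Secrets copied onto a different user object arrive locked.
        clone = copy.deepcopy(self)
        clone.locked = self.locked or other_dn != self.bound_dn
        return clone

    def unlock_with_passphrase(self, answer):
        ok = hmac.compare_digest(self._digest(answer), self._answer)
        if ok:
            self.locked = False
        return ok

    def unlock_by_secretstore_admin(self, is_secretstore_admin):
        # Distinct role from the directory admin who can reset passwords.
        if is_secretstore_admin:
            self.locked = False
        return not self.locked

    def readable(self, app):
        return not self.locked and app in self._secrets


def rogue_admin_scenario():
    """Constructed walk-through; DNs, userid and answer are made up."""
    user, admin = "cn=kevin,o=hospital", "cn=admin,o=hospital"
    store = CredentialStore(user, "constructed answer")
    store.add("NorthMed-Labs", "kevin01", "example-only")
    seen = {}
    store.password_changed(user)
    seen["own change"] = store.readable("NorthMed-Labs")
    store.password_changed(admin)
    seen["admin reset"] = store.readable("NorthMed-Labs")
    seen["wrong answer"] = store.unlock_with_passphrase("guess")
    seen["right answer"] = store.unlock_with_passphrase("constructed answer")
    seen["copied"] = store.copied_to(admin).readable("NorthMed-Labs")
    return seen
```

The point for a reviewer is that the right to reset a password and the right to read application secrets are separate: a reset alone never yields a readable store.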
Protects access to the applications
How does Novell SecureLogin prevent inappropriate access to applications?
• When used with NMAS™, the AAVerify capability enables NSL to challenge for another authentication before SecureLogin will pass the credentials to the application
• Supports any combination of Novell Modular Authentication Service partners: biometric, smart card, token, digital certificate, proximity card, or password for authentication
• Provides password policy enforcement
Secure Workstation
With the Secure Workstation component of SecureLogin...
• Administrators can set up policy in the directory to secure the workstation
• Automatically lock the workstation based on a trigger such as
  ‐ Inactivity
  ‐ Proximity card removal
  ‐ Smart card removal
  ‐ Single click
• Automatically shut down applications, log out the user, and present a new login dialog for the next user
Quick login/logout
With the Quick Login/Logout GUI, users can...
• Log in or out with a single event
  ‐ Proximity card removal
  ‐ Smart card removal
  ‐ Single click
• Have applications automatically closed and the user logged out
Clinical Context Object Workgroup (API-Integrated Single Sign-On)
Health Level 7 (HL7) Standard (ISO Organization)
Context Management Architecture
Synchronize participating applications at the point of use by establishing a common clinical context
• The user accessing the applications
• The patient whose data the user is accessing
• A particular encounter the user is accessing
• Other relevant clinical ‘subjects’
The application must be ‘CCOW-enabled’
Carefx Context Manager
Carefx provides a context manager implementing the HL7 CCOW standard that
• Synchronizes diverse applications around a common clinical desktop context
• Enables users to control the context, creating a patient-centered, user-driven clinical workspace
• Coordinates fat client, Citrix/WTS, and web-based applications on the same desktop
• Provides single sign-on and common patient selection to CCOW-enabled applications
Fusion User Channel user experience
Kevin’s Windows desktop appears.
2. Kevin starts NorthMed-Labs. Kevin’s user id is already set.
Fusion User Channel client setup
Fusion User Channel is installed on each client desktop.
Fusion User Channel (Fuser) shortcut is installed in Startup Folder for All Users.
At Windows login time, Fusion User Channel starts, locates the context manager, joins the context and sets the user to the Novell login id.
Setup
Login script edited to start Fusion User Channel Sync (FuserSync) when a Novell login occurs. This program will notify Fusion User Channel of the login event.
ConsoleOne is used to set up the Novell login script for users.
API-Integrated Single Sign-On With Carefx’s Context Manager (CCOW Standard)
Login to 1 app, no login prompt for other apps
No script necessary
Applications must be CCOW enabled (to talk to Context Manager)
Applications can switch to new user on the fly
HL7 Standards based (Clinical Context Object Workgroup)
[Diagram: Client Workstation and Context Manager]
1. Launch application
2. Application obtains user id from context manager
3. A new user logs in, all applications switch to new user.
Automated Single Sign-On With Novell Secure Login (NSL)
Must create single sign-on script for each application
Suitable for legacy applications that will not be upgraded
[Diagram: Client Workstation and Directory]
1. Launch application
2. Credential challenge
3. NSL retrieves credentials from directory
4. NSL fills in credentials
Mixed Single Sign-on Solution
Mixed environment of automated and API-integrated single sign-on apps
Combines Novell and Carefx technologies
[Diagram: Client Workstation, Directory and Context Manager]
1. User logs in to Directory and user id is sent to Context Manager
2a. User launches an automated single sign-on app, NSL fills in credentials
2b. User launches an API-integrated single sign-on app, app fetches user id from Context Manager
Novell/Carefx architecture
[Diagram. Layers: Authentication; Applications & Context Management; Provisioning. Components: Novell iChain; Novell SecureLogin; Novell Modular Authentication Service; Browser-based apps; Carefx User Channel; CCOW app; Carefx Context Manager; Non-CCOW Web, Win32, Citrix/TS, and host-based apps; Novell Nsure Resources/DirXML]
Fusion Architecture With Novell SSO
[Diagram. Components: Client Box; Web App and Win32 App, each with a CCOW I/F; Fusion User Channel (CCOW I/F, Novell I/F); Fusion User Channel Sync; Fusion Context Server (CCOW Context Manager); CM-Proxy; CM-Director; Novell eDirectory™ (LDAP). Connection labels: COM, Http, NDS/LDAP]
• Fusion User Channel: Obtains the Novell login through system calls. Sets the user context.
• Fusion User Channel Sync: Executes when Novell login occurs and notifies Fusion User Channel.
Novell Single Sign-on Architecture
[Diagram. Components: Directory Server (Corporate Scripts, Password Policies, User Scripts, User Credentials); SecureLogin Client (Main Module, TLaunch, Notes, Script Engine, WinSSO, WebSSO); Fusion User Channel; Local cache; iChain® Proxy; Browser; Web Server 1, Web Server 2, Web Server 3; Context Manager (User and Patient Context); Fusion CM Director]
Why Carefx and Novell? Experience
Domain Knowledge
• Healthcare Information Systems
• Over 100+ collective years of experience in the health care industry
Understanding of Clinical Environment
• A common goal of designing solutions that help clinicians navigate more easily and securely to their applications and data
• Market focused solution
Breadth of Solutions
• Secure Access Solution to network and applications
• Portal Infrastructure --- Real-time access to specific patient information
• Partners with the leading HIT and access vendors
Why Carefx and Novell? Experience
Implementation Success
• Carefx and Novell will work with you to ensure a successful implementation
• Carefx assigns project managers whose sole responsibility it is to see that the project is a success
• Strong client references
Partnerships
• Strong partnerships with key vendors
Why Carefx and Novell? Features
Improved End-User Experience
• Graceful logoff allows automated or single event-trigger logout of a user from all applications leveraging that application’s native mechanism
Application Support
• Novell’s maturity as a single sign-on vendor results in application support that surpasses the competition’s
  ‐ Supports more terminal emulators, Java applications, Win32, and web applications
  ‐ Has provided single sign-on to more applications than the competition
  ‐ Supports complex application characteristics such as combo boxes, drop down lists, radio buttons, and menu items
  ‐ Supports recognition of multiple and/or subsequent events within an application
Why Carefx and Novell? Architecture
Directory integration
• The competition requires an identity store separate from your existing directory infrastructure
  ‐ All the directory design must be recreated for a proprietary directory that is far inferior to the leading directories on the market
  ‐ Multi-master replicas
  ‐ Partitioning
• Carefx and Novell use your existing LDAP directory
  ‐ Allows your organization to leverage best of breed directory
Citrix/Netilla/Terminal Server
• For those environments where a workstation can’t have client software and must provide access to the Citrix/Terminal Server environment
  ‐ The competition requires software on the client
  ‐ Carefx and Novell can provide full functionality in the Citrix environment without software on the client
  ‐ Roaming sessions
Hardware
• Carefx and Novell are flexible with hardware requirements and support most server class hardware configurations
Why Carefx and Novell? Architecture
Context Management Performance
• The competition’s architecture requires that all communication with the context manager go through the primary server
  ‐ This has proven to be a bottleneck for customers
  ‐ Creates a single point of failure
• The Carefx architecture allows clients to communicate with any available context manager
Scalability
• The competition’s architecture only supports vertical scaling
  ‐ Adding bigger servers
• The Carefx and Novell architecture supports vertical AND horizontal scaling
  ‐ Adding bigger and more servers
Fault Tolerance
• If one of the competitor’s servers goes down, a standby/hot swap server must be manually booted
• If a Carefx or Novell server goes down, clients will automatically be redirected to other servers online
Why Carefx and Novell? Architecture
Administration
• The competition’s architecture requires the administrator to connect to the client device to configure
• Carefx and Novell can provide automatic upgrades to client workstations and will work with the leading application delivery vendors
Client Impact
• The competition requires that their client and GINA be installed on the desktop in order to provide single sign-on to non-CCOW applications.
  ‐ No support for third party advanced authentication vendors
  ‐ All GINA-based services dependent on a standard client fail
Question and Answer
General Disclaimer
This document is not to be construed as a promise by any participating company to develop, deliver, or market a product. Novell, Inc., makes no representations or warranties with respect to the contents of this document, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Novell, Inc., reserves the right to revise this document and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. All Novell marks referenced in this presentation are trademarks or registered trademarks of Novell, Inc. in the United States and other countries. All third-party trademarks are the property of their respective owners.
No part of this work may be practiced, performed, copied, distributed, revised, modified, translated, abridged, condensed, expanded, collected, or adapted without the prior written consent of Novell, Inc. Any use or exploitation of this work without authorization could subject the perpetrator to criminal and civil liability.