Strategic Planning For Identity Management

Keith Squires, President and CEO PathMaker Group

Strategic Identity and Access Management projects can be difficult and the new challenges with mobile, social, and cloud compound the problem. Protecting the perimeter is not enough anymore. Safeguarding identities are the key to a truly secure enterprise.

The industry has seen way too many train wrecks with IAM. To get beyond basic capabilities and really use IAM systems as a foundation for strategic IT, a company MUST take the time up front to consider the long-term plan. Near-term, immediate priorities can be solved with client-based single sign-on, basic provisioning, simple roles and audit reports. But with a short-term (and maybe short sighted) plan, a company can just as easily limit their ability to solve more complex problems.

IAM in the Cloud is all the rage in the press these days. Surely this approach will fix the problems! Although some aspects of managing an IAM solution can be improved by outsourcing the infrastructure, many other areas within the organization need to line up to make it work. IAM in the Cloud is no silver bullet. A company still has to fix broken business processes. Trying to define, streamline or automate these processes simply brings many current flaws into focus.

Foundational capabilities, architectures, and processes take time to get right. And even when you get it right, organizational adoption is not guaranteed. A company needs CIO-level support, a champion who really understands and advocates for improvement, and a support staff that can really execute to make it happen. And even when everything lines up, unfortunately we’ve seen management changes frequently upset a plan well before it takes hold.

Many companies may decide to choose a perceived safe route and hire the software vendor to also implement the solution. This can work, but we’ve also seen plenty of attempts end with less than stellar results. Does the vendor have a strong, proven implementation methodology, experienced architectural skills, long-term resource teams who have a history working well together? More often than not, a client expecting an experienced cohesive team ends up with a quickly assembled group of contractors from any number of staffing agencies. And even if a strong group of technical resources is assembled, they must also have the analytical skills to identify and solve broken business process issues.

PathMaker Group has been working hard as a systems integrator since 2003. Those early years we spent some time learning and shaping the way we approached these projects. The next few years we worked hard to hire, train and build a long-term staffing model. The last few years we have hit a stride where we have done some of the best work in our history. I would venture to say some of the best work in the industry. Our recent projects have been some of the most involved, complex, and yet still successful, in our ten years of helping our clients.

We have had our hands in almost every IAM vendor solution. These solutions continually evolve with the market and the needs of the customer. New vendor products continually emerge. These market leading products from SailPoint, IBM, Oracle, Centrify and others are extremely capable and complex. Staying current requires the committment to continually train our people. It takes significant investment to learn new vendor products, but this is what our customers require of us as a great partner with the right professional skills.

But implementation problems can occur even with good software solutions. Long-term planning, strong architectural guidance, proven implementation skills, a company champion with management backing these are all essential in the success of a strategic IAM program. If your company can get there, the benefits of a foundational, strategic IAM solution will be clear and your organization will line up to get on board.

Read More

 

Overcoming the Complexities of Securing Health Data

The healthcare industry is rapidly evolving. Among the many significant industry changes are the ongoing mergers and acquisitions, the proliferation of accountable care organizations, and the integration of multiple health IT vendors into day-to-day hospital operations. Couple these changes with the fact that more patients are accessing their healthcare records electronically, and providers must cope with growing demand for sharing highly-sensitive patient data between organizations and individuals. However, with increasing demand comes increasing risk, particularly with information security and regulatory compliance. To ensure timely and proper access to applications, files and data, providers must navigate through a myriad of hurdles.

Multiple Authoritative Sources

Many provider organizations have multiple authoritative sources including human resource applications (HR), electronic health record systems (EHRs), learning management applications (LMS) and physician credentialing applications often referred to as MSOW. These and other systems and applications are deemed by the provider organization as the true source for defining user identity and access rights. However, having to manage multiple identity sources and their access rights creates difficulty in ensuring consistent execution of policies and resource optimization.

Diverse User Population

Within the healthcare-provider setting, there is typically a diverse and transient population that requires access to health information as part of their regular workflow. This may include hospitalists, employed staff, contracted physicians, students, volunteers, vendors, etc. Ensuring the right people have the right access at the right time is a daunting task. However, the consequences for not doing so can create security gaps with serious financial and operational repercussions.

Multiple Roles (Personas)

Personas – individual roles or bundles of entitlements – help to build an identity by defining the different ways in which an individual engages a provider organization. In some cases, an identity may have multiple personas. Consider the healthcare provider ecosystem where physicians, nurses, professors, researchers, contractors, volunteers and students are just a handful of job functions that may be present in one hospital. Yet many individuals can perform more than one function during any given day. To illustrate, a unit clerk in the emergency department may also be a nursing student who is doing a clinical rotation in the ICU. A physician may have an outpatient clinic in the morning and perform research work in the afternoon. Also, nurses may float between departments. To complicate matters, many of these functions can be transient.

Disparate Processes

User access is not always managed by any single department or team. At the same time, it is often managed through functionality native to the specific application. This creates disparity in processes that lead to security gaps and unnecessary burden on IT administrators and application owners. From a workflow perspective, the disparate systems and processes could affect clinical care. For instance, due to accidental oversight, a contracted physician may be given access to the EHR, but not the enterprise content management system where scanned clinical media and photos are stored. As a result, the physician’s efforts to fully-understand a patient’s condition and provide timely care may be delayed.

How to Effectively Address the Complexities

Identity governance is the key to enabling the organization with a single centralized view of an individual identity’s access across the provider organization. It streamlines
processes for determining who should have access to what and when. Identity Governance enables providers to achieve the following:

DISCOVER: Gain visibility and control of the entire spectrum of diverse data users
• Discover and determine who has access to what, when, and how access is to
be granted.
SIMPLIFY: Create a simplified and consistent approach to allow for multiple and desperate authoritative sources
• Eliminate difficulties in ensuring consistent execution of security access policies.
MANAGE: Organize multiple personas of any single identity.
• Avoid critical security gaps (such as segregation of duty violations) that may occur
particularly in the provisioning and deprovisioning process.

Through identity governance, providers can better cope with the complexities associated with the current healthcare IT ecosystem, and successfully scale to future requirements.

To get more details about identity governance for the healthcare environment, Contact PathMaker to coordinate a free demonstration.

 

Source: SailPoint eBook Overcoming the Complexities of Securing Health Data © 2017 SailPoint Technologies, Inc.