RisknCompliance Blog

Thoughts On Delivering Meaningful Outcomes in Security and Privacy

Tag: Access Governance

Docs turn up the heat on ONC! – Security Commentary

HealthcareITNews reported yesterday on this letter that was written by several physician organizations to the ONC.

I wanted to write a couple of quick thoughts on the security aspects raised in the letter. I highlighted relevant parts on pages 1 and 2 of the letter with annotations #1, #2 and #3.

Here then are my thoughts on the three items…

#1
We agree with this point. We have talked about our security related concerns around the EHR Certification process and the Meaningful Use program previously. Here and here are a couple of posts for example.

The first link has our commentary we published on the OIG report being referred to in the letter.

The second linked post on Patient Portals has specific details of our thoughts on the security criteria in the MU and Certification programs. We also discussed specific due diligence recommendations for providers. These recommendations should also apply to Electronic Health Records (EHRs) for the most part.


#2 and #3
These two paragraphs in the letter speak to the Identity and Access Management (IAM) related concerns, in particular around stronger authentication and usability.

We couldn’t agree more on these points. I am also glad the letter highlights the need for strong authentication.

It is no secret that IAM programs in general haven’t lived up to the promise and expectations. Healthcare provider settings in particular provide specific challenges, primarily because of the need for IAM to really be “transparent” and support clinical workflows seamlessly. We know this continues to be a challenge at most healthcare provider organizations. The point being made in the letter should come as no surprise to anyone.

In our view, an effective solution to this problem requires the IAM/HealthIT product vendors as well as IAM/Security consultants to “up” the game.

And then, healthcare providers (especially the larger ones, who have the power and influence to move their vendors to act) have an important role to play in bringing the IAM and HealthIT vendors to the table so we have viable technology options available to us. We first talked about it at this webinar back in 2013, but I don’t think we are anywhere close to seeing viable technology options yet in leading vendor solutions.


In summary, I think these security related arguments being made in the letter are very valid. However, I am not sure how much ONC can do to move us forward. At best, I think the ONC can only “take the horse to the water” as it were. I really think we need both the IAM and HealthIT vendors to step up and collaborate actively to deliver viable solutions. And the healthcare providers need to push the vendors to do it.

I hope this has been a helpful read. Please don’t hesitate to leave your thoughts below, good or bad.

Wise Words To Avoid Horror Stories in Identity and Access Management

It is no secret that Identity and Access Management (IAM) continues to be a challenge for many organizations. As a witness and practitioner in the space for over 10 years now, it is not clear to me that we are getting any better at delivering to expectations and needs. What makes it more painful is the fact that IAM is often the most expensive component of a security program which means that failures of IAM initiatives come at a heavy cost to these programs.


If you were at the Gartner IAM Summit in Las Vegas last week, you probably got a closer look at the current state of IAM. I wasn’t there myself but I did get an opportunity to review some of the sessions on demand at http://www.gartnereventsondemand.com. There were several good sessions but I thought two sessions in particular provided a good insight into the challenges from planning, governance and execution perspectives. They were “Horror Stories: Why IAM Programs Fail” and “Stop the Finger Pointing: The IAM Role Ecosystem”.

I tweeted some quotes from these sessions as well as some of my own thoughts last weekend. I thought a compilation of those tweets might be a quick and useful read for managers and executives responsible for delivering IAM initiatives everywhere. The tweets are presented below. The tweets with the #GartnerIAM hashtag are quotes from the analyst presentations (I also added my own comments to add to or clarify a few) and the ones without the hashtag are my own thoughts. Also, please note that these tweets are not in any particular order.

I hope you find these useful. Getting IAM right is not only a security imperative, it is also fast becoming an even bigger business imperative than it ever was in certain industries, thanks to the uptick in use of mobile and rapid consumerization among other things.

I think the healthcare provider space is a very good example of such a rather abrupt change. For an industry that has historically not done very well with security in general and IAM in particular, getting your IAM program to be a business enabler in support of your clinician and patient engagement will be critical to how competitive your organization is in the marketplace. We’ll probably have more to say in terms of details in a later post.

So, yes … getting our IAM strategies right and executing them well should no doubt be a top priority for many of us.

I welcome your thoughts and feedback. Thank you!

I’ll have what she is having. Not a good way to select an IAM product or a vendor #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

They are in the Leaders Quadrant. Not yet a good reason to select an IAM product or vendor. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

We have someone else to blame if the project goes sideways. Not a good IAM strategy. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The more customization you need to do to meet your requirements, the less of a fit it is. That of course assumes you have detailed use cases of your current and future requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Designing your #IAM strategy or program around a product. Not a good idea #HorrorStories

Not understanding and documenting your business, operational, security/privacy risk or compliance use cases. The first step of an expensive misadventure in #IAM. #HorrorStories

Assuming HR data is accurate and automating life-cycle processes based on the data without appropriate validation #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Trying to “boil the ocean” and not focusing adequately on your most important requirements #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Treating automation as your top priority is another step on your way to a certain failure #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Trying to get ideas from your SIs on what may have worked elsewhere and “hoping” they will work for you. Not a good idea. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“If we build it, they will come” approach by the technical IAM folks. Not a good idea. Business folks don’t care. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Beware! Using ROI for an IAM business case could be a slippery slope in some instances #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

“What (Process) Re-engineering? We don’t need no Re-engineering.” You just took a big step towards failure. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

DIY only if you know what you are doing, have learned your lessons and are capable enough not to repeat the key mistakes #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

The right sequence is Principles, Policies, Practices, Processes, People and Products. #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

If you are thinking products before you have figured out people and processes, you have it wrong #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

An exclusive group of technical #IAM folks developing your strategy? They are likely thinking products ahead of people and processes #HorrorStories

Beware of hiring your SI to develop your strategy as well. There may be a conflict of interest not to mention that they may just not be qualified enough to develop your strategy #IAM #HorrorStories

“Through 2016, enterprises without formal IAM programs will spend 40% more and experience twice as many failures than those with formal programs” #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

What constitutes an #IAM strategy? Vision, program objectives and a two or three year roadmap that satisfies stakeholder expectations #GartnerIAM #HorrorStories http://www.gartnereventsondemand.com

Remember detection and containment are at least just as important as prevention in #security today. Does your #IAM #Strategy meet the test? #HorrorStories

Effective #IAM strategy today needs active collaboration between traditional security silos #DLP #SIEM #operations #HorrorStories

#IAM stakeholders must include leaders from:
Leads from other security verticals
Vendor Management
Help Desk

Top #IAM #Strategy priorities today:
Business Enablement
User Experience
Security/Privacy Risk Management
… in that order.

Your new application is designed to use its own access credentials? You may need to get back to the drawing board #Federation #StrongAuthentication #SSO #OpenIDConnect

Trying to enforce your password policy on your customer facing application? That is yesterday’s #IAM #Strategy. #OpenIDConnect

Your #DLP #SIEM leads don’t know what your #IAM plan is? Maybe it is time for #security #leadership to show up. #HorrorStories

Trying to solve #IAM problems solely with IAM solutions? That is yesterday’s IAM #Strategy. #HorrorStories

#GartnerIAM says “There will always be shared passwords & that’s okay. You just have to have the proper controls around them.” Agreed, but does your #IAM team understand all viable workarounds? #Strategy

#Mobile and #Consumer not key components of your #strategy? That is yesterday’s #IAM

Remember #consumer includes internal users in addition to customers #IAM #Strategy

Shying away from #BYOI for customer access? You may still be on yesterday’s #IAM #Strategy. #OpenIDConnect #SocialMedia

Not educating your customers about using #StrongAuthentication on their #SocialMedia ids when accessing sensitive data? You may like to. #BYOI #OpenIDConnect #IAM #Strategy 

That Odd Authentication Dichotomy Needs To Change

By now, it should be clear that we need to consider strong (multi-factor) authentication for access to anything of value. In an age and time when most public email services (Gmail, Hotmail, Yahoo etc.) provide for strong authentication, it would seem inexplicable to allow access to corporate email or remote access to your organization’s systems with just basic (user ID and password) authentication.

Think about this… Your personal Hotmail account uses 2 Factor, but your organization’s Office 365 email doesn’t. I am sure you agree that this odd dichotomy needs to change.

(Note: I am not suggesting the privacy of your personal email is any less important than the security of your corporate email. By dichotomy, I am referring to your organization not being at least as much concerned about their security as you are concerned about your personal privacy)

And, if your organization does find itself in a situation where it has no way but to continue with basic authentication, testing and studies of passwords like this one should be considered for making your password policies (truly) stronger. Don’t continue with a password standard established years ago (or based on some arbitrary best practice or external standard) that forces users to have a complex combination of alphanumerics and symbols, change passwords every 60 days, or not reuse the last 6 or 24 passwords. You may only be making their user experience miserable without making your password security any stronger. Also, don’t forget to take a look at your password hash, which we talked about here as a case in point.

Let’s talk some “real” insider threat numbers – How can Access Governance and SIEM be useful as effective safeguards?

If you have been following some of our posts, you probably realize that we don’t advocate security for the sake of security. Nor do we like to do compliance for the sake of compliance, though you may not have much choice there if the compliance requirements are mandated by external regulations such as industry regulations (e.g. PCI DSS, NERC CIP etc.) or government regulations (e.g. HIPAA, GLBA, SOX etc.). On the other hand, we think that every investment in security projects or operations (beyond what is required for routine business support) must be justifiable in terms of the risk(s) that we are trying to mitigate or eliminate. And the allocation of IT resources and budgets must be prioritized by risk level, which in turn requires every IT organization to conduct periodic risk assessments and rank the risks by severity. This probably sounds all too obvious, but we still see a lot of security purchasing decisions being made that are not based on formal risk assessments or discernible risk-aligned priorities. BTW, I talk about the quality of risk assessments in another post.

In this post, I would like to go over some “real” numbers on insider threats, as we know from a few recent survey reports. More importantly, I’ll cover how Access Governance and Security Information and Event Management (SIEM) can be effective safeguards in mitigating risks from insider threats. If you are not up to speed on what Access Governance (sometimes also referred to as Access Assurance) includes, I would point you here (may need registration). For SIEM, I would point you here.

It probably needs an explanation as to why I chose Access Governance and SIEM for this discussion. Insider threats, by definition, are caused by people (employees, contractors, partners etc.) whose identity is known to the organization and who have been provided some level of access to one or more of the organization’s information systems. Access Governance can be both an effective detective control (through access reviews) and a preventive control (through role based access provisioning and access remediation) for user access. SIEM can be an effective control for detecting anomalous, suspicious or unauthorized user activities. When properly integrated, Access Governance and SIEM solutions can help achieve a substantial reduction of risks from insider threats.

Below is a discussion of findings related to insider threats from recent reports. Also provided are notes on how effective implementations of Access Governance and SIEM processes or technologies can be useful safeguards against these threats. I use findings from three recent reports for the analysis – 2010 Verizon Data Breach Investigations Report (DBIR), 2010 CyberSecurity Watch Survey (CSWS) and Securosis 2010 Data Security Survey (SDSS).

Size and significance of Insider Threats

DBIR: 48% of all breaches were attributed to internal agents.

CSWS: “The most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access)”

CSWS: “It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack. This number is holding constant with the previous two surveys (2007 and 2006)”

CSWS: Insider incidents are more costly than external breaches, according to 67% of respondents.

SDSS: Among respondents who knew of data breaches in their own organizations, 62 percent said malicious intentions were behind them. Insider breaches comprised 33 percent of incidents, hackers comprised 29 percent, and the remaining breaches were accidental.

As one can infer from these findings, insider threats are the cause of at least as many security breaches as external threats. It also appears that the cost of breaches caused by internal threats could be higher than those caused by external threats.

Intentional vs. Accidental

DBIR: 90% of the breaches caused by internal agents were the result of deliberate and malicious activity.

CSWS: Insiders most commonly expose private or sensitive information unintentionally, gain unauthorized access to/use of information systems or networks, and steal intellectual property.

SDSS: Among respondents who knew of data breaches in their own organizations, 62 percent said malicious intentions were behind them. Insider breaches comprised 33 percent of incidents, hackers comprised 29 percent, and the remaining breaches were accidental.

It appears from the findings that insiders could be causing breaches intentionally more often than accidentally. Access Governance can help reduce malicious insider risk by enforcing “least privilege” user access and “segregation of duties” through role based access provisioning, access reviews and remediation of improper access. On the other hand, a properly implemented SIEM solution can be an effective deterrent (as a detective control) to malicious insider threats by logging user activities, correlating those activities and alerting on suspicious activity by the user. By suitably integrating SIEM and Access Governance solutions, it is possible to analyze user activities (obtained from SIEM) against a user’s role in the organization, and hence against what the user is authorized to do (obtained from Access Governance).

Cause and prevention

DBIR: 51% of the breaches caused by internal agents involved regular users or employees, 12% involved accounting or finance staff and 12% involved network or systems administrators.

DBIR: “In general, employees are granted more privileges than they need to perform their job duties and the activities of those that do require higher privileges are usually not monitored in any real way.”

DBIR: “Across all types of internal agents and crimes, we found that 24% was perpetrated by employees who recently underwent some kind of job change. Half of those had been fired, some had resigned, some were newly hired, and a few changed roles within the organization.”

DBIR: “With respect to breaches caused by recently terminated employees, we observed the same scenarios we have in the past: 1) the employee’s accounts were not disabled in a timely manner, and 2) the employee was allowed to “finish the day” as usual after being notified of termination. This obviously speaks to the need for termination plans that are timely and encompass all areas of access (decommissioning accounts, disabling privileges, escorting terminated employees, forensic analysis of systems, etc.)”

CSWS: “The most costly or damaging attacks are more often caused by insiders (employees or contractors with authorized access)”

CSWS: “It is alarming that although most of the top 15 security policies and procedures from the survey are aimed at preventing insider attacks, 51% of respondents who experienced a cyber security event were still victims of an insider attack. This number is holding constant with the previous two surveys (2007 and 2006)”

The DBIR findings clearly illustrate the need for organizations to enforce least privilege access through business need-to-know (managing user access based on a user’s role), periodic review of user access (access reviews and certification) and prompt remediation of improper user access. Access Governance solutions can help achieve these objectives effectively as well as efficiently.

The CSWS finding seems to suggest a problem with the enforcement of an organization’s policies related to user access. As mentioned above, a properly implemented Access Governance program and solution can help with effective enforcement of user access policies.

To conclude, it is obvious that risk management of insider threats needs to be a key focus area of any Information Security or Risk Management program. An effective Access Governance and SIEM program can help with significant mitigation of the insider risk.
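To make the SIEM and Access Governance integration described above concrete, here is an added example (not code from the original post or from any product): SIEM events are checked against an Access Governance extract to flag activity outside a user’s role, activity on an account after its owner’s termination (the DBIR scenario of accounts not disabled in time), and activity by accounts the governance system does not know about. The identities, role model, log format and field names are all constructed for illustration.

```python
"""Cross-check SIEM user activity against Access Governance data (constructed sample)."""
from datetime import datetime

# Constructed Access Governance extract: each identity, its role and termination time (if any).
IDENTITIES = {
    "jdoe":   {"role": "nurse",    "terminated": None},
    "asmith": {"role": "finance",  "terminated": None},
    "bjones": {"role": "sysadmin", "terminated": "2010-06-01T17:00:00"},
}

# Constructed role model: the (system, action) pairs each role is entitled to.
ROLE_ENTITLEMENTS = {
    "nurse":    {("ehr", "read"), ("ehr", "update")},
    "finance":  {("erp", "read"), ("erp", "post_journal")},
    "sysadmin": {("ehr", "admin"), ("erp", "admin")},
}

# Constructed SIEM export, one event per line: "timestamp user system action".
SIEM_LOG = """\
2010-06-01T09:15:00 jdoe ehr read
2010-06-01T10:02:00 jdoe erp post_journal
2010-06-01T11:30:00 asmith erp post_journal
2010-06-01T18:45:00 bjones erp admin
2010-06-02T08:00:00 ghost ehr read
"""


def parse_event(line):
    """Split one SIEM line into its fields; timestamps are ISO 8601."""
    ts, user, system, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "system": system, "action": action}


def check_event(ev, identities=IDENTITIES, entitlements=ROLE_ENTITLEMENTS):
    """Return a finding label for an event, or None when the activity is authorized."""
    ident = identities.get(ev["user"])
    if ident is None:
        return "UNKNOWN_IDENTITY"          # account not under governance (orphan/shared)
    if ident["terminated"] and ev["ts"] >= datetime.fromisoformat(ident["terminated"]):
        return "POST_TERMINATION_ACTIVITY"  # account should already have been disabled
    if (ev["system"], ev["action"]) not in entitlements.get(ident["role"], set()):
        return "OUTSIDE_ROLE"               # activity the user's role does not authorize
    return None


def analyze(log=SIEM_LOG):
    """Run every event through the checks and return (user, system, action, finding) tuples."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        finding = check_event(ev)
        if finding:
            findings.append((ev["user"], ev["system"], ev["action"], finding))
    return findings


if __name__ == "__main__":
    for f in analyze():
        print(*f)
```

Each flagged event is a candidate for access remediation or a SIEM alert; the authorized events (jdoe reading the EHR, asmith posting a journal) produce no finding.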


RisknCompliance Consulting Services Note

We at RisknCompliance have extensive advisory and implementation experience in the Access Governance and SIEM areas.

Please contact us here if you would like to discuss your needs. We will be glad to talk to you about how we could be of assistance.