Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim.

Slides:

Advertisements

Similar presentations

RBAC and HIPAA Security Uday O. Ali Pabrai, CHSS, SCNA Chief Executive, HIPAA Academy.

Advertisements

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

HIPAA Security Standards Emmanuelle Mirsakov USC School of Pharmacy.

UDDI v3.0 (Universal Description, Discovery and Integration)

Increasing public concern about loss of privacy Broad availability of information stored and exchanged in electronic format Concerns about genetic information.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

 Physical Logical Access  Physical and Logical Access  Total SSO and Password Automation  Disk/Data Encryption  Centralized management system  Biometric.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

Access Control Methodologies

Implementing and Administering AD FS

Lecture 23 Internet Authentication Applications

Authentication & Kerberos

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Case Study: Password Authentication in eHealth Applications

Beispielbild Shibboleth, a potential security framework for EDIT Lutz Suhrbier AG Netzbasierte Informationssysteme (

Identity and Access Management: Strategy and Solution Sandeep Sinha Lead Product Manager Windows Server Product Management Redmond,

Identity and Access Management

Beyond HIPAA, Protecting Data Key Points from the HIPAA Security Rule.

Integrating CRM On Demand with the E-Business Suite to Supercharge your Sales Team Presented by: Tom Connolly, Jason Lieberman Company: BizTech Session.

CAMP Med Mapping HIPAA to the Middleware Layer Sandra Senti Biological Sciences Division University of Chicago C opyright Sandra Senti,

Access and Identity Management System (AIMS) Federal Student Aid PESC Fall 2009 Data Summit October 20, 2009 Balu Balasubramanyam.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Session 11: Security with ASP.NET

Catalyst 2002 SAML InterOp July 15, 2002 Prateek Mishra San Francisco Netegrity.

Identity Management Report By Jean Carreon and Marlon Gonzales.

Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.

Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.

Philadelphia Area SharePoint User Group Building Customer/Partner Extranets Designing a Secure Extranet with Sharepoint 2007 Russ Basiura RJB Technical.

Dr. Bhavani Thuraisingham October 2006 Trustworthy Semantic Webs Lecture #16: Web Services and Security.

» Jun 9, 2003 Speaker Verification Secure AND Efficient, Deployments in Finance and Banking Jonathan Moav Director of Marketing

ArcGIS Server and Portal for ArcGIS An Introduction to Security

Using AS 10g with EBS What are the Benefits of Integrating AS 10g with Oracle Applications?

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 22 – Internet Authentication.

SAML CCOW Work Item HL7 Working Group Meeting San Antonio - January 2008 Presented by: David Staggs, JD CISSP VHA Office of Information Standards.

Catalyst 2002 SAML InterOp July 15, 2002 San Francisco.

Copyright © 2003 HealthTrio, Inc. 1 Achieving HIPAA and E-Business Objectives in Less than 90 days Ralph A. Korpman, MD CEO, HealthTrio 6 th Annual HIPAA.

Identity Management: A Technical Perspective Richard Cissée DAI-Labor; Technische Universität Berlin

An XML based Security Assertion Markup Language

Empowering people-centric IT Unified device management Access and information protection Desktop Virtualization Hybrid Identity.

W3C Web Services Architecture Security Discussion Kick-Off Abbie Barbir, Ph.D. Nortel Networks.

Portal-based Access to Advanced Security Infrastructures John Watt UK e-Science All Hands Meeting September 11 th 2008.

Shibboleth: An Introduction

U.S. Department of Agriculture eGovernment Program July 9, 2003 eAuthentication Initiative Update for the eGovernment Working Group eGovernment Program.

Oracle Application Server Portal: Advanced Content Management for Custom Integration John Dunne (Deputy CTO, HPHC) Anton Nielsen (Technical Director,

Claims-Based Identity Solution Architect Briefing zoli.herczeg.ro Taken from David Chappel’s work at TechEd Berlin 2009.

Advanced CAMP: BoF Summaries. 2 Role-based Access Control (RBAC)

© ITT Educational Services, Inc. All rights reserved. IS3230 Access Security Unit 7 Authentication Methods and Requirements.

Web Services Security Patterns Alex Mackman CM Group Ltd

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

University of Washington Collaboration: Identity and Access Management Lori Stevens University of Washington October 2007.

Security Assertion Markup Language (SAML) Interoperability Demonstration.

Chapter © 2012 Pearson Education, Inc. Publishing as Prentice Hall.

15 Copyright © 2004, Oracle. All rights reserved. Adding JAAS Security to the Client.

User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.

WSO2 Identity Server 4.0 Fall WSO2 Carbon Enterprise Middleware Platform 2.

The FederID project The First Identity Management and Federation Free Software.

L’Oreal USA RSA Access Manager and Federated Identity Manager Kick-Off Meeting March 21 st, 2011.

Access Policy - Federation March 23, 2016

Secure Single Sign-On Across Security Domains

Using Your Own Authentication System with ArcGIS Online

Federation made simple

Data and Applications Security Developments and Directions

ESA Single Sign On (SSO) and Federated Identity Management

2016 Annual CPNI Training CPNI & PI Awareness Beth Slough,

Matthew Levy Azure AD B2B vs B2C Matthew Levy

Presentation transcript:

Implementing an Enterprise Security System for Internet Authentication and Authorization Ken Patterson, CISSP Information Security Officer Harvard Pilgrim Health Care Fifth National HIPAA Summit October 31, 2002

Harvard Pilgrim Health Care  Medium size health plan serving MA, NH, and ME  750,000 members  20,000 Providers  As a Multiple Function Covered Entity, HPHC must comply with HIPAA as a(n): –Health Plan – HMO, PPO, Medicare+Choice –Employer –Self Insured Health Plan –Provider – Nashua Medical Group –TPA – we provide this function for some of our Self insured groups

eHealth Program  Leverage the web to meet demands for data and transaction simplicity –Better tools, better data, better decisions to create value –Internet may help with customer service - In response to plans offering Internet access, growing numbers of consumers access benefits info online

HPHConnect Employer Member Web-Based Application Server Broker & Providers

Access Control Review  Security Standard - Access Control –Context, Role Based or User Based Access –Emergency Access  Security Standard - Authorization control –Role Based Access; –User Based Access  Privacy Rule –Role-based access is required –Identify person needing access to what

Authentication Rule Review  Entity authentication –Auto logoff –Unique user identification  At least one of the following: –Biometric identification system –A password system –A personal identification number (PIN) –Telephone callback –A token system

What’s the Problem  Multiple security models and tools used for authentication and authorization  High cost of support  Different systems = different roles and different identification  Multiple logins using Intranet & Internet  Policy change = changing many systems

Solution  Implement an Internet Authentication and Authorization Project –Centralize management and administration of the external user access to we applications –Select commercial software and hardware –Migrate users of web applications for Subscribers, Employers, Brokers, and online billing.  Continue as HPHC Enterprise Security System –Extend to Providers & Member model –Require all new web applications to use –Add Federated Services for web affiliations –Legacy systems integration later on

Initial Adoption Plan Integrated with new HPHC Enterprise Security System Not yet integrated with new HPHC Enterprise Security System

Component Definitions  Netegrity –Site Minder - overall operational and development environment –Web Agent – Protects secured resources –Policy Server – Maps user roles, security policies, and data to determine privileges –Policy Store – data store for Policy information –Advance Password Services (APS) – complex password rules for specific policies –Identity Management Services (IMS) – User administration delegation - Planned for FY 2003

Component Definitions  Novell eDirectory – end user data store, LDAP structure  Why Netegrity & Novell –Industry Leaders in respective functions

Directory Structure HPHC Employees Subscribers Employers Brokers  Flat structure allows for different security policies and better performance  Different Ids - Business decision to bound user environments  Flat structure allows for different security policies and better performance  Different Ids - Business decision to bound user environments

Advanced Password Services  Different rule by constituent  Minimum 8 characters  Can not use username, first name, or last name combinations  Must use at least 1 numeric & 1 alpha  Can not use dictionary word  Can not use strings  Password lockout  Password change & aging

Subscriber vs. Member Model  Subscriber – owner of the health plan account –One account for subscriber that contains all family members –Self-service account creation –Supply the following to create an account Social Security Number Date of Birth HPHC Member Number –Re-enter if password is forgotten

Subscriber vs. Member Model  Members are individuals identified on a health plan account that have a relationship to a valid subscriber  Member model –Each adult member has own account with health information –Self-service member registration –Send letter with one-time password –Member creates ID & password

Federated Identity T he ability to correlate user names between different security infrastructures, is the core technology behind Internet single sign-on (I ‑ SSO), and it also applies to secure Web Services and to SSO solutions within an enterprise.” Giga 2002

Protocol and Security Standards  SSL (Secure Socket Layer) –Data encryption (SAML assertions are communicated over bilateral SSL)  SOAP (Simple Object Access Protocol) –Provides an envelope for the SAML messages exchanged between a portal and its affiliates  SAML (Security Assertion Markup Language) –Standard way to describe Web access-control with an open framework for sharing security information on the Internet through XML documents

Assertion Authentication Entitlements Internet Initial Authentication SSO Doctor(s) Federated Identity Service for eHealthcare Primary site with Netegrity SiteMinder deployment Affilaite partner with Netegrity SAML Affiliate Agent deployed Affilaite partner with Netegrity SAML Affiliate Agent deployed Assertion Authentication Entitlements Goal Automate a time consuming and costly manual process (using phone, fax and mail) that Doctors use to review medical images and send in prescriptions Solution Link existing applications into a cross enterprise single sign-on environment while ensuring proper security Solution Link existing applications into a cross enterprise single sign-on environment while ensuring proper security

Federated Services Scenario Primary (Source Site)Affiliate (Destination Site) 1. User authenticates at Primary Site directly or through redirection from Affiliate. 2. Primary Site generates SAML authN assertion, stores it in session server, creates SAML artifact. 3. When user clicks on Affiliate link, Primary Site puts SAML artifact on URL query string, followed by target Affiliate resource, e.g., &target= 4. Affiliate intercepts request and determines source site’s information from SAML artifact. 5. Affiliate requests full-fledged SAML assertion from Portal thru SOAP message. 6. Portal fetches SAML assertion and sends it to Affiliate thru SOAP message. 7. Affiliate extracts SAML assertion from SOAP message and creates Affiliate’s session. (1) (3) (2) (4) (7)(6) (5) User SOAP Message

Future  Web services and web sites managed by one security resources Enterprise Security System Web Site Web Services IVR Legacy

Interactive Voice Response (IVR)  An electronic system  Do you disclosure PHI?  If yes, must use authentication  Can be integrated with Netegrity as part of the Enterprise Security System

Budgeting For Security: copyright 2002 john klossner,

Questions?