After the CIO Frankly Speaking Breakfast event in Toronto on November 17th, Michelle Dennedy and I fielded questions about Identity Management from John Pickett of IT World Canada on camera.  A short video emerging from that interview was published on the IT World Canada website today.

I couldn’t figure out how to embed the video on this blog post, but clicking on the image will take to you to the IT World Canada website where you can view the video.

In our recent CIO Roundtable tour, a question about Identity and Access Management that emerged in every session was, “where do I go from here?”  It is one thing to talk about the theory of IAM; it is quite another thing to actually implement it in your enterprise.

My advice to the Roundtable participants and to you is this, “IAM is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project.  Take stock of where you are now, set objectives for where you want to be in the future, and execute your strategy in stages.”

To illustrate this process, the white paper I recently wrote, Identity and Access Management: Enabling HIPAA/HITECH Compliance, proposes thirteen best practices for approaching the application of IAM to HIPAA/HITEC compliance efforts.  Recognizing that IAM is a journey, not a project, is one of the best practices.

Think program, not project. HIPAA/HITECH compliance is a journey, not a short-term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

The step-by-step process depicted above doesn’t fit everyone.  It only serves to illustrate the need to for defining your IAM journey as a series of phases subdivided into measureable steps.  Our experience has shown that those enterprises who follow this basic process usually succeed, while those who attempt to do much all at once, or focus on one small tactical project, often fail to realize the benefits of a well-executed IAM strategy.

Happy trails!  (I couldn’t resist that last comment, even though the “happy trails” comment in my previous post dealt with airline travel, not IAM journeys.)

I read a disturbing article by Dan Schwab of Fox Chicago News this morning entitled “Probe: ID rules lax at Chicago airports.” Perhaps the fact that I will board my 13th flight segment in two and a half weeks this afternoon fueled my interest in the article, which reported “a Fox Chicago News investigation discovered a major loophole at TSA checkpoints at O’Hare and Midway.”

During the past two months, Fox flew multiple employees – male, female, black, white, and Muslim – to different destinations around the country on different airlines.

The only requirement: They were not allowed to bring a photo ID. No passport. No driver’s license.

On every occasion, these Fox employees were allowed through security without a hitch as long as they showed that the name on their boarding pass matched the name on a couple of credit cards, according to Fox Chicago News.

Credit cards for identification?  What happened to the requirement of a photo ID?  This shows a remarkable lack of TSA compliance with recommended policy:

The federal Sept. 11 Commission’s final report included 10 pages that focused solely on the issue of terrorism and identity fraud. The report states: “Travel documents are as important as weapons. Fraud is no longer just a problem of theft. At many entry points to vulnerable facilities, including gates for boarding aircraft, sources of identification are the last opportunity to ensure that people are who they say they are.” …

By checking credit cards rather than a photo ID, TSA simply was following its own rules, which vaguely state that passengers without an acceptable ID will have to provide “information” to verify their identity, according to Fox Chicago News.

I’m not a big fan of the TSA.  To me, it is at best a huge, bumbling bureaucracy, and at worst, a huge, oppressive police force.  I really don’t feel safer because of them.  However, regardless of my feelings, this is a clear example about how poorly executed identity policy can lead to easily exploited security breaches, even as a false aura of safety is provided for the law-abiding majority, who obediently shed shoes and jackets, empty pockets and briefcases, and subject themselves to humiliating searches while many obvious loopholes remain.

Just one example … next time you go through the TSA screening process, notice how closely (or not) airport employees’ ID badges are examined. 

Happy trails!

PS.  The Dave Granlund cartoon reminds me of the time I brought exercise weights with me on a trip.  My luggage was manually searched every time – on each of four flight segments that week.  I now keep those dastardly weights safely at home with my horribly dangerous one-inch pocket knife.  Bitter?  Nah!

With all that is being said about cloud computing nowadays, perhaps we should pause and listed to what Dilbert has to say on the subject

… as he receives the assignment …

… and starts the project.

Ten years ago, while employed by Oracle, I worked on a project where we tried to convince the large North American telcos to act as Application Service Providers (ASP) and host Oracle applications for their customers.  We proposed that the combination of existing telco data centers, network connectivity, business customer base and billing infrastructure provided an ideal foundation for such services.  At that time, we didn’t get much traction with the telcos, but Oracle went ahead and launched their own ASP service, now known as "Oracle On Demand.”

Now, as Sun awaits acquisition by Oracle, it is interesting to see telco participation in what we now term “Cloud Computing.”  On Monday, AT&T announced “Synaptic Compute as a Service(SM), its latest innovative global cloud-based service, designed to give companies of all sizes simple on-demand access to scalable computing capacity.”  Ironically, the press release was entitled, “AT&T Unveils Network-Based 'On Demand' Computing for Companies of All Sizes.”  I’m not sure what Oracle might think of AT&T’s use of the “On Demand” term.

AT&T is working closely with Sun to use the Sun Cloud Open Cloud Platform, Sun Cloud APIs, cloud reference architecture and design expertise to create an environment to make it easy for developers to build and deploy value-added services.

"Sun is committed to helping our customers and partners deliver public and private clouds that are cost effective, open and interoperable," said Dave Douglas, senior vice president, Cloud Computing, Sun Microsystems. "AT&T's network and operational excellence coupled with Sun's Open Cloud Platform and Sun Cloud APIs delivers a revolutionary cloud offering. We're excited to be working with AT&T to bring an enterprise-class, highly scalable offering that delivers choice and flexibility to market."

The trend towards cloud computing marches on.  I think we will see more telco participation in this market. We have long accepted utility telephony services from telecom operators.  Offering computing utility services is a logical next step.

The white paper I mentioned several days ago, Identity and Access Management – Enabling HIPAA/HITECH Compliance, is now hot off the press and ready for download.  Thanks to all the great people at Sun Microsystems that contributed to this project and made it a reality.  Hopefully, the paper will be beneficial to those who are facing the challenges of how to comply with the increasing regulations surrounding management of healthcare data and information systems.

The paper’s abstract reads:

As healthcare organizations and vendors become more reliant on digital information technology, complying with increasing regulatory requirements presents a range of challenges. This paper explores the requirements that these organizations face, best practices for implementing identity management systems that help ensure compliance, and how Sun’s pragmatic approach to identity management simplifies the technology environment.

The table of contents:

1. Executive Summary
2. Healthcare Information Technology Challenges
3. Health Insurance Portability and Accountability Act (HIPAA)
4. Health Information Technology for Economic and Clinical Health Act (HITECH)
5. Impact of HIPAA, HITECH and Related Regulations
6. The Role of IAM in HIPAA/HITECH Compliance
7. Sun IAM Product Introduction
8. Best Practices for the IAM/Compliance Journey
9. How to Get Started with HIPAA/HITECH and IAM
10. The Sun IAM Workshop
11. References

Please let me know if you have any questions or would like to discuss the content in more detail.

Whenever you are feeling deprived,  consider the technological advantages we enjoy today and count your many blessings!

Thanks to the Lighter Side of Technology page on ITWorldCanada.com for this gem.

It was nice to see a short piece covering the CIO Frankly Speaking Breakfast event in Toronto yesterday, where Michelle Dennedy and I fielded questions about Identity Management and Cloud Computing from John Pickett of IT World Canada.  I particularly liked the statement made by Michelle, “Identities are now being realized as the true assets for the organization.”

About a month ago, I received an invitation to join a new LinkedIn group, “Canadiam – IAM in Canada,” hosted by Mike Waddingham, whom I had never met in person.  Mike had recently launched a new blog of the same name, and formed the LinkedIn group to complement his blog. Mike asserted:

"Identity and Access Management in Canada is different. American identity issues are complicated by their obsession with national security. British data and privacy laws are decidedly different than ours. Identity and Access Management (IAM) implementations vary greatly from country to country. We need a ‘conversation’ about IAM in Canada. Canadiam is that conversation.”

The call for a Canadian IAM conversation is certainly timely, and I think the blog/group name is great, reminiscent of the legendary Molson Beer commercial, "I am Canadian", which Mike embedded within the maiden post on the Canadiam blog and I include here for your enjoyment.

Back in 2000 when this commercial was first released, I was employed with Oracle and doing quite a bit of work in Canada, so watching it again brought back fond memories of choice experiences I have had with great friends north of the border.

So, I joined Canadiam as an “honorary” Canadian, and enjoyed reading Mike’s posts, including “Canada’s top court enforces license photos,” and “Canadian Identity Assertion.”  Even though I don’t quite fit the qualifications specified in the Canadian Identity Assertion, I am honored to be associated.

Fast forward to yesterday morning.  I had arrived in Vancouver to participate as a panelist in the CIO Magazine / Sun Microsystems breakfast event, “Identity Management - Pathway to Enterprise Agility.”  Before joining my colleagues at the event, I took a moment to post a short message on the Canadiam LinkedIn group that I was in town and would participate in a similar event in Toronto next Tuesday.

We had a great session, moderated by John Pickett, VP & Community Advocate at IT World Canada. Michelle Dennedy and I fielded questions about Identity Management, Privacy, Security and Cloud computing from John and members of the audience.  After the session, a man from the rear of the room, who had offered several insightful comments and excellent questions, came forward to introduce himself.  It was none other than Mike Waddingham himself!  I hadn’t recognized him from his LinkedIn photo and certainly didn’t expect him to be in attendance.  I had assumed he lived in the Toronto area.  But Mike had travelled to Vancouver from his home base in Edmonton to attend the event.

I never cease to be amazed at the surprise personal encounters I have at almost professional gathering I attend, where I meet people in person for the first time after connecting previously on line.  The magic of online interaction, while valuable and delightful in and of itself, always seems to be amplified by face-to-face interaction.

So, Mike and all you Canadiams, thanks for the privilege of being numbered among you as an honorary Canadian.  Thanks for giving me another treasured “social networking moment.” I look forward to participating further in the Canadian IAM discussion.

It’s after 11pm in my San Francisco hotel room, where I arrived after a successful meeting in New York City, a transcontinental flight and late dinner.  But I can’t go to sleep without sharing a wonderful video pointed out to me by Twitter acquaintance Mame Hampton (@momthebom).

Thanks to all the wonderful soldiers and veterans who have done so much and are continuing to serve so well to keep us free!

And thank you, Mame, for sharing this wonderful message with us.

As explained in my recent post, I am awaiting final publication of a white paper I recently authored, entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.”  This post is a excerpt from that paper.

In the thirteen years since the initial passage of the HIPAA act, practical experience in the field has yielded several recommended best practices for implementing IAM systems to enable HIPAA/HITECH compliance. We recommend the following:

1. Understand requirements. By developing a better understanding of compliance requirements, how compliance affects information technology (IT), and how IT in general and IAM specifically can help support the privacy, security and notification requirements of HIPAA/HITECH, companies can establish efficient, cost-effective, and sustainable programs that address all of these complex requirements within a holistic compliance framework.

2. Recognize IT's critical role. In many companies, IT has evolved to become the critical backbone behind almost every operation, but many people still view technology as a cost rather than an investment or asset. By understanding the key roles that IT plays in support of HIPAA/HITECH compliance, enterprises can maximize the value of their technology investment.

3. Understand the role of IAM. IAM plays a critical role in compliance with HIPAA/HITECH privacy, security and notification requirements.. However it does not automatically satisfy all HIPAA/HITECH requirements. Recognizing the value and the limitations of IAM in the entire spectrum of HIPAA/HITECH compliance is essential.

4. Think program, not project. HIPAA/HITECH compliance is a journey, not a short term event. Enterprises must begin to approach compliance as a long-term program, not a single project. An effective and holistic compliance program should also incorporate governance and risk management. Boards of directors and executives are frequently being held to higher standards than ever before as they are expected to be knowledgeable about, and held liable for, everything going on within the enterprise.

5. Establish privacy and security policy. A success privacy and security program requires a documented set of principles, policies, and practices. Using the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information as a guide, the enterprise's privacy and security principles should be documented as a foundation upon which to build policies, practices and strategies.

6. Develop a strategy. The only way to effectively address the wide spectrum of compliance requirements is to integrate them into a common compliance strategy that is intertwined with the business itself. A business-driven, risk-based, and technology-enabled compliance strategy can help create enterprise value by rationalizing unnecessary complexities, driving consistency and accountability across the enterprise, and identifying opportunities for a possible enhancement of operational performance and information quality.

7. Collaborate. HITECH extends compliance responsibility and penalties to all business associates. Work closely with your vendors and business partners to form an overall security and privacy framework, including updating legal relationship documents as ncessary.

8. Establish a governance process. Compliance efforts affect a broad spectrum of an enterprise. Stakeholders from many organizations, often with conflicting priorities, have vested interests in the outcomes of a compliance strategy. The governance process must provide representation from the impacted functional areas of the organization. A governance board should have appropriate representation from IT, security, audit, application owners, human resources, business process owners and applicable business associates. The board should be accountable for the project objectives and be vested with authority to make program decisions. The board should be empowered to 1) establish a statement of purpose for the program, 2) promote and give visibility to the program throughout the larger organization, 3) act as a mechanism for quickly making decisions regarding program scope, issues, and risks, and 4) monitor the program health on an ongoing basis.

9. Implement your strategy in phases. By segmenting the overall solution into manageable parts, an organization can realize quick, visible business benefits and progressively realize overall program objectives in an orderly, measurable way. Implementing in manageable phases also makes it easier to battle issues such as scope creep or requirements drift.

10. Standards. Follow the NIST and other applicable standards for electronic healthcare records. Adjust to form a compliance model with this emerging standard. Focus on open standards and vendors that are open standards compliant to insure long-term flexibility of computing platforms and security frameworks.

11. Give real-time visibility. Real-time views into the functioning of controls across these systems and across the enterprise, through job-specific dashboards or portal views, can provide insight into compliance status, progress, and risks. Effective communications with all stakeholders is essential.

12. Unify disparate compliance efforts. Many companies are beginning to realize the potential of technology to support sustained compliance and are actively looking to combine existing fragmented, reactive, and inefficient governance and compliance efforts into a single sustainable compliance program. Bringing together compliance, governance, and risk management under a holistic framework, can result in a centralized compliance organization with the understanding, structure, and ability to help optimize the company’s compliance efforts in a sustainable, strategic, and cost effective manner.

13. Assess progress and adjust as necessary. Each phase of the progressive implementation of the compliance strategy will yield more in-depth understanding about the compliance process as it pertains to the specific enterprise. Implementing methods of continual process improvement will yield progressively refined results.

Please let me know what you think.  What have you found that really works in this IAM/Compliance Journey?

Tomorrow is the first of five “CIO  Roundtables” sponsored by CIO Magazine and Sun Microsystems to be held in Washington DC, New York, San Francisco, Vancouver and Toronto.  It will be a good experience to participate in each event with Michelle Dennedy, Chief Governance Officer of Cloud Computing for Sun Microsystems, and dozens of CIOs and IT management folks in what promises to be a lively and invigorating discussion of Identity Management issues facing modern enterprises and government institutions.  We will address the subject, “Identity Management - Pathway To Enterprise Agility.”

A list of locations and further information are included in a previous post.

I recently authored a white paper entitled, “Identity and Access Management – Enabling HIPAA/HITECH Compliance.”  The paper is now in the final editing and formatting process.  As we awaiting the final publishing date, let me share an excerpt from the paper, focused on the key ways IAM enables HIPAA/HITECH compliance.

HIPAA/HITECH requirements for privacy, security, auditing and notification are supported directly by IAM. By streamlining the management of user identities and access rights and automating time-consuming audits and reports, IAM solutions can help support strong privacy and security policies across the enterprise and throughout Health Information Networks while reducing the overall cost of compliance.

IAM provides the following key enablers for HIPAA/HITECH compliance:

1. Assign and control user access rights. Securely managing the assignment of user access rights is critical to HIPAA/HITECH compliance, particularly in distributed and networked environments typical of modern healthcare business. Decentralized provisioning is not only inefficient and costly, it also increases the risk of security and privacy violations. Automated provisioning allows centralized control of resources and applications that have historically existed in silos. This provides a much greater level of control over access to those resources. Checking audit policy at the time or provisioning ensures regulatory compliance, thus preventing audit policy violations.

2. Adjust user access rights when responsibilities change. Business risk is introduced when employees change jobs and access isn’t appropriately adjusted or removed. Failing to appropriately adjust or remove users’ access when job changes occur can result in superuser-access and SOD violations. Automated provisioning effectively eliminates many of these risks, especially when combined with auditing and role management capabilities.

3. Revoke user access upon termination. IAM systems can automate the process of immediately revoking user access rights upon termination or suspension. This eliminates a commonly-exploited security gap and opportunity for policy violation that may occur after an employee or contractor has been dismissed.

4. Manage allocation of user credentials. Managing user names, passwords and other user access credentials is essential to assuring that only authorized users are granted access to information systems. IAM technology can provide enterprise-wide control of user credentials, including the enforcement of uniform password policies (e.g. password strength, periodic change).

5. Enforce segregation of duties (SOD) policies. Segregation of duties (also known as separation of duties), has as its primary objective the prevention of fraud and errors. This objective is achieved by disseminating the tasks and associated privileges for a specific business process among multiple users. IAM methods can prevent, detect, and resolve access rights conflicts to reduce the likelihood that individuals can act in a fraudulent or negligent manner. Once violations are identified, notification and remediation steps are automatically initiated based on corporate policies.

6. Provide uniform access policy. IAM can provide administration and enforcement of common user access policies across a wide span of diverse systems, improving executive confidence in how the enterprise complies with HIPAA/HITECH requirements.

7. Manage access based on business roles. Provisioning and auditing at the business role level, rather than just at the IT access control level, ties user access rights more closely to business processes. With a role management solution, managers can approve access rights that have a meaningful business context, thus reducing the risk of managers inadvertently creating SOD violations by granting carte blanche access to their direct reports.

8. Enforce secure access policies. While automated identity administration, provisioning and auditing are essential to HIPAA/HITECH compliance, these methods don't actually enforce the use of security policies when a user accesses the controlled systems. IAM Access Management technology can enforce user access policy at the point of entry to an application or other system, in harmony with established policy. Examples of such enforcement include Web access management (including single sign-on or SSO), enterprise single sign-on (ESSO), and Web service security.

9. Enforce informed consent principles. Informed consent principles (e.g. opt-in, opt-out, notice) can be enforced, based on identities of individual patients and potential users of personal information associated with such data.

10. Extend access control to business associates. Identity Federation can extend access control beyond enterprise boundaries to enable secure access to electronic records while safeguarding the privacy of sensitive information. This is essential to complied with extended requirements of HITECH.

11. Verify access rights. While automated user access provisioning is designed to accurately assign access rights, such access rights should be confirmed by audit. IAM can provide the ability to both assign access rights according to established polices and then periodically verify that access rights are still compliant with those same policies.

12. Conduct periodic compliance assessments. Periodic audits of access rights and privileges can assure that security and privacy policies are consistently enforced. Re-certification is a process where managers approve direct reports’ access to enterprise resources and applications. IAM can provide the ability to automatically present managers with the correct information to attest to each employee's access rights needs. By applying role management principles, this re-certification process can enable the approving manager to work at the business-role level, attesting to those entitlements quickly and accurately because they are given in a meaningful business context.

13. Provide automated reports. The delivery of accurate, timely and complete reports can assess compliance with established requirements. IAM can provide scheduled and ad-hoc compliance reports, including automated violation notifications, comprehensive work flow processes, and audit assessment reports. Such reports can generated across multiple systems and enterprise applications and be submitted to appropriate people within the enterprise, to business associates and to appropriate regulatory agencies.

I’ll share more excerpts soon and let you know when the full paper is ready for download.  Please stay tuned.

Over the past several weeks, I have posted a series of articles about Identity Management Trends and predictions.  This brief post provides an index to that series of posts.

Overview article: Identity Management Trends and Predictions

Individual articles:

1. Market Maturity
2. Authentication
3. Authorization
4. Identity Assurance
5. Roles and Attributes
6. Identity Federation
7. Regulation and Compliance
8. Personalization and Context
9. Identity Analytics
10. Internet Identity
11. Identity in the Cloud

Thanks for joining me in this little exploration.  Any feedback you might have would be most welcome.

This post is the last in a series of eleven posts I have written about trends in the Identity Management industry. 

I am certainly not an expert in the entire field of cloud computing, but find it fascinating to learn about this significant trend in computing technology. I recently read a book entitled, “The Big Switch:  Re-wiring the World, from Edison to Google,” by Nicholas Carr, which proposed that the shift from traditional data center computing to a utility-based computing model will follow the same general trend that electricity generation followed – from a model of each individual factory maintaining its own electricity generation capability to our current utility-based electricity generation and grid delivery model.  While I agree that the general direction is correct, there are several factors which make a move to utility computing much more difficult than a move to utility electricity generation.  I’ll address some of my thoughts about those differences in a future blog post.

Nevertheless, we can see that just like Identity is a core platform technology for computing in traditional enterprise IT environments, Identity is a critical foundation for cloud computing or utility computing.  Identity may be a component of cloud computing infrastructure, or exposed as a separate set of services in the form of Identity as a Service (IDaaS).

In some ways, the challenges and solutions about Identity in the Cloud are similar to Identity in traditional data center.   However, there is increased technical and administrative/legal complexity because of the locations and increased number of physical and virtual components involved. 

A few of the areas of increased complexity include:

• Scale and distribution: Large numbers of accounts on large numbers of servers distributed globally.
• Division of responsibility: The different levels of cloud computing – Infrastructure as a Service, Platform as a Service and Software as a Service  - may be split between different service providers.
• Security Policy: Logging and auditing are essential to assure that cloud providers are not circumventing or compromising security policy.
• Risk Management: Risk profiles are different for cloud users, depending on type of company (e.g. difference between SMB and high profile public company).
• Legal and administrative: Control of Identity is often be delegated to external parties, so more complex trust relationships must be put in place.
• Pricing.  How will Identity Services in the cloud be priced? How can the business value of Identity Services be quantified?
• Governance.  How will Identity governance procedures become more complex as the number of stakeholders and individual companies increases?

One example of this increased complexity was highlighted in a recent legal case, where a lawsuit filed against eBay in Pennsylvania was transferred to Santa Clara, California because of a clause in eBay’s user agreement.  As with many areas of technology advancement, I expect that legal and procedural issues associated with cloud computing will be a challenging as the technologies involved.

A number of companies are emerging with the express emphasis of Identity Management in Cloud computing.  A couple of such companies I have recently connected with are Symplified and Conformity.  I expect many more will emerge and that existing vendors of Identity Management software will release software versions specifically tailored for cloud computing.

For example, some interesting discussions about cloud computing have been held with Oracle recently.  When asked about cloud computing by Ed Zander at the Churchill Club on September 21, 2009, Larry Ellison remarked, “just a lot of water vapor – nothing new!”

On the surface, it would seem that Larry was denigrating the whole idea of cloud computer.  However, further discussions revealed that Larry thinks that cloud computing is just another label for technology that has been around for awhile.  Oracle has been offering their ERP applications in a hosted, pay-as-you-go model for a decade.  I actually worked on that initiative while employed by Oracle nearly a ten years ago.

Coincidentally, the day I heard about Larry Ellison’s comments at the Churchill Club, I learned that Nishant Kaushik of Oracle had recently given an interesting presentation entitled “Identity Services And The Cloud.”  He also gave a follow-on presentation at Oracle Open World, entitled, “Identity Management in the Cloud: Stormy Days Ahead?”  Clearly, Oracle is right in the middle of addressing the issues surrounding Identity in the Cloud.

Questions to consider:

As you consider the implications of Identity Management as it applies to cloud computing, perhaps these questions will help:

1. How does your enterprise use cloud-based computing now?
2. What are your plans for the future?
3. How do you plan to leverage your existing Identity infrastructure as you adopt more cloud-based computing models?
4. What information security challenges do you see in extending Identity and Access Management into the cloud?
5. How will inclusion of multiple cloud computing vendors affect your privacy protection methods?
6. How will you will you comply with internal and external audit requirements as you adopt cloud computing principles?