Date posted: 18-Jan-2017
Category: Healthcare
Uploaded by: william-gregorian
HIPAA Compliant Identity and Access Management using Active Directory
by Will IAM^
Nerd joke. har har.
Quick Intro
• Omada's Information Security Officer
• Recovered System Administrator
• Find me on Twitter @WillGregorian
I change all my passwords to “incorrect” so whenever I forget, it says “your password is incorrect.”
HIPAA CFR 164.312(a)
• (1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in § 164.308(a)(4).
• (2) Implementation specifications:
  • (i) Unique user identification (Required).
  • (ii) Emergency access procedure (Required).
  • (iii) Automatic logoff (Addressable).
  • (iv) Encryption and decryption (Addressable).
The Alphabet (!=Inc.) Soup!
• LDAP - Lightweight Directory Access Protocol
• DC - Domain Controller
• RBAC - Role Based Access Control
• SSO - Single Sign-on
• SAML - Security Assertion Markup Language
So Many Options!

| COTS | OSS |
|---|---|
| Active Directory | 389 Directory Server |
| IBM Tivoli Directory Server | Apache Directory Server |
| Novell eDirectory | Apple OpenDirectory |
| Oracle Directory Server | FreeIPA |
| UnboundID Directory Server | OpenLDAP |
| ViewDS Directory Server | Samba4 |
| CA Directory Server | SLAPD |
Good
• Fire-and-forget setup
• Efficient, consistent and accurate
• Out-of-box replication
• Interoperability (e.g. *nix)
• Copious amounts of resources

Bad
• Added complexity
• Expertise and resources
• PowerShell for automation

Ugly
• You’ll be the hero when it works
• You’ll be the villain when it breaks!
Active Directory?!
Customers and auditors will LOVE you!
• Helps with CFR 164.312(b) audit requirements
• Automatically maps to HITRUST, PCI DSS, ISO 27002, etc.
• Enforces separation of duties
• Efficient way to change privileges
• Ship logs to SIEM (e.g. SumoLogic, Splunk, etc.)
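The 164.312(a) controls quoted earlier (unique user identification, access limited to granted rights) and the AD benefits listed here (privileges managed through groups, logs shipped to a SIEM) come together in a periodic access review of the role groups that grant ePHI access. The PowerShell below is an added example, not part of the deck; the ePHI role-group names, the 90-day inactivity threshold and the shared-account name pattern are assumptions to replace with your own.

```powershell
# Added example (not from the original deck): review the RBAC groups that grant
# ePHI access against HIPAA 164.312(a) access control and 164.312(b) audit needs.
# Assumptions: the ActiveDirectory module is installed, the caller has read rights,
# and the group names below are placeholders for your own ePHI role groups.
Import-Module ActiveDirectory

$RoleGroups      = @('ePHI-Clinicians', 'ePHI-Billing', 'ePHI-Admins')  # hypothetical names
$InactiveDays    = 90                                                    # assumed threshold
$ExportPath      = "$env:TEMP\ephi-access-review.csv"                    # file to ship to the SIEM
$SharedNameRegex = '^(shared|generic|nurse\d*|frontdesk)'                # heuristic for non-unique IDs

$cutoff   = (Get-Date).AddDays(-$InactiveDays)
$findings = foreach ($group in $RoleGroups) {
    # -Recursive expands nested groups so indirectly granted members are reviewed too
    $members = Get-ADGroupMember -Identity $group -Recursive |
               Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName `
                        -Properties Enabled, LastLogonDate, PasswordNeverExpires, Description
        $issues = @()
        # Disabled accounts left in a role group are unreviewed access rights
        if (-not $u.Enabled)                           { $issues += 'DisabledButStillInRoleGroup' }
        # A null LastLogonDate compares as earlier than the cutoff, so never-used accounts are flagged
        if ($u.LastLogonDate -lt $cutoff)              { $issues += "NoLogonIn${InactiveDays}Days" }
        if ($u.PasswordNeverExpires)                   { $issues += 'PasswordNeverExpires' }
        # Shared or generic logins break the 164.312(a)(2)(i) unique user identification requirement
        if ($u.SamAccountName -match $SharedNameRegex) { $issues += 'PossibleSharedAccount' }

        [pscustomobject]@{
            Timestamp      = (Get-Date).ToString('o')
            RoleGroup      = $group
            SamAccountName = $u.SamAccountName
            Enabled        = $u.Enabled
            LastLogonDate  = $u.LastLogonDate
            Issues         = ($issues -join ';')
        }
    }
}

# Every membership goes to CSV as the audit record for the SIEM; exceptions are also shown on screen
$findings | Export-Csv -Path $ExportPath -NoTypeInformation
$findings | Where-Object { $_.Issues } | Format-Table -AutoSize
```

Run it under a scheduled task with a read-only account and forward the CSV alongside the domain controllers' Security logs, so the SIEM holds both the granted rights and the logon events that exercised them.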