2 December 2014

Strong Authentication among Healthcare Players

By Frédéric Lefebvre
Pre-Sales Engineer
With recent legislative developments and, notably, the PGSSI-S framework set by the ASIP Santé organisation, hospital centres have to implement a General Policy for the security of their Information Systems.

As a matter of fact, the establishment can be held legally liable in case of breaches in the processing and handling of medical data (patients' rights law of 4th March 2002).

Moreover, a growing number of establishments pool their equipment and exchange sensitive data about their patients. Practical issues then rapidly arise: how to ensure the confidentiality of exchanges, and how to restrict access by hospital centre users who would be tempted to consult sensitive information about patients without authorisation...

To secure a hospital IT system, strong authentication must be implemented with a CPS smart card (Healthcare Professionals Card) or an establishment badge.

As a reminder, strong authentication (two-factor authentication) combines a physical device (the user's card) with information known only to the user (the card's PIN code).

The PGSSI policy defines 3 security levels for healthcare establishments, according to the practices to implement. Strong authentication is based on the CPS card, which is distributed by the ASIP organisation. It contains a certificate carrying the professional's national identifier. It is one of the most widely used authentication means: it enables verification of the card holder's identity and allows authentication operations on medical applications and on the hospital IT system.

The CPS card offers multiple advantages:
  • It embeds ASIP Santé certificates for strong authentication: no need to manage a PKI infrastructure internally.
  • CPS cards are issued and renewed by ASIP Santé.
  • Devices are free.
  • The CPS card allows public authentication to be performed outside of the hospital IT system.
  • And above all, CPS cards v3 embed a contactless chip and are thus multiservice cards!
This type of device makes it possible to centralise all of the services offered by the establishment within a single card. No more badges dedicated to a single use: access to the establishment restaurant, car park or premises, authentication to the hospital IT system...

This "multiservice" device is easily adopted by the hospital staff: people use it for their daily needs, which considerably reduces cases of forgotten or lost badges.

A single sign-on (SSO) solution is the ideal complement to strong authentication. It helps turn regulatory constraints into real assets. The card is perceived as a real improvement in everyday comfort, as all the operations on the various medical applications are made easier thanks to the automatic injection of the connected user's login/password pairs. Locking and unlocking the workstation is simpler and faster, as users only have to present their card to open a work session or get back to it.

The hospital staff is more efficient, saves time and can therefore concentrate on more important tasks, for the patient's benefit.

The hospital IT system reinforces traceability and anticipates future needs in terms of pooling or sharing of applications, specifically with the support of identity federation. Take for example a professional wishing to access a service on a regional healthcare portal: federation can be implemented between this portal and the user's establishment in order to save this user from having to re-authenticate to the portal, which requires strong authentication. The federation implements standard protocols such as SAML or Interops in order to exchange the user's identity securely.

To meet these challenges, each establishment must therefore be pro-active to secure its hospital IT system and focus on the following key points:
  • Conduct an audit to find out what the hospital IT system lacks in terms of access control and traceability, based on the guidelines set by ASIP Santé.
  • Implement a strong authentication solution using a smart card (CPS card or establishment badge).
  • Use an access control and single sign-on (SSO) system to enhance traceability and address all password issues related to applications.

Such security measures will also bring more comfort and ergonomics to hospital workers who use multiple medical applications daily: they will only have to remember one PIN code instead of numerous passwords... And they will be grateful to you.

23 April 2014

CLUSIF launches a new work group: "Identity and Access Management and Governance"

In July 2007, CLUSIF published a technical file titled "Identity Management". That was 7 years ago, and although the concepts presented in this file are of course still valid, it seemed necessary to work on a new file integrating the following changes:
  • Technologies and uses have changed: in the 2007 file, there was obviously no mention of "Cloud" or "BYOD"; today, however, the notions of identity and access are fundamental to them. The same applies to all issues related to authentication techniques, for example, or to social networks and their interactions with the business world.
  • The law has changed: in 2007, the technical file referred to "Basel 2", for example. Since then, there has been "Basel 3". Laws and recommendations have also changed at the national level (CNIL, RGS, Confidentiality Decree, LPM).
  • The IS has developed, and identity federation projects and offerings are now common. In the 2007 file, this notion was addressed from a relatively technical standpoint, although in most cases it is essentially a "business" issue. At a time when many solutions are built on this notion of identity federation, this point deserves to be examined further.
  • In recent years, a number of significant identity management projects have failed. The approach and the way of looking at things have changed considerably since 2007: projects are now run more pragmatically, with iterations, etc.
  • In 2007, identity governance was not dealt with. Today, however, it is a mature and fundamental topic. In the last Magic Quadrant related to these themes, Gartner, for example, has merged the IAM and IAG magic quadrants.
  • In 2007, the emphasis was essentially placed on identity management. In the current context, access management must not be disregarded.

In short, the idea behind this new CLUSIF "work group" is to produce a file on "Identity and Access Management and Governance". The purpose is not to review or amend the existing document but to create a new one. Olivier Morel, Ilex Pre-Sales Director, has been appointed to head this work group.

You will find the description of the work group on the CLUSIF site: http://www.clusif.fr/fr/clusif/gt/gt.asp?gid=53

To join the work group, you must first be a CLUSIF member (http://www.clusif.fr/fr/clusif/adhesion/), you should also have things to say on IAM/IAG and be motivated!

19 February 2014

Managing cloud users

Cloud or SaaS applications are increasingly used in enterprises. This is a strong market trend, as this technology makes it easier to provide applications and helps service providers be closer to their consumers, with no need to go through IT.
Enterprises must take these new application management modes into account. Indeed, companies are decentralised and, although these applications offer state-of-the-art interfaces, the people in charge of them have to manage users "manually", which is potentially a source of errors. The consequences of this type of management are well known in terms of security (passwords forgotten by users, multiple dormant accounts, weak password policies generating security holes) and in terms of cost (the price of the service depends on its usage). An IAM solution (Identity & Access Management) which integrates support for cloud or SaaS applications is key, as it gives control to the people operating at a functional level.

How to perform cloud provisioning?
Today, there is no single standard to manage provisioning for SaaS applications. The SPML (Service Provisioning Markup Language) standard has failed in this segment. As for the SCIM (System for Cross-domain Identity Management) standard, it is currently rarely used, even by those who promote it (Google, Ping Identity and SalesForce, for example, do not use it for their application provisioning), or it is used as a marketing argument by new entrants on the IAM market. Nevertheless, the SCIM standard, which will be enhanced in version 2.0, offers many advantages for the future: it is easy to use via its REST interface, it is easier to configure than SPML, and it provides more possibilities for the user definition.
As a matter of fact, provisioning management for these applications is based on non-standard connectors, for example:
  • GoogleApps provisioning is based on REST APIs. The initial versions also had Java and Python implementations, but these are no longer supported by the current version. Google provides a very comprehensive API and enhances it constantly, so it is necessary to keep up to date. Note that the API has usage limitations (request frequency, for example) and that Google disclaims any responsibility concerning the use of the service.
  • The provisioning of Office 365 and Exchange Online is really operational only when using the PowerShell APIs, the REST interface being used mainly for queries. The complexity lies in mastering the execution of PowerShell from the dedicated Microsoft servers.
  • Salesforce is interesting from an account creation perspective, as creation can be performed on the fly, at connection time. For this, identity federation must be implemented: the identity server passes the Salesforce service the parameters required to create the user, thus performing Just-In-Time (JIT) provisioning. For account modifications and deletions, the REST API must be used.
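To make the SCIM approach above concrete, here is an added example (not Ilex's code nor any vendor's connector): a small reconciliation routine that compares an internal directory with the accounts present in a SaaS application and emits SCIM 2.0 requests, a POST for each missing user and a PATCH that deactivates dormant accounts rather than deleting them. The schema URNs are those of RFC 7643/7644; the users, SCIM ids and the in-memory "SaaS" data are constructed for the demonstration.

```python
"""Reconcile an internal directory against a SaaS user list and emit
SCIM 2.0 requests (RFC 7643/7644). Constructed sample data; no network calls."""
import json

SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Constructed sample: the authoritative internal directory (e.g. an HR feed).
INTERNAL_USERS = {
    "alice@example.org": {"given": "Alice", "family": "Martin"},
    "bob@example.org": {"given": "Bob", "family": "Durand"},
}
# Constructed sample: accounts present in the SaaS application, keyed by
# SCIM id. carol has no internal record any more: a dormant account.
SAAS_USERS = {
    "2819c223": {"userName": "alice@example.org", "active": True},
    "c75ad752": {"userName": "carol@example.org", "active": True},
}


def scim_create_payload(user_name, attrs):
    """Body of POST /Users creating a user in the SaaS application."""
    return {
        "schemas": [SCIM_USER],
        "userName": user_name,
        "name": {"givenName": attrs["given"], "familyName": attrs["family"]},
        "emails": [{"value": user_name, "primary": True}],
        "active": True,
    }


def scim_deactivate_patch():
    """Body of PATCH /Users/{id} disabling an account instead of deleting it
    (keeps the audit trail, stops per-user billing)."""
    return {"schemas": [SCIM_PATCH],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def reconcile(internal, saas):
    """Return the (method, path, body) requests that bring the SaaS
    application in line with the internal directory."""
    requests_ = []
    present = {u["userName"]: sid for sid, u in saas.items()}
    for name, attrs in sorted(internal.items()):
        if name not in present:  # known internally, missing in the SaaS
            requests_.append(("POST", "/Users", scim_create_payload(name, attrs)))
    for sid, u in sorted(saas.items()):
        if u["userName"] not in internal and u["active"]:  # dormant account
            requests_.append(("PATCH", f"/Users/{sid}", scim_deactivate_patch()))
    return requests_


if __name__ == "__main__":
    for method, path, body in reconcile(INTERNAL_USERS, SAAS_USERS):
        print(method, path, json.dumps(body))
```

Running it prints one POST creating bob and one PATCH deactivating carol; a real connector would send these bodies with the SaaS application's SCIM endpoint and bearer token.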

How to implement cloud provisioning in enterprises?
Cloud computing revolutionises business practices and the way enterprises use and manage their services. As far as identity management is concerned, it must continue to enforce the company's security policy, which must be unique and centralised while remaining flexible. Tools that handle identity management for cloud computing only are on the wrong track (or simply not good enough). Identity management tools must be adapted in order to manage cloud applications in the same way as internal applications. The level of service and ease of use of identity management functions do not depend on the location of the servers!

We should also mention how Identity Federation mechanisms can also strengthen the security of these systems. This will be the topic of a future post.


In conclusion, IAM solutions have a great future because, if we want to control security and costs, we must be able to manage internal as well as external users – internal and external service consumers – in the best possible way.

14 February 2014

Welcome to the Ilex Blog!

As a software provider specialising in IAM, our favourite topics are: identity management, governance, access control and more generally, IT security. Ilex has developed real expertise in IT security for more than 25 years.
We will use this blog to discuss market trends and technologies with you and to keep you informed of Ilex news.


We hope you will enjoy reading our posts!