“End Point Security”?

End Point Security and HIPAA
Gary Christoph, Ph.D.
Sr. VP Government and Healthcare
410-884-1313
Session 4.05 10:30am
April 8, 2005
A Blumberg Capital, Valley Ventures and Intel Capital Funded Security Company
Seclarity, Inc.
11705 Lightfall Court
Columbia, MD 21044
© by Seclarity Inc. 2005, Slide: 1
Why is Network Security hard?
• Network Security perimeter solutions are inadequate
– New technologies, like wireless, render the “perimeter” fuzzy
– Insider threat persistently at the 50-70% level
– Management of the collection of perimeter point solutions is complex
• Historically, network security was never “designed in” to IP networks—a new approach is needed
What do we mean by “End Point Security”?
Instead of the Bastion perimeter model:
– Install a trusted “guard” at every host in your network
– Let this individual “guard” have the power of a firewall
– Let the “guards” mediate all user access to the network
– Make the “guards” be under central management, rather than under user control
– Let the “guards” authenticate to each other
– Allow the “guards” to encrypt traffic between legitimate users, wherever they may be
A Simplified View of a Contemporary “Secured” Network:
[Diagram labels: Wireless; Remote users with software VPN agents; Firewall; Internet; VPN; IDS; Proxy; Encrypted Traffic; Unencrypted Traffic]
A Simple view of an Endpoint-Secured Network:
[Diagram labels: Wireless; Remote user; Firewall; Internet; Encrypted Traffic]
What Does HIPAA Really Require?
YOU MUST:
• Think about the risks you face
• Develop coherent, enforceable policy
• Write it down
• Implement/operate whatever controls this requires
• Train/educate staff
• Periodically test & document
HIPAA Title II, Administrative Simplification: Transaction Standards; Standard Code Sets; Security; Unique Health Identifiers; Privacy
Security
• Administrative Procedures
– Chain of Trust Agreement
– Certification
– Internal Audit, Training, Written Policies & Procedures, etc.
• Physical Safeguards
– Secure Workstation
– Physical Access Controls, Media Controls, etc.
– Security Awareness Training
• Technical Security Services
– Access Controls
– Authorization
– Data Authentication
– Entity Authentication
• Technical Security Mechanisms
– Basic Network Safeguards
– Integrity and Protection
• Electronic Signature
– Not currently required
Privacy
• Limitations
– Covers Protected Health Information (PHI) transmitted or stored, in any medium (electronic, paper, oral)
• General Rules
– PHI data elements defined
– Notice of Privacy Practices mandated
– Minimum necessary disclosure/use of data
– Consent required for routine use
– Authorization required for non-routine use
– Business associate contracts required
– Designated Privacy Officer
HIPAA NW Security/Privacy Issues:
• People are involved
– People are neither repeatable nor logical
– People on the job make inappropriate assumptions
• Technical Solutions are too complex
– Point products do not tile the floor
– Management of many solutions is not easy or cheap
– Pace of technological change adds new vulnerabilities (e.g., wireless)
• Administrative Solutions that are not
– Processes get in the way of work
– Controls violated without your knowledge or without consequence
Technical Solution Target
• Want transparency
– Easy for users to comply
– Easy for admins to enforce
• Want universality
– Everywhere same policy enforced the same
– Use technology to reduce administrative controls
• Want simplicity
– Complexity is the enemy
– Easy to manage
• Want verifiability
– Documentable
• Want cheap
– Do not want to go out of business
End Point Security Can Help:
Change the paradigm:
– Control access to the network at the individual End Points
– Give users only the network access they need
– Give back control to the enterprise of those access rights
– Eliminate depending on the network infrastructure to enforce separation
A More Realistic “Secured” Network:
[Diagram labels: Labs; Hospital; Physicians’ Office; Wireless; Internet; IDS, VPN and Proxy GW at each site; Encrypted path; Unencrypted path]
An “End Point” Secured Network:
[Diagram labels: Labs; Hospital; Physicians’ Office; Wireless; Internet; IDS; Encrypted path; Unencrypted path]
Vulnerability Scan Results
• Three Generic Windows 2000 Servers
• OS Installed from CD Media with SP1
• Updated via Windows Update to the Latest Available Patches
[Chart panels: Before Sinic Install; After Sinic Install. Legend: Informational, Low, Medium, High, Serious, Blocked]
Securing End Points : Network Virtualization
Set up separate “user communities” – Encrypt All PHI Traffic
[Diagram labels: Doctor on Rounds; Laboratory Analyst; Doctor’s Office; Accounting PC’s; Accounting Office Servers; Hospital Internal Network; Hospital PHI DB Server; Hospital Mainframe; Remote User]
Different Kinds of End Point Security
Five kinds based on where the “guard” resides:
1) Software in the host’s user space
2) Software in the host’s operating system
3) Hardware TPM in the host
4) Hardware at the NIC level
5) Hardware at the Host’s edge
Different Kinds of End Point Security
[Diagram: software agents and hardware agents shown with the OS and PHI of a host on the network, ordered by increasing trust. Examples labelled: Sygate; OS agent: Microsoft; TBA: TCG TPM; 14-South, Seclarity; TBA]
End Point Security Can Help:
Benefits of Centrally managed End-Point Security
– Not capturable by the user—users only get those rights you want them to have
– Distributed enforcement can be fine-grained
– Addresses many Insider Threat issues
– Separates security from network management
– Policy enforcement is everywhere the same
– Simplified audit reporting
– Do not have to modify user behavior—reduced training
– Better security at lower overall cost
– Reduces urgency of patch-in-a-hurry
– Secures remote and distant users
Some Scenarios:
• Secure PHI for mobile users, e.g., Doctor on Hospital Rounds
• Patients/visitors given access to the Internet from Hospital networks (RJ-45 jacks), without fear of compromise of PHI
• Concessions (e.g., POS devices) can have completely isolated use of the enterprise network
• Prompt containment of compromised satellite hosts or workstations
• Securely manage PHI-containing servers from sysadmins at home or from Starbucks
• Simply demonstrate to auditors that “no connection from PHI containing servers to unauthorized users has occurred”
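The auditor scenario above, combined with the “user communities” idea from the Network Virtualization slide, as an added example that is not from the original slides or from any Seclarity product: a centrally held community policy with default deny, and an audit pass over the connection decisions the guards reported. The host names, community names and flow-record format are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Constructed central policy: community -> member end points.
# All names are hypothetical, loosely following the roles on the slides.
COMMUNITIES = {
    "clinical": {"doctor-rounds", "doctor-office", "lab-analyst", "phi-db"},
    "accounting": {"acct-pc", "acct-server"},
    "guest": {"visitor-jack"},
}
PHI_SERVERS = {"phi-db"}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    encrypted: bool
    allowed: bool  # decision the guard recorded for this connection

def decide(src, dst):
    """Default deny: two end points may talk only inside a shared community."""
    return any(src in m and dst in m for m in COMMUNITIES.values())

def audit_phi(flows):
    """Return (reason, flow) pairs that contradict the auditor statement."""
    findings = []
    for f in flows:
        if not {f.src, f.dst} & PHI_SERVERS or not f.allowed:
            continue  # not PHI-related, or blocked by the guard
        if not decide(f.src, f.dst):
            findings.append(("unauthorized-peer", f))
        elif not f.encrypted:
            findings.append(("cleartext-phi", f))
    return findings

# Constructed flow records, as a central manager might collect from guards.
FLOWS = [
    Flow("doctor-rounds", "phi-db", True, True),
    Flow("visitor-jack", "phi-db", False, False),  # denied at the end point
    Flow("acct-pc", "phi-db", True, True),         # guard ran a stale policy
    Flow("lab-analyst", "phi-db", False, True),    # permitted but unencrypted
]

if __name__ == "__main__":
    for reason, flow in audit_phi(FLOWS):
        print(reason, flow.src, "->", flow.dst)
```

An empty result from `audit_phi` is the evidence behind the auditor statement; any finding points at a guard whose recorded decision disagrees with the central policy.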
Questions?