Security Partners Software consulting and solutions provider Cambridge MA Final presentation - Team 4 Chris Dalton, Amir Kashani, Mugur Roz, Jamie Symonds

Security Partners

Software consulting and solutions provider, Cambridge MA

Final presentation - Team 4
Chris Dalton, Amir Kashani, Mugur Roz, Jamie Symonds

AUTHORIZED ENTERPRISE

● integrating three legacy websites
● enable Role Based Access Control
● centralize user/security management
● allow single sign-on
● facilitate security auditing

EXECUTIVE SUMMARY – THE PLAYERS

Gloco
● largest supplier of “smart” medical devices
● record revenue in 2014
● increased staff costs hurting bottom line

Security Partners
● industry leader in security and identity management software

EXECUTIVE SUMMARY – THE PROBLEM

● Legacy web application - Gloco Health Cloud
● Legacy web application - B2B Orders
● acquired HealthBit - wearable device
● inherited HealthBit application and staff
● external and internal users for all systems
● poor user experience - no single sign-on
● poor user experience - no integration
● inefficiency for internal users costs money

EXECUTIVE SUMMARY – REAL PROBLEM($)

● inefficient to support and maintain
● password resets
● inflexible security
● user rights management
● no LDAP integration
● security visibility & audit
● developers re-inventing the wheel
● penetration testing and vulnerability assessments

EXECUTIVE SUMMARY - SOLUTION

● Authorized Enterprise suite (RBAC)
● console, portal, embedded code, DB
● Single sign-on, application integration
● LDAP import & sync for internal users
● Unified security - testers, developers
● Centralized security
● Flexible, fine-grained security
● Auditing at the user, application and DB level

BUSINESS PROCESS

● Single sign-on and password resets


BUSINESS PROCESS

● User rights management and security audits


BUSINESS REQUIREMENTS


ASSUMPTIONS, IN SCOPE, & OUT OF SCOPE

A. This project is not about feature enhancements for external web applications. No new functionality will be bundled together with this initiative.

B. Current application features will work as is and no code changes will be needed other than making applications RBAC aware and improving identity and access rights management.

C. Only 3 external applications are being RBAC enabled at this time.

FUNCTIONAL REQUIREMENTS

Single User Identity Across All Websites (SSO)

● Users should log in to all Gloco sites using a single identity.
● Users should be able to link their disparate identities together.
● When users have logged in to one Gloco external site they should not have to enter username and password again if they visit another Gloco site during the same session.

Self Service
● Users should be able to self-register to Gloco external applications.
● Users should be able to reset their passwords.

FUNCTIONAL REQUIREMENTS CONT’D.

Simplified User Roles & Access Rights Management

1. Retail Users - access to HealthBit and GHC menus from home page

2. B2B Users - access to B2B web site menus.

3. A Doctor, who is a B2B User, should have a single identity

4. Customer Service - able to all users from one console

5. Customer Service - able to easily identify user roles

6. Fine-grained authorization, i.e. help desk can reset passwords without system admin privileges

FUNCTIONAL REQUIREMENTS CONT’D.

Centralized Administration

1. Maintain all external users in a central location. Make sure user roles are consistent and centralized across all applications.

2. Make sure users only see actions/menus for which they are authorized

Security & Compliance

3. Reports available for any unusual activities to enhance security.

4. System should expedite HIPAA audit compliance.


NON-FUNCTIONAL REQUIREMENTS

1. Use open standards whenever possible.

2. Solutions should be able to integrate with existing Gloco Infrastructure.

3. Systems should perform to current usability standards.

4. Systems should comply with Gloco’s software architectural standards.

5. System should be available 99% of the time.

6. System should comply with Gloco’s legal and compliance policies.

BUSINESS BENEFIT JUSTIFICATION

● Reduced CSR costs

● Reduced account administration and security costs

● Improved system adoption

● Improved customer satisfaction

● Improved business-to-business collaboration

● Improved security and compliance

● Improved future integration

BUSINESS BENEFIT JUSTIFICATION


SUCCESS METRICS

Cost reduction by reducing CSR expenses
● Reduce number of support calls by 25%
● Reduce time per call by 25%

Cost reduction by reducing administrative expenses
● Reduce number of hours for system administrators by 66%
● Reduce number of hours for security officers by 66%
● Decrease account decommissioning time by 66%

Improve system adoption
● Decrease time required to get users up and running by 50%

Improve system security
● Decrease number of security incidents by 50%
● Decrease number of compliance incidents by 50%

SOFTWARE SOLUTION

● Authorized Portal

● Authorized Reverse Proxy

● Authorized Components

● Authorized Web Services

● Authorized DB Interceptor

● Authorized Console

● Authorized Database

INTEGRATION WITH EXISTING APPLICATIONS

HealthBit, HealthCloud, and Gloco B2B will be retrofitted

● Where the application would query the local user’s table for logins and permissions, the system’s code will now utilize Authorized Components.

● Change database connection to point to the DB interceptor and provide username

● Each of the websites were developed by vendors who are responsible for implementing the proposed changes.


INTEGRATION WITH EXISTING APPLICATIONS (2)

As-is application code (each legacy site queries its own permission table, and the username is concatenated straight into the SQL text; this is the lookup the retrofit replaces):

    ...
    // Legacy per-application permission lookup built by string concatenation
    // (injection-prone; kept here exactly as the slide presents the as-is state).
    bool result = false;
    using (SqlCommand command = new SqlCommand(
        "SELECT canAddDoctor FROM UserPermission WHERE username = '" + args[0] + "'", con))
    {
        ...
        var canAddDoctor = command.ExecuteScalar();
        if (canAddDoctor != null)
            result = canAddDoctor.ToString() == "1";
    }
    ...

To-be application code (the decision is delegated to the Authorized Components library; no SQL is built in the application):

    ...
    // Ask the central Authorized Enterprise component whether the caller's session
    // token may perform this function in this application.
    string func = "canAddDoctor";
    AuthorizedComponent ac = new AuthorizedComponent();
    if (ac.canPerformFunction(token, func, appName))
        return true;
    ...
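The slide shows only the call site. As an added illustration that is not part of the deck and not Security Partners' Authorized Components code, the following hypothetical in-memory AuthorizedComponent shows what the to-be call relies on: a session token is resolved to a user, the user's roles are resolved to the functions they may perform in the named application, every missing link fails closed, and each decision is written to an audit list. Only the class name AuthorizedComponent and the method canPerformFunction(token, func, appName) come from the slide; GrantFunction, AssignRole, IssueToken, AuditRecord and the sample users, roles and application names are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Constructed illustration of the central check the retrofitted sites call.
// AuthorizedComponent / canPerformFunction are the names used on the slide;
// everything else here is a hypothetical stand-in for the real product.
public sealed class AuditRecord
{
    public DateTime At;
    public string User;
    public string App;
    public string Function;
    public bool Allowed;
    public string Reason;
}

public sealed class AuthorizedComponent
{
    // Session token -> (user, expiry). In the product the SSO portal would issue these.
    private readonly Dictionary<string, Tuple<string, DateTime>> sessions =
        new Dictionary<string, Tuple<string, DateTime>>();
    // (application, role) -> functions that role may perform in that application.
    private readonly Dictionary<Tuple<string, string>, HashSet<string>> roleFunctions =
        new Dictionary<Tuple<string, string>, HashSet<string>>();
    // User -> roles. One identity can hold roles across several applications.
    private readonly Dictionary<string, HashSet<string>> userRoles =
        new Dictionary<string, HashSet<string>>();
    // One record per decision, allow or deny, for the auditing requirement.
    public List<AuditRecord> Audit = new List<AuditRecord>();

    public void GrantFunction(string app, string role, string function)
    {
        var key = Tuple.Create(app, role);
        if (!roleFunctions.ContainsKey(key)) roleFunctions[key] = new HashSet<string>();
        roleFunctions[key].Add(function);
    }

    public void AssignRole(string user, string role)
    {
        if (!userRoles.ContainsKey(user)) userRoles[user] = new HashSet<string>();
        userRoles[user].Add(role);
    }

    public string IssueToken(string user, TimeSpan ttl)
    {
        var bytes = new byte[32];
        RandomNumberGenerator.Fill(bytes);           // opaque, unguessable session token
        string token = Convert.ToBase64String(bytes);
        sessions[token] = Tuple.Create(user, DateTime.UtcNow.Add(ttl));
        return token;
    }

    // Same signature as the call in the to-be slide code.
    public bool canPerformFunction(string token, string func, string appName)
    {
        // Fail closed: every missing link in token -> user -> role -> function denies.
        Tuple<string, DateTime> session;
        if (!sessions.TryGetValue(token, out session))
            return Record("<unknown>", appName, func, false, "unknown token");
        if (session.Item2 <= DateTime.UtcNow)
            return Record(session.Item1, appName, func, false, "expired token");
        HashSet<string> roles;
        if (!userRoles.TryGetValue(session.Item1, out roles))
            return Record(session.Item1, appName, func, false, "user has no roles");
        foreach (string role in roles)
        {
            HashSet<string> fns;
            if (roleFunctions.TryGetValue(Tuple.Create(appName, role), out fns) && fns.Contains(func))
                return Record(session.Item1, appName, func, true, "granted via role " + role);
        }
        return Record(session.Item1, appName, func, false, "no role grants this function");
    }

    private bool Record(string user, string app, string func, bool allowed, string reason)
    {
        Audit.Add(new AuditRecord { At = DateTime.UtcNow, User = user, App = app,
                                    Function = func, Allowed = allowed, Reason = reason });
        return allowed;
    }
}

public static class Demo
{
    public static void Main()
    {
        var ac = new AuthorizedComponent();
        // Constructed role model: a doctor who is also a B2B user holds both roles under one identity.
        ac.GrantFunction("GlocoB2B", "B2BUser", "viewOrders");
        ac.GrantFunction("GlocoB2B", "Doctor", "canAddDoctor");
        ac.GrantFunction("HealthBit", "RetailUser", "viewActivity");
        ac.AssignRole("drlee", "Doctor");
        ac.AssignRole("drlee", "B2BUser");
        ac.AssignRole("pat", "RetailUser");

        string drToken = ac.IssueToken("drlee", TimeSpan.FromMinutes(30));
        string patToken = ac.IssueToken("pat", TimeSpan.FromMinutes(30));

        ac.canPerformFunction(drToken, "canAddDoctor", "GlocoB2B");
        ac.canPerformFunction(patToken, "canAddDoctor", "GlocoB2B");
        ac.canPerformFunction("not-a-real-token", "viewActivity", "HealthBit");
        foreach (var a in ac.Audit)
            Console.WriteLine(a.At.ToString("o") + " " + a.User + " " + a.App + "/" + a.Function
                              + " allowed=" + a.Allowed + " (" + a.Reason + ")");
    }
}
```

Running Main produces three audit lines: the doctor's request is allowed through the Doctor role, the retail user's request to the same function is denied because no role of theirs grants it in GlocoB2B, and the made-up token is denied as unknown. Two points matter for the retrofit: the username never reaches a SQL string, so the concatenation in the as-is code disappears rather than being patched in each site, and the audit list captures denials as well as grants, which is what an "unusual activity" report needs. A real deployment would back the three dictionaries with the Authorized Database rather than memory.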

DATA DESIGN AND MANAGEMENT

● Data Entities

● Data Integrations

● Data Migration Plan


AUTHORIZED ENTERPRISE DATA ENTITIES


DATA INTEGRATION

Internal Users - Corporate LDAP will Stay as System of Record

● Initial data load
● New users & updates
● Terminations

External Users - AE will Become System of Record

● Initial data
● New users

SOLUTION DEMONSTRATION

Single Sign-On
Panels: During migration and consolidation; After migration and consolidation

SOLUTION DEMONSTRATION (2)

Login Consolidation
Panel: During migration and consolidation

SOLUTION DEMONSTRATION (3)

Password Self Service
Panels: During migration and consolidation; After migration and consolidation

SOLUTION DEMONSTRATION (4)

Unified homepage (post-login)
Panel: After migration and consolidation

SOLUTION DEMONSTRATION (5)

Integration and unified menu
Panels: Current HealthBit website; After migration and consolidation

SOLUTION DEMONSTRATION (6)

Integration and unified menu
Panels: Current Gloco B2B website; After migration and consolidation

SOLUTION DEMONSTRATION (7)

Integration and unified menu
Panels: Current HealthCloud website; After migration and consolidation

SOLUTION DEMONSTRATION (8)

Administrative application
Panel: Desktop administrative application

ORGANIZATIONAL CHART & KEY RESOURCES


TIMELINE


RISK SUMMARY
(Risk / Impact / Likelihood / Mitigation Plan)

Risk: Lost productivity due to uncertainty for customer service representatives
Impact: High. Likelihood: High.
Mitigation: Involve CSRs from the beginning and provide training and other career paths.

Risk: New user interface confusion, mostly around user login screens
Impact: High. Likelihood: High.
Mitigation: Roll out in a phased approach while learning from user feedback. Pay extra attention to usability and communication.

Risk: Application performance
Impact: Medium. Likelihood: Low.
Mitigation: Build redundant servers with load balancing. Do load testing to make sure performance meets expectations.

Risk: Task completion; some work could prove to be difficult and challenging
Impact: High. Likelihood: Medium.
Mitigation: Take a phased approach and create work in smaller chunks. Provide incentives.

Risk: AE software incompatible with an application
Impact: High. Likelihood: Low.
Mitigation: Confirm compatibility in the POC phase. Use web services directly if necessary.

Risk: Role and function mining; applications written in a way that makes it difficult to isolate roles and functions
Impact: High. Likelihood: Medium.
Mitigation: Devote a small team of developers to look at problem application code during the POC phase.

OPERATIONAL READINESS - COMPONENTS

Authorized Enterprise
● roles, functions, permissions, users
● role and policy modeling and export
● change workflow

Gloco Website
● software updates, patches
● FAQs, wiki, contact, issue tracking

OPERATIONAL READINESS - NEW ROLES

Role Analyst
● focal point for policy generation
● coordination between business units
● owner of change workflow

Role and Application Owners
● role membership, permissions
● functional abilities

OPERATIONAL READINESS - ROLE ANALYST


OPERATIONAL READINESS - CUSTOMER SERVICE

● Currently three units, one for each application

● Stated goal: Reduce account calls from 30% to 5%

● Stated goal: Reduce time of these calls 25%

● Train segment of CSRs in Authorized Console

● Route user account calls appropriately

● Allow remaining CSRs to be application experts

● Reduce/repurpose CSR staff


OPERATIONAL READINESS - SLA

● 24/7 email and web support

● Critical - Severe impact in production. 30 minute response and immediate resolution. 24/7 support

● High - Production severely reduced. 4 hour response. 12x7 support.

● Medium - Partial, non-critical loss in production. 1 business day response. 8x7 support.

● Low - General question, future enhancement. 2-3 business days response. Resolved with patches or software updates.

USER ENABLEMENT


USER ENABLEMENT


SUCCESS METRICS


Q&A
