Security Partners
Software consulting and solutions provider, Cambridge MA
Final presentation - Team 4: Chris Dalton, Amir Kashani, Mugur Roz, Jamie Symonds
AUTHORIZED ENTERPRISE
● integrating three legacy websites
● enable role-based access control
● centralize user/security management
● allow single sign-on
● facilitate security auditing
EXECUTIVE SUMMARY – THE PLAYERS
Gloco
● largest supplier of “smart” medical devices
● record revenue in 2014
● increased staff costs hurting bottom line
Security Partners
● industry leader in security and identity management software
EXECUTIVE SUMMARY – THE PROBLEM
● Legacy web application - Gloco Health Cloud
● Legacy web application - B2B Orders
● acquired HealthBit - wearable device
● inherited HealthBit application and staff
● external and internal users for all systems
● poor user experience - no single sign-on
● poor user experience - no integration
● inefficiency for internal users costs money
EXECUTIVE SUMMARY – REAL PROBLEM($)
● inefficient to support and maintain
● password resets
● inflexible security
● user rights management
● no LDAP integration
● security visibility & audit
● developers re-inventing the wheel
● penetration testing and vulnerability assessments
EXECUTIVE SUMMARY - SOLUTION
● Authorized Enterprise suite (RBAC)
● console, portal, embedded code, DB
● single sign-on, application integration
● LDAP import & sync for internal users
● unified security - testers, developers
● centralized security
● flexible, fine-grained security
● auditing at the user, application and DB level
ASSUMPTIONS, IN SCOPE, & OUT OF SCOPE
A. This project is not about feature enhancements for external web applications. No new functionality will be bundled together with this initiative.
B. Current application features will work as is and no code changes will be needed other than making applications RBAC aware and improving identity and access rights management.
C. Only 3 external applications are being RBAC-enabled at this time.
FUNCTIONAL REQUIREMENTS
Single User Identity Across All Websites (SSO)
● Users should log in to all Gloco sites using a single identity.
● Users should be able to link their disparate identities together.
● When users have logged in to one Gloco external site, they should not have to enter a username and password again if they visit another Gloco site during the same session.
Self Service
● Users should be able to self-register to Gloco external applications.
● Users should be able to reset their passwords.
FUNCTIONAL REQUIREMENTS CONT’D.
Simplified User Roles & Access Rights Management
1. Retail Users - access to HealthBit and GHC menus from the home page
2. B2B Users - access to B2B web site menus
3. A doctor who is a B2B user should have a single identity
4. Customer Service - able to manage all users from one console
5. Customer Service - able to easily identify user roles
6. Fine-grained authorization, e.g. the help desk can reset passwords without system admin privileges
FUNCTIONAL REQUIREMENTS CONT’D.
Centralized Administration
1. Maintain all external users in a central location. Make sure user roles are consistent and centralized across all applications.
2. Make sure users only see actions/menus for which they are authorized.
Security & Compliance
3. Reports available for any unusual activities, to enhance security.
4. System should expedite HIPAA audit compliance.
NON-FUNCTIONAL REQUIREMENTS
1. Use open standards whenever possible.
2. Solutions should be able to integrate with existing Gloco Infrastructure.
3. Systems should perform to current usability standards.
4. Systems should comply with Gloco’s software architectural standards.
5. System should be available 99% of the time.
6. System should comply with Gloco’s legal and compliance policies.
BUSINESS BENEFIT JUSTIFICATION
● Reduced CSR costs
● Reduced account administration and security costs
● Improved system adoption
● Improved customer satisfaction
● Improved business-to-business collaboration
● Improved security and compliance
● Improved future integration
SUCCESS METRICS
Cost reduction by reducing CSR expenses
● Reduce number of support calls by 25%
● Reduce time per call by 25%
Cost reduction by reducing administrative expenses
● Reduce number of hours for system administrators by 66%
● Reduce number of hours for security officers by 66%
● Decrease account decommissioning time by 66%
Improve system adoption
● Decrease time required to get users up and running by 50%
Improve system security
● Decrease number of security incidents by 50%
● Decrease number of compliance incidents by 50%
SOFTWARE SOLUTION
● Authorized Portal
● Authorized Reverse Proxy
● Authorized Components
● Authorized Web Services
● Authorized DB Interceptor
● Authorized Console
● Authorized Database
INTEGRATION WITH EXISTING APPLICATIONS
HealthBit, HealthCloud, and Gloco B2B will be retrofitted
● Where an application currently queries its local user table for logins and permissions, its code will instead call Authorized Components.
● Change the database connection to point to the DB Interceptor and provide the username.
● Each of the websites was developed by a vendor, who is responsible for implementing the proposed changes.
INTEGRATION WITH EXISTING APPLICATIONS (2)
As-is application code (a permission lookup against the application's own user table):

    ...
    using (SqlCommand command = new SqlCommand(
        "SELECT canAddDoctor FROM UserPermission WHERE username = @username", con))
    {
        // parameterized lookup; the legacy code built this string by concatenating args[0]
        command.Parameters.AddWithValue("@username", args[0]);
        ...
        var canAddDoctor = command.ExecuteScalar();
        if (canAddDoctor != null)
            result = (canAddDoctor.ToString() == "1");
        ...
    }
    ...

To-be application code (the same check delegated to Authorized Components):

    ...
    string func = "canAddDoctor";
    AuthorizedComponent ac = new AuthorizedComponent();
    // token: the user's SSO session token; appName: the calling application
    if (ac.canPerformFunction(token, func, appName))
        return true;
    ...
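The following is an added example, not code from the deck or from the Authorized Enterprise product, written in Python rather than the deck's C# so the logic can be read on its own. It shows what a central check in the shape of the to-be call canPerformFunction(token, func, appName) has to do to meet the earlier requirements: one identity carrying several roles (the doctor who is also a retail user), menus filtered to authorized functions, a help-desk role that can reset passwords without system admin rights, expired tokens denied, and every decision written to an audit trail that a report for unusual activity can read. The role names, function names, menu labels and the DENY threshold are constructed assumptions.

```python
"""Central permission check, menu filtering and an audit-based unusual-activity
report. Constructed example; policy, tokens and function names are assumptions,
not Authorized Enterprise code."""
from collections import Counter
from dataclasses import dataclass
import time

# Role -> set of (application, function) the role may perform. Constructed policy.
ROLE_FUNCTIONS = {
    "retail":           {("healthbit", "viewDevice"), ("ghc", "viewRecords")},
    "b2b":              {("b2b", "placeOrder"), ("b2b", "canAddDoctor")},
    "customer_service": {("console", "viewUser"), ("console", "resetPassword")},
    "sysadmin":         {("console", "viewUser"), ("console", "resetPassword"),
                         ("console", "assignRole"), ("console", "deleteUser")},
}
# Menu entries per application, keyed by the function that unlocks each entry.
MENUS = {
    "healthbit": [("My Devices", "viewDevice")],
    "ghc":       [("Health Records", "viewRecords")],
    "b2b":       [("Orders", "placeOrder"), ("Add Doctor", "canAddDoctor")],
    "console":   [("Users", "viewUser"), ("Reset Password", "resetPassword"),
                  ("Roles", "assignRole"), ("Delete User", "deleteUser")],
}


@dataclass
class Session:
    user: str
    roles: frozenset
    expires: float


SESSIONS = {}   # token -> Session; stands in for the SSO session store
AUDIT = []      # (user, app, func, decision, reason); append-only


def issue_token(token, user, roles, ttl=3600, now=None):
    """Record an SSO session: one identity, possibly several roles."""
    now = time.time() if now is None else now
    SESSIONS[token] = Session(user, frozenset(roles), now + ttl)


def _session(token, now):
    s = SESSIONS.get(token)
    return s if s is not None and s.expires > now else None


def _policy_allows(session, func, app_name):
    return any((app_name, func) in ROLE_FUNCTIONS.get(r, ()) for r in session.roles)


def can_perform_function(token, func, app_name, now=None):
    """The central check a retrofitted application calls instead of its local table."""
    now = time.time() if now is None else now
    s = _session(token, now)
    if s is None:
        AUDIT.append((None, app_name, func, "DENY", "invalid or expired token"))
        return False
    allowed = _policy_allows(s, func, app_name)
    AUDIT.append((s.user, app_name, func, "ALLOW" if allowed else "DENY", "policy"))
    return allowed


def visible_menus(token, app_name, now=None):
    """Only the menus the user is authorized for; no audit entry per menu item."""
    now = time.time() if now is None else now
    s = _session(token, now)
    if s is None:
        return []
    return [label for label, func in MENUS.get(app_name, [])
            if _policy_allows(s, func, app_name)]


def unusual_activity_report(audit, threshold=3):
    """Users with at least `threshold` DENY decisions: a simple signal that an
    account is trying functions outside its role. Threshold is an assumption."""
    denies = Counter(user for user, _, _, decision, _ in audit
                     if decision == "DENY" and user)
    return sorted(u for u, n in denies.items() if n >= threshold)


def demo():
    SESSIONS.clear()
    AUDIT.clear()
    issue_token("tok-doc", "dr_lee", ["b2b", "retail"])            # doctor who is also a retail user
    issue_token("tok-help", "helpdesk1", ["customer_service"])
    issue_token("tok-old", "old_user", ["retail"], ttl=1, now=0)   # expired long ago
    return {
        "doctor_adds_doctor": can_perform_function("tok-doc", "canAddDoctor", "b2b"),
        "doctor_views_device": can_perform_function("tok-doc", "viewDevice", "healthbit"),
        "helpdesk_resets": can_perform_function("tok-help", "resetPassword", "console"),
        "helpdesk_deletes": can_perform_function("tok-help", "deleteUser", "console"),
        "expired_token": can_perform_function("tok-old", "viewDevice", "healthbit"),
        "helpdesk_menus": visible_menus("tok-help", "console"),
    }


if __name__ == "__main__":
    print(demo())
```

The menu filter deliberately does not write audit entries, otherwise rendering one page would produce a dozen ALLOW records and bury the decisions worth reviewing; only real function calls are audited.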
DATA INTEGRATION
Internal Users - Corporate LDAP will Stay as System of Record
● Initial Data Load
● New Users & Updates
● Terminations
External Users - AE will Become System of Record
● Initial Data
● New Users
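An added example, not the deck's or the product's code, of the three internal-user flows above as one reconciliation pass: an initial load creates everyone, later runs pick up new hires and attribute changes, and anyone missing from the directory is treated as terminated. Externals, for which Authorized Enterprise is the system of record, are left alone. The user attributes, identifiers and in-memory stores are constructed; a real run would read the directory export and write the AE database.

```python
"""Reconcile a corporate LDAP export (system of record for internal users) into
the Authorized Enterprise user store. Constructed example with in-memory data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AeUser:
    uid: str
    email: str
    department: str
    enabled: bool = True
    source: str = "ldap"   # "ldap" for internal users, "ae" for externals owned by AE


def sync_from_ldap(ldap_entries, ae_store):
    """ldap_entries: list of dicts as exported from the directory.
    ae_store: dict uid -> AeUser, updated in place. Returns a change summary."""
    summary = {"created": [], "updated": [], "disabled": [], "unchanged": []}
    seen = set()
    for e in ldap_entries:
        uid = e["uid"]
        seen.add(uid)
        incoming = AeUser(uid, e["mail"], e["department"], True, "ldap")
        current = ae_store.get(uid)
        if current is None:
            ae_store[uid] = incoming          # initial load, or a new hire
            summary["created"].append(uid)
        elif current != incoming:
            ae_store[uid] = incoming          # attribute change, or re-enable on rehire
            summary["updated"].append(uid)
        else:
            summary["unchanged"].append(uid)
    # Terminations: internal users absent from LDAP are disabled, not deleted, so
    # their role history stays available to auditors. AE-owned externals are untouched.
    for uid, u in list(ae_store.items()):
        if u.source == "ldap" and uid not in seen and u.enabled:
            ae_store[uid] = replace(u, enabled=False)
            summary["disabled"].append(uid)
    return summary


def run_demo():
    """Two consecutive sync runs over constructed snapshots."""
    store = {"ext-4421": AeUser("ext-4421", "pat@example.com", "n/a", True, "ae")}
    day1 = [{"uid": "u1001", "mail": "u1001@gloco.example", "department": "IT"},
            {"uid": "u1002", "mail": "u1002@gloco.example", "department": "Sales"}]
    first = sync_from_ldap(day1, store)
    day2 = [{"uid": "u1001", "mail": "u1001@gloco.example", "department": "Security"},
            {"uid": "u1003", "mail": "u1003@gloco.example", "department": "IT"}]
    second = sync_from_ldap(day2, store)
    return store, first, second


if __name__ == "__main__":
    store, first, second = run_demo()
    print(first)
    print(second)
    print({uid: (u.enabled, u.source) for uid, u in store.items()})
```

Disabling rather than deleting on termination is what makes the "decrease account decommissioning time" metric auditable: the account stops working the moment the directory drops it, and the record of what it could do is still there for a HIPAA review.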
SOLUTION DEMONSTRATION (screenshots)
● Single Sign-On: during migration and consolidation vs. after migration and consolidation
● Password Self Service: during migration and consolidation vs. after migration and consolidation
● Integration and unified menu: current HealthBit website vs. after migration and consolidation
● Integration and unified menu: current Gloco B2B website vs. after migration and consolidation
● Integration and unified menu: current HealthCloud website vs. after migration and consolidation
RISK SUMMARY (impact, likelihood, mitigation plan)

Risk: Lost productivity due to uncertainty for customer service representatives
  Impact: High. Likelihood: High.
  Mitigation: Involve CSRs from the beginning and provide training and other career paths.

Risk: New user interface confusion, mostly around user login screens
  Impact: High. Likelihood: High.
  Mitigation: Roll out in a phased approach while learning from user feedback. Pay extra attention to usability and communication.

Risk: Application performance
  Impact: Medium. Likelihood: Low.
  Mitigation: Build redundant servers with load balancing. Do load testing to make sure performance meets expectations.

Risk: Task completion - some work could prove to be difficult and challenging
  Impact: High. Likelihood: Medium.
  Mitigation: Take a phased approach and create work in smaller chunks. Provide incentives.

Risk: AE software incompatible with an application
  Impact: High. Likelihood: Low.
  Mitigation: Confirm compatibility in the POC phase. Use web services directly if necessary.

Risk: Role and function mining - applications written in a way that makes it difficult to isolate roles and functions
  Impact: High. Likelihood: Medium.
  Mitigation: Devote a small team of developers to look at problem application code during the POC phase.
OPERATIONAL READINESS - COMPONENTS
Authorized Enterprise
● roles, functions, permissions, users
● role and policy modeling and export
● change workflow
Gloco Website
● software updates, patches
● FAQs, wiki, contact, issue tracking
OPERATIONAL READINESS - NEW ROLES
Role Analyst
● focal point for policy generation
● coordination between business units
● owner of change workflow
Role and Application Owners
● role membership, permissions
● functional abilities
OPERATIONAL READINESS - CUSTOMER SERVICE
● Currently three units, one for each application
● Stated goal: reduce account calls from 30% to 5%
● Stated goal: reduce the time of these calls by 25%
● Train a segment of CSRs in the Authorized Console
● Route user account calls appropriately
● Allow remaining CSRs to be application experts
● Reduce/repurpose CSR staff
OPERATIONAL READINESS - SLA
● 24/7 email and web support
● Critical - severe impact in production. 30 minute response and immediate resolution. 24/7 support.
● High - production severely reduced. 4 hour response. 12x7 support.
● Medium - partial, non-critical loss in production. 1 business day response. 8x7 support.
● Low - general question, future enhancement. 2-3 business days response. Resolved with patches or software updates.