Modernizing Authentication — What It Takes to Transform Secure Access
Healthcare and life sciences organizations are some of the biggest users of Big Data today. The industry is already beginning to enter the exabyte age. Chris Gladwin, founder of storage solutions company Cleversafe, indicates that organizations are already beginning to store data at the exabyte level. The industry will likely begin using up zettabytes in less than 10 years.
With this growth in data, two things have become extremely important to health and life sciences organizations: collaboration (including externalization) and the cloud. The two go hand in hand.
"If you're going to the cloud, are others going with you?" asked Sebastien Lefebvre, IT platform director of Research and Development for Biogen Idec, during a presentation at the recent Bio-IT World Conference in Boston. "If not, how will you [collaborate]?"
Cloud Security Concerns
Security is still a hurdle for health and life sciences organizations that remain concerned about the difficulties of data privacy in the cloud. While the HIPAA Omnibus Rule helped organizations overcome compliance fears by placing more legal burden on cloud providers, many remain unconvinced that the cloud can be secure enough for them.
John Quackenbush, a Harvard professor of bioinformatics, ridiculed the nephophobes, telling Bio-IT attendees in a keynote address that an on-premises data center "guarded by mall cops" is undoubtedly less secure than the data centers of a major cloud provider like Amazon. He even (only half-jokingly) speculated that Amazon's cloud data centers are guarded by "black helicopters." (After all, the company is apparently poised to deploy drones.)
Ensuring physical security of data centers can be an easy task – depending upon your resources. But what about protecting your data virtually – from hackers, disgruntled employees and ex-employees, or simply from collaborators who should not gain access to certain sensitive data? How do you enable truly secure cloud collaboration?
IAM 'Most Important' Challenge
"Our most important security challenge is identity and access management," Lefebvre told conference attendees.
Whereas prior years have seen lots of focus on subjects such as Big Data, storage and improved search capabilities, identity [and] access management ("IAM" for short) was one of the hottest topics at this year's Bio-IT World Conference – perhaps because the sector feels that most of its other externalization problems have been solved, perhaps because security issues have finally caught up with industry's gluttonous demands for Big Data accessibility, or perhaps because of a genuine lack of effective IAM solutions.
"[There are] very few solutions out there on IAM," Lefebvre said.
Despite (or, alternatively, because of) the putative veracity of Lefebvre's statements, on a trade show floor crowded with booths for cloud, hardware and analytics software businesses, one company – Exostar – stood out for its IAM, "SAM."
Originally formed in 2000 as a collaboration among major companies in the ultra-high-security aerospace and defense sector, Exostar went on to work with the highly-regulated financial services industry. Consequently, Exostar has plenty of experience with IAM in collaborative environments – dealing with compliance matters far more sensitive than those involved with HIPAA.
IAM on the Agenda
Exostar – in collaboration with BT's two-year-old global life sciences research and development cloud arm – is now working to solve cloud security pain points for life sciences companies.
"SAM" stands for Secure Access Manager. Entirely cloud-based, SAM offers turnkey readiness as a full-service authentication portal. With single sign-on (SSO) and other features, SAM presents secure collaborative access to Exostar's specialized Life Sciences Identity Hub and connected applications.
Jon Douglas, marketing director for Exostar, refers to this hub and its more than 500 users as a "community cloud." In speaking with eSecurity Planet, Douglas focused on the trust that is inherent in the term and how that trust is facilitated and managed by Exostar's SAM.
While Exostar's SAM "could be used just for SSO," said Douglas, it offers much more. Dubbing Exostar's offerings "second-factor-as-a-service," Douglas highlighted the multi-factor authentication services that Exostar provides, including one-time passwords, laptop tokens, video links, full-fledged background checks and even in-person authentication. Exostar customers have the option of having the company check with them on new authentications—or outsourcing all clearance processes to Exostar.
Additionally, levels of access can be leveraged via SAM to enforce digital rights management of an organization's intellectual property. This is a particularly important consideration in the health and life sciences sector now that relatively recent patent law reform has changed the US from a "first-to-invent" to a "first-to-file" jurisdiction.
Exostar is far from having a monopoly on cloud IAM – not even when it comes to the health and life sciences. Benjamin Breton, a bioinformatics software engineer at Good Start Genetics, pointed out to Bio-IT attendees in a detailed session on cloud deployment that Amazon Web Services has configurable IAM rules.
As well, numerous other organizations offer IAM frameworks for the health and life sciences sector, including Deloitte LLP and ForgeRock. The tranSMART Foundation, a non-profit organization enabling translational research collaboration among health and life sciences organizations, has IAM tools actively in development.
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.