In a recent post, I highlighted a new Oracle white paper entitled, “Protecting the Electric Grid in a Dangerous World,” which describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in the North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards.

An Oracle colleague asked appropriately, What about the oil and gas industry?  Isn’t this part of the energy industry also considered part of the critical infrastructure in the United States?  Isn’t the oil and gas industry vulnerable to cyber attack? Aren’t methods for protecting information assets in the oil and gas industry similar to those in the electrical distribution industry? 

The answer to each question is a resounding “Yes,” but with some differences. Let’s explore a bit of history and discuss the focus of Information Security in the Oil and Gas Critical Infrastructure. This post is longer than most of my blog posts, but I felt the length was justified to give a good overview of the topic.

Historical Perspective

The Federal Government official recognition of the vulnerability of critical infrastructure in the US began with the Presidential Decision Directive NSC-63 on Critical Infrastructure Protection, signed by Bill Clinton on May 22, 1988.  The executive summary of that directive reads in part:

The United States possesses both the world’s strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation’s critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failure, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

The Homeland Security Presidential Directive – HSPD-7 – entitled “Critical Infrastructure Identification, Prioritization, and Protection", signed by President George W. Bush, on December 17, 2003, served to amplify the focus and attention on Critical Infrastructure Protection.

Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

In response to this directive, seventeen CIP sectors of national importance were specified:

1. Information technology
2. Telecommunications
3. Chemicals
4. Transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems
5. Emergency services
6. Postal and shipping services
7. Agriculture, food (meat, poultry, egg products)
8. Public health, health care, and food (other than meat, poultry, egg products)
9. Drinking water and waste water treatment systems
10. Energy, including the production refining, storage, and distribution of oil and gas, and electric power
11. Banking and finance
12. National monuments and icons
13. Defense industrial base

The US Department of Energy (DOE) bears responsibility for leadership of the Energy sector, encompassing  the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities.  DOE responsibilities in this sector include:

• collaboration with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
• conducting or facilitating vulnerability assessments of the sector; and
• encouraging risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

In June 2006, the U.S. Department of Homeland Security (DHS) announced completion of the National Infrastructure Protection Plan (NIPP) Base Plan, including a sector-specific plan for the Energy Sector.  The Vision statement for the energy sector stated:

The Energy Sector envisions a robust, resilient energy infrastructure in which continuity of business and services is maintained through secure and reliable information sharing, effective risk management programs, coordinated response capabilities, and trusted relationships between public and private security partners at all levels of industry and government.

Relevant Systems

The following diagrams included in the Energy Sector plan highlight the components in the relevant systems addressed by this sector.  Each of these sectors is highly dependent of information systems to administer and control complex, interconnected systems.

The descriptions accompanying each diagram came from the National Infrastructure Protection Plan (Energy Sector).

The electrical distribution grid

The U.S. electricity segment contains more than 5,300 power plants with approximately 1,075 gigawatts of installed generating capacity. Approximately 49 percent of electricity is produced by combusting coal (primarily transported by rail), 19 percent in nuclear power plants, and 20 percent by combusting natural gas. The remaining generation is provided by hydroelectric plants (7 percent), oil (2 percent), and by renewable (solar, wind, and geothermal) and other sources (3 percent). Electricity generated at power plants is transmitted over 211,000 miles of high-voltage transmission lines. Voltage is stepped down at substations before being distributed to 140 million customers over millions of miles of lower voltage distribution lines. The electricity infrastructure is highly automated and controlled by utilities and regional grid operators using sophisticated energy management systems that are supplied by supervisory control and data acquisition (SCADA) systems to keep the system in balance.

 The Petroleum System

The petroleum segment entails the exploration, production, storage, transport, and refinement of crude oil. The crude oil is refined into petroleum products that are then stored and distributed to key economic sectors throughout the United States. Key petroleum products include motor gasoline, jet fuel, distillate fuel oil, residual fuel oil, and liquefied petroleum gases. Both crude oil and petroleum products are imported, primarily by ship, as well as produced domestically. Currently, 66 percent of the crude oil required to fuel the U.S. economy is imported. In the United States, there are more than 500,000 crude oil-producing wells, 30,000 miles of gathering pipeline, and 51,000 miles of crude oil pipeline. There are 133 operable petroleum refineries, 116,000 miles of product pipeline, and 1,400 petroleum terminals. Petroleum also relies on sophisticated SCADA and other systems to control production and distribution; however, crude oil and petroleum products are stored in tank farms and other facilities.

The Flow of Natural Gas

Natural gas is also produced, piped, stored, and distributed in the United States. Imports of liquefied natural gas (LNG) are increasing to meet growing demand. There are more than 448,000 gas production and condensate wells and 20,000 miles of gathering pipeline in the country. Gas is processed (impurities removed) at over 550 operable gas processing plants and there are almost 302,000 miles of interstate and intrastate pipeline for the transmission of natural gas. Gas is stored at 399 underground storage fields and 103 LNG peaking facilities. Finally, natural gas is distributed to homes and businesses over 1,175,000 miles of distribution pipelines. The heavy reliance on pipelines highlights the interdependency with the Transportation Sector and the reliance on the Energy Sector for power means that virtually all sectors have dependencies with the Energy Sector.

Interdependencies across the economy

Although the electricity, oil and gas sub-sectors are complex in and of themselves, we must also recognize that these systems interact with other key CIP sectors.  The networked connectivity among these sectors amplifies increases the probability of an attack in one sector to directly affect multiple other sectors.

It is interesting to note that even small and medium size U.S. companies included in this interconnected network:

…  are more and more exposed to cyber threats from organized crime, foreign intelligence services, and probably terrorist organizations; 85 percent of U.S. critical infrastructure is owned and operated by private companies — and these companies are especially vulnerable to determined attacks which may ruin or seriously disrupt company operations.… (source: Homeland Security Newswire: “Cyber threats now targeting traditional companies”)

In recognition of the importance of addressing information security issues, the Energy sector plan states:

Today’s developing “information age” technology has intensified the importance of CIP, in which cyber security has become as critical as physical security to protecting energy CI/KR. The Energy Sector has rapidly responded to the increasing need for enterprise-level physical and cyber security efforts and business continuity plans. Voluntarily conducted vulnerability assessments have not only improved sector security but have also demonstrated industry commitment to a secure and resilient Energy Sector. Many asset owners and operators conduct self-assessments or contract with third parties to perform energy vulnerability assessments and implement protective programs at their facilities.

Specific efforts to address information security in the Electricity subsector include:

NERC has developed Cyber Security Standards CIP-002 through 009,37 which have been filed with FERC for approval and address the following requirements:

• Data and information classification according to confidentiality
• Identification and protection of cyber assets related to reliable operation of the bulk electric systems
• Process control, SCADA, and incident reporting

NERC’s CIPC has issued a summary of several electric power vulnerability assessment methodologies, including a variation of DOE’s Vulnerability and Risk Analysis Program methodology, in a suite of potential vulnerability assessment tools that electric power companies should consider using.

Specific work to address information security in the Oil and Natural Gas subsectors include:

Establishing goals for vulnerability identification, detection and response:

• Assess  security vulnerabilities at single-point assets such as refineries, storage terminals, and other buildings, as well as networked features such as pipelines and cyber systems and
• Work toward resilient and secure cyber networks and SCADA systems to detect and respond to cyber attacks.

The AGA, the Interstate Natural Gas Association of America (INGAA), and APGA worked together to develop and release Security Guidelines: Natural Gas Industry, Transmission and Distribution. These guidelines provide an approach for vulnerability assessment, a critical facility definition, detection/deterrent methods, response and recovery guidance, cyber security information, and relevant operational standards. The industry security guidelines incorporate a risk-based approach for natural gas companies to consider when identifying critical facilities and determining appropriate actions, and are based on the DHS Homeland Security Advisory System (HSAS). The TSA, along with the PHMSA, is currently conducting onsite reviews based on these guidelines.

Importance of Energy Sector

So, just how important is the Energy Sector as a Critical Infrastructure? Though somewhat outdated, the 2006 DCSINT Handbook No. 1.02,  Threats and Terrorism states:

Energy is the infrastructure that supplies the driving force in most of American life today. Energy of some kind heats our homes, moves us for one point to another and drives our businesses and industry. The energy sector is critical to the well being of our economy, national defense and quality of life. The sector is divided into to areas, electricity and oil/natural gas. Electricity is required to operate and maintain homes, hospitals, schools, businesses and industrial plants; it is also necessary to refine oil. Disruption of electrical flow or a power grid would impact the economy and defense as well as response and recovery. Natural Gas consists of three major components: exploration and production, transmission, and distribution, with the U.S. producing 20% of the world’s natural gas supply. Oil’s infrastructure consists of five components: production, crude oil transport, refining, product transport and distribution, and control and other external support systems. The thousands of miles of pipelines offer an endless list of targets for terrorist attacks, and during transport there are opportunities for impacting more than one critical infrastructure. Over 43% of the total U.S. oil refining capacity is clustered along the Texas and Louisiana coasts. This area is subject to natural attacks as well as those of terrorists.

…

Recently the oil industry occupied the headlines, and the criticality of this infrastructure is not lost on terrorists. In mid-December 2004, Arab television aired an alleged audiotape message by Usama bin Laden in which he called upon his followers to wreak havoc on the U.S. and world economy by disrupting oil supplies from the Persian Gulf to the United States. The U.S. uses over 20.7 million barrels a day of crude oil and products and imports 58.4% of that requirement. On 19 January 2006 al-Qaeda leader Osama bin Laden announced in a video release that, “The war against America and its allies will not be confined to Iraq…..”, and since June of 2003 there have been 298 recorded attacks against Iraqi oil facilities. Terrorists conduct research as to the easiest point to damage the flow of oil or to the point where the most damage can be done.

Scenarios involving the oil fields themselves, a jetliner crashing into the Ras Tanura
facility in Saudi Arabia could remove 10 percent of the world’s energy imports in one
act. Maritime attacks are also option for terrorists; on October 6, 2002 a French tanker carrying 397,000 barrels of crude oil from Iran to Malaysia was rammed by an explosive laden boat off of the port of Ash Shihr, 353 miles east of Aden. The double-hulled tanker was breached, and maritime insurers tripled the rates. Energy most travel often long distances from the site where it is obtained to the point where it is converted into energy for use, a catastrophic event at any of the sites or along its route can adversely impact the energy infrastructure and cause ripples in other infrastructures. The security of the pipeline in Alaska increases in importance as efforts are made to make America more independent on energy use.

Securing Information and Control Systems

Of course, the business of oil and gas production and distribution relies heavily on security information management systems, the systems which control energy production and distribution represent widely points of access for potential cyber attacks.

In a report entitled, “21 Steps to Improve Cyber Security of SCADA Networks,” the US Department of Energy stressed the importance of security in control systems:

The U.S. energy sector operates the most robust and reliable energy infrastructure in the world. This level of reliability is made possible by the extensive use of Supervisory Control and Data Acquisition (SCADA), Distributed Control System (DCS), and other control systems that enable automated control of energy production and distribution. These systems integrate a variety of distributed electronic devices and networks to help monitor and control energy flows in the electric grid and oil and gas infrastructure.

Automated control has helped to improve the productivity, flexibility, and reliability of energy systems. However, energy control systems communicate with a multitude of physically dispersed devices and various information systems that can expose energy systems to malicious cyber attacks. A successful cyber attack could compromise control systems and disrupt energy networks and the critical sectors that depend on them.

Securing control systems is a key element in protecting the Nation’s energy infrastructure. The National Research Council identified "protecting energy distribution services by improving the security of SCADA systems" as one of the 14 most important technical initiatives for making the nation safer across all critical infrastructures.

In addition, the National Strategy to Secure Cyberspace states that "securing DCS/SCADA is a national priority".

Athough the NERC CIP standards apply specifically to electricity generation and distribution, the major categories could just as well apply to the Petroleum and Natural Gas subsectors:

1. Identification and documentation of the critical cyber assets associated with the critical assets that support the reliable operation of the [oil or gas distribution system].
2. Minimum security management controls in place to protect critical cyber assets.
3. An appropriate level of personnel risk assessment, training, and security awareness for personnel having authorized cyber or unescorted physical access to critical cyber assets, including contractors and service vendors.
4. Identification and protection of the electronic security perimeter(s) inside which all critical cyber assets reside, as well as all access points on the perimeter.
5. Implementation of a physical security program for the protection of critical cyber assets.
6. Defined methods, processes, and procedures for securing those systems determined to be critical cyber Assets, as well as the non-critical cyber assets within the electronic security perimeters.
7. Identification, classification, response, and reporting of cyber security incidents related to critical cyber assets.
8. Recovery plans for critical cyber assets that follow established business continuity and disaster recovery techniques and practices.

Recognized best practices for data security that are aligned with and answer the demands of these requirements include:

1. Critical asset identification and documentation.
2. Data classification.
3. Encryption of data at rest and in transit.
4. Data masking to hide information, for example, in test and development environments.
5. Access control to assure robust identification, authentication and authorization of system users.
6. Separation of duties to define administrative roles according to need.
7. Privileged user access control, closely tied to separation of duties, allows administrators only that access required to perform their jobs.
8. Database access monitoring, alerting and reporting.
9. Change control and configuration management.
10. Audit controls for all security processes.

Oracle Data Security Solutions

Oracle provides a wide range of information security products to meet the needs of industry requirements and information security best practices, including:

1. Encryption (for data at rest and in transit)
2. Data Masking
3. Privileged Database User Access Control
4. Identity and Role Administration
5. Access Control
6. Audit and Compliance Management
7. Label Security
8. Information Rights Management

In addition, complementary products from other vendors can be combined with the Oracle suite of products to implement a Defense-in-Depth Critical Infrastructure Protection security strategy strategy for the oil and gas industries.

Phew!  That’s a lot of information from many sources.  I hope you find this helpful.

A partial list of sources I used:

1. Oracle White Paper: Protecting the Electric Grid in a Dangerous World
2. Energy: Critical Infrastructure and Key Resources Sector-Specific Plan as input to the National Infrastructure Protection Plan (Redacted)
3. North American Energy Reliability Corporation (NERC)
4. NERC Critical Infrastructure Protection (CIP) cyber security standards
5. Presidential Decision Directive NSC-63 on Critical Infrastructure Protection
6. Homeland Security Presidential Directive – HSPD-7
7. DHS Sector-specific plan for the Energy Sector
8. National Infrastructure Protection Plan (Energy Sector)
9. DCSINT Handbook No. 1.02,  Threats and Terrorism
10. 21 Steps to Improve Cyber Security of SCADA Networks
11. National Strategy to Secure Cyberspace (February 2003)

Thanks for getting this far!  If you have any input or suggestions, please submit a comment or drop me an email.

When I woke up this morning, I read an intriguing tweet from my son Eric, who lives about a mile away from our house:

“Power has been out for 30 minutes. We have like 15 candles lit… And it’s starting to heat up.”

Well, for young Eric and his wife, a temporary power outage might be a romantic diversion, but we are all tremendously dependent upon available, reliable electricity distribution.  We simply expect the lights to go on when we flip a switch or power our laptops when we plug them in.

In order for that to happen, the national electrical grid or Bulk Electrical System (BES) must reliably carry energy from generating plants to our homes and places of business.  We have grown to rely on that happening, 24x7x365.

However, according to a new white paper published by Oracle,

“there is mounting evidence that North America’s bulk power systems are dangerously exposed to threats from both within and abroad.” 

A few warning signs include:

• In June 2007, the Department of Homeland Security (DHS) leaked a video that showed how researchers launched a simulated attack that brought down a diesel electrical generator, leaving it coughing in a cloud of smoke, through a remote hack that was dubbed the Aurora vulnerability.
• In January 2008, a CIA analyst revealed that a number of cyber attacks had cut power to several cities outside the U.S.
• In May 2008, the Government Accountability Office (GAO) issued a scathing report on the number of security vulnerabilities at the Tennessee Valley Authority, the nation’s largest public power company.
• In April 2009, The Wall Street Journal reported, according to unnamed current and former national security officials, that Russian and Chinese attackers penetrated the U.S. power grid, installing malware that could potentially be used to disrupt delivery.
• In July 2009, NERC CSO Michael Assante told the House subcommittee on Emerging Threats, Cyber security, and Science and Technology, “Cyber threats to control systems are

In response to these and other conditions:

”the federal government has responded to this threat with a set of security standards for protecting cyber assets that comprise the BES, and set an aggressive schedule for mandatory compliance, beginning in 2007, with all covered entities required to be in ‘audit compliance’ by June 2010. Non-compliance could cost power companies up to $1 million per day in penalties.

“The North American Energy Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) cyber security standards, mandated through the approval of the Federal Energy Regulatory Commission (FERC), provide a broad, though not very prescriptive guide to implement a comprehensive cyber security program, stressing responsibility and accountability for protecting the organization’s critical assets.”

The new Oracle white white paper, entitled, “Protecting the Electric Grid in a Dangerous World,” describes how Oracle Identity Management solutions and the Oracle data security portfolio offer an effective, defense-in-depth security strategy to help meet this challenge, playing a key role in NERC CIP compliance, security and efficient use of resources.

Identity Management:

“Oracle Access Manager, Oracle Identity Manager, Oracle Identity Analytics and other products in the suite of Oracle Identity Management solutions provides application and system-level security, giving power providers and distributors the tools to create sustainable, manageable and auditable controls over access to their critical assets. Identity management and access control are essential components in CIP-003, CIP-004, -005, -006, -007, and are applicable in -008, -009.”

Data Security:

“Oracle’s comprehensive data security portfolio, including Oracle Advanced Security, Oracle Data Masking, Oracle Database Vault, Oracle Label Security and Oracle Audit Vault, allow managing critical information throughout the data protection lifecycle by providing transparent data encryption, masking, privileged user and multi-factor access control, as well as continuous monitoring of database activity. Database security, especially data access controls and privileged user management are essential in CIP–003, -004, -005, -006, -007, -008 and -009.”

It’s great to be a associated with a company whose products can play a major role in the protection of our electrical grid upon which we depend so much.

However, I must admit, lighting a few candles after dark may be enjoyable as well!

PS:  The grid map shown above comes from an interesting interactive map on the NPR.org website.  Enjoy!

I had a conversation with a colleague this morning about the tension between two sales approaches:

1. Focusing on business value derived from implementation certain technology
2. Focusing on technical capabilities (AKA speeds and feeds) of certain technology

Our unified position was that the the second position only really made sense if aligned with the first.  Technology by itself is certainly interesting, but in real world markets, it is becoming increasingly difficult to justify purchase of any technology unless it is very clear how that technology can deliver business value.

Therefore I spend most of my time focused on the business value of various Identity and Security technologies, rather than the technical details of how they are implemented.  Unless we can really make a positive impact on the business whom buy our products and services, our market is not sustainable.

My former Sun colleague Brad Wheat just alerted me about an interesting service from Acxiom, “Identity-X Authenticate”:

According to Acxiom’s brief product description:

Verification is the process of substantiating that someone is in fact who he says he is, and verifying the validity of the information he has provided as authentic or genuine. Often times this is the first step in a risk management strategy. The Acxiom Identify-X Authenticate process uses unique data generated questions to identify an individual and then verifies these individuals through our high quality database, offering greater security to the end user.

Acxiom’s identification platform utilizes demographic and geographic data in challenge questions with nearly 900 data elements for more than 300 million individuals. Identify-X Authenticate data comes from public, publicly available and non-public proprietary databases. Identify-X Authenticate data is current and regularly updated daily, weekly and monthly, depending upon the data source.

Reading further in the product fact sheet, I discovered:

Examples of some of the data generated questions that Acxiom uses include:

• Based on your driver’s license do you wear corrective lenses?
• What professional licenses do you hold?
• What subdivision do you currently reside in?
• What state does your relative Joe live in?
• How many fireplaces did you have in your last residence?

Acxiom claims to leads the industry with a collection of more than 115 unique authentication
questions.  I didn’t realize I knew that many answers myself!

When I visited the Acxiom corporate headquarters in Arkansas about a dozen years ago, they claimed to have data on 95% of the population of the United States.  I think the coverage has grown in both depth and breadth by now.

This approach to authentication both encourages and unnerves me.  On one hand, it appears to be an effective method to reduce fraudulent access to information and systems.  On the other hand, it is more than a bit scary to realize that all this information about individuals resides in a single private database.

I just wonder … do they know what injury nearly killed me when I was four years old?  Do you? Do you care?

Dave Kearns indentified three separate focus areas for Identity and Cloud Computing in his Network World post today:

Identity-in-the-cloud, or Identity as a Service:

IdM services such as provisioning, governance, role management, compliance, etc. are hosted "in the cloud."

Identity-for-the-cloud:

Provisioning services for cloud apps provided by traditional, on-premise, provisioning vendors as well as other identity services (privileged user management, compliance, etc.) extended to the cloud from your data center.

Meshed, or integrated, on-premise/in-the-cloud:

Linking on-premises Identity Management infrastructure and cloud identity data from cloud-hosted applications.

More than anything, this points out that Identity Management and Cloud Computing is a multi-faceted issue.  “Cloud” may refer to where the Identity Management services are hosted, as well as where the applications reside that consume Identity Management services – or a combination of both.

Certainly worth further exploration.

I dedicate a column in my laptop TweetDeck application to the search term “Identity Management.”  It is enjoyable to scroll through now and then to see what folks have to say about this important topic.   Tonight, I was intrigued by a tweet from @susanguarneri “Online Identity Management: Get Found! http://bit.ly/djdFRm”.

It was interesting to find that Susan Guarneri, AKA the Career Assessment Goddess, defines Identity Management this way:

“Online identity management is career management for the employed and unemployed. Online identity management is also business management, particularly if your small business centers on you. Rather than waiting and hoping that your career or business future plays out successfully, why not take back control? Find out how you can get found online, differentiate yourself, and stand out positively from your competition.”

That is quite a bit different than what Wikipedia’s definition:

“Identity management or ID management is a broad administrative area that deals with identifying individuals in a system (such as a country, a network or an organization) and controlling the access to the resources in that system by placing restrictions on the established identities.”

It all goes to show how different perspectives may yield different definitions.  To Susan, Identity Management is all about taking control of one’s personal Identity in cyberspace.  To the unknown Wikipedia author (by the way, that article is begging for a re-write), Identity Management is all about some organization controlling the Identities of others.

Both are valid viewpoints.  It just pays to understand the perspective of each user of a phrase before passing judgment.

My blogging efforts have been on an extended hiatus recenlty as I have focused on becoming familiar with the new Oracle landscape.  Perhaps there is no better way to return to the blogosphere than to announce the winner of the Sun VBOF Stork naming contest.

A bit of explanation is in order …

In December and January, I hosted a short-lived series of “Virtual Birds of a Feather” (VBOF) sessions, held via teleconference and Webex.  These sessions, which were open to Sun employees and SI partners, covered such interesting topics as:

• Identity Roles and Personae
• Current Trends and Issues around Entitlements Certification
• Identity and Access Management in Cloud Computing

We had people from literally around the world participating in these live sessions, and collectively learned much through cooperative discussion of Identity Management topics.

As I was searching for an appropriate artwork to use for VBOF presentations, I stumbled across a photo of a gallant old stork in the Sun artwork collection.  We adopted the old bird as the VBOF mascot and launched a little election to determine what to name him.

The winning name was nominated by Dr. Rene Klomp, Senior Solution Architect  from the Netherlands, who suggested that Apollo is:

“God of the Sun, who had an Oracle in Delphi. Also ‘Apollo’ can be read ‘a pollo’ which means ‘a chicken’ which is of course a virtual stork! Oh well, they’re both birds so what the heck.  Last but not least, Apollo took us to the moon, which gives us light after the Sun has set.”

Today, I finally received a photo of Rene wearing the one and only Apollo/VBOF shirt, which he received as winner of our little contest.

Congratulations to Rene for both nominating the winning name and wearing the shirt so stylishly!

I don’t know yet whether we’ll revive the VBOF concept within Oracle, but if we do, I’m sure Apollo the VBOF Stork will be waiting in the wings.

To support recent discussions about Identity Management and Cloud computing, I divided the types of Identity Services that might be needed to support Application services into three major categories as shown in the following diagram and explained in a bit more detail below:

The specific services provided in each category could include:

Identity Administration Services

• Create, update, delete identities
• Password/credential management
• Entitlement definition/management
• Provision/de-provision access privileges
• Role engineering/management
• Policy definition/management

Identity Enforcement Services

• Authentication
• Authorization
• Access control
• Federation
• Web services security

Identity Audit Services

• Reporting
• Evaluation
• Attestation
• Validation
• Remediation

Did I miss any services that you think should be present?  Any input on the categories or types of services?  Any input or criticism would be most welcome.

The following chart may be helpful as we consider the different types of users that should be addressed by Identity and Access Management (IAM) technology and processes in cloud computing.

At the Platform as a Service (PaaS) and Infrastructure as a Service (IaaS) layers, the only users are administrators of the platform or infrastructure services, respectively.  However, these administrative users may be either on the provider side or on the recipient or enterprise side.  End users, whether within the enterprise (employees or contractors) or external to the enterprise (customers and partners), only exist at the application layer or Software as as Service (SaaS) layer.

This illustrates how cloud computing introduces increased complexity into IAM. Not only do the different layers (PaaS, IaaS and SaaS) have unique requirements, but multiple organizations (e.g. provider and enterprise) need to be considered.

For example, the nature of PaaS services will require provider administrators to have root access to the operating system, while enterprise administrators at the SaaS level may only need access to application configuration functions and external SaaS users only need to access to selected application functions.

Hopefully, this provides food for thought as we explore IAM in cloud computing.  I’d be grateful to hear your comments.

Last Thursday, January 21st, I gave a presentation at the Sun Horizons conference, “Healthcare Integration Through a New Perspective.”  The title of my talk was “Identity Management: Securing Information in the HIPAA Environment.”  I explored how the complementary functionality of Identity Management and Master Patient Index technologies can enable effective Patient Consent Management, a vital requirement for online health information networks.

A copy of my presentation deck is available for download here.

At the heart of my the presentation was the following diagram, which illustrates major components required in a Patient Consent Management system:

A brief explanation of key components follows:

Identity and Role Repository

IAM technology and methods provide the foundation for an effective patient consent management system.  An Identity and Role Repository contains Identities, roles and access control credentials necessary to support the consent system.  This repository includes:

• Patients
• Providers
• Access Rights
• Roles (map business responsibilities to access rights)
• Override Rights (Only users with specific roles can perform override without consent)

Consent Registry

A consent registry is required to specify what permissions have been granted by patients, within the allowable limits specified by each applicable jurisdiction.   Some of the key attributes include:

• Consent Permissions for
• Patients
• Organizations
• Users
• System-wide mask (everyone)
• Fine gained access
• Include or exclude attributes
• Accommodation for multiple jurisdictions

Master Patient Index

A Master Patient Index enables correlation of patient data across multiple repositories.  This is essential because patient records are typically help in multiple locations.  In other cases, if patient records exist in the same physical data warehouse, they are often logically separated. 

Federated Data Access

If patient data is located in physically or logically separate locations, Federated data access controlled allows access across domain boundaries without compromising the privacy or integrity of individual patient record repositories.

Data Access Services

By providing a set of centralized data access services governed by IAM, the Consent Registry and the Master Patient Index, a secure method of patient data access is possible.