Friday, January 25, 2013

Are you prepared for a software license audit?

Are you expecting a software license audit in the coming year? Are you concerned that the number of licenses you have purchased deviates greatly from the number of software applications actually used? If you do not have a good overview of the correlation between purchased and actually used licenses, your organization runs the risk of incurring a substantial fine. Added to which, your software costs may turn out higher than necessary because of some licenses not being used at all.

The latter is a common problem for many companies, and occurs when new employees enter service and the privileges of employees in similar functions are copied to their user accounts. This often includes rights to applications the new employee does not actually require. In other cases, temporary access rights to applications that employees need for a particular project are not revoked once the project has been completed. Even worse, the accounts of employees who have left the organization are not terminated. As you can see, there are plenty of reasons why the number of licenses actually used might not match the number of licenses purchased.

So how can you solve this problem and manage your license costs more effectively to be better prepared for future software license audits? Tools4ever offers various options:

  • Automated user provisioning & role-based access control: Using the HR system as the source system for creating, modifying and removing user accounts and authorizations, employees can be assigned temporary access to the network and the applications they need. In the licensing context, this also ensures that the rights of former employees are revoked in a timely fashion. Combined with Role Based Access Control (RBAC) – a solution that lets you assign rights based on the role or title of employees – rights will only be assigned once a consensus has been reached on the applications that employees actually require for their daily work.
  • Real Use Dashboard: Tools4ever provides IT managers, systems administrators and application administrators with a dashboard that lists the number of times an application has been launched by an employee, the number of minutes the application has been used as well as the idle time in minutes. If an application remains unused for a long period, the application can be revoked or the user can be given a warning. The total license costs and the status of used applications can be mapped out using an interface with a facility management system or IT service management system.
  • Passive auditing: UMRA offers an option to periodically send managers an overview of the rights and applications to which the manager's team has access. This reporting can take place, for instance, once a quarter or once a year ahead of the software license audit. Managers can conveniently check whether everything is in order and give their approval. They can also make changes that will be implemented automatically.
To make a long story short, if you are expecting a software license audit in the near future and want to prevent fines or cut your license costs, make sure to take the correct precautions. For more information, please visit our website.
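The three comparisons this post describes (licenses purchased versus licenses assigned, assigned licenses that sit idle according to launch and usage data, and application use by accounts that hold no license at all) can be expressed as a small reconciliation routine. The following is an added example, not Tools4ever code and not the Real Use Dashboard itself; the application names, user names, usage figures and the 90-day idle threshold are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class UsageRecord:
    """One row of usage telemetry per (user, application): constructed sample shape."""
    user: str
    app: str
    launches: int
    minutes_used: int
    last_launch: Optional[date]  # None if the application was never launched


# Constructed sample data; none of this comes from a real environment.
PURCHASED: Dict[str, int] = {"ehr-viewer": 3, "report-builder": 2}

ASSIGNED: Dict[str, Set[str]] = {
    "ehr-viewer": {"alice", "bob", "carol", "dave"},   # four assigned, three bought
    "report-builder": {"alice", "erin"},
}

USAGE: List[UsageRecord] = [
    UsageRecord("alice", "ehr-viewer", 120, 5400, date(2013, 1, 24)),
    UsageRecord("bob", "ehr-viewer", 3, 40, date(2012, 9, 1)),       # not used for months
    UsageRecord("carol", "ehr-viewer", 0, 0, None),                   # never launched
    UsageRecord("dave", "ehr-viewer", 45, 2100, date(2013, 1, 10)),
    UsageRecord("frank", "ehr-viewer", 7, 300, date(2013, 1, 20)),    # uses it, holds no license
    UsageRecord("alice", "report-builder", 10, 600, date(2012, 12, 20)),
    UsageRecord("erin", "report-builder", 1, 5, date(2012, 6, 15)),
]


def reconcile(purchased: Dict[str, int], assigned: Dict[str, Set[str]],
              usage: List[UsageRecord], today: date, idle_days: int = 90) -> Dict[str, dict]:
    """Compare purchased, assigned and actually used licenses per application.

    For each application the report lists: how many licenses were bought, how many
    are assigned, the over-deployment (assigned beyond what was bought), the assigned
    users whose last launch is older than idle_days (or who never launched), the users
    seen in usage data without an assignment, and whether reclaiming the idle
    assignments would bring the application back within the purchased count.
    """
    cutoff = today - timedelta(days=idle_days)
    last_seen: Dict[tuple, Optional[date]] = {(u.user, u.app): u.last_launch for u in usage}
    users_seen: Dict[str, Set[str]] = {}
    for u in usage:
        users_seen.setdefault(u.app, set()).add(u.user)

    report: Dict[str, dict] = {}
    for app, users in assigned.items():
        idle = sorted(
            u for u in users
            if last_seen.get((u, app)) is None or last_seen[(u, app)] < cutoff
        )
        bought = purchased.get(app, 0)
        after_reclaim = len(users) - len(idle)
        report[app] = {
            "purchased": bought,
            "assigned": len(users),
            "over_deployed": max(0, len(users) - bought),
            "idle": idle,
            "unassigned_users": sorted(users_seen.get(app, set()) - users),
            "after_reclaim": after_reclaim,
            "compliant_after_reclaim": after_reclaim <= bought,
        }
    return report


if __name__ == "__main__":
    for app, row in reconcile(PURCHASED, ASSIGNED, USAGE, date(2013, 1, 25)).items():
        print(app, row)
```

Run as a script it prints one row per application; the idle list is the set of assignments a manager would be asked to confirm or revoke, and the unassigned list is the usage that an auditor would count as unlicensed regardless of how many seats are on paper.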

Friday, January 18, 2013

Bring Your Own Device and Security

As the trend of bring your own device (BYOD) continues to gain traction in the corporate world, the education sector, especially colleges and universities, has been dealing with this concept for years. Their experiences can certainly lend ideas to the business world in securing the devices and the network.
The following are some ideas and suggestions to ensure a safe BYOD environment:
  • Limit the types of devices allowed. Instead of trying to have the IT group support everything under the sun, provide guidelines to employees on the types of devices that will be supported under a BYOD policy.
  • Register the device's MAC address and/or NetBIOS name. Instead of making this a burden on the IT staff, put up a website on the intranet with very detailed instructions and require end users to register and secure their devices.
  • Require up-to-date virus protection software. Most companies purchase bulk licenses for anti-virus programs, and requiring end users to have the latest versions on their devices is an important aspect of security.
  • Require users to set passwords / lock screens or hard drive encryption, if applicable, on devices to ensure that a lost or stolen machine will not result in access to potentially sensitive data.
  • Shut access off immediately upon termination. Make sure that when an employee leaves, their network accounts are disabled and email accounts are locked immediately. Removing the device profile is also important to prevent access to company wireless networks.
The reasons for getting in on the BYOD trend are numerous and provide a definite benefit to the company, including:
  • Lowering hardware costs. Employees bring their device and are responsible for any upgrades or maintenance on their devices.
  • Lower software costs. Corporations are no longer on the hook for massively time consuming and expensive OS rollouts. 
  • Encourages work after hours. Employees are more likely to check email or perform other work if they have the ability to access the information on their personal devices.
In general, the BYOD trend is here to stay and will likely escalate as tablets, smartphones and other devices perform more like the desktops of old. For more information on setting up a system to ease the transition from company-owned devices to employee-owned ones, please visit our website.

Friday, January 11, 2013

Two Proven Methods to Increase Network Security and Productivity

In today’s healthcare environment, two of the primary technology focuses are on increasing network security by restricting access to data and applications, as well as increasing employee productivity by deploying user friendly solutions. Several technologies are rapidly being adopted by healthcare providers to assist in these arenas.

In reference to the security component, employees need to be given the correct security permissions based on their job roles. Ensuring that employees have the proper access rights greatly improves security, though doing so requires setting controls that can take the IT department months to implement.

Consider using a role based access control (RBAC) solution to assist with this process. The RBAC matrix is populated with departments, titles, locations and other pertinent information. This allows for a proven methodology to define which employee should have access to what applications and data.

In many cases it is feasible to populate much of the required data by taking an extract from the HR application. Additional extracts from Active Directory, Lightweight Directory Access Protocol (LDAP) directories and other healthcare systems can provide a snapshot of the way access is currently configured. Reviewing this data and finding employees with appropriate access, in each role, can be the basis for propagating that access to other employees in that role. An access request system can ensure that any deviations from the norm are approved by the appropriate managers and system owners.

As a prerequisite for an RBAC implementation, it is critical that each user have an individual network account. A common practice in healthcare is the use of shared accounts: nurses or clinicians log into a shared workstation with a generic account and access any number of applications. Occasionally, these applications, such as EHRs, will require a second set of credentials, but employees often use a shared account for that access as well.

This makes it difficult to determine who viewed what data and when. An identity management solution, often linked with the HR system, provides an easy answer to creating individual user accounts and can ensure they are kept up to date with any changes in titles and departments, for example, thus ensuring access is modified when appropriate. Employee departures, also reflected in the HR system, can easily be detected to ensure all network and application access is revoked in a timely fashion.

One downside of switching to individual accounts is that employees will now need to remember credentials (user names and passwords) for a multitude of systems. A recent survey found that the average clinician spends nearly 10 minutes a day logging in and out of applications. When coupled with the need to remember six or eight sets of credentials, tremendous productivity gains can be achieved by reducing or eliminating these factors. Implementing a Single Sign On (SSO) application in conjunction with Fast User Switching is a cost-effective approach to resolving this potential downside.

Single sign on allows users to log in once to the network; all of their authorized application credentials are cached and provided on an as-needed basis. While on the surface this seems to present a security risk, a concept known as strong authentication (for example, providing a piece of information you know, like a PIN code, together with something you have, like a card to scan) can mitigate the risk. Using an access card, likely the same one used for time and attendance or building security, users can log into computers by presenting the card and entering a PIN code, much like using an ATM. Removal of the card can force an immediate log out of all applications and closes the network session.

Fast user switching takes this concept one step further. Imagine a resident making rounds, logging into several computers, usually the closest one to a patient’s room. Fast user switching allows the resident to utilize her access card and PIN code to access the machine and any open applications previously used are immediately available to her, at the same point as when closing out of the last machine. A similar solution is available for the Citrix and Microsoft terminal services environment and is commonly referred to as “Follow Me.”

In summary, using individual network accounts and defining access to systems and data using an RBAC matrix increases the overall security of the hospital information systems, while using an SSO solution allows users to painlessly access the network and have more productive time for patient care.

For more information, please visit our website.

Friday, January 4, 2013

Auditing of the Network in the Education Environment

In today’s electronic learning environment, access to the appropriate systems and data is of the utmost importance to students, faculty and staff. Having incorrect access to the school’s internal systems could mean a teacher is unable to access an online learning system or a student is not able to submit coursework projects to an online folder.

Equally important, though, for the security of the system is ensuring that individual access rights are updated and removed when appropriate for all users of the system.

The educational market certainly faces unique challenges in this arena. A typical K-12 system will provide individual access accounts to students once they reach 4th grade, meaning the turnover approaches 15% per year. Students transferring from one district to another, or to another school within the district, add to the daily challenges of accurate account management.

One recent example shows how important it is for educational entities to purge their internal systems: A Pennsylvania school district was preparing for a migration from an in-house Exchange email system to Google Apps. While Google does not charge schools for student accounts, the goal of the school was to go into the new system with data that was as clean as possible. During the migration it was discovered that graduating students had not been removed from Active Directory for the last 3 school years. This meant about 6,000 records needed to be purged from AD. The school also made a decision to leave email accounts active for matriculated students but remove them from Active Directory.

Granting Access Rights: Determining Who Gets Access to What and When

The first step in the process is to determine a baseline of the access rights needed, and currently allowed, by type of user. Numerous products are commercially available to allow a thorough scan of the network and applications to retrieve information on access rights. This information can then be compiled against user profiles (department, location, titles, majors) to establish a foundation of who needs to access what and when, according to the permissions currently granted in your system.

Once this initial review is completed, you are ready to create the “ideal” access for each type of user in the organization. This can typically be loaded into a Role Based Access Control matrix to ensure that new users are created appropriately. Inevitably, though, some users will need access that differs from the norm, so a procedure must be in place to allow end users to request access and managers to sign off on the enhanced rights. Again, numerous systems are available in the marketplace to allow this process to be handled electronically while providing a complete audit trail.

Equally as important as granting rights is ensuring access rights are revoked when appropriate. With alarming regularity, faculty or staff members are transferred between departments and permissions to groups and applications become cumulative. While it may be necessary to allow a transferred user access to everything their previous role required during a transition period, it is imperative that a time limit be set for the review and decommissioning of those rights.

As free, cloud-based email systems have begun to proliferate in the educational space, one of the most important audit tasks facing educational institutions is to ensure accounts are appropriately disabled and/or deleted. Many of the cloud-based programs, like Google and Live@EDU, allow schools to maintain an “alumni” folder or domain separate from active accounts. By moving users to these folders when appropriate, the users can be deleted from the network, with all inherent access rights deleted as well, while their email accounts remain active.

Conducting the Audit Cycle

The next step in the process is to perform an initial audit. You can be assured that new students and employees are being given correct access rights, but what about users who have been in the system for years? There is a good chance that several students and staff will have accumulated access to numerous departments or roles, with rights in more than one area.

By comparing their user type information and the access rights they currently have against the “ideal,” it is usually quite easy to determine the delta. At this stage in the process, every discrepancy must be accounted for. The user should be able to explain why he or she has access to systems outside the norm, and a decision must be made as to whether the user may keep access to a system or whether the access rights should be removed. As you’ll find several times during your first audit, users often have access rights to areas they shouldn’t necessarily have because they served in previous roles and the rights granted for those roles were never terminated.

As an ongoing process, regular audits are a necessity for any environment. At the very least, on a semester or quarter basis, managers and system owners should be asked to review access privileges and attest that the current rights meet established internal requirements. Automated systems on the market can also allow for “on demand” audits, which permit the immediate creation of reports detailing accounts that are out of compliance. Some organizations also set up trigger events to allow a senior manager or IT person to review specific actions. For example, any time a user requests or is added to a certain application or group, a manual review of the reasons surrounding the request must be completed before permission can be granted.

An automated user provisioning application can also take data from a Human Resource application and/or a Student Information System to ensure that students who graduate or do not return to the institution are either moved to an alumni folder or removed entirely. This is a type of audit that can be performed on a daily basis without the need for manual processing. The results of the daily process can easily be transmitted via email to the appropriate parties for review.
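The audit steps described above (compare each user's current group memberships against the “ideal” for their department and title in the RBAC matrix, set aside deviations that went through the access request process, and use the HR or student-information extract to catch leavers whose accounts still carry rights) amount to one reconciliation pass over three extracts. The same comparison is what the healthcare post's RBAC matrix would be checked against. The following is an added example written for this page, not a Tools4ever product or its output; the departments, titles, group names, user names and the `Person` record shape are constructed for illustration, and a real run would read the HR/SIS and Active Directory extracts from files instead of the inline lists.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Person:
    """One row of the HR / Student Information System extract (constructed shape)."""
    user: str
    department: str
    title: str
    status: str  # "active" or "left"


# Constructed RBAC matrix: (department, title) -> ideal set of groups/entitlements.
ROLE_MATRIX: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("Mathematics", "Teacher"): frozenset({"lms-teachers", "gradebook", "staff-wifi"}),
    ("Library", "Librarian"): frozenset({"catalog-admin", "staff-wifi"}),
    ("Student", "Grade 9"): frozenset({"lms-students", "student-wifi"}),
}

# Constructed HR / SIS extract.
PEOPLE: List[Person] = [
    Person("alice", "Mathematics", "Teacher", "active"),
    Person("bob", "Library", "Librarian", "active"),   # transferred from Mathematics
    Person("carol", "Student", "Grade 9", "active"),
    Person("dave", "Student", "Grade 12", "left"),      # graduated last year
    Person("frank", "IT", "Technician", "active"),      # role not yet in the matrix
]

# Constructed Active Directory group extract: user -> current group memberships.
AD_GROUPS: Dict[str, Set[str]] = {
    "alice": {"lms-teachers", "gradebook", "staff-wifi", "catalog-admin"},
    "bob": {"catalog-admin", "staff-wifi", "gradebook"},  # gradebook left over from old role
    "carol": {"lms-students"},                            # never received student-wifi
    "dave": {"lms-students", "student-wifi"},             # graduated, still holds rights
    "erin": {"staff-wifi"},                               # no HR record at all
    "frank": {"staff-wifi"},
}

# Constructed list of deviations approved through the access request system.
APPROVED_EXCEPTIONS: Set[Tuple[str, str]] = {("alice", "catalog-admin")}


def audit(role_matrix: Dict[Tuple[str, str], FrozenSet[str]], people: List[Person],
          ad_groups: Dict[str, Set[str]], exceptions: Set[Tuple[str, str]]) -> dict:
    """Compute the delta between actual and ideal access for every user.

    Returns per-user "excess" (rights beyond the role, not approved), "approved"
    (excess rights covered by an exception) and "missing" (role rights not held),
    plus three lists that need a human decision: active users whose role is absent
    from the matrix, leavers who still hold rights, and directory accounts with no
    HR record (orphans).
    """
    hr_users = {p.user for p in people}
    result = {
        "deltas": {},
        "unknown_role": [],
        "leavers_with_access": [],
        "orphans": sorted(set(ad_groups) - hr_users),
    }
    for p in people:
        actual = set(ad_groups.get(p.user, set()))
        if p.status != "active":
            if actual:
                result["leavers_with_access"].append(p.user)
            continue
        ideal = role_matrix.get((p.department, p.title))
        if ideal is None:
            result["unknown_role"].append(p.user)
            continue
        extra = actual - ideal
        approved = {g for g in extra if (p.user, g) in exceptions}
        result["deltas"][p.user] = {
            "excess": sorted(extra - approved),
            "approved": sorted(approved),
            "missing": sorted(ideal - actual),
        }
    return result


if __name__ == "__main__":
    report = audit(ROLE_MATRIX, PEOPLE, AD_GROUPS, APPROVED_EXCEPTIONS)
    for user, delta in report["deltas"].items():
        print(user, delta)
    for key in ("unknown_role", "leavers_with_access", "orphans"):
        print(key, report[key])
```

The four non-empty buckets correspond to the decisions the post asks for: an excess right goes back to the user and manager for explanation or removal, a missing right is a provisioning gap, a leaver with access is the daily HR-driven check, and an orphan account has no owner to attest for it at all. Scheduling this on a quarterly or on-demand basis gives the compliance report the post describes.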

The fact that internal audits are conducted should be public knowledge, and no one should be “caught unaware” of the process. If users know their actions in the systems are being monitored, they are more likely to control their own behavior when accessing the sensitive information that they view as part of their employment.

Summary

To ensure access to applications and sensitive data is open enough to allow staff to perform their jobs and restrictive enough to avoid legal complications, it is important to set controls when users join the organization and regularly review any changes to their profiles. These two factors will allow for easy compliance reporting at audit time.

There are numerous vendors offering commercially available solutions for every aspect of a provisioning and audit solution. Some are complicated, expensive propositions that can take months or years to become fully operational. Others offer inexpensive, quick to implement, point solutions that can attend to specific areas of concern that need to be addressed immediately.

For more information on Tools4ever solutions for education, please visit our website.