At the Assises de la Sécurité 2011, an IT security event held in Monaco in early October 2011, the Information Systems Security Manager of Nantes University Hospital (CHU Nantes) looked back over the hospital's project to implement an Identity and Access Management system. It is a project with major organizational implications that is advancing carefully, but it has already won the support of the first group of users.
The project – known as Gaïa (in English: Directory, Identity and Access Management) – was launched in practical terms in 2010. Cédric Cartau, Information Systems Security Manager (ISSM) at Nantes University Hospital, explains that it involved “totally starting again from scratch when it came to identity management”, which for him is “one of the key objectives of an IAM (Identity and Access Management) project”. In practice, for CHU Nantes, this meant managing identity and access to IT systems while taking into account the contractual commitments made by staff to the hospital, a vital point that is “extremely complicated for a teaching hospital”. The aim of the project is also to simplify users’ day-to-day work. Each person uses around six to eight core applications, each with its own password, not to mention the ones needed for a Windows session, Webmail access, etc. “The idea is that there is only one PIN to remember for everything.” In other words: Single Sign-On (SSO), with the prospect of also extending the use of access cards to internal catering facilities and premises.
Initially the project covers “20 key applications for 12,000 users and 2,000 others – people who come to eat at the hospital, those with research agreements, suppliers, etc”. Cédric Cartau gives an idea of the scale of a project that is “more organizational than technical”: in total, five departments at the hospital are involved, including medical affairs, finance, etc. The HR department is the contracting authority. Four full-time equivalent (FTE) staff have been mobilized for the project: one person from each of the departments involved. The ISSM provides program management support, while the IS Department, with five FTEs, is responsible for program management itself.
Evidian’s solution was chosen for the project, with its parent company, Bull, delivering the systems integration. The hospital’s ISSM explains that the selection process was exhaustive, with “endorsements of potential suppliers and presentations of mock-ups to check out usability issues such as the SSO itself, the rapidly changing user environment, etc”. The integrator’s experience also influenced the decision. “I don’t like being the first in those kinds of situations,” explains Cédric Cartau. He also stresses that Bull/Evidian has “a real strategy in the healthcare sector” by comparison with two other (major) software publishers who “we never see in the health world”. Bull was also proposing a project structure led by “their own people on site – so I had people I could go to whenever I had any concerns”.
A major organizational change
The first of the anticipated benefits – the total overhaul of identity management – has already been achieved, even though the project is still only in the pilot phase: “for example, when it came to e-mail, we found accounts of people who had died, but were still receiving messages and that had been transferred. We also discovered someone who was reading the Gmail messages of a deceased colleague.” But addressing those issues was not easy: “historically, the people who had access were those who were paid by the organization, and here we were talking about people with a contractual link with the hospital.”
However, Cédric Cartau is not looking for financial return on investment (ROI) on this project: “In the best case scenario, we will break even. But the qualitative ROI is indisputable. The users are very happy. We could split hairs and work out how much time is saved by everyone, every day, but there’s not much point in that. One thing is certain, and all the staff are saying this: once the card has been introduced, people don’t want to go back to the old ways.” In addition, the IAM system lets the hospital improve data confidentiality: “We’re sure that only people who have a proper contractual relationship with the hospital have access to the IS.” On workstations, implementing the SSO will be combined with a delegation function, so a user will be able to ‘lend’ their access to someone – for example if they have forgotten their card or no longer have it – albeit “for a short time, but one that is recorded”.
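As an added illustration (not part of the original article, nor code from the Evidian/Bull product), here is a small Python model of the two controls described above: reconciling enabled directory accounts against HR contracts so that only people with a contract in force keep access, and recording a short, time-boxed delegation of access. All names, dates and the four-hour delegation ceiling are constructed assumptions.

```python
"""Contract-based access reconciliation and recorded, time-boxed delegation.

Illustrative example; all records below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Dict, List, Optional

@dataclass
class Contract:
    person_id: str
    start: date
    end: Optional[date]          # None = open-ended contract

@dataclass
class Account:
    login: str
    person_id: str
    enabled: bool = True

def active_on(c: Contract, day: date) -> bool:
    """True if the contract is in force on the given day (inclusive bounds)."""
    return c.start <= day and (c.end is None or day <= c.end)

def orphaned_accounts(accounts: List[Account], contracts: List[Contract], day: date) -> List[str]:
    """Enabled logins whose holder has no contract in force on `day` (e.g. a deceased colleague)."""
    by_person: Dict[str, List[Contract]] = {}
    for c in contracts:
        by_person.setdefault(c.person_id, []).append(c)
    return sorted(a.login for a in accounts if a.enabled
                  and not any(active_on(c, day) for c in by_person.get(a.person_id, [])))

@dataclass
class Delegation:
    grantor: str
    grantee: str
    expires: datetime
    audit_record: str             # what gets written to the log

def lend_access(grantor: str, grantee: str, now: datetime, minutes: int = 60,
                reason: str = "card forgotten", max_minutes: int = 240) -> Delegation:
    """Lend access for a short, bounded period; every grant is recorded."""
    if not 0 < minutes <= max_minutes:
        raise ValueError(f"delegation must be between 1 and {max_minutes} minutes")
    expires = now + timedelta(minutes=minutes)
    record = f"{now.isoformat()} {grantor} -> {grantee} until {expires.isoformat()} ({reason})"
    return Delegation(grantor, grantee, expires, record)

def delegation_valid(d: Delegation, now: datetime) -> bool:
    return now < d.expires

# Constructed sample data: p2's contract ended (deceased colleague), p9 has no contract at all.
CONTRACTS = [Contract("p1", date(2005, 1, 1), None),
             Contract("p2", date(2008, 3, 1), date(2011, 6, 30)),
             Contract("p3", date(2011, 9, 1), date(2012, 2, 29))]   # trainee
ACCOUNTS = [Account("alice", "p1"), Account("bob", "p2"), Account("carol", "p3"), Account("dan", "p9")]
```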
Added to that are improved staff mobility and promising prospects: “802.1x public key infrastructure, administrative signatures – very practical to avoid the need to travel in order to sign a request for hospitalization from a third party.”
A successful pilot phase…
For the time being, despite the success that has been achieved, Cédric Cartau is not envisaging an immediate, general roll-out: that will have to wait until “everything has been stabilized in the pilots. That will take however long it takes. Urgency is often pointless and always dangerous,” he explains, stressing the complexity of the project. Moreover, even the contracting authority has committed to carefully scrutinizing usage scenarios: “you never spend enough time looking at marginal situations, which it is easy to overlook”. If, for now, the project is progressing well, according to the ISSM that is because “program management is being sponsored by a functional directorate”. But it is also thanks to “rigorous management by the steering and documentation committees – the amounts of data involved are large and involved a lot of coding,” not to mention “the investigation of organizational issues before decision-makers’ opinions are sought”.
…although some questions remain
Not all questions have yet been answered. Starting with the transition: “What will happen to someone who moves between an area that has been equipped and one that has not? Or with some applications that have not yet been switched over? We’re discovering a lot of things as we go along.” The many different categories of users and the fact that there are two departments responsible for staff – the HR Directorate and Medical Affairs – doesn’t make the project any simpler. “Who will input people’s identities? After a year and a half, that still has not been decided for everyone, starting with trainees.” There is also the question of managing authorizations: “When it comes to managing appointments, for example, there are almost as many profiles as there are users…” Finally, managing the lifespan of ID cards: “around three years. But who manages the renewals? We considered Technical Services, the HR Department… but finally we settled on the IT Department.”
Taken from LeMag IT, 22 November 2011
Written by Valéry Marchive
Read the original article (French version)