Commentary by Cybersecurity Evangelist Sascha Martens

Imagine you are being operated on, and then this happens: a hacker attack paralyzes all systems in the hospital. Not a pleasant thought? That’s why the BSI now demands professional Identity and Access Management (IAM) for KRITIS-relevant areas. What matters here, and what is the ideal solution?

It’s been a week since the Security Insider article about how alarmingly password security is still being implemented in hospitals, not far from realistic hacker attack scenarios. Hospitals, financial institutions and other so-called critical infrastructures (KRITIS) actually had until the end of June to upgrade. Now the BSI is clearly in favor of integrating identity and access management systems to ensure digital security. We’ll explain what you need to look out for!

A central IAM solution can never be too flexible! Many providers, especially in the field of IAM, rely on ‘simple’ solutions that are almost 100% configurable via GUI. With such a solution I have to decide: If I ignore a significant proportion of the systems used (e.g. web services), do I connect them directly to my IAM solution (and probably use poorly developed interfaces) or do I add further solutions to the overall architecture? These still have to be connected, but as specialists they probably work much better.

One example is Password Safe as a building block in the IAM architecture: a central solution for credential handling does more than provide the immediate benefit of protecting passwords. Connecting it to the IAM can also create added value! Controlled access to accounts and passwords ensures that only certain persons can access this information. These access rights can be viewed, evaluated and used centrally in the IAM. Automation based on this is also much easier to implement when all the information is already centrally available. And then, when we think of hospitals, IT security is no longer our biggest concern 😉

Cybersecurity evangelist Sascha Martens is Head of Solutions Architect at MATESO. For the Password Safe Blog he writes regular Tech Diaries, which give an entertaining insight into current topics and events from an IT perspective.