I recently contributed a blog post to SOAtotheCloud.com. Please take a look and share your thoughts, and be sure to sign up for my August 27 webinar, “Bridging Modern API Architectures with Your Enterprise Security Infrastructure”!
Architecture metaphors can be useful for understanding some of the challenges of identity management. Everyone knows what a bridge or a gateway is. So let’s look at one of the problems we encounter when deploying mobile apps.
By Ruby Raley, Director of Healthcare Solutions, Axway
If you’re like many who work in health IT infrastructure, you’re probably scrambling to create patient portals for providers and modern gateways for health plans. You’re probably hearing that the providers’ and health plans’ users are fed up with juggling multiple logins across various devices and platforms. And you’re probably realizing that what those users really want is an integrated experience not unlike the one they enjoy in their personal lives, where their Facebook, Twitter, or Google credentials double as federated identities across countless third-party websites.
To manage the edge of your enterprise and the complexity that’s sure to result from satisfying these demands, you should strive to keep the following three items top-of-mind.
- Identity management: Loading thousands of users into a credentialing system just to deliver an application is a considerable nuisance nowadays, and every such system is one more store of credentials you must protect. Instead, grant users access by using the credentials they’ve established elsewhere. This is called federation: your gateway trusts an external identity provider to authenticate the user and accepts a signed assertion from it, which the gateway must still verify (who issued it, that it was issued for your application, and that it has not expired) before mapping the user onto your own roles. A prime example is the way customer-relationship-management companies let their users move freely between the companies’ cloud applications and the users’ own internal applications. Health plans can emulate this template by offering claims teams federated identities across application service provider (ASP) sites, thereby reducing challenges, workloads, risks, and costs while enabling a solid, world-class user experience for everyone involved.
- Mobile and cloud application integration: A routine patient activity like appointment scheduling becomes hopelessly complicated if your enterprise application can’t answer the patient’s request in a format their mobile device can accept. To avoid this, you need to convert that appointment into a compact text representation the device can handle, and ensure your organization’s gateway can talk to (1) cloud services that exchange lightweight, web-based messages and don’t depend on long-lived sessions, and (2) mobile devices that use compact, stateless APIs, where each request carries everything the server needs, including the caller’s credential, and the server keeps no memory of what happened previously.
- Compliance: The ability to prevent unauthorized personnel from looking up individual patient information (e.g., blocking searches for celebrities, persons of interest in a criminal case, etc.) is valuable. To establish it, you need to build a policy structure that lives at the front door of your organization, ensures that data is properly redacted before it leaves, and guarantees that roles and rights are enforced consistently whether the user arrived through a mobile account or an enterprise login; two doors should not mean two policies. That front door must be easy to manage, update, and inspect; align and normalize your activities with your compliance mandates and strategies; and keep your organization agile. Also, the tools used to monitor this activity should be visual so that:
- Your teams can easily see what specific messages contain.
- Your teams can readily confirm that they’ve implemented policy correctly.
- A compliance officer can monitor your teams’ actions (a difficult prospect if the policy is embedded in XML statements!)
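The three concerns above meet at one place: the gateway. What follows is an added example written for this page, not code from the original post or from Axway’s products. It is a minimal “front door” in Python that verifies a federated token, maps federated scopes and enterprise directory groups onto one internal role set, refuses lookups of restricted records to anyone but a treating provider or the patient themself, redacts fields by role, emits an audit event for every lookup, and answers with a compact stateless JSON body. For self-containment it assumes the identity provider signs with HS256 and a shared secret; production providers sign with RS256 or ES256 and you would verify against their published public keys instead. The issuer and audience URLs, claim names, role names, and patient records are all constructed.

```python
"""Edge-gateway front door: added example, not code from the original post.
Verifies a federated token, maps federated scopes and enterprise groups to one
role vocabulary, then applies a single policy (restricted-record check, field
redaction, audit event, compact stateless reply).  Constructed assumptions: the
HS256 shared secret (real IdPs sign with RS256/ES256), issuer/audience URLs,
claim names, role names and the sample records."""
import base64
import hashlib
import hmac
import json
import time

TRUSTED_ISSUERS = {"https://idp.healthplan.example": b"constructed-shared-secret"}
AUDIENCE = "https://api.provider.example"
# One internal role vocabulary whichever door the user came through: federated
# logins carry space-separated "scope", the enterprise directory carries "groups".
ROLE_MAP = {
    "claims:read": "claims_examiner", "GRP_Claims_Examiners": "claims_examiner",
    "care:treat": "treating_provider", "GRP_Clinical_Staff": "treating_provider",
    "portal:self": "member",
}
# Fields each role may see; anything unlisted is dropped, never passed through.
VISIBLE_FIELDS = {
    "treating_provider": {"patient_id", "name", "dob", "appointment", "diagnosis"},
    "claims_examiner": {"patient_id", "appointment", "claim_amount"},
    "member": {"name", "appointment"},
}
RECORDS = {  # constructed sample data, not real patients
    "P-1001": {"patient_id": "P-1001", "name": "A. Patient", "dob": "1980-01-01",
               "appointment": "2024-08-27T09:00", "diagnosis": "J45.20", "claim_amount": 120.0},
    "P-2002": {"patient_id": "P-2002", "name": "W. Known", "dob": "1975-05-05", "restricted": True,
               "appointment": "2024-08-28T14:30", "diagnosis": "Z00.00", "claim_amount": 300.0},
}

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def mint_token(claims, key, alg="HS256"):
    """Stand-in for the external IdP, used only to construct sample input;
    the alg parameter exists so a test can forge a bad header."""
    head = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url_encode(sig)}"

def verify_token(token, now=None):
    """Return the claims of a valid token or raise ValueError.  The alg is pinned
    before any signature work, so a client-controlled header (e.g. alg "none")
    cannot choose the verification path; the issuer must be allow-listed and the
    audience must be this gateway, not some other API the same IdP serves."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(_b64url_decode(head)), json.loads(_b64url_decode(body))
        signature = _b64url_decode(sig)
    except ValueError as exc:  # also catches binascii.Error and JSONDecodeError
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != "HS256":
        raise ValueError("malformed token or unsupported alg")
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("untrusted issuer")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token not issued for this gateway")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def normalize_roles(claims):
    raw = set(claims.get("scope", "").split()) | set(claims.get("groups", []))
    return frozenset(ROLE_MAP[r] for r in raw if r in ROLE_MAP)

def authorize(claims, record):
    """Return (decision, compact JSON or None, audit event) for one lookup.
    Restricted records (the celebrity / person-of-interest case) go only to a
    treating provider or the patient themself; every lookup yields an audit
    event so a compliance officer can review who searched for whom."""
    roles, subject = normalize_roles(claims), claims.get("sub")
    audit = {"sub": subject, "roles": sorted(roles), "patient_id": record["patient_id"]}
    if record.get("restricted") and "treating_provider" not in roles and subject != record["patient_id"]:
        return "deny", None, {**audit, "decision": "deny", "reason": "restricted record"}
    allowed = set().union(*(VISIBLE_FIELDS.get(r, set()) for r in roles))
    if not allowed:
        return "deny", None, {**audit, "decision": "deny", "reason": "no mapped role"}
    reply = {k: v for k, v in record.items() if k in allowed}  # redaction by omission
    return "allow", json.dumps(reply, separators=(",", ":"), sort_keys=True), {**audit, "decision": "allow"}

def handle_federated_request(token, record, now=None):
    """Mobile path: verify the IdP token, then the same policy as the enterprise path."""
    return authorize(verify_token(token, now), record)

def handle_enterprise_request(session_claims, record):
    """Enterprise path: claims already established by the internal login."""
    return authorize(session_claims, record)
```

Both entry points end in the same `authorize`, so a policy change lands in one place rather than once per login path, and the rules a compliance officer needs to read are the `VISIBLE_FIELDS` table and the single restricted-record condition rather than XML embedded in a pipeline. The reply is built from an allow-list of fields, so a new column added to the patient record is withheld until someone decides which roles may see it.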
The users’ patience has been tried long enough: juggling multiple logins across various devices and platforms simply won’t do. Instead, resolve to give users the integrated experience they’ve come to understand and appreciate in their personal lives. Federate their identities so they don’t have to worry about credentials. Accommodate the devices they prefer to use when interacting with your enterprise. Tighten your policy structure to protect their privacy and comply with regulations robustly. And finally, and perhaps most importantly, recognize that once you take these measures, the daily challenges your organization faces will be the unavoidable ones that come with doing business, rather than avoidable ones created by your own inaction.