COMPLEX SECURITY


Problem / Challenge: The client’s technology platform is highly complex, with a core system and multiple interconnected systems. The security management and access control policies for around 800 end-users had to comply with HIPAA requirements and other local and federal regulations. The integrity, availability, and confidentiality of key software systems, databases, and data networks were major concerns across all functional areas.
The corruption, unauthorized disclosure, or theft of corporate resources could disrupt an organization’s operations and have immediate, serious financial, legal, human safety, personal privacy, and public confidence impact. Access to each system is granted on role-based criteria, taking compliance into account. The principle of least privilege requires that a user be given no more privilege than is necessary to perform a job. Because granting access privileges had been problematic, and because removing or changing end-user access must be quick and compliant with regulations, the client requested software development services to build an integrated security system that manages multiple applications from a single point. This new system had to authenticate end-users against Windows Active Directory.


Our Role: We worked on this project in close coordination with a Business Partner. One of our offshore teams was assigned to develop the application using an Agile software development methodology. Compliance with regulations and integration with all applications in the client’s production environment were key factors for a successful implementation. The developed system lets administrators manage access control and security for all applications from a single point of control. The administrative task consists of granting and revoking membership in a set of named roles defined within the system. When a new person joins the organization, the administrator simply grants membership in an existing role. When a person’s function changes within the organization, membership in the existing roles can be easily removed and new memberships granted. Finally, when a person leaves the organization, all role memberships are deleted. For an organization that experiences high personnel turnover, a role-based security policy is the only logical choice. Some of the direct tasks performed by our team included:

  • Developing and maintaining software code (.NET, Java, Web Services, Database procedures)
  • Implementing new functionalities considering local and federal regulations
  • Researching and developing new technologies and implementation techniques for integration into the security system and technology platform
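The joiner, mover and leaver administration described above, as an added Python illustration that is not the client’s .NET system: the role catalogue, permissions and user names are constructed for the example, and the Active Directory authentication step is assumed to happen before these calls.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed role catalogue: role -> set of (application, permission) pairs.
# Roles are kept narrow so that membership alone expresses least privilege.
ROLES = {
    "billing_clerk": {("billing", "read"), ("billing", "submit_claim")},
    "records_clerk": {("ehr", "read")},
    "records_admin": {("ehr", "read"), ("ehr", "update"), ("ehr", "export")},
}


class AccessManager:
    """Single point of control for role membership across all applications."""

    def __init__(self, roles):
        self.roles = roles
        self.members = defaultdict(set)  # user -> roles currently held
        self.audit = []                  # every grant/revoke, kept for compliance review

    def _log(self, action, user, role, actor):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append((stamp, actor, action, user, role))

    def grant(self, user, role, actor):
        if role not in self.roles:
            raise ValueError(f"unknown role: {role}")  # no ad-hoc privileges
        self.members[user].add(role)
        self._log("grant", user, role, actor)

    def revoke(self, user, role, actor):
        self.members[user].discard(role)
        self._log("revoke", user, role, actor)

    def onboard(self, user, roles, actor):
        # Joiner: a new person simply receives membership in existing roles.
        for role in roles:
            self.grant(user, role, actor)

    def change_function(self, user, new_roles, actor):
        # Mover: old memberships go before new ones arrive, so privilege never accumulates.
        for role in list(self.members[user]):
            self.revoke(user, role, actor)
        self.onboard(user, new_roles, actor)

    def offboard(self, user, actor):
        # Leaver: every membership is deleted in one step.
        for role in list(self.members[user]):
            self.revoke(user, role, actor)

    def permissions(self, user):
        # Effective permissions are the union of the permissions of the roles held.
        return set().union(*(self.roles[r] for r in self.members[user]))

    def can(self, user, app, permission):
        return (app, permission) in self.permissions(user)
```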


Key Outcomes

  • Compliance with federal and local regulations
  • Process optimization and workload reduction
  • Implementation of check and balance procedures


Technologies used: .NET, ASP, MVC, Web Services, Java, J2EE.