While it may be convenient to deploy integrated crypto / PKI solutions for sensitive data stores (e.g., PII, ePHI, PKI) via TDE / DDM, more and more data leaves local databases and / or data stores and goes to the cloud.
This is where an enterprise PKI solution will help organizations. With holistic solutions, a tokenized, sensitive data element can proliferate / travel through the cloud or within an enterprise while still protected.
While expensive, highly visible, and risky, these endeavors will truly protect an organization from data breach / loss, etc.
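To illustrate the point about a tokenized data element traveling while still protected, here is an added example (not code from the original post or from any vendor product). It models a hypothetical vault-based tokenization service: the vault is the only component that can map a token back to the real value, and the record that leaves the trusted zone carries only the token. The class and function names, the format-preserving rule (random leading digits, last four kept), and the sample record are all constructed for this example.

```python
import re
import secrets


class TokenVault:
    """Hypothetical vault-based tokenization service (constructed example).

    The vault alone holds the token -> value mapping. Cloud apps, analytics
    stores and logs handle only the token, which reveals nothing about the
    original value beyond the trailing digits the caller chose to preserve.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value, keep_last=4):
        """Return a format-preserving token for a digit-only value (SSN, PAN).

        The same value always maps to the same token so downstream systems can
        still join on it. Leading digits are replaced by digits drawn from a
        CSPRNG; only the last `keep_last` digits are preserved.
        """
        if not re.fullmatch(r"\d+", value):
            raise ValueError("tokenize() expects a digit-only value")
        if keep_last < 0 or keep_last >= len(value):
            raise ValueError("keep_last must leave at least one digit to replace")
        if value in self._value_to_token:
            return self._value_to_token[value]
        prefix_len = len(value) - keep_last
        suffix = value[prefix_len:]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(prefix_len))
            token = prefix + suffix
            # Reject a token that equals the real value or collides with one already issued
            if token != value and token not in self._token_to_value:
                break
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token):
        """Map a token back to the original value; only the vault can do this."""
        try:
            return self._token_to_value[token]
        except KeyError:
            raise KeyError("unknown token") from None


def protect_record(vault, record, sensitive_fields):
    """Replace each sensitive field with its token before the record leaves
    the trusted zone; the returned copy is what cloud systems receive."""
    protected = dict(record)
    for field in sensitive_fields:
        if field in protected:
            protected[field] = vault.tokenize(protected[field])
    return protected


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; the SSN is a made-up value
    patient = {"name": "Example Patient", "ssn": "123456789"}
    outbound = protect_record(vault, patient, ("ssn",))
    print("sent to cloud :", outbound)
    print("vault lookup  :", vault.detokenize(outbound["ssn"]))
```

The design choice worth noting is that the token is not derived from the value (no hash, no reversible transform), so an attacker holding the token plus every downstream copy of it still learns nothing beyond the preserved suffix; the protection rests entirely on access control around the vault's `detokenize` path.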
Thursday, January 5, 2017
Tuesday, January 3, 2017
Why Enterprise DLP Solutions Will Go Away
Large, traditional, enterprise DLP deployments will go away as organizations look to leverage multiple, integrated DLP solutions. The reasons for this include:
- A focus on cloud and mobile solutions, and a migration away from on-premises deployments
- Consolidation of vendor solution capabilities (e.g., CASB, DLP, DCAP, RMS, DMARC, SPF)
- Portable / interoperable policies / rules (e.g., SCAP, CTP)
- A focus on agile deployments
- Cost / economies of scale
With that said, the real question is what else will be migrated away from on-premises?
Labels: CASB, CTP, DCAP, DLP, DMARC, enterprise, integrated, RMS, SCAP, SPF
Wednesday, December 14, 2016
Privileged Access Management (PAM) & Approach
There are both enterprise and point PAM solutions available to organizations. With that said, as many organizations transition to a cloud-first and federated model, an enterprise solution may be the wiser choice.
While CyberArk, CA PAM, Centrify, etc. are expensive solutions, an organization may see a better return on investment (ROI) in the long run than one deploying multiple point solutions (e.g., Microsoft LAPS).
So, deploy PAM in a phased manner for AD, EUC, ERP / EHR, cloud, social media, etc. to make the cost palatable for the enterprise.
Labels: AD, CA, Centrify, Cloud, CyberArk, EMR, enterprise, ERP, EUC, federated, PAM, privileged access management, social media
Tuesday, December 6, 2016
Are passwords going away?
With the introduction of additional associations and research organizations (e.g., FIDO: https://fidoalliance.org/) focused on negating the need for passwords, one might ask if they are going away.
The answer is no, not really. Password-based credentials will still be around, especially within enterprises, for years to come, and particularly for legacy systems and administrative access.
With that said, business-to-consumer (B2C) authentication for enterprises will morph considerably, as it already has. And for that matter, so has business-to-business (B2B) authentication with PKI / X.509 certificate-based authentication for point-to-point VPN / RESTful APIs.
So, compensating controls in the form of conditional access (CA), multi-factor authentication (MFA: biometrics, OTP, voice, security challenge / questions), etc. will take the lead in identity verification, but passwords will be around for a long time.
Labels: API, B2B, B2C, biometrics, conditional access, FIDO, MFA, OTP, password, PKI, REST, security questions, voice, VPN, X.509
Monday, November 21, 2016
Identity & Access Management (IAM / IdAM) Programs
IAM / IdAM / Single Sign-On (SSO) / Privileged Access Management (PAM) / Multi-Factor Authentication (MFA) / Identity Providers (IdP) / Identity Federation are all part of a program that enterprises should focus on these days. And these programs need to be able to extend to multiple technologies: cloud, mobile, IoT, ERP, etc.
However, these endeavors are treated as one-offs.
As organizations wrestle with business transactions (mergers, acquisitions, divestitures), the need for a formal, organized IAM / IdAM program grows.
Saturday, October 29, 2016
Best Control Framework for HIPAA / HITECH Audits / Reviews
While many are adamant about using NIST SP 800-53A Rev 4 for HIPAA / HITECH, there is precedent for using alternatives.
Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP, as they use a combination of 800-53, COBIT, and / or ISO.
The genesis for building on controls is the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.
Tuesday, October 18, 2016
Corporate IT & the Leadership Paradox
With over a decade of experience in consulting, one can see the leadership paradox, especially in corporate IT departments.
Corporate IT executives and managers often move into consulting to leverage their experience while escaping the office politics, while many middle managers move into corporate IT from Big 4 consulting firms.
Furthermore, many corporate IT shops ship out work to consulting firms instead of training their own people, while many consulting firms leverage people more junior than their client's staff.
Add to that the reticence of IT shops to send junior managers to leadership training, and we see a revolving door of poor leaders who focus on leveraging external parties to get the work done.
No wonder IT outsourcing is so strong.