There are both enterprise and point PAM solutions available to organizations. With that said, as many organizations transition to a cloud-first and federated model, an enterprise solution may be the wiser choice.
While CyberArk, CA PAM, Centrify, etc. are expensive solutions, an organization may see a better return on investment (ROI) in the long run than an organization deploying multiple pointed (e.g., MSFT LAPS) solutions.
So, deploy PAM in a phased manner for AD, EUC, ERP / EHR, cloud, social media, etc. to make the cost palatable for the enterprise.
Wednesday, December 14, 2016
Tuesday, December 6, 2016
Are passwords going away?
With the introduction of additional associations and research organizations (e.g., FIDO: https://fidoalliance.org/) focused on negating the need for passwords, one might ask if they are going away.
The answer is no, not really. Password-based credentials will still be around, especially within enterprises, for years to come. Especially for legacy systems, and administrative access.
With that said, business-to-consumer (B2C) authentication for enterprises will morph considerably, as it already has. And for that matter, so has business-to-business (B2B) authentication with PKI / x.509 certificate-based authentication for point-to-point VPN / RESTful API.
So, compensating controls in the way of conditional access (CA), multi-factor authentication (MFA: biometrics, OTP, voice, security challenge / questions), etc. will take the lead in identity verification, but passwords will be around for a long time.
The answer is no, not really. Password-based credentials will still be around, especially within enterprises, for years to come. Especially for legacy systems, and administrative access.
With that said, business-to-consumer (B2C) authentication for enterprises will morph considerably, as it already has. And for that matter, so has business-to-business (B2B) authentication with PKI / x.509 certificate-based authentication for point-to-point VPN / RESTful API.
So, compensating controls in the way of conditional access (CA), multi-factor authentication (MFA: biometrics, OTP, voice, security challenge / questions), etc. will take the lead in identity verification, but passwords will be around for a long time.
Monday, November 21, 2016
Identity & Access Management (IAM / IdAM) Programs
IAM / IdAM / Single Sign-On (SSO) / Privileged Access Management (PAM) / Multi-Factor Authentication (MFA) / Identity Providers (IdP) / Identity Federation are all part of a program that enterprises should focus on these days. And, these programs need to be able to extend to multiple technologies: cloud, mobile, IoT, ERP, etc.
However, these endeavors are treated as one-offs.
As organizations wrestle with business transactions (merges, acquisitions, divestitures), the need to have a formal, organized IAM / IdAM program grows in need.
However, these endeavors are treated as one-offs.
As organizations wrestle with business transactions (merges, acquisitions, divestitures), the need to have a formal, organized IAM / IdAM program grows in need.
Saturday, October 29, 2016
Best Control Framework for HIPAA / HITECH Audits / Reviews
While many are adamant about using NIST SP 800-53a Rev 4~ for HIPAA / HITECH there is precedent for using alternatives.
Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP as they use a combination of 800-53, COBIT, and / or ISO.
The genesis for building on controls are the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.
Preference should be given to hybrid frameworks that use HITRUST CSF and / or ISF SOGP as they use a combination of 800-53, COBIT, and / or ISO.
The genesis for building on controls are the new technologies, new attack vectors / threats, and a renewed emphasis on deeper dives into the proper deployment of controls / safeguards.
Tuesday, October 18, 2016
Corporate IT & the Leadership Paradox
With over a decade of experience in consulting, one can see the leadership paradox, especially in corporate IT departments.
Corporate IT executives and managers often move into consulting to embrace their experience while negating the office politics, while many middle managers move into corporate IT from Big 4 consulting firms.
Furthermore, many corporate IT shops ship out work to consulting firms instead of training their own people, while many consulting firms leverage people more junior than their client's staff.
Add to that, the reticence for IT shops to send junior managers to leadership training, and we see a revolving door of poor leaders who focus on leveraging external parties to get the work done.
No wonder IT outsourcing is so strong.
Corporate IT executives and managers often move into consulting to embrace their experience while negating the office politics, while many middle managers move into corporate IT from Big 4 consulting firms.
Furthermore, many corporate IT shops ship out work to consulting firms instead of training their own people, while many consulting firms leverage people more junior than their client's staff.
Add to that, the reticence for IT shops to send junior managers to leadership training, and we see a revolving door of poor leaders who focus on leveraging external parties to get the work done.
No wonder IT outsourcing is so strong.
Monday, October 10, 2016
Data Breach Fatigue & Security Training
Apparently, there is "data breach fatigue" out there and recommendations on cutting down security education, training, & awareness (SETA) is gaining traction.
The question comes with to scale back SETA activities due to this fatigue?
The answer is based on the maturity of the information security (InfoSec) program, jurisdiction / market, industry, and the organization's culture. Frankly, a CISO / CIO / CTO should negotiate freedoms (e.g., local administrative access, open Internet / Web / email access) pursuant to SETA. Meaning, that if users have carte blanche then SETA is required, necessary, and regularly conducted.
Also, less SETA should equate to more budget for preventive / detective capabilities.
The question comes with to scale back SETA activities due to this fatigue?
The answer is based on the maturity of the information security (InfoSec) program, jurisdiction / market, industry, and the organization's culture. Frankly, a CISO / CIO / CTO should negotiate freedoms (e.g., local administrative access, open Internet / Web / email access) pursuant to SETA. Meaning, that if users have carte blanche then SETA is required, necessary, and regularly conducted.
Also, less SETA should equate to more budget for preventive / detective capabilities.
Monday, September 19, 2016
SaaS AI & Privacy
Salesforce's AI platform, Einstein (https://www.salesforce.com/products/einstein/overview/), may present some privacy concerns.
As a SaaS service the question begs on whether multi-tenancy data will be included in the analysis.
Will GDPR, U.S., Privacy Shield, HIPAA, PCI DSS requirements be included? If so, it would behoove Salesforce to include details on de-identification.
As a SaaS service the question begs on whether multi-tenancy data will be included in the analysis.
Will GDPR, U.S., Privacy Shield, HIPAA, PCI DSS requirements be included? If so, it would behoove Salesforce to include details on de-identification.
Subscribe to:
Posts (Atom)