Thursday, July 22, 2010
My presentation at TRISC 2010
I had a wonderful time at TRISC 2010 in Texas. Here is the presentation that I gave on the Advanced Persistent Threat.
How much security is enough?
Prudent and transparent security is now a cost of doing business. Those that modernize now survive; those that don't, won't.
To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.
Saturday, January 17, 2009
Reaching beyond FIPS 201
We are encouraged by the efforts of GAO, OMB, and NIST to not stop at producing the card and move towards practical uses of the cards that will deliver on the promise of tangible value to the citizens.
With this momentum built, we shifted our attention to the extended enterprise: the ability for Federal, state, and local governments and commercial companies to interoperate with, trust, and be trusted by each other in the digital age.
This is a gigantic undertaking, and it took us away from the blog for some time as we began lashing together the relationships required to make such an effort achievable.
Look for more frequent blogging now that this ball is in motion and moving quickly.
Monday, April 14, 2008
Bill at NIST recommends PIV termination process
Ron Martin recently published a PowerPoint presentation that Bill MacGregor gave a few weeks back. It is a good read and has very important recommendations.
Before we dig into one of his recommendations, I should note that Bill and I were colleagues in a past life. We worked together after 9/11 as a tiger team within SchlumbergerSema to define an approach to information sharing which we ultimately presented to Rumsfeld. We thought alike back then, and it seems we still do.
Now, let's dig through one of his recommendations. Let me draw your attention to the slide entitled "Green Lights." Green light activities are those which Bill suggests are important for agencies to consider.
His second recommendation is, "Develop and Coordinate a PIV termination process." Bill knows that agencies must work out their termination processes, and that it is important.
We agree. Termination processes are a gap right now, and until it is closed we will have "Orphaned Credentials." You can read our blog post about orphaned credentials here. To summarize the post:
- Orphaned Credentials are those that are still active AFTER an identity (person) is no longer affiliated with the agency.
- Unless we continue to modernize our identity management capability, we, as a community, will have many FIPS 201 Orphaned Credentials.
- The root cause is that our identity management processes are NOT FUSED to our credential management processes: the event that ends a person's affiliation does not automatically end the credential's validity.
- Consider the termination process in the bigger picture of the offboarding processes. Ask your HR, IT Service Desk, Physical Security, and Information Security staff what they do when someone leaves. Terminating a FIPS 201 smart card is a single thread among many threads that all happen manually today to offboard an identity. As an example, you might find that the IT service desk reclaims corporate-issued laptops and BlackBerrys, and reclaims copies of limited-use software (e.g. Visio). This is one of many examples I could give, but you can see that automating as many of the offboarding threads as possible will drive a better ROI and also lets you avoid the cost of figuring out how to integrate the PIV termination thread with your other offboarding threads at a later date.
- To get good identity termination processes, we should start with good onboarding processes. Consider this. A contractor is sponsored for a FIPS 201 credential. Who sponsored him? Is that same person held accountable for notifying the proper persons when the contractor separates? Was, and is, the sponsor close enough to the reason the contractor is there to know when the contractor has left? You see, a good onboarding process will have a rich workflow which tracks who approved the credential and holds those people accountable for triggering the separation processes (which in turn trigger the PIV termination thread). Cream-of-the-crop onboarding workflows will avoid orphaned identities: identities that no longer have sponsors who are accountable for triggering the separation processes.
- Consider events other than separation that require termination. For example, conversion from a contractor to an employee. This conversion process will include the termination process for the old credential as well as a process for creating a new credential. Lost, damaged, or stolen cards also trigger the termination process.
- Consider your reporting requirements. Every year the IG comes into your agency, asks for a list of people who left, and then determines whether or not their accounts and credentials were terminated. By properly automating your onboarding/offboarding processes, you will be collecting this very data and you will be able to prepare this report for the IG in real time. This is a giant leap in Compliance Automation, and it will save the agency time and money each and every year.
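The points above reduce to one reconciliation: join the identity roster (who is affiliated, who sponsors them, who has separated) against the credential inventory (which cards are still active) and flag every mismatch. The script below is an added illustration, not code from this blog or from any agency system; the record layouts, field names, and the roster and card data are constructed for the example. It covers the cases the list raises: a card still active after its holder separated, an old contractor card left active after conversion to employee, a card reported lost but never terminated, a card whose holder is not on the roster at all, an identity whose sponsor has left, and the IG-style report of separated people and whether their cards were terminated.

```python
"""Reconcile an identity roster with a credential (PIV card) inventory.

Added illustration, not code from the blog post. The dataclasses, field
names and the sample records below are constructed for this example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Identity:
    person_id: str
    affiliation: str                      # "employee" or "contractor"
    sponsor_id: Optional[str]             # person accountable for triggering separation
    separated_on: Optional[date] = None   # None means still affiliated


@dataclass(frozen=True)
class Credential:
    card_id: str
    person_id: str
    affiliation: str                      # affiliation the card was issued under
    status: str                           # "active" or "terminated"
    reported: Optional[str] = None        # "lost", "stolen" or "damaged" once reported


def _has_separated(identity: Identity, as_of: date) -> bool:
    return identity.separated_on is not None and identity.separated_on <= as_of


def orphaned_credentials(identities, credentials, as_of):
    """Return (card_id, reason) for every active card that should already be terminated."""
    roster = {i.person_id: i for i in identities}
    findings = []
    for c in credentials:
        if c.status != "active":
            continue
        holder = roster.get(c.person_id)
        if holder is None:
            findings.append((c.card_id, "no identity record"))      # card with no owner on the roster
        elif _has_separated(holder, as_of):
            findings.append((c.card_id, "holder separated"))        # the classic orphaned credential
        elif holder.affiliation != c.affiliation:
            findings.append((c.card_id, "holder converted"))        # e.g. contractor card after hire as employee
        elif c.reported is not None:
            findings.append((c.card_id, f"card reported {c.reported}"))
    return findings


def orphaned_identities(identities, as_of):
    """Return person_ids of current affiliates with no accountable sponsor on the roster."""
    roster = {i.person_id: i for i in identities}
    result = []
    for i in identities:
        if _has_separated(i, as_of):
            continue   # separated people belong to the termination thread, not the sponsorship check
        sponsor = roster.get(i.sponsor_id) if i.sponsor_id else None
        if sponsor is None or _has_separated(sponsor, as_of):
            result.append(i.person_id)
    return result


def ig_report(identities, credentials, as_of):
    """For everyone separated on or before as_of, report whether every card was terminated."""
    by_person = {}
    for c in credentials:
        by_person.setdefault(c.person_id, []).append(c)
    rows = []
    for i in identities:
        if not _has_separated(i, as_of):
            continue
        cards = by_person.get(i.person_id, [])
        rows.append({
            "person_id": i.person_id,
            "separated_on": i.separated_on.isoformat(),
            "cards": [c.card_id for c in cards],
            "fully_terminated": all(c.status == "terminated" for c in cards),
        })
    return rows


# Constructed sample data (not from any real agency).
AS_OF = date(2008, 4, 14)
IDENTITIES = [
    Identity("p1", "employee", sponsor_id="p9"),
    Identity("p2", "contractor", sponsor_id="p1", separated_on=date(2008, 3, 1)),  # left; card never pulled
    Identity("p3", "employee", sponsor_id="p1"),                                   # converted from contractor
    Identity("p4", "contractor", sponsor_id="p5"),                                 # sponsor has since left
    Identity("p5", "employee", sponsor_id="p9", separated_on=date(2008, 2, 15)),
    Identity("p6", "employee", sponsor_id="p9"),                                   # reported card lost
    Identity("p9", "employee", sponsor_id="p9"),                                   # agency head, self-sponsored
]
CREDENTIALS = [
    Credential("c1", "p1", "employee", "active"),
    Credential("c2", "p2", "contractor", "active"),                 # orphaned: holder separated
    Credential("c3a", "p3", "contractor", "active"),                # orphaned: old contractor card
    Credential("c3b", "p3", "employee", "active"),
    Credential("c4", "p4", "contractor", "active"),
    Credential("c5", "p5", "employee", "terminated"),
    Credential("c6", "p6", "employee", "active", reported="lost"),  # orphaned: reported but still active
    Credential("c7", "p7", "contractor", "active"),                 # orphaned: nobody on the roster
    Credential("c9", "p9", "employee", "active"),
]

if __name__ == "__main__":
    for card, reason in orphaned_credentials(IDENTITIES, CREDENTIALS, AS_OF):
        print(f"terminate {card}: {reason}")
    print("identities without an accountable sponsor:", orphaned_identities(IDENTITIES, AS_OF))
    for row in ig_report(IDENTITIES, CREDENTIALS, AS_OF):
        print(row)
```

Run against the sample roster, the reconciliation flags four cards for termination (c2, c3a, c6, c7), one identity with no accountable sponsor (p4, whose sponsor p5 left in February), and an IG report with two rows: p2 left with a card still active, p5 left and is fully terminated. In a real deployment the roster would come from the HR feed and the inventory from the card management system; the join logic is what fuses the two processes the post says are not fused today.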