How much security is enough?

With the increased importance of outsourcing, cyber collaboration, information sharing, and legally binding digital signatures, your partners and clients share your risks and are now key stakeholders in this equation.

Prudent and transparent security is now a cost of doing business. Those that modernize now survive; those that don't, won't.

To modernize efficiently and effectively: 1) find a community that defines cyber security prudence, and 2) adopt enterprise architecture and project management practices to control your modernization initiatives.

Sunday, January 6, 2008

Certified Concrete Rafts - Don't let HSPD-12 become one at your agency

One of my favorite sayings is "You can certify a concrete raft, but would it float?" I picked this saying up some time ago when ISO 9000 was the big thing. Certifications are great, but they often don't tell us that we will get real results.

The saying is equally applicable to HSPD-12 today. Your agency is being measured by OMB based on the number of cards deployed. Your HSPD-12 system, whether turnkey or through GSA's managed service, is C&A'd, which means it is also certified.

So, your progress is certified by OMB and your system is certified by security, but are you getting real results from your identity management capability?

I am going to pick on one of many identity-related metrics to think about: the time it takes to revoke a contractor's smart card after they leave the service of your agency. Is it 1 minute, 1 day, 1 month, 1 year, or rarely?

I don't have actual numbers to back this up, but my SWAG is that agencies probably hit 1 day 5% of the time and 95% of the time it is closer to 1 year. Imagine the press if a terrorist were to obtain a super secure smart card that wasn't revoked and then used it to gain remote access to your agency, or even worse, use it to gain access to another agency that trusts your credentials.
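The revocation-latency metric above is easy to measure once the HR separation feed and the card management system's revocation records are joined on a card identifier. The following is an added example, not code from the post or from any HSPD-12 product: it uses constructed sample records (five card serials and timestamps invented for illustration) to compute the distribution over the post's own scale (1 minute, 1 day, 1 month, 1 year, never), the share meeting a one-day target, and the queue of departed holders whose cards are still valid.

```python
from collections import Counter
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not from the post). In practice the left-hand
# side comes from the HR separation feed and the right-hand side from the
# card management system or the CA's revocation records.
SEPARATIONS: Dict[str, str] = {
    "CARD-0001": "2008-01-02T09:00:00",
    "CARD-0002": "2007-12-15T17:30:00",
    "CARD-0003": "2007-06-01T08:00:00",
    "CARD-0004": "2007-01-04T12:00:00",
    "CARD-0005": "2006-11-20T10:00:00",
}
REVOCATIONS: Dict[str, str] = {
    "CARD-0001": "2008-01-02T09:00:30",  # revoked within a minute
    "CARD-0002": "2007-12-16T08:15:00",  # revoked the next morning
    "CARD-0003": "2007-06-20T09:00:00",  # revoked after ~3 weeks
    "CARD-0004": "2007-11-30T09:00:00",  # revoked after ~11 months
    # CARD-0005 has no revocation record at all
}

# The post's scale: 1 minute, 1 day, 1 month, 1 year, rarely/never.
BUCKETS: List[Tuple[str, timedelta]] = [
    ("within 1 minute", timedelta(minutes=1)),
    ("within 1 day", timedelta(days=1)),
    ("within 1 month", timedelta(days=30)),
    ("within 1 year", timedelta(days=365)),
]
NOT_REVOKED = "not revoked"
OVER_A_YEAR = "over 1 year"


def revocation_latency(separated_at: str, revoked_at: Optional[str]) -> Optional[timedelta]:
    """Time between HR separation and credential revocation; None if never revoked."""
    if revoked_at is None:
        return None
    return datetime.fromisoformat(revoked_at) - datetime.fromisoformat(separated_at)


def bucket_for(latency: Optional[timedelta]) -> str:
    """Map a latency onto the post's coarse scale."""
    if latency is None:
        return NOT_REVOKED
    for label, limit in BUCKETS:
        if latency <= limit:
            return label
    return OVER_A_YEAR


def latency_distribution(separations: Dict[str, str], revocations: Dict[str, str]) -> Dict[str, int]:
    """How many departed holders fall into each bucket."""
    counts: Counter = Counter()
    for card, separated in separations.items():
        counts[bucket_for(revocation_latency(separated, revocations.get(card)))] += 1
    return dict(counts)


def share_within(separations: Dict[str, str], revocations: Dict[str, str], target: timedelta) -> float:
    """Fraction of departed holders whose card was revoked within `target`."""
    hits = 0
    for card, separated in separations.items():
        latency = revocation_latency(separated, revocations.get(card))
        if latency is not None and latency <= target:
            hits += 1
    return hits / len(separations)


def outstanding_credentials(separations: Dict[str, str], revocations: Dict[str, str],
                            as_of: datetime, older_than: timedelta) -> List[Tuple[str, int]]:
    """Cards whose holder left more than `older_than` ago and which are still
    not revoked: the backlog to work down, oldest first (days outstanding)."""
    result = []
    for card, separated in separations.items():
        if card in revocations:
            continue
        age = as_of - datetime.fromisoformat(separated)
        if age > older_than:
            result.append((card, age.days))
    return sorted(result, key=lambda item: -item[1])


if __name__ == "__main__":
    now = datetime(2008, 1, 6, 10, 0, 0)  # constructed clock, the post's date
    for label, n in latency_distribution(SEPARATIONS, REVOCATIONS).items():
        print(f"{label:16s} {n}")
    print(f"revoked within 1 day: {share_within(SEPARATIONS, REVOCATIONS, timedelta(days=1)):.0%}")
    for card, days in outstanding_credentials(SEPARATIONS, REVOCATIONS, now, timedelta(days=1)):
        print(f"OUTSTANDING {card}: holder left {days} days ago, card still valid")
```

On the constructed data the one-day target is met for 40% of departures and one card has been valid for over a year after its holder left. The third function is the operational part: run against live records it produces the list of credentials that still need revoking, which is the real result the certification count does not show.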

Don't get me wrong. FIPS 201 smart cards are brilliant and are the biggest success story since the Internet. But if we stop short on our identity management capabilities now, then we can claim that 1) we deployed smart cards enterprise-wide and 2) we invented the first open standards smart card. This is okay. But what we can't claim is that 3) we heightened government security, significantly cut operating costs, and increased customer satisfaction.

What a powerful thing to say. Only clever ideas could satisfy such divergent goals simultaneously.

If you are like me, you would rather be known for #3. To get to #3, we must be persistent and carry on with modernizing our identity management capabilities. This won't be easy work. There are a lot of processes to tune, systems to link together, and data to cleanse. It can be done and it is worth doing well. If we stop short we won't achieve real results, and HSPD-12 becomes a concrete raft.