Identity and Access Management (IAM) is the art and science of ensuring that someone is who they say claim to be. This ensures that they have the correct level of access to systems and data – enough to do their job, but no more. IAM systems cover a wide range of features, but typically include:

Cybersecurity assessment initiatives and frameworks abound in the US government, the most important being the Federal Information Systems Management Act (FISMA), passed in 2002.  The law’s broad scope included a mandate to the US National Institute of Standards and Technology (NIST), charging it to create methods and standards to assess and optimize the cybersecurity posture of US government agencies.

“Hope for the best, plan for the worst”. This ancient principle still applies, especially for systems with high availability requirements. Principles are easy to quote, but how does an organization implement them effectively?

Cybersecurity endures as a top priority for federal agencies, the Trump administration, and Congress. So whatever other budget battles that might lie ahead, cyber will remain an important opportunity. In fact, two recent reports ought to scare the heck out of not just agency managers but pretty much every American.

The “Internet of Things”, or IOT: we’ve all heard the term, but what does it really mean? More importantly, how do we secure all of these … “things”?

Cell phones, tablets, wearables, and other mobile devices dominate our lives. I personally bring my trusty iPad to everywhere, and, like everyone else, have my phone with me at all times. The biggest attack surface for any enterprise, then, may well be these devices. How can we assess the threats? What are the components in need of protection? What are some key methods of protecting them?

Earlier this month, I wrote about the Zero Trust model for security. As I proceed through these daily blogs, I find many of them complement the ZT model; data security is one. Outside the IOT world, the goal of cybersecurity is to protect data. The Zero Trust model recognizes this and focuses on keeping security close to the asset, and portable.

Configuration management is a many-headed beast, but the biggest beast with the sharpest teeth is the patch monster.  Every day, a new vulnerability, a new patch – and an old decision:  patch and maybe break something (I’m looking at you, Spectre and Meltdown), or stay online and be vulnerable.  This model – “panic patching” -- is in wide practice, but not sustainable.  For now, an efficient and reliable system is essential; for the long term, we need an entirely new model.

By now, you’ve heard it a hundred times: the perimeter is breaking down, no more “crunchy outside” to protect a “chewy inside”, no more castle-and-moat model of network infrastructure security. If there is no inside and outside, then where do defenses belong? What security architectures make sense for such amorphous network?

Once upon a time, endpoint security was just a hall monitor: it watched for known bad files identified with a simple signature and sent you an alert when the file was blocked. To be safe, it would scan every machine daily, an intrusive activity that slowed down machines, and sped up the heart rates of affected users and hapless analysts at help desks.