As part of my studies at the University of Oklahoma Masters in the Public Administration Program, we were given access to exit poll information from the November 2020 Presidential Election. Coming into December, we can’t officially call the election over, at least until the lawsuits stop, but we can maybe start to examine how we got here. The reality is that faith in mass media has been declining for over 20 years with no real end in sight. The lack of trust impacts our country’s ability to trust other core institutions like our election infrastructure or health and safety programs. Who are the people that mistrust traditional news, and how did they come to be this way?
A while back, a tweet flashed across my timeline, and it got me thinking about ERP (Enterprise Resource Planning) security. An ERP system, a class of software dominated by SAP and Oracle’s PeopleSoft, is a tremendously large and complex collection of applications that drives nearly everything modern businesses do. Material management, financial transactions, operational systems, customer service, and human resources are all examples of business processes that are managed by ERPs.
- Identity is the modern perimeter and updating controls to account for changes in how organizations operate is required
- Coding / Scripting / API integration skills will make or break an IAM implementation
- Establishing RBAC is a skill an organization will have to grow into if the practice doesn’t already exist
- Using integrators or partners may get a deployment done faster but the price paid on the back end will be substantial
Defining the Problem
Identity sprawl, both within an organization and throughout the various SaaS (Software as a Service) and IaaS (Infrastructure as a Service) offerings, is challenging how most organizations manage access to data, processes, and administration interfaces. The phrase “identity is the new perimeter” may sound cliche, but it is entirely accurate when describing the boundary by which business systems are segregated from public access. While technologies such as MFA (Multi-Factor Authentication) and CASBs (Cloud Access Security Brokers) help fill gaps in the detection and prevention processes, reimagining an organization's existing identity processes can establish long-term security stability by ensuring users are given access only to what is needed, thus reducing the overall attack surface of the organization. However, this is easier said than done. Refreshing an identity management process is fraught with risks and challenges for organizations. While many excellent tools exist today, it’s important to prepare your organization for the difficulties that lie ahead so that it may be in the best possible position to succeed. Below are some thoughts and reflections on what our journey has looked like as we have labored to redefine how we manage identities both inside and outside of our organizational environment.
Technology has become ubiquitous across both private and public sectors as well as culturally within our nation. Technology gives those who wield it the ability to operate at a scale never before experienced. Advances in the utilization of technology have given organizations, including those in the public sector, the ability to deliver core services more efficiently and effectively than ever before. Recently, companies in the technology sector have begun to migrate their services to a model where their applications are hosted in the cloud and licensed on an annual subscription basis. The rapid migration to the new licensing type has created a problem for organizations with tight definitions and controls around how certain types of services receive funding. Namely, the migration from capital expenditures to a model dependent on operational and maintenance dollars has created a significant issue for the public sector and public sector dependent organizations.
Focus on ICS (Industrial Control System) security is higher now than it has ever been before. It seems nearly every security company on the planet now offers “ICS” capabilities to protect against threats in pretty much the same manner as IT (Information Technology). The growth in support is happening for a multitude of reasons, but primarily we see IT interacting more and more with OT (Operational Technology) as systems are upgraded to take advantage of newer technologies. Problems from integrating IT with OT arise, but what we need to consider is the impact on our friends in OT. The mere act of plugging in a blinking box within an ICS environment can only get you so far. Without a robust relationship infrastructure with OT, your security program is going to struggle to operationalize your security efforts within the ICS environment. Getting OT to work with you is easier said than done because in general… OT doesn’t trust IT.
There’s a cliche running around that all companies are turning into tech companies. While many may not agree with that statement, what is undeniable is that technology continues to be a driving force for companies seeking to produce more, at a faster rate while paying less. Finding efficiencies is the primary objective for organizations big and small, young and old. The rapid adaptations of business practices and services raise the level of difficulty for Information Security programs. Security is asked to provide visibility, prevention, and response services for environments that are ever changing and the truth is that technology itself is not enough to help us address our problems. We all instinctively know this, but it’s worth repeating. Human relationships are the cornerstone of an effective Information Security program.
Originally posted on February 24, 2018 at medium.com
In cyber security you can’t throw a rock without hearing a sales engineer mutter something about their platform and how, when fully implemented, it leads to a state of total Nirvana with unicorns, puppies, and absolutely no bad guys doing bad things. This isn’t a gripe about platforms. Honestly, they are really useful because properly implemented tools that are designed to work together can do great things. Platforms can reduce engineering overhead and simplify how business units view a security posture. Trust me… It’s much easier to get an additional feature through a license purchase than through an acquisition of new software / hardware.
Originally posted on August 17, 2017 at medium.com
I recently had the privilege of interviewing a handful of young future cyber security professionals for a security internship at my present employer. It is exciting to get to meet the next generation of engineers who will take the things that we have made into the future and combat threats that we cannot even begin to understand in terms of complexity and scale. Their journey starts now and with us, the existing cyber security community.