Tuesday, October 30

Surviving an Identity Audit

Smaller companies can feel overwhelmed by big-company issues. Although they don't have the reach of the Fortune 500, they still feel the effects of governmental and industry regulations: similar requirements with far fewer resources to get the job done.

In this whitepaper, Surviving an Identity Audit, I tried to help people at smaller organizations get their arms around some of the big challenges related to compliance. Specifically, the focus is on the identity portion of an IT audit.

Regulations such as SOX, HIPAA, GLBA and PCI-DSS have requirements and/or guidance that relate directly to IT – more specifically to information security. And digital identities are at the core of information security. So, an audit of an organization's identity infrastructure is a vital component of an IT audit or a larger regulatory audit.

In this paper, I cover the Identity Audit project lifecycle, leveraging a multi-regulatory approach, and creating a culture of compliance.


Tuesday, October 9

Securing borderless networks

Here's a nice blog entry on 10 ways to secure borderless networks. It could have been written by EMC/RSA, since it covers many of the capabilities they've been talking about for the past year (and for which they have pretty nice solutions).

The reason I mention this article is to re-raise the point that security needs to be handled from numerous directions and in numerous ways. No single security product prevents every type of attack or breach. People are mobile and our information is mobile, so a good security strategy needs to cover many fronts, from remote user authentication to data encryption.

One note to the author: MIIS/ILM is not a federation solution; it is a metadirectory and provisioning product. And while I'm on that subject, I wouldn't have included federation as a way to make systems more secure at all. Although one can argue that it gives the identity provider greater control over user accounts, it is primarily a solution that enables ease of use in a secure way rather than a solution for increased security.

And since that leaves an empty spot on the list, we could fill it with real-time user behavior monitoring, another good way to enhance security in a borderless environment.
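To make "user behavior monitoring" concrete, here is an added example (my own illustration, not code from this post or from the linked article) of the simplest useful form of it: build a per-user baseline of successful logins from a training window, then flag later logins that deviate on more than one dimension at once. The log lines are constructed for the example, the "/24 network" grouping, the one-hour tolerance on login time and the "two or more reasons" alert threshold are all assumptions chosen to keep the illustration small.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample login events (not real logs). A real deployment would read
# these from a SIEM, VPN concentrator or identity provider in near real time.
SAMPLE_LOG = """\
2012-10-01T09:02:11Z user=alice result=success src=203.0.113.10 country=US
2012-10-01T09:15:40Z user=alice result=success src=203.0.113.11 country=US
2012-10-02T08:58:03Z user=alice result=success src=203.0.113.10 country=US
2012-10-02T10:20:30Z user=bob result=success src=198.51.100.7 country=US
2012-10-03T09:05:00Z user=alice result=success src=203.0.113.12 country=US
2012-10-03T10:40:00Z user=bob result=success src=198.51.100.7 country=US
2012-10-04T03:12:44Z user=alice result=success src=192.0.2.55 country=RO
2012-10-04T03:13:01Z user=alice result=failure src=192.0.2.55 country=RO
2012-10-04T10:35:12Z user=bob result=success src=198.51.100.7 country=US
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+)$"
)


def parse(log: str) -> list:
    """Parse the constructed key=value log format into event dicts."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def network_of(src: str) -> str:
    """Group IPv4 sources by /24 (assumption: dotted-quad addresses)."""
    return src.rsplit(".", 1)[0]


def build_baseline(events) -> dict:
    """Per-user sets of networks, countries and login hours seen in successful logins."""
    base = defaultdict(lambda: {"nets": set(), "countries": set(), "hours": set()})
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts must not teach the baseline
        b = base[e["user"]]
        b["nets"].add(network_of(e["src"]))
        b["countries"].add(e["country"])
        b["hours"].add(e["ts"].hour)
    return base


def score(event: dict, baseline: dict) -> list:
    """Return the list of ways this event deviates from the user's baseline."""
    b = baseline.get(event["user"])
    if b is None:
        return ["unknown-user"]
    reasons = []
    if event["country"] not in b["countries"]:
        reasons.append("new-country")
    if network_of(event["src"]) not in b["nets"]:
        reasons.append("new-network")
    hour = event["ts"].hour
    # within one hour (wrapping around midnight) of any previously seen login hour
    if not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1 for h in b["hours"]):
        reasons.append("off-hours")
    return reasons


def detect(log: str, cutoff: str, min_reasons: int = 2) -> list:
    """Train on events before `cutoff` (YYYY-MM-DD), alert on later events
    that deviate in at least `min_reasons` ways."""
    cutoff_ts = datetime.strptime(cutoff, "%Y-%m-%d")
    events = parse(log)
    baseline = build_baseline(e for e in events if e["ts"] < cutoff_ts)
    alerts = []
    for e in events:
        if e["ts"] < cutoff_ts:
            continue
        reasons = score(e, baseline)
        if len(reasons) >= min_reasons:
            alerts.append((e["ts"].isoformat(), e["user"], e["result"], reasons))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, "2012-10-04"):
        print(alert)
```

Requiring two independent deviations keeps a single new coffee-shop network from paging anyone, while a night-time login from a never-seen country on a never-seen network (alice's last two events) is flagged even though one of them succeeded. The point is the one the post makes: this catches what a password check alone cannot, because the credential was valid.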