Posts by Greg Cranley

Greg Cranley is Senior Director, Federal & SLED Sales. A 30-year IT veteran, he has specialized in the issues of security and compliance for the public sector market for the last 15 years. An active presenter and blogger on cybersecurity and access management, he focuses on how public sector organizations can best deal with the multitude of federal cyber security compliance requirements while conceptualizing strategies against multi-pronged attacks.


Centrify Perspective

What are CDM and CRED?

By Greg Cranley, May 23, 2017

The Continuous Diagnostics and Mitigation (CDM) Task Order for CREDMGMT provides guidance and tools to federal civilian agencies to fulfill the Manage Credentials and Authentication (CRED) Function. This functional area is designed to prevent the binding of credentials to, or the use of credentials by, anyone other than the rightful owner (person or service). The approved tools provide careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights. The CRED capability ensures that account credentials are assigned to, and used by, authorized people or services. This solution relies on the results of the…

Centrify Perspective

Illinois Cyber Security Plan is Only a Partial Solution

By Greg Cranley, April 20, 2017

Recently, Illinois Governor Bruce Rauner unveiled a broad-based cyber security plan. He announced the framework of his team’s plan for better cyber security, but it only covers the executive branch agencies. This approach of only implementing a plan to provide cyber security tools to select areas and users because they are deemed more important is known as a “privileged user.” This is only a partial solution because everyone in the organization is a “super user” in today’s technology-driven organizations — everyone has a need to access technology that contains some level of meaningful information. All technology in organizations are…

Centrify Perspective

Commission on Enhancing National Cybersecurity: Implement MFA

By Greg Cranley, February 7, 2017

At the end of 2016, the Commission on Enhancing National Cybersecurity, a nonpartisan committee charged with developing actionable recommendations for securing and growing the digital economy, presented its report to then President Obama. While Obama has left office, the report still provides a valuable path towards ensuring cybersecurity, mapped out in a series of key action items. The most relevant for readers of this blog are found in Recommendation 1.3, summarized below. Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity…

Centrify Perspective

Time to Take Cybersecurity Seriously

By Greg Cranley, January 18, 2017

The recent Institute for Critical Infrastructure Technology (ICIT) White Paper titled “Cybersecurity Show Must Go On: Surpassing Security Theatre and Compliance and Minimal Compliance Regulations,” authored by James Scott, Sr. Fellow, ICIT, and Drew Spaniel, Researcher, ICIT, highlights organizations’ lack of commitment to invest in strong security tools that have real impact to their organization’s security position. Despite the cyber breaches over the last several years that confirm that identities are the root of most breaches, organizations fail to deal with the real problem head on. Organizations leverage technology to increase the productivity of associates that expand the perimeter to…

It's All About Identity

Good Cyber Hygiene: Everyone is a Privileged User

By Greg Cranley, December 14, 2016

Yesterday, ICIT published the first in a series of research reports as part of an identity management and cyber hygiene initiative, entitled, “ICIT Analysis: Identity and Access Management Solutions: Automating Cybersecurity While Embedding Pervasive and Ubiquitous Cyber-Hygiene-by-Design.” Wow, what a title. But worthy of the topic. ICIT Sr. Fellow James Scott and Researcher Drew Spaniel did a thorough job identifying the various pitfalls of cybersecurity and ensuring everyone in the organization cares about cyber hygiene and is on top of their game. They offered several good ideas to meet the needs of today’s environment, such as use a digital representation…

It's All About Identity

The Myth of Shared Account Password Management (SAPM)

By Greg Cranley, April 25, 2016

In a response to the OPM breach and Tony Scott’s 30-day sprint, many agencies invested in a SAPM solution to manage their privileged users. Unfortunately this does not meet the measure of the requirement of HSPD-12 and multi-factor authentication (MFA) everywhere and the CDM authentication and credential requirements. The reality is that SAPM solutions only cover 5%-10% of the problem. The need for a true Super User Privileged Management (SUPM) is the only way to ensure that everyone in every organization is using a smart card (CAC/PIV) and a PIN, plus a third level of authentication to access all resources….

Hot Topics

A Complete Identity Platform Can Reduce Risk for the Healthcare Industry

By Greg Cranley, January 21, 2016

As a Fellow of the Institute for Critical Infrastructure Technology (ICIT), I was able to contribute my expertise to the legislative brief entitled “Hacking Healthcare in 2016: Lessons the Healthcare Industry can Learn from the OPM Breach.” In the brief, the ICIT provides a comprehensive assessment of the threats and healthcare trends that have the greatest impact on health sector security, as well as solutions and strategies to improve resiliency. The report draws from the OPM breach, which is a prime example of the enormous consequences an organization can face by not maintaining and protecting integrated systems. Specifically, this brief…

Hot Topics

Plan to Secure Your Big Data Implementation and Meet Federal Compliance Mandates

By Greg Cranley, May 21, 2015

For years Centrify has been deployed to help secure access to Hadoop clusters, and my team has helped to configure and deploy Centrify and Kerberos within many of them. Initially our involvement often started as clusters moved from pilot to production. Our sense is that someone in IT asked the questions: “How are we going to secure access?” “How are we going to provision and de-provision?” “How does this fit within our security mandates?” Centrify is called in to address these concerns. In most cases it would have been better if we’d been involved earlier, so as to better understand implementation…