FedRAMP Compliance: Beyond the Letter of the Law

When I mention “compliance” to most people, I often get that cringe — the one that says “ugh, what a pain.” I’m empathetic to folks who are just trying to get the job done, and whose only interaction with compliance is being told somewhere along the line that they have got to jump through more hoops. But having lived in information security for several years, and having previously had some experience with risk frameworks and compliance efforts, I’ve developed a different viewpoint. My colleagues in security immediately understand and connect with the statement that with compliance, “there is the letter of the…

What are CDM and CRED?

The Continuous Diagnostics and Mitigation (CDM) Task Order for CREDMGMT provides guidance and tools to federal civilian agencies to fulfill the Manage Credentials and Authentication (CRED) function. This functional area is designed to prevent the binding of credentials to, and the use of credentials by, anyone other than their rightful owner (a person or a service). The approved tools manage credentials carefully, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights. The CRED capability ensures that account credentials are assigned to, and used by, authorized people or services. This solution relies on the results of the…

4 Reasons Why Security is Important for Innovation Management

Well, maybe we should start with, “What is innovation management anyway?” At its most basic, it is the purposeful organization and management of ideas within an organization to create meaningful change. Companies use it to gather new product ideas, improve processes and discover new markets and business models. The White House used innovation management processes to cut government spending, Home Depot used this process to identify new product lines, and the DREAMS Challenge used innovation management software to fund new projects that would halt the spread of HIV (just to name a few). But if innovation management often starts by…

Centrify Renews Commitment to Federal Information Processing Standards

The new release of Centrify Server Suite (CSS) 2017 contains an updated version of the Centrify Cryptographic Module, which provides the cryptographic services used within the suite. Just as we did with the previous version, this new crypto module has also received FIPS 140-2 validation, and its certificate #2844 has been posted on the NIST validation list. Federal Information Processing Standard (FIPS) Publication 140-2 is a US Government standard that specifies security requirements for cryptographic modules, and federal systems that use encryption to protect sensitive information are required to use FIPS 140-2 validated cryptographic modules. Centrify has hundreds of federal customers…

Commission on Enhancing National Cybersecurity: Implement MFA

At the end of 2016, the Commission on Enhancing National Cybersecurity, a nonpartisan committee charged with developing actionable recommendations for securing and growing the digital economy, presented its report to then-President Obama. While Obama has left office, the report still provides a valuable path towards ensuring cybersecurity, mapped out in a series of key action items. The most relevant for readers of this blog are found in Recommendation 1.3, summarized below. Recommendation 1.3: The next Administration should launch a national public–private initiative to achieve major security and privacy improvements by increasing the use of strong authentication to improve identity…

Centrify Co-Chairs the 2017 ICIT Winter Summit

Once again, we find ourselves at that stage in the political cycle when the new administration is taking office. That means a revised look at everything — from the economy, to the markets, to the health of our industries. And an evaluation of how effectively we’re protecting all of the above. It is no surprise that cybersecurity is top of mind due to several recent high-profile breaches, many of which were mentioned in our end-of-the-year wrap-up. Perhaps no cybersecurity events were as disturbing as those surrounding the 2016 election. It turns out that many of these attacks would have been…

Time to Take Cybersecurity Seriously

The recent Institute for Critical Infrastructure Technology (ICIT) White Paper titled “Cybersecurity Show Must Go On: Surpassing Security Theatre and Compliance and Minimal Compliance Regulations,” authored by James Scott, Sr. Fellow, ICIT, and Drew Spaniel, Researcher, ICIT, highlights organizations’ lack of commitment to invest in strong security tools that have a real impact on their security posture. Despite the breaches of the last several years confirming that compromised identities are at the root of most breaches, organizations fail to deal with the real problem head on. Organizations leverage technology to increase the productivity of associates that expand the perimeter to…

Good Cyber Hygiene: Everyone is a Privileged User

Yesterday, ICIT published the first in a series of research reports as part of an identity management and cyber hygiene initiative, entitled “ICIT Analysis: Identity and Access Management Solutions: Automating Cybersecurity While Embedding Pervasive and Ubiquitous Cyber-Hygiene-by-Design.” Wow, what a title. But worthy of the topic. ICIT Sr. Fellow James Scott and Researcher Drew Spaniel did a thorough job of identifying the various pitfalls of cybersecurity and of making sure everyone in the organization cares about cyber hygiene and stays on top of their game. They offered several good ideas to meet the needs of today’s environment, such as use a digital representation…

Shared Account Password Management in the Federal Government: Then and Now

One of my first consulting jobs involved installing agents on Unix servers, a procedure which required root access. I still remember the first time I was onsite at a military base to help a customer install the software because it was also my first experience with a physical vault that stored computer passwords. When it came time to enter the root credentials, my client made a phone call, and then another person came in from down the hall, opened a wall safe using a memorized combination and pulled out a folder. This person verified my client’s badge…