Category Archives: News and Info

AoIS Resurrection… to

As you may have noticed there has been no activity on Art of Information Security for a long time. Things got really busy in my work and personal lives, and well, something had to give.

One of those changes is a move to the Security and Risk Management Strategies team at Gartner. I will be blogging there (link). So, if you have been a fan of the content on Art of Information Security, please keep an eye there.

My current coverage areas include:

1. IT GRC practice strategy
2. IT Risk Management (and measurement)
3. Assessing cloud risk decisions
4. Cryptographic controls and key management
5. Application security

All the best.

Cheers, Erik

((AoIS Webcast)) Cryptography: Issues and Insight from Practical Implementations

Kevin Flanagan and I delivered a presentation on Cryptography at this year’s RSA 2010. Now, doing a cryptography presentation at RSA is a bit like putting a target on yourself that says “please shoot me down!”. Well, the presentation was very well received, and the RSA conference folks have asked Kevin and me to do an encore presentation via Webcast. A few quick facts:

This is not your math teacher’s Cryptography presentation!
The core of this presentation is about discussing the various points in an application where a cryptographic control, primarily encryption, can be applied. Kevin and I walk through an expanded version of the 3-tier application architecture. We go beyond discussing the encryption controls available to the web server, application server, and database backends, to expand our scope to include the PC, storage, backup, and file systems. At each point we will discuss the kinds of controls that can be applied, the risks that those controls help manage, and risks which are ofttimes overlooked and remain.

This presentation is more focused than the RSA version from March.
In our presentation in March we tried to also include an introduction to Key Management. This proved to be too much to bite off, so we have pruned that material from the presentation that is planned for the Webcast. Kevin and I may be submitting a presentation proposal for RSA 2011, 100% dedicated to Key Management. (Feedback on that idea would be of great value… Feel free to comment below.)

In fact, I am always interested in feedback from readers of AoIS. So, if you tune in to the Webcast, please drop me a note. I personally find web and teleconference presentations much more difficult than the in-person kind…

When and Where?
The Webcast is this Wednesday (June 23, 2010) at 1:00 PM EDT, 10:00 AM PDT, 5:00 PM GMT.
Here is a link to the registration: Webcast: Cryptography: Issues and Insight from Practical Implementations

Cheers, Erik

Add Some Architecture to RSA 2010

Once again the RSA Conference is giving Dan Houser and me the opportunity to provide a one-day Identity Management Architecture tutorial. One-day tutorials can be added to your RSA Conference registration for a small fee. These sessions are designed to provide more depth and detail on particularly important topics.

This year’s program is titled “Foundations for Success: Enterprise Identity Management Architecture”, and the content follows the successful pattern of past years. The morning will focus on establishing a base of understanding, and the afternoon will be spent covering modules selected by the attendees (the description from the RSA website is attached below).

This year I am especially excited as I am leading a major Information Security infrastructure initiative that involves the complete build out of the Information Security stack for a new company (actually a $2.4B spin-off). I have just completed full requirements, RFP, and the product selection cycle for an Identity Management solution. At the time of the class, I will be at the mid-point of the provisioning system’s deployment, and will have Password Vaulting in production. This project has been a source of great challenges and new insights, all of which I hope to bring with me on March 1st (well, the insights anyway).

Identity Management is at the core of a successful Information Security program. In many ways, it is the primary technical control for policy enforcement and oversight. In addition to the important role Identity Management plays in risk management and oversight, many of your business partners think of Identity Management “as” Information Security. The question of “how do I get access to X” is a question near and dear to the heart of your business partners. Many of the security controls we all work with day to day are largely invisible to business partners, but password problems, access request delays, and audit findings are very visible to them.

Information about the tutorial is available from the RSA 1-Day Tutorials page, but here is a copy of the tutorial description:

Tutorial ID: TUT-M21

Foundations for Success: Enterprise Identity Management Architecture

Identity and Access Management is the foundation for access controls in the Enterprise, a mission-critical IT function that is both the lifeblood of your business, and a frustrating and difficult beast to tame. Your IdM infrastructure is more complicated, with more moving parts, and more partners across the enterprise, than any other security related service.

This interactive session, taught by experienced IdM veterans and practitioners, provides an architectural view to resolving identity challenges, and will provide detailed and informative discussions on directory services, web access management, Single Sign-on, federated identity, authorization, provisioning and more. The morning session will provide an overview of the foundations of IdM, while the afternoon will provide a customized, detailed and interactive session focused on the specific identity disciplines participants find most challenging.

This workshop will cover:

  • Principles of Identity and Access Management and implementation strategies
  • Infrastructure architecture — critical underlying processes to run a successful enterprise
  • Web-based authentication & Web Access Management
  • Selling Identity strategy in the C-suite
  • Directory Services – Enterprise, meta-directories and virtual directories
  • Provisioning – managing the processes of Identity and Access Management
  • Identity mapping and roll-up
  • Detailed Single Sign-on strategies: Getting off Identity islands
  • Detailed Federated Identity discussion and case studies
  • Gritty Reality of Federation SSO: Lessons learned from 14 major federation projects
  • Multi-factor authentication: biometrics, tokens & more
  • Functional IDs – real world considerations of this often forgotten access control
  • User Access Audit: Proving only authorized users have access
  • Auditing the identity systems

Key Learning Objectives:
Participants should have a basic background in Information Security, IT systems, and identity management. After the class, participants should feel well grounded in identity management, understand the broad landscape from both a technical as well as a business perspective, and have gained practical insight into the strategies which will enable them to meet identity challenges in their organization.


Max the Identity & Access Management in Your RSA 2009…

If you are attending the Pre-Conference 1-day Tutorial, Building an Enterprise-Strength Identity & Access Management Architecture, that Dan Houser and I are co-teaching at RSA 2009, please take a moment to drop me a note (using the “Contact Erik” link from the site). This year’s class is going to be much smaller than last year’s and should allow for more interaction. As a result, I would like to take the opportunity to maximize the value of that increased interaction, and knowing in advance what topics are top-of-mind for participants will help.

If you are attending RSA 2009, and plan to be in San Francisco all day on Monday, take a look at the available Pre-Conference 1-day Tutorials (RSA has added a number, and there are many to choose from). There is an additional fee for these Tutorials, but based on the feedback from last year’s class, it was worth it.

Neither Dan nor I work for a vendor or supplier in the space. We both work for Fortune 500 corporations that have real-world Identity and Access Management challenges (with real-world obstacles). If you are a LinkedIn member, my profile (link) has some endorsements related to this class, as well as other presentations.

Cheers, Erik

Lie Detector Libel

I noticed a posting on Slashdot (link) this morning regarding a gag order on an article that was to be published in a peer-reviewed scientific journal but has been suppressed. The article was critical of lie detector technology, and evidently provided information debunking it.

More information is available here: Stockholm University article.

The thing I find most interesting about this is that the US Supreme Court has already determined that Lie Detectors are unreliable. From the Wikipedia article on the polygraph:

In the 1998 Supreme Court case, United States v. Scheffer, the majority stated that “There is simply no consensus that polygraph evidence is reliable” and “Unlike other expert witnesses who testify about factual matters outside the jurors’ knowledge, such as the analysis of fingerprints, ballistics, or DNA found at a crime scene, a polygraph expert can supply the jury only with another opinion…”.

One of the things I find most interesting about the challenge of “testing” lie detectors is that no test, such as the tests performed by Emily Rosa to debunk Therapeutic Touch, has ever been offered which can objectively demonstrate that they even work.

Cheers, Erik

AoIS upgrade to Ubuntu 8.10 Complete!

My apologies for the slight outage of Art of Information Security last night; I had an almost flawless transition from the older version of Linux to Ubuntu 8.10.

The Beauty of Virtualization
AoIS is hosted by Linode, which is a Linux virtual host service provider. The beauty of this was the fact that I could:

  • Spin up a new host in 10 min
  • Configure and test the box, without interrupting the “hot” server
  • Move the configuration, data, sites, etc.
  • Test, test, test
  • Transition the IP addresses

All of the advantages of having a clean, freshly built physical server, but at a pro-rated cost of under $5!

FYI… As this is a security blog, you can imagine that I am somewhat obsessed with OS protection; more on that soon…

Cheers, Erik

Congratulations, Rebecca!

Rebecca Herold (aka The Privacy Professor) has just been recognized by a Computerworld survey as one of the “Top Privacy Advisors in 2008” (link to article). Congratulations, Rebecca!

I had the pleasure of working with Rebecca on a paper earlier this year. Rebecca and I were among the collaborators on a paper focused on generating organizational support for Information Security Awareness efforts (link to paper) for ENISA (the European Network and Information Security Agency). The effort greatly benefited from her participation. And after collaborating with her, it is clear to me why she would have been nominated for and received the high marks she did in the Computerworld survey.

Rebecca is also the author of Managing an Information Security and Privacy Awareness and Training Program. I purchased a copy of this book while working on the ENISA paper, and wow, is it a detailed guide to managing these programs. Rebecca has included information from the high-level “concepts” down to detailed sample checklists and plans.

Congratulations again!

FYI, for additional information:

Cheers, Erik