SaaS and Web Single Sign On

Synchronization enforces control for cloud integrated IDaaS and Access Management (SSO)

When Olympic rowers glide across the water’s surface at speeds of more than 25 mph, it’s because all the crew are in sync with one another. It’s a collaborative effort. As appropriate…if you are of a certain age and watched films in science class, the guy in the lab coat would be speaking but his words would burble out a second or two later. Not only is the sync off, but the power of the message of symbiosis is gone too. And in cloud

Mirror Mirror: the difference between Identity Management & Access Management

One of the biggest misconceptions in cloud security is the perception that identity management (IDaaS) and access management (SSO) are the same thing. They’re not. And it took a viewing of the famous Star Trek episode called Mirror Mirror for me to best illustrate and articulate the difference between the creation and management of a user account and credentialed rights and the funneled applications that entity is allowed to see. For those unfamiliar with the episode, it’s the one where Kirk is transported into an

Erasing the Identity Blind Spot

Security is not an all-or-nothing proposition. And that’s part of the problem. It creates blind spots: gaps in coverage that leave you vulnerable. Partly this is because of the inherent complacency that sets in after a company institutes a new security initiative: the belief that hackers will now be held at bay, that employees won’t be tempted to make off with a database, or that a hundred other internal or external threats have been handled. I have long promoted that security is as much about planning and process as it is about the various solutions that are deployed to

Brass tacks: answering the cloud security questions that matter

Enterprise security can be a labyrinthine, complex beast with many moving parts, dozens upon dozens of requirements, needs, implications, options and alternatives. But when we get down to the nitty gritty (the brass tacks, if you will), cloud security can be simplified to six simple questions: WHO is logging in? WHAT are they accessing/viewing? WHERE is the device from which that person logs in? WHEN was any asset changed/modified/moved? HOW are they authorized/credentialed? WHAT is the impact of the event? Now determining the answers to

The Secret Sauce of User Provisioning

If you want the secret to user provisioning and de-provisioning in an enterprise setting, I’ll give you the one word answer, and then you can get on with the rest of your day… Integration. However, if you need to know why, how and with what…read on. The need to credential authorized users to your network and other proprietary assets is clear. You only want those with the proper rights in…and all others out. Complicating matters is that there are so many users these days…employees, channel

Supporting CIO strategies and priorities from the cloud-Part 1

The biggest eye-opener in Gartner’s recently-published study on the current agenda regarding the digital landscape for Chief Information Officers is that CIOs recognize that cloud computing will not only be a significant part of the future, but that their own roles and behavior need to be updated to survive in the modern enterprise. “CIOs will have to develop new IT strategies and plans that go beyond the usual day-to-day maintenance of an enterprise IT infrastructure…. technologies provide a platform to achieve results, but only if

Sailing the 7 C’s of security monitoring

What is it your mom used to say? “A watched pot never boils.” This might be true, but a watched pot also never spills; it never lets your younger sister stick her hand in the hot water; it keeps Uncle Jack from tasting before dinner is ready; and if something unforeseen happens, there is time to mitigate the problem. One of the established best practices in InfoSec is monitoring. People, products and companies get paid a great deal of money and expend a great deal

Adaptive Risk: Making sure you are who you say you are

Does this sound familiar? Ann, sitting at her desk eating lunch, is surfing the Net. She checks her personal Yahoo email account and sees a message from a purported survey company asking her about her music preferences. She opens the email and takes the survey. Seems harmless enough, but what Ann doesn’t know is that this survey company doesn’t exist, and embedded in some of the survey prompts was undetected botnet malware that downloaded onto her desktop. This nasty bugger can record her keystrokes and

My Security Playlist: now playing Access Management

While I peruse my morning inbox, I enjoy listening to music on my iPod. It just so happens this morning’s first random selection served as the inspiration for today’s blog: Let ‘Em In by Paul McCartney & Wings. “Someone’s knockin’ at the door / Somebody’s ringin’ the bell / Do me a favor, / Open the door and let ‘em in!” There is nothing more damaging to the overall enterprise operation and business reputation than permissive access policies. Considering all the entry points, from applications to social

So, just what is REACT? And why does it matter?

Last week I published an article about a new unified security platform called REACT (Realtime Event & Access Correlation Technology). All in all, it received some very positive notices, but it also raised some questions as to what exactly the platform is and why it should matter. Simply put, REACT is an approach whereby an organization leverages the capabilities of several security solutions into one central correlated repository of security intelligence. For instance, key information from an Access Management tool (such as SaaS SSO logins or
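To make the correlation idea concrete, here is an added example that is not REACT’s code nor anything from the original posts. It joins two constructed feeds, an IDaaS provisioning feed (account lifecycle) and an SSO login feed, and answers the six brass-tacks questions from the earlier post for each login: who, what, where, when, how, and impact. The synchronization gap the first post warns about shows up directly: a user that IDaaS has deprovisioned but SSO still lets in, or an SSO account that IDaaS never provisioned at all. The feed formats, field names, and the country/MFA heuristic are all assumptions made for the example.

```python
"""Correlate SSO login events with IdM account state (added example)."""
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed IdM (IDaaS) provisioning feed: account lifecycle changes.
IDM_EVENTS = [
    {"ts": "2024-03-01T09:00:00+00:00", "user": "ann", "status": "active"},
    {"ts": "2024-03-01T09:00:00+00:00", "user": "bob", "status": "active"},
    {"ts": "2024-03-10T17:30:00+00:00", "user": "bob", "status": "deprovisioned"},
]

# Constructed SSO (Access Management) login feed.
SSO_EVENTS = [
    {"ts": "2024-03-05T10:12:00+00:00", "user": "ann", "app": "crm",
     "country": "US", "auth": "password+mfa", "result": "success"},
    {"ts": "2024-03-11T08:05:00+00:00", "user": "bob", "app": "hr-portal",
     "country": "US", "auth": "password", "result": "success"},
    {"ts": "2024-03-12T02:40:00+00:00", "user": "ann", "app": "crm",
     "country": "RO", "auth": "password", "result": "success"},
    {"ts": "2024-03-12T03:00:00+00:00", "user": "carol", "app": "crm",
     "country": "US", "auth": "password+mfa", "result": "success"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def account_timeline(idm_events: List[dict]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Per user, the ordered list of (time, status) changes from the IdM feed."""
    timeline: Dict[str, List[Tuple[datetime, str]]] = {}
    for e in sorted(idm_events, key=lambda e: parse_ts(e["ts"])):
        timeline.setdefault(e["user"], []).append((parse_ts(e["ts"]), e["status"]))
    return timeline


def status_at(timeline, user: str, when: datetime) -> str:
    """IdM status of `user` at time `when`; 'unknown' if IdM never saw the user."""
    status = "unknown"
    for ts, st in timeline.get(user, []):
        if ts <= when:
            status = st
        else:
            break
    return status


def correlate(idm_events: List[dict], sso_events: List[dict]) -> List[dict]:
    """Join SSO logins against IdM state and return findings answering
    WHO / WHAT / WHERE / WHEN / HOW / impact for each suspicious login."""
    timeline = account_timeline(idm_events)
    seen_countries: Dict[str, set] = {}   # per-user baseline (assumed heuristic)
    findings = []
    for e in sorted(sso_events, key=lambda e: parse_ts(e["ts"])):
        if e["result"] != "success":
            continue
        when = parse_ts(e["ts"])
        base = {"who": e["user"], "what": e["app"], "where": e["country"],
                "when": e["ts"], "how": e["auth"]}
        st = status_at(timeline, e["user"], when)
        if st == "deprovisioned":
            # IdM removed the account but SSO still granted access: sync gap.
            findings.append({**base, "impact": "high",
                             "reason": "login after IdM deprovisioning"})
        elif st == "unknown":
            # SSO knows a user IdM never provisioned: orphan/local account.
            findings.append({**base, "impact": "high",
                             "reason": "login by account unknown to IdM"})
        prior = seen_countries.setdefault(e["user"], set())
        if prior and e["country"] not in prior and "mfa" not in e["auth"]:
            findings.append({**base, "impact": "medium",
                             "reason": "login from new country without MFA"})
        prior.add(e["country"])
    return findings


if __name__ == "__main__":
    for f in correlate(IDM_EVENTS, SSO_EVENTS):
        print(f)
```

Run as-is it reports three findings: bob’s post-deprovisioning login, ann’s first login from a new country on a plain password, and carol’s login from an account IdM has no record of. The first and third are exactly the conditions an IdM-to-SSO synchronization is supposed to prevent; the middle one is the kind of adaptive-risk signal that only appears once login data is correlated over time rather than read one event at a time.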