I was reading about the former Coke employees trying to sell secrets to Pepsi. I don't know what they were thinking. I mean do you really think that two corporations that have been in business for decades, with a global presence, and a lot to lose would participate in something like this? The competition may be fierce, but it is done above board. That's the way most companies have to operate if they want to stay in business.
This incident, as well as every data breach that has happened in the past few years, points out that Identity and Trust are the components that make up the next iteration of Identity: Enforcement.
Once we determine identity and ultimately trust, we move into a reactive posture/mode of assessment, validation, authentication, and making sure that things are as they need to be. If something happens, we react, put out fires, sign up for identity theft credit monitoring, add some new technology into the mix, and scream at vendors until some other poor organization grabs the headline and takes the spotlight. Reactive is OK, but it doesn't use the power of identity, which I believe ultimately is enforcement of access to data where it lives.
I have stayed off my TNT soapbox on this blog, but with the headlines I've seen in the past 24 hours from the IAPP, and a host of other places, I am going to go on a rant here - you can stop the madness, you can protect your assets, you can become proactive in your access management, and you can do it very quickly with a single platform solution.
The concept is simple, the technology deploys in hours or days depending on size of organization, and is competitively priced at $25-250K for most deployment scenarios. So what do you get?
You protect servers, applications, and data from unauthorized access
You control who, from what device, has access to what servers and applications
You report on all valid and invalid connections and connection attempts
You report on who accessed what by user, by group, and/or by device
You enforce IDENTITY BASED access policy in the network layer. If you aren't a known or trusted USER or a known or trusted MACHINE you can't see, ping, or access the IT assets of the organization.
Case in point: Coke's secrets are kept on a handful of servers that sit behind the TNT appliance. Only specific individuals from specific machines can even see, let alone access, the servers and the apps and data contained on them. In their specific case that executive would have access to the secrets, but their Admin would not, even if the Admin had the username and password for the Executive.
I could go on about this all day long and discuss at least a dozen scenarios where I can help. The bottom line is: get serious about identity management and figure out how you will add value to the organization beyond an IdM deployment. Look at enforcement - it will keep you out of the papers, and cost SIGNIFICANTLY less than even the spin control on a breach. And by the time the next company grabs the headlines, your solution will be deployed.
identitystuff @ gmail.com