April 2011 Archives

U.S. Commerce Secretary Gary Locke last week announced the release of the National Strategy for Trusted Identities in Cyberspace (NSTIC) during an event sponsored by the U.S. Chamber of Commerce. The event appears to have been your standard hoopla affair, and comes a couple months after circulation of the initial draft. You can read the NSTIC strategy in its entirety here.

Overall, NSTIC is an interesting effort undertaken by the federal government in recognition of the myriad failures limiting the growth of safe, secure online transactions today. In particular, the report puts a major emphasis on the continued use of passwords, and in the need for individuals to have unique credentials for the dozens of sites they interact with on a regular basis. Most people make use of unsafe computing practices, reusing passwords and/or choosing week, but easily remembered, credentials.

I had an epiphany while researching an upcoming talk on cloud security. As part of my research I decided it was time that I finally dig into the Cloud Security Alliance (CSA) efforts to find out what exactly was out there and to become a bit more knowledgable. It turns out, unsurprisingly, that it's mostly straightforward. However, one thing really jumped out at me: GRC is fundamental to managing cloud-based services!

I've known for a while that legal - and, by extension, legal compliance - was an important component to a cloud security strategy, but I'd never really thought about the overall role of GRC. Now that I've had a little time to mull things over, it's really struck me that GRC is extremely important - possibly even the most important - part of your cloud security strategy. Let me explain...

I've already written a bit about how we've gotten to where we are today in the infosec industry, as well as having talked a bit about my definition of GRC as a discipline. However, I think there's value in taking things a step further to delve into what exactly is meant by these three little letters. Specifically, there are some differing opinions on what GRC really means, for which I think it's instructive to spend some time reviewing these definitions with an eye toward finding some practical guidance.

For those who might be wondering, we're again talking here about GRC the discipline and not so much GRC the platform, though we certainly need to consider the platform in a historical context. Most organizations come to GRC as a buzzword-compliant topic via vendor solutions, even though they've been doing some, if not all, of the GRC activities for quite some time. It's from this point that we will start.