April 2011 Archives

Identity Crisis: The Delusion of NSTIC

U.S. Commerce Secretary Gary Locke last week announced the release of the National Strategy for Trusted Identities in Cyberspace (NSTIC) during an event sponsored by the U.S. Chamber of Commerce. The event appears to have been your standard hoopla affair, and comes a couple months after circulation of the initial draft. You can read the NSTIC strategy in its entirety here.

Overall, NSTIC is an interesting effort undertaken by the federal government in recognition of the myriad failures limiting the growth of safe, secure online transactions today. In particular, the report puts a major emphasis on the continued use of passwords, and on the need for individuals to have unique credentials for the dozens of sites they interact with on a regular basis. Most people make use of unsafe computing practices, reusing passwords and/or choosing weak, but easily remembered, credentials.

GRC and Cloud Security

I had an epiphany while researching an upcoming talk on cloud security. As part of my research I decided it was time that I finally dig into the Cloud Security Alliance (CSA) efforts to find out what exactly was out there and to become a bit more knowledgeable. It turns out, unsurprisingly, that it's mostly straightforward. However, one thing really jumped out at me: GRC is fundamental to managing cloud-based services!

I've known for a while that legal - and, by extension, legal compliance - was an important component to a cloud security strategy, but I'd never really thought about the overall role of GRC. Now that I've had a little time to mull things over, it's really struck me that GRC is extremely important - possibly even the most important - part of your cloud security strategy. Let me explain...

GRC: What Does It Mean?


I've already written a bit about how we've gotten to where we are today in the infosec industry, as well as having talked a bit about my definition of GRC as a discipline. However, I think there's value in taking things a step further to delve into what exactly is meant by these three little letters. Specifically, there are some differing opinions on what GRC really means, and I think it's instructive to spend some time reviewing these definitions with an eye toward finding some practical guidance.

For those who might be wondering, we're again talking here about GRC the discipline and not so much GRC the platform, though we certainly need to consider the platform in a historical context. Most organizations come to GRC as a buzzword-compliant topic via vendor solutions, even though they've been doing some, if not all, of the GRC activities for quite some time. It's from this point that we will start.

About this Archive

This page is an archive of entries from April 2011 listed from newest to oldest.
