Zero Factor Authentication

There is an important difference between “identification” and “authentication.”  Identification is how a particular object (such as a person, a device, or a program) is referenced.  The name badge worn by doctors and nurses in a hospital is a good example.  Because of the way that identities are used to…

Define: PCI Service Provider

A PCI Service Provider is a “Business entity that is not a payment brand, directly involved in the processing, storage, or transmission of cardholder data on behalf of another entity. This also includes companies that provide services that control or could impact the security of cardholder data. Examples include managed…

Check Multiple AWS S3 Buckets for Missing Default Encryption

Amazon Web Services has made it easy to implement encryption-at-rest for S3 buckets, but older S3 buckets may have predated this feature enhancement.  If you have a large number of buckets, this could be a tedious thing to check via the console.  Here is a simple one-liner to check all…
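The excerpt above cuts off before the post's own one-liner, so the script below is an added example written for this page, not the command from the original post. It walks every bucket the caller can list, asks each one for its default-encryption configuration, and reports the buckets that have none. It assumes the AWS CLI (v2) is installed and that the credentials in use carry s3:ListAllMyBuckets and s3:GetEncryptionConfiguration; the function and script names are my own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list S3 buckets that lack a
# default (bucket-level) server-side encryption configuration.
# Assumes AWS CLI v2 and credentials with s3:ListAllMyBuckets and
# s3:GetEncryptionConfiguration. Usage:  bash check_s3_default_encryption.sh scan [all]
set -u

# Turn the outcome of one `aws s3api get-bucket-encryption` call into a verdict.
#   $1 = exit status of the call, $2 = its combined stdout/stderr text.
# Prints exactly one of:  MISSING | ENCRYPTED:<SSEAlgorithm> | ERROR:<first line>
classify_encryption_result() {
    local status="$1" output="$2" alg
    if [ "$status" -eq 0 ]; then
        # Success: the JSON reply carries the algorithm (AES256 or aws:kms).
        alg=$(printf '%s' "$output" | sed -n 's/.*"SSEAlgorithm": *"\([^"]*\)".*/\1/p' | head -n 1)
        printf 'ENCRYPTED:%s\n' "${alg:-unknown}"
    elif printf '%s' "$output" | grep -q 'ServerSideEncryptionConfigurationNotFoundError'; then
        # This specific error is how the API says "no default encryption is set".
        printf 'MISSING\n'
    else
        # AccessDenied, throttling, wrong region, etc.: never silently count as fine.
        printf 'ERROR:%s\n' "$(printf '%s' "$output" | head -n 1)"
    fi
}

# Query one bucket and print "<bucket> <verdict>" (bucket names never contain spaces).
check_bucket() {
    local bucket="$1" output status
    if output=$(aws s3api get-bucket-encryption --bucket "$bucket" --output json 2>&1); then
        status=0
    else
        status=$?
    fi
    printf '%s %s\n' "$bucket" "$(classify_encryption_result "$status" "$output")"
}

# Walk every bucket the credentials can list. By default only MISSING and ERROR
# buckets are printed; pass "all" to also print the encrypted ones.
scan_all_buckets() {
    local show_all="${1:-}" bucket line verdict
    for bucket in $(aws s3api list-buckets --query 'Buckets[].Name' --output text); do
        line=$(check_bucket "$bucket")
        verdict=${line#* }
        case "$verdict" in
            ENCRYPTED:*)
                if [ "$show_all" = all ]; then printf '%s\n' "$line"; fi ;;
            *)
                printf '%s\n' "$line" ;;
        esac
    done
}

# Only talk to AWS when explicitly asked, so the functions can be sourced or tested offline.
if [ "${1:-}" = "scan" ]; then
    scan_all_buckets "${2:-}"
fi
```

Two practical caveats. First, treat ERROR rows as findings in their own right: a bucket the scanning role cannot read is a bucket you have not verified, and a plain one-liner that greps for "NotFound" will quietly skip it. Second, since January 2023 Amazon S3 applies SSE-S3 (AES256) to every bucket that has no explicit configuration, so on a current account the MISSING case is rare and the useful signal is usually whether the verdict is ENCRYPTED:aws:kms where your policy requires KMS-managed keys.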

Linux Hardening

From a compliance perspective, organizations need a hardening standard derived from an authoritative source, together with solid engineering-based reasons for any departure from its recommendations.  Most organizations use the Center for Internet Security (CIS) Hardening Benchmarks because that choice is easy to defend.  The CIS benchmarks…

FIPS 140-2 in a Nutshell

The US Federal Government requires that its agencies protect sensitive but unclassified information using cryptographic modules that have been validated to Federal Information Processing Standard (FIPS) 140-2, “Security Requirements for Cryptographic Modules.”  This standard replaced its predecessor, FIPS 140-1 (and has itself since been superseded by FIPS 140-3).  In this context, the term “validated” means tested by accredited testing…

The Encryption Magic Bullet

This post responds to a number of discussions I have had lately with customers, executives, salespeople, and even engineers working on security projects for a variety of companies.  Sometimes, it seems, encryption is positioned as the “Magic Bullet” that will cure…

The Contracting Life Cycle

Just as there is a life cycle for software development, there is a life cycle for contracting, and this cycle must be managed as well to assure information security for the organization.  While there are a variety of formal models promoted by contract management software vendors, the typical phases include:…