This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Michael Coady, a world-renowned security expert.

Michael Coady is a Vice President with Computer Associates Int. Security Practice with 17 years of Privacy and Technology experience. During the past 12 years he has worked with two Big Five Firms and led Forensics and Security investigations both in the public and private sector. Michael has worked with Computer Task Forces around the world and has developed an enterprise security methodology to help mitigate risks to companies.

Mr. Coady has worked with many U.S. and European based clients implementing the European Privacy Directive in the early 1990�s.� He is a renowned International Speaker for Privacy and Security, and widely acknowledged US expert as it relates to HIPAA, GLBA, EUPD and PIPEDA compliance. Due to his notable expertise, Michael is a keynote speaker at a variety of industry conferences and events including at the 2005 e-Financial WorldExpo, October 27-28 in Toronto.

Michael has managed over 60+ Health Insurance Portability and Accountability Act (HIPAA), EU Privacy Directive (EUPD) and Gramm-Leach-Bliley Act (GLBA) engagements in the US for clients in the public and private sector.

Discussion:

Q: Considering your very heavy schedule, thank you for taking the time to share your unique and valued expertise with our audience.

A:� You�re welcome, thank you for having me.

Q: What were three of the most significant events in your career that led to your current position and international profile as an elite expert in the field? What lessons can you pass onto those who are building their careers?

A:� I was very fortunate to be given an opportunity when I was hired by KPMG 12 years ago as a manager. During my tenure at KPMG I had a great partner, (Art Serafine). who taught me some basic lessons about the consulting industry that continue with my approach to my professional career today:

1. Clients have to trust you.
2. Clients have to like you.
3. If they want to know how technically brilliant you are they will ask, never present your credentials to them.

So going forward a couple of years, KPMG started developing an Enterprise approach to solving security problems for their clients, and again I was involved in driving this methodology out to the field. I gained great experience and insight into the business components that drive companies to spend the money they do on security. So within a short four year period working with some very large clients, I became very experienced in deploying security architecture that involved people, process and technology in that order.

During my next stint I was at Deloitte & Touch� and again I had fantastic counsel from a very strong partnership that existed during my tenure there. During that timeframe HIPAA and GLBA all came to fruition.  I spent many hours learning these laws so I could assist companies in implementing policy that mapped the laws to that same security architecture mentioned above.� By doing all this in a 12 year period, I set the stage for my career and my approach to the clients I still work with around the world today.� The main thing I would pass onto others would be not to forget that companies must run their business first and that security is the piece that safeguards that business.� People often throw out compliance as a compelling event to do something, and in many cases that�s true. However, I  have also seen many companies pass their compliance initiatives manually, so they don�t spend the money  to protect themselves with technology when they can achieve the same with human intervention. What people should be saying is how much time and effort does it take to produce an audit report manually, and how can you achieve compliance with the use of technology so you can deploy your resources more efficiently.�

Q: What are the current threats facing enterprises, governments, and financial institutions and how can the risks be mitigated?

A:� Threats are coming in many forms today both electronic and physical:  Spyware, Phishing, and the newest trend, Botnets.� This is a term for a collection of software robots, or bots, which run autonomously. A botnet's originator can control the group remotely, usually through a means such as an  IRC, and usually for nefarious purposes.

A botnet can comprise a collection of cracked machines running programs, (usually referred to as worms, Trojan horses, or backdoors), under a common command and control infrastructure. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet owner community.

A Botnet can also be a group of IRC Eggdrops.

Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, owners must now find their own servers. Oftentimes, a botnet will include a variety of connections, ranging from dial-up, DSL, cable, educational, and corporate. Sometimes, an owner will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.

Q: Can you provide three case studies that illustrate the process of designing a secure organization, Identity & Access Management?

Case #1

Major Bank and Financial Services Company

Need

• Address audit issues related to segregation of duties amongst UNIX system administrators
• Streamline user administration to eliminate bottlenecks�
• Implement workflow with access approval points
• Eliminate expired and dormant accounts from UNIX servers
• Employee longevity yielded excessive access
• Access cloning was the predominant access granting approach
• No central repository of the information assets

Solution

• CA eTrust Admin and Audit implementation
• Account clean up during the implementation (eliminated hundreds of duplicate and invalid accounts)
• Centralized auditing capabilities
• Developed approximately 3500 roles for over 60,000 users in 20 business unites
• Developed a comprehensive enterprise-wide application information repository

Benefits

• Centralized user management solution
• Automated workflow providing for accountability over access privileges
• Role based access solution eliminating segregation of duties issues

Case #2

International Technology Company

Need

• Consolidate view of customers across business units and geographies
• System designed to support tens of millions of users
• Create a seamless web experience for customers
• Support international users on six continents

Solution

• LDAP-based consolidated user directory
• Multi-language single sign-on system based on CA eTrust SiteMinder
• Customer-driven registration/enrollment process
• Capability to synchronize data between central directory existing applications (web-based and conventional)
• Security surrounding the entire system

Benefits

• Improved customer experience
• More accurate and up-to-date customer information
• Better ability to target and cross-sell to customers
• Full integration of customer-facing websites across multiple regions

Q: Profile a good Identity Management Architecture.

A:� To be successful with deploying an Identity Management Architecture, fundamentals need to exist.� My opinion is that a strong directory such as a Virtual or Meta directory needs to be in place for the Identities to be managed more efficiently.� From there the provisioning process is next by aggregating, correlating and then eliminating many identities so your environment gets to a place where using a Global Identity for the access required is in place for the next phase.� Single Sign-On or Reduced Sign-On is generally the next phase, so appeasing the user community becomes a big selling point internally. This makes lives easier and passwords are not stored in obvious places causing a weakness in the environment. From there, the last phase involves Access Control technologies being deployed to lock down production environments, and limiting access to data with auditable events also being managed in the environment.

1. Directory infrastructure
2. Provisioning (Centralizing Administration)
3. SSO/RSO (Authentication)
4. Access Control
5. Auditing (Event Management and Reporting)

Q: What do you see as the biggest crisis in security for 2006 and 2007 and how should enterprises prepare?

A:� A continued rise in the �Spyware Wars� which in itself leads to theft of intellectual property.� Centralizing event management will be critical to control this and also a movement to stronger use of forensic tools to be prepared for legal battles that may ensue.

Q: You have spoken at many forums and events. Which ones would you recommend our audience to attend, and for what reasons?

A:� For a reality check into what the external world of where new threats are coming from, the DEFCON conference in Las Vegas is very informative.� Also many of the SANS conferences give you a great look into new education forums, or learning fundamentals all the way to becoming an expert.

Q: You have a number of certifications:

• Microsoft Certified Systems Engineer (MCSE)
• Certified Novell Engineer (CNE)
• Certified Information Systems Security Professional (CISSP)
• Certified Information Systems Auditor (CISA)
• Certified Fraud Examiner (CFE)
• Certified Technology Forensics Investigator (CTFI)

Can you comment on these and make recommendations about the certification marketplace for the future?

SANS certifications and the CISSP certification would be the right place to start for anyone getting started, or for persons who may be looking to jump into the security space.

I have always valued IP Architecture classes which give people good fundamentals on how information flows throughout the environment.

Q: Michael, thank you for sharing your considerable wisdom and experiences with our audience. We are indeed fortunate to have an expert of your elite standing speak with us.

A: It has been my pleasure again; thank you for asking me to participate.