This week, Stephen Ibaraki, I.S.P., has an exclusive interview with Michael Coady, a world-renowned security
Michael Coady is a Vice President with
Computer Associates Int. Security Practice with 17 years of Privacy and
Technology experience. During the past 12 years he has worked with two
Big Five Firms and led Forensics and Security investigations both in the public
and private sector. Michael has worked with Computer Task Forces around the
world and has developed an enterprise security methodology to help mitigate
risks to companies.
Mr. Coady has worked with many U.S. and
European based clients implementing the European Privacy Directive in the early
1990’s. He is a renowned International Speaker
for Privacy and Security, and widely acknowledged US expert as it relates to HIPAA, GLBA, EUPD and PIPEDA compliance. Due to his
notable expertise, Michael
is a keynote speaker at a variety of industry conferences and events including
at the 2005 e-Financial WorldExpo, October 27-28 in Toronto.
Michael has managed over 60+ Health
Insurance Portability and Accountability Act (HIPAA), EU Privacy Directive
(EUPD) and Gramm-Leach-Bliley Act (GLBA) engagements in the US for
clients in the public and private sector.
Q: Considering your very heavy schedule, thank you for taking the time to share
your unique and valued expertise with our audience.
A: You’re welcome, thank you for having me.
Q: What were three of the most significant
events in your career that led to your current position and international
profile as an elite expert in the field? What lessons can you pass onto those
who are building their careers?
A: I was very fortunate to be given an opportunity when
I was hired by KPMG 12 years ago as a manager. During my tenure at KPMG I had a
great partner, (Art Serafine). who taught me some basic lessons about the
consulting industry that continue with my approach to my professional career
1. Clients have to trust you.
2. Clients have to like you.
3. If they want to know how technically brilliant you are they will ask,
never present your credentials to them.
So going forward a couple of years, KPMG started developing an
Enterprise approach to solving security problems for their clients, and again I was
involved in driving this methodology out to the field. I gained great
experience and insight into the business components that drive companies to spend
the money they do on security. So within a short four year period working with
some very large clients, I became very experienced in deploying security
architecture that involved people, process and technology in that order.
During my next stint I was at Deloitte
& Touché and again I had fantastic counsel from a very strong partnership
that existed during my tenure there. During that timeframe HIPAA and GLBA all came
to fruition. I spent many hours learning these
laws so I could assist companies in implementing policy that mapped the laws to
that same security architecture mentioned above. By doing all this in a 12 year period,
I set the
stage for my career and my approach to the clients I still work with
around the world today. The main thing I would
pass onto others would be not to forget that companies must run their business
first and that security is the piece that safeguards that business. People often throw out compliance as a
compelling event to do something, and in many cases that’s true. However, I
have also seen many companies pass their compliance initiatives manually, so they don’t
spend the money to protect themselves with technology when
they can achieve the same with human intervention. What people should be saying
is how much time and effort does it take to produce an audit report manually,
and how can you achieve compliance with the use of technology so you can deploy
your resources more efficiently.
Q: What are the current threats facing
enterprises, governments, and financial institutions and how can the risks be
A: Threats are coming
in many forms today both electronic and physical: Spyware, Phishing, and the newest trend, Botnets. This is a term for a collection of software robots, or bots,
which run autonomously. A botnet's originator can control the group remotely,
usually through a means such as an IRC, and
usually for nefarious purposes.
A botnet can comprise a
collection of cracked machines
running programs, (usually referred to as worms, Trojan horses, or backdoors), under a common command and control
infrastructure. Individual programs manifest as IRC "bots". Often the
command and control takes place via an IRC
server or a specific channel on a public IRC network. A bot
typically runs hidden, and complies with the RFC 1459
standard. Generally, the perpetrator of the botnet has compromised a series of
systems using various tools (exploits, buffer overflows, as well as others; see
also RPC). Newer bots can automatically scan their
environment and propagate themselves using vulnerabilities and weak passwords.
Generally, the more vulnerabilities a bot can scan and propagate through, the
more valuable it becomes to a botnet owner community.
A Botnet can also be a group
of IRC Eggdrops.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to
most conventional IRC networks taking measures and blocking access to
previously-hosted botnets, owners must now find their own servers. Oftentimes,
a botnet will include a variety of connections, ranging from dial-up, DSL,
cable, educational, and corporate. Sometimes, an owner will hide an IRC server
installation on an educational or corporate site, where high-speed connections
can support a large number of other bots. Exploitation of this method of using
a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take
advantage of it.
Q: Can you provide three case studies that
illustrate the process of designing a secure organization, Identity &
Major Bank and Financial Services
- Address audit issues related to segregation of duties amongst
UNIX system administrators
- Streamline user administration to eliminate bottlenecks
- Implement workflow with access approval points
- Eliminate expired and dormant accounts from UNIX servers
- Employee longevity yielded excessive access
- Access cloning was the predominant access granting approach
- No central repository of the information assets
- CA eTrust Admin and Audit implementation
- Account clean up during the implementation (eliminated hundreds
of duplicate and invalid accounts)
- Centralized auditing capabilities
- Developed approximately 3500 roles for over 60,000 users in 20
- Developed a comprehensive enterprise-wide application
- Centralized user management solution
- Automated workflow providing for accountability over access
- Role based access solution eliminating segregation of duties
International Technology Company
- Consolidate view of customers across business units and
- System designed to support tens of millions of users
- Create a seamless web experience for customers
- Support international users on six continents
- LDAP-based consolidated user directory
- Multi-language single sign-on system based on CA eTrust
- Customer-driven registration/enrollment process
- Capability to synchronize data between central directory
existing applications (web-based and conventional)
- Security surrounding the entire system
- Improved customer experience
- More accurate and up-to-date customer information
- Better ability to target and cross-sell to customers
- Full integration of customer-facing websites across multiple
Q: Profile a good Identity Management
be successful with deploying an Identity Management Architecture, fundamentals
need to exist. My opinion is that a strong
directory such as a Virtual or Meta directory needs to be in place for the Identities to be managed more
efficiently. From there the provisioning
process is next by aggregating, correlating and then eliminating many
identities so your environment gets to a place where using a Global Identity
for the access required is in place for the next phase. Single Sign-On or Reduced Sign-On is
generally the next phase, so appeasing the user community becomes a big selling
point internally. This makes lives easier and passwords are not stored in
obvious places causing a weakness in the environment. From there, the last phase
involves Access Control technologies being deployed to lock down production
environments, and limiting access to data with auditable events also being
managed in the environment.
- Directory infrastructure
- Provisioning (Centralizing Administration)
- SSO/RSO (Authentication)
- Access Control
- Auditing (Event Management and Reporting)
Q: What do you see as the biggest crisis in
security for 2006 and 2007 and how should enterprises prepare?
continued rise in the “Spyware Wars” which in itself leads to theft of
intellectual property. Centralizing
event management will be critical to control this and also a movement to
stronger use of forensic tools to be prepared for legal battles that may ensue.
Q: You have spoken at many forums and
events. Which ones would you recommend our audience to attend, and for what
A: For a reality check into what the external world of where new threats
are coming from, the DEFCON conference in Las Vegas is very
informative. Also many of the SANS
conferences give you a great look into new education forums, or learning
fundamentals all the way to becoming an expert.
Q: You have a number of certifications:
- Microsoft Certified Systems Engineer (MCSE)
- Certified Novell Engineer (CNE)
- Certified Information Systems Security Professional (CISSP)
- Certified Information Systems Auditor (CISA)
- Certified Fraud Examiner (CFE)
- Certified Technology Forensics Investigator (CTFI)
Can you comment on these and make
recommendations about the certification marketplace for the future?
SANS certifications and the CISSP
certification would be the right place to start for anyone getting started, or
for persons who may be looking to jump into the security space.
I have always valued IP Architecture
classes which give people good fundamentals on how information flows throughout
Q: Michael, thank you for sharing your
considerable wisdom and experiences with our audience. We are indeed fortunate
to have an expert of your elite standing speak with us.
A: It has been my pleasure again; thank you
for asking me to participate.