On February 12, the Obama Administration pressed forward with its executive order on cybersecurity. That day, the clock began ticking for the National Institute of Standards and Technology (NIST), which has one year to develop a Cybersecurity Framework to “reduce cyber risk” to the nation’s critical infrastructure.
What is critical infrastructure? Anything that if wiped off the map would “result in catastrophic regional or national effects on public health or safety, economic security or national security.”
In other words, critical infrastructure is anything that enables our economic prosperity, culture of innovation, personal and corporate privacy, and civil liberties, to say the least. Based on that, I can’t think of a single organization that isn’t somehow integrated with, or impacted by the compromise of, critical infrastructure.
The executive order calls for NIST to build a Cybersecurity Framework that provides a “flexible, repeatable, performance-based, and cost-effective approach for owners and operators of critical infrastructure to identify, assess and manage cyber risk.”
I believe this new framework will only be successful if single sign-on (SSO) and identity and access management (IAM) are an integral part of it. SSO and IAM are valuable on their own, but in combination with other technologies, they enable a more secure overall environment.
When done right, SSO and IAM technologies enable organizations to maintain visibility and control across the growing number of both on-premises and cloud-based applications they use to run their business. The right solutions are cost-effective and deliver user convenience, but perhaps more importantly they support policy enforcement and compliance, provide detailed application usage audit trails, and enable multifactor authentication for organizations that wish to implement it.
Rest assured, NIST will not be releasing new standards in a year and invalidating anything you’re doing now to protect your own critical infrastructure with IAM and SSO technology; it will be defining ways to best use them. If you make an investment in a standards-based approach today, you won’t be asked to throw it out – you’ll be given guidelines for maximizing your return on investment even further.
I sit on the Identity Ecosystem Steering Group (IDESG), a NIST-funded group that is building the identity ecosystem for the Framework. The group has just completed the exercise of prioritizing the components of the identity ecosystem for the Framework. To the credit of Group chair Bob Blakeley, we’re focusing strongly on end user concerns rather than simply the concerns of vendors and standards bodies. This focus is especially important since IDESG is currently made up mostly of vendors and standards bodies and we need to maintain a balanced perspective as we develop the Framework.
Another key point we’ve identified is that we need to get more people involved. If you’re interested in contributing to this process by becoming a steering group member, click here to learn more.
IDESG will continue to make progress through ongoing discussions, and as we do, I’ll provide updates right here on the Symplified Blog. Stay tuned.