Podcasts about role based access control rbac

  • 13 podcasts
  • 22 episodes
  • 39m average duration
  • 1 new episode per month
  • Latest: Feb 3, 2025



Best podcasts about role based access control rbac

Latest podcast episodes about role based access control rbac

CISSP Cyber Training Podcast - CISSP Training Program
CCT 216: Enhancing Board Expertise and Role-Based Access Control (Domain 5.5)

CISSP Cyber Training Podcast - CISSP Training Program

Feb 3, 2025 | 40:13 | Transcription available


Discover the game-changing strategies to strengthen your company's cybersecurity posture with our latest episode on CISSP Cybersecurity Training and Board Expertise. We reveal shocking insights: only 5% of company boards have cybersecurity expertise, a glaring gap that can jeopardize risk management and financial stability. Listen as we advocate for the integration of cybersecurity professionals into risk committees, a move proven to enhance security measures and boost shareholder confidence. Get ready to transform your board's approach to cybersecurity.

Unlock the secrets to effective Role-Based Access Control (RBAC) and learn how to shield your organization from credential creep threats. Long-term employees and contractors like Sean are especially vulnerable, but with well-defined roles and responsibilities, you can assign privileges with precision and prevent conflicts of interest. This episode unpacks the complexities of role hierarchy and the importance of role lifecycle management, emphasizing regular audits and compliance to keep your security framework airtight and aligned with business needs.

Managing employee transitions is a critical challenge, and we discuss how deprovisioning and offboarding are vital components in maintaining security integrity. Prompt account deactivation, asset retrieval, and data retention management are just the beginning; delve into the role of identity and access management tools like single sign-on systems and multi-factor authentication. Discover how adaptive authentication and compliance considerations ensure your protocols meet regulatory standards while safeguarding your company's digital assets and data. Prepare to step up your cybersecurity game with expert insights and proven strategies from our podcast.

Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don't miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 201: Practice CISSP Questions - Hardware and Firmware Knowledge Gap and Access Controls (Domain 5)

CISSP Cyber Training Podcast - CISSP Training Program

Dec 12, 2024 | 23:08 | Transcription available


Could the lack of hardware and firmware knowledge be the Achilles' heel of today's cybersecurity efforts? Join me, Sean Gerber, on the CISSP Cyber Training Podcast as we unpack the critical challenges faced by IT and security leaders, particularly in hardware-intensive sectors like manufacturing. We expose the concerning gaps in understanding that are leaving organizations vulnerable, and propose actionable solutions like fostering stronger collaboration between IT teams, security personnel, and suppliers. Tackling the prevalent issue of BIOS password sharing, we recommend secure password management tools, like CyberArk, and advocate for a shift from the culture of replacing devices to one of repair and repurposing, all while ensuring data is securely erased to prevent breaches.

Shifting focus to authentication and password security, this episode dives into the essentials of Role-Based Access Control (RBAC), two-factor authentication, and the power of identity federation with protocols like SAML or OAuth. We dissect the benefits of Single Sign-On (SSO) for seamless multi-application access, while highlighting the necessity of identity proofing during onboarding. Finally, we take a hard look at common password pitfalls, stressing the importance of robust security practices. Our mission? To empower listeners with the knowledge and resources they need to bolster their cybersecurity measures—visit CISSP Cyber Training and ReduceCyberRisk.com for a deeper dive into fortifying your defenses.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

CISSP Cyber Training Podcast - CISSP Training Program
CCT 200: Understanding Account Provisioning (CISSP Domain 5)

CISSP Cyber Training Podcast - CISSP Training Program

Dec 9, 2024 | 40:18 | Transcription available


Unlock the secrets of safeguarding your digital empire with an urgent cybersecurity update from Sean Gerber on the CISSP Cyber Training Podcast. Imagine a vulnerability so severe it's rated at a critical level of 10—this is the reality for Atlassian Confluence users, and immediate action is non-negotiable. Arm yourself with strategies from CISSP domain 5.5.1 that shape the provisioning, onboarding, and maintenance of systems. Learn how to craft robust account management plans that are the keystone in your organization's defense against breaches.

Transform your team into a frontline defense force with our insights on creating impactful employee security awareness training. We tackle the power of a simple one-page document to revolutionize your approach, especially if you're the lone security warrior in your firm. Discover how understanding industry standards like GDPR and CMMC can empower your workforce to act as vigilant sensors against potential threats. We also touch on how to navigate the complexities of multinational teams, ensuring inclusive and effective cybersecurity dialogues.

Close the doors on security threats by mastering the deprovisioning and offboarding processes. Elevate your knowledge with the significance of automating the removal of stale accounts, reducing the risk of hackers exploiting overlooked credentials. Dive deep into Role-Based Access Control (RBAC) and password management strategies that align permissions with job roles, simplifying security while mitigating risks. With compelling insights into password policies and the need for senior leadership buy-in, you'll be equipped to advocate for enhanced security measures that protect your organization.

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

ITSPmagazine | Technology. Cybersecurity. Society
The Imperative of Transitioning from Traditional Access Control to Modern Access Control | An Australian Cyber Conference 2024 in Melbourne Conversation with Ahmad Salehi Shahraki | On Location Coverage with Sean Martin and Marco Ciappelli

ITSPmagazine | Technology. Cybersecurity. Society

Dec 4, 2024 | 27:07


Guest: Ahmad Salehi Shahraki, Lecturer (Assistant Professor) in Cybersecurity, La Trobe University
On LinkedIn | https://www.linkedin.com/in/ahmad-salehi-shahraki-83494152/

Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast & Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

Episode Notes

During this "On Location" podcast episode at AISA CyberCon 2024, host Sean Martin welcomed guest Ahmad Salehi Shahraki to discuss cutting-edge developments in access control, identity management, and cybersecurity infrastructure.

Ahmad, a lecturer at La Trobe University specializing in authentication, authorization, applied cryptography, and blockchain, shared insights into transitioning from traditional access control models like Role-Based Access Control (RBAC) to more advanced Attribute-Based Access Control (ABAC). Ahmad emphasized that while RBAC has served as the backbone of organizational security for decades, its centralized nature and limitations in cross-domain applications necessitate the shift to ABAC. He also highlighted a critical aspect of his research: leveraging cryptographic primitives like attribute-based group signatures to enhance security and privacy while enabling decentralization without relying on blockchain.

Sean and Ahmad explored the technical and operational implications of ABAC. Ahmad described how this model uses user attributes—such as location, role, and organizational details—to determine access permissions dynamically. This contrasts with RBAC's reliance on predefined roles, which can lead to rule exploitation and administrative inefficiencies.

Ahmad also discussed practical applications, including secure digital health systems, enterprise environments, and even e-voting platforms. One innovative feature of his approach is "attribute anonymity," which ensures sensitive information remains private, even in peer-to-peer or decentralized setups. For example, he described how his system could validate an individual's age for accessing a service without revealing personal data—a critical step toward minimizing data exposure.

The conversation expanded into challenges organizations face in adopting ABAC, particularly the cost and complexity of transitioning from entrenched RBAC systems. Ahmad stressed the importance of education and collaboration with governments and industry players to operationalize ABAC and other decentralized models.

The episode closed with Ahmad reflecting on the robust feedback and collaboration opportunities he encountered at the conference, underscoring the growing interest in decentralized and privacy-preserving solutions within the cybersecurity industry. Ahmad's research has attracted attention globally, with plans to further develop and implement these models in Australia and beyond.

Listeners are encouraged to follow Ahmad's work and connect via LinkedIn to stay informed about these transformative approaches to cybersecurity.

This Episode's Sponsors
Threatlocker: https://itspm.ag/threatlocker-r974

Resources
Learn more and catch more stories from Australian Cyber Conference 2024 coverage: https://www.itspmagazine.com/australian-cyber-conference-melbourne-2024-cybersecurity-event-coverage-in-australia
Catch all of our event coverage: https://www.itspmagazine.com/technology-cybersecurity-society-humanity-conference-and-event-coverage
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast
To see and hear more Redefining Society stories on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-society-podcast

Redefining CyberSecurity
The Imperative of Transitioning from Traditional Access Control to Modern Access Control | An Australian Cyber Conference 2024 in Melbourne Conversation with Ahmad Salehi Shahraki | On Location Coverage with Sean Martin and Marco Ciappelli

Redefining CyberSecurity

Dec 4, 2024 | 27:07



CISSP Cyber Training Podcast - CISSP Training Program
CCT 169: Practice CISSP Questions - Understanding Role, Rule, Mandatory, and Attribute Based Controls (Domain 5.4)

CISSP Cyber Training Podcast - CISSP Training Program

Aug 22, 2024 | 19:08 | Transcription available


Can quantum computing break your encryption overnight? Discover the profound impact of this emerging technology on cybersecurity as we decode the recently introduced FIPS 203, 204, and 205 standards. Join me, Sean Gerber, on this week's electrifying episode of the CISSP Cyber Training Podcast to understand how the US government is preemptively tackling "harvest now, decrypt later" threats. Learn why these standards are crucial for federal entities and contractors and why mandatory adoption by 2035 is a game-changer for cybersecurity professionals, especially those engaging with the Cybersecurity Maturity Model Certification (CMMC).

Unlock the secrets to mastering access control models essential for fortified cybersecurity. We'll explore the nuanced features and ideal applications for Attribute-Based Access Control (ABAC), Discretionary Access Control (DAC), Role-Based Access Control (RBAC), and Mandatory Access Control (MAC), as well as the fine-grained Rule-Based Access Control (RBAC). Beyond the technical knowledge, we dive into the critical mindset required for true CISSP mastery—one that transcends the exam and empowers real-world application. Plus, your participation supports adoptive families, making our journey together even more impactful. Tune in and transform your cybersecurity strategy today!

Gain access to 60 FREE CISSP Practice Questions each and every month for the next 6 months by going to FreeCISSPQuestions.com and sign-up to join the team for Free. That is 360 FREE questions to help you study and pass the CISSP Certification. Join Today!

Identity At The Center
#297 - Navigating the Future of Digital Identities with Chris Power

Identity At The Center

Aug 5, 2024 | 63:22


In this episode, Jeff and Jim discuss various Identity and Access Management (IAM) topics with their guest, Chris Power, Senior Manager of IAM at Sallie Mae. They tackle the evolution and challenges of non-human identities, the potential sunsetting of Role-Based Access Control (RBAC) in favor of policy-based methods, and the organizational design of IAM teams and the importance of governance and cybersecurity measures. The episode rounds off with a light discussion about Marvel movie news, focusing on Robert Downey Jr.'s return to the Marvel universe as Dr. Doom.

00:00 Introduction and Casual Banter
2:07 Exploring Digital Identity Trends
5:01 Conference Highlights and Discount Codes
8:35 Introducing the Guest: Chris Power
12:11 Deep Dive into Non-Human Identities
29:20 The Future of RBAC in IAM
30:42 Challenges in HR Systems and RBAC
32:21 The Complexity of Implementing RBAC
33:23 Exploring Alternatives to RBAC
34:13 The Role of Attributes in Access Control
37:35 Policy-Based Access Control (PBAC)
42:59 Organizational Design in IAM
52:34 Future of IAM with AI and Big Data
55:55 Marvel Universe Discussion
63:42 Conclusion and Final Thoughts

Connect with Chris: https://www.linkedin.com/in/jameschristopherpower/
Chris' LinkedIn Post: https://www.linkedin.com/pulse/trying-something-new-chris-power-ysmdc/

Attending Identity Week in America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:
America: https://www.terrapinn.com/exhibition/identity-week-america
Asia: https://www.terrapinn.com/exhibition/identity-week-asia/
Authenticate Conference - Use code IDAC15 for 15% off: https://authenticatecon.com/event/authenticate-2024-conference/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com and watch at https://www.youtube.com/@idacpodcast

Identity At The Center
#288 - Identiverse 2024: Ian Glazer & Alex Bovee & Lance Peterman

Identity At The Center

Jun 7, 2024 | 49:31


In this engaging episode, hosts Jim McDonald and Jeff Steadman wrap up their Identiverse 2024 experience with a thought-provoking panel discussion. Joined by Alex Bovee, CEO and Co-Founder of ConductorOne; Ian Glazer, Founder and President of Weave Identity; and Lance Peterman, Identity Lead at Dick's Sporting Goods and Professor at UNC Charlotte, the conversation dives deep into the future of identity management. The panel explores the concept of Zero Standing Privileges (ZSP) as the evolution of least privilege, discussing its feasibility, operational challenges, and the maturity curve required for organizations to adopt such a model. Ian shares his perspective on the future of identity governance, while Alex and Lance provide insights into practical implementations and the role of automation in achieving ZSP. The discussion also touches on the importance of context, policy, and the need for better data orchestration to make identity management more effective. Tune in for an insightful conversation on the next frontier of identity management and the steps needed to get there.

Connect with Alex Bovee - https://www.linkedin.com/in/alexbovee/
Learn about ConductorOne - https://www.conductorone.com/?utm_source=identityatthecenter&utm_medium=podcast&utm_campaign=c1-brand
Connect with Ian: https://www.linkedin.com/in/iglazer/
Learn about Weave Identity - https://weaveidentity.com/
Connect with Lance - https://www.linkedin.com/in/lancepeterman/

Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:
Europe: https://www.terrapinn.com/exhibition/identity-week/
America: https://www.terrapinn.com/exhibition/identity-week-america
Asia: https://www.terrapinn.com/exhibition/identity-week-asia/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com and watch at https://www.youtube.com/@idacpodcast

Identity At The Center
#282 - IDAC Sponsor Spotlight - RSM Digital Identity

Identity At The Center

May 22, 2024 | 81:50


On this episode of Identity at the Center, Jim McDonald and Jeff Steadman are joined by Chad Wolcott, Managing Director at RSM US LLP, to peel back the layers of the identity industry. They delve into the complexities of identity consulting, discussing the challenges and triumphs of implementing and managing IAM solutions. From Chad's early days of designing robots to Jim's arcade escapades, the trio shares their most unusual jobs and the lessons learned from their unique experiences. They also tackle pressing topics like the future of passwordless authentication, the role of AI and analytics in identity, and the evolution of authorization from RBAC to dynamic access models. The conversation takes a turn into the realm of IAM horror stories, highlighting the pitfalls of over-engineering solutions and the importance of aligning with organizational change. As they gear up for Identiverse, they share their excitement for reconnecting with industry peers, diving into sessions on AI and identity security, and enjoying the Vegas experience. Tune in for an insightful and candid discussion on the state of identity security, the potential of AI, and the power of automation in the ever-evolving IAM landscape.

Connect with Chad: https://www.linkedin.com/in/chad-wolcott/
Meet up with our RSM team at Identiverse 2024! Schedule at https://rsmus.com/events/2024-events/join-rsm-at-identiverse-2024.html
Learn more about RSM Digital Identity consulting: https://rsmus.com/services/risk-fraud-cybersecurity/cybersecurity-business-vulnerability/identity-and-access.html

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Identity At The Center
#280 - OpenID's AuthZEN with Omri Gazitt of Aserto

Identity At The Center

May 13, 2024 | 68:41


In this episode of Identity at the Center, hosts Jim McDonald and Jeff Steadman delve into the intricate world of authorization within the IAM space with Omri Gazitt, co-founder and CEO of Aserto, and co-chair of the AuthZEN working group at the OpenID Foundation. They tackle the evolution of authorization, from the days of basic role-based access control to the current landscape of fine-grained authorization, including policy and relationship-based access control models. Omri shares his insights on the importance of standards in authorization, the role of developers in adopting these standards, and the journey towards a single authorization control plane for multiple applications. He also discusses the challenges organizations face with over-provisioned access and the potential of AI in enhancing authorization decisions. Listeners will also get a personal glimpse into Omri's life outside of IAM, learning about his passion for kung fu and how the discipline and journey of martial arts have influenced his professional ethos. Tune in for a comprehensive discussion on the future of authorization and the steps IAM practitioners can take to evolve their organization's approach to this critical aspect of identity security.

Connect with Omri: https://www.linkedin.com/in/ogazitt/
Learn more about Aserto: https://www.aserto.com/
AuthZEN: https://openid.net/wg/authzen/
Google Zanzibar: https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system/

Identiverse 2024: As an IDAC listener, you can register with 25% off by using code IDV24-IDAC25 at https://events.identiverse.com/identiverse2024/register?code=IDV24-IDAC25
Meet up with our RSM team! Schedule at https://rsmus.com/events/2024-events/join-rsm-at-identiverse-2024.html
Attending the European Identity and Cloud Conference in Berlin? Use Discount Code: EIC24idac25 for 25% off. Register at https://www.kuppingercole.com/events/eic2024
Attending Identity Week in Europe, America, or Asia? Use our discount code IDAC30 for 30% off your registration fee! Learn more at:
Europe: https://www.terrapinn.com/exhibition/identity-week/
America: https://www.terrapinn.com/exhibition/identity-week-america
Asia: https://www.terrapinn.com/exhibition/identity-week-asia/

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at http://idacpodcast.com and follow @IDACPodcast on Twitter.

Identity At The Center
#275 - IDAC Sponsor Spotlight - Sonrai Security

Identity At The Center

Apr 17, 2024 | 52:41


In this episode, Jim and Jeff welcome back Sandy Bird, the CTO and Co-Founder of Sonrai Security, for a sequel to their first sponsor spotlight. Sandy returns to discuss the groundbreaking Cloud Permissions Firewall with Permissions on Demand. The trio dives into how this new solution revolutionizes the way organizations can clamp down on excessive cloud permissions, streamline operations, and secure their cloud environments with unprecedented speed and efficiency. The discussion illuminates the concept of "default deny," the exhilaration of zapping "zombie" identities, and the seamless integration with cloud native tools. Sandy also shares insights on how customers can measure success with Sonrai's solution and the significant security benefits provided. For a visual walkthrough of Sonrai's Cloud Permissions Firewall, visit http://sonrai.co/idac to see the demo in action and learn how you can try it out with a 14-day free trial. And if you're at RSA, AWS re:Inforce, or Gartner IAM, look for the Sonrai Security booth and experience the epiphany moment for yourself.

Connect with Sandy on LinkedIn: https://www.linkedin.com/in/sandy-bird-835b5576
Learn more about Sonrai Security: https://sonrai.co/idac
Introducing the Cloud Permissions Firewall (YouTube): https://www.youtube.com/watch?v=ffQbM6KGDbY

Connect with us on LinkedIn:
Jim McDonald: https://www.linkedin.com/in/jimmcdonaldpmp/
Jeff Steadman: https://www.linkedin.com/in/jeffsteadman/
Visit the show on the web at idacpodcast.com and follow @IDACPodcast on Twitter.

Episode Keywords: Identity and Access Management (IAM), Cloud Security, AWS, Azure, GCP (Google Cloud Platform), Least Privilege, Identity Risk, Cloud Permissions Firewall, Infrastructure as Code, Security Operations (SecOps), Cloud Operations (CloudOps), Permissions Management, Excessive Privileges, Zombie Identities, Identity Governance, Access Analyzer, Sensitive Permissions, Role-Based Access Control (RBAC), Service Control Policies (SCP), Cloud Native Security

CYBER LIFE
Cyber Life Podcast Ep.1 - Cloud Identity and Access Management (IAM) with Dr. KVN Rajesh

CYBER LIFE

Aug 30, 2023 | 27:48


In this episode, we're diving into the realm of identity and access management in the cloud. Our guest is Dr. KVN Rajesh, a multi award-winning trainer focused on Microsoft Azure security. With a PhD in deep learning and over 10,000 individuals trained, Dr. Rajesh is a cloud security expert you won't want to miss.

Dr. Rajesh explains the concept of identity and access management (IAM) and how it helps protect our digital resources. Imagine your username as your digital ID and access as your role within the organization – all controlled through IAM. IAM helps protect critical data, data privacy, and ensures compliance. Dr. Rajesh talks about creating and managing IAM users, from provisioning to authentication, authorization, lifecycle management, and continuous monitoring.

He then explores the power of IAM policies. These digital blueprints govern user permissions and actions, safeguarding the principle of least privilege. Dr. Rajesh sheds light on architecture best practices of these policies and their role in maintaining the balance between security and user experience.

As our episode focus pivots to cloud environments, Dr. Rajesh showcases the pivotal role of IAM in Microsoft Azure. You will learn how Azure IAM centralizes access control, leveraging Azure Active Directory and Role-Based Access Control (RBAC) for seamless user identity management.

Dr. Rajesh also addresses emerging trends shaping the future of IAM. He discusses zero trust, AI integration, and blockchain-backed identity verification. But every coin has two sides. Dr. Rajesh shares some common pitfalls to avoid – from generic passwords to excessive privileges – and offers a roadmap for troubleshooting IAM issues. Dr. Rajesh recommends a comprehensive IAM strategy to enforce granular permissions, track user activities, and ensure regulatory compliance.

In this ever-connected world, cloud-based IAM solutions come with scalability, centralized management, and seamless integration. Dr. Rajesh digs into common benefits and challenges with cloud IAM solutions, to help your organization identify "right fit" solutions. Dr. Rajesh also emphasizes the urgency of implementing IAM best practices because of emerging threats and the reduced barrier to entry for cyber criminals.

Be sure to like and subscribe for more episodes of the

CXOInsights by CXOCIETY
Podchats for FutureCISO: Future of authentication

CXOInsights by CXOCIETY

Jul 19, 2022 | 14:45


Whether for personal use or accessing your corporate network, authentication and authorisation are two critical concepts in access control. At times confused with authorisation, authentication is the process of verifying the identity of an entity before access or authorisation is given. Authentication may involve the use of passwords, access tokens, and biometric verification while authorization uses processes like Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC).

So with all the innovations placed around authentication and authorisation, why do systems still get hacked? And as more organisations move to the cloud, what can we expect from these two facets of access control in the years ahead?

With us on PodChats for FutureCISO is Jayavignesh Reddy, Senior IAM Evangelist, ManageEngine.

1. What is the biggest issue influencing/impacting authentication?
2. How has authentication (technology and practices) evolved during the pandemic?
3. How CISOs and CIOs position authentication as an enabler for digital business?
4. There are those who suggest that passwords be dropped altogether. Is this a good idea in the current state of technology?
5. Do you see zero trust as changing the landscape of authentication?
6. Our topic is Future of authentication. How do you see the future of authentication evolving?

Office 365 Distilled
EP63: M365 Content Architecture and reasons Digital transformation fails.

Office 365 Distilled

Play Episode Listen Later Jul 4, 2021 66:20


A split decision on subjects for Episode 63 sees Steve and Marijn bring both their ideas together: looking at the key structures that build content architectures (Sites and Structures, Governance and Processes), combined with Marijn's thoughts on the 5 reasons that business transformation fails, and looking at how you can plan for failure and identify the solutions for success. Opinions vary in this podcast, with the usual disagreement on Architecture coming first, but we hope the different opinions, thoughts and discussions help you work out what's best for you.

The boys disagree on the readability of URLs and the naming convention for Sites. Marijn is a believer in identifiable and named URLs, whilst Steve is a believer in a code or number for the Intranet; we look at the pros and cons of a readable URL.

The One-Inch Party is defined as 3 days before Commsverse, with a reminder that September 12th is the Office365 Distilled One-Inch Party and September 15th and 16th is Commsverse, the hybrid MS Teams conference.

Role-Based Access Control (RBAC) is discussed, along with the involvement of Leadership to support the solutions around RBAC. Steve identifies some of the difficult stepping stones for success, which will change, but solid processes and dynamic groups make this a real success possibility.

A blended whisky again is selected to finish off the podcast, with an independent bottler taking great whiskies from the Lowlands to create 'The Epicurean' blended whisky from Douglas Lang.

The Cyber Ranch Podcast
The Journey to Passwordless Authentication w/ Derly Gutierrez

The Cyber Ranch Podcast

Play Episode Listen Later Jun 23, 2021 28:54


With us today is Derly Gutierrez, Head of Security at 1010 Data, and veteran. Derly is here with us today to talk about the journey to passwordless authentication and the flaws and strengths of today's authentication methods. Allan and Derly refer to studies and surveys about the problems with passwords and the challenges of implementing passwordless approaches. Derly emphasizes the need for other complementary technologies such as Role-Based Access Control (RBAC), Privileged Access Management (PAM), and system-to-system communications. The two discuss corporate and personal use of passwordless solutions, and talk about legal precedent and the future of passwordless approaches.

Key Takeaways
1:14 How Derly got into cyber
1:58 About Derly's day job as Head of Security
2:34 Allan quotes the 2017 Verizon DBIR on how many breaches involve weak or stolen passwords
3:35 Allan cites NIST 800-63b
4:15 Derly talks about CAC cards in the US DoD
4:50 Derly sides with vendor innovations over NIST guidance
5:56 Allan clarifies the distinction between PINs and passwords
6:52 Derly points out the flaws with biometrics in terms of reliability and assurance
9:09 Allan cites a survey regarding WHY organizations choose passwordless
9:52 How many 'passwordless' solutions still include shared secrets
10:38 Derly talks about corporate vs. personal passwordless solutions and shared secrets as backup for reliability issues
11:37 Derly emphasizes a lack of RBAC and PAM foiling all authentication approaches
13:06 Allan points out the value of Identity and Access Management solutions
13:44 Allan references three vendor approaches towards passwordless for legacy systems such as RADIUS
14:50 Derly takes these methods apart
16:05 Many companies are not doing Role-Based Access Control, system-to-system communication and Privileged Access Management correctly
17:02 Allan brings up the presence of push attacks
17:38 Allan's definition of true passwordless authentication
17:56 Derly's definition of true passwordless authentication
21:29 For personal use of biometrics, Allan brings up a disturbing precedent of law enforcement accessing an individual's phone with forced facial recognition
23:17 Derly emphasizes that applications on your phone should have a different authentication factor than access to the phone itself
23:47 "Your home is your castle" has become "Your phone is your castle"
25:06 Allan cites one last survey as to how many of us really are passwordless
26:02 How long before we get to passwordless?
28:06 What keeps Derly going in cyber

Links:
Learn more about Derly on LinkedIn and Twitter
Follow Allan Alford on LinkedIn and Twitter
Learn more about Hacker Valley Studio and The Cyber Ranch Podcast
Sponsored by our good friends at Axonius

Streaming Audio: a Confluent podcast about Apache Kafka
Confluent Platform 5.4 | What's New in This Release + Updates

Streaming Audio: a Confluent podcast about Apache Kafka

Play Episode Listen Later Jan 22, 2020 14:26


A quick summary of new features, updates, and improvements in Confluent Platform 5.4, including Role-Based Access Control (RBAC), Structured Audit Logs, Multi-Region Clusters, Confluent Control Center enhancements, Schema Validation, and the preview for Tiered Storage. This release also includes pull queries and embedded connectors in preview as part of KSQL.

EPISODE LINKS
Confluent Platform 5.4 Release Notes
Introducing Confluent Platform 5.4
Download Confluent Platform 5.4
Watch the video version of this podcast
Join us in Confluent Community Slack
Get 30% off Kafka Summit London registration with the code KSL20

CISO-Security Vendor Relationship Podcast
What's Worse?! "Culture of No" or No Culture?

CISO-Security Vendor Relationship Podcast

Play Episode Listen Later May 11, 2019 33:05


See all links and images for this episode on CISO Series (https://cisoseries.com/whats-worse-culture-of-no-or-no-culture/)

We want to put an end to InfoSec negativity, but not at the sacrifice of the soul of the company. We're weighing our options on this week's episode of CISO/Security Vendor Relationship Podcast. This show, like all the previous ones, is hosted by me, David Spark (@dspark), founder of Spark Media Solutions, and Mike Johnson. Our guest this week is Sean Catlett, CISO of Reddit.

Thanks to this week's sponsor, Perimeter 81
Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and mobile workforce. We allow cybersecurity professionals to easily build, manage and secure their organization’s networks in one unified, multi-tenant, cloud-native platform. Learn more at www.perimeter81.com.

On this week's episode

Why is everybody talking about this now?
Helen Patton, CISO at Ohio State University, asked the security community, "What cultural/behavioral influences on Security would you like to see changed?"

First 90 Days of a CISO
Matt McManus, who works in InfoSec at WeWord, asks, "What's the ideal information security team make-up and structure?" Sean, you came into Reddit recently as a new CISO. How did you go about determining what you needed for a team?

What's Worse?!
What needs to be protected? The endpoints or the network?

You're a CISO, what's your take on this?
Last year I was chatting with a CEO, and he mentioned one common frustration with a scenario that keeps repeating itself. He will have a truly fantastic meeting with a potential buyer. Absolutely everything goes right, but the moment he asks to engage in a PoC, Proof of Concept, the conversation does an about-face and everything falls apart. And vendors have unrealistic expectations of the time it will take a potential buyer to conduct a PoC.

Ask a CISO
With the recent release of the Verizon Data Breach Investigation Report, or DBIR, we brought up a question from Kip Boyle, author of Fire Doesn't Innovate. He asks, "What role do vendors and the media play in determining and prioritizing your cyber risks?"

Whether your data is in transit or at rest, it’s vital to remember that neither state is secure. Data must be protected in both states, and encryption plays a major role in this. In addition to encryption standards for in-transit data such as TLS for email, HTTPS and SSL for websites and the use of a VPN when connecting from public Wi-Fi hotspots (even those that say they are secure), there is symmetric and asymmetric encryption, part of the Advanced Encryption Standard. Symmetric encryption happens when the sender and receiver of a message use a single shared key to encrypt and decrypt the message, which is what most internet traffic uses. Asymmetric encryption uses more CPU power and is harder to encrypt with, and is used for secure online exchanges via the Secure Sockets Layer. But encryption isn’t the end of the story. There must be network security controls to help protect data in transit, as well as securing the transmission networks themselves. Proactivity is key here, which means identifying at-risk data, establishing user prompting regulations and automatic encryption for things like files attached to an email message, and taking stock of, and categorizing, all types of data to ensure the right level of security is applied to each. On a human level, Role-Based Access Control (RBAC) ensures different levels of security and permissions, multi-factor authentication helps make data a more difficult target, and of course, each company should take ownership of this challenge and not rely on their cloud supplier to do it for them.

PodCTL - Kubernetes and Cloud-Native
Effective RBAC for Kubernetes

PodCTL - Kubernetes and Cloud-Native

Play Episode Listen Later Jan 14, 2018 20:34


Show: 21

Show Overview: Brian and Tyler talk about how Role-Based Access Control (RBAC) is implemented for Kubernetes.

Show Notes:
Effective RBAC (video) from KubeCon
Using RBAC Authorization
Audit2RBAC Tool

Topic 1 - The concept of RBAC is best described as “Can ______ (noun) ______ (verb) on ______ (object) at ______ (location)?” where “noun” is a person/service, “verb” is an action, “object” is a function of the API, and “location” is proximity to a Kubernetes cluster.

Topic 2 - RBAC operates on the concept of Roles and RoleBindings, which map actors to actions; those actors and actions are defined either globally or locally, and the actions are also defined globally or locally.

Topic 3 - RBAC can be manually defined, or enabled (by default) by an installer or distribution. It comes with a default set of Roles. Everything is done within the scope of a cluster.

Topic 4 - By default, the kube-scheduler, kube-controller-manager, and kube-proxy all have RBAC roles defined. Kubelets (node-level) don’t use RBAC by default, but have their own authorizer, which can then be combined with an RBAC authorizer.

Topic 5 - “Add-ons” (networking, monitoring, logging, etc.) can have RBAC defined in their manifests, or you can grant them access to their service account.

Topic 6 - If the element needs to be something other than those default roles, or use the default authorizer services, then custom Roles can be created. You can use audit logs to track the needs of a specific add-on, and use the “audit2rbac” tool to view the logs and create custom RBAC roles.

Topic 7 - “Aggregate Roles” are now available in Kubernetes 1.9.

Feedback?
Email: PodCTL at gmail dot com
Twitter: @PodCTL
Web: http://podctl.com

ICS & SCADA Cyber Security
A Model for the Analysis of Security Policies in Industrial Networks

ICS & SCADA Cyber Security

Play Episode Listen Later Sep 15, 2013


The analysis of security policies designed for ICS and SCADA can benefit significantly from the adoption of automatic/semi-automatic software tools that are able to work at a global (system) level. This implies the availability of a suitable model of the system, which is able to combine the abstractions used in the definition of policies with the access control and rights management mechanisms usually present in the real system implementation. This paper introduces a modeling framework based on the Role Based Access Control (RBAC) technique that includes all the elements needed to support different kinds of automatic security analyses, such as policy coherence checks and verification of the correct implementation of policies.

CERIAS Security Seminar Podcast
Zahid Pervaiz, Multi-Policy Access Control for Healthcare using Policy Machine

CERIAS Security Seminar Podcast

Play Episode Listen Later Nov 4, 2009 29:19


Access control policies in the healthcare domain define permissions for users to access different medical records. A Role Based Access Control (RBAC) mechanism allows management of privileges to medical records for users when they assume certain roles, thus mitigating the threat of inside attacks. Such a threat emanates from unauthorized users. We can provide a selective combination of policies where sensitive records can be available only to a specific role, say the primary doctor, under Discretionary Access Control (DAC), whereby in turn he/she may share the record with other physicians for consultation after permission from the patient. This mechanism not only allows better compliance with the principle of least privilege but also helps to mitigate the threat of authorized insiders disclosing sensitive information. Our research is being prototyped on the Policy Machine (PM) developed by the National Institute of Standards and Technology (NIST). PM allows integration and co-existence of multiple policies. Currently, we are expanding the capabilities of PM to provide a flexible healthcare access control policy which has the benefits of context awareness and discretionary access. We will present the newly implemented temporal RBAC model on PM and describe initial capabilities for secure management of healthcare data.

About the speaker: Zahid Pervaiz is a PhD candidate in the School of Electrical and Computer Engineering at Purdue University. He received his bachelor's degree in Electronics Engineering from the National University of Science and Technology, Pakistan, in 2000. Prior to joining Purdue in 2007, he worked with a research organization in Pakistan for five years as a senior design engineer. His research interests include information privacy, data security and access control. His current research work focuses on access control mechanisms for healthcare applications. He can be reached at zpervaiz@purdue.edu.

CERIAS Security Seminar Podcast
Rafae Bhatti, A Policy Engineering Framework for Federated Access Management

CERIAS Security Seminar Podcast

Play Episode Listen Later Mar 1, 2006 48:37


Federated systems are an emerging paradigm for information sharing and integration. Such systems require access management policies that not only protect user privacy and resource security but also allow scalable and seamless interoperation. Current solutions to distributed access control generally fail to simultaneously address both dimensions of the problem. This talk describes the design of a policy-engineering framework, called xFederate, for specification and enforcement of access management policies in federated systems. It has been designed from the perspectives of both security management and software engineering to not only allow specification of requirements for federated access management but also allow development of standardized policy definitions and constructs that facilitate policy deployment and enforcement in a federated system. The framework also includes the design of an administrative model targeted at access control policy administration in a decentralized environment. Two profiles of the policy language, namely a SAML profile and a WS-Policy profile, have been developed to integrate the framework with industry standards for federation and policy-based management in the emerging Web services paradigm. The talk will include an online demo of a research prototype that illustrates the use of xFederate as an enabling technology for secure Web services, with applications in federated digital libraries and federated electronic healthcare management.

About the speaker: Rafae Bhatti is a PhD candidate in the Department of Electrical and Computer Engineering and affiliated with the Center for Education and Research in Information Assurance and Security (CERIAS) at Purdue University. His research interests include information systems security, with emphasis on design and administration of access management policies in distributed systems. In his M.S. thesis research at Purdue, he developed an XML-based policy specification framework for distributed access control. His PhD research focuses on the access management problems posed by the emerging federated paradigm of information sharing and collaboration, and on specification of XML-based security protocols for Web-based information systems. His work on an XML-based access control framework for the Role Based Access Control (RBAC) model has recently been cited by the OASIS consortium in their official announcement of the RBAC standard.

CERIAS Security Seminar Podcast
James Joshi, GTRBAC: A Generalized Temporal Role Based Access Control Model

CERIAS Security Seminar Podcast

Play Episode Listen Later Nov 10, 2004 47:07


A key issue in computer system security is to protect information against unauthorized access. Emerging workflow-based applications in healthcare, manufacturing, the financial sector, and e-commerce inherently have complex, time-based access control requirements. To address the diverse security needs of these applications, a Role Based Access Control (RBAC) approach can be used as a viable alternative to traditional discretionary and mandatory access control approaches. The key features of RBAC include policy neutrality, support for least privilege, and efficient access control management. However, existing RBAC approaches do not address the growing need for supporting time-based access control requirements for these applications. In this talk, I will present a Generalized Temporal Role Based Access Control (GTRBAC) model that combines the key features of the RBAC model with a powerful temporal framework. The proposed GTRBAC model allows specification of a comprehensive set of time-based access control policies, including temporal constraints on role enabling, user-role and role-permission assignments, and role activations. The model provides an event-based mechanism for providing context-based access control, as well as expressing dynamic access control policies, which are crucial for developing secure workflow-based enterprise applications. I will discuss various design guidelines for managing complexity of policy specification as well as an XML-based GTRBAC policy specification language.

About the speaker: James Joshi is an assistant professor in the Department of Information Science and Telecommunications at the University of Pittsburgh. He is a founder and coordinator of the Laboratory of Education and Research on Security Assured Information Systems (LERSAIS), which has recently been designated as a National Center of Academic Excellence in Information Assurance Education jointly by the NSA and DHS. He received his PhD degree from Purdue University in 2003. He is currently supported by the NSF for establishing security tracks at the University of Pittsburgh. His areas of interest include Access Control Models, Security and Privacy of Distributed Multimedia Systems, and Systems Survivability. He serves as a program committee member for several conferences, including the ACM Symposium on Access Control Models and Technologies, the International Symposium on Multimedia Software Engineering, the ACM Workshop on Multimedia Databases, and the Annual International Conference on Mobile and Ubiquitous Systems. He was a Program Co-Chair for the IEEE Workshop in Information Assurance.