Disclaimer: The opinions of the columnists are their own and not necessarily those of their employer.

Draining the Swamp written by Patrick Foley

Patrick Foley

After a career path that wound through journalism, secondary school administration and coaching, Pat Foley, while managing several customer service groups in Harvard University’s financial administration, became increasingly involved in solving business challenges by linking enterprise technology with better transparency of business intelligence and improved operational processes. Several positions managing and implementing enterprise technology projects followed until he became the Program Manager for Fidelity Investments’ fledgling identity management program in 1999.

Armed with a management mandate to deploy a universal identifier, Pat worked closely with a small, talented technical team and a large number of initially bemused business stakeholders to extend the CorpID program across Fidelity’s global reach, and in three years had provided the “one number that does it all” for the widely distributed and diversified financial services firm.

Once CorpID was fully deployed, Pat became, first, Principal Information Security Risk Analyst and later Technical Risk Advisor for FMR Co., Fidelity’s investment arm. In these roles, Pat conceived, designed, documented and oversaw the delivery of an integrated access control tool called ARROW that combined fine-grained authorization for Web and fat-client applications, databases and an AS/400. ARROW enabled online access certifications, collected resource metadata and managed the company’s RBAC program.

After leaving Fidelity in 2006, Pat worked briefly in Symantec Corporation’s consulting group before becoming Senior Manager of Access Control and Risk Assessment at Starwood Hotels and Resorts Worldwide, where he was involved in securing SOA deployments, identity management, data protection, and application and vendor risk assessments. He is now Director of Global Technology Compliance for Starwood and Program Manager of the Payment Card Industry (PCI) technology remediation program currently underway there.

Pat, his wife, Judi, and daughter, Micaela, live in Milton, MA, near Boston.

Crossing the Metrics Rubicon: Quest for the Perfect Measurement

– Security metrics represent a great untamed wilderness for organizations trying to determine both their risk profile and the effectiveness of the resources they have allocated to their security program. When I first became a security person after a career managing customer service, finance, and…

Provisioning: Security’s First Step to Measuring Organizational Impact

– Security is often accused, occasionally with merit, of being an obstacle to an organization’s business. While the drumbeat of cyber threats has at least raised the technology risk consciousness of many business managers, security professionals still have the challenge of quantifying how big an…

RBAC For More

– Organizations that face significant regulatory scrutiny — or have large numbers of disparate systems containing highly sensitive data — are most likely to have, or at least to need, Roles-Based Access Controls (RBAC). These organizations are usually trying to accomplish two ends by…

R U RBACing?

– Roles-Based Access Control is so basic a security control, like keeping your anti-virus definitions updated, that it hardly seems worth discussing. Even the least security-minded among us are unlikely to question the motherhood and apple pie concept of only giving associates those tools required…

The Final Step in a Homegrown IDM Solution (pt. 3) - So, let’s start hammering

– To recap briefly, we have identified and analyzed all our primary sources of user data and the system and service providers who consume those data.  We have funding, developers, and a project plan to follow.  We understand our provisioning process, have identified or built a directory of user…