USA! USA! We’re number … what?

Americans like to think we lead the free world in everything. And for many years, we did. “Made in Japan” used to mean cheap and crappy. “Made in China” really didn’t, until lead started showing up in the baby formula and the drywall. Those are the growing pains of capitalism, I suppose, and I presume they’ll get quality control under, uh, control. We invented the Internet, the browser (civilians don’t really understand that the Web isn’t all there is to the Internet), the assembly line, the atomic bomb (oops), Heather Locklear (in your face, Putin), and Lindsay Lohan (double oops).
But the USA has been dragging on several fronts for years. Manufacturing has been drying up like crazy, because it’s actually cheaper to import stuff by boat than it is to build it right here. A whole lotta innovation is coming from overseas. Other countries even take stuff invented by Americans and figure out how to launch it commercially, then sell it right back to the states. What the hell!
Another place the USA lags is in computer security. More than ten years ago, I had a HUGE customer that was bought by a German parent. The Germans had their own security standards that dwarfed those of their child companies. A big component of it was the use of tokens, plus digital signing. The Germans wanted non-repudiation of every transaction. Accountability. And this was pre-Enron, pre-Andersen, pre-shred-a-palooza.
Asians, Australians, Europeans, Indians, they all came up with security standards pre-dating Enron, and the ones they came up with AFTER Enron were still better than those in the USA, even though Enron was a uniquely American economic disaster.
In India, they enacted a data protection law that was so stringent and so nasty that people went to jail, almost immediately, and in fact there were demands to back off a little. Those guys were not screwing around. In the USA, HIPAA was enacted in tiny little stages, with lots of warning, and even then the penalties amounted to a slap on the wrist. PCI can be ugly, but it’s not ugly enough, given the awful damage that can be done to people if their credit and other data escape. Contrast these to NERC, at least, and you get the equivalent of a sound beating with a stick.
Once again, the Germans are in the forefront. They build better cars, and they build better privacy laws. The European Privacy Directives are pretty good standards already, and in fact I use them as my privacy model in the compliance section of my book. I have a European client that is getting beaten up by their German contingent on privacy. No screwing around here. If I could summarize the model over there, it’s “collect only the data you’re supposed to, expose it only to the people who need it, use it only for what it’s meant for, then get rid of it.” No selling it to telemarketers, no analyzing it for other purposes, no keeping it around just in case you think you might want it later. Whatever you collect, put it in the right bucket for the right period of time, then it gets irretrievably dumped.
Maybe I admire the Germans’ attitude because I’m mostly German. But really, I deal with my clients’ audit requirements all the time, and the healthcare guys, where the data SHOULD be in a lockbox, seem to get away with murder. Other people skate by because even after a slap-in-the-face audit, they only have to provide a letter indicating that they were at least semi-aware of their deficiencies, and they promise never to do it again.
Sorry, USA, but we’re way behind on green energy, making stuff, educating our children, and securing our data assets. Time to buckle down.