Solving security & privacy challenges for businesses since 1995

[Marlena] provided actionable recommendations to meet immediate needs as well as presenting a long term roadmap...Two years later, Marlena's recommendations are still on point. ...[Her] work is considered invaluable by the information technology decision makers. Both internal and external resources had previously attempted the project but were unable to make progress due to the complexity and scope of the system, processes, and requirements.

—Jeffrey Parker, Software Engineer, Harvard Medical School


Overview

My technical areas of expertise include software architecture, security, privacy, identity management, federated systems, and software development (especially dealing with other people's tangled code). Specific technologies and standards I've worked with include REST APIs, LDAP, SQL databases, servlets, HTTPD, HIPAA, GDPR, crypto systems, low-level networking tools, OAuth/OIDC, and SAML/Shibboleth.


Analysis & Design Of Secure Networked Applications

I can help you quickly get to a point where you are ready to do design. Then I can help you create a secure design that is practical and manageable. My Case Studies page provides real-life examples of my analysis and design work.


Evaluating Vendors & Their Products

I have a laser-like ability to cut through vendor claims and identify the actual pros and cons of a product given your circumstances. I'll help you get a product that meets your needs.


Requirements Development

Accurate requirements are the foundation of a successful project. I can tease out requirements from the sometimes vague descriptions expressed by your customers and/or staff members. Requirements generation is its own art. Even gurus in your project's area don't necessarily have the skill set to figure out requirements. Reason: the requirements person has to be able to communicate with people who are not experts. As I'm sure you know, gurus don't always do end user-speak—or CIO-speak. I do.


Accountability And Legacy Systems

"Accountability" in an IT security context is your ability as a system owner to figure out WHO did WHAT to WHICH resource. Many legacy IT systems have their own authentication and authorization subsystems built in. How do you put together new applications with legacy data and still keep the overall system secure?

Among the issues here are identity mapping, and credential (or attribute) mapping. Some solutions leave you without the ability to know who/what/which. Overly complex solutions are a nightmare to manage, but some typical simple solutions make accountability fly out the window.
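As an added illustration (not the consultant's own code) of the trade-off above: a "simple" shared-service-account integration makes the legacy audit log record the same account for everyone, so WHO is lost, while an identity-mapping layer translates each federated subject to its own legacy account and keeps the original subject on the record. The federated subjects, legacy accounts and resource names are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LegacySystem:
    """Stand-in for a legacy app with its own local accounts and audit log."""
    accounts: set
    audit_log: list = field(default_factory=list)

    def perform(self, legacy_user: str, action: str, resource: str,
                on_behalf_of: Optional[str] = None) -> None:
        """Run an action as a local account and record WHO did WHAT to WHICH."""
        if legacy_user not in self.accounts:
            raise PermissionError("unknown legacy account: %s" % legacy_user)
        self.audit_log.append({"who": legacy_user, "on_behalf_of": on_behalf_of,
                               "what": action, "which": resource})


def shared_account_access(legacy, federated_subject, action, resource):
    """Typical 'simple' integration: every caller runs as one service account.
    The legacy log shows svc_portal for everyone, so WHO is gone."""
    legacy.perform("svc_portal", action, resource)


def mapped_identity_access(legacy, id_map, federated_subject, action, resource):
    """Identity mapping: translate the federated subject (a hypothetical
    SAML/OIDC identifier) to that user's own legacy account and keep the
    original subject on the audit record. Unmapped subjects are refused
    rather than silently falling back to a shared account."""
    legacy_user = id_map.get(federated_subject)
    if legacy_user is None:
        raise PermissionError("no legacy account mapped for %s" % federated_subject)
    legacy.perform(legacy_user, action, resource, on_behalf_of=federated_subject)


def who_did_what(legacy, resource):
    """Answer the accountability question for one resource from the log."""
    return [(e["on_behalf_of"] or e["who"], e["what"])
            for e in legacy.audit_log if e["which"] == resource]


def demo():
    """Constructed sample: two users act on the same record via both integrations."""
    id_map = {"alice@example.edu": "alice_l", "bob@example.edu": "bob_l"}
    shared = LegacySystem(accounts={"svc_portal"})
    mapped = LegacySystem(accounts=set(id_map.values()))
    for subject, action in [("alice@example.edu", "read"), ("bob@example.edu", "update")]:
        shared_account_access(shared, subject, action, "record/42")
        mapped_identity_access(mapped, id_map, subject, action, "record/42")
    return who_did_what(shared, "record/42"), who_did_what(mapped, "record/42")
```

Running `demo()` shows the shared-account log attributing both actions to `svc_portal`, while the mapped log names alice and bob individually.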


Privacy

Privacy is a hot topic, particularly in the medical field, private banking, and higher education. I've done significant work in privacy over the last fifteen years, including creating a policy language for user consent. Consent, in particular, is highly relevant to new data protection rules from the EU (the GDPR). The rules are European but affect US institutions. Upshot: I can help you design or enhance systems so that you can address your privacy and related compliance needs (as well as your security needs).


Demystifying Security

Feel confused by "security"? I can help you understand. For a quick look on how I think about security and how I explain things (for lay people) take a look at my essay A Wake-up Call on Risks and Consequences. You'll learn something important and might be amused along the way.


RFID

I did extensive work while at IBM on RFID. This work led me to write an article, "RFID and Authenticity of Goods", which was published as a chapter in RFID: Security, Privacy, and Applications, edited by Garfinkel and Rosenberg (2005). Since I'm the copyright holder, you can read this chapter (as a PDF) here.


Regulatory Compliance

I have significant experience in regulatory compliance. Specifically, I served as the "technology lawyer" (more about this below) for IBM's SOA Appliance Group's successful completion of certification against a stringent US and international government security standard, the Common Criteria (CC).

I interpreted the CC rules for the rest of the team and read tens of thousands of lines of pre-existing code so I could write the required documents. I also developed and implemented the CC-required test plan, and did most of the interaction with the government-approved overseers who held the fate of the certification in their hands. I had a lot of success in persuading these overseers to accept rule interpretations that made sense in the context of the product. (That's why my fellow team members dubbed me the "technology lawyer.")

My skill set and experience can help you with your regulatory compliance needs. I can deeply understand both the rules and your product—and how the two fit together.

Phone: 617_216_6563