Kenneth Myers
School of Technology and Business
Marymount University
March 21, 2021
Literature Review Workbook
Table of Contents
- Reflecting on Research
i. Historical Background
ii. Contemporary Context
iii. Theories and Concepts
iv. Previous Research and Limitations
v. Significance of the Issue
- Tracking and Recording Search Results
Reflecting on Research
My Research Topic: Where have all the Identirati gone? An Identity and Access Management Competency Model
Research Questions:
- What are the foundational identity and access management architecture areas?
- How can a curriculum incorporate identity and access management training modules into a broader cybersecurity program?
- With the importance of Identity and Access Management identified with its own OMB memo 2019, why doesn’t the U.S. government have identity and access management work roles and competencies?
Historical Background
# | Relevant points to include in relation to your own research topic | Key references |
---|---|---|
1 | Obama Administration wrote a Federal Cybersecurity Workforce Strategy | Donovan, S., Cobert, B., Daniel, M., and Scott, T. (2016, July 16). Strengthening the Federal Cybersecurity Workforce. The White House President Barack Obama. https://obamawhitehouse.archives.gov/ |
2 | There are wide variations in the quality and security of identification used to gain access to secure facilities where there is potential for terrorist attacks. In order to eliminate these variations, U.S. policy is to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (including contractor employees). This directive mandates a federal standard for secure and reliable forms of identification. | White House. (2020, April 23). Homeland security presidential directive 12. Department of Homeland Security. https://www.dhs.gov/ |
Contemporary Context
# | Relevant points to include in relation to your own research topic | Key references |
---|---|---|
1 | Success in [both public health and cybersecurity] ultimately depends not only on technical progress but on reaching a political agreement about the relative value of some public good in comparison to other societal values and the institutions granted authority to resolve conflicts (along with the methods they might use). | Schneider, F. B., & Mulligan, D. K. (2011). A Doctrinal Thesis. IEEE Security & Privacy Magazine, 9(4), 3–4. https://doi.org/10.1109/msp.2011.76 |
2 | The Office of Management and Budget requires all agencies to implement a specific identity architecture called the Federal Identity, Credential, and Access Management Architecture. | Office of Management and Budget (OMB). (2019). Enabling Mission Delivery through Improved Identity, Credential, and Access Management. Office of Management and Budget Memo Series. https://www.whitehouse.gov/ |
3 | Of the seven domains required by CISSP, Domain 5 is Identity and Access Management. | ISC2. (2021). CISSP – the world’s premier cybersecurity certification. ISC2. https://www.isc2.org/ |
4 | Adversary tactics and techniques | MITRE ATT&CK®. (2021). MITRE ATT&CK. https://attack.mitre.org |
Theories and Concepts
# | Relevant points to include in relation to your own research topic | Key references |
---|---|---|
1 | NIST NICE Framework | Petersen, R., Santos, D., Smith, M., Wetzel, K., and Witte, G. (2020). National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. National Institute for Standards and Technology Special Publication. https://doi.org/10.6028/NIST.SP.800-181r1 |
2 | A cyber competency model | Furnell, S. (2020). The cybersecurity workforce and skills. Computers and Security, 100. |
3 | Federal government identity and access management reference architecture | General Services Administration (GSA). (2020). Federal Identity, Credential, and Access Management Architecture. Retrieved October 11, 2020, from https://arch.idmanagement.gov/ |
4 | Zero trust identity approaches | Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture. NIST Special Publication, 800(207), 1–50. https://doi.org/10.6028/nist.sp.800-207 |
5 | Cybersecurity curricula | Association for Computing Machinery, IEEE Computer Society, Association for Information Systems Special Interest Group on Security, & International Federation for Information Processing Technical Committee on Information Security Education. (2015). Cybersecurity curricula 2017. https://cybered.hosting.acm.org/wp/ |
6 | NIST Cybersecurity Framework Protect Category for Identity Management and Access Control | NIST. (2018). Framework for improving critical infrastructure cybersecurity version 1.1. https://nvlpubs.nist.gov/ |
7 | DHS CDM Phase 2 – Identity – Trust, behave, cred, and privilege | DHS. (2018). PRIVMGMT: The First Step Toward CDM Phase 2 Capabilities. https://us-cert.cisa.gov/ |
8 | CYBOK version 1.0 | University of Bristol. (2020). CyBOK version 1.0. CYBOK. https://www.cybok.org/knowledgebase/ |
9 | IDPRO BOK | IDPro. (2020, December 16). IDPro’s Body of Knowledge. https://idpro.org/body-of-knowledge/ |
Previous Research and Limitations
# | Relevant points to include in relation to your own research topic | Key references |
---|---|---|
1 | Cybersecurity is a relatively new field that doesn’t always integrate neatly with other computing programs. Online learning and co-op education can appear threatening or too difficult to incorporate for universities. | Hoffman, L., Burley, D., & Toregas, C. (2012). Holistically building the cybersecurity workforce. IEEE Security & Privacy Magazine, 10(2), 33–39. https://doi.org/10.1109/msp.2011.181 |
2 | To remain up to date with the developments in the area and market needs, cybersecurity master programs evolve. Their evolution includes updating the contents of their courses as well as changing the structure of programs to incorporate more specific security courses into the set of core courses and to offer more elective courses. We point out that this evolution has been aligned with the available faculty and expertise. | Cabaj, K., Domingos, D., Kotulski, Z., & Respício, A. (2018). Cybersecurity education: Evolution of the discipline and analysis of master programs. Computers & Security, 75, 24–35. https://doi.org/10.1016/j.cose.2018.01.015 |
3 | A third area of focus is federated identity access management and single sign-on. Online operations increasingly require the use of common credentials to access multiple systems and services, such as the use of Google, Microsoft, or Facebook credentials to log into various websites. Federated identity access management and single sign-on technologies provide this ability. Often, a group of organizations will share identity attributes based on security frameworks, trust, standards, and policies. | Gordon, A. (2016). The Hybrid Cloud Security Professional. IEEE Cloud Computing, 3(1), 82–86. https://doi.org/10.1109/mcc.2016.21 |
4 | What we have learned from recent work is how important it is to understand the topology of the application. Our approach considers a separation of duties between a security architect (i.e., who is an expert in security and understands the topology of the application), a Cloud provider, and application developers. We allow the security architect to describe the security infrastructure and express his requirements (the “what”). We let the Cloud provider provision the security infrastructure to protect the application according to the requirements (the “how”). | Vo, T. H., Fuhrmann, W., & Fischer-Hellmann, K.-P. (2017). How to adapt authentication and authorization infrastructure of applications for the cloud. 2017 IEEE 5th International Conference on Future Internet of Things and Cloud (FiCloud), 54–61. https://doi.org/10.1109/ficloud.2017.14 |
5 | IAM is a solution to manage the access of resources which includes verifying the user and authorization based on the protected resources and user’s role. | Sharma, A., Sharma, S., & Dave, M. (2015). Identity and access management- a comprehensive study. 2015 International Conference on Green Computing and Internet of Things (ICGCIoT), 1481–1485. https://doi.org/10.1109/icgciot.2015.7380701 |
6 | We propose two areas of future research: one, examine which techniques are appropriate for assessing more granular role types, such as breaking security practitioner into security architect and penetration tester, and two, assess cost-effectiveness by including a quantitative metric of cost similar to what has already been done for assurance techniques. | Knowles, W., Such, J. M., Gouglidis, A., Misra, G., & Rashid, A. (2017). All That Glitters Is Not Gold: On the Effectiveness of Cybersecurity Qualifications. Computer, 50(12), 60–71. https://doi.org/10.1109/mc.2017.4451226 |
7 | First of all, for the inconsistent implementation, someone who is familiar with the protocol specification and has a well understanding of cryptography and information security should be recruited. | Tan, Y., Li, W., Yin, J., & Deng, Y. (2020). A universal decentralized authentication and authorization protocol based on Blockchain. 2020 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 7–14. https://doi.org/10.1109/cyberc49757.2020.00012 |
8 | Our ontological network for the cybersecurity ecosystem is not based off current market trends and behaviors. Further research needs to be done with empirical data from the field. When translating the private sector into KSATs, this came with some subjectivity. We used multiple coders for validation; there is still room for interpretation. | Kim, K., Smith, J., Yang, T. A., & Kim, D. J. (2018). An exploratory analysis on cybersecurity ecosystem utilizing the NICE framework. 2018 National Cyber Summit (NCS), 1–7. https://doi.org/10.1109/ncs.2018.00006 |
Significance of the Issue
# | Relevant points to include in relation to your own research topic | Key references |
---|---|---|
1 | With billions of devices now on the internet, it has created a greater need to secure devices and stretch existing security and support teams. | Ritchey, D. (2014). Blindspot: Why the security talent gap could be the next big crisis. Security, 51(5), 18-18,20,22,24. Retrieved from https://www-proquest-com.proxymu.wrlc.org/ |
2 | Gartner forecasts the Worldwide Public Cloud Service Revenue to increase 50% from 2019 to 2022. | Costello, K. and Rimol, M. (2020, July 23). Gartner Forecasts Worldwide Public Cloud Revenue to Grow 6.3% in 2020. Gartner Newsroom Press Releases. https://www.gartner.com/ |
3 | Verizon Data Breach Investigations Report found that phishing and credential theft are among the top threat actions in breaches. | Verizon Enterprise. (2020). 2020 Data Breach Investigations Report. https://enterprise.verizon.com/ |
4 | Malicious cyber actors are abusing trust in federated authentication environments to access protected data. | NSA. (2020, December). Detecting abuse of authentication mechanisms. Department of Defense. https://media.defense.gov/ |
5 | In the past few weeks, we’ve been witnessing one of the most elaborate supply-chain attacks unfold with a threat actor that infected SolarWinds Orion source code and used the update process to get to around 18,000 victims all around the globe. One of the most (if not the most) innovative techniques used in this attack, now known as Solorigate, is the “Golden SAML” technique. | Reiner, S. (2020, December 29). Golden SAML revisited: The solorigate connection. CyberArk. https://www.cyberark.com/ |
6 | Knowledge-Based Verification Poses Risks, but Alternative Techniques Have Been Developed That Are More Secure. | GAO. (2019). Federal agencies need to strengthen online identity verification processes (No. 19–288). https://www.gao.gov/ |
7 | RPs do not always implement OAuth 2.0 correctly; as a result, many real-world OAuth 2.0 and OpenID Connect systems are vulnerable to attack. | Li, W., & Mitchell, C. J. (2020). User Access Privacy in OAuth 2.0 and OpenID Connect. 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), 664–672. https://doi.org/10.1109/eurospw51379.2020.00095 |
Tracking and Recording Search Results
Name of the catalogue, database, search engine, or social bookmarking site | Key word searches conducted, or tags used | Results of search | Date of search |
---|---|---|---|
IEEE Computer Society | “identity management” AND “competency” AND year=2015-2021 | 9 | 02/18/2021 |
IEEE Computer Society | cybersecurity AND workforce | 20 | 02/20/2021 |
ACM | [All: cybersecurity] AND [All: workforce] AND [All: planning] AND [Publication Date: Past 5 years] AND [Publication Type: Journals] | 19 | 02/20/2021 |
ProQuest Peer-Reviewed | “cybersecurity workforce” AND planning | 15 | 03/02/2021 |
EBSCO | cybersecurity AND workforce AND planning | 2 | 03/02/2021 |
Gale | cybersecurity AND workforce AND planning | 0 | 03/06/2021 |
Gale | cybersecurity AND workforce AND planning | 2 | 03/19/2021 |
IEEE Computer Society | cybersecurity AND workforce AND competency | 19 | 03/20/2021 |