MITRE’s ranks include several female cyber experts who’ve been leaders in the field for more than 30 years. Many helped to create early cyber doctrines, processes, and breakthroughs that the cyber community still uses today. Lorrayne Auld, who recently retired after three decades, discusses why sometimes the “less sexy” sides of cybersecurity are often among the most important.
Beyond the Password: Cyber Expert Dedicates Life’s Work to Identity Management
Decades ago, before the term “cybersecurity” was coined, a couple of dozen employees became MITRE’s earliest cyber practitioners. Well before we created our Early Career Cyber Professionals program to introduce individuals to countless tracks within the cyber world, there was just one department focused on computer security.
Thirty years ago, that’s where Lorrayne Auld found herself with no idea of where it would take her or where she wanted to go. Auld’s father, Marvin Schaefer, had encouraged her to apply after having positive experiences collaborating with several MITRE staff throughout his career in the Intelligence Community.
Schaefer's pioneering efforts in the cyber domain included work on the Trusted Computer System Evaluation Criteria. More commonly known as "The Orange Book," the landmark computer security publication also included contributions by MITRE’s Grace Hammonds Nibaldi and Peter Tasker.
Paving Her Own Path in Identity Management Security
Lorrayne Auld
In 1994, three years into her MITRE tenure at our McLean, Va., campus, Auld had her first experience with the nascent World Wide Web through our independent research program, on a project initiated by Mindy Rudell (now director, Cyber Solutions Innovation Center). Auld’s task was to study web and browser security features and the protocols and standards used to secure web pages.
She helped stand up mechanisms that issue PKI (public key infrastructure) certificates and enabled an early implementation of identity management. That work involved enabling access control by parsing fields in a PKI certificate. In simpler terms: “We distinguished what roles and rules to assign an individual or resource to grant or restrict access to certain pages,” Auld says.
The work was an early iteration of what is now commonly referenced as Identity, Credential, and Access Management (ICAM). It resonated with Auld as the crux of safeguarding data hosted on web servers.
On her next project in the mid-90s, she leveraged the early implementation of ICAM while working on an intranet for the intelligence community called Intelink. Auld’s team interfaced with a variety of vendors through the project, and over time encouraged them to improve the security posture of their tools. “It was really cool seeing the fruits of our labor incorporated into product lines,” she says, noting Netscape, one of the first successful internet browsers, was an early adopter.
Auld later moved to San Diego to support a Navy security work program. She returned to McLean after spending 12 years supporting the Navy’s cyber and ICAM-related projects. For the last five years of Auld’s career, she worked with the Internal Revenue Service, Department of Homeland Security, National Institute of Standards and Technology (NIST), and others.
Are You Really You? When Passwords Aren’t Enough
Robust identity management security is the first line of defense against identity theft and fraud. Applicable technologies and best practices empower an individual or organization to block entrances to unintentionally disclose lots of information.
“It’s a hard and broad problem space,” Auld says. “Passwords simply aren’t enough.”
The importance of digital identity is finally being noticed, and people are recognizing its critical role in cybersecurity.
Add to that the “different applications, devices, and providers, which need to have infrastructure in place to protect identities, and it becomes a real group effort,” she notes.
The user is also a factor. “You have this wide mixture of education and computer savviness. We have to account for all of that,” she says.
Mechanisms to restrict access to what users can and can't do require different policies. Auld gives an example of a bank. If an account holder just wants to look at their bank balance, a password may be sufficient. But if they want to transfer $10,000, “You need more due diligence to prove who they are and to ensure they are authorized to perform that transaction,” she explains.
Advice to Women Up and Coming in the Cyber Field
Auld acknowledges some workplaces can be hard for women to navigate. Over the years she’s mentored many young people at MITRE, including Neha Singh, who describes her as “highly respected and well known for her deep and unbiased expertise in the ICAM community.”
Singh credits Auld for her success, especially during a time when very few women were in the field. “I consider Lorrayne to be my big sister personally and my mentor professionally,” she says. “She’s always offered me the best of both worlds.”
Auld balances a calm disposition with an authoritative presence, which has been key steering her through challenging environments. That said, she tells her mentees to practice patience and according to Singh: “Always be yourself, be honest, and do what your gut tells you.”
Retiring While You’re Ahead
Auld isn’t a huge fan of presenting in front of crowds. The self-proclaimed “lab rat” would much rather be in front of her computer screens crunching data, applying emerging technologies, developing best practices, and devising implementation strategies.
But she knows the value of visibility, so for the past several years she has frequented the conference circuit spreading knowledge and speaking about the ICAM mission.
Although Auld officially retired from MITRE a few months ago, she will continue her volunteer work with non-profits Women In Identity, ID Pro, and the Kantara initiative, which establishes conformance criteria for the NIST digital identity guidelines, SP 800-63. She also hopes to continue her role as a member of the content committee for Identiverse, a vendor-neutral conference for ICAM practitioners.
It’s all been part of her goal for the past 25 years to get the word out. “These days young people want to fight hackers in cybersecurity instead of being an identity practitioner, but in actuality it’s much less sexy than it seems.” Auld often jokes: “You can't compete with Hollywood.”
She’s been pleasantly surprised to see identity management get its due, making it the opportune time to bow out. “The importance of digital identity is finally being noticed, and people are recognizing its critical role in cybersecurity,” she says.
“I'm very happy and proud of that.” For the record, her father is too.
Join our community of innovators, learners, knowledge-sharers, and risk takers. View our Job Openings.