<?xml version="1.0" encoding="ISO-8859-1"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" version="2.0"> 
	<channel> 
		<title>KuppingerCole</title> 
		<link>http://www.kuppingercole.com</link> 
		<description>KuppingerCole News</description> 
				<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/kuppingercole" /><feedburner:info xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" uri="kuppingercole" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><geo:lat>48.13</geo:lat><geo:long>11.56</geo:long><feedburner:emailServiceId xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">kuppingercole</feedburner:emailServiceId><feedburner:feedburnerHostname xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">http://feedburner.google.com</feedburner:feedburnerHostname><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.bloglines.com/sub/http://feeds.feedburner.com/kuppingercole" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" 
href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fkuppingercole" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><item> 
			<pubDate>Wed, 15 May 2013 20:25:04 +0200</pubDate>
			<title>European Identity &amp; Cloud Award 2013: OAuth 2.0 - 70778</title> 
			<link>http://www.kuppingercole.com/report/eicaward2013_oauth</link> 
			<guid>http://www.kuppingercole.com/report/eicaward2013_oauth</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;European Identity Award 2013 for &amp;bdquo;Best Innovation/New Standard in Information Security&amp;rdquo;: A new standard that rapidly gained momentum and plays a central role for future concepts of Identity Federation and Cloud Security.&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/eicaward2013_oauth"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/TfEFsU5baRk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:23:30 +0200</pubDate>
			<title>European Identity &amp; Cloud Award 2013: Volkswagen Financial Services AG - 70775</title> 
			<link>http://www.kuppingercole.com/report/eicaward2013_vwfs</link> 
			<guid>http://www.kuppingercole.com/report/eicaward2013_vwfs</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Special Award 2013 for &amp;bdquo;Bridging the organizational gap between Business and IT&amp;rdquo;: A project that was far above average when it comes to Business/IT Alignment, by successfully setting up a framework of guidelines and policies plus the required organizational entities and rolling this out into a global organization.&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/eicaward2013_vwfs"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/dVX1raXi8IU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:22:10 +0200</pubDate>
			<title>European Identity &amp; Cloud Award 2013:  Swiss Reinsurance Company Ltd - 70774</title> 
			<link>http://www.kuppingercole.com/report/eicaward2013_swissre</link> 
			<guid>http://www.kuppingercole.com/report/eicaward2013_swissre</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;European Identity Award 2013 in category &amp;bdquo;Best Access Governance and Intelligence Project&amp;rdquo;: Holistic IAM/IAG approach following new architectural concepts and enabling Dynamic Authorization Management based on business rules.&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/eicaward2013_swissre"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/H51SLH6OV6c" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:21:06 +0200</pubDate>
			<title>European Identity &amp; Cloud Award 2013: Schindler Informatik AG - 70771</title> 
			<link>http://www.kuppingercole.com/report/eicaward2013_schindler</link> 
			<guid>http://www.kuppingercole.com/report/eicaward2013_schindler</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Special Award 2013 for &amp;bdquo;Rapid Re-Design and Re-Implementation of the Entire IAM&amp;rdquo;: Moving from a traditional, Active Directory-centric environment to full HR integration on a global scale and full support for automated provisioning, based on a clearly defined roadmap for further improvement.&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/eicaward2013_schindler"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/-aPR_M_sY_A" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:18:12 +0200</pubDate>
			<title>European Identity &amp; Cloud Award 2013: Deutsche Bank AG - 70772</title> 
			<link>http://www.kuppingercole.com/report/eicaward2013_deutschebank</link> 
			<guid>http://www.kuppingercole.com/report/eicaward2013_deutschebank</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;European Identity Award 2013 in category &amp;bdquo;Best Access Governance and Intelligence Project&amp;rdquo;: Implementing cross-divisional SoD rules on a global scale at business level, with full integration into the existing Access Governance solution.&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/eicaward2013_deutschebank"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ADi-cRFlEV0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:06:28 +0200</pubDate>
			<title>European Identity &amp; Cloud Awards 2013</title> 
			<link>http://www.kuppingercole.com/articles/award2013</link> 
			<guid>http://www.kuppingercole.com/articles/award2013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; Am heutigen Abend verlieh die Analystengruppe KuppingerCole im Rahmen der siebten European Identity &amp; Cloud Conference (EIC) in unterschiedlichen Kategorien den European Identity &amp; Cloud Award 2013. Dieser Award zeichnet herausragende Projekte und Initiativen in den Bereichen Identity &amp; Access Management (IAM), GRC (Governance, Risk Management and Compliance) und Cloud Security aus. Nominiert waren zahlreiche Projekte, die im Laufe der letzten 12 Monate von Anwenderunternehmen und Herstellern...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/articles/award2013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/EKW_gPzWGZU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 15 May 2013 20:04:11 +0200</pubDate>
			<title>European Identity &amp; Cloud Awards 2013</title> 
			<link>http://www.kuppingercole.com/articles/award2013</link> 
			<guid>http://www.kuppingercole.com/articles/award2013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; The European Identity &amp; Cloud Awards 2013 were presented tonight by the analyst group KuppingerCole at the seventh European Identity &amp; Cloud Conference. This award is honoring outstanding projects and initiatives in Identity &amp; Access Management (IAM), Governance, Risk Management and Compliance (GRC), and Cloud Security. Numerous projects have been nominated by vendors and end-user companies during the last 12 months. Winners have been chosen by KuppingerCole analysts among the most...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/articles/award2013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/EKW_gPzWGZU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 14 May 2013 17:21:48 +0200</pubDate>
			<title>Advisory Note: From Big Data to Smart Information - 70750</title> 
			<link>http://www.kuppingercole.com/report/advisorynote_bigdatasmartdata70750140513</link> 
			<guid>http://www.kuppingercole.com/report/advisorynote_bigdatasmartdata70750140513</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Big Data is characterized by three properties: there is now an enormous quantity of data which exists in a wide variety of forms and is being generated very quickly. However, the term &amp;ldquo;Big Data&amp;rdquo; is as much a reflection of the limitations of the current technology as it is a statement on the quantity, speed or variety of data. The term Big Data needs to be understood as data which has greater quantity, variety or speed than can be comfortably processed using the technology that...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisorynote_bigdatasmartdata70750140513"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/D2-F307cXQE" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 14 May 2013 14:23:11 +0200</pubDate>
			<title>Executive View: Big Data and Information Stewardship - 70744</title> 
			<link>http://www.kuppingercole.com/report/executiveview_stewardship7074414052013</link> 
			<guid>http://www.kuppingercole.com/report/executiveview_stewardship7074414052013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Big Data provides many opportunities to solve emerging business challenges and Big Data technologies can create business value. However Big Data also creates security challenges that need to be considered by organizations adopting or using Big Data techniques and technologies. This paper outlines the information security risks involved in Big Data and recommends the responses to these based on the concepts of information stewardship and information centric security...&lt;/p&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/executiveview_stewardship7074414052013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/_-iKdkxOEPY" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 14 May 2013 14:19:15 +0200</pubDate>
			<title>Advisory Note: Life Management Platforms: Control and Privacy for Personal Data - 70745</title> 
			<link>http://www.kuppingercole.com/report/advisorynote_lidmanagementcontrol70745140513</link> 
			<guid>http://www.kuppingercole.com/report/advisorynote_lidmanagementcontrol70745140513</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information &amp;ndash; information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy and security-aware sharing of that information, without the risk of losing control of that information. A key concept is &amp;ldquo;informed pull&amp;rdquo;...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisorynote_lidmanagementcontrol70745140513"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/zUDyGkfiqHk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 13 May 2013 22:14:48 +0200</pubDate>
			<title>Advisory Note: Top Trends 2013-2014 IAM/IAG, Cloud, Privacy - 70782</title> 
			<link>http://www.kuppingercole.com/report/trendreports_2013_2014iam_iag70782130513</link> 
			<guid>http://www.kuppingercole.com/report/trendreports_2013_2014iam_iag70782130513</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;As in the past years, KuppingerCole has worked out the Top Trends in IAM/IAG (Identity and Access Management/Governance), Cloud Computing, and Information Protection and Privacy. The most important trends are the massive increase in demand for support of the &amp;ldquo;Extended Enterprise&amp;rdquo; in IAM/IAG, the cloud stratification in various layers, increasing threats imposed by the rise of cybercrime, and the emergence of Life Management Platforms. In the following sections, we name the five...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/trendreports_2013_2014iam_iag70782130513"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/3nCm1dL73Hg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 13 May 2013 22:10:17 +0200</pubDate>
			<title>Advisory Note: Typical Risks and Pitfalls for IAM and IAG projects - 70749</title> 
			<link>http://www.kuppingercole.com/report/advisoryreportiam_iag707491352013</link> 
			<guid>http://www.kuppingercole.com/report/advisoryreportiam_iag707491352013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Identity and Access Management (IAM) is a holistic approach to managing identities (both internal and external) and their access within an organisational framework. The key benefit to the business should be to enable people to do their jobs more effectively. If deployed correctly, IAM can help achieve this in a multitude of different ways for different departments and roles within them; internal staff and external partners and customers. However, this also makes it a complex issue which...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisoryreportiam_iag707491352013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/zPX0fNedWFw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 13 May 2013 12:48:46 +0200</pubDate>
			<title>Another dead body in IT? Or is XACML still alive?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/05/13/another-dead-body-in-it-or-is-xacml-still-alive/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/05/13/another-dead-body-in-it-or-is-xacml-still-alive/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Since my colleague Craig Burton has declared that &lt;a href="http://blogs.kuppingercole.com/burton/2012/09/19/saml-is-dead-long-live-saml/"&gt;SAML is dead&lt;/a&gt;, it seems to be in vogue among analysts to take the role of the public medical officer and to diagnose the death of standards or even &lt;a href="http://blogs.kuppingercole.com/kuppinger/2013/02/28/do-we-need-to-kill-iam-to-save-it/"&gt;IAM&lt;/a&gt; (Identity and Access Management) in general. Admittedly, the latter case was not about diagnosing the death but proposing to kill IAM, but that does not change much. The newest in this series of dead bodies is XACML, &lt;a href="http://blogs.forrester.com/andras_cser/13-05-07-xacml_is_dead?"&gt;according to another Industry Analyst&lt;/a&gt;. So we are surrounded by dead corpses now, or maybe by living zombies. But is that really true? My colleague Craig Burton titled his blog &#x2013; for a very good reason &#x2013; &#x201c;SAML is Dead! Long Live SAML!&#x201d; That is fundamentally different from saying &#x201c;XACML is dead&#x201d;.&lt;/p&gt;
&lt;p&gt;There are a lot of good answers from experts such as &lt;a href="http://blogs.gartner.com/ian-glazer/2013/05/09/anyone-can-kill-off-a-protocol-a-k-a-xacml-isnt-dead/"&gt;Ian Glazer&lt;/a&gt;, &lt;a href="http://analyzingidentity.com/2013/05/08/xacml-alive-and-well/"&gt;Gerry Gebel&lt;/a&gt; (OK, he might be a little biased being the President of Axiomatics Americas), or &lt;a href="http://dannythorpe.com/2013/05/08/xacml-is-dead-long-live-xacml/"&gt;Danny Thorpe&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;I am clearly not suspected of being the enthusiastic XACML evangelist wearing blinders. Just ask some of the Axiomatics guys &#x2013; we had many controversial discussions over the years. However, for me it is clear that neither Dynamic Authorization Management in general nor XACML in particular is dead.&lt;/p&gt;
&lt;p&gt;What puzzled me most in this blog post was that part of the initial sentence:&lt;/p&gt;
&lt;p&gt;&lt;i&gt;XACML &#x2026; is largely dead or will be transformed into access control&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;OK, &#x201c;access control&#x201d;. XACML is access control. Access control is everything around authentication and authorization. So what does this mean? I just do not understand that sentence, sorry. XACML is a part of the overall Access Control story.&lt;/p&gt;
&lt;p&gt;From my perspective, the two most important concepts within access control are Dynamic Authorization Management and &lt;a href="http://blogs.kuppingercole.com/kearns/2013/05/07/when-three-as-are-better-than-four/"&gt;Risk-/Context-Based Access Control&lt;/a&gt; (i.e. both Authentication and Authorization). The latter will only work with Dynamic Authorization Management in place. When we know about the context and the risk and make authorization decisions based on that, then we need systems that externalize authorization and rely on rules that can take the context into account.&lt;/p&gt;
&lt;p&gt;The challenge with Dynamic Authorization Management, i.e. technologies implemented in a variety of products such as the Axiomatics Policy Server, the Oracle Entitlements Server, the IBM Security Policy Manager, Quest APS, and many others, is that it requires changes in both application code and the mindset of software developers and architects. That is a long journey. On the other hand we see some increase in acceptance and use of such technologies. Notably, Dynamic Authorization Management is not new. You will find such concepts dating back to the mid &#x2018;70s in mainframe environments, and IBM&#x2019;s good old RACF can be considered an early example of that.&lt;/p&gt;
&lt;p&gt;You still can argue that Dynamic Authorization Management is alive but XACML as the most important standard around it is dead. There are good arguments against that, and I will not repeat what the others mentioned above have said. You might discuss where to use XACML and where to rely on proprietary technology. However, do you really want to lock in your entire application landscape into a proprietary Dynamic Authorization Management technology of a single vendor? That would be a nightmare. You need to isolate your applications from the Dynamic Authorization Management system in use, and a standard helps in doing that. Just think about being locked into proprietary interfaces for all of your applications using a specific Dynamic Authorization Management system for the next 30, 40 or more years.&lt;/p&gt;
&lt;p&gt;XACML is even the better choice for COTS applications. They can rely on a standard, instead of every vendor building proprietary connectors. Most vendors will do that for Microsoft SharePoint, because SharePoint is so important. But that is the exception, not the rule. And deducing from the fact that vendors support SharePoint with proprietary interfaces (instead of using XACML) that XACML is dead is just a wrong deduction. The problem in that case is not XACML but the SharePoint security model that clearly is not the best I have ever seen (to say the least). XACML is of value. Standards are of value. And I believe you would need much better reasons to diagnose the death of standards.&lt;/p&gt;
&lt;p&gt;To learn more about the real trends in IAM, IAG, Cloud Security, and many other topics, just visit the &lt;a href="http://www.id-conf.com/"&gt;EIC 2013&lt;/a&gt; that starts on Tuesday, May 14&lt;sup&gt;th&lt;/sup&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/y0uWCv8JGek" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 13 May 2013 08:58:46 +0200</pubDate>
			<title>Advisory Note: Selecting your cloud provider - 70742</title> 
			<link>http://www.kuppingercole.com/report/advisorynote_cloudprovideselect7074213513</link> 
			<guid>http://www.kuppingercole.com/report/advisorynote_cloudprovideselect7074213513</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;The ready availability of cloud services has made it easy for employees and associates to obtain and use these services without consideration of the potential impact on the organization. Therefore, in order to ensure good governance over the use of cloud services, it is imperative that organizations create and communicate a policy for their acquisition and use. This should be supported by a simple, fast and reliable risk based process for cloud service procurement and complemented by...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisorynote_cloudprovideselect7074213513"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/w1YKEzCWtX0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 13 May 2013 08:53:19 +0200</pubDate>
			<title>Advisory Note: Maturity Level Matrixes for Identity and Access  - 70738</title> 
			<link>http://www.kuppingercole.com/report/advisorynotematuritylevel707381352013</link> 
			<guid>http://www.kuppingercole.com/report/advisorynotematuritylevel707381352013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Most large organizations and a significant number of medium-sized organizations have heavily invested in IAM (Identity and Access Management) and IAG (Identity and Access Governance) during the past few years. Some projects went well; others did not deliver as expected. But even organizations that run successful IAM/IAG projects are challenged by new evolutions, such as the increasing relevance of the &amp;ldquo;Computing Troika&amp;rdquo; of Cloud Computing, Mobile Computing, and Social Computing...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisorynotematuritylevel707381352013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/fU2MZrUXY-4" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 10 May 2013 18:25:18 +0200</pubDate>
			<title>The Common Credentials Dilemma - How to Get a Grip on Password Sprawl for Privileged Accounts</title> 
			<link>http://www.kuppingercole.com/watch/common-credentials-dilemma</link> 
			<guid>http://www.kuppingercole.com/watch/common-credentials-dilemma</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; A lot of organizations still have not mitigated one of the most severe IT security risks: Password sprawl for privileged accounts. Privileged accounts are accounts that have elevated privileges. They can be both personal, such as business users with high-level privileges, and shared, such as administrator, dba, or root – not to speak of all the admin accounts of network equipment etc. Unfortunately, a large portion of accounts with highly elevated privileges is shared. To manage these account...&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/common-credentials-dilemma"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/common-credentials-dilemma/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/common-credentials-dilemma"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UYU-dJMu5n0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 07 May 2013 10:25:02 +0200</pubDate>
			<title>When three As are better than four</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/05/07/when-three-as-are-better-than-four/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/05/07/when-three-as-are-better-than-four/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;For years we&#x2019;ve spoken about the 4 &#x201c;A&#x201d;s of identity &amp;amp; security &amp;#8211; Administration, Authentication, Authorization, and Audit, but maybe it&#x2019;s time to drop an &#x201c;A&#x201d;. Maybe it&#x2019;s time to speak of &#x201c;Access Control&#x201d; which encompasses Authentication (sometimes referred to as &#x201c;AuthN&#x201d;) and Authorization (referred to as &#x201c;authZ&#x201d;).&lt;/p&gt;
&lt;p&gt;In many instances authorization is binary and tied directly to authentication &#x2013; if a person is authenticated, then they get access to a resource. The authorization is tied only to the authenticated entity. Consider building security, for example &#x2013; swipe your proximity card and you&#x2019;re allowed in. Or, in rather more ancient practice, unlock the door with your key and get access. In the former case, the use of the proximity card (the &#x201c;token&#x201d;) is probably recorded someplace, so there is at least a rudimentary audit trail. When the key is the &#x201c;token&#x201d;, then there is no trail.&lt;/p&gt;
&lt;p&gt;Until recently, the same was true concerning access to digital resources &#x2013; if you authenticated to the system (network, server, application, etc.) then you got access as defined for the username you are using &#x2013; most typically to a group of resources.&lt;/p&gt;
&lt;p&gt;Note that there&#x2019;s no actual proof that the person being authenticated is the same person for whom that particular account was created. The standard username/password combination that comprises the vast majority of authentication transactions today gives absolutely no assurance that the &#x201c;proper&#x201d; user (whatever that means) is the one being granted access. For example, I do password protect my computer (it&#x2019;s a laptop that travels with me). But my wife knows the password, and has had to use it on rare occasions when I&#x2019;m not available, but information is needed. The computer has no idea that it&#x2019;s her and not me who is accessing those resources. Tokens do not improve this situation and biometrics provide only slightly more proof since, in practice, it isn&#x2019;t the biometric (a picture of your fingerprint, for example) but a key or token created with the parameters of the biometric.&lt;/p&gt;
&lt;p&gt;I could, of course, set up a separate account for her so that she could authenticate as herself. But for the purposes she might need to access the PC, she would need at least the exact same authorizations that I have. Creating that second account, though, reduces the security of the system. With two accounts, the risk that a breach could occur is actually doubled &#x2013; the risk of my account being compromised PLUS the risk that my wife&#x2019;s account could be.&lt;/p&gt;
&lt;p&gt;The usual method of controlling authorizations for a single user is to have multiple authentications for that user, multiple &lt;i&gt;identities&lt;/i&gt; if you will. On my Windows system, I need to sometimes authenticate as the Administrative user when I need to access system resources, install/remove software, etc. Most of the time, I authenticate as a User with a more limited set of authorizations. The same is true of &#x2018;nix systems, where the &lt;i&gt;root&lt;/i&gt; account is used sparingly, and only when needed. Even within applications, a similar system is observed &#x2013; most of the time, I would authenticate to a database as a user, but occasionally I need to be the database administrator (DBA) in order to, well, do &lt;i&gt;administrative&lt;/i&gt; stuff. Again, in reality, most people don&#x2019;t do this &#x2013; although they should &#x2013; choosing the &#x201c;ease of use&#x201d; that authenticating as the more powerful user brings.&lt;/p&gt;
&lt;p&gt;The bottom line is that the important thing is the authentication. Get that right (which usually means enter the correct password) and the authorizations flow: it&#x2019;s all or nothing, black or white, good or bad. But with data breaches, especially the theft of usernames and passwords, seemingly coming more frequently as each day goes by (and you&#x2019;d think organizations would have learned by now, wouldn&#x2019;t you?) we need to do something different.&lt;/p&gt;
&lt;p&gt;For a dozen years or so what the &#x201c;thing we need to do&#x201d; has been identified as is to replace the username/password combination with something &#x201c;stronger&#x201d;. But we&#x2019;ve learned from study after study that there really isn&#x2019;t anything strong enough &#x2013; tokens, biometrics, &#x201c;hardened&#x201d; passwords are all flawed. While stealing a biometric is tougher than guessing a password, it&amp;#8217;s a whole lot more difficult to replace a fingerprint than it is to change passwords.&lt;/p&gt;
&lt;p&gt;As I&#x2019;ve said for many years, and as I hope to re-iterate strongly at the upcoming &lt;a href="http://www.id-conf.com/eic2013" target="_blank"&gt;European Identity &amp;amp; Cloud Conference&lt;/a&gt; (EIC), context, as part of a well thought out risk-based access management system, is what we need. Some use the phrase &#x201c;adaptive authentication&#x201d; to mean, in essence, a dynamic authentication which may require one, two or more factors depending on the circumstances. Still, this is really just one part of risk-based access control. It&#x2019;s unfortunate that RBAC has come to mean Role-based AC, so we&#x2019;ll need to come up with a different term &#x2013; perhaps Risk Managed Access Control (RMAC).&lt;/p&gt;
&lt;p&gt;The authentication continues as we&#x2019;ve always done it &#x2013; username/password, token, biometric, what-have-you, singly or in combination &#x2013; but we collect context data (location, platform, date and time, and so on) and evaluate it giving it a risk metric. Alternatively we could use the inverse and call this a &#x201c;trust metric&#x201d; &#x2013; the amount of trust we have in the validity of the identity of the person attempting the authentication. Based on that metric, we grant authorization on a sliding scale, which can be as fine-grained as your rules engine will allow.&lt;/p&gt;
&lt;p&gt;We aren&#x2019;t there yet, but we need to be. The presentations at this month&#x2019;s EIC can bring us closer. You really should be there.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/hPdQZi-FaUg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 06 May 2013 09:39:10 +0200</pubDate>
			<title>10.05.2013: The Common Credentials Dilemma – how to get a grip on password sprawl for privileged accounts</title> 
			<link>http://www.kuppingercole.com/events/n10149</link> 
			<guid>http://www.kuppingercole.com/events/n10149</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; A lot of organizations still have not mitigated one of the most severe IT security risks: Password sprawl for privileged accounts. Privileged accounts are accounts that have elevated privileges. They can be both personal, such as business users with high-level privileges, and shared, such as administrator, dba, or root – not to speak of all the admin accounts of network equipment etc. Unfortunately, a large portion of accounts with highly elevated privileges is shared. To manage these...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/events/n10149"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/Wr0RzPj4bxk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 01 May 2013 11:41:32 +0200</pubDate>
			<title>The FIDO Alliance &#x2013; game changer for Internet Security?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/05/01/the-fido-alliance-game-changer-for-internet-security/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/05/01/the-fido-alliance-game-changer-for-internet-security/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Last week, &lt;a href="http://www.engadget.com/2013/04/24/google-joins-fido-alliance-board-support-oepn-two-factor-authentication-standard/"&gt;Google announced&lt;/a&gt; that it has joined the &lt;a href="http://fidoalliance.org/"&gt;FIDO Alliance&lt;/a&gt;. FIDO stands for Fast Identity Online. The alliance was formed in July 2012. The mission is to change the nature of online authentication by providing interoperability among strong authentication devices. The alliance is working on specifications for an open, scalable, interoperable set of mechanisms that allow secure authentication of users to online services without the need for passwords for each of these services. It wishes to become a standard that allows using both existing and future strong authentication devices (those that support the FIDO standard), in an interoperable way.&lt;/p&gt;
&lt;p&gt;This is in fact about &#x201c;versatile authentication&#x201d; from scratch, enabled in any device. Currently, many organizations are investing in versatile authentication technology that allows them to flexibly change and combine different authentication mechanisms. With FIDO, that could become a standard.&lt;/p&gt;
&lt;p&gt;Users can use a choice of different mechanisms for strong authentication, including hardware tokens, embedded hardware such as TPMs (Trusted Platform Modules), biometrics, etc. The website will recognize the devices as &#x201c;FIDO devices&#x201d; and enable them. Once a strong authentication device is connected to a site, it can be used the same way it has always been used.&lt;/p&gt;
&lt;p&gt;FIDO requires a browser plugin, which is the simple part of the story. It also requires a device-specific module that must be installed to use the &#x201c;FIDO authenticator&#x201d;, i.e. the strong authentication device of choice. The website or online service must also support FIDO.&lt;/p&gt;
&lt;p&gt;Success of FIDO will depend on two factors. There must be a critical mass of online services supporting FIDO. Given that several large service providers already are members of the FIDO alliance, that might happen. Secondly, there is the need for a critical mass of users that use strong authentication devices with FIDO support. The challenge in that area will be a simple enablement of FIDO through browser-plugins (even better if they are pre-installed) and especially the availability and simple deployment of device-specific modules.&lt;/p&gt;
&lt;p&gt;On the other hand there clearly is the question of whether FIDO will gain sufficient support and acceptance amongst the vendors. What will the vendors of strong authentication devices do? What will the vendors of versatile authentication platforms do? And what will the providers of online authentication services do?&lt;/p&gt;
&lt;p&gt;From my perspective FIDO could help all of them. It provides the opportunity for &#x201c;strong authentication for the masses&#x201d;, for a ubiquitous approach that works for everyone, with flexible choice of strong authentication devices. The providers of Versatile Authentication Platforms can still provide the server-side interfaces, but with more flexibility in supporting different devices. And providers of online authentication services can still act as brokers and service providers &#x2013; for many online services that will remain the better choice than direct support for FIDO. There might even be services that are brokers for &#x201c;non-FIDO clients&#x201d; and act as FIDO clients.&lt;/p&gt;
&lt;p&gt;Overall, there is a good potential for the FIDO Alliance, despite the fact that it requires the installation of a client component. I greatly appreciate everything that makes the Internet more secure. I will closely watch the progress of the FIDO Alliance. However, I have seen so many concepts in that area that I would not bet on their success.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/SVTmTu-e_LU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 30 Apr 2013 14:55:02 +0200</pubDate>
			<title>Product Report: Beta Systems Software AG SAM Enterprise Identity Manager - 70274</title> 
			<link>http://www.kuppingercole.com/report/productreportbetasystems_samenterpriseim702743042013</link> 
			<guid>http://www.kuppingercole.com/report/productreportbetasystems_samenterpriseim702743042013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;SAM Enterprise Identity Manager from Beta Systems Software AG (Beta Systems) belongs to the category of enterprise provisioning systems with integrated access governance functions. Its core function is to reconcile identity information among different access control systems based on defined processes and connectors in a structured, automated and traceable manner. It also supports common provisioning features such as the implementation of workflows for request and approval procedures, user...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/productreportbetasystems_samenterpriseim702743042013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/hbeULbusfOM" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 30 Apr 2013 12:49:37 +0200</pubDate>
			<title>Product Report: Microsoft FIM 2010 R2 - 70106</title> 
			<link>http://www.kuppingercole.com/report/productreportmicrosoftfim701063042013</link> 
			<guid>http://www.kuppingercole.com/report/productreportmicrosoftfim701063042013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;In 1999 Microsoft entered the Identity and Access Management space with the introduction of Active Directory in Windows NT and the purchase of Zoomit Via which was renamed to Microsoft Metadirectory Server (MMS). MMS was eventually retired and Microsoft re-wrote the system from ground up and named it Microsoft Identity Integration Server 2003 (MIIS) with one of the major changes being the support of the .NET framework. In 2007 MIIS was combined with the Certificate Lifecycle Manager (CLM)...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/productreportmicrosoftfim701063042013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/5g24mBs42V4" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 30 Apr 2013 10:15:52 +0200</pubDate>
			<title>Benutzer- und Berechtigungsmanagement für den Mittelstand leicht gemacht</title> 
			<link>http://www.kuppingercole.com/watch/benutzer-und-berechtigungsmanagement</link> 
			<guid>http://www.kuppingercole.com/watch/benutzer-und-berechtigungsmanagement</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; Das Benutzer- und Berechtigungsmanagement ist ein Thema für Unternehmen jeder Größenordnung. Während große Unternehmen meist schon seit längerer Zeit den Schritt hin zu einer zentralen Infrastruktur für IAM (Identity and Access Management) gemacht haben, ist die Situation im Mittelstand häufig noch durch das Fehlen einer Gesamtlösung geprägt. Systeme wie das Active Directory, SAP, Produktionssysteme und andere wichtige Business-Systeme werden unabhängig voneinander verwaltet. Das Risiko für d...&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/benutzer-und-berechtigungsmanagement"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/benutzer-und-berechtigungsmanagement/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/benutzer-und-berechtigungsmanagement"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/cPEj-UaPZkI" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 30 Apr 2013 10:06:39 +0200</pubDate>
			<title>Smarter Security Spending</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/04/30/smarter-security-spending/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/04/30/smarter-security-spending/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;On Thursday, I was moderating a panel discussion at &lt;a href="http://www.infosec.co.uk/"&gt;infosecurity Europe (InfoSec)&lt;/a&gt;, the leading UK security fair, which hosts a program of keynotes and panel discussions. My panel was titled &#x201c;Smarter security spending: Optimising spend without exposing the business&#x201d;. Panelists were Dragan Pendi&#x107;, Chief Security Architect, Global Information Management and Security, at Diageo; Michelle Tolmay, Security Officer, ASOS; Cal Judge, Information Security Head, Oxfam; and Graham McKay, CISO, DC Thomson.&lt;/p&gt;
&lt;p&gt;We had a very interesting, well-attended session with some interesting questions during the Q+A following the panel discussion. Key take-aways for smarter security spending we came upon during the discussion were&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;People&lt;/li&gt;
&lt;li&gt;Common Language&lt;/li&gt;
&lt;li&gt;Risk&lt;/li&gt;
&lt;li&gt;Big Picture&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Getting the users on board was one of the most important themes of the discussion. Without increasing involvement and understanding of people for Information Security, it is hard to get the buy-in and support you need, from both management and the end users. This is an important element within what KuppingerCole calls &lt;a href="http://www.kuppingercole.com/report/admsdk_informationstewardship70587301112"&gt;Information Stewardship&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Involvement of people is tightly related to the need of a common language &amp;#8211; talking in business terms instead of tech talk. Information Security is about the I in IT, not primarily the T &#x2013; business is interested in protecting information, not technology. The latter is just a means to protect information.&lt;/p&gt;
&lt;p&gt;For that common language, the concept of &#x201c;risk&#x201d; is of central importance. Business thinks in risks. Managers are used to basing their decisions on risk. Mitigating and taking risks is part of their daily job. Risks also help in moving IT from the role of the notorious naysayer to the business enabler. If business requests a service, instead of pointing at all the technical challenges and no-gos, it is better to show some options, their benefits, their cost, and the associated risks. That enables the business to make informed decisions.&lt;/p&gt;
&lt;p&gt;Risk, on the other hand, is the foundation for smart spending when investing in Information Technology &#x2013; the T in IT. Understanding the risk mitigation impact of such technology and the benefit for the business helps in making better decisions. It helps in moving from point solutions and decisions made in &#x201c;panic mode&#x201d; after an incident towards structured, well-thought-out decisions based on the best risk/reward ratio (RRR). This always includes understanding the big picture &#x2013; how do new solutions fit into the bigger picture? Smart spending requires a smart balance between defining and understanding the big, strategic picture and tactical steps towards this that provide the best RRR.&lt;/p&gt;
&lt;p&gt;To learn more about that, join us at &lt;a href="http://www.id-conf.com"&gt;EIC 2013&lt;/a&gt; &#x2013; the European Identity and Cloud Conference, Munich, May 14&lt;sup&gt;th&lt;/sup&gt;-17&lt;sup&gt;th&lt;/sup&gt;. Starting with my opening keynote, the topics discussed in that Infosec panel will play an important role throughout the entire conference.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/a13qfZio9o4" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 29 Apr 2013 11:56:03 +0200</pubDate>
			<title>What happened recently in Security?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/04/29/what-happened-recently-in-security-4/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/04/29/what-happened-recently-in-security-4/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;The number one issue in the past weeks is the LivingSocial hack, where attackers &lt;a href="http://news.cnet.com/8301-1009_3-57581718-83/livingsocial-hacked-50-million-affected/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;reportedly&lt;/a&gt; have stolen massive amounts of personal data, including names, eMail addresses, birthdates, and encrypted passwords. LivingSocial has confirmed an attack, but not the reported number of 50 million stolen data sets &#x2013; which would be the vast majority of all LivingSocial users.&lt;/p&gt;
&lt;p&gt;However, there still is relatively little information about the details. It is still unclear whether all non-Asian accounts are actually affected. (LivingSocial holds the Asian accounts on another server.) It is not publicly known how the passwords have been encrypted and thus it remains unclear to what extent the attackers might use them for subsequent attacks on other websites. Fortunately, it appears that the credit card information of the LivingSocial users is held in separate databases and is not affected by the attack.&lt;/p&gt;
&lt;p&gt;Given that this sort of attack against large sites happens regularly, the question becomes what lessons are learned and what defenses should be taken. The lessons for the companies running such sites clearly are to invest in security, for both protection and monitoring. However, successful attacks will happen and, in contrast to some former incidents at other sites, LivingSocial at least encrypted the passwords and used a separate database for credit card information.&lt;/p&gt;
&lt;p&gt;For the users, the answer is also straightforward: raise the bar for authentication. Reconsider using sites and services if they do not provide options for stronger authentication such as (good) &lt;a href="http://news.cnet.com/8301-1009_3-57581718-83/livingsocial-hacked-50-million-affected/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;2FA approaches&lt;/a&gt;. Clearly using different hard-to-guess passwords is an option, but that is fairly inconvenient &#x2013; my colleague Craig Burton once stated that you do not have such thing as a password muscle you can simply strengthen by training.&lt;/p&gt;
&lt;h3&gt;FIDO Alliance and Google&lt;/h3&gt;
&lt;p&gt;Another interesting bit of news is the uptake of the FIDO Alliance. Google now is also a member of this alliance and there is some chance that the FIDO Alliance might gain sufficient momentum to become a success. I will cover this in a separate upcoming blog post.&lt;/p&gt;
&lt;h3&gt;Reported number of attacks&lt;/h3&gt;
&lt;p&gt;During the past few weeks, several companies such as Symantec, IBM (X-Force Report), or Akamai have published their security reports talking about the observed number of attacks. I found two actually interesting aspects in these numbers. One is that the numbers are highly inconsistent. Some companies report massive increases in attacks, others some decrease at least for certain types of attacks.&lt;/p&gt;
&lt;p&gt;The other interesting finding is one in the &lt;a href="http://www.symantec.com/security_response/publications/threatreport.jsp?om_ext_cid=biz_socmed_twitter_facebook_marketwire_linkedin_2013Apr_worldwide_ISTR18"&gt;Symantec Internet Security and Threat Report 2013&lt;/a&gt;. The report says that the number of targeted attacks increased by 42 percent. This number stands for a shift towards industrial espionage, with small business being affected in 31 percent of those attacks. Direct attacks differ from the large-scale phishing attacks in that the attackers are looking for specific data or to cause concrete harm against specific targets, instead of just trying to phish as much data from their rather anonymous victims.&lt;/p&gt;
&lt;h3&gt;Data Broker Acxiom to sell data back to real owners?&lt;/h3&gt;
&lt;p&gt;You may not have heard of &lt;a href="http://www.acxiom.com/"&gt;Acxiom&lt;/a&gt;, a company that describes itself as an &#x201c;enterprise data, analytics and software as a service company&#x201d; that is &#x201c;known worldwide for our marketing database and consumer data&#x201d;. There was a &lt;a href="http://news.cnet.com/8301-1009_3-57578897-83/data-broker-acxiom-to-reveal-what-it-knows-about-you/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;report&lt;/a&gt; that Acxiom plans to introduce a service that allows individuals to reveal the information Acxiom knows about them. In Germany, such services are mandated by law. For instance Schufa, a company that provides information about financial creditworthiness, offers such a service. This is considered a part of your fundamental rights, in that case the &#x201c;right for informational self-determination&#x201d;.&lt;/p&gt;
&lt;p&gt;Making a business out of this is a somewhat strange thing from a European perspective. In fact what Acxiom is said to plan is that people have to pay to learn about their data. The fundamental difference here obviously is whether &#x201c;data about you&#x201d; is &#x201c;your data&#x201d; per se or not.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/YXH6A8hTOu4" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 26 Apr 2013 12:40:00 +0200</pubDate>
			<title>Product Report: Qiy Independent Trust Framework - 70640</title> 
			<link>http://www.kuppingercole.com/report/productreportqiyind_706402642013</link> 
			<guid>http://www.kuppingercole.com/report/productreportqiyind_706402642013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;The ongoing trend of IT consumerization driven by growing adoption of mobile, social and cloud computing has made a profound impact on our society. It has brought many new challenges for both consumers and businesses, which are now struggling to adapt to the new demands for storing, sharing, and processing sensitive digital information and to comply with increasingly harsh privacy-related regulations. An emerging revolutionary trend that is turning the Internet upside down and making...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/productreportqiyind_706402642013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/JlsrLh-YMeA" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 26 Apr 2013 12:28:10 +0200</pubDate>
			<title>Executive View: ServiceMesh Agility Platform - 70639</title> 
			<link>http://www.kuppingercole.com/report/executiveview_servicemesh_706392642013</link> 
			<guid>http://www.kuppingercole.com/report/executiveview_servicemesh_706392642013</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p class="DefaultText"&gt;ServiceMesh is a company out of Santa Monica, CA that fields a platform in the category of Enterprise Cloud Management, and places a heavy emphasis on policy-based cloud governance. This is a relatively new category and in particular the focus on &amp;ldquo;Enterprise Cloud Governance&amp;rdquo; needs some explaining. KuppingerCole agrees with the interpretation ServiceMesh uses for Governance in the classic sense of IT Governance.&lt;/p&gt;
&lt;p class="DefaultText"&gt;IT Governance is...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/executiveview_servicemesh_706392642013"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/_GIkn8f9MGI" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 25 Apr 2013 11:00:19 +0200</pubDate>
			<title>Vendor Report: Atos DirX - 70741</title> 
			<link>http://www.kuppingercole.com/report/vendorreport_atosdirx_7074125413</link> 
			<guid>http://www.kuppingercole.com/report/vendorreport_atosdirx_7074125413</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Atos is one of the largest IT Service Providers worldwide, with more than 70.000 employees and global reach. Following the acquisition of Siemens IT Solutions and Services (SIS), the company changed its name from Atos Origin to just Atos. The company is listed on the Paris Stock Exchange.&lt;/p&gt;
&lt;p&gt;This vendor report focuses on a specific part of the Atos portfolio, the DirX products. These are part of the Systems Integration division at Atos and within that division grouped into the...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/vendorreport_atosdirx_7074125413"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ysd1R4ziJf8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 25 Apr 2013 08:20:51 +0200</pubDate>
			<title>Bridging (the gap between) Access Governance and Privileged User Management… and they lived happily ever after!</title> 
			<link>http://www.kuppingercole.com/watch/bridging_ag_pxm</link> 
			<guid>http://www.kuppingercole.com/watch/bridging_ag_pxm</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; Access Governance (modeling a desired state, then detecting and remediating risks deriving from any deviation from such a model) and Privileged User Management (controlling the activity of the SysAdmins, operating at the system level) have been historically taught as a single mantra within Identity Management lectures, but ultimately treated as different technologies and implementation projects.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/bridging_ag_pxm"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/bridging_ag_pxm/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/bridging_ag_pxm"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/9UEqw21gCig" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 24 Apr 2013 21:00:57 +0200</pubDate>
			<title>More Consolidation for the API Economy</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/04/24/more-consolidation-for-the-api-economy/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/04/24/more-consolidation-for-the-api-economy/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;CA Technologies acquires Layer 7, MuleSoft acquires Programmable Web, 3Scale gets funding&lt;/p&gt;
&lt;p&gt;It is clear that the API Economy is kicking into gear in a big way. Last week, Intel announced its acquisition of Mashery, this week, CA Technologies announced its &lt;a href="http://www.theregister.co.uk/2013/04/22/ca_layer7_api_management/"&gt;acquisition of Layer7&lt;/a&gt; , MuleSoft announced its acquisition of &lt;a href="http://www.nbcnews.com/id/51630930/ns/business-press_releases/#.UXdlALUm13U"&gt;ProgrammableWeb&lt;/a&gt; and &lt;a href="http://gigaom.com/2013/04/24/3scale-gets-4-2m-to-help-companies-manage-their-apis/"&gt;3Scale closed a round of funding for 4.2M.&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Money is flooding into the API Economy as the importance of APIs only heightens. Expect this trend to continue.&lt;/p&gt;
&lt;p&gt;The upside of this flurry of activity is the focus being given to the API Economy.&lt;/p&gt;
&lt;p&gt;But here is my assessment.&lt;/p&gt;
&lt;p&gt;CA&#x2019;s acquisition of Layer7 doesn&#x2019;t necessarily bode well for Layer7 or its customers. CA as a large vendor will probably take longer than Layer 7 would do independently for defining and delivering on the roadmap, but they might put far more power behind such roadmap and its execution. Layer7 needs an upgrade and needs to move to the cloud. CA has a clear Cloud strategy it executes on &#x2013; look at IAM and Service Management where a large portion of the products is available as cloud service; there is a strong potential for CA putting far more pressure behind the required move of Layer 7 to the cloud. Let&#x2019;s see what happens there.&lt;/p&gt;
&lt;p&gt;MuleSoft&#x2019;s acquisition of ProgrammableWeb is a little weird. John Musser is an independent, well-spoken representative of the API Economy. MuleSoft has an agenda with its own platform. Does MuleSoft let Musser continue to be an independent spokesperson? Where does this lead? All answers unknown.&lt;/p&gt;
&lt;p&gt;3Scale gets a round of funding for 4.2M. It plans to add more extensions to the product and grow its international distribution with the funds.&lt;/p&gt;
&lt;p&gt;Lots of activity here. Curious to see what happens next.&lt;/p&gt;
&lt;p&gt;However, one thing is clear: The API Economy is going mainstream.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/JQ1IOyKJqk0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 23 Apr 2013 13:38:40 +0200</pubDate>
			<title>More Unsmart Infrastructures</title> 
			<link>http://blogs.kuppingercole.com/resch/2013/04/23/more-unsmart-infrastructures/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2013/04/23/more-unsmart-infrastructures/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/resch"&gt;Joerg Resch&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;In my last post I mentioned the motor driven door locks I have at my home. A frequent question I get from friends visiting me is whether that doorlock system, which works with pincodes, RFID, remote controls and over the Internet, is connected to the KNX/EIB bus system I also have in my house to control lights, shutters, air circulation, music and some other features. And the answer is no. Because, no joke, EIB/KNX, which seems to be the most widespread &amp;#8220;standard&amp;#8221; for home automation, does not provide any security feature. No encryption, no authentication. If you get access to the 2 wires of a bus, then you can control anything which is connected to it.&lt;/p&gt;
&lt;p&gt;Luckily, EIB/KNX installations are so incredibly expensive (my installation is a DIY one), that it will never spread on a large scale&amp;#8230;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/FblCCXZ2Cac" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 23 Apr 2013 13:29:12 +0200</pubDate>
			<title>Unsmart Infrastructures</title> 
			<link>http://blogs.kuppingercole.com/resch/2013/04/23/unsmart-infrastructures/</link> 
			<guid>http://blogs.kuppingercole.com/resch/2013/04/23/unsmart-infrastructures/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/resch"&gt;Joerg Resch&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;My colleague Martin Kuppinger &lt;a href="http://blogs.kuppingercole.com/kuppinger/2013/03/27/do-we-really-want-an-unsecured-connected-vehicle/"&gt;recently&lt;/a&gt; (and &lt;a href="http://blogs.kuppingercole.com/kuppinger/2010/03/25/is-an-insecure-smart-planet-really-smart/"&gt;quite a while ago&lt;/a&gt;) has posted some critical &lt;a href="http://blogs.kuppingercole.com/kuppinger/2012/10/16/us-defense-secretary-panetta-and-the-cyber-pearl-harbor/"&gt;articles&lt;/a&gt; on smart infrastructures in his blog. Yes, security is a big issue there. However, it is not only about security in these more or (in most cases) less smart infrastructures. It is also about making these infrastructures work at all and, last but not least, feasible for a large audience.&lt;/p&gt;
&lt;p&gt;In my home, which is a so-called passive house (well insulated, large, south-facing windows for passive solar heating, saving 98.5% of heating energy compared to a standard building&amp;#8230;) I have a smart meter. I have solar panels on my roof and the sun also is producing the warm water. Altogether, the house is producing more energy than we are consuming, so that we can sell electric energy back to the supplier during the day. The utility company, which had to install such smart meters by law, would not have done that if I had not insisted on doing that. And I know now why.&lt;/p&gt;
&lt;p&gt;Because the utility company is not able to &#x201c;meter smartly&#x201d;. During the past few weeks we had repeated visits by their employees trying to collect the data the smart meter has collected. They are using the human interface between their central and my house with somebody making an appointment and then visiting me, bringing along some small device for infrared for communication between the smart meter and his own mobile device. That infrared device then should send the data via Bluetooth to an iPhone app. So the interface looks like this: phone-appointment &amp;#8212; car &amp;#8212; walk &amp;#8212; doorbell &amp;#8212; visiting the smartmeter &amp;#8212; attaching the infrared device to the smart meter &amp;#8212; waiting with the iPhone in hands until something happens &amp;#8212; and waiting &amp;#8212; and waiting &amp;#8212; and back to start. This obviously is a perfect mix of unsecure devices and unsecure and inefficient communication standards and processes.&lt;/p&gt;
&lt;p&gt;However, the risk is limited given that it just does not work. The utility company&#x2019;s employees were waiting for minutes in front of the smart meter, hoping that something would show up in their app. That did not happen. Nor were they able to manually read the data from the smart meter, because they just had no clue what the different values shown on the smart meter&#x2019;s display are about. Eh &amp;#8212; I didn&#x2019;t mention this before &amp;#8212; it is more than one smart meter. We have a separate one for the solar energy we sell to the utility, and we have one that counts the solar energy we use ourselves. But those meters are read by a different person, and not together with the reading of the meter measuring the inbound energy consumption.&lt;/p&gt;
&lt;p&gt;Now, luckily enough, I have a door with a motor lock at my home, which I can operate remotely through my Windows Phone, so that I don&#x2019;t necessarily need to be at home when somebody from the local utility company makes an appointment (or just rings the doorbell). Until the day I got these smart meters in my home, I thought that they were built to be connected and read remotely. But this is not the case. The meter would be able to, but obviously the infrastructure for accessing those meters remotely does not exist. And also, having experienced the skill level of the person operating the reading device, it probably is better for me if the utility doesn&#x2019;t even try to remotely connect to my meters. Being smart is definitely something different. And no one needs to wonder why I&#x2019;m the only one in my neighborhood with a smart meter.&lt;/p&gt;
&lt;p&gt;This story and the topic of smart metering are not only about security. It is about building an infrastructure that works smart. It is about having smart, well-educated, and informed employees who can handle that new infrastructure. Both the security problems and the lack of usability are symptoms of a horribly planned entry into smart infrastructures. This is probably one of the very big misses over here in Europe and the main reason why we are now entering a period of ultra-high hacking damages &#x2026;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/F6TqJvCEeKM" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 23 Apr 2013 09:48:10 +0200</pubDate>
			<title>Consumers, credentials and context</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/04/23/consumers-credentials-and-context/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/04/23/consumers-credentials-and-context/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Larry Ponemon, of the &lt;a href="http://www.ponemon.org/"&gt;Ponemon Institute&lt;/a&gt;, is well known for excellent surveys about technology issues. And Larry didn&#x2019;t disappoint when he recently released &#x201c;&lt;a href="http://www.ponemon.org/local/upload/file/NokNokWP_FINAL_3.pdf"&gt;Moving Beyond Passwords: Consumer Attitudes on Online Authentication, A Study of US, UK and German Consumers&lt;/a&gt;&#x201d; (warning: pdf file).&lt;/p&gt;
&lt;p&gt;In summary, the report of the survey concludes:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&#x201c;The majority of consumers would use a multi-purpose identity credential to verify who they are before providing secure access to data, systems and physical locations.&lt;/li&gt;
&lt;li&gt;Banking institutions are considered the best for online validation and strong authentication and identity verification. Consumers in all countries believe banks would be the best to issue and manage a multi-purpose identity credential.&lt;/li&gt;
&lt;li&gt;The benefits of a multi-purpose identity credential are convenience (US &amp;amp; UK consumers) and security (German consumers). Identification and authentication when traveling, accessing the Internet and using social networks are the most popular reasons to have single ID.&lt;/li&gt;
&lt;li&gt;There is no clear consensus on what devices would be preferred to manage their multipurpose identity credential. However, in the US more consumers would prefer their mobile devices for identification purposes. In the UK, it is RFID chips. German consumers seem to favor biometrics.&lt;/li&gt;
&lt;li&gt;If consumers trust the organization, biometrics is acceptable to use for authentication.&lt;/li&gt;
&lt;li&gt;Voice recognition and facial scan are the most acceptable types of biometric authentication. Least acceptable in the US and UK is an iris scan. In Germany, least favored are fingerprints.&lt;/li&gt;
&lt;li&gt;Authentication is important when sharing devices with other users. The majority of consumers believe it is important to have authentication that securely verifies their identity on devices that are shared with other (multiple) users.&#x201d;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So what we&#x2019;re seeing here is that users favor stronger authentication, but also easier-to-use authentication (thus the preferences for mobile devices, RFID and biometrics as opposed to passwords). There&#x2019;s also a strong feeling that the identity provider should be trustworthy, or be seen as trustworthy: &#x201c;Industries and organizations considered by consumers in all three countries as most trustworthy to safely issue and manage a multi-purpose identity credential are: banking institutions, credit card and Internet payment providers, telephone, wireless or cable services companies, healthcare providers and postal and delivery services. Least trusted are educational institutions, Internet service providers and retailers.&#x201d;&lt;/p&gt;
&lt;p&gt;The bottom line appears to be that users are looking for ease-of-use coupled with security and trust and these are exactly the issues we will be exploring next month at the European Identity &amp;amp; Cloud Conference (&lt;a href="http://www.id-conf.com/"&gt;EIC&lt;/a&gt;). In particular, I&#x2019;ll be moderating a track on Authentication &amp;amp; Authorization featuring a detailed look at &#x201c;&lt;a href="http://www.id-conf.com/sessions/1118"&gt;Versatile Authentication, Risk- and Context-Based Authentication: Why you need these Concepts&lt;/a&gt;&#x201d;. Risk-based Access Control  using context is a subject near and dear to my heart. It appears to be what the consumers in Ponemon&#x2019;s survey are groping towards, without being able to articulate exactly what they want. It&#x2019;s also something that seems to be gaining more traction in the marketplace, at least if I can judge by what I&#x2019;m reading lately.&lt;/p&gt;
&lt;p&gt;Chris Zannetos, CEO of Courion, recently wrote a blog post called &#x201c;&lt;a href="http://blog.courion.com/access_risk_management_blog/bid/96121/Context-is-Everything"&gt;Context is everything&lt;/a&gt;&#x201d;. In this look at what he calls &#x201c;security intelligence,&#x201d; Zannetos says:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;&lt;i&gt;The activity and traffic monitors such as SIEM and deep packet inspection products have been looking at streams of information flows without the context to make sense of them. This is a bit like analyzing a baseball game by looking only at the types of pitches and result (hit, walk, out) &#x2014; without understanding who is pitching, who is up to bat, what their past patterns have been, the ballpark, or the weather. In other words, the &#x2018;Moneyball&#x2019; factor has been missing.&#x201d;&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;&amp;lt; for my non-North American readers, substitute &#x201c;football&#x201d; (or &#x201c;futbol&#x201d;) for &#x201c;baseball&#x201d;&amp;gt;&lt;/p&gt;
&lt;p&gt;And, of course, context is about more than a single packet &#x2013; it&#x2019;s the Who, What, When, Where, Why, and How of a transaction. Chris even alludes to a deeper context &#x2013; the history of the context of similar transactions, which should be included in the analysis much like a &lt;a href="http://en.wikipedia.org/wiki/Bayesian_spam_filtering"&gt;Bayesian spam filter&lt;/a&gt; is used with email.&lt;/p&gt;
&lt;p&gt;The second piece I read about context was from Jeff Rosenberg, a technical instructor in the Client Services group at Ping Identity. He didn&#x2019;t use the word &#x201c;context&#x201d; in his blog entry called &#x201c;&lt;a href="https://www.pingidentity.com/blogs/support/2013/04/identity-as-a-rental-idaar.html"&gt;Identity as a Rental (IDaaR)&lt;/a&gt;,&#x201d; but he did describe context-based authentication when he wrote:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;&lt;i&gt;Did the user authenticate via password, certificate or one-time code? Is this user within the corporate network or coming in externally? Which training level or security clearance is required? Perhaps attribute-level permission is involved, such as LDAP group membership. When these questions are satisfied, the user checks out and the service is provided.&#x201d;&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Rosenberg then goes on to talk about the short-term use of particular attributes which are appropriate for the context of a given transaction, but that&#x2019;s more appropriate for KuppingerCole&#x2019;s discussions of &lt;a href="http://blogs.kuppingercole.com/kearns/2012/05/21/back-to-the-digital-future/"&gt;Life Management Platforms&lt;/a&gt;, another subject that will be &lt;a href="http://www.id-conf.com/vtracks/7"&gt;well covered&lt;/a&gt; at EIC next month.&lt;/p&gt;
&lt;p&gt;Context, as a contributor to Risk-based Access Control, as collected for SIEM and for packaging identity attributes for short-term use is definitely a winner. And it is readily &#x2013; and easily &#x2013; available to most of you who use some form of SAML-based authentication/authorization system. You might wish to read (if you&#x2019;ve nothing else to do right now) &#x201c;&lt;a href="http://docs.oasis-open.org/security/saml/v2.0/saml-authn-context-2.0-os.pdf"&gt;Authentication Context for the OASIS Security Assertion Markup Language (SAML) V2.0&lt;/a&gt;&#x201d; (another PDF file), all 70 pages of it.&lt;/p&gt;
&lt;p&gt;But for today, the introduction should be sufficient: &#x201c;If a relying party is to rely on the authentication of a principal by an authentication authority, the relying party may require information additional to the assertion itself in order to assess the level of confidence they can place in that assertion. This specification defines an XML Schema for the creation of Authentication Context declarations &amp;#8211; XML documents that allow the authentication authority to provide to the relying party this additional information. Additionally, this specification defines a number of Authentication Context classes; categories into which many Authentication Context declarations will fall, thereby simplifying their interpretation.&#x201d; In other words, this is a way to provide context to the transaction. Once you take context into account, allowing a simple, easy-to-use factor (password, fingerprint, hardware token, etc.) is no longer a problem. Guessing someone&#x2019;s password doesn&#x2019;t give an attacker the context in which that password is normally used, and the mismatch thus raises the risk score for that transaction.&lt;/p&gt;
&lt;p&gt;We have the tools, all we need is the effort to provide more secure, yet easy-to-use authentication ceremonies. What&#x2019;s stopping us? Let&#x2019;s talk about that at &lt;a href="http://www.id-conf.com/eic2013"&gt;EIC&lt;/a&gt; next month in Munich.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/57Atsr0KU14" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 23 Apr 2013 05:36:02 +0200</pubDate>
			<title>Intel Announces Mashery Acquisition</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/04/23/intel-announces-mashery-acquisition/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/04/23/intel-announces-mashery-acquisition/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;From partnership to acquisition Let there be no confusion. Intel is a hardware company. It makes microchips. This is its core business. History shows that companies do best when they stick to their roots. There are exceptions. At the same time, Intel has always dabbled in software at some level. Mostly in products that support the chip architecture. Compilers, development tools and debuggers. From time to time, however, Intel ventures into the software business with more serious intentions. Back in 1991, Intel acquired LAN Systems in attempt to get more serious into the LAN utility business. This direction was later abandoned and Intel went back to its knitting as a chip vendor. Recently, Intel has started again to be serious about being in the software business. Its most serious foray was with the purchase of McAfee in 2010 to the tune of some 7.6 billion. A pretty serious commitment. We wrote recently about Intel&#x2019;s intent to be a serious player in the Identity Management business with its composite platform &lt;a href="http://blogs.kuppingercole.com/burton/2013/03/18/the-faade-proxy/"&gt;Expressway API management.&lt;/a&gt; With that approach, Intel was clear that it had an &#x201c;investment&#x201d; in Mashery that would remain an arm&#x2019;s length relationship best supporting the customer and allowing maximum flexibility for Mashery. In general, I like this approach better than an acquisition. Acquisitions by big companies of little companies are don&#x2019;t always turn out for the best for anyone. Since then, it is clear that Intel management has shifted its view and thinks that outright ownership of Mashery is a better plan. While we agree that outright ownership can mean more control and management of direction, it can also mean the marginalization of and independent group that could possibly act more dynamically on its own. 
It is still too early to tell exactly how this will turn out for Intel and its customers; it will be important to watch and see how the organization is integrated into the company.&lt;/p&gt;
&lt;div class="wlWriterHeaderFooter" style="margin: 0px; padding: 0px 0px 0px 0px;"&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UbBdmr09TlQ" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 19 Apr 2013 17:00:27 +0200</pubDate>
			<title>The Dark Side of Cloud Computing</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/04/19/the-dark-side-of-cloud-computing/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/04/19/the-dark-side-of-cloud-computing/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;When things go bad, it goes really bad&lt;/p&gt;
&lt;p&gt;At KuppingerCole we use Office365 extensively to manage our documents and keep track of document development and distribution.&lt;/p&gt;
&lt;p&gt;On April 9, 2013, Microsoft released a normal-sized Tuesday update to Windows and Office products. The only thing is, this time the update completely broke the functionality of Office 365 and Office 2013. Trying to open a document stored in SharePoint would result in a recursive dialogue box asking you to authenticate to the SharePoint server. The same thing would happen when trying to upload a document. Excel and PowerPoint documents had the same problem.&lt;/p&gt;
&lt;p&gt;Going to the Office365 forum resulted in a bevy of customers complaining about the problem. A Microsoft tech support person was offering possible solutions, all of which were just time wasters and solved nothing.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;First, please run desktop setup by following &lt;a href="http://onlinehelp.microsoft.com/en-us/office365-smallbusinesses/ff637537.aspx"&gt;Set up your desktop for Office 365&lt;/a&gt;&lt;br /&gt;
If the issue persists, please remove saved login credentials from the Windows credential manager and then sign into the MS account.&lt;br /&gt;
&lt;a href="http://windows.microsoft.com/en-IN/windows7/Store-passwords-certificates-and-other-credentials-for-automatic-logon"&gt;http://windows.microsoft.com/en-IN/windows7/Store-passwords-certificates-and-other-credentials-for-automatic-logon&lt;/a&gt;&#x201d;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Finally, two days later a customer posted a solution.&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;KB2768349 is definitely the culprit. I uninstalled this on Windows RT and login worked again across all Office 2013 RT apps. Reinstalling broke it. Uninstalling again fixed it.&lt;br /&gt;
Replicated on my Windows 8 desktop with Office 2013.&lt;br /&gt;
For the time being I have hidden KB2768349 from Windows Update until this is fixed.&#x201d;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;As soon as I deleted the KB2768349 update the problem went away. I also learned what &#x201c;hiding&#x201d; an update entails.&lt;/p&gt;
&lt;p&gt;For those of you dying to know, here is how you fix this thing.&lt;/p&gt;
&lt;p&gt;&lt;i&gt;control panel&amp;gt;windows update&amp;gt;view update history&amp;gt;installed updates&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;Scroll down thru the Office 2013 updates until you find KB2768349. Select and then uninstall.&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Of course, once you uninstall an update, it&#x2019;s going to show up again and try to reinstall. The way you prevent this is to &#x201c;hide&#x201d; the update so it doesn&#x2019;t keep showing up. To hide an update, you open Windows Update, right-click the update you want to hide and select &#x201c;hide update.&#x201d; There you go.&lt;/p&gt;
&lt;p&gt;So for two days the normal operation of Office365 was frustratingly broken. Now this was not just for me and my colleagues, but for everyone on the planet that used Office365 and installed these updates. At the same time, the fix applies to everyone on the planet using Office365 as well. In other words, critical apps in the cloud that go bad, go bad hard. They also heal big. Part of the deal.&lt;/p&gt;
&lt;p&gt;I was surprised that I was the only one tweeting and complaining about it. I didn&#x2019;t see one article or public view on this major screw up. The only place I saw any complaining was on the Office365 forum. So glad that was happening.&lt;/p&gt;
&lt;div class="wlWriterHeaderFooter" style="margin: 0px; padding: 0px 0px 0px 0px;"&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/mtGqJvL_Zvo" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 19 Apr 2013 14:05:29 +0200</pubDate>
			<title>When are technologies really disruptive?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/04/19/when-are-technologies-really-disruptive/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/04/19/when-are-technologies-really-disruptive/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;A few days ago I read an article about &#x201c;disruptive technologies&#x201d; in the (glossy) customer magazine of a large system integrator. The article mentioned technologies such as Big Data, Cloud Computing, or Mobile Computing. But are these technologies really disruptive?&lt;/p&gt;
&lt;p&gt;The definition of &#x201c;disruptive innovation&#x201d; in &lt;a href="http://en.wikipedia.org/wiki/Disruptive_innovation"&gt;Wikipedia&lt;/a&gt; is as follows:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&lt;i&gt;A disruptive innovation is an innovation that helps create a new market and value network, and eventually goes on to disrupt an existing market and value network (over a few years or decades), displacing an earlier technology. The term is used in business and technology literature to describe innovations that improve a product or service in ways that the market does not expect, typically first by designing for a different set of consumers in the new market and later by lowering prices in the existing market.&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Amongst the most prominent examples of disruptiveness are the replacement of sailing ships by steamboats in transportation or of horse-drawn carriages by automobiles. Sailing ships play virtually no role at all in transportation anymore, at least not in the western hemisphere and across long distances. The same is true for horse-drawn carriages.&lt;/p&gt;
&lt;p&gt;When looking at the technologies mentioned at the beginning, Cloud Computing is the most disruptive one from my perspective. Cloud Computing has massive impact on licensing models, even for on-premise IT technology. However, is &#x201c;Cloud Computing&#x201d; really disruptive? Or are just some parts of Cloud Computing such as SaaS vs. on-premise software disruptive &#x2013; and maybe even some areas therein such as Office applications?&lt;/p&gt;
&lt;p&gt;And where is the disruptiveness in Big Data? I do not see technologies being replaced by Big Data. Big Data allows for new types of solutions, but it is not disruptive at all.&lt;/p&gt;
&lt;p&gt;When looking at Mobile Computing, one might argue that the recent drops in PC sales are a clear indicator of disruptiveness. And yes, there is some likelihood that the classical PC market will shrink further. However, Mobile Computing appears to be too unspecific to be the disruptive innovation. There are tablets, smartphones, phablets, etc. that are challenging the PC market. But do we really know how the future will look? I just recently switched back from the Apple iPad to more productive devices, i.e. a tablet PC (ultrabook), and, in addition, a Microsoft Surface RT, which at least comes with Office apps and is able to display a Word or PowerPoint document with correct formatting. And I have a classical PC under my desk, with three 27&#x201d; displays attached &#x2013; mail to the left, Word in the middle, browser and Skype to the right. The different trends within Mobile Computing are disruptive for traditional PC technology. But what will be the result? We just do not know yet.&lt;/p&gt;
&lt;p&gt;Overall, not defining everything as disruptive might be helpful. Many things that appear to be disruptive during the hype turn out to be not that disruptive. The reality of most organizations will be hybrid environments for the foreseeable future &#x2013; and not pure Cloud Computing. There will remain a significant need for on-premise IT, for desktop PCs, and for classical databases and BI (Business Intelligence). It is important to look at new opportunities, but doing it with some realistic distance helps &#x2013; especially in IT.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ioR5aqeCXq8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 17 Apr 2013 16:32:06 +0200</pubDate>
			<title>Another Case for IDMaaS</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/04/17/another-case-for-idmaas/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/04/17/another-case-for-idmaas/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Identity Management is a universal problem&lt;/p&gt;
&lt;p&gt;When I pay my electric bill I usually just call the power company and give them my credit card. This month I decided that I should go set up auto payments on the web site and be done with it. So I opened the power company web site and attempted to login. Clearly the site recognized me, the login name I usually use was being recognized, but I just could not remember my password. I tried all of the normal passwords I use and none of them were working.&lt;/p&gt;
&lt;p&gt;So I attempted to retrieve my password, it gave me an option of having the password reset sent to my email address or answering secret questions. I opted to have it sent to my email address. I waited. Nothing showed up in my email box. I looked in the spam folder, still nothing. I went back to the web site and this time I opted for being asked the secret question&#x2026;..&#x201d;What is your favorite color&#x201d;. Oh man, I don&#x2019;t know. Depends on my mood and what day it is. I don&#x2019;t remember what I put in there for my favorite color. Ok. Let&#x2019;s try &#x201c;Blue.&#x201d; Good, that worked. Wow. I am in. Hey. This isn&#x2019;t my account? WTF?&lt;/p&gt;
&lt;p&gt;Now I know there are two other Craig Burtons living in Utah. Apparently I have just accessed the electricity billing account of one of them by guessing both the user name and the answer to the secret question. And the answer was &#x201c;blue&#x201d;?&lt;/p&gt;
&lt;p&gt;Off the top of my head I would say the Electric Company has a severe security leak in it.&lt;/p&gt;
&lt;p&gt;Of course I didn&#x2019;t do anything to this account. I could see that his email address was just sent another request to change the name and password. I hope he did that.&lt;/p&gt;
&lt;p&gt;This was an ugly incident that could have been much uglier if I was malicious.&lt;/p&gt;
&lt;p&gt;Here is my point, a uniform cloud-based Identity management system could be used to prevent this kind of thing. As it stands, every single web site has its own set of code used to prevent inappropriate access. A scenario bound to create the blatant hole I ran into.&lt;/p&gt;
&lt;p&gt;Of course the other side of the coin is that if the cloud-based identity management system had a hole in it, everybody would have the hole. Then again, the fix would fix everybody. Trade-offs but I still think the cloud-based Identity Management as a Service is where we are headed in the future.&lt;/p&gt;
&lt;div class="wlWriterHeaderFooter" style="margin: 0px; padding: 0px 0px 0px 0px;"&gt;&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/i7xf3unDlcw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 17 Apr 2013 16:07:31 +0200</pubDate>
			<title>Kill the heating &#x2013; how smart infrastructures will not work at all</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/04/17/kill-the-heating/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/04/17/kill-the-heating/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;This week, I read an &lt;a href="http://www.heise.de/security/meldung/Vaillant-Heizungen-mit-Sicherheits-Leck-1840919.html"&gt;article&lt;/a&gt; (in German) about a severe security bug in heating systems provided by Vaillant, one of the larger manufacturers in that space. The issue was found in so called &#x201c;nano block heating systems&#x201d; that are made for detached houses and duplex houses.&lt;/p&gt;
&lt;p&gt;The units have an IP interface that allows both the service technicians of the vendor and the owner of the heating system to remotely manage the device. However, a security bug allows pretty much anyone to easily access, in clear text, the passwords of the owner, the technician (expert), and even the developer. In other words: attackers can easily gain full access and control over all settings. That allows raising the temperature of the outgoing water in summer, which can damage the heating element. It allows stopping the heating in winter, which could result in frost damage. There most likely are other types of damage an attacker can cause.&lt;/p&gt;
&lt;p&gt;Even worse, these systems communicate with the vendor&#x2019;s DynDNS (Dynamic DNS) service. That allows attackers to identify all such systems in a simple way, just by &#x201c;trial and error&#x201d;.&lt;/p&gt;
&lt;p&gt;Vaillant has announced that it will inform the customers, update the software &#x2013; which requires, despite the IP interface, that a technician visit the customers &amp;#8211; and provide VPN communication for technicians.&lt;/p&gt;
&lt;p&gt;This issue is a perfect example of what is happening these days in smart metering and other areas of &#x201c;smart homes&#x201d;. Vendors start adding IP interfaces, but they fail at security. In the entire segment of home automation, which is based on standards such as EIB/KNX, understanding of security issues appears to be rather limited. Security is understood as &#x201c;availability&#x201d;, not as being secured against attackers. That is, by the way, true for other standards as well &#x2013; most bus systems in manufacturing are not secure at all. EIB/KNX does not even have a security layer. These bus systems typically rely on simple broadcasting. Whoever has access to the bus has access to everything. Once you connect the bus to the Internet, things obviously become highly insecure.&lt;/p&gt;
&lt;p&gt;The obvious solution for that is protecting the IP interface. However, as long as that is not done perfectly well, the problem remains. The entire manufacturing industry, but also the automotive industry and others that rely on rather primitive bus systems, have to fundamentally rethink their security approaches. Not doing this is wantonly negligent.&lt;/p&gt;
&lt;p&gt;Smart infrastructures require smart security. Not having well-thought-out and well-implemented security approaches in place, but relying on stone-age security approaches for (sometimes) stone-age bus systems, puts us all at risk. There is a good reason for the massive potential of Stuxnet: it arises from opening up insecure environments &#x2013; insecure by design &#x2013; to the Internet without appropriately changing the security approaches.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/bLNsippQzWg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 17 Apr 2013 10:55:19 +0200</pubDate>
			<title>Rapidly Evolving Identity &amp; Access Management to Meet Today&#x2019;s B2C &amp; Cloud Challenges</title> 
			<link>http://www.kuppingercole.com/watch/rapidly_evolving_iam</link> 
			<guid>http://www.kuppingercole.com/watch/rapidly_evolving_iam</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; The world of Identity and Access Management is growing in scope, and must change and adapt faster than ever before. CIOs are under pressure to shift from employee-centric IAM to consumer-facing IAM that drives top-line revenue. As a result, they are quickly learning that legacy enterprise IAM solutions are not designed to solve today´s web challenges (enterprise, cloud, social, mobile).&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/rapidly_evolving_iam"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/rapidly_evolving_iam/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/rapidly_evolving_iam"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ofCvo82SUP0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 12 Apr 2013 10:20:58 +0200</pubDate>
			<title>Whitepaper: Information Classification: Information Stewardship in Practice - 70740</title> 
			<link>http://www.kuppingercole.com/report/whitepapertitusstewardshippractice7074012413</link> 
			<guid>http://www.kuppingercole.com/report/whitepapertitusstewardshippractice7074012413</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Information stewardship uses good governance techniques to implement information centric security for all of your data. Information Stewardship involves the business as well as the IT services group. It creates a culture where the people in the organization understand the sensitivity of information and the ways in which this information can be put at risk.&lt;/p&gt;
&lt;p&gt;A key concept within Information stewardship is that it &amp;ldquo;&lt;em&gt;creates a culture where the people in the organization...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/whitepapertitusstewardshippractice7074012413"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/H4yeHR6Y2ss" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 11 Apr 2013 10:38:25 +0200</pubDate>
			<title>23.04.2013: Bridging (the gap between) Access Governance and Privileged User Management … and they lived happily ever after!</title> 
			<link>http://www.kuppingercole.com/events/n10137</link> 
			<guid>http://www.kuppingercole.com/events/n10137</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; Access Governance (modeling a desired state, then detecting and remediating risks deriving from any deviation from such a model) and Privileged User Management  (controlling the activity of the SysAdmins, operating at the system level) have been historically taught as a single mantra within Identity Management lectures, but ultimately treated as different technologies and implementation projects.&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/events/n10137"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/0Hi724ayXcg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 10 Apr 2013 12:09:01 +0200</pubDate>
			<title>EIC 2013 Keynote: Peter Boyle, BT´s Head of Identity Services</title> 
			<link>http://www.id-conf.com/sessions/1107</link> 
			<guid>http://www.id-conf.com/sessions/1107</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1107" target="_blank"&gt;If Your Customers Don&amp;acute;t Feel Safe, They Will Leave You.&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/JBWFHPqRHeQ" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 10 Apr 2013 09:35:35 +0200</pubDate>
			<title>European Identity &amp; Cloud Conference 2013 Preview</title> 
			<link>http://www.kuppingercole.com/watch/eic2013-preview3</link> 
			<guid>http://www.kuppingercole.com/watch/eic2013-preview3</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; The European Identity &amp; Cloud Conference (EIC) 2013 will once again be Europe´s most important event exploring the future of information technology. Join us in this webinar for a comprehensive preview of this year´s key topics and speakers.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/eic2013-preview3"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/eic2013-preview3/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/eic2013-preview3"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/u_PmrE4nfkg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 09 Apr 2013 13:56:09 +0200</pubDate>
			<title>Just the fact(or)s, ma&#x2019;am</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/04/09/just-the-factors-maam/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/04/09/just-the-factors-maam/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;2FA, it&#x2019;s an abbreviation (word? acronym?) I see a lot these days. But it&#x2019;s not, as I first thought, teenage texting slang (&#x201c;OMG, that&#x2019;s 2FA!&#x201d;) for &#x201c;too freakin&#x2019; amazing&#x201d;. No, it&#x2019;s a shortened version of &#x201c;two factor authentication&#x201d; which has been a hot topic and buzzword since Google announced it (although they call it &#x201c;two step verification&#x201d;) after the now infamous case of hacking which struck Wired magazine&#x2019;s Mat Honan (see &#x201c;&lt;a href="http://blogs.kuppingercole.com/kearns/2012/08/14/the-honan-hack-and-the-byoi-meme/"&gt;The Honan Hack and the BYOI meme&lt;/a&gt;&#x201d;) last summer. Suddenly everyone is writing about 2FA. Of course, they rarely mention that two weak factors can be worse than one strong factor, e.g. Google.&lt;/p&gt;
&lt;p&gt;But two-factor authentication is really only one case within the more established paradigm of multi-factor authentication (MFA), where &#x201c;multi&#x201d; stands for &#x201c;more than one&#x201d; and might be two but could be three, four or more. And multi-factor authentication is hardly the new kid on the block &#x2013; I&#x2019;ve been writing about it since last century.&lt;/p&gt;
&lt;p&gt;Yes, it was in January, 2000 that I &lt;a href="http://www.networkworld.com/newsletters/dir/0124dir1.html"&gt;wrote&lt;/a&gt; two newsletters about Novell&#x2019;s new release, NMAS &amp;#8211; Novell Modular Authentication Services. As I said at the time:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;NMAS lets network administrators choose among different authentication methods, including traditional password control and adding biometric and smart card methods. While biometric and smart card access isn&amp;#8217;t new, it&amp;#8217;s the control over the methods used, and the subsequent access granted, which makes NMAS a major addition to NDS security.&#x201d;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;With NMAS, you could specify one, two or even three factors to use for authentication and the factors could be any of What you know (password), What you have (smart card) or What you are (biometric). Depending on the factor or factors used, the administrator could further restrict the user&#x2019;s access rights. Nice to see that Google, &lt;a href="http://www.infosecurity-magazine.com/view/31413/apple-rolls-out-2factor-authentication/"&gt;Apple&lt;/a&gt; and others are finally climbing onto the MFA bandwagon.&lt;/p&gt;
&lt;p&gt;MFA is, of course, an integral part of Risk-Based Access Control (RBAC) especially when it can be optionally used depending on the risk factors involved in an authentication session.&lt;/p&gt;
&lt;p&gt;You&#x2019;ll remember, I hope (if not, go read &#x201c;&lt;a href="http://www.transformeddc.com/author.asp?section_id=2883&amp;amp;doc_id=260552"&gt;Passwords &amp;amp; Tokens &amp;amp; Eye Scans, Oh My!&lt;/a&gt;,&#x201d; we&#x2019;ll wait) that the calculated risk factor for an authentication/authorization event can be used to trigger multiple factors for verification in the authentication ceremony. It might simply be that someone is requesting access to high value resources, or they may be requesting access from an unfamiliar location or platform. It could simply be that the access requested is not within the user&#x2019;s standard pattern of time of day or time of year (e.g., tax season). Whatever the case, a calculation of high risk should lead to multi-factor authentication for that user at that time.&lt;/p&gt;
&lt;p&gt;In some cases (attempts to login as root or admin, for example) you should always look to MFA because the risk is always going to be high.&lt;/p&gt;
&lt;p&gt;But it&#x2019;s not just hardware tokens, biometrics and passwords that should make up the MFA mix. A lot of the contextual items you look at when evaluating risk can also be considered a 2&lt;sup&gt;nd&lt;/sup&gt; (or 3&lt;sup&gt;rd&lt;/sup&gt;) factor in the authentication ceremony.&lt;/p&gt;
&lt;p&gt;If, for example, the user is accessing the network from their typical endpoint (office desktop PC, home pc, laptop, smartphone, etc.) then that can count almost as much as a hardware token. If your system then sends an out-of-band SMS to the user with a one-time password (OTP) to be entered during authentication, you might say this was a 3FA.&lt;/p&gt;
&lt;p&gt;But how secure is 2FA, or MFA?&lt;/p&gt;
&lt;p&gt;Noted security expert Bruce Schneier &lt;a href="http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html"&gt;wrote&lt;/a&gt; (back in 2009, and referenced something else he wrote in 2005!) about hacking two-factor authentication and noted&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt; &#x201c;Here are two new active attacks we&amp;#8217;re starting to see:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Man-in-the-Middle attack&lt;/b&gt;. An attacker puts up a fake bank website and entices user to that website. User types in his password, and the attacker in turn uses it to access the bank&amp;#8217;s real website. Done right, the user will never realize that he isn&amp;#8217;t at the bank&amp;#8217;s website. Then the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user&amp;#8217;s banking transactions while making his own transactions at the same time.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Trojan attack&lt;/b&gt;. Attacker gets Trojan installed on user&amp;#8217;s computer. When user logs into his bank&amp;#8217;s website, the attacker piggybacks on that session via the Trojan to make any fraudulent transaction he wants.&#x201d;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Then why does everyone, it seems, believe that using two factors for authentication is better than using only one? It&#x2019;s simple: if implemented properly, 2FA does reduce the risk of unauthorized access. Let&#x2019;s say that the risk of unauthorized access using just a password is 1 chance in 20 (5%), which is probably a little high. Then let&#x2019;s say that the risk when using a different factor (let&#x2019;s say a hardware token) is lower, perhaps 1 in 1000 (.1%). What&#x2019;s the risk when both are used? Statistical theory says that, assuming the two factors fail independently, you multiply the first factor (5%) by the second (.1%), which yields .005%, or 1 in 20,000 &#x2013; a much better risk factor, I think you&#x2019;ll agree! Of course, if you use a higher-risk second factor (say, 1% or 1 in one hundred) then the overall risk is 1 in 2000 (5% times 1%), which isn&#x2019;t as secure as the hardware token we postulated.&lt;/p&gt;
&lt;p&gt;The important thing to remember, though, is that you need to set a realistic risk factor for each authentication factor in your ceremony. The same realistic view should also govern how you look at the various context factors when weighing the risk involved in any particular transaction.&lt;/p&gt;
&lt;p&gt;The bottom line is that it&#x2019;s all about the risk, and your job is to minimize the risk either through strengthened authentication protocols or through reduced authorization rights &#x2013; or both. I&#x2019;ll be going into more depth on this when I present &#x201c;Versatile Authentication, Risk- and Context-Based Authentication: Why you need these Concepts&#x201d; along with some lively panel discussion on the topic at the &lt;a href="http://www.id-conf.com/events/eic2013"&gt;European Identity &amp;amp; Cloud Conference 2013&lt;/a&gt; coming up next month. I hope you&#x2019;ll be there.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/OJ3tldZsfSw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 09 Apr 2013 09:05:46 +0200</pubDate>
			<title>Advisory Note: Privilege Management - 70736</title> 
			<link>http://www.kuppingercole.com/report/advisorynote_privilegemanagement_707369413</link> 
			<guid>http://www.kuppingercole.com/report/advisorynote_privilegemanagement_707369413</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Privilege Management - which, in the KuppingerCole nomenclature, also is called PxM for Privileged Access/Account/Identity/User Management- is the term used for technologies which help to audit and limit elevated rights and what can be done with shared accounts. During the last few years, PxM has become increasingly popular. Some vendors have enhanced their offerings significantly, while acquisitions have also led to vendors providing broader offerings, moving from niche players to market...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/advisorynote_privilegemanagement_707369413"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/IOc9iiyquRc" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 08 Apr 2013 10:11:57 +0200</pubDate>
			<title>Keynote-Speaker at EIC 2013: Dr. Peter Herrmann, Bayer Cropscience AG</title> 
			<link>http://www.id-conf.com/speakers/1028</link> 
			<guid>http://www.id-conf.com/speakers/1028</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/speakers/1028" target="_blank"&gt;IAM Services @ Bayer&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/-F1nfcLUy9s" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 04 Apr 2013 18:14:16 +0200</pubDate>
			<title>Kantara Panel at EIC 2013: Federating Communities, Nations and Markets in a Big-Data Economy: Lessons learned from Academia to Governments a</title> 
			<link>http://www.id-conf.com/sessions/1113</link> 
			<guid>http://www.id-conf.com/sessions/1113</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1113" target="_blank"&gt;Joni Brennan (Kantara), Dave Kearns (KuppingerCole), Aljosa Pasic (Atos Research&amp;nbsp;&amp;amp; Innovation), Colin Wallis (New Zealand Government)&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/zAItRwvcfqE" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 03 Apr 2013 10:13:34 +0200</pubDate>
			<title>EIC 2013 Best Practice: Daniel Frei, Swiss Reinsurance</title> 
			<link>http://www.id-conf.com/sessions/1087</link> 
			<guid>http://www.id-conf.com/sessions/1087</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1087" target="_blank"&gt;Risk-based Access Management @Swiss Re&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ddwH0tUto_Y" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 02 Apr 2013 11:11:59 +0200</pubDate>
			<title>What happened recently in Security?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/04/02/what-happened-recently-in-security-3/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/04/02/what-happened-recently-in-security-3/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;During the past few days, there have been at least two notable events in security. One was the attack on South Korean banks and TV networks. The other was the &#x201c;Spamhaus incident&#x201d;. I will talk about these two more in detail further down that post.&lt;/p&gt;
&lt;p&gt;Besides that, it was interesting to observe that iOS and OS X seem to become increasingly the malware targets of choice. That is not surprising, however, since there are masses of iOS and OS X devices out there. Thus, the platform is far more attractive than in the past. Combined with the fact that Apple&#x2019;s patch policy still is not convincing, this results in an increasing number of attacks. When I count the platform-related news of the past two weeks in my CNET RSS feed, then 5 out of 6 articles were related to the two Apple operating systems. That just confirms what I have been saying for a long time: It is not that much about whether a platform is secure or insecure; it is about reaching a critical mass to become a target of choice for attackers. They will always find weaknesses, because complex systems never will be perfect. By the way: It would only be fair if the castigators of Microsoft Windows security from the past would act the same way now regarding Apple. Microsoft has learned a lesson. Has Apple already learned its lesson? I doubt that.&lt;/p&gt;
&lt;p&gt;One other interesting &lt;a href="http://news.cnet.com/8301-1009_3-57576504-83/outdated-java-weak-spots-are-widespread-websense-says/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;news article&lt;/a&gt; was about Java updates. According to a new Websense report, 94% of endpoints running Java are vulnerable to at least one exploit. This shows that Java Updates do not work well as of now. One of the issues clearly is that Java runs on a variety of devices. While updating PCs is straightforward, other devices &#x2013; especially the ones where Java is deeply embedded &#x2013; are hard to update, due to a lack of a simple, standardized approach for patching these devices. From my perspective, Oracle should concentrate on adding sort of &#x201c;patch support by design&#x201d; capabilities to all future Java versions. While many people criticize the Microsoft Update concept, it is &#x2013; from my perspective &#x2013; by far the best approach that is currently in place across the entire industry.&lt;/p&gt;
&lt;h2&gt;South Korea vs. North Korea&lt;/h2&gt;
&lt;p&gt;Last week, some South Korean companies &#x2013; TV broadcasters and banks &#x2013; were hit by a massive cyber-attack run by a group that calls itself &#x201c;Whois Team&#x201d;. There were clear signs that the attack was part of the ongoing &#x201c;cold war&#x201d; between South Korea and North Korea, which currently is escalating again. Despite the fact that it is still unclear where the attack originated, I think that this is another indicator for the emerging risks of cyber-attacks in conflicts between nations.&lt;/p&gt;
&lt;h2&gt;The &#x201c;Spamhaus incident&#x201d;&lt;/h2&gt;
&lt;p&gt;Finally, a cyber-fight between Spamhaus, a spam-fighting organization, and a group of attackers even made it to the TV news over here in Germany and in other countries. This attack is reported to be the largest DDoS (Distributed Denial of Service) attack ever. It reportedly affected the whole Internet, especially in the U.K., Germany, and the Netherlands (Spamhaus is based in the Netherlands). There are two lessons we can learn from that. One is that the Internet, despite its distributed nature, is not immune to attacks. The second is that obviously cyber-criminals are well prepared to counter attacks against them, having large botnets on hand to place such DDoS attacks.&lt;/p&gt;
&lt;h2&gt;Physical Attacks on Critical Infrastructure&lt;/h2&gt;
&lt;p&gt;What I also found interesting were some articles about the Egyptian police arresting three men that tried to cut through some cables for Internet connectivity owned by the Egypt Telecom network. Some days ago, other cables of the Seacom network, being a part of the Internet connecting various countries under the Mediterranean Sea, were destroyed. The Egyptian police arrested the divers that tried to cut through the cables of the Egypt Telecom in action, from what was reported. I have not read anything about the motivation of these attackers. However, this clearly is another indicator of the massive risk for Critical Infrastructures these days.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/uYlIW391QMw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 27 Mar 2013 13:16:06 +0100</pubDate>
			<title>Do we really want an unsecured connected vehicle?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/27/do-we-really-want-an-unsecured-connected-vehicle/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/27/do-we-really-want-an-unsecured-connected-vehicle/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;I read an interesting article about the future of vehicles and their connectivity in the Geo magazine, sort of the German counterpart to the National Geographic magazine. The article was quite interesting; however, I did not find anything about security. This is not a new experience: most of the articles and discussions about the concept of connected vehicles and their integration into the smart grid (plus all the discussions about smart grids and smart infrastructures) still are security-agnostic.&lt;/p&gt;
&lt;p&gt;Do we really want to drive unsecured connected vehicles? Do we really want to live in a smart but unsecured world? How smart will that world really be? I have &lt;a href="http://blogs.kuppingercole.com/kuppinger/2010/03/25/is-an-insecure-smart-planet-really-smart/"&gt;blogged&lt;/a&gt; about this way before. In these days of increasing cyber-attacks and of an increased understanding of the risks of critical infrastructures, agnosticism regarding security is not acceptable anymore.&lt;/p&gt;
&lt;p&gt;The article discussed concepts like using electric vehicles as a storage for electric power, as sort of a distributed, large battery for storing power from the large power networks. This is a great idea; however, thinking about the required connectivity for that, just in the context of correct billing alone, shows that this is an interesting topic from both the security and the identity perspective.&lt;/p&gt;
&lt;p&gt;At &lt;a href="http://www.id-conf.com"&gt;EIC 2012&lt;/a&gt;, we held a workshop on the topic of the connected vehicle. We had a very intense discussion there. We quickly identified a complex ecosystem of identities that need to share data. However, most data must be shared only between a few selected parties. There are the owner, the driver, the leasing company, the passengers, the garage, the insurance company, the vendor, and the manufacturer, to name just a few of the possible interested parties. Within the car there are components provided by many different manufacturers which might talk to others &#x2013; or not. There are other cars, there are traffic management systems, there is the police, etc. Not to mention the utilities companies here&#x2026; It is an extremely complex ecosystem.&lt;/p&gt;
&lt;p&gt;Within that ecosystem, sharing of data must be very tightly managed. Some data might pass to the police only, while other data must not go there. However, that might differ from country to country. Some data is only relevant to the driver or the vendor; other data should be also available for the manufacturer.&lt;/p&gt;
&lt;p&gt;However, sharing of data is the smaller part of the challenge. The need for well-controlled security and identity becomes even larger when we are talking about controlling the car or the traffic in general. The idea of cyber-criminals taking control of vehicles is frightening.&lt;/p&gt;
&lt;p&gt;I know that several car manufacturers are investing in PKI and related technologies to secure communication among various components. That might work for the components within a car, but it will not be sufficient for the bigger ecosystem of the connected vehicle I have outlined above. What we need are bigger concepts, cross-industry, integrating all the related parties and components. The good thing is that many of the answers to the challenges of a connected vehicle are there. Life Management Platforms are one element, which allow managing a lot of related information in a privacy-aware and security-aware manner. The API Economy and API security is important for managing security of all the interfaces in these complex, connected systems. Identity Federation is an important piece of the puzzle as well. However, what I still miss is both a clear view of the big picture and coordinated initiatives for a secure smart planet, including the connected vehicles.&lt;/p&gt;
&lt;p&gt;It is past time to act. At &lt;a href="http://www.id-conf.com"&gt;EIC 2013&lt;/a&gt;, we will have a roundtable for the Automotive Industry &#x2013; a good place to connect with others. We will have various sessions around Life Management Platforms, the API Economy and other security topics. So do not miss EIC 2013 when you are involved in securing the smart planet of the future and when you are looking for a more holistic approach instead of point solutions for various pieces.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/KhHeW38TBlU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 27 Mar 2013 11:07:27 +0100</pubDate>
			<title>Dr. Joerg Hladjk, LLM at EIC2013: European Union Cybersecurity Strategy &amp; Network Internet Security (NIS) Directive</title> 
			<link>http://www.id-conf.com/sessions/1120</link> 
			<guid>http://www.id-conf.com/sessions/1120</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1120" target="_blank"&gt;The Upcoming Cybersecurity Strategy for the European Union - What does it mean for your Enterprise?&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UE6FCvNNgLk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 26 Mar 2013 12:59:10 +0100</pubDate>
			<title>Information Stewardship and BYOD news for you</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/03/26/information-stewardship-and-byod-news-for-you/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/03/26/information-stewardship-and-byod-news-for-you/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Two documents crossed my desk this week &#x2013; a survey and a &#x201c;planning guide&#x201d; &#x2013; which fit nicely with two recent papers from KuppingerCole, illustrating a need and (unknowingly) confirming our conclusions.&lt;/p&gt;
&lt;p&gt;The first is about the current buzzword acronym BYOD (for &#x201c;Bring Your Own Device&#x201d;) which my colleague Martin Kuppinger just released an advisory note about (&#x201c;today it&#x2019;s almost exclusively mobile devices &amp;#8211; smartphones, tablets, &#x2018;phablets,&#x2019; etc. &amp;#8211; that are referred to with BYOD: a focus that is too narrow&amp;#8230;&#x201d;) but which appears to be with us at least for the near term.  The new piece is a survey, commissioned by a group of Cisco partner firms led by Pine Cove (based in Billings, MT).&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.ciscomcon.com/sw/swchannel/registration/internet/registration.cfm?SWAPPID=91&amp;amp;RegPageID=350200&amp;amp;SWTHEMEID=12949"&gt;For this study&lt;/a&gt;, The group of Cisco partner firms used a randomized online sampling of full-time American workers. The group analyzed 1,000 responses. The survey population for Americans employed full-time who own a smartphone is roughly 53 million, according to the Bureau of Labor Statistics and the Pew Internet &amp;amp; American Life project. The margin of error of the study is 3 percent.&lt;/p&gt;
&lt;p&gt;Among the interesting findings of the study:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;62% of U.S. employees who use their own smartphone for work do so every day;&lt;/li&gt;
&lt;li&gt;92% of U.S. employees who use their smartphones for work did so this week;&lt;/li&gt;
&lt;li&gt;Only 1 in 10 workers get some kind of work stipend for their smartphone;&lt;/li&gt;
&lt;li&gt;39% of workers who use personal smartphones for work don&#x2019;t password protect them;&lt;/li&gt;
&lt;li&gt;52% access unsecured wifi networks;&lt;/li&gt;
&lt;li&gt;69% of BYODers are expected to access work emails after hours.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The one glaring number, to me, is that only 10% of the workers who use their smart device to help them work receive any sort of compensation from their employer. What that tells me is that these American organizations are not supplying their employees with the tools they need to do their job efficiently and productively.&lt;/p&gt;
&lt;p&gt;The bottom line, though, is that IT departments should not still be discussing whether or not to support BYOD &#x2013; the devices are going to be used either way. If IT is going to serve the enterprise and protect its resources, then IT needs to quickly develop additions to their end-point management plan that cover smart devices, and also quickly develop policies to bring these devices into the Information Stewardship practice of the organization.&lt;/p&gt;
&lt;p&gt;And speaking of Information Stewardship, I just released a white paper called &lt;a href="http://www.kuppingercole.com/report/whitepaperstewardshipwithingovernment7100225213"&gt;Using Information Stewardship within Government to Protect PII&lt;/a&gt;, an offshoot of the advisory note &lt;a href="http://www.kuppingercole.com/report/admsdk_informationstewardship70587301112"&gt;From Data Leakage Prevention (DLP) to Information Stewardship&lt;/a&gt; released last fall by my colleague Mike Small and myself. But what excited me was a guide written for The Online Trust Alliance (OTA) called the &lt;a href="https://otalliance.org/resources/incident/2013DataBreachGuide3-15.pdf"&gt;2013 Data Protection &amp;amp; Breach Readiness Guide&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The OTA describes its mission as &#x201c;to enhance online trust and the protection of users&amp;#8217; security, privacy and identity, while promoting innovation and the vitality of the Internet.&#x201d;&lt;/p&gt;
&lt;p&gt;One caveat when viewing the report: the OTA still uses the term &#x201c;data&#x201d; where we at KuppingerCole prefer &#x201c;Information&#x201d;. As we&#x2019;ve said, &#x201c;Loss or leakage of data is not necessarily a loss of information &#x2013; understanding the difference between data and information is important to ensure protection.&#x201d; Data might simply be a list of passwords. As such, it&#x2019;s no more useful than a dictionary. But a list of usernames AND passwords &#x2013; that&#x2019;s information, and that could be a problem should it  be leaked into the wild. So, if you read the OTA report, remember that when they speak of data they really mean information.&lt;/p&gt;
&lt;p&gt;I bring this up because a large part of the report deals with what the OTA calls &#x201c;Data Lifecycle Management &amp;amp; Stewardship.&#x201d; As the report notes:&lt;/p&gt;
&lt;blockquote&gt;&lt;p&gt;&#x201c;OTA advocates the need to create a data lifecycle strategy and incident response plan, evaluating data from acquisition through use, storage and destruction. A key to successful data lifecycle management is balancing regulatory requirements with business needs and consumer expectations. Success is moving from a perspective of compliance, the minimum of requirements, to one of stewardship where companies meet the expectations of consumers.&#x201d;&lt;/p&gt;&lt;/blockquote&gt;
&lt;p&gt;Of course, this is exactly what Mike and I outlined as good Information Stewardship.&lt;/p&gt;
&lt;p&gt;Further, the report bolsters some of our own conclusions when it notes that &#x201c;Businesses need to continually evaluate the data through each phase [of the lifecycle] and accept four fundamental truths:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Privacy and use polices need to be continually reviewed and updated.&lt;/li&gt;
&lt;li&gt;The data they collect includes some form of personally identifiable information (PII).&lt;/li&gt;
&lt;li&gt;If a business collects data it will experience a data loss incident at some point.&lt;/li&gt;
&lt;li&gt;Data stewardship is everyone&#x2019;s responsibility.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;These four principles need to be a part of every organization&#x2019;s Information Stewardship policy.&lt;/p&gt;
&lt;p&gt;It&#x2019;s now long past time for analysts and pundits to be telling you that you need an Information Stewardship policy. It&#x2019;s also long past the time that you need to incorporate smart, mobile devices into your endpoint policies &#x2013; and not as a separate &#x201c;BYOD&#x201d; policy. Your endpoint strategy should cover these devices along with desktop/laptop machines in the office, at home, and &#x201c;on the road&#x201d; (i.e., internet cafes).&lt;/p&gt;
&lt;p&gt;If you&#x2019;re a KuppingerCole client, ask your representative how we can help. If you aren&#x2019;t &#x2013; why aren&#x2019;t you? And, either way, be sure to plan on being at &lt;a href="http://www.id-conf.com/eic2013"&gt;EIC 2013&lt;/a&gt;, where BYOD and Information Stewardship will feature prominently.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/NMPgM6Q179E" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 26 Mar 2013 10:50:57 +0100</pubDate>
			<title>EIC2013 Best Practice with Dr. Abbie Barbir, VP, Senior Security Architect at Bank of America</title> 
			<link>http://www.id-conf.com/sessions/1083</link> 
			<guid>http://www.id-conf.com/sessions/1083</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1083" target="_blank"&gt;Identity and Access Management on a Shoe String, &amp;ldquo;Best Practices for an Enterprise to Support IDAM Requirements&amp;rdquo;&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/lcygQYnqOmA" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 25 Mar 2013 15:24:59 +0100</pubDate>
			<title>How to license Identity and Access Management software?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/25/how-to-license-identity-and-access-management-software/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/25/how-to-license-identity-and-access-management-software/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Recently I had some conversations with both vendors and customers about licensing models for IAM (Identity and Access Management) software. Historically, most licensing models were (and still are) based on the number of users, typically &#x201c;named&#x201d; users (rather than &#x201c;concurrent&#x201d; users). License models based on the number of concurrent users are rather unusual for IAM.&lt;/p&gt;
&lt;p&gt;Nowadays, I observe some shift towards models that are based on the number of connections or even processor-based. The number of connections is a metric that shows up in federation products, where the connection typically is defined as &#x201c;a connection from the federation hub to a target system, either Identity Provider or Service Provider&#x201d;. However, vendors might also focus on &#x201c;concurrent connections&#x201d; in the sense of users federating. I have also seen approaches that are about billing per connection, i.e. based on the actual use of a federation service, in cloud-based offerings.&lt;/p&gt;
&lt;p&gt;I also have been involved in discussions between customers and vendors about dealing with externals (contractors, clients, vendors, etc.). When looking for an Identity Provisioning or Access Governance solution with focus on the employees, a licensing model based on named users is straightforward. It is predictable. However, once the number of external identities grows, the question of changing the metric arises. Should an external user that typically has somewhat limited access cost as much as the regular, internal user? I have seen different approaches ranging from the full fee to a percentage of the regular user fee or even flat rates for external users.&lt;/p&gt;
&lt;p&gt;Finally, there is the discussion about classical license-plus-maintenance models versus subscription-based models without the initial fee but with a constant annual rate to pay.&lt;/p&gt;
&lt;p&gt;So what is the best model? Honestly, I do not know what the perfect model is. I even doubt that there is the perfect model for licensing. However, both vendors and customers should concentrate on the characteristics of a &#x201c;good&#x201d; licensing model, besides the fact that the vendor wants to earn as much as he can and the customer wants to pay as little as possible. These are, from the customer perspective:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Predictability&lt;/li&gt;
&lt;li&gt;Flexibility for adapting the model as needs change&lt;/li&gt;
&lt;li&gt;Flexibility to change the vendor&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The first one probably is the most important one. Customers need to be able to calculate the cost in advance. That works well for flat rate models, but it does not work for models where either the user base can grow massively &#x2013; think about the &lt;a href="http://blogs.kuppingercole.com/kuppinger/2012/04/25/the-identity-explosion-one-reason-to-re-engineer-not-only-our-iam/"&gt;Identity Explosion&lt;/a&gt; &#x2013; or which rely on the use of a service. Models that are based on a flat fee for external users, an overall flat fee (does not work well for vendors in most cases) or other factors like the number of connections to IdPs and SPs fulfill that requirement. Also processor-based licensing works quite well because it scales slowly and in a predictable manner.&lt;/p&gt;
&lt;p&gt;The flexibility to adapt models as needs change &#x2013; by both scaling up and scaling down &#x2013; is another important factor. However, this again is about predictability. The cost of adding new groups of users, new systems, etc. must be predictable. Doing that right can be rather attractive for customers, when they can start small with a one- or two-partner case and then add other federation partners or systems subsequently, with a fixed cost per added partner/system.&lt;/p&gt;
&lt;p&gt;The flexibility to change the vendor clearly is not in the interest of the vendor, but of the customer. The initial license fee is an inhibitor for change. When you have to pay 500,000 &#x20ac; or US$ in advance just for licenses, it is much more difficult to build the business case for switching to another vendor than when relying on subscription-based models with a lower &#x201c;entry fee&#x201d;.&lt;/p&gt;
&lt;p&gt;I recommend that both vendors and customers consider these criteria when looking at pricing models and rethinking existing business models. The most important question is: will success become too expensive? Or, in other words: will the Identity Explosion destroy my calculation? Overall, I see a shift away from purely user-based licensing in most disciplines of IAM. Dealing with more types of users requires different answers.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/vzwT5o9APq4" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 22 Mar 2013 14:57:27 +0100</pubDate>
			<title>Extending Data Governance Beyond the Database</title> 
			<link>http://www.kuppingercole.com/watch/data_governance_beyond_database</link> 
			<guid>http://www.kuppingercole.com/watch/data_governance_beyond_database</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; Traditionally, enterprise data governance started within your database management system by establishing the appropriate access control and auditing policies to prevent unauthorized access and demonstrate those controls. Now a new generation of database security solutions allow organizations to extend database security policies beyond the database management system and across the enterprise.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/data_governance_beyond_database"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/data_governance_beyond_database/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/data_governance_beyond_database"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/slkLi9w0LfY" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 22 Mar 2013 09:55:51 +0100</pubDate>
			<title>Craig Burton (KuppingerCole) and Ronnie Mitra (Layer7) at EIC 2013: API Security</title> 
			<link>http://www.id-conf.com/sessions/1132</link> 
			<guid>http://www.id-conf.com/sessions/1132</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1132" target="_blank"&gt;Using and Abusing APIs: an Examination of the API Attack Surface&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/clhc7sRgnqk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Mar 2013 17:11:27 +0100</pubDate>
			<title>Best Practice on Cloud Computing Risk Management by Nikita Reva, Mars Inc. at EIC 2013</title> 
			<link>http://www.id-conf.com/sessions/1115</link> 
			<guid>http://www.id-conf.com/sessions/1115</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Do you have a handle on your risk strategy for the Cloud? &lt;a href="http://www.id-conf.com/sessions/1115" target="_blank"&gt;Fast Tracking your Risk Strategy for the Cloud&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/KSdL3kB7A6Y" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Mar 2013 13:17:50 +0100</pubDate>
			<title>26.04.2013: Benutzer- und Berechtigungsmanagement für den Mittelstand leicht gemacht</title> 
			<link>http://www.kuppingercole.com/events/n40191</link> 
			<guid>http://www.kuppingercole.com/events/n40191</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; Das Benutzer- und Berechtigungsmanagement ist ein Thema für Unternehmen jeder Größenordnung. Während große Unternehmen meist schon seit längerer Zeit den Schritt hin zu einer zentralen Infrastruktur für IAM (Identity and Access Management) gemacht haben, ist die Situation im Mittelstand häufig noch durch das Fehlen einer Gesamtlösung geprägt. Systeme wie das Active Directory, SAP, Produktionssysteme und andere wichtige Business-Systeme werden unabhängig voneinander verwaltet. Das Risiko für...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/events/n40191"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UfOY_-5tkGc" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 20 Mar 2013 12:22:21 +0100</pubDate>
			<title>Protecting Information in an Unstructured World</title> 
			<link>http://www.kuppingercole.com/watch/protecting_information_unstructured_world</link> 
			<guid>http://www.kuppingercole.com/watch/protecting_information_unstructured_world</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; Join KuppingerCole Senior Analyst Mike Small and TITUS CTO Steph Charbonneau in this Webinar to learn the Major causes of information loss and leakage and how to avoid them by bringing structure to Information through Information Stewardship.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/protecting_information_unstructured_world"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/protecting_information_unstructured_world/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/protecting_information_unstructured_world"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/G9_cg2j91RU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 19 Mar 2013 12:01:41 +0100</pubDate>
			<title>Marek Bingel, Head of IAM at Volkswagen Financial Services AG -  Best Practice on IAM/IAG Maturity</title> 
			<link>http://www.id-conf.com/sessions/1112</link> 
			<guid>http://www.id-conf.com/sessions/1112</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1112"&gt;Maturity in IAM/IAG &amp;ndash; how to Achieve, how to Measure, how to Improve&lt;/a&gt;, in a joint Session with Martin Kuppinger.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/nhWyUPwaS9w" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 19 Mar 2013 09:46:09 +0100</pubDate>
			<title>Looking at vendors from various angles &#x2013; KuppingerCole Leadership Compass</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/19/looking-at-vendors-from-various-angles-kuppingercole-leadership-compass/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/19/looking-at-vendors-from-various-angles-kuppingercole-leadership-compass/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Having published our second KuppingerCole Leadership Compass (on &lt;a href="http://www.kuppingercole.com/report/leadershipcompass_accessgovernance_707358313" target="_blank"&gt;Access Governance&lt;/a&gt;) some ten days ago &#x2013; with many others in the pipeline &#x2013; I want to look at a &lt;a href="http://grc2020.com/blog/rethinking-grc-analyst-rant-gartners-2012-egrc-magic-quadrant/" target="_blank"&gt;blog post&lt;/a&gt; Michael Rasmussen, a former Forrester analyst and now an independent GRC expert, published in October 2012.&lt;/p&gt;
&lt;p&gt;I do not want to comment on the Gartner Magic Quadrant and MarketScope or the Forrester Wave. I also do not fully share the opinion of Michael Rasmussen on these. His major complaint is that documents like the ones mentioned tend to be too mono-dimensional for the needs of the customer. From my perspective, there is a value in all of these documents, if used the right way. Clearly, it is not only about picking the upper left vendor &#x2013; he might be the best in the overall, condensed analyst view. Nevertheless, he is not necessarily the best one for the problem a customer wants to solve. However, for identifying a long-list of vendors, such views are quite helpful.&lt;/p&gt;
&lt;p&gt;In our Leadership Compass documents, we take another approach. There are four categories of leaders:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Product Leaders (Product features, maturity, etc.)&lt;/li&gt;
&lt;li&gt;Market Leaders (Number of customers, ecosystem, global reach, etc.)&lt;/li&gt;
&lt;li&gt;Innovation Leaders (Current &#x2013; not past &#x2013; innovativeness, support for upcoming requirements, etc.)&lt;/li&gt;
&lt;li&gt;Overall Leaders (Combined rating)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Beyond that, we have matrices that relate product and market leadership, product and innovation leadership, and market and innovation leadership. This allows, for example, identifying vendors that are highly innovative but still have some way to go to become both product and market leaders. For some requirements, these vendors might be the best pick. Others might opt for the ones that are current product and market leaders, even while some of them might not be highly innovative.&lt;/p&gt;
&lt;div align="center"&gt;&lt;a href="http://blogs.kuppingercole.com/kuppinger/wp-content/uploads/leadership-compass.png"&gt;&lt;img class="size-medium wp-image-701 aligncenter" alt="Leadership Compass" src="http://blogs.kuppingercole.com/kuppinger/wp-content/uploads/leadership-compass-300x154.png" width="300" height="154" /&gt;&lt;/a&gt;&lt;/div&gt;
&lt;p&gt;Michael Rasmussen illustrated this in his post by noting that some customers might need a GRC vendor that is strong in Risk Management, while others might look for one with a particular strength in Audit or Policy Management.&lt;/p&gt;
&lt;p&gt;I fully agree. However, from my perspective the customer not only needs that information, he needs a view that relates a particular strength (or weakness) to the overall product rating. A customer might start with a focus on a particular challenge, like Risk Management for Enterprise GRC products. However, over time he will in most cases need a product offering that serves all other Enterprise GRC aspects as well, at least at an adequate level. We provide that information in the additional matrices we have added to the KuppingerCole Leadership Compass on Access Governance. We will add them to upcoming Leadership Compass documents as well.&lt;/p&gt;
&lt;p&gt;The figure above gives one example. This view shows the strength of products for SAP-specific requirements on Access Governance &#x2013; the depth provided for SAP environment &#x2013; in relation to the overall product rating. While the Product Leaders are the ones on the right side, the best products for SAP-specific Access Governance are the ones more to the top. SAP GRC is the clear leader when it comes to SAP-specific features, but it is not the leader when it comes to overall Access Governance functionality for heterogeneous environments.&lt;/p&gt;
&lt;p&gt;When looking at that matrix, a customer can opt for a solution that is fairly good in both areas. He might also opt for a combined solution where he picks a specific solution for the SAP environment and another one for &#x201c;the rest of the world&#x201d;.&lt;/p&gt;
&lt;p&gt;These matrices add information and provide a multi-dimensional view of the market. Michael Rasmussen is right in his complaint that not all of the products in a market segment can be easily put into the same box. However, defining market segments and identifying players therein is important for customers when they start solving a challenge and looking for vendors.&lt;/p&gt;
&lt;p&gt;One thing I want to add: Documents such as our KuppingerCole Leadership Compass are just one of many aids customers should use in making decisions. Besides strategy, guidelines, processes, and organization, a vendor selection process needs several stages. Documents like the Leadership Compass assist in identifying long-list vendors and even short-list vendors. However, they cannot replace further evaluation, with request for information based on the specific challenges of the customer or a PoC. That is why we provide both the KuppingerCole Leadership Compass and additional advisory services to support the customer in these subsequent stages.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/xsYsjI5v3Q8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 19 Mar 2013 09:22:59 +0100</pubDate>
			<title>What happened recently in Security?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/19/what-happened-recently-in-security-2/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/19/what-happened-recently-in-security-2/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;When looking through the security related news of the past two weeks, there is very little that is surprising. Again, the usual topics such as discussions about whom to accuse of cyber-attacks and about newly found attack vectors have led to a series of news articles. There also have been ongoing discussions around privacy. However, as I have said and stated in my &lt;a href="http://blogs.kuppingercole.com/kuppinger/2013/03/06/what-happened-recently-in-security/"&gt;previous security blog post&lt;/a&gt;: Most topics remain the same. Some weeks it is about routers, this time reports about security weaknesses in connected HP printers and some other routers (TP-Link) spread the news.&lt;/p&gt;
&lt;p&gt;However, there have been news articles on two topics that caught my attention.&lt;/p&gt;
&lt;h2&gt;Trend Micro on ICS/SCADA security&lt;/h2&gt;
&lt;p&gt;Trend Micro published results of a test they have run to analyze the real security threats for ICS (Industrial Control Systems) and SCADA (Supervisory Control and Data Acquisition) networks. These environments have been under attack by &lt;a href="http://blogs.kuppingercole.com/kuppinger/2011/10/19/stuxnet-reloaded-the-war-has-just-begun/"&gt;Stuxnet, Duqu&lt;/a&gt;, and Flame over the past years.&lt;/p&gt;
&lt;p&gt;Trend Micro chose a small town in California and installed a virtual pumping station with a control system for water pressure. They made the station visible on the Internet. All software components existed, but no water pumps. They created three different &#x201c;honeypots&#x201d; with the typical weaknesses found in real-world environments.&lt;/p&gt;
&lt;p&gt;Within roughly one month, Trend Micro detected 39 attacks from 14 different countries. The leading countries were China (35%), USA (19%), and Laos (12%). At least twelve attacks appeared to be targeted. One or more attackers repeated 13 attacks on different days. These obviously were targeted and automated. Trend Micro is still investigating the other attacks.&lt;/p&gt;
&lt;p&gt;Clearly, there is a well-established ecosystem for espionage and cyber terrorism out there. No single organization with industrial production environments and no single organization in the &#x201c;critical infrastructure&#x201d; area can claim that it is not an attack target. It is past time to act and to better protect all IT environments in organizations.&lt;/p&gt;
&lt;h2&gt;Obama vs. Merkel&lt;/h2&gt;
&lt;p&gt;I also found some news articles about Obama &lt;a href="http://news.cnet.com/8301-1009_3-57574288-83/obama-hosts-meeting-on-cybersecurity-with-ceos/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;hosting a meeting on cyber-security with CEOs&lt;/a&gt; and on putting cyber-threats amongst the &lt;a href="http://news.cnet.com/8301-1009_3-57574555-83/cyberthreats-a-top-topic-in-obamas-call-with-chinese-president/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;top topics in his call&lt;/a&gt; with the Chinese president. This helps increase awareness in the industry, in governmental organizations, etc.&lt;/p&gt;
&lt;p&gt;When looking at Germany, the situation is quite different. There are infrequent statements and activities from some of the ministries. There are some activities by different governmental organizations. However, there clearly is a lack of public statements and attention from Angela Merkel, if I compare this to Barack Obama. At CeBIT fair 2013 she visited, for instance, the booth of a provider of secure smartphones, the &#x201c;Merkel phone&#x201d;, which allows her secure, encrypted/scrambled communication. I think that putting the cyber-threats at the top of the agenda would have been far more important than putting the focus on that phone (and the technology provider behind it). Time to wake up, I&#x2019;d say.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/9ECr3HtsZhE" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 18:50:06 +0100</pubDate>
			<title>Round-Table on Privacy with Doc Searls, Phil Windley, Marcel van Galen at EIC 2013</title> 
			<link>http://www.id-conf.com/sessions/1141#2</link> 
			<guid>http://www.id-conf.com/sessions/1141#2</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1141#2" target="_blank"&gt;Weaving Privacy into the Internet of Me and My Things&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/fBe0-Ib4EL8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 18:25:06 +0100</pubDate>
			<title>Expert Talk at EIC 2013 - Dr. David Goodman, Ericsson</title> 
			<link>http://www.id-conf.com/sessions/1124#2</link> 
			<guid>http://www.id-conf.com/sessions/1124#2</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1124#2" target="_blank"&gt;Facing The Future: Identity Opportunities for Mobile Operators&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/QmUqMtVfRtY" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 18:20:53 +0100</pubDate>
			<title>Ravi Bindra, Novartis Head of IT Security Architecture, at EIC 2013</title> 
			<link>http://www.id-conf.com/speakers/999</link> 
			<guid>http://www.id-conf.com/speakers/999</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/speakers/999" target="_blank"&gt;Ravi&lt;/a&gt; will be joining two panels: It is not only about Root &amp;ndash; &lt;a href="http://www.id-conf.com/sessions/1100" target="_blank"&gt;Integrating Privilege Management with the Rest of IAM&lt;/a&gt; and &lt;a href="http://www.id-conf.com/sessions/1114" target="_blank"&gt;Is it Time to say Goodbye to Old-School Authentication Delivery Models?&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/Jto5YKCYPGk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 18:09:57 +0100</pubDate>
			<title>Thought Leadership at EIC 2013: Privacy-by-Design in the Era of Big Data</title> 
			<link>http://www.id-conf.com/sessions/1141</link> 
			<guid>http://www.id-conf.com/sessions/1141</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1141" target="_blank"&gt;Expert&amp;nbsp;panel &lt;/a&gt;with Dr. Ann Cavoukian (remotely), Prof. Dr. Dawn Jutla and Gershon Janssen,&amp;nbsp;moderated by John Sabo and Dave Kearns&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/iqtuLOOSfjw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 17:43:10 +0100</pubDate>
			<title>The Façade Proxy</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/03/18/the-faade-proxy/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/03/18/the-faade-proxy/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Securing BYOD&lt;/p&gt;
&lt;p&gt;With the rapidly emerging cloud-mobile-social Troika coupled with the API Economy, there are so many questions about how to design systems that can allow application access to internal information and resources via APIs that will not compromise the integrity of enterprise assets. And on the other hand, how do we prevent inappropriate personal information from propagating inappropriately as personal data stores and information is processed and accessed? Indeed, I have read so many articles lately that predict utter catastrophe from the inevitable smart phone and tablet application rush that leverages the burgeoning API economy.&lt;/p&gt;
&lt;p&gt;In recent posts, I have posited that one approach to solving the problem is by using an IdMaaS design for authentication and authorization.&lt;/p&gt;
&lt;p&gt;Another proposed approach&#x2014;that keeps coming up&#x2014;is a system construct that is referred to as the &#x201c;Façade Proxy.&#x201d;&lt;/p&gt;
&lt;p&gt;A place to start to understand the nature of Facades is in an article by Bruno Pedro entitled &lt;a href="http://cloud.dzone.com/articles/using-facades-decouple-api"&gt;&#x201c;Using Facades to Decouple API Integrations.&#x201d;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;In this article Bruno explains:&lt;/p&gt;
&lt;p&gt;A Façade is an object that provides simple access to complex &amp;#8211; or external &amp;#8211; functionality. It might be used to group together several methods into a single one, to abstract a very complex method into several simple calls or, more generically, to decouple two pieces of code where there&amp;#8217;s a strong dependency of one over the other.&lt;/p&gt;
&lt;div style="text-align: center;"&gt;&lt;a href="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/03/facadepattern.jpg"&gt;&lt;img title="facadepattern" alt="facadepattern" src="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/03/facadepattern_thumb.jpg" width="465" height="163" align="middle" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span style="font-size: small;"&gt;Figure 1 &amp;#8211; Facade Pattern Design Source: Cloudwork&lt;/span&gt;&lt;/div&gt;
&lt;p&gt;What happens when you develop API calls inside your code and, suddenly, the API is upgraded and some of its methods or parameters change? You&amp;#8217;ll have to change your application code to handle those changes. Also, by changing your internal application code, you might have to change the way some of your objects behave. It is easy to overlook every instance and can require you to double-check multiple lines of code.&lt;br /&gt;
There&amp;#8217;s a better way to keep API calls up-to-date. By writing a Façade with the single responsibility of interacting with the external Web service, you can defend your code from external changes. Now, whenever the API changes, all you have to do is update your Façade. Your internal application code will remain untouched.&lt;/p&gt;
&lt;p&gt;Shedding even more light on how a Façade Proxy is designed and can be used to address yet another problem is a blog post from Kin Lane. Kin is an API Evangelist extraordinaire and I learn a lot from him in his writings. Kin recently wrote in a blog post entitled &#x201c;&lt;a href="http://www.apievangelist.com/2013/03/13/an-api-that-scrubs-personally-identifiable-information-from-other-apis/"&gt;An API that Scrubs Personally Identifiable Information from Other APIs&#x201d;:&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I had a conversation with one UC Berkeley analyst about a problem that isn&#x2019;t just unique to a university, but they are working on an innovative solution for.&lt;/p&gt;
&lt;p&gt;The problem:&lt;/p&gt;
&lt;p&gt;UCB Developers are creating Web Services that provide access to sensitive data (e.g. grades, transcripts, current enrollments) but only trusted applications are typically allowed to access these Web Services to prevent misuse of the sensitive data. Expanding access to these services, while preserving the confidentiality of the data, could provide student and third party developers with opportunities to create new applications that provide UCB students with enhanced services.&lt;/p&gt;
&lt;p&gt;The solution:&lt;/p&gt;
&lt;p&gt;Wrapping untrusted applications in a &#x201c;Proxied Façade Service&#x201d; framework that passes anonymous tickets through the &#x201c;untrusted&#x201d; application to underlying services that can independently extract the necessary personal information provides a secure way of allowing an application to retrieve a Web User&#x2019;s Business data (e.g. their current course enrollments) WITHOUT exposing any identifying information about the user to the untrusted application.&lt;/p&gt;
&lt;p&gt;I find their problem and solution fascinating, I also think it is something that could have huge potential. When data leaves any school, healthcare provider, financial services or government office, the presence of sensitive data is always a concern. More data will be leaving these trusted systems, for use in not just apps, but also for analysis and visualizations, and the need to scrub personally identifiable information will only grow.&lt;/p&gt;
&lt;p&gt;Finally, Intel recently announced its &lt;a href="http://cloudsecurity.intel.com/"&gt;Expressway API Manager product suite&lt;/a&gt;. EAM is a new category of service that Intel is calling a &#x201c;Composite API Platform.&#x201d; It is referred to as such because the platform is a composite of a premise-based gateway that allows organizations to create and secure APIs that can be externalized for secure access through a cloud-based API management service from Mashery designed to help organizations expose, monetize and manage APIs to developers. In its design, Intel has created a RESTful Façade API that exposes APIs to developers for internal information and resources of an organization. It is very similar to the design approach outlined by Kin. This approach looks to be an elegant use of the Façade pattern to efficiently manage authorization and authentication of mobile apps to information that needs to remain secure.&lt;/p&gt;
&lt;div style="text-align: center;"&gt;&lt;a href="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/03/composite-API-platform-architecture.jpg"&gt;&lt;img class="aligncenter" title="composite API platform architecture" alt="composite API platform architecture" src="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/03/composite-API-platform-architecture_thumb.jpg" width="465" height="316" align="middle" border="0" /&gt;&lt;/a&gt;&lt;br /&gt;
&lt;span style="font-size: small;"&gt;Figure 2 &amp;#8211; EAM Application Life Cycle Source: Intel&lt;/span&gt;&lt;/div&gt;
&lt;p&gt;I am learning a lot about the possible API designs&#x2014;like the Façade Proxy&#x2014;that can be useful constructs for organizations to successfully participate in the API economy and not give up the farm.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UbNTkYmU9II" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 18 Mar 2013 08:49:43 +0100</pubDate>
			<title>Advisory Note: BYOD - Bring Your Own Device - 71003</title> 
			<link>http://www.kuppingercole.com/report/adnote_byod71003180313</link> 
			<guid>http://www.kuppingercole.com/report/adnote_byod71003180313</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Bring Your Own Device (or &amp;ldquo;BYOD&amp;rdquo; for short) may seem like the latest hype, but in fact it isn&amp;rsquo;t really all that new. Employees have been bringing their smartphones or iPads to work for quite some time now, mostly with their employers&amp;rsquo; explicit (or at least implicit) consent. And ever since, IT departments have been worrying about losing control and how to halt the spread of privately owned mobile devices. You could even argue that BYOD started back in the early days...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/adnote_byod71003180313"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/QdJl0CQwqnY" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 15 Mar 2013 12:44:56 +0100</pubDate>
			<title>SAP Identity Management und GRC: Miteinander statt nebeneinander!</title> 
			<link>http://www.kuppingercole.com/watch/sap_im_grc_miteinander</link> 
			<guid>http://www.kuppingercole.com/watch/sap_im_grc_miteinander</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; In diesem Webinar beschreibt KuppingerCole Principal Analyst Martin Kuppinger unterschiedliche Architekturkonzepte, verfügbare Produkte und deren mögliche Rolle in IAM / GRC-Gesamtlösungen im SAP-Umfeld. Richtig gemacht, können Unternehmen durch einen integrativen Ansatz für IAM und GRC ihre Audit-Anforderungen besser erfüllen, schlankere Prozesse realisieren, die Arbeitslast für Fachbereiche reduzieren und eine schlankere und damit günstigere IT-Infrastruktur für IAM und GRC umsetzen.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/sap_im_grc_miteinander"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/sap_im_grc_miteinander/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/sap_im_grc_miteinander"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/NtJqdvbJaww" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 14 Mar 2013 17:14:34 +0100</pubDate>
			<title>09.04.2013: European Identity &amp; Cloud Conference 2013 Preview</title> 
			<link>http://www.kuppingercole.com/events/n10144</link> 
			<guid>http://www.kuppingercole.com/events/n10144</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; The European Identity &amp; Cloud Conference (EIC) 2013 once again will be Europe´s most important event exploring the future of information technology. Join us in this webinar for a compehensive preview on this year´s key topics and speakers.&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/events/n10144"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/-iCPYu2Zc-E" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 14 Mar 2013 08:41:58 +0100</pubDate>
			<title>16.04.2013: Rapidly Evolving Identity &amp; Access Management to Meet Today´s B2C &amp; Cloud Challenges</title> 
			<link>http://www.kuppingercole.com/events/n10143</link> 
			<guid>http://www.kuppingercole.com/events/n10143</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; The world of Identity and Access Management is growing in scope, and must change and adapt faster than ever before. CIOs are under pressure to shift from employee-centric IAM to consumer-facing IAM that drives top-line revenue. As a result, they are quickly learning that legacy enterprise IAM solutions are not designed to solve today´s web challenges (enterprise, cloud, social, mobile).&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/events/n10143"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ipR0QaqAKH0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 12 Mar 2013 18:44:14 +0100</pubDate>
			<title>European Identity &amp; Cloud Conference 2013 - Agenda Preview</title> 
			<link>http://www.kuppingercole.com/watch/eic2013-agendapreview</link> 
			<guid>http://www.kuppingercole.com/watch/eic2013-agendapreview</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; The European Identity &amp; Cloud Conference (EIC) 2013 once again will be Europe´s most important event exploring the future of information technology. Join us in this webinar for a compehensive preview on this year´s Agenda and speakers.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/eic2013-agendapreview"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/eic2013-agendapreview/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/eic2013-agendapreview"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/l6DlzmrmNP8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 12 Mar 2013 12:18:14 +0100</pubDate>
			<title>The future of healthcare</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/03/12/the-future-of-healthcare/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/03/12/the-future-of-healthcare/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Recently the Massachusetts Institute of Technology (MIT) held a conference on the &#x201c;&lt;a href="http://ilp.mit.edu/conference.jsp?confid=63&amp;amp;tabname=overview" target="_blank"&gt;Future of Health and Wellness&lt;/a&gt;.&#x201d; One of the major takeaways from the conference (according to CIO magazine) was &#x201c;&lt;a href="http://www.cio.com/article/728988/6_Innovations_That_Will_Change_Healthcare?%20page=1&amp;amp;taxonomyId=3147"&gt;6 Innovations That Will Change Healthcare&lt;/a&gt;.&#x201d; These are:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Reality Mining: Using Data to Influence Healthy Behavior&lt;/li&gt;
&lt;li&gt;Social Networking: For Best Results, Group Like-Minded People&lt;/li&gt;
&lt;li&gt;Usability: Give Users Something Familiar&lt;/li&gt;
&lt;li&gt;Home Care: Make It Easy, Involve Everyone&lt;/li&gt;
&lt;li&gt;Emotion Sensors: For the Willing, Anything Can Be Monitored&lt;/li&gt;
&lt;li&gt;Wellness Counseling: Sometimes, People Like Talking to Computers&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;That&#x2019;s certainly a good list, but hardly ground-breaking I suspect. And none of these address the problem I encountered in moving from California to Maryland a couple of years ago which necessitated a change in health providers.&lt;/p&gt;
&lt;p&gt;Both my California Health Maintenance Organization (HMO), the Palo Alto Medical Foundation (PAMF), and my Maryland HMO, Kaiser-Permanente (KP), have good on-line presence. Both allow me to make appointments, see test results, contact my medical practitioners, re-authorize prescriptions and more through my web browser. All good, but Kaiser should definitely plan on an upgrade to address a number of usability issues.&lt;/p&gt;
&lt;p&gt;What astounded me, though, was that there was no way to transfer information &#x2013; test results, diagnoses, prescription information, etc. &#x2013; from PAMF to KP! Nor, for that matter, was it possible to go in the other direction. Likewise, I could not give my KP primary care physician a &#x201c;proxy&#x201d; to see my PAMF data. All I could do was to bring up the data in the PAMF site, highlight, copy and paste into a word processor document, then print it and carry it to my KP physician.&lt;/p&gt;
&lt;p&gt;That does seem like a 19&lt;sup&gt;th&lt;/sup&gt; century answer to a 21&lt;sup&gt;st&lt;/sup&gt; century problem. But I wouldn&#x2019;t have brought it up if I didn&#x2019;t have an idea about how to solve it, and the answer is LMP &#x2013; Life Management Platforms.&lt;/p&gt;
&lt;p&gt;My colleague Martin Kuppinger, in his Advisory Note &#x201c;&lt;a href="http://www.kuppingercole.com/report/advisorylifemanagementplatforms7060813412"&gt;Life Management Platforms: Control and Privacy for Personal Data&lt;/a&gt;,&#x201d; says: &#x201c;Life Management Platforms will change the way individuals deal with sensitive information like their health data.&#x201d;&lt;/p&gt;
&lt;p&gt;Now one reason why I can&#x2019;t easily port data from one healthcare provider to another is the requirements of the US Health Insurance Portability and Accountability Act (HIPAA) of 1996. Two major elements of that act are privacy and security. Summaries (if you can call a 25 page document a &#x201c;summary&#x201d;) are available from the US &lt;a href="http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html"&gt;Department of Health and Human Services&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;The privacy summary states: &#x201c;A major goal of the Privacy Rule is to assure that individuals&#x2019; health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public&amp;#8217;s health and well being,&#x201d; which is all well and good, but almost all healthcare providers have chosen to not allow the actual individuals described by the data to really have much control in its use &#x2013; except, as I noted, using 19&lt;sup&gt;th&lt;/sup&gt; century tools.&lt;/p&gt;
&lt;p&gt;Now as Martin will tell you (and keep telling you until the concept sinks in) Life Management Platforms are much more than Personal Data Stores, much more than some personal database of attributes and identifiers. While the LMP does integrate with a full panoply of attributes and identifiers it also &#x2013; and, indeed, must &#x2013; interact with what another colleague, Craig Burton, calls &#x201c;&lt;a href="http://blogs.kuppingercole.com/burton/2012/11/28/it-takes-a-community/"&gt;the API Economy&lt;/a&gt;.&#x201d; With an open, accessible Application Programming Interface (API), My LMP could interact with each of my healthcare providers, move data to my personal health record datastore and move it to another healthcare provider as needed. For emergency situations I could foreseeably have an API connection between my healthcare data and an organization such as the &lt;a href="http://www.medicalert.org/"&gt;MedicAlert&lt;/a&gt; Foundation so that up-to-the-minute information was available to first responders and other emergency service providers through the contact details on my MedicAlert bracelet or pendant &#x2013; whether I was conscious or not.&lt;/p&gt;
&lt;p&gt;Of course, most of the &#x201c;6 innovations&#x201d; CIO magazine was touting as necessary for modern healthcare are also easily enabled with Life Management Platforms:&lt;/p&gt;
&lt;p&gt;Reality Mining (Innovation #1): Using Data to Influence Healthy Behavior &#x2013; a mobile device collects data, stores it in your health record, then combines it with very large data sets (perhaps with a cloud based service) to correlate activities/lifestyles with both good and bad health effects. Another API-based service can then take this data and formulate a personalized health plan (see innovation #6), or suggest social networking opportunities to reinforce that health plan (Innovation #2).&lt;/p&gt;
&lt;p&gt;Usability (Innovation #3): Give Users Something Familiar &#x2013; the LMP provides a common user interface for all of its functions &#x2013; a major improvement over today&#x2019;s mish-mosh of services and applications designed only to stand on their own.&lt;/p&gt;
&lt;p&gt;Home Care (Innovation #4): Make It Easy, Involve Everyone &#x2013; using open APIs, caregivers as well as emergency monitors and providers could have the information they need &#x2013; and, from a privacy perspective, only the information they need &#x2013; to ensure continued good health without the need for early institutionalization. Health monitoring systems, by the way, as part of the &lt;a href="http://blogs.kuppingercole.com/kearns/2013/02/26/pervasive-and-ubiquitous-identity/"&gt;Internet of Things&lt;/a&gt;, can easily interface with the Life Management Platform, thus satisfying Innovation #5, Emotion Sensors: For the Willing, Anything Can Be Monitored.&lt;/p&gt;
&lt;p&gt;Wellness Counseling (Innovation #6): Sometimes, People Like Talking to Computers &#x2013; this almost perfectly describes a relatively easy to implement LMP service that would ensure individuals understand their prognosis and course of action, but also take a major role in implementing those activities.&lt;/p&gt;
&lt;p&gt;Hopefully you&#x2019;ve seen that Life Management Platforms are just what the doctor ordered for 21&lt;sup&gt;st&lt;/sup&gt; century healthcare. But the really amazing part is that healthcare is only one small area in which LMPs can improve our lives. Banking, insurance, shopping, travel, lifestyle, food, social and work responsibilities &#x2013; almost everything we do in our lives can be enhanced through a Life Management Platform.&lt;/p&gt;
&lt;p&gt;We&#x2019;ll be covering LMPs (and the API Economy as well as the Internet of Things) in more depth at the &lt;a href="http://www.id-conf.com/eic2013"&gt;European Identity and Cloud Conference&lt;/a&gt; in May. I hope to see you there.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/nhaICqAG50M" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 11 Mar 2013 10:29:18 +0100</pubDate>
			<title>BYOD, Social Networking, Cloud - sicher und kalkulierbar</title> 
			<link>http://www.kuppingercole.com/watch/byod_social_cloud_sicher</link> 
			<guid>http://www.kuppingercole.com/watch/byod_social_cloud_sicher</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com/podcasts"&gt;KuppingerCole Podcasts&lt;/a&gt; &lt;br&gt;&lt;br&gt; Die Einbindung mobiler Endgeräte, seien Sie im Eigentum des Mitarbeiters oder des Unternehmens, die Nutzung von Social Media im Unternehmen und der vielfältige Einsatz von Cloud-Anwendungen - all dies ist Alltag geworden und stellt IT-Professionals in den Unternehmen jeden Tag vor neue Herausforderungen.&lt;br/&gt;&lt;br/&gt;
			&lt;a href="http://www.kuppingercole.com/watch/byod_social_cloud_sicher"&gt;&lt;img src="http://www.kuppingercole.com/videothumb/byod_social_cloud_sicher/400"&gt;&lt;/a&gt;
			&lt;br/&gt;&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/watch/byod_social_cloud_sicher"&gt;Watch online&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/qH2YuHyIIDA" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 08 Mar 2013 15:57:52 +0100</pubDate>
			<title>Best Practice at EIC 2013: HypoVereinsbank CSO Ulrich Haumann</title> 
			<link>https://www.id-conf.com/sessions/1090</link> 
			<guid>https://www.id-conf.com/sessions/1090</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="https://www.id-conf.com/sessions/1090" target="_blank"&gt;IAM Governance Outside IT&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/lojGq4WRpDo" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Fri, 08 Mar 2013 13:56:37 +0100</pubDate>
			<title>Leadership Compass: Access Governance - 70735</title> 
			<link>http://www.kuppingercole.com/report/leadershipcompass_accessgovernance_707358313</link> 
			<guid>http://www.kuppingercole.com/report/leadershipcompass_accessgovernance_707358313</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Access Governance is as of now the fastest growing market segment in the broader IAM (Identity and Access Management) market. Some vendors also use the term IAG (Identity and Access Governance). Another recent term is Access Intelligence (or Identity and Access Intelligence). While a few vendors try to establish this as a new market segment, we understand enhanced analytical capabilities just as an important feature within Access Governance.&lt;/p&gt;
&lt;p&gt;Few years ago, there have been only a...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/leadershipcompass_accessgovernance_707358313"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/WCm2lxNGCmo" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 07 Mar 2013 11:35:15 +0100</pubDate>
			<title>Big Data - Small Privacy? Dr. Karsten Kinast at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1120</link> 
			<guid>http://www.id-conf.com/sessions/1120</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;KuppingerCole Fellow Analyst Dr. Karsten Kinast will talk about &lt;a href="http://www.id-conf.com/sessions/1120" target="_blank"&gt;the impact Big Data has on privacy&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/UE6FCvNNgLk" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 07 Mar 2013 09:36:09 +0100</pubDate>
			<title>Best Practice at EIC2013: Deutsche Bank</title> 
			<link>http://www.id-conf.com/sessions/1081#2</link> 
			<guid>http://www.id-conf.com/sessions/1081#2</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1081#2" target="_blank"&gt;Access Governance &amp;amp; Intelligence at Deutsche Bank AG&lt;/a&gt;. &lt;a href="http://www.id-conf.com/speakers/983" target="_blank"&gt;Carolin Pfeil, Head Identity &amp;amp; Access Governance&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/Sd7b7iEnGqw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 07 Mar 2013 09:31:15 +0100</pubDate>
			<title>Berthold Kerl (Deutsche Bank) Keynote at EIC2013</title> 
			<link>https://www.id-conf.com/sessions/1077</link> 
			<guid>https://www.id-conf.com/sessions/1077</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="https://www.id-conf.com/sessions/1077" target="_blank"&gt;Access Govenance: A pragmatic Approach on how to deal with almost Unmanageable Complexity&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/3aYO7GHmHvA" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 07 Mar 2013 09:26:55 +0100</pubDate>
			<title>OASIS Panel on Standards at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1096</link> 
			<guid>http://www.id-conf.com/sessions/1096</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1096" target="_blank"&gt;ID Protocols &amp;ndash; Out with the Old and in with the New?&lt;/a&gt;. David Brossard (XACML), Paul Madsen (SAML), Darran Rolls (SCIM). Moderation: Craig Burton&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/NwbckPq0KCQ" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 07 Mar 2013 09:15:17 +0100</pubDate>
			<title>Ralf Knöringer (Atos) Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1108</link> 
			<guid>http://www.id-conf.com/sessions/1108</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1108" target="_blank"&gt;ONE Identity &amp;ndash; Heaven or Hell? Do we need more than one&amp;nbsp; &amp;ldquo;ME&amp;rdquo; ?&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/nOJW378xkw0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 06 Mar 2013 16:35:32 +0100</pubDate>
			<title>CeBIT &#x2013; Shareconomy without connectivity?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/06/cebit-shareconomy-without-connectivity/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/06/cebit-shareconomy-without-connectivity/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Yesterday I spent a day at the &lt;a href="http://www.cebit.com"&gt;CeBIT&lt;/a&gt; fair, still the world&#x2019;s largest IT fair. Besides the many interesting meetings I had previously scheduled, I started thinking about the CeBIT &#x201c;Leitthema&#x201d; &#x2013; their &#x201c;claim of the year&#x201d;. This year it has been &#x201c;Shareconomy&#x201d;. I still do not know what this term shall mean. There is some fuzzy description at the CeBIT homepage, but in contrast to topics like &#x201c;Cloud&#x201d; and &#x201c;Managing Trust&#x201d; in 2011 and 2012 respectively, Shareconomy &#x2013; described as &#x201c;sharing and using information, resources and experience based on new forms of collaboration&#x201d; &#x2013; is a very amorphous concept. They then try to associate it with crowd sourcing, smart infrastructures and smart grids, data security, big data, etc.&lt;/p&gt;
&lt;p&gt;In fact, I think that there is something behind this rather strange buzzword. Back in September 2012, KuppingerCole hosted an event about the 4Cs: Communication, Collaboration, Content, and Cloud, which was about enabling new ways of collaboration and communication in a secure way. That probably is what the Shareconomy is all about.&lt;/p&gt;
&lt;p&gt;When I look at our advisory business, I see another red-hot topic. In German I&#x2019;d call it &#x201c;Umgang mit Dritten&#x201d;, i.e. how to interact with third parties and the services they provide in a consistent, standardized way. That is about Cloud Security, Identity Federation, API Economy and security therein, etc. Opening up the perimeter and supporting business processes that integrate business partners, customers, etc. is highly important. So maybe that is also part of the Shareconomy. For sure, you will be able to learn a lot about this at our upcoming EIC &#x2013; the real stuff, not the marketing buzz and fuzz. To highlight just a few sessions:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="http://www.id-conf.com/sessions/1070"&gt;Moving to the Cloud to Improve Customer Experience &amp;#8211; Lessons Learnt&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.id-conf.com/sessions/1084"&gt;People, Process, Product, Partner &amp;#8211; the Four P´s of IAM/IAG in the Extended Enterprise&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.id-conf.com/sessions/1084#2"&gt;Supporting the Extended Enterprise: Partners, Customers, Mobile Users, and all the Others&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="http://www.id-conf.com/sessions/1095"&gt;The Future of IAM: Do not kill IAM, improve and extend it&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;However, the thing that confused me most at CeBIT &#x2013; in the context of their Shareconomy claim &#x2013; was the lack of free WiFi. Sharing without connectivity? Or at least sharing without free or affordable connectivity? Will that work? I doubt it. I used my UMTS cards in the notebook and iPad respectively, because I otherwise would have had to pay 30 &#x20ac; for a 4-hour WiFi pass. That is far more even than in the old school hotels that still charge for WiFi. Ridiculous.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/CmyrYnXkfG8" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 06 Mar 2013 11:26:25 +0100</pubDate>
			<title>Why we need Dynamic Authorization Management</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/06/why-we-need-dynamic-authorization-management/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/06/why-we-need-dynamic-authorization-management/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;One of the topics I&#x2019;ve been evangelizing for years is Dynamic Authorization Management. Dynamic Authorization Management is about externalizing authorization decisions outside of applications. It is about using an &#x201c;application security infrastructure&#x201d; which performs the authorization decisions (and manages other aspects of security like authentication, the administration of users etc.). It is about relying on security services instead of implementing security in every application.&lt;/p&gt;
&lt;p&gt;Dynamic Authorization Management is often associated with XACML (eXtensible Access Control Markup Language). XACML in fact is a standard to implement Dynamic Authorization Management, but the concept must not be limited to XACML. In fact, Web Access Management systems implement the concept of Dynamic Authorization Management in a coarse-grain approach and some of these systems as well as some of the Policy/Entitlement Server products available provide their own, proprietary APIs.&lt;/p&gt;
&lt;p&gt;Before discussing the best approach to implement Dynamic Authorization Management, it is important to understand the basic principles and their benefits. Within the concept of Dynamic Authorization Management, an application asks the authorization system for authorization. It provides some information with this request, e.g. the user ID etc. Depending on the implementation, other attributes might be delivered in addition. The authorization system takes this information and collects additional information if required. It might ask an authentication system for more context information, receive roles from a directory service etc. It then uses that information and the business rules (authorization rules) received from a policy repository to make the authorization decision. Having done that, it provides the decision back to the requesting system.&lt;/p&gt;
&lt;p&gt;The obvious advantage is that applications do not need to manage users, authentications, or authorizations. They just ask a central (logically central, but potentially physically distributed and logically &#x201c;partitioned&#x201d;) system. There is no longer a need to manage authorization rules within the application. Thus there is no need to provision that information into that application.&lt;/p&gt;
&lt;p&gt;That in consequence means that there is also no on-going need to revoke access. IAM (Identity and Access Management) is not about &#x201c;ensuring that access is revoked correctly&#x201d; anymore, because there is nothing to revoke (from applications). There is also nothing to grant anymore within the applications.&lt;/p&gt;
&lt;p&gt;Everything is managed centrally. Changes are made centrally and become effective immediately. While Identity Provisioning will decrease in relevance, Access Governance will remain important. Identity Provisioning will have to cover far fewer targets than today, once a few central instances are used as repositories and target systems no longer hold authorization information locally. Access Governance will have to move from reviewing static access control in target systems to reviewing dynamic business and authorization rules in the central authorization system &#x2013; a feature which is supported by some early adopters in the Access Governance market.&lt;/p&gt;
&lt;p&gt;A strength of this concept is that such systems not only can enforce standard authorization rules but also business rules. Many role management projects suffer when it comes to supporting &#x201c;competencies&#x201d; or &#x201c;constraints&#x201d;, e.g. limits for the approval of POs etc. This is fairly simple to implement and enforce in Dynamic Authorization Management.&lt;/p&gt;
&lt;p&gt;The concept in fact is not really new. In the mainframe world, it has been around at least since the mid &#x2018;70s &#x2013; you just need to look at tools like RACF, but also several proprietary implementations of large organizations for their &#x201c;entitlement management systems&#x201d;.&lt;/p&gt;
&lt;p&gt;However, there is no such thing as a free lunch. The obvious challenge is performance &#x2013; can such a system be fast enough for today&#x2019;s business needs? The best answer is given by the users of these systems: Large banks and large eCommerce sites are relying on these approaches today.&lt;/p&gt;
&lt;p&gt;The biggest challenge in reality is that applications have to change. That in consequence means that the way applications are architected and developed has to change. The mindset of application architects and application developers has to change, and these groups have to collaborate closely with the IT Security and IT Infrastructure people. However, done right, architecting and coding applications will become easier, given that architects and developers no longer need to &#x2018;bake in&#x2019; authorization, authentication, etc., but can simply rely on the external service. Obviously, providing lean and simple approaches for Dynamic Authorization Management is a key success factor for this type of technology.&lt;/p&gt;
&lt;p&gt;Dynamic Authorization Management is not about a rapid change, it is about moving towards a better model over time. To do that, you should start now. Every single application is a win on that journey. Security risks and complexity of management will be reduced. And Dynamic Authorization Management will allow you to focus on the key issue: Allowing people to do exactly what the business wants them to do (and not more) &#x2013; instead of technically granting and revoking access per application.&lt;/p&gt;
&lt;p&gt;As always, there will be several sessions around Dynamic Authorization Management, XACML etc. at this year&#x2019;s &lt;a href="http://www.id-conf.com/"&gt;EIC&lt;/a&gt;: Munich, May 14&lt;sup&gt;th&lt;/sup&gt; to 17&lt;sup&gt;th&lt;/sup&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/yPTSFdw1WPY" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 06 Mar 2013 11:03:18 +0100</pubDate>
			<title>What happened recently in Security?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/03/06/what-happened-recently-in-security/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/03/06/what-happened-recently-in-security/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;When I&#x2019;ve started writing this series of blog posts recently I thought that I will have sufficient material for a weekly post. However, when looking consequently at the security news of various sources it becomes obvious that there are a few recurring topics:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;New (and old) waves of attacks and new and old types of malware&lt;/li&gt;
&lt;li&gt;New exploits &#x2013; the target of choice differs, the topic always remains the same&lt;/li&gt;
&lt;li&gt;Discussions about privacy&lt;/li&gt;
&lt;li&gt;Vendors with inappropriate security patch policies&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Yes, sometimes there are interesting announcements from vendors. However, besides the new big data approaches of IBM and RSA Security I have covered before, there has not been great news this week, despite RSA Security Conference in the U.S. and the CeBIT fair in Germany starting today (which, by the way, still is the largest IT fair worldwide).&lt;/p&gt;
&lt;p&gt;Let&#x2019;s have a quick look at the most important news.&lt;/p&gt;
&lt;h2&gt;Java as the new target of choice&lt;/h2&gt;
&lt;p&gt;It comes as no surprise that there is an increasing number of attacks using Java exploits. This includes some of the known exploits, but also some new ones. This is also not surprising, given that hackers look for related weaknesses once a particular type of exploit has been identified. In consequence, this means that Java updates have to be performed regularly and that the use of Java (especially within the browser) has to be carefully reconsidered.&lt;/p&gt;
&lt;h2&gt;Privacy vs. Freedom of Speech?&lt;/h2&gt;
&lt;p&gt;I read a fairly &lt;a href="http://news.cnet.com/8301-1009_3-57571966-83/googles-european-conundrum-when-does-privacy-mean-censorship/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;strange article&lt;/a&gt; on a lawsuit Google is facing in Spain these days. The article argues that the privacy debate over here in Europe is around &#x201c;Privacy vs. Freedom of Speech&#x201d;. In fact the argument raised therein is that Google is allowed to publish a link based on the Right for Freedom of Speech. Notably, this right exists in Europe as well, not only &#x201c;Fair Speech&#x201d; as the author assumes. And the idea behind Freedom of Speech in Europe is to protect the individual, not only the society &#x2013; which is in stark contrast to what the author says. Maybe the difference is that Europeans do not tend to protect questionable business models and principles through one of the fundamental human rights. From my (European) perspective, the article is based on a fundamental misunderstanding and misconception of what is considered the European position. Notably, there is no single European position, but rather an intensive debate about these topics.&lt;/p&gt;
&lt;h2&gt;Ongoing attacks&lt;/h2&gt;
&lt;p&gt;There is little change in the news around cyber-attacks. There are still masses of attacks and the discussion about who is behind these attacks is continuing. There is good reason to assume that some part of the attacks is state-sponsored, while others are caused by cyber criminals. In the end, it is about accepting that there is a severe risk for any organization and any individual and that we need to protect ourselves in a more sophisticated way. In a Trend Micro press release I received yesterday, the author compared it with the &#x201c;fork&#x201d; in chess play where you create two threats at a time. The other player can&#x2019;t defend against both at the same time (but he might threaten you in another way). The argument of the author has been that based on a fork, i.e. multiple defense layers, the attackers are always in danger of being detected. I&#x2019;m not sure whether the fork is the best pattern in chess to compare with and whether this is not more the approach the attacker could take &#x2013; but I liked this analogy.&lt;/p&gt;
&lt;h2&gt;Evernote hack&lt;/h2&gt;
&lt;p&gt;The victim of the week has been Evernote &#x2013; they reported that some data has been hacked and asked all of their users to reset passwords. Who will be next?&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/dv0tq-6mXE0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 28 Feb 2013 13:56:06 +0100</pubDate>
			<title>Do we need to kill IAM to save it?</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/02/28/do-we-need-to-kill-iam-to-save-it/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/02/28/do-we-need-to-kill-iam-to-save-it/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;Last week I received a newsletter from &lt;a href="http://www.radiantlogic.com/"&gt;Radiant Logic&lt;/a&gt;, a vendor of Virtual Directory Services and some other IAM stuff like Federation Services. This newsletter pointed to a &lt;a href="http://www.youtube.com/watch?v=0NFanER0g8w&amp;amp;feature=youtu.be"&gt;video of a presentation&lt;/a&gt; of Gartner analyst Ian Glazer titled &#x201c;Killing Identity Management in Order to Save it,&#x201d; which had been published on February 7&lt;sup&gt;th&lt;/sup&gt;, 2013.&lt;/p&gt;
&lt;p&gt;In this video he spends a lot of time talking about some topics like&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;IAM is too static and typically HR driven&lt;/li&gt;
&lt;li&gt;IAM is not focused on providing services and integrating with business applications&lt;/li&gt;
&lt;li&gt;IAM is based on LDAP (and CSV) and other hierarchical approaches&lt;/li&gt;
&lt;li&gt;2013 will be the year of Identity Standards, especially OAuth, OpenID connect, and SCIM&lt;/li&gt;
&lt;li&gt;Identity Service like those provided by Salesforce.com&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When I read the newsletter of Radiant Logic &#x2013; which takes a fairly different view from Ian Glazer&#x2019;s &#x2013; and listened to the webinar, I started looking for some of the stuff my colleagues and I have written about this.&lt;/p&gt;
&lt;p&gt;There is for example an &lt;a href="http://www.kuppingercole.com/articles/provisioning_hr"&gt;article&lt;/a&gt; at our website talking about the fact that HR should not be the only leading system for IAM &#x2013; the article dates back to 2007 (and is available in German only). And there are more, which are about things like the &lt;a href="http://blogs.kuppingercole.com/kuppinger/2012/04/25/the-identity-explosion-one-reason-to-re-engineer-not-only-our-iam/"&gt;Identity Explosion&lt;/a&gt; and the need to deal with far more users.&lt;/p&gt;
&lt;p&gt;I found several &lt;a href="http://www.kuppingercole.com/articles/mk_silo_140808"&gt;articles&lt;/a&gt; for example from back in 2008 looking at Identity Services and there were webinars and reports around that topic years ago. Some vendors have been doing integration of Identity Services into business applications, Oracle for example, for years now.&lt;/p&gt;
&lt;p&gt;The end of LDAP in its current state was the topic of a &lt;a href="http://blogs.kuppingercole.com/kuppinger/2010/06/20/beyond-ldap-have-a-look-at-system-identity/"&gt;blog post&lt;/a&gt; back in 2010 and I started discussing this with advisory customers at the same time.&lt;/p&gt;
&lt;p&gt;Oh yes, clearly the standards mentioned will become more important this year. My colleague Craig Burton has described this on several occasions, including the &lt;a href="http://www.kuppingercole.com/report/cb_scenario_thefutureofauthentication982012"&gt;KuppingerCole Scenario &#x201c;The Future of Authentication&#x201d;&lt;/a&gt;. And last year&#x2019;s &lt;a href="http://www.id-conf.com"&gt;EIC&lt;/a&gt; hosted a workshop talking about the relevance of all these upcoming standards.&lt;/p&gt;
&lt;p&gt;All the topics around identity services hosted by Salesforce.com or Microsoft&#x2019;s upcoming Windows Azure Active Directory have also been a frequent topic in &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig&#x2019;s blog posts&lt;/a&gt; and in some of our &lt;a href="http://www.kuppingercole.com/reports"&gt;research notes&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;There is nothing wrong with these theses. However, there is also not that much new in them.&lt;/p&gt;
&lt;p&gt;Below the link to the video of the Ian Glazer presentation, there is the following claim:&lt;/p&gt;
&lt;p&gt;&lt;i&gt;The way the industry does identity management cannot incrementally improve to me&lt;/i&gt; [sic]&lt;i&gt; future (and current) needs. I believe IAM must be killed off and reborn.&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;Given the fact I do a lot of advisory work besides research, like all the KuppingerCole analysts, I really struggle with this claim. There is no doubt about the fact that we need to &#x201c;extend and embrace&#x201d; what we are doing traditionally in IAM. It is about more than Identity Provisioning. Topics like versatile and context-/risk-based authentication and authorization, together with Identity Federation, are moving towards the center of attention &#x2013; not only for core IAM challenges. We need to understand that there are new challenges imposed by the &lt;a href="http://blogs.kuppingercole.com/kuppinger/2012/10/17/byod-just-a-symptom-of-a-bigger-evolution/"&gt;Computing Troika and that traditional approaches will not solve these&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;However, I do not believe in disruptiveness. I believe in approaches that build on existing investments. IAM has to change, no doubt about that. But there will still be a lot of &#x201c;old school&#x201d; IAM together with the &#x201c;new school&#x201d; parts. Time and time again it has been proven that change without a migration path is an invitation to disaster. Embrace and extend is the classical migration methodology for classical technical transformative strategies.&lt;/p&gt;
&lt;p&gt;I plan to do a session on this topic at &lt;a href="http://www.id-conf.com/"&gt;EIC 2013&lt;/a&gt; &#x2013; don&#x2019;t miss it if you want to save your investments and spend your budgets targeted to meet today&#x2019;s and tomorrow&#x2019;s challenges in IAM.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/FdSip7sC2F0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Wed, 27 Feb 2013 13:38:21 +0100</pubDate>
			<title>Product Report: Layer 7 Technologies - 70627</title> 
			<link>http://www.kuppingercole.com/report/productreportlayer77062727213</link> 
			<guid>http://www.kuppingercole.com/report/productreportlayer77062727213</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;The emerging API Economy is presenting significant challenges to all industry participants. When coupled with the Computing Troika&amp;mdash;Cloud, Mobile, and Social computing&amp;mdash;the API Economy is bringing about change in strategy requirements that have not ever been presented to organizations before. For example, the sheer number and nature if personas and identities and the need to give access to internal information and resources is very significant.&lt;/p&gt;
&lt;p&gt;The API Ecosystem is made...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/productreportlayer77062727213"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/RTNhx9vWLas" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 26 Feb 2013 12:10:42 +0100</pubDate>
			<title>Pervasive and ubiquitous identity</title> 
			<link>http://blogs.kuppingercole.com/kearns/2013/02/26/pervasive-and-ubiquitous-identity/</link> 
			<guid>http://blogs.kuppingercole.com/kearns/2013/02/26/pervasive-and-ubiquitous-identity/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kearns"&gt;Dave Kearns&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;I read a lot. Mostly about identity, security, the cloud and other tech topics, but because I&#x2019;m a writer I&#x2019;m also interested in the tools of the trade. That&#x2019;s why, every week without fail, I read the &lt;a href="http://worldwidewords.org/"&gt;World Wide Words&lt;/a&gt; newsletter. Through it, I find out about words such as this past week&#x2019;s &#x201c;nidicolous&#x201d; (&#x201c;If your offspring are proving recalcitrant or obstreperous you may like to hurl the epithet nidicolous at them. It will be accurate and tantalisingly unclear; it might even provoke them to crack open a dictionary to discover whether you&#x2019;re insulting them.&#x201d;) No, I won&#x2019;t tell you. Go to the web site.&lt;/p&gt;
&lt;p&gt;The reason I bring up World Wide Words here, though, is that this past week it intersected with what we&#x2019;re talking about at KuppingerCole: The Internet of Things.&lt;/p&gt;
&lt;p&gt;Editor Michael Quinion  says about it that &#x201c;[t]he reference is to the way that equipment of many kinds is now fitted with embedded computing technology, not only the obvious items like telephones and video recorders but also your car, your washing machine and your refrigerator as well as your lightbulbs. It is no longer futuristic fiction to suggest your refrigerator might be able to report you&#x2019;re low on bacon or eggs and order up fresh supplies. Or that a bathroom cabinet might monitor your pill consumption to remind you to take the next dose, organise refills and allow your doctor to supervise your case.&#x201d;&lt;/p&gt;
&lt;p&gt;That all seems very reminiscent of a presentation I gave in the fall of 2000, and recalled here last spring in &#x201c;&lt;a href="http://blogs.kuppingercole.com/kearns/2012/05/21/back-to-the-digital-future/"&gt;Back to the (digital) future&lt;/a&gt;&#x201d;. The Internet of Things and &lt;a href="http://www.kuppingercole.com/report/advisorylifemanagementplatforms7060813412"&gt;Life Management Platforms&lt;/a&gt; are inextricably intertwined.&lt;/p&gt;
&lt;p&gt;But it&#x2019;s wrong to think of the Internet of Things as somehow separate from the internet of people. It is really an Internet of People, Things, and Services (IoPTS). In fact anything which can be uniquely identified on the &#x2018;net is part of the mix. It&amp;#8217;s a given in the identity business that the use of cloud services is architected on an identity foundation. It&amp;#8217;s also fairly evident to all that identity is the basis of regulatory compliance. The reality, which not everyone will admit as yet, is that Identity is the foundation of every transaction that occurs on the internet. But it&amp;#8217;s becoming more apparent all the time that it&amp;#8217;s not just the &amp;#8220;who&amp;#8221; identity that is important, but also the &amp;#8220;what&amp;#8221; and the &amp;#8220;where&amp;#8221; (i.e., the platform that the &amp;#8220;who&amp;#8221; uses to do the &amp;#8220;what&amp;#8221;). In order to deliver cloud services properly, the provider needs to know the user, the user&amp;#8217;s permissions, the user&amp;#8217;s capabilities and the user&amp;#8217;s needs. The &amp;#8220;needs&amp;#8221; include precise data on the service, its version and its optional components. The &amp;#8220;capabilities&amp;#8221; reflect the hardware platform the user will use the service on.&lt;/p&gt;
&lt;p&gt;In order to correctly log and audit activity for regulatory purposes, the compliance service needs to know precisely who is doing what to which information and where that activity is occurring. All of this requires that we can easily, automatically and uniquely identify the services, applications, and platforms that are being used as well as the attributes of each that are necessary to make a decision (for cloud services) or satisfy a policy (for regulatory compliance).&lt;/p&gt;
&lt;p&gt;In order to communicate with others we need to be able to be sure of their identity, and they of ours. That holds true whether we&#x2019;re talking to another person via email, to our friends and family on Facebook, an ecommerce retailer, our work, our schools or our government &#x2013; we need to be sure of who they are and they need to  be sure of who we are.&lt;/p&gt;
&lt;p&gt;Identifying devices is an outgrowth of both manufacturing and inventory control. A manufacturing bill of materials could be considered an identity document (with a serial number as a unique identifier) containing a list of attributes (the parts specifications) for an identified &amp;#8220;thing.&amp;#8221; Inventory control, carried to its limits, uniquely identifies not only each desk in an organization but each drawer in each desk &amp;#8211; and possibly each pencil in each drawer.&lt;/p&gt;
&lt;p&gt;Less tangible items, such as applications and services, don&amp;#8217;t have quite the same legacy of identity. When all services were located in the datacenter or server room and IT went from desk to desk doing installations it wasn&#x2019;t necessary for the user to be able to identify the service in any meaningful way. There&amp;#8217;s versioning, but that doesn&amp;#8217;t identify a specific instance, just the general code. Each instance of a non-trivial service or application will also include parameters unique to the time, place and users involved in its execution. And when that service is cloud-based it&#x2019;s all the more important that it can be identified as the specific, and valid, instance we expect it to be.&lt;/p&gt;
&lt;p&gt;A full-blown identity management solution will have to understand that it&amp;#8217;s no longer just about people. While personal identity will remain important, a new superset of identity will emerge. Prakash Ramamurthy, now Chief Product Officer at &lt;a href="http://www.lifelock.com/"&gt;LifeLock&lt;/a&gt;, called this &amp;#8220;entity identity&amp;#8221; when he was working on IdM at Oblix (and he said that with a straight face). That&#x2019;s catchier than IoTPS for sure, but whatever we call it, I expect you&amp;#8217;ll be hearing a lot more about these things in the months to come.&lt;/p&gt;
&lt;p&gt;At the &lt;a href="http://www.id-conf.com/eic2013"&gt;European Identity and Cloud Conference&lt;/a&gt; in May we&#x2019;ll be talking about IoTPS. Among the topics we&#x2019;ll explore:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Connected Objects, Real World Internet, Web of Things: Visions and Business Models in the IoTPS World&lt;/li&gt;
&lt;li&gt;Reference Models and Initiatives and Architectures for the Internet of Things&lt;/li&gt;
&lt;li&gt;IoTPS Security and Privacy Concerns and how to address them&lt;/li&gt;
&lt;li&gt;Connected Vehicles, Life Management Platforms &amp;amp; The API Economy&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;There&#x2019;ll also be a lot more about Life Management Platforms. The really forward thinkers, the futurists among you, will do everything they can to cover both topic areas. They&#x2019;re connected now, and they&#x2019;ll be totally intertwined in the future.  See you in &lt;a href="http://www.flickr.com/photos/59524822@N00/sets/72157626557069915/"&gt;Unterschleißheim&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/BeqaxAwnaDw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Tue, 26 Feb 2013 10:31:34 +0100</pubDate>
			<title>Executive View: Cloud standards and advice jungle - 70641</title> 
			<link>http://www.kuppingercole.com/report/70641executiveviewcloudstandards260213</link> 
			<guid>http://www.kuppingercole.com/report/70641executiveviewcloudstandards260213</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;Cloud computing is one of three dimensions in which organizations are moving towards an economy based upon the interconnection IT services. This idea is described in KuppingerCole Advisory Note 70532 &amp;ldquo;The Open API Economy&amp;rdquo;. This success of this economy and hence of cloud computing depends on the availability clearly defined interfaces; standards have a key role to play in achieving this.&lt;br /&gt; &lt;br /&gt;Cloud services are built using a technical architecture that may include both...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/70641executiveviewcloudstandards260213"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/OJMl8kRX86Y" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 25 Feb 2013 17:38:29 +0100</pubDate>
			<title>Whitepaper: Using Information Stewardship within Government to Protect PII - 71002</title> 
			<link>http://www.kuppingercole.com/report/whitepaperstewardshipwithingovernment7100225213</link> 
			<guid>http://www.kuppingercole.com/report/whitepaperstewardshipwithingovernment7100225213</guid> 
			<description>In &lt;a href="http://www.kuppingercole.com"&gt;KuppingerCole&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p class="KCRReporttext2-spaltig"&gt;Loss and theft of Personally Identifiable Information (PII) from government, military and defense organizations continues to be a significant problem. Given the amount of attention to this area and the wealth of standards and technology available &amp;ndash; why do these leaks still occur? This document considers the sources of leakage and describes how better information stewardship based on information centric security is essential to manage these...&lt;br/&gt;&lt;a href="http://www.kuppingercole.com/report/whitepaperstewardshipwithingovernment7100225213"&gt;more&lt;/a&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/smrkZMLR8pI" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Mon, 25 Feb 2013 16:41:13 +0100</pubDate>
			<title>This Week in Security</title> 
			<link>http://blogs.kuppingercole.com/kuppinger/2013/02/25/this-week-in-security-2/</link> 
			<guid>http://blogs.kuppingercole.com/kuppinger/2013/02/25/this-week-in-security-2/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/kuppinger"&gt;Martin Kuppinger&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;p&gt;OK, in fact this is about the last few weeks in security this time &#x2013; but in future it will be most time about looking back at the previous week.&lt;/p&gt;
&lt;h2&gt;The permanent threats: Chinese hackers, Anonymous,&#x2026;&lt;/h2&gt;
&lt;p&gt;Not a single week goes by without news about attacks from various groups. This includes Chinese hackers that are alleged to have attacked the Wall Street Journal or Anonymous that claimed that they have successfully &lt;a href="http://news.cnet.com/8301-1009_3-57567824-83/federal-reserve-confirms-its-web-site-was-hacked/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;attacked the US Federal Reserve&lt;/a&gt;. In the latter incident, it took four days from the announcement by Anonymous until the official statement of the US Federal Reserve. An additional cyber-attack hit the US Department of Energy, according to another &lt;a href="http://news.cnet.com/8301-1009_3-57567581-83/hackers-hit-u.s-department-of-energy/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;news article&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;There have been numerous articles about these attacks since, with different parties in the U.S. linking them to official Chinese agencies and the Chinese Army, while China denies these accusations citing a lack of proof.&lt;/p&gt;
&lt;h2&gt;Attacking the big ones&lt;/h2&gt;
&lt;p&gt;In this context, the recent attacks on Apple, Facebook, Twitter, and Microsoft (and possibly several other companies) also gained a lot of public interest. U.S. investigators assume that these attacks were driven by Eastern European cybercriminals rather than being Chinese state-sponsored, according to recent &lt;a href="http://news.cnet.com/8301-1009_3-57570194-83/apple-facebook-twitter-hacks-said-to-hail-from-eastern-europe/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;news articles&lt;/a&gt;.&lt;/p&gt;
&lt;h2&gt;Kaspersky kills Internet access for Windows XP users &#x2013; accidentally&lt;/h2&gt;
&lt;p&gt;A recent Kaspersky antivirus update &lt;a href="http://www.neowin.net/news/kaspersky-antivirus-update-cut-off-windows-xp-internet-access-fix-now-in-place"&gt;this month disabled Internet connectivity&lt;/a&gt; for Windows XP users at least partially. There is a workaround and a fix available; however, it takes some manual action to solve the problem &#x2013; no surprise given that the Internet access does not work as expected anymore. Unfortunately, there is no prominent direct link to the information on this issue at the home page of Kaspersky.&lt;/p&gt;
&lt;h2&gt;Path app ignores privacy again&lt;/h2&gt;
&lt;p&gt;An &lt;a href="http://news.cnet.com/8301-1009_3-57567179-83/privacy-at-risk-as-path-app-lets-location-data-slip/?part=rss&amp;amp;tag=feed&amp;amp;subj=News-Security&amp;amp;Privacy"&gt;article on CNET&lt;/a&gt; unveiled another privacy issue in the social network &lt;i&gt;Path&lt;/i&gt;. Information about location data might slip out even when access to the location is disabled. Given that Path had some trouble with the FTC (U.S. Federal Trade Commission) recently and had to pay a fine, this new issue comes at the wrong time for them. It also &lt;a href="http://blogs.kuppingercole.com/kuppinger/2012/10/02/security-like-a-start-up-better-not/"&gt;again&lt;/a&gt; sheds light on the ignorance or incompetence of start-up companies when it comes to security and privacy &#x2013; probably both. It will be interesting to see when the growing awareness and concerns of users finally leads to the consequence of not using such services anymore.&lt;/p&gt;
&lt;h2&gt;EU Commission introduces Cyber Security Plan&lt;/h2&gt;
&lt;p&gt;The EU Commission this week announced their Cyber Security Plan to strengthen resistance against cyber-attacks and cybercrime. The plan includes the idea of a European Cyber Defense Policy. It also includes the concept of an &#x201c;attack notification obligation&#x201d;. The latter led to some intense discussions because some companies do not want to inform the public about these issues. As of now, virtually all large organizations have experienced some form of attack. However, as of now, this is only discussed behind closed doors between the CISOs of these organizations. An attack notification obligation would change that and provide far more information to the officials. On the other hand, it will increase cyber security concerns in the broad public &#x2013; which might be seen as a positive effect given that it might also increase caution.&lt;/p&gt;
&lt;h2&gt;A lot of router security issues&lt;/h2&gt;
&lt;p&gt;Last week, there were again several &lt;a href="http://www.heise.de/security/meldung/Viele-Router-Luecken-wenig-Patches-1799954.html"&gt;news articles&lt;/a&gt; about security issues of routers and other network devices, including D-Link. At least D-Link delivered some firmware patches, while other devices remain insecure. Which raises the question: Do you have patch management for the firmware of all your devices in place? Another interesting question: Which of the hardware vendors has a well-defined approach for security alerts and security patches in place? The bad news, when following this issue over the past few weeks, is that most vendors are neither willing nor capable of providing patches fast and in a simple-to-apply way. It is long past time for hardware vendors to start working on such an approach &#x2013; and it is long past time for customers to have a complete patch management plan in place, from firmware up to applications.&lt;/p&gt;
&lt;h2&gt;Are stronger passwords really THE trend?&lt;/h2&gt;
&lt;p&gt;In its Deloitte TMT Predictions (Technology, Media &amp;amp; Telecommunications), the &lt;a href="http://www.deloitte.com/view/en_GX/global/industries/technology-media-telecommunications/tmt-predictions-2013/tmt-predictions-2013-technology/9eb6f4efcbccb310VgnVCM1000003256f70aRCRD.htm"&gt;company predicts&lt;/a&gt; the end of &#x201c;strong password only security&#x201d;. The solution proposed is multi-factor authentication, and a little bit of &lt;a href="http://blogs.kuppingercole.com/kearns/2013/01/29/passwords-redux/"&gt;password vaults&lt;/a&gt;. However, most of the text focuses on using stronger passwords, longer than eight characters. My colleague Craig Burton recently made the statement: &#x201c;There is no such thing as a password muscle you can strengthen by training.&#x201d; Which is to say: People are limited when it comes to keeping passwords in mind, and recommending the use of longer and more complex passwords is not the ideal solution. You do not get better when you have to keep many long and complex passwords in mind; you just consider workarounds like noting them down or always re-using the same password.&lt;/p&gt;
&lt;p&gt;When talking about multi-factor authentication, I would rather say that this has been a topic for a &#x201c;trend&#x201d; some years back. Yes, we will observe some more implementations. However, multi-factor authentication by itself is not sufficient. Some two years ago, I &lt;a href="http://blogs.kuppingercole.com/kuppinger/2011/03/18/rsa-securid-it-will-never-be-the-same-again/"&gt;blogged about the RSA SecurID incident&lt;/a&gt;. My recommendation at that time was to think about versatile authentication, combined with multi-factor authentication. Not that this concept was absolutely new back then&#x2026;&lt;/p&gt;
&lt;p&gt;Clearly, there is a trend towards approaches for strong, simple, and flexible authentication, beyond passwords. However, just talking about multi-factor authentication and password vaults is not sufficient. What organizations should evaluate are versatile authentication and, as the next and logical step, context- and risk-based authentication and authorization. That is the real trend. It is about understanding the bigger picture. Look at this to understand the future of authentication and authorization, not at a point approach.&lt;/p&gt;
&lt;p&gt;In this context, it is definitely worthwhile to attend &lt;a href="http://www.id-conf.com"&gt;EIC 2013&lt;/a&gt; &#x2013; the future of authentication and authorization and the trends we observe will be an important part of the agenda.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/x3XEnYOGJZE" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 19:28:29 +0100</pubDate>
			<title>How to Make an API</title> 
			<link>http://blogs.kuppingercole.com/burton/2013/02/21/how-to-make-an-api/</link> 
			<guid>http://blogs.kuppingercole.com/burton/2013/02/21/how-to-make-an-api/</guid> 
			<description>In &lt;a href="http://blogs.kuppingercole.com/burton"&gt;Craig Burton&lt;/a&gt; &lt;br&gt;&lt;br&gt;&lt;h3&gt;Introduction&lt;/h3&gt;
&lt;p&gt;Making an API is hard. It is also a tough question. A small company out of England has figured out how to let anyone make an API with just:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;Dropbox&lt;/li&gt;
&lt;li&gt;A Spreadsheet&lt;/li&gt;
&lt;li&gt;A Datownia SaaS account&lt;/li&gt;
&lt;/ol&gt;
&lt;h3&gt;Datownia&lt;/h3&gt;
&lt;p&gt;One of the activities I practice to keep up with what is happening in the world of APIs is to subscribe to the &lt;a href="http://www.programmableweb.com/"&gt;ProgrammableWeb&#x2019;s&lt;/a&gt; newsletter. Every week the newsletter contains the latest APIs that have been added to the rapidly increasing list. While I can seldom get through the whole list, I inevitably find one or two new APIs that are really interesting.&lt;/p&gt;
&lt;p&gt;Recently I ran into one that has an incredibly simple and effective method of creating an API out of a spreadsheet.&lt;/p&gt;
&lt;p&gt;The Company is &lt;a href="http://datownia.com/"&gt;Datownia.com&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;I now have an API with a developer portal that is driven by data in a spreadsheet.&lt;/p&gt;
&lt;p&gt;I can distribute developer keys to any developer I choose and then that developer can access the data and integrate it into any app.&lt;/p&gt;
&lt;p&gt;Further, any change I make to the spreadsheet gets versioned and propagated to the API with just a click. To propagate the data, all I do is modify the spreadsheet and drop it into the linked Dropbox folder.&lt;/p&gt;
&lt;p&gt;Here is what my spreadsheet looks like.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/02/clip_image002.jpg"&gt;&lt;img style="background-image: none; float: left; padding-top: 0px; padding-left: 0px; margin: 2px 10px 8px 0px; display: inline; padding-right: 0px; border-width: 0px;" title="clip_image002" alt="clip_image002" src="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/02/clip_image002_thumb.jpg" width="465" height="66" align="left" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Here is what the JSON looks like when you make a RESTful call to the API location created for me by Datownia.&lt;/p&gt;
&lt;p&gt;&lt;a href="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/02/clip_image004.jpg"&gt;&lt;img style="background-image: none; float: left; padding-top: 0px; padding-left: 0px; margin: 2px 10px 8px 0px; display: inline; padding-right: 0px; border-width: 0px;" title="clip_image004" alt="clip_image004" src="http://blogs.kuppingercole.com/burton/wp-content/uploads/2013/02/clip_image004_thumb.jpg" width="465" height="122" align="left" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;So simple.&lt;/p&gt;
&lt;p&gt;I have been talking a lot about companies that manage already existing APIs. But what about organizations that need to create APIs?&lt;/p&gt;
&lt;p&gt;A few weeks ago, I received an email from the CEO of Datownia wanting to give me a small gift to chat with him about what I was doing with their technology.&lt;/p&gt;
&lt;p&gt;Of course as an analyst I can&#x2019;t accept any gifts, but I had a great conversation with William Lovegrove about the technology and where the idea came from.&lt;/p&gt;
&lt;h3&gt;From one-offs to a SaaS&lt;/h3&gt;
&lt;p&gt;Basically William&#x2019;s little consulting firm was busy building and evangelizing APIs to organizations. When a company was confronted with making an API, often progress would screech to a halt or at least be diverted while things were sorted out. Often IT departments simply could not deal with making an API for anything. Other times they would be engaged to create a one-time API for a company.&lt;/p&gt;
&lt;p&gt;Complicated, expensive and not very efficient.&lt;/p&gt;
&lt;p&gt;Datownia then came up with the idea of building a service in the cloud that automates the process of building an API.&lt;/p&gt;
&lt;p&gt;I think this is brilliant.&lt;/p&gt;
&lt;p&gt;If you need an API, or just want to play with a prototype, you should take a look at how simple this is.&lt;/p&gt;
&lt;p&gt;Thanks William Lovegrove and crew.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/oth_1X1mlTc" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:24:52 +0100</pubDate>
			<title>Prof. Dr. Sachar Paulus, KuppingerCole Senior Analyst, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1133</link> 
			<guid>http://www.id-conf.com/sessions/1133</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1133" target="_blank"&gt;Software Integrity and Active Defense - The Future of Information Security&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/QiixXwSnC7M" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:23:21 +0100</pubDate>
			<title>Prof. Dr. Kai Rannenberg, Goethe University Frankfurt, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1109</link> 
			<guid>http://www.id-conf.com/sessions/1109</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1109" target="_blank"&gt;Can &amp;ldquo;App&amp;rdquo; Phones Help Users to Manage their Identity and Privacy?&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/7drS3I4hLvU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:18:32 +0100</pubDate>
			<title>Marcel van Galen, CEO Qiy Foundation, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1103</link> 
			<guid>http://www.id-conf.com/sessions/1103</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1103" target="_blank"&gt;Life Management Platforms &amp;ndash; Examples, Prototypes, Best Practices&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/yfXu1nVVMvU" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:15:56 +0100</pubDate>
			<title>Dr. Karsten Kinast, LL.M., KuppingerCole Fellow Analyst and Privacy Expert, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1079</link> 
			<guid>http://www.id-conf.com/sessions/1079</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1079" target="_blank"&gt;Post-Privacy: Yet to come or has it already arrived?&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/IbgqSBjDnBw" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:07:58 +0100</pubDate>
			<title>Jonathan Cogley, CEO of Thycotic Software, keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1152</link> 
			<guid>http://www.id-conf.com/sessions/1152</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1152" target="_blank"&gt;Don&amp;rsquo;t Let Password Mismanagement Land Your Company in News Headlines&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/QM6zn7DP8GI" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 09:06:10 +0100</pubDate>
			<title>Philip Lieberman, President &amp; CEO, Lieberman Software, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1069</link> 
			<guid>http://www.id-conf.com/sessions/1069</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1069" target="_blank"&gt;Securing Privileged Identities in the Real World: A Proposed Maturity Model of Competence and Capabilities&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/SnHzxHfiNGg" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 08:58:53 +0100</pubDate>
			<title>Doc Searls - Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1104</link> 
			<guid>http://www.id-conf.com/sessions/1104</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1104" target="_blank"&gt;The Internet of Me and My Things&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/ahzmY4yYI_Q" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 08:56:33 +0100</pubDate>
			<title>Peter Weierich, iC Consult, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1150</link> 
			<guid>http://www.id-conf.com/sessions/1150</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1150" target="_blank"&gt;Consumer IAM - Business Drivers and Challenges&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/wR5xno5qxd0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 08:53:19 +0100</pubDate>
			<title>Dr. Laurent Liscia, OASIS, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1074</link> 
			<guid>http://www.id-conf.com/sessions/1074</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1074" target="_blank"&gt;You can Shelve your Big Data Startup Plans if you don't have Privacy Covered - A Standards Perspective&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/_ybGQ_a62g0" height="1" width="1"/&gt;</description>
		</item>
				<item> 
			<pubDate>Thu, 21 Feb 2013 08:49:33 +0100</pubDate>
			<title>Hila Meller, CA Technologies, Keynote at EIC2013</title> 
			<link>http://www.id-conf.com/sessions/1071</link> 
			<guid>http://www.id-conf.com/sessions/1071</guid> 
			<description>In &lt;a href="http://www.id-conf.com"&gt;European Identity Conference&lt;/a&gt; &lt;br&gt;&lt;br&gt; &lt;p&gt;&lt;a href="http://www.id-conf.com/sessions/1071" target="_blank"&gt;The Day After Tomorrow - Security Challenges of the Future&lt;/a&gt;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/kuppingercole/~4/oHH8NMaotqk" height="1" width="1"/&gt;</description>
		</item>
			</channel>
</rss>
