KuppingerCole

The Future of IT Organizations – why IT needs a marketing department

Wed, 16 May 2012 15:30:48 +0200

Some weeks ago we published a report called “The Future of IT Organizations“. This report talks about how to restructure IT Organizations, following the basic structure we propose for IT in the KuppingerCole IT Paradigm. That paradigm is first described in the KuppingerCole Scenario “Understanding IT Service and Security Management”. From our perspective, IT organizations have to change fundamentally in order to redefine the way we do IT to better deal with challenges like Cloud Computing.

When looking at the future of IT, there is one area which I find particularly interesting. Some of this came to my mind when reading one of the blog posts of Chuck Hollis, Global Marketing CTO of EMC Corporation. The blog post is titled “Why IT Groups will invest in Marketing” and is focused on the need for marketing.

What I liked in that post was the distinction of inbound and outbound marketing for IT – a distinction I picked up and I have to recognize Chuck for. I then aligned it with the KuppingerCole IT model, adding another element which is “product management”.

The IT of the Future is demand-driven. Today’s IT should be as well but reality frequently shows a different picture. Providing the services business really needs is very much about that demand-driven IT. That requires understanding the customers. And that is where the topics of Outbound and Inbound Marketing come into play.

Outbound Marketing is the more common approach. We all are familiar with this in everyday life when getting confronted with advertisements and other types of market communication from vendors. For IT Organizations there are two main aspects for Outbound Marketing:

Positioning IT as the one and only source of the services business requires
Selling the IT services which are produced on-premise as part of these business services

The first part is of high importance because IT should remain in control (or get back control) of all the IT services which are either produced on-premise or procured from the Cloud. Without centralized control organizations will, over time, struggle massively with their IT services. Furthermore, there is no way to get a grip on IT cost without such centralized control

The other part of outbound marketing is mandatory as well. The ability to sell the services which are produced on-premise is important. On-premise IT is in competition with cloud services. Thus it is not only about producing the “better” IT services; it is also about selling them. IT Organizations have to change their attitude from being reactive to becoming a proactive provider of services to the business organization.

But there is the other side of the coin as well. That is about Inbound Marketing. Inbound Marketing is even more about the customer’s need – with the customer being the business part of your organization. Inbound Marketing is (amongst other things) about

The specific needs of your customer
Identifying the buyers on the customer side (which even in large organizations frequently is not as clear as it should be when it comes to budget discussions)
Understanding how the customer wants to consume

It is about understanding the customer and driving the IT Organization in a way that the right services are offered. In fact this is about a strategic and standardized approach to providing exactly the services business needs.

From an organizational perspective, IT has to fundamentally change its interaction with business. It is about bringing the demand-supply principle to life, which has been discussed for quite a while. The need to do that is greater than ever.

What do IT organizations need at that level?

They need to identify the “customer’s customers”, e.g. the persons within the business organization who are requesting the business services. That might require changes in the business organization as well, given that the business needs contact points. Notably, these persons might be less technical than today, given that the ideal of the future IT organization is to provide business services the way business needs them.
They need, as mentioned earlier, IT Marketing, i.e. persons caring for the outbound as well as the inbound marketing.
They need “product managers”. If you look at large and successful vendors, product management always plays an important role. They are the link between the customer and software development. They have to translate between customer requirements and development. Sort of the same role applies to them here: They work closely with IT Marketing and the customer’s customers on one side and the Service Management within the IT Service & Security Management Layer to map these.

Simply said: IT Organizations in their changing role as suppliers to the demand of business should act like successful software organizations – with the difference that they don’t need that level of sales but more the marketing and product management parts.

EIC 2012 Session: Database Firewalls - Advancing Security for Enterprise Data

Wed, 16 May 2012 12:58:42 +0200

In KuppingerCole Podcasts

Martin Kuppinger, KuppingerCole
Dr. Steve Moyle, Oracle
Sebastian Rohr, KuppingerCole

April 19, 2012 16:30

Watch online

EIC 2012 Session: Exchanging Metadata through Different Federations on a Global Scale

Tue, 15 May 2012 15:49:42 +0200

In KuppingerCole Podcasts

Nicole Harris, Head of Identity Management, JISC Advance

April 19, 2012 15:40

Watch online

EIC 2012 Session: Federation or Synchronization � the Future of the Cloud

Tue, 15 May 2012 15:48:15 +0200

In KuppingerCole Podcasts

Andrew Nash, Google
Darran Rolls, SailPoint
Travis Spencer, Ping Identity

April 19, 2012 15:20

Watch online

EIC 2012 Session: What Federation is About � in Theory and in Practice

Tue, 15 May 2012 15:47:01 +0200

In KuppingerCole Podcasts

Dave Kearns, KuppingerCole

April 19, 2012 15:00

Watch online

EIC 2012 Session: Security for Virtualized Environments, Privileged Users and PCI Compliance

Tue, 15 May 2012 15:45:50 +0200

In KuppingerCole Podcasts

Guy Balzam, CA Technologies
Stephan Bohnengel, VMware
Giovanni Ciminari, Telecom Italia

April 19, 2012 14:30

Watch online

EIC 2012 Session: From Virtualization to the Cloud and Beyond

Tue, 15 May 2012 15:44:37 +0200

In KuppingerCole Podcasts

Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

April 19, 2012 14:00

Watch online

Intention and Attention – how Life Management Platforms can improve Marketing

Tue, 15 May 2012 14:38:33 +0200

In Martin Kuppinger

Life Management Platforms will be among the biggest things in IT within the next ten years. They are different from “Personal Data Stores” in the sense of adding what we call “apps” to the data stores and being able to work with different personal data stores. So they allow to securely working with personal data by using such apps which consume but not unveil that data – in contrast to a data store which just could provide or allow access to personal data. They thus are more active and will allow every one of us to deal with his personal data while enforcing privacy and security. Regarding “Personal Clouds”, that might be or become Life Management Platforms. However I struggle with that term given that it is used for so many different things. I thus prefer to avoid it. Both today’s personal data stores and personal clouds have a clear potential to evolve towards Life Management Platforms – let’s wait and see. I’ve recently written a report on Life Management Platforms, describing the basic concepts and looking at several aspects like business cases. This report is available for free.

The other big thing around this topic is the book “The Intention Economy”, written by Doc Searls. It is a must read and even while it mainly focuses on the relation between vendors and customers, there is a big overlap between what Doc has written there and what we at KuppingerCole expect to happen with Life Management Platforms.

Doc’s basic point is that the Intention Economy will change the relationship between vendors and customers. I like these two quotes:

„Relationships between customers and vendors will be voluntary and genuine, with loyalty anchored in mutual respect and concern, rather than coercion. So rather than „targeting“, „capturing“, „acquiring“, „managing“, „locking in“, and „owning“ customers, as if they were slaves or cattle, vendors will earn the respect of customers who are now free to bring far more to the market‘s table than the old vendor-based systems ever contemplated, much less allowed.“

„Likewise, rather than guessing what might get the attention of customers – or what might „drive“ them like cattle – vendors will respond to the actual intention of customers. Once customers‘ expressions of intent become abundant and clear, the range of economic interplay between supply and demand will widen, and its sum will increase. The result we will call the Intention Economy.“

„This new economy will outperform the Attention Economy that has shaped marketing and sales since the dawn of advertising.“

Yesterday I did a presentation at an event organized by doubleSlash, a German Consulting and Software Company focused on Sales and Marketing. The so called “slashTalk” had the title “After the Social Media Bang” and focused on what companies will have to do now. There were several marketing executives and experts from different companies in the room.

Before my presentation on Life Management Platforms there was another presentation which I found extremely interesting. Bj�rn Eichst�dt, founder and managing partner at Storymaker, a company which originally started as a PR agency, talked about his view on attention and why today’s marketing fails (in most cases). Bj�rn has a degree in neurobiology, so he is far more than just a PR guy. He talked about “attention” and the small period of time within which you can catch someone’s attention. But it could be done, as with what today’s social networks provide. However, it isn’t easy today. On the other hand, providing what fits to the current target of attention is much more promising than trying to change the attention, like traditional marketing is doing.

Taking this view, the one of Doc Searls, and the idea of Life Management Platforms the way we at KuppingerCole have it in mind shows that this is where things become really interesting: A Life Management Platforms allows expressing your Intention. The Intention is nothing other than a vital part of where your current Attention is focused. In other words: Knowing the Intention is about knowing at least an important part of the current Attention, which is much better than trying to change the Attention. Furthermore, Life Management Platforms could provide more information about the current Attention in real-time, but in a controlled way – controlled by the individual. That allows getting even more targeted information and makes this concept extremely attractive for everybody – the vendors and the individuals.

Imagine a world in which you can allow others to provide you exactly that piece of information you are interested in. Let’s give an example:

Your profile on a social network might provide the information that you just arrived at the airport in a specific city. Some vendors might track this information and send you welcome messages, pointing to their local assistance, or other offerings. That could be done based on what today’s social networks provide. And this is nice if you receive only one message or offers which really suit your needs. But if you receive 20 messages from companies which detected that your attention might be on that, it is just annoying.

In a Life Management Platform you can control whom to inform about such a “social” event. That can be specific companies or industries. They know that someone arrived at the airport and needs some specific information, about directions, the next ATM, or the next public WLAN hotspot – or whatever else. The system provides that information to you and you use the service. This obviously is the better approach.

You might ask how this differs from typing “MUC ATM map” or “IAD WIFI” into a search engine? The fundamental difference is that the Life Management Platform can express your intention once it has learned about it – and you might have the same intention every time you arrive at an airport. It acts for you and consumes your preferences like for example the personal data about the mobile phone providers you have contracts with and you prefer for roaming or the banks you have accounts at to find the ATMs without additional fees or even without fees. Entering all that information into a search engine is annoying. And selecting the results in mind is annoying as well. So there is an obvious value even in that simple use case. And for sure you might not want to give all that information about your bank accounts away – you might want something (the app in Life Management Platforms) to act upon without unveiling that information. You might want minimal disclosure.

Life Management Platforms will enable that, amongst many other things. Given that they are a vehicle to fundamentally change the way marketing is done, moving from changing the attention to using attention and intention in a controlled and targeted way. Thus, everyone responsible for marketing should start looking at the ideas around Life Management Platforms, the Intention Economy, and Bj�rn’s understanding of what Attention really is about. It is a simple way to get much better in Marketing and save money.

IIW and VRM Report

Tue, 15 May 2012 12:09:59 +0200

In Craig Burton

At the first of the month I attended IIW 14 in Mountain View. I also attended the VRM workshop on the 30^th. The VRM workshop was hosted by Ericsson. The IIW was held at the Computer History Museum.

Before I summarize what happened at those events, I want to give a little background on IIW.

IIW

IIW uses a format referred to as an “unconference.” The main purpose of an unconference is to avoid the traditional design of a conference. A way I have heard it described is the format developed by Harrison Owen. Legend has it that Owen noticed that during a conference, most of the real activity and deals were going on out in the hall during the breaks.

He questioned “why can’t we create a conference that works like being out in the hall all of the time?” IIW is more about that.

Here are the main operational points:

In the morning of the first day, everyone attending introduces themselves and tells all of the other attendees who they are, who they represent, why they are there and what they expect to get out of the conference.

After that, anyone is invited to create a session and a topic. Each person with a topic stands up and says what the topic is and the purpose of the session. Everyone then rushes to the open space scheduling wall and gets a particular space and time slot during the day. This is self-managed. Figure 1 shows a portion of the scheduling wall.

Figure 1: Open Session Scheduling Wall

Each time slot is 50 minutes long. Each session starts at the top of the hour. Anyone can attend any session they desire.

At the end of the day, the session leader—or someone that attended the session—gives a summary of the session. Session notes are to be emailed and posted on the IIW Wiki later.

In closing, there is an acknowledgement ceremony.

Figure 2: Acknowledgement Ceremony

In this ceremony, anyone is invited to stand up and acknowledge anyone else for anything that is relevant to the workshop. This is done by giving the person a choice of wine or chocolates. Figure 2 shows the acknowledgement ceremony and shows Doc Searls acknowledging someone.

Each day then follows the same format except that only new people who did not introduce themselves the first day are introduced.

VRM Day Overview

The entire day was discussing projects and products that are finally starting to use VRM as their underpinnings.

We also talked about Doc Searl’s new thinking about VRM. The best place to review that is by watching his presentation given at the KuppingerCole EIC 2012 conference.

Here were some of the topics discussed.

Open API Economy
FreedomBox
Commercializing VRM
Life Management Platforms
Selling the first Vendors – Who Goes First
VRM and CRM
IntentCasting Networks – beyond the cliche: vertical use cases
UI and UX for�VRM, PDS, R-buttons, ToS, Cheese
Personally Asserted Terms and Conditions
Sovereign ID vs. Admin ID
Customer Commons: Live!

IIW Overview

This year’s sessions were very diverse, but there were some consistent themes every day.

VRM
APIs
Protocols
Privacy
Personal Data and Life Management Platforms

For a complete list of all of the sessions, you can look at the IIW wiki at http://iiw.idcommons.net/IIW_14_Notes

VRM

There were more VRM sessions this year than I have ever seen. I attribute this explosion of sessions to the release of Doc’s Book—The Intention Economy. Usually there was an entire day of VRM sessions every day of the workshop. On the first day, I attended almost all of the sessions. The VRM community is very broad and does not lean so much on Doc for its progress. Everyone was very excited about the book and the concepts there.

For a list of all of the sessions and some of the notes, see the VRM blog post about IIW. http://blogs.law.harvard.edu/vrm/2012/05/09/vrm-at-iiw/

In several of the sessions I focused on the link of the Open API Economy, the Life Management Platform and the roles of these two trends as they relate to VRM. From our opinion at KuppingerCole it is important to point out that VRM is much more than the counterpart to CRM and includes many more things that just e-commerce and shopping. People were very responsive to these perspectives.

Another cool result of all this is the new post that Doc Searls put up on the VRM Wiki adding and attributing KuppingerCole to the term Life Management Platform.

http://cyber.law.harvard.edu/projectvrm/Main_Page

APIs

There was much talk about APIs and Open APIs. The Open API Economy session was packed and generated great discussion.

The link to my Prezi used in the session is here.

http://prezi.com/rt07gxj02hf8/open-api-economy-ii/

Almost a thousand people (998) have viewed this presentation since the workshop – I’m really impressed.

Other API discussions were around OpenID Connect and SCIM.

Protocols

The three most active protocol discussions centered around OpenID Connect, SCIM and XDI. In addition, every discussion talking about any type of service, from privacy to personal data stores, talked about their status and intent to provide API access.

The Open API meme is clearly on fire and KuppingerCole is viewed as the thought leader around this topic.

The entire community is very excited about Open ID Connect and SCIM as they are protocols seen to solve serious problems, programmatic access to endpoints through the SAML namespace, and programmatic protocols for automated provisioning.

Privacy

There was a lot of discussion concerning privacy and the meaning of privacy. Scott David contributed significantly to this discussion with legal definitions and implications. The question kept coming up on how to build products that satisfy personal and legal privacy requirements across international boundaries. Especially since the requirements, laws and social conventions are not well defined. Again, KuppingerCole’s approach of Life Management Platforms provides some interesting thoughts (and maybe answers) on that.

Personal Data

Personal Data Stores, Personal Data Lockers, Personal Clouds, Freedom box and on and on.

The meme about Personal Data is very much on the move and in flux. Almost everyone who says they are working with Personal Data has a different notion of what it is and how it should work.

One of the presenters opened with a great joke from Steven Wright that is a useful analogy about personal data. It goes “I have a large seashell collection which I keep scattered on the beaches all over the world. Maybe you’ve seen it.”

One of the most fun and interesting personal data sessions was around the freedom box. Markus Sabadello managed this session.

http://blog.projectdanube.org/2012/05/freedombox-at-the-internet-identity-workshop/

This link gives a review of the session. He also brought up the Life Management Platform. He didn’t quite get it right, but I like it that the term is being inserted in the discussion. Life Management Platforms are much more than just data stores; there is much in it about how to ensure the secure and privacy-aware use of personal data – e.g. not just storing, but using them the right way and enabling new (and improved) forms of business.

Summary

IIW is well run and is mature and consistently meets it purpose of quality discussion and advancement of personal identity issues.

IIW 14 topics were spot on, fresh and informative.

The biggest complaint I have about IIW is that there are no notes posted for many of the sessions.

The VRM Workshop was well attended and reflects the interest shown at the KuppingerCole EIC 2012 conference.

Perhaps this year we will finally see some products that are VRM oriented.

EIC 2012 Session: API Economy - The Provider View

Mon, 14 May 2012 12:18:21 +0200

In KuppingerCole Podcasts

Dr. Steven Willmott, 3Scale
April 19, 2012 12:10

Watch online

EIC 2012 Session: API Economy - The Consumer View

Mon, 14 May 2012 12:17:12 +0200

In KuppingerCole Podcasts

Fulup Ar Foll, KuppingerCole
April 19, 2012 11:50

Watch online

EIC 2012 Session: How the API Economy Leverages our Capabilities for Delivering Business Services

Mon, 14 May 2012 12:16:12 +0200

In KuppingerCole Podcasts

Craig Burton, KuppingerCole
Kim Cameron, Microsoft
Martin Kuppinger, KuppingerCole

April 19, 2012 11:30

Watch online

EIC 2012 Session: VRM and the Intention Economy - Now What?

Mon, 14 May 2012 12:14:30 +0200

In KuppingerCole Podcasts

Craig Burton, KuppingerCole
Scott David, K&L Gates LLP
Marcel van Galen, Qiy
Drummond Reed, Connect.Me
Doc Searls, Berkman Center for Internet and Society
Phil Windley, Kynetx

April 19, 2012 10:30

Watch online

EIC 2012 Session: IT Strategies and Information Security in Banks - The Regulator�s View

Fri, 11 May 2012 13:21:49 +0200

In KuppingerCole Podcasts

Dr. Markus Held, Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
April 18, 2012 11:30

Watch online

Entitlement Management – has it really been an academic exercise?

Thu, 10 May 2012 19:27:54 +0200

In Martin Kuppinger

Recently I read a blog post from my appreciated and well known analyst colleague Kevin Kampman at Gartner Group talking about entitlement management. That post had some points which made me wonder. I’ll pick some of the quotes:

“One of access control’s biggest challenges is that it has often been an academic exercise. Maybe we can move the discussion forward by thinking about what is needed, not just what is possible.”
�“For any object, a set of conditions should be met to provide access such as time, attribute, role, etc. it seems we need a more flexible way to characterize all of the conditions that need to be met for access to be granted. Not attributes about the object itself but what you need to bring to the party to play.”
�“A lot of the focus in the *-BAC world is what attributes IT can provide to represent these conditions. It might make more sense to describe the conditions needed to characterize access.”

There are more, but these are some which I feel the need to comment on. Let’s start with the first one. I would agree that role management in its early days, when it first became mainstream, sometimes really was too much of an academic exercise. But if I look at the reality of projects today, that’s no longer the case. Role management is well understood and there is a lot of knowledge available on how to successfully implement role management in practice.

Going further to what dominates the evolution of Entitlement Management today, we have to look at Dynamic Authorization Management. Here neither the evolution of XACML as the key standard nor of claims as a related and somewhat overlapping approach is driven by theorists. Furthermore, most of the products in the Dynamic Authorization Management market like the ones of CA Technologies, CrossIdeas, IBM, or Oracle are derived from projects and the customer needs therein. They were built for practitioners from the very beginning. Even while they might not be perfect yet, they definitely are not the result of academic exercises. Consider also that Axiomatics, which started with strong focus on the XACML standard (and is one of the most active supporters of defining the XACML standard) is strongly led by customer feedback and experience from real world implementation projects.

My perspective is that the biggest challenge for Entitlement Management today is the organizational and process maturity of the customers, when it comes to defining business roles and business rules and when it concerns identifying the players in the business organization which have to participate. IT has become better in supporting IT business/alignment but still has some work to do on that especially with simple interfaces for defining business rules in Dynamic Authorization Management products and further improving the business interface of Access Governance tools. But this again is not the result of being too academic.

Regarding the second aspect: Despite the criticism I sometimes have articulated regarding XACML as being a standard which is too complex for the end users (which I still believe is true), the underlying concept of implementing business rules is simple. Yes, it is annoying to write XACML, but that is true for any type of XML. Still, any business user can easily define the rules in a structure that can be used by XACML – this is straightforward and simple to understand.

And in that concept (and other approaches for Dynamic Authorization Management) it is very simple to express the full variety of rules, from more technical ones to pure business rules using business-provided constraints or competencies. This is focused on objects – but the objects can again be anything, from a piece of information (like a document) or its representation (like a share) to business activities within business processes. This is all there – so it is fairly simple to use it. And the same concepts can be used for all types of use cases. You can rely on a subset of the same set of policies for versatile, context-based authentication and authorization (which again provides attributes for other decisions) and for the internal authorization in a business application which needs to enforce complex business rules such as for the approval of new insurance contracts.

Having said this, we arrive at the third quote. Don’t we describe the conditions today? I’d say we can do it and we frequently do it, not only within Dynamic Authorization Management but also in more advanced concepts around Access Governance . These concepts go beyond roles today and can use concepts of constraints or competencies. Some implementations are tightly coupled with business activities and business processes.

By the way: Introducing a term of *-BAC doesn’t seem to provide much value to the customer. We have RBAC (which, in the NIST approach, is somewhat academic – but not in real world). We have used the term ABAC (Attribute Based Access Control) sometimes in the industry, with attributes describing any attribute which can be used within policies, including roles as a specific type of attribute. So ABAC covers everything and *-BAC only leads to babel.

Simply said: My view on the state of Entitlement Management, Access Governance, and Dynamic Authorization Management is fundamentally different from the one in that other blog post mentioned above. It think that the industry is much more mature. And not too academic.

EIC 2012 Session: Access Governance Case Study - Friends Life Realizes Quick Time To Value

Thu, 10 May 2012 19:06:04 +0200

In KuppingerCole Podcasts

Julia Bernal, Group Business Security & Data Protection Manager, Friends Life
April 18, 2012 17:30

Watch online

EIC 2012 Session: Identity & Access Management as a Key Element for a Value focused Security Strategy

Thu, 10 May 2012 19:04:50 +0200

In KuppingerCole Podcasts

Ralf Knöringer, Atos IT Solutions and Services GmbH
Hassan Maad, Evidian
Shirief Nosseir, CA Technologies
Christian Patrascu, Oracle
Peter Weierich, iC Consult GmbH

April 18, 2012 17:00

Watch online

EIC 2012 Session: How to successfully get business to participate in IAM and Access Governance

Thu, 10 May 2012 19:01:24 +0200

In KuppingerCole Podcasts

Dr. Martin Kuhlmann, Omada
Edwin van der Wal, Everett

April 18, 2012 15:30

Watch online

EIC 2012 Session: Delivering Actionable Recommendations to Senior Management based on a Structured Risk Identification and Evaluation Process

Thu, 10 May 2012 18:59:34 +0200

In KuppingerCole Podcasts

Dr. Waldemar Grudzien, Association of German Banks
Berthold Kerl, Deutsche Bank AG
Prof. Dr. Sachar Paulus, KuppingerCole

April 18, 2012 15:00

Watch online

EIC 2012 Session: Munich Re�s Identity & Access Management - Experience Report and Best Practices

Thu, 10 May 2012 18:57:58 +0200

In KuppingerCole Podcasts

Wolfgang Zwerch, MunichRe
April 18, 2012 14:30

Watch online

EIC 2012 Session: IAM Governance in the New Commerzbank

Thu, 10 May 2012 18:56:35 +0200

In KuppingerCole Podcasts

Dirk Venzke, Director, Commerzbank AG
April 18, 2012 14:00

Watch online

EIC 2012 Session: How to Address Regulatory Needs Fast and Lean

Thu, 10 May 2012 18:53:45 +0200

In KuppingerCole Podcasts

Dr. Waldemar Grudzien, Association of German Banks
Dirk Venzke, Commerzbank AG
Dr. Horst Walther, Kuppinger Cole
Wolfgang Zwerch, MunichRe

April 18, 2012 12:00

Watch online

EIC 2012 Session: Facing the Online Threats against Retail and Banking Customers - What are the Future Perspectives?

Thu, 10 May 2012 18:51:19 +0200

In KuppingerCole Podcasts

Prof. Dr. Sachar Paulus, Senior Analyst, KuppingerCole
April 18, 2012 11:00

Watch online

EIC 2012 Session: Cyber Crime, Cloud, Social Media... - IS Threats for Banks are Constantly Increasing. What Should We Be Doing?

Thu, 10 May 2012 18:44:53 +0200

In KuppingerCole Podcasts

Berthold Kerl, Deutsche Bank AG
April 18, 2012 10:30

Watch online

Preventing, or surviving, data leaks

Thu, 10 May 2012 16:54:16 +0200

In Dave Kearns

Just last week it was reported in The Guardian that “Computer hackers have managed to breach some of the top secret systems within the [UK] Ministry of Defence.” If the department charged with protecting the country can’t protect its own secrets then what chance does your organization have?

This is just the latest (at the time I’m writing this) in a seemingly ever escalating number of security breaches, data thefts and data losses. So much so, in fact, that Data Loss Prevention (DLP – also called Data Leak Prevention) is the fastest growing segment of the Security, Identity and Access Management (SIAM) market. Multiple press releases cross my desk every week touting the latest and greatest apps and services to protect your sensitive, privileged, and proprietary data as well as the Personally Identifiable Information (PII) of your employees, customers, vendors and partners – the data that begins the path to so-called Identity Theft.

So with so much DLP software available, why is there still a problem with data loss/leakage – and why are organizations seemingly so surprised when it occurs?

To me, one telling point is that almost all DLP packages include audit modules. The main purpose of these audit modules (other than to satisfy some compliance directive from government (e.g., HIPAA) or other organization (e. g., PCI)) is to let you know that a data loss/leak has occurred! It’s like having a sensor outside the barn that emails you with the message “By the way, the horses just got out through that unlocked barn door.”

So is there any hope?

The short answer is “no, not the way we’re doing things today.”

Early DLP software concentrated on border protection and intruder detection. The idea was that individual hackers were constantly probing your network looking for “barn doors” that weren’t locked. It was assumed that these hackers had no definite target in mind, but simply tested for easy targets. If your “door” was harder to get through than another organization’s, then they’d go to that one and leave you alone.

But the attackers have changed. The Guardian story cited above notes “China and Russia have been accused of being behind most of the sophisticated cyber-attacks, with state-sponsored hackers targeting military secrets from western governments, or intellectual property from British and American defence firms.” Additionally, organized cybercrime gangs (the so-called “Digital Mafia”) have been cited as constantly attempting to penetrate systems to obtain data for financial gain. Individual hackers have fallen far down the list of potential threats.

The DLP vendors have tried to keep up with the ever more sophisticated penetration attacks, and do a good job. But even if they can block 99.99% of penetration attempts, how many get through? It’s hard to find data, but one blogger tracked intrusion attempts a few years ago and noted 2556 in a two week period. This is not a high value target, yet even using the best available DLP products this site would still get penetrated once every 8 weeks, 6-7 times per year. A major corporation or government entity could see hundreds, even thousands times the number of attacks with a concomitant number of successful ones.

And that’s just one threat vector.

Borders, fences, firewalls, and the like are intended to protect your data from outsiders who have no legitimate right to it. But what about insiders? What about those who have the right to view and manipulate the data as part of their job?

Recently in South Carolina an employee of the state Medicaid program (a health program for certain people and families with low incomes and resources) was charged with collecting PII (Names, addresses, phone numbers, and Social Security numbers, which also double as Medicaid ID numbers) of over 200,000 clients and transferring it to his personal storage via email. This was done in small pieces over the course of several months. The employee had a legitimate right to access the data as individual records – he just amalgamated these records over time!

Many current DLP packages will monitor outgoing data (email, web postings, social networks, etc.) to see if privileged or protected data (or PII) is leaving the organization and alerting security personnel. This can minimize the data loss/leakage, but not eliminate it. In the best case scenario the data can be recovered before damage is done.

But, of course, not all insider data leakage is caused by rogue employees.

In the now classic case of RSA Security, data was stolen that allowed the hackers (believed to be state sponsored) to foil the vaunted (and ubiquitous) SecureID hardware tokens from the company. These hackers didn’t find an open door, nor did they obtain a willing accomplice on the inside. Rather, they used sophisticated phishing techniques to persuade one user to open an attachment to an email, which installed a backdoor Trojan allowing these criminals to get into the system, pose as legitimate users, and get the data they came looking for. Yes, audit software discovered the breach. But that horse was already out of the barn, in the wild and doing damage. It’s generally believed that attacks on a number of defense contractors later resulted from this breach.

And that still doesn’t cover all the possibilities.

We still read about lost laptops, notebooks and tablets; mislaid (or stolen) USB drives (it used to be floppy disks); unwiped hard drives getting recycled – all with proprietary or personal data on them. No intruder detection system, data monitoring system or any number of audit logs are going to let you know that this has occurred.

So what should you do – short of throwing up your hands and simply releasing all of your own data before someone else does?

You need a plan. Today’s DLP software should be a part of it, of course, but you need more. You need to be prepared, now, for what will happen when the data leakage occurs. Too often, when the worst happens, the organization that lost data sends out a spokesperson, who looks like a deer trapped in the headlights with no ready answers as to how they are going to cope with the disaster that’s befallen them.

Most large organizations – commercial entities, governments, university systems and the like – have well-developed disaster recovery plans. They know exactly what they’ll do in case of fire, flood, insurrection, or other disruptions to their normal flow of business. Few, if any, though, have plans to deal with the devastating disaster that data leakage and data loss can be. How devastating? Just ask the folks at VASCO Data Security. When their subsidiary, Diginotar (a Dutch security Certificate Authority), was breached and fraudulent certificates issued it was first taken over by the government and then declared bankrupt.

The reality is that you need a three-pronged approach to protect your data, determine if it’s been leaked and react promptly, efficiently and appropriately when the leak occurs. I call these three DLP, DLD and DLR.

DLP – Data Leak Protection, which includes data encryption, firewalls, intruder detection systems and the like. These systems are designed to thwart intruders and can do a good job of that. Additionally, these systems can protect data that is inadvertently sent “into the wild” (lost, stolen or strayed computers and drives).
DLD – Data Leak Detection; when DLP fails, this part of the solution will let you know. DLD is also the area where you monitor legitimate users (employees, contractors, vendors, partners, clients, etc.) to discover criminal behavior or fraudulent account usage. DLD systems can also be configured to trigger automatic responses shutting down the avenue through which data is leaking.
DLR – Data Leak Resilience, or how to recover and bounce back from data leaks. In essence, this is a disaster recovery plan for data leaks and includes hardware and/or software modifications (to thwart the leak vector), notification protocols (to inform data owners or regulatory authorities as well as the press) and recovery methods (to, as much as possible, restore the situation as it existed pre-leak).

Many call this three-pronged approach Data Loss Mitigation (although at least one of my colleagues abhors the term) and I’ll stick with it for now (but your suggestions are welcome).

In any event, you need to work on the DLR portion; you need that disaster recovery plan for data leakage – so get to work on it now.

Advisory Note: Dealing with privacy risks in mobile environments - 70224

Wed, 09 May 2012 13:23:00 +0200

In KuppingerCole

The ongoing trend of IT consumerization and deperimeterization has a profound effect on modern society. Mobile devices are becoming increasingly sophisticated and their numbers are growing exponentially. Social networking has made sharing information all too easy and controlling its spread nearly impossible. Growing adoption of cloud-based services, while having obvious advantages, means that more and more sensitive information is now stored and managed by third parties, and users are no...
more

Dynamic Authorization Management Best Practices

Wed, 09 May 2012 09:47:29 +0200

In Martin Kuppinger

Due to a last minute speaker change I had to prepare a short presentation on „Dynamic Authorization Management – Best Practices from our Advisory“ for EIC 2012. When we found a replacement for the speaker, I didn’t give that presentation. However I will do a webinar on that soon and I want to provide some of the content here, as sort of an appetizer.

Dynamic Authorization Management is about dynamically deciding to approve or not authorization requests provided by services (like applications) based on policies and attributes (roles, application used, context, whatever,…). It includes policy definition and management, the access to sources for these attributes like directory servers, databases, ERP systems, and systems for context- and risk-based authentication and authorization. A key standard is XACML. The role of Dynamic Authorization Management within overall IAM (Identity and Access Management) is defined in the KuppingerCole Scenario Understanding Identity and Access Management.

A key success factor in Dynamic Authorization Management is to bring participants from all the different siloes involved to the table. You need people from the business organization, you need application architects and developers, you need IT Security, and you need others. This is a complex challenge.

Another key success factor is to set the right scope and to start small enough to be successful. The design has to cover coarse-grain and fine-grain authorization. It has to look at all types of applications and users. And thinking about the “Identity Explosion”, that means that it has to cover authorization not only for employees, but for many other types of users.

When planning the environment, the positioning of the Policy Enforcement Point (PEP) and Policy Decision Point ( PDP) (more information on XACML, PEPs, and PDPs here) is one of the challenges. Vendors provide a lot of flexibility – and you need to understand the different options to meet the performance and scalability requirements of your environment. This becomes increasingly complicated in cloud environments given that it is hard to run a large number of queries across long distances in an efficient way. So approaches like providing access controls statically to systems might come into play. Clearly, putting a lot of thought into the concepts is a key success factor, especially given that Dynamic Authorization Management has to cover more or less all of your distributed environment.

Acceptance by developers is directly related to simplicity. Keeping things simple for developers is also one of the key success factors. You should start thinking about applying the paradigms of the Open API Economy here.

The same is true for policy definition. The good thing is that the way policies are described in XACML from a conceptual perspective (so without the XML stuff around) is pretty straightforward, simple to understand, and powerful. Nevertheless you have to educate your business users in expressing their business policies and translate this for the IT level. And you shouldn’t underestimate the complexity of auditing and analyzing policies in a dynamic environment.

However, when putting sufficient work into the concepts, you can design a Dynamic Authorization Management environment today which is future-proof. You should also do it because that will help you to become much more efficient in the management of Information Security and much more agile in fulfilling today’s and tomorrow’s audit requirements.

Business Report: Key Risk/Performance Indicators IAM and GRC - 70204

Tue, 08 May 2012 13:41:48 +0200

In KuppingerCole

The concept of Key Performance Indicators is well established at the corporate level, using scorecards as a tool for providing a quick overview on the progress of organizations towards their goals. Key Risk Indicators add risk metrics to that view, relating the progress of indicators to changes in risks.

The report provides selected Key Risk Indicators (KRI) for the area of IAM and GRC. These indicators are easy to measure and provide a quick overview of the risk status and its...
more

Bring Your Own Identity? Yes. And No.

Tue, 08 May 2012 10:34:21 +0200

In Martin Kuppinger

Recently I read a blog post� by Nick Crown, Director of Product Marketing at UnboundID. He talked about “Bring Your Own Identity” which he thinks is more groundbreaking and disruptive than BYOD (Bring Your Own Device). I would say yes, there is a value in BYOI, but:

-�� this is definitely not as groundbreaking and disruptive as BYOD

-�� this is only a small piece in a much larger puzzle and it definitely will not end with a two-tiered identity infrastructure as proposed in Nick Crown’s blog post

-�� there’s definitely no need to introduce yet another marketing buzzword and acronym like BYOI

Certainly, just �like every other vendor’s blog, posts like the one by Nick Crown are driven by the wish to position the company as “the primary vendor” in the specific area. But the question from a customer perspective (and from an analyst perspective) is: Does it really make sense?

So I want to focus on the three points above:

BYOD is one of the trends which are fundamentally changing the way we need to do IT, as well from the system management as from the information security perspective. It is about moving away from device-centric security to information-centric security approaches. That is a massive change, much bigger than any around identities. BYOD is directly related to the big changes we commonly call Mobile Computing and Consumerization of IT. And it relates also to the “Deperimeterization of IT”. BYOI (when defined as the user bringing its own identity) is, of course, related to big trends such as Social Computing. But it isn’t as new as some people claim. Federation as one approach to deal with this has been out for quite a while and is still evolving – look at OpenID Connect, recently awarded a European Identity Award by KuppingerCole for being the best new standard.

BYOI is much smaller than BYOD in its impact because of the second point mentioned above, something we at KuppingerCole have been talking and writing about for a pretty long time now. The reality is that there will be multiple identity providers. This is about things like trust frameworks, about concepts like claims, and about the need to become flexible enough in the days of Identity Explosion. It is about gaining the ability to deal with multiple pieces of information provided by different providers, instead of one provider or two tiers of providers. There will be many different types of Identity Providers – and they are already here, in fact. What changes is the ability to deal with these providers. That is about federation, about claims, about concepts like IDMAAS (Identity Management as a Service) the way Kim Cameron has presented it in his keynote at EIC 2012. However, it is not that much about directory services or technical synchronization. The fact that someone brings his own identity is just a little piece. And more important than accepting a BYOI ID is the ability to accept many different providers and to convert them into other IDs once the type of transaction and interaction with the individual requires such a conversion.

I’d also recommend you have a look at our report “Life Management Platforms”, which is available for free. This report explains a concept which will fundamentally influence the way we deal with “own identities”, which then really could be something you’d like to call BYOI, even while it is not only about bringing but also about controlling.

So even with Life Management Platforms, there is no need for the BYOI buzzword. It is not mainly about bringing your own identity (and, by the way, a Facebook ID is anything but an “own identity” when looking at the Facebook terms and conditions), but about enabling the flexible use of different identities. So BYOI is far too narrow to describe the changes we see these days. And thus we really should avoid using that buzzword and focus on what really is changing around identities.

Advisory Note: Migration Options and Guidelines for Oracle Waveset - 70610

Mon, 07 May 2012 09:57:47 +0200

In KuppingerCole

This document extends the Advisory Note #70,607 “Migration Options for your Legacy Provisioning” and focuses on Oracle's Waveset Identity Provisioning system which is also historically known as Sun Identity Management/Manager or, in short, SIM, which before the acquisition of Waveset by Sun was named Waveset Lighthouse. The product will usually be called Waveset IDM (Identity Management) throughout this report, using Sun Identity Management or Waveset Lighthouse only when it is...
more

The digital divide in Identity Management

Sun, 06 May 2012 16:09:32 +0200

In Sebastian Rohr

My dear friend Mia Harbitz of the Interamerican Development Bank (www.iadb.org) has recently linked me to of what I felt to be one of the most important papers on “Identity Management” since I work in this field. The paper does not analyze the pros and cons of doing bottom-up or top-down role design, nor does it dive into the depths of Access Governance and streamlining reconciliation efforts in your organization.
It investigates what any of you claim (and probably experienced yourself) to be a birth-right: your own personal identity! We all know the fuzz around Google+ and the headache it gave Kaliya “Identity Woman” when she was blocked from using G+ due to not using her “real name” but a moniker she was widely known under – at least better known as under her real name (which I only found out during the discussion around G+!). The paper – I recommend you all read – does not care about these problems which seem SO huge to us, but merely touch a small fraction of all mankind (which is, by the way, true to about 99% of the problems I solve during my work…) . It cares about the problems of billions of people not even HAVING an identity, because they did not get registered by their mother upon birth and thus do not have a valid a birth certificate.
Without further ado, please all read the paper “Travelling the Distance: a GPS-based study of the access to birth registration services in Latin America and the Caribbean” … It is an eye-opener to the problems of the “real world of identity management” and we as the crusaders of the digital world should not leave behind our fellow humans on the side of the “digital divide” …

EIC 2012 Keynote: Interview - What are the Privacy and Information Security Challenges 2012 and Beyond?

Sat, 05 May 2012 13:33:53 +0200

In KuppingerCole Podcasts

Roy Adar, Vice President of Product Management, Cyber-Ark
Dr. Nigel Cameron, CEO, Center for Policy on Emerging Technologies
Martin Kuppinger, KuppingerCole
Shirief Nosseir, Marketing Manager, CA Technologies
Jim Taylor, VP Identity and Security Management, NetIQ
April 17, 2012 15:40

Watch online

EIC 2012 Keynote: Conflicting Visions of Cloud Identity

Sat, 05 May 2012 13:31:59 +0200

In KuppingerCole Podcasts

Kim Cameron, Creator of the Laws of Identity and Microsoft Identity Architect, Microsoft
April 17, 2012 15:20

Watch online

EIC 2012 Keynote: eID new challenges with Digital Agenda and Cloud Computing

Sat, 05 May 2012 13:30:37 +0200

In KuppingerCole Podcasts

Prof. Dr. Reinhard Posch, CIO for the Austrian Federal Government, Republic of Austria
April 17, 2012 15:00

Watch online

EIC 2012 Keynote: "Che cosa sono le nuvole?� (What are the clouds?)

Sat, 05 May 2012 13:29:20 +0200

In KuppingerCole Podcasts

Dr. Emilio Mordini, CEO, Centre for Science, Society and Citizenship CSSC
April 17, 2012 14:40

Watch online

EIC 2012 Opening Keynote

Sat, 05 May 2012 13:28:00 +0200

In KuppingerCole Podcasts

Dr. Nigel Cameron, CEO, Center for Policy on Emerging Technologies
Martin Kuppinger, KuppingerCole
April 17, 14:00

Watch online

EIC 2012 Closing Keynote

Thu, 03 May 2012 14:40:43 +0200

In KuppingerCole Podcasts

Dave Kearns, Senior Analyst, KuppingerCole
Prof. Dr. Sachar Paulus, Senior Analyst, KuppingerCole
April 19, 2012 17:30

Watch online

EIC 2012 Keynote: Trust and Complexity in Digital Space

Thu, 03 May 2012 10:37:28 +0200

In KuppingerCole Podcasts

Dr. Jacques Bus, Secretary General, Digital Enlightenment Forum
April 19, 2012 9:30

Watch online

EIC 2012 Keynote: The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet

Thu, 03 May 2012 10:36:11 +0200

In KuppingerCole Podcasts

Prof. Dr. Kai Rannenberg, T-Mobile Chair of Mobile Business & Multilateral Security, Goethe University in Frankfurt
April 19, 2012 9:00

Watch online

EIC 2012 Keynote: How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile

Thu, 03 May 2012 10:35:02 +0200

In KuppingerCole Podcasts

Ralf Knöringer, Manager Business Unit IAM, Atos IT Solutions and Services GmbH
April 19, 2012 8:30

Watch online

EIC 2012 Keynote: How to build a Secure and Open Cloud

Wed, 02 May 2012 18:18:28 +0200

In KuppingerCole Podcasts

Stephan Bohnengel, Sr. Specialist Systems Engineer Security, VMware
April 18, 2012 18:40

Watch online

EIC 2012 Keynote: Top Challenges and Threats Security Managers Should Watch Out For

Wed, 02 May 2012 15:55:01 +0200

In KuppingerCole Podcasts

Prof. Dr. Eberhard von Faber, Security Strategy and Executive Consulting, T-Systems
April 18, 2012 18:20

Watch online

EIC 2012 Keynote: How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API

Wed, 02 May 2012 15:54:04 +0200

In KuppingerCole Podcasts

André Durand, Founder & CEO, Ping Identity
April 18, 2012 18:00

Watch online

EIC 2012 Keynote: Information Security Governance in Banks: Delivering Actionable Recommendation to Management

Wed, 02 May 2012 15:47:35 +0200

In KuppingerCole Podcasts

Berthold Kerl, Managing Director, Head of Information & Technology Risk Governance, Deutsche Bank AG
April 18, 2012 9:30

Watch online

EIC 2012 Keynote: Securing Critical Banking Infrastructures in the Age of Cyber Warfare

Wed, 02 May 2012 15:46:21 +0200

In KuppingerCole Podcasts

Dr. Waldemar Grudzien, Director, Department Retail Banking and Banking Technology, Association of German Banks
April 18, 2012 9:00

Watch online

EIC 2012 Keynote: Leveraging Identity to Manage Enterprise Change and Complexity

Wed, 02 May 2012 15:45:15 +0200

In KuppingerCole Podcasts

Jim Taylor, VP Identity and Security Management, NetIQ
April 18, 2012 8:30

Watch online

Videos from the EIC 2012

Tue, 01 May 2012 21:57:15 +0200

In European Identity Conference Blog

The first keynote videos from the European Identity & Cloud Conference 2012 have been published on our website. Over the course of this week we’re planning to make all keynotes and selected conference sessions available as podcasts.

Please note that most of these videos can only be viewed by the conference participants or users having a KuppingerCole Research subscription.

However, we’re going to make some videos accessible for everyone on our YouTube channel, and the first one is the keynote “Free Customers: The New Platform” by Doc Searls.

European Identity & Cloud Conference 2012 videos �

EIC 2012 Keynote: Identity Management & Cloud Security - There�s a Workflow for That

Tue, 01 May 2012 18:37:28 +0200

In KuppingerCole Podcasts

Patrick Parker, Founder and CEO, The Dot Net Factory
April 17, 2012 19:10

Watch online

EIC 2012 Keynote: Scaling Identity, Access, and Audit Controls to Internet Proportions

Tue, 01 May 2012 18:35:56 +0200

In KuppingerCole Podcasts

Mike Neuenschwander, Sr. Director, Oracle
April 17, 2012 18:50

Watch online

EIC 2012 Keynote: Free Customers: The New Platform

Tue, 01 May 2012 18:23:20 +0200

In KuppingerCole Podcasts

Doc Searls, Berkman Fellow, Berkman Center for Internet and Society at Harvard University
April 17, 2012 18:30

Watch online

EIC 2012 Keynote: What About Bring your own Device?

Tue, 01 May 2012 18:19:48 +0200

In KuppingerCole Podcasts

Dr. Barbara Mandl, Senior Manager, Daimler AG
April 17, 2012 18:10

Watch online

EIC 2012 Keynote: How do Today�s Technology Challenges make Real IAM Possible?

Tue, 01 May 2012 18:11:32 +0200

In KuppingerCole Podcasts

Jonathan Sander, Director of IAM Business Development, Quest Software
April 17, 2012 17:50

Watch online

EIC 2012 Keynote: What Standards Have Done and Will Do for Cloud Identity

Tue, 01 May 2012 18:06:34 +0200

In KuppingerCole Podcasts

Dr. Laurent Liscia, Executive Director, OASIS
April 17, 2012 17:30

Watch online

EIC 2012 Keynote: Externalized Authorization - What is it Good for?

Tue, 01 May 2012 18:03:36 +0200

In KuppingerCole Podcasts

Peter Weierich, Senior Strategy Consultant, iC Consult GmbH
April 17, 2012 17:10

Watch online

EIC 2012 Keynote: Cloud, Consumerization & Identity: Time to Transform the Security Model

Tue, 01 May 2012 18:01:08 +0200

In KuppingerCole Podcasts

Shirief Nosseir, Marketing Manager, CA Technologies
April 17, 2012 16:50

Watch online

EIC 2012 Keynote: Ripped from the Headlines � The �Privileged� Connection � Solved!

Tue, 01 May 2012 17:50:45 +0200

In KuppingerCole Podcasts

Roy Adar, Vice President of Product Management, Cyber-Ark
April 17, 2012 16:30

Watch online

CLOUD COMPUTING DEADLY SINS

Tue, 01 May 2012 11:45:32 +0200

In Mike Small

Adopting Cloud computing can save money, you need to avoid the seven deadly sins.

The Cloud provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However – many organizations are sleepwalking into the Cloud. Moving to the Cloud may outsource the provision of the IT service, but it does not outsource the customer’s responsibilities. There are issues that may be forgotten or ignored when adopting the cloud computing.

In medieval times the Christian church created the concept of the seven deadly vices to explain the human weaknesses that lead to sins. These are: wrath, greed, sloth, pride, lust, envy and gluttony sometimes known as the seven deadly sins. Of these vices one above all can lead to problems with Cloud computing. The deadly vice of Cloud computing is sloth which leads to inattention to details like:

Not knowing you are using the Cloud: it is easy to buy a Cloud service using a credit card – your organization may be using the Cloud without you knowing it. When you buy the Cloud service that way it is likely that you have agreed to the terms and conditions set by the provider and these may not be appropriate for your needs. You should to ensure that there is a proper process for obtaining a Cloud service and that this is followed.
Not assuring legal and regulatory compliance: many organizations have invested heavily to ensure that their internal IT systems comply with the legal and regulatory requirements for their type of business. You need to check that if you move these systems into the Cloud that you will not lose this compliance.
Not knowing what data is in the cloud: one of the key legal requirements for many organizations is compliance with data privacy laws. These mandate where personally identifiable data can be held and how it must be processed. If you don’t know what data you are moving to the Cloud you could be in trouble. This problem has become more acute because of the explosion in the amount of unstructured data like spread sheets, presentations and documents. It is essential that you identify and classify data you are moving to the Cloud to manage risks and ensure compliance.
Not managing identity and access to the cloud: controlling who can access what is even more important when data and applications are accessed via the Internet. Managing identity and access remains the responsibility of the customer when the data and application is moved to the Cloud. The best way to achieve this is through the use of identity federation based on standards like SAML and ADFS.
Not managing business continuity and the cloud: organizations adopting the Cloud need to determine the business needs for continuity of any services and/or data being moved to the Cloud. To support this they should have policies, processes and procedures in place to ensure that theses business requirements are met. These involve not only the Cloud Service Provider, but also the customer as well as intermediate infrastructure such as telecommunications and power supplies.
Becoming Locked-in to one provider: it is often claimed that the Cloud provides flexibility but how easy is it to change Cloud Service Provider? There are a number of factors that can make changing provider difficult. There may be contractual costs incurred on termination of the service contract. The ownership of the data held in the Cloud may not be clear and return of the data on termination of contract may be costly or slow. When data is returned it may not be in a form that can easily be used or migrated. Cloud services (built using Cloud Platforms, PaaS in particular) may be based on a proprietary architecture and interfaces making it very difficult to migrate to another provider.
Not managing your Cloud provider: you need to manage your Cloud provider just like any other outsourced IT service provider. This means defining and agreeing metrics via service level agreements and then making sure that these are achieved. You customer may wish to perform an audit of the provider but it may not be practical for the provider to allow every customer to perform their own audit. Certification of providers by a trusted third party is a way to satisfy this need. However it is important to understand what these service organization controls (SOC) reports cover.

Product Report: Virtual Forge CodeProfiler - 70585

Mon, 30 Apr 2012 09:52:16 +0200

In KuppingerCole

Die Analyse der Sicherheit von Programmcode ist eines der bedeutendsten Geschäftsfelder im Bereich der sicheren Software-Entwicklung. Für alle gängigen Programmiersprachen gibt es recht reife Produkte und die wichtigsten Innovatoren wurden von den großen Software-Herstellern aufgekauft.

Es gibt jedoch einen wenig beachteten Bereich der Software-Entwicklung, der nichtsdestotrotz recht wichtig für die Unternehmen ist: das so genannte Customizing von...
more

Quantifying Access Risk: How to Sell the Access Governance Project to your CFO

Thu, 26 Apr 2012 23:16:22 +0200

In KuppingerCole Podcasts

How can Access Risk be measured and made visual? How can it be used to prioritize processes such as Access Certification or Role Modeling? This webinar aims to explain new methodologies for Access Risk scoring to prioritize corrective actions and justify to your CFO why investment done on Identity & Access Governance project is good value for money.

Watch online

European Identity Award 2012 Ceremony

Thu, 26 Apr 2012 14:32:28 +0200

In KuppingerCole Podcasts

The European Identity Awards 2012 honoring outstanding projects and initiatives in Identity Management, GRC (Governance, Risk Management and Compliance) and Cloud Security were presented yesterday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2012 in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole, end-user companies and vendors during the last 12 months.

Watch online

Advisory Note: Making critical infrastructures in finance industry fit for the age of cyber attacks - 70405

Thu, 26 Apr 2012 11:14:21 +0200

In KuppingerCole

When looking at the topic of this research note, there are two major aspects to look at. One is about “critical infrastructures”; the other is about “the age of cyber attacks”. We’re looking at critical infrastructures in finance industry. However, this is at least to some degree also about finance industry as a critical infrastructure. The finance industry in its role as one of the backbones of the economy and of entire states is a critical infrastructure. If...
more

Photos from the EIC 2012

Wed, 25 Apr 2012 20:52:08 +0200

In European Identity Conference Blog

A selection of photos from the European Identity Conference 2012 has been published on our Facebook page.

All photos (over 400) you can find in our photo gallery. High-resolution photos are available upon request.

In other news, presentations from the conference are now available for download to all participants. If you have problems accessing them, please contact our technical support.

The Identity Explosion – one reason to re-engineer not only our IAM

Wed, 25 Apr 2012 12:11:52 +0200

In Martin Kuppinger

During my Opening Keynote at this year’s EIC (European Identity & Cloud Conference, www.id-conf.com), when talking about the Top Trends in IAM, Mobile Security, GRC, and Cloud Computing I used the term “Identity Explosion” to describe the trend that organizations will continue (or start) to re-define their IAM infrastructures in order to make them future-proof. I talked more about that in my presentation on “Re-engineering IAM to better serve your business’ needs” later during the conference. Interestingly, I heard the term “Identity Explosion” being used several times in other sessions after that, referring to my keynote.

So today I want to look at that buzzword, at what’s behind the buzzword, and the impact of this “Identity Explosion”. When looking at IAM (Identity and Access Management), it’s �about managing users and their access. However, most of the IAM infrastructures in place today were mainly built with the employee in mind. Even today I frequently observe in advisories that projects begin by starting with a focus on some (relatively) small groups of users, like the employees, some temporary workers, or maybe some of the business partners. However, the reality of many organizations is that they have – to use a real-world number – perhaps 28,000 employees and 4.5 million customers to deal with.

Thus one of the initial discussions in such advisories is always about ensuring that the scope is set wide enough: It is about looking at all potential types of users, at least during the conceptual phase. Organizations might start implementing for the internals, followed by business partners, and then the customers (and leads and prospects and suspects). But the design has to have the “Identity Explosion” in mind: This massive growth in the number of of identities to deal with. That starts with simple things like the structure of identifiers and ends with scalability issues and the integration of different technical approaches, for example versatile, risk- and context-aware authentication and authorization. I’ve seen companies struggling with the identifiers they have chosen only with employees in mind spending a lot of money to fix that.

But it is not only – and not even mainly – about the costs. It is about agility. If IT is not prepared to deal with all types of users and provide identity and security services for them, then IT will fail in supporting the business demands. These are about integration with partners and a tight interaction with the customers (and leads and so on). IT has to be prepared for that. It has to understand that there will be this “Identity Explosion” anyway, with a massively growing number of identities to deal with.

An interesting aspect which isn’t yet discussed much in this context is business policies, including segregation of duties. How do you deal with the situation in which the same person (e.g. you or me) could have at the same point in time the identity of a customer, freelance broker, and employee of the same insurance company? Three identities which have to be understood and managed: The same person might sell an insurance contract to himself and approve it, using three different identities.

And what I’ve discussed so far is just a small bang. The big bang is about the “Internet of Things”, at least for many organizations. An automotive vendor has to deal not only with his customers, dealers, employees, and suppliers. He also has to deal with the cars themselves, which again split up into many devices with their own “identity”. This again will increase the number of identities to deal with.

Having the “Identity Explosion” in mind when working on strategies, concepts, and implementation of IAM and all the related technologies helps avoid solutions which can’t scale with the changing business requirements. Thus looking at your current IAM and thinking about how to get ready for that is one of the things you should start doing now.

Advisory Note: IT-Initiativen 2012-2013: Eine 6*3-Matrix - 70609

Tue, 24 Apr 2012 13:46:37 +0200

In KuppingerCole

Welche Initiativen sollen 2012/2013 auf der Agenda von CIOs ganz oben stehen? Diese Advisory Note liefert, basierend auf dem kontinuierlichen Research von KuppingerCole, Vorschläge für die Beantwortung dieser Frage. Im Report werden für sechs Themenfelder jeweils drei Initiativen vorgeschlagen, die für die kontinuierliche Weiterentwicklung der IT besonderen Nutzen versprechen und die eine Reaktion auf laufende und kommende Trends darstellen. Das Ziel ist eine IT, die...
more

EIC 2012 – My Pickings

Tue, 24 Apr 2012 12:54:06 +0200

In Dave Kearns

We’ve just concluded the sixth EIC, the European Identity and Cloud Conference. It was my fifth, but I continue to learn something new each time. Before I get into what I learned this year, a brief note to mention that EIC 2013 will return to Unterschleissheim (just outside Munich) from May 14-17. Begin to book now, it’s sure to be even bigger and better than ever.

I’ve been going to technology conferences, both big and small, for 25 years and it never ceases to amaze me that there’s always something new to learn – either a new technology, or a new way to look at technology. While it’s true that there is really nothing new under the sun – “cloud computing,” for example, has remarkable similarities to datacenter computing from the ‘60s and ‘70s – it’s also true that there is always a different way to look at data, facts, or technology which can give insights into better ways to conduct business. This year there were three such “truths” that stood out for me.

First, Dr. Barbara Mandl, who is Senior Manager of Daimler AG, responsible for the Global Daimler IT-Organization as CoC Identity and Access Management delivered a keynote entitled “What About: Bring your own Device?” Her opinion? It’s not about the device. Rather, it’s about the data, the information. While it’s true that building services to provision users and their myriad devices can be daunting, you should never lose sight of what is really important – protecting the data that is central to the organization. This is also a reminder that we frequently get bogged down in details that – in the end – don’t really matter to the detriment of the things that do.

The second was part of a discussion I had with Deepak Taneja, founder and CTO of Aveksa. We were having a discussion about “the Cloud” (so many of my conversations were about that topic), talking about why people move to Software as a Service (SaaS) or “Cloud Computing” as we now call it. What we concluded was that people were still having the same discussion that they’d had 10 years ago – only the names were different. In the late nineties people argued about Windows, Linux or Macintosh as the “best” platform to install applications on. Today, it’s about “The Cloud” or the datacenter. Now I’m not trying to minimize the differences between the cloud and the datacenter, there are major differences in terms of cost and other resources used, but when talking strictly about applications and services then it should be about the applications and services. Just as when we argued about operating systems, or about whether it was better to install apps on the server or the desktop, when we argue about using “the Cloud” or “the Datacenter” then we’re talking about the wrong thing. The most important decision is to pick the right application or service – that one that best fills our need. Choosing the platform first is like choosing a restaurant because of the color of the plates they use.

As in all computing, pick the app that serves you best, then pick the platform that best supports that app. Take into account the costs of planning, setup, installation, distribution, maintenance, upgrades and so on, but unless there are major disconnects, pick the app or service that does what your business needs it to do, and does it in a way that’s efficient, easy to use and secure.

Finally, last – but far from least – was a statement from Susan Morrow. She’s Head of Research and Development at London’s Avoco Secure Ltd. And is involved in the design of Cloud based, verified, consumer identities for use by governments and commercial organizations. I emphasize that she’s involved in design. Susan is also active in the Kantara Initiative’s User Managed Access protocol, again as part of the design team. She was on a panel I moderated on Consumer Identity (what we used to call User-Based Identity) but caused us – especially me – to sit up and take notice when she offered an opinion near the end of the group discussion. She urged that vendors actively recruit more women for their application (and service and protocol) design teams. Not simply because they’re severely underrepresented (although they are) but because they have (in general) a very different point of view from men. She contends (and, upon reflection, most of the audience agreed) that women, in general, take a more holistic view of things including technology.

The dictionary defines “holistic” as: “relating to or concerned with wholes or with complete systems rather than with the analysis of, treatment of, or dissection into parts…” What she meant was that men often get bogged down into small parts of the design while losing sight of what the overall plan is. After thinking a moment I realized that this relates directly to something my wife often tells me. Here’s an example. My wife may be cooking and realize that she needs cilantro for the dish, but doesn’t have any in the fridge. She’s aware that sending me out for some means I won’t come back until I’ve found it – even if it means visiting dozens of stores and spending hours in the search. If she goes herself, she’ll go first to the most likely store, but if there isn’t any cilantro she’ll then think about what she can substitute. The difference is that she sees the big picture – delivering a tasty dinner to the table on time – while I see the detail – finding cilantro!

It’s something that all vendors and all software designers need to keep in mind, but it would be easier if a woman was on the design team.

This is analogous to the KuppingerCole theme that IT’s job is to support the business rather than to create beautiful technology. Technology is just a tool of the enterprise; it’s the plumbing on which the services and applications run. But it isn’t really about the services and apps, either. It’s about the output and how that furthers the goals of the business.

The French tells us that the more things change, the more they stay the same (plus �a change, plus c’est la m�me chose). And it is the biblical book of Ecclesiastes (attributed to King Solomon) that tells us that “there is nothing new under the sun.” But I’m telling you that there is always a new way to view what we feel are “truths” and that new way might very well be better that the old way.

See you in Munich in 2013!

EIC 2012 – some take-aways

Mon, 23 Apr 2012 15:57:15 +0200

In Martin Kuppinger

EIC 2012, the European Identity and Cloud Conference, is history now. We had a week fully packed with a lot of great keynotes, sessions, panels, and workshops. For me, it definitely was the year in which the EIC was most influential to my own thinking. The reason for that was simply that we had a lot of very good panels and other types of sessions related to some research we published around EIC or are currently working on. The three key topics were:

The KuppingerCole IT Paradigm which we have described as a model for developing IT infrastructures and organization in a way that it is fit for the large changes we are facing, like Cloud Computing, the impact of Mobile Computing, and others.
The Open API Economy, a concept which Craig Burton had started writing about quite a while ago and which is fundamentally changing the way service providers, organizations, app providers, and even individuals will work together.
Life Management Platforms, a concept which goes well beyond the limited reach of most of today’s Personal Data Stores and Personal Clouds. It will fundamentally affect the way individuals share personal data and thus will greatly influence social networks, CRM (Customer Relationship Management), eGovernment, and many other areas.

These topics all are tightly related. Doing IT with focus on services and information security allows consuming services much more efficiently. The Open API Economy provides these services and is increasingly successful, with massive growth of available APIs and their use. Life Management Platforms will require organizations to deal differently with services that affect individuals – and individuals will be able to expose their personal data in a privacy-aware and secure way that they never have been able to before.

There are several KuppingerCole reports available around these topics – and we are working on new ones which will be published soon. Some of them will go into more detail. One of the documents will cover the consumer view on the Open API Economy. There will be more scenarios, looking at the impact of the KuppingerCole IT Paradigm for other areas of IT, like Access Governance, Enterprise GRC, or IT Service Management.

There will be research which looks on the changing economics for CRM and the impact Life Management Platforms will have there. There will be other research looking at the very interesting and promising economics of Life Management Platforms. And there will be research looking at how concepts like the Open API Economy and Life Management Platforms are essential to the “real world”, such as making the Connected Car/Vehicle really work.

However, EIC was for certainly not only about these new hot topics. An important topic at EIC, more down to earth, was modern architectures for IAM (Identity and Access Management). We’ve had interesting sessions around this topic, including a workshop focusing on whether, when, how and where to migrate legacy identity provisioning systems.

EIC again was a great mix of thought leadership and best practices, with some very interesting and well attended workshops on Friday. Organization for EIC 2013 Europe has begun. The conference will be again in May (instead of April). The details will be announced soon. But you should block mid May 2013 now for the next EIC.

Trend Report: Top Trends 2012-2013 - 70516

Fri, 20 Apr 2012 10:48:14 +0200

In KuppingerCole

As in the past years, KuppingerCole has worked out the Top Trends in IT in general, Cloud Computing, GRC (Governance, Risk Management and Compliance), IAM (Identity and Access Management) and Mobile Computing. The most important trends are, from our perspective, an increasing level of compromise of digital certificates, the proliferation of “Bring your own Device” (BYOD), and the need for better encryption among other preventive measures to ensure Data Loss Prevention (DLP) and...
more

European Identity Award 2012

Thu, 19 Apr 2012 17:43:56 +0200

In KuppingerCole

The European Identity Awards 2012 honoring outstanding projects and initiatives in Identity Management, GRC (Governance, Risk Management and Compliance) and Cloud Security were presented yesterday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2012 in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole, end-user companies and vendors during the last 12 months. Award winners...
more

Advisory Note: European Identity Award 2012: OpenID Connect - 70706

Thu, 19 Apr 2012 07:42:12 +0200

In KuppingerCole

Best New Standard 2012 in Category „Best Innovation/New Standard in Information Security”: Providing the Consumerization of SAML. Driving the adoption of federation and making this much simpler.

Advisory Note: IT-Initiatives 2012-2013: a 6*3-Matrix Report - 70612

Thu, 19 Apr 2012 07:21:09 +0200

In KuppingerCole

Which initiatives should be top on the agenda of CIOs in 2012/2013? This Advisory note suggests answers to this question, based on the ongoing research of KuppingerCole. The report proposes three initiatives within six areas, which promise specific benefits for the future development of IT. They represent responses to current and future trends. The goal is an IT, which is fit for the future, but at the same time based on what is feasible, and is oriented at the meaningful and the...
more

European Identity Award 2012

Wed, 18 Apr 2012 22:04:34 +0200

In KuppingerCole

Der European Identity & Cloud Award 2012, mit dem die besten Projekte und Initiativen rund um Identity & Access Management, GRC (Governance, Risk Management and Compliance) und Cloud Security ausgezeichnet werden, wurde von der Analystengruppe KuppingerCole im Rahmen der derzeit in M�nchen stattfindenden European Identity & Cloud Conference (EIC) verliehen. Die Jury w�hlte die Gewinner aus Vorschl�gen aus, die von den Analysten der KuppingerCole-Gruppe, von Anwenderunternehmen und Herstellern...
more

Best Practice: European Identity Award 2012: Swisscom - 70705

Wed, 18 Apr 2012 20:54:24 +0200

In KuppingerCole

Special Award 2012 for „Mobile Security”: Swisscom MobileID – secure and easy authentication using the mobile phone with minimal impact on hardware based on ETSI Mobile Signature Standard.

Best Practice: European Identity Award 2012: Sanofi S.A. - 70704

Wed, 18 Apr 2012 20:53:09 +0200

In KuppingerCole

Best Project 2012 in the Category „Best Cloud Security Project”: Implementing Federation quickly to support business requirements. Federation becoming a business enabling technology.

Building the foundation for future business cases. Enabling secure access to Cloud applications.

Best Practice: European Identity Award 2012: Europol - 70703

Wed, 18 Apr 2012 20:51:36 +0200

In KuppingerCole

Best Project 2012 in Category „Best Access Governance and Intelligence Project”: Strategic IAM project adding centralized auditing across all IAM modules.

Ready for further expansion of auditing in an IAM ecosystem in a highly security-sensitive environment, including external collaboration.

Real-time monitoring beyond simple audit logs.

Best Practice: European Identity Award 2012: Siemens AG - 70701

Wed, 18 Apr 2012 20:49:33 +0200

In KuppingerCole

Best Project 2012 in Category „Best Identity and Access Management Project”: Enabling the hybrid Cloud in an audit-proof way.

Based on a flexible, scalable, standards-based architecture. Supporting complex, dynamic approval workflows in a very large scale environment.

Getting Personal: How can Each of us Live in a World of Corporate Silos � While also Building a World that Transcends them?!

Sun, 15 Apr 2012 14:10:05 +0200

In European Identity Conference

This is the title of Doc Searls opening talk in the Life Management Platforms Roundtable at EIC 2012.

Advisory Note: Migration Options for your Legacy Provisioning - 70607

Fri, 13 Apr 2012 12:05:58 +0200

In KuppingerCole

Migrating an existing provisioning system always becomes a red-hot topic once a vendor becomes acquired by another vendor. In these situations - like the acquisition of Sun Microsystems by Oracle, of Novell by NetIQ, of Völcker by Quest Software and all the other acquisitions we’ve seen in the past - customers are anxious regarding the future roadmap and the impact on their own infrastructures. However, when looking at reality, there are far more situations in which...
more

Advisory Note: IAM and GRC Market � the Evolution in 2012/2013 - 70580

Fri, 13 Apr 2012 12:02:22 +0200

In KuppingerCole

IAM (Identity and Access Management) and GRC (Governance, Risk Management, and Compliance) are two of the most important IT market segments these days. They are driven by various factors. One is increasing regulatory pressure. Companies need to manage their risks, including access risks to their corporate information. That has put IAM and GRC on top of the IT agenda.

However, IAM and GRC are also enabling technologies to help enterprises better deal with major trends in overall IT....
more

Advisory Note: Life Management Platforms: Control and Privacy for Personal Data - 70608

Fri, 13 Apr 2012 11:58:53 +0200

In KuppingerCole

Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy- and security-aware sharing of that information, without the risk of losing control of that information. A key concept is “informed pull”...
more

Advisory Note: Rating Methodology for Products and Vendors - 70555

Fri, 13 Apr 2012 11:55:31 +0200

In KuppingerCole

KuppingerCole as an analyst company regularly does evaluations of products and vendors. The results are, amongst other types of publications and services, published in the KuppingerCole Product Reports and KuppingerCole Vendor Reports.

KuppingerCole uses a star rating to provide a quick overview on our perception of the products or vendors. The categories of this rating and the reasons for deciding for a specific number of stars are explained later in this document.

Advisory Note: Privilege Management - 70177

Fri, 13 Apr 2012 11:50:24 +0200

In KuppingerCole

Privilege Management - which, in the KuppingerCole nomenclature, is called PxM - is the term used for technologies which help to audit and limit elevated rights and what can be done with shared accounts. During the last few years, PxM has become increasingly popular. Some vendors have enhanced their offerings significantly, while acquisitions have also led to vendors with broader offerings.

The reason for that growth is the increasing demand in the market.
PxM is on its way...
more

Scenario: The Future of IT Organizations - 70350

Fri, 13 Apr 2012 11:45:03 +0200

In KuppingerCole

When looking at today’s IT, it is driven by some major evolutions. Everything which is done in IT has to take these evolutions into account. One is Social Computing. The second evolution is Mobile Computing. The third evolution is Cloud Computing. All these trends affect IT fundamentally. The consumerization and deperimeterization of IT are logical consequences. Information technology (IT) is available to virtually everyone and virtually everywhere.

When looking at the Future...
more

Scenario: Understanding Cloud Computing - 70157

Fri, 13 Apr 2012 11:41:29 +0200

In KuppingerCole

This research note is one of series of documents describing KuppingerCole’s basic positions and providing insights into IT Service and Information Security Management. It describes the varieties of Cloud services and delivery models, the principal risks associated with Cloud computing and how the Cloud fits within the IT service delivery options for an organization. It relates the Cloud back to the basic building blocks of IT service delivery which together form the basis for...
more

Martin Kuppinger: Dynamic Access Control unter Windows Server 8

Thu, 12 Apr 2012 22:02:40 +0200

In KuppingerCole

Beim Windows Server 8 stellt DAC im Bereich der Sicherheit eine wichtige Neuerung dar. DAC steht f�r Dynamic Access Control und schafft auf Grundlage der Datenklassifizierung eine neue Ebene f�r den Zugriffsschutz von Dateien.
more

EIC 2012 – what I will talk about

Wed, 11 Apr 2012 17:47:32 +0200

In Martin Kuppinger

Next week, EIC 2012 (European Identity and Cloud Conference) will take place in Munich. The conference will again grow significantly, and we will have a mass of interesting sessions there, ranging from keynote sessions to panels, best practices, and several workshops and roundtables. You definitely shouldn’t miss that conference.

I want to give a sneak peek at what I will talk about this year. The Opening Keynote on Tuesday, April 17^th, 2012 will be about trends in IAM, GRC, Cloud Computing, and Mobile Security. I also will provide a quick view of the KuppingerCole IT Paradigm, which is one of the central themes provided by KuppingerCole at EIC 2012. We have defined that paradigm and the underlying model based on our experiences in research and advisory services to provide a consistent guideline for refining IT and to really become ready for the age of Cloud Computing, Mobile Computing, and Social Computing. This model is about how to provide the services business really wants while securing corporate information adequately. I think it helps a lot in adapting IT organizations to the changing requirements of business.

A little later, I will be part of an interview-style keynote session, which is about the privacy and information security challenges we are facing in 2012 and beyond. This definitely will become an interesting discussion, with Roy Adar of Cyber-Ark, Shirief Nosseir of CA Technologies, and Jim Taylor of NetIQ participating and Dr. Nigel Cameron of the Center for Policy and Emerging Technologies (C-PET) moderating the session.

The following day, I’ll start with a session that explains how the KuppingerCole IT Paradigm helps in increasing the value IT provides to the business. Following that presentation, we will have a panel discussion about how IAM can catalyze the secure enterprise. This panel will definitely become a highlight of EIC 2012, with some Ex-Burton analysts participating: Craig Burton, Gerry Gebel, and Mike Neuenschwander.

After that session, I’ll use the KuppingerCole IT Paradigm to describe what the future IT Organizations should look like – an IT Organization which is much closer to the business and which helps in dealing with changes such as Cloud Computing. There will be a new report describing this topic coming out right before EIC (and there are also new and updated reports on the KuppingerCole IT paradigm available).

Another very valuable report will be the one on “Personal Data – Life Management Platforms”. There will be a roundtable on that topic moderated by Doc Searls, of the Berkman Center for Internet and Society at Harvard University, and myself.

Another session will be about “One IT, One IAM” – this is a session going beyond IAM and linking Cloud, IAM, and the way we structure IT. This is about how to end up with one IT that serves all your needs instead of separate solutions for different types of Clouds and your on-premise IT.

Also pretty interesting is the “Re-engineering IAM” session. I have just written two reports, an update on my view of Access Governance Architectures and another one looking at whether, when, how, and where to migrate existing legacy Provisioning systems you might have.

In a joint session with Craig Burton we will link the KuppingerCole IT Model and the API Economy, a paradigm focusing on the increasing number of available APIs and their use.

Besides these sessions, I’m also involved in some others around virtualization and the security of Big Data. And there will be some other new reports out for EIC, written by several of the KuppingerCole analysts like Craig Burton, Fulup ar Foll, Prof. Dr. Sachar Paulus, Mike Small, Dave Kearns, and me.

So there’ll be a lot of interesting topics at EIC 2012. There will be for sure many more sessions on other topics and there will be virtually all relevant players in the exhibition area. So don’t miss EIC 2012.

You will find all information about EIC here: www.id-conf.com

All current and upcoming KuppingerCole research is available here: www.kuppingercole.com/reports

User-centric Identity – the Ethernet of identity protocols?

Tue, 10 Apr 2012 12:37:49 +0200

In Dave Kearns

Back in the mid 1990’s, Fiber Distributed Data Interface (FDDI) was touted as the networking protocol of the future. It could handle traffic of 100 megabits per second (mbps) and was considered far more reliable than Ethernet (which was only 10 mbps, anyway) as it was a deterministic protocol based on the Token Bus architecture (similar to Token Ring). Standard Ethernet protocol was considered to be unable to provide more than 10 mbps bandwidth and – due to its “collision detection” technology – was also considered unreliable. Yet here we are today with most networks tied together by 100 mbps and even gigabit Ethernet! How is that possible?

Simple, really: what we call “Ethernet” today is vastly different from the protocol Bob Metcalfe invented and that we used in the early to mid 90’s.

Ten years ago we were all agog over what became known as “user-centric identity”, which was effectively launched at the first Internet Identity Workshop when a group of people merged their projects: OpenID, Lightweight Identity (LID), Sxip, and XRI. Microsoft’s CardSpace eventually associated with the group, but CardSpace was never subsumed into OpenID, preferring to define transaction points where the two protocols could interact.

Well, you know the rest of the story. Microsoft appears to have abandoned CardSpace. OpenID was co-opted by Google and Facebook who forked the open source protocol to create their own identity systems. Sxip disappeared into the hungry maw of Ping Identity, and XRI development has, essentially, ceased.

But there’s a new lightweight, user-oriented identity protocol rising, and it’s called “OpenID Connect”! And OpenID Connect bears a relationship to OpenID similar to Gigabit Ethernet’s relationship to Metcalfe’s Ethernet. That is, they share a name.

OpenID Connect goes a long way towards solving some of the problems of OpenID, especially security issues, as it includes a binding to the Secure Access Markup Language (SAML) protocol and is built on top of Oauth, while maintaining a semblance of an easy-to-implement system for developers and easy-to-use for users. As a plus, Google is actively participating in its development while Facebook and Microsoft are looking on to see if the effort to join the party will pay dividends in terms of people’s usage.

And, since SAML is part and parcel of most enterprise identity federation schemes (including those that connect the enterprise to cloud-based platforms) the work on OpenID Connect could bridge the divide between Enterprise Identity and that which we called “User-centric”.

But it’s no longer called “User-centric” identity. Today’s term is “Consumer Identity” and it’s part of the movement called the “Consumerization of IT” (CoIT), which has evolved from the Bring Your Own Device (BYOD) movement.

Not only are enterprise users bringing their own device, they’re connecting to “x-as-a-service” (Software aaS, Platform aaS, etc.) entities on their own, which could compromise corporate data as well as the users own safety and security.

Business protocols in the consumer space, corporate consumers acting as their own IT dept., all thrown together by a few simple protocols. See how it’s all interconnected?

Next week at the European Identity & Cloud Conference (EIC) I’ll be moderating a half-day track on Consumer Identity, while BYOD will be the topic of a webinar we’ll be announcing for early May. More on BYOD in the next issue, today let’s set the table for Consumer Identity.

Joining me at EIC are a number of veterans of the User-centric Identity battles including Microsoft’s Kim Crawford, Tony Nadalin (formerly IBM) & Mike Jones, OpenID’s John Bradley & Don Thibeau, XRI’s Drummond Reed and Google’s Andrew Nash. We’ll be joined by a number of others involved in various aspects of consumer identity and CoIT as we discuss three distinct topics.

First off, we’ll do an overview of current trends in Consumer Identity Systems. Microsoft’s Cameron, & OpenID’s Bradley will be joined by Colin Wallis (New Zealand Government), Susan Morrow (Avoco Secure Ltd) and Malcolm Crompton (Information Integrity Solutions) to look at trends in the face of consumer expectations concerning their online experience which is becoming ever more sophisticated. At the same time, the negative aspects of online privacy are becoming better understood and more frequently questioned by those consumers. These issues are impacting the design and development of consumer identity systems and it’s a question of whether our current offerings, such as SAML with OpenID Connect, can provide the type of identity system that will perform to the expectations of this increasingly sophisticated audience in terms of user control, privacy and security.

The second session will be a review of the status of key internet identity protocols including OpenID Connect, OAuth 2.0 and Account Chooser. Here I’ll be joined by Axel Nennker (Telekom Innovation Laboratories) as well as Microsoft’s Jones, OpenID’s Bradley and Google’s Nash. This promises to be a high level overview of the protocols, and an explanation of why major technology companies have standardized on them. One topic we will surely discuss is how the functionality of the OpenID v2 protocol has been re-implemented on top of OAuth to create OpenID Connect. The session will also delve into the security problems of websites that run their own password based login systems, and what they can do to improve their security as well as their users’ experience.

Finally, Microsoft’s Nadalin, OpenID’s Thibeau, & Google’s Nash along with Drummond Reed (Connect.Me), Scott David (K&L Gates LLP) & Jeff Stollman (Secure Identity Consulting) will gather to toss around the topic “Barn-Raising At Internet Scale: Trust Framework Development for Open Identity”.

This will be a fascinating look at how a group of people came together in response to the US Government’s call for development of a safe, secure identity framework for the internet. In April 2011, the US Department of Commerce released its National Strategy for Trusted Identities in Cyberspace (NSTIC) which called for a public-private partnership to create a secure commercial, social, and civic identity ecosystem. The Open Identity Exchange (OIX) has taken the lead in constructing both the rules and tools for the rapid, internet-scale creation of such an ecosystem: the Trust Framework. Other governments have now joined in the call for secure public protocols that protect citizen identities and we’ll touch on those as we see how they relate to NSTIC. The question, then, is two-fold: can these systems be created and be effective, and can various national systems inter-relate and coexist.

As always, it promises to be a group of lively sessions with the occasional difference of opinion that can bring about greater understanding. If you’ll be at EIC, mark these sessions on your agenda. If not, we’ll be writing about the conclusions, at least, in future entries. Either way, this will touch on topics and reach conclusions important to each and every one of you.

Identity & Access Management in the Cloud: Real or a Mirage?

Fri, 30 Mar 2012 10:18:23 +0200

In KuppingerCole Podcasts

Traditional IAM solutions have not kept pace with cloud innovation. Therefore, new approaches to identity and access management are gaining ground. Should you move your IAM infrastructure to the cloud? What is the role of related standards? These and more questions will be addressed in this webinar.

Watch online

Pierre Fran�ois Regamey, CIO at Lausanne University Hospital, will speak at EIC 2012

Thu, 29 Mar 2012 18:38:58 +0200

In European Identity Conference

Pierre François Regamey, CIO at CHUV – Centre Hospitalier Universitaire Vaudois, will talk about his experiences from the Deployment of a Role Based Access Identity Management System.

Rabobank International Best Practice at EIC 2012

Thu, 29 Mar 2012 17:36:36 +0200

In European Identity Conference

Jethro Cornelissen, Global Head of Security Operations at Rabobank International, will talk about Identity & Access Governance (IAG): Building the Business Case & Implementation.

Dr. Barbara Mandl: "Bring Your Own Cloud"

Thu, 29 Mar 2012 17:18:41 +0200

In European Identity Conference

Dr. Barbara Mandl from Daimler AG will talk in her keynote about the Future of BYOD.

Product Report: Virtual Forge CodeProfiler - 70583

Thu, 29 Mar 2012 15:56:05 +0200

In KuppingerCole

Code security analysis has become one of the most important business segments servicing the secure development of software. Products are pretty mature for every mainstream programming language, and large IT companies have acquired the major technology innovators in that segment.

There is, though, an area of software development that receives little attention, although being quite important for businesses: the so-called customizing of SAP applications. Customization in SAP...
more

Security > 140 Conversation with Craig Burton

Wed, 28 Mar 2012 15:26:44 +0200

In Craig Burton

I had a conversation with Gunnar Peterson recently. Here is the transcript of the exchange. It is short but worth looking at.

Today’s Security > 140 Conversation is with Craig Burton is a Distinguished Analyst at KuppingerCole, in his� recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations’ priorities.

Gunnar always asks insightful questions. I really enjoy his presentations each year at the Cloud Identity Summit. Not sure if I will be speaking this year or not.

Technology Report: Access Governance Architectures - 70219

Tue, 27 Mar 2012 14:14:48 +0200

In KuppingerCole

Access Governance is about the governance and management of access controls in IT systems and thus about mitigating access-related risks. These risks include the stealing of information, fraud through changing information, and the subverting of IT systems, for example in banking to facilitate illegal actions, to name just a few. The large number of prominent incidents within the last few years proves the need to address these issues – in any industry. There are an increasing number...
more

Cloud Identity and Synchronization

Tue, 27 Mar 2012 14:09:17 +0200

In Dave Kearns

I saw a marketing brochure the other day that claimed “Today’s average enterprise utilizes 16 different directories,” touting their synchronization engine for provisioning and de-provisioning. The vendor’s take seemed to be that 16 was a huge number, but I merely chuckled to myself. Fifteen years ago, while barnstorming the US for a provisioning vendor I would frequently ask the audience how many identity stores they’d identified in their organization. I still remember one memorable response: “we’ve found 116, but we’ve only just started looking.”

Ten years ago, soon after the Liberty Alliance introduced the concept of “federation” as a way for partners, clients, vendors and others to share authentication and authorization, I discovered – again, by asking users at a conference session – that one of the major uses of the federation technology was to connect the different parties after mergers and acquisitions so that the newly formulated organization could do real business while the IT department caught up with the different, disparate and often unconnectable systems that existed in the various parts of the enterprise. The standout memory here was one of the “big 5” US banks who had acquired a small, community bank in California which was still running one update program on an old (i.e., pre-1980) Z-80 single-board machine which couldn’t be integrated with the bank’s network nor was it viable to re-write the software. They never did find a way to connect it directly to the bank’s systems.

All this is to say that by early in the 21^st century, both synchronization and federation were being used to connect various identity data stores throughout the enterprise. As for data stores located “beyond the firewall” (back in those days there really was a firewall around the enterprise network), very little was being done. What had been called “web services”, and which was now morphing into “software as a service”, wasn’t much involved in the movement of identity data yet, although it was certainly much talked about by analysts and pundits.

At this time, too, simplified sign-on (SSO) was largely confined to systems within the enterprise even though there was a lot of talk about SSO for web services.

Provisioning for what would eventually be called “cloud services” was, essentially, non-existent. Although Business Layers, the pioneer in provisioning apps, had – at the time they announced eProvisionware, provisioning for the enterprise – promised that provisioning for external users and apps would be coming “real soon” it still hadn’t occurred 5 years later when the company was acquired And its products disappeared.

Ten years ago, when Service Provisioning Markup Language (SPML) was launched, one of its tenets was that SPML would enable cross-organizational provisioning with a vague reference to some sort of cloud-like service. Ten years later, we’re still waiting.

Identity services in the cloud-computing arena pretty much boil down to a choice of federation or synchronization.

We’ll be doing a session at the European Identity and Cloud Conference called “Federation or Synchronization – the Future of the Cloud” featuring Patrick Harding from Ping Identity, Andrew Nash from Google and Darran Rolls of SailPoint, three gentlemen very familiar with these two methods. To kick off that session I’ll be speaking about “What Federation is About – in Theory and in Practice.” So for today I’ll concentrate on synchronization.

Synchronization services are part of the bread and butter of cloud computing. Services such as Dropbox which synchronize file shares between and among various client desktops allow us greater freedom when moving about the world. Dropbox in concert with CloudOn allows me to bring my necessary Microsoft Office documents with me on my iPad – and edit them on that device. But that’s for files, what about identity data?

Directory systems, such as Active Directory, have built in replication mechanisms. Some cloud services take advantage of these to enable easy provisioning of cloud service users. One of the better implementations is – what else? – Microsoft’s own Office365.

Office365 is a cloud-based office productivity service with versions for small, mid-sized and large enterprises. The SMB version (approx. $6/user for up to 50 users) includes:

Cloud-based email using your own domain name;
Shared calendars;
Instant messaging, PC-to-PC calling, and video conferencing;
Web-based viewing and editing of Word, Excel, PowerPoint, and OneNote files;
Team site for sharing files; and
External website

For large organizations, you can bundle in licenses for desktop versions of the Office suite as well.

Office365 uses Active Directory synchronization to move user identity information between your datacenter and the cloud space. It should be noted that Office365 can also use a federation mechanism (which Microsoft refers to as single sign-on) which enables your company’s users to sign in to Office 365 by using their corporate credentials. Microsoft recommends you start this way while setting up synchronization – which can take a while.

Synchronization of AD for Office365 takes a bit of preparation, some testing, and a multiphase commit so that you can back away if you want. Once you’ve committed to synchronization it can be difficult to reverse.

In a Microsoft Office 365 environment, source of authority refers to the location where Active Directory directory service objects, such as users and groups, are mastered (an original source that defines copies of an object) in a cross-premises deployment. For example, by running Active Directory synchronization, you are mastering objects from within your on-premises Active Directory. Alternatively, when you create objects by using the Exchange Control Panel (ECP) or the Office 365 portal, you are mastering objects from within the Office 365 cloud.

Office 365 requires a single source of authority for every object. This reduces the likelihood that directory data could be inadvertently overwritten.

By default, Office 365 directory objects are mastered in the cloud, which means they must be edited by using cloud-based tools. You can use the Office 365 portal, Windows PowerShell, or the ECP to create users, mailboxes, contacts, and groups in the cloud directory. All subsequent changes to these objects are also made by using the same tools. In this scenario, the source of authority is in the cloud.

When the directory synchronization tool is activated in the Office 365 Admin page, and after the first sync cycle has been completed, the source of authority is transferred from the cloud to the on-premises Active Directory. In this scenario, users, contacts, and groups are created on-premises and then synchronized to the cloud. All subsequent changes to the cloud objects (with the exception of licensing) are mastered from the on-premises Active Directory tools. The corresponding cloud objects are read-only. Administrators cannot edit cloud objects if the source of authority is on-premises.

Up until the completion of that first sync cycle, you can safely back out of the synchronization scenario.

If you’re interested in the specifics of Microsoft’s synchronization for Office365, you should read “Directory synchronization and source of authority,” which has all the details.

To synchronize your directory data either from a non-Active Directory system in your datacenter or to a non-Active Directory system in the cloud (or both), the cloud service provider needs to invest in a synchronization service such as The UnboundID Synchronization Server. This allows you to synchronize data between and among LDAPv3, RDBMS, and Active Directory data repositories. With the UnboundID server – but not necessarily with others – in addition to synchronizing data with standalone repositories, the server also provides a notification service that allows the service provider’s cloud applications or the customer’s on-premise applications to subscribe to receive messages from each other based upon changes made to monitored directory data, thus providing automated synchronization. Some other vendors’ service requires that synchronization be done manually.

You should investigate whether or not your cloud service provider (or potential cloud service providers) offer directory synchronization services. It’s much cleaner and more complete (as far as supporting the full panoply of IAM services) than federation. But because it can take a bit of time to initiate and fully test before going to production, its best to begin with a federation scheme which at least lets you control adding and removing users via your datacenter provisioning service.

And, remember, you can find out much more about synchronization and federation at the European Identity and Cloud Conference, April 17-20, in Munich. See you there!

Martin Kuppinger: Managing Trust � Wie schafft man Vertrauen?

Mon, 26 Mar 2012 12:33:01 +0200

In KuppingerCole

�Managing Trust� war das Leitthema der diesj�hrigen CeBIT � bei KuppingerCole besch�ftigen wir Analysten uns schon seit vielen Jahren damit. Die Frage des Vertrauens ist aber vor allem auch eine Frage von Informationen und Kontrolle.
more

Product Report: Oracle Database Firewall - 70339

Mon, 26 Mar 2012 10:12:42 +0200

In KuppingerCole

Oracle Database Firewall is part of Oracle’s defense in depth approach to security, providing a first line of defense for databases by analyzing database traffic before it reaches the database. Oracle Database Firewall expands Oracle’s solutions for heterogeneous databases, supporting Oracle Database, SQL Server, IBM DB2 LUW, and Sybase ASE. MySQL support was introduced in the most recent release. Unlike most other products in that area, Oracle Database Firewall accurately...
more

Conducting an Orchestra - The New Role of IAM

Fri, 23 Mar 2012 13:16:11 +0100

In KuppingerCole Podcasts

With the loss of control over many resources through current trends like BYOD (bring your own devices) and usage of cloud services, enterprise IT is going through a radical change. In this webinar, you will learn about the new role of Identity & Access Management as an information security cornerstone.

Watch online

Why the US Cyber Chief is wrong: It’s not a tide of Cyber Criminality – there will be no ebb tide

Thu, 22 Mar 2012 15:22:52 +0100

In Martin Kuppinger

Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget requesting 3.4 billion US$ by itself. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency) is quoted as saying “Nation-state actors in cyberspace are riding a tide of criminality.”

I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by global warming – with the important difference that the increasing cybersecurity challenge is not happening gradually over a period of dozens of years but more or less as a tsunami, almost immediately. We most likely will see some “decrease in increase” or, in other words, lower growth rates in cybercrime. But I don’t expect to see a decrease in absolute numbers within a foreseeable period of time.

And it is not only about nation-state actors in cyberspace, but about all actors in cyberspace which are causing that rise. States are affected because they are the target of other nation-state actors, but also of organizations like Anonymous or Lulz Sec, and for the classical attackers like script kiddies and other non-organized hackers. On the other hand, they are most likely not the target of that part of cybercrime which is related to organized crime. When looking at other organizations, they are more likely to become the target of all these types of attackers.

The good thing about quotes like the one mentioned is that they prove that at least some states (the U.S. probably more than many European countries) have understood the challenge they are facing. But to me it sounded somewhat too optimistic.

What we have to do is to act on this challenge, by systematically and strategically improving our IT security. That requires a holistic view on the topic. It requires a risk-based approach. We need to understand the risks and act according to these risks. We need to have plans if something happens anyway. It will cost a lot of money. But by doing it right, there is a huge potential for saving at least some of the money which otherwise is thrown out of the window with little or no impact on an improved IT security.

To learn more about Information Security, GRC, and the role IAM plays therein, visit EIC 2012, Munich, April 17^th to 20^th.

Returning (or finally bringing?) Identity and Access Management (IAM) to the User

Thu, 22 Mar 2012 08:01:20 +0100

In KuppingerCole Podcasts

IAM needs the involvement from the end users and their business line managers, because it is there where access related risks can be handled best. Join us in this webinar to discuss, how you can leverage acceptance of your IAM solution.

Watch online

Encryption is only as good as the protection of its keys

Wed, 21 Mar 2012 14:28:21 +0100

In Martin Kuppinger

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group, which specializes in encryption. They offer, amongst several other technologies, HSM (Hardware Security Modules) and Enterprise Key Management solutions.

The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private signature key. This key has been stolen from a Swiss company.

This new Trojan proves three points:

Every company is a target for attackers. No single company should feel safe just because it is either small or in an industry which appears not to be that attractive for attackers.
Attacks are getting increasingly sophisticated. Mediyes is just one example of this – they needed to obtain that key in a first attack to start the Mediyes attack.
Encryption relies on the security of keys.

The first two points are covered here, amongst other posts, articles, and podcasts of mine.

The third point is another important one. If the keys aren’t secure, everything relying on them is insecure as well. That is true for compromised CAs (Certificate Authorities), and it is true for every single private key you are using and every key used in symmetric encryption.

Thus it is mandatory to focus more on Enterprise Key Management and overall Information Security. Keys have to be well managed and secured. Not having an appropriate management and security for these keys – for every type of encryption, from digital certificates to symmetric encryption of your communication lines – leaves the doors wide open for attackers. It is necessary when starting with Enterprise Key Management to first of all know which keys are out there and how they have been protected (or not) until now. Then you can start improving the management of these keys.

Notably the term is Enterprise Key Management and not Storage Key Management or anything like that. It is not about looking at some keys, it is about looking at all of them.

To learn more about APTs (Advanced Persistent Threat), the changing threat landscape, about Enterprise Key Management and overall IT Security, you should attend EIC 2012� in Munich, April 17^th to 20^th.