Versatile authentication – break-through for mass adoption of strong authentication?

11.03.2010 by Martin Kuppinger

Versatile authentication is one of the hot topics in IT – more and more vendors are starting to support it in one way or another. Versatile, a not very common term, means the ability to switch flexibly between different authentication methods. In practice, versatile authentication solutions should support at least the following features:

  • Flexible use of different authentication methods.
  • Simple plug-in of additional authentication methods, i.e. extensibility.
  • Flexible interfaces for applications, or integration with existing technologies which interface with other apps.
  • Support for step-up authentication and other more advanced approaches.

Other aspects like fallback methods, management support for handling the token logistics and so on are value-adds, depending on the implementation of the versatile authentication technology.


Back to the basics – you still need “core IAM”

03.03.2010 by Martin Kuppinger

These days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management. And, even more: that is the foundation for many of the other things like Access Governance, because it’s not only about auditing but as well about managing (and, honestly, it’s much more about managing and enforcing preventive controls than about auditing in a reactive way, isn’t it?).

Thus, you shouldn’t ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of the best hidden secrets at the same time), or Enterprise SSO. You will find a lot of podcasts and webinar recordings at our website. Thus, I won’t analyze everything around that but focus on a few points why we still should consider the core IAM market as relevant:

  • Provisioning tools have matured over the past years – and they frequently support many of the “new” features like access certification. Thus, you can do a lot of things relying only on these “basic” tools instead of adding too much on top of them. Not all, but a lot. That has to be carefully analyzed, but in several cases one tool definitely is the better solution than multiple tools. That’s like in real life: there are advantages for the multi-tool, there are advantages for the specialized tools.
  • If you look at the market, then there are relatively few really big organizations. Most of them have some IAM. But, more precisely, most of them have more than one IAM approach and implementation. Thus, they have integration issues, which is an important market, with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendency to implement some point solutions in some areas – for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
  • The medium-sized businesses frequently don’t have much provisioning and other IAM solutions in place. Thus, there is a huge market opportunity, as well for on-premise as cloud-based solutions.
  • Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.

The reason why there is somewhat less attention from the marketing departments of vendors on that segment (at least when looking at some vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruits instead of focusing on products with a long sales cycle and a lot of competition appears to be logical from a sales perspective. However, that leaves a large portion of the market blank, and it doesn’t fill the pipeline sufficiently for a time when the low-hanging fruits might have been picked.

It’s not up to me to judge about vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the “classical” segments – innovative, focused,…).

From a customer perspective, the buzz and fuss around the new topics might divert the focus from the things which have to be done as a foundation, on which other things can be built. Thus, customers always should keep in mind that they can’t be successful without doing their homework. And that includes providing a solid foundation for provisioning – with an adequate architecture for the customer’s requirements. I’ll blog about these architectures soon, but you might as well look here - I’ve touched the topic in this webinar.

Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.

Why IPv6 might benefit from European and German privacy regulations

03.03.2010 by Martin Kuppinger

Yesterday, the German Federal Constitutional Court declared the German law on “Vorratsdatenspeicherung” illegal. That wasn’t a real surprise, given that this is overall well aligned with other decisions of the Federal Constitutional Court. Two interesting annotations: There were some 35.000 plaintiffs against this law. And the German Minister of Justice, Sabine Leutheusser-Schnarrenberger, was amongst them. She started the lawsuit while in opposition – now she had the interesting situation that there was a lawsuit by her against Germany, represented by her – so she would have been a winner in that case anyway.

The law on “Vorratsdatenspeicherung” (a nice term, isn’t it, as long as the name of the Minister of Justice) is about the collection of data at ISPs and other types of service providers – about connection logs in internet and telephony services. They had to be kept for six months to allow investigations. The law has been formulated based on an EU guideline, but exceeded the minimum requirements of that guideline. The fact that this law has been declared illegal might affect the EU guidelines as well, because they are criticized not only in Germany but in other countries too. It probably will also affect other instances of massive and undifferentiated data collection by the German state.

The Federal Constitutional Court doesn’t forbid the collection of information. However, the current law didn’t fulfill the requirements of data security, didn’t comply with some other laws (like the protection of preachers, doctors,… and their confidentiality requirements), and didn’t restrict the use of the information sufficiently. Interestingly, the Federal Constitutional Court also decided that the information has to be deleted immediately (or at least as fast as possible), thus the decision goes beyond other decisions which allowed the government to first improve the law, without changing the status quo.

After the decision of the Federal Constitutional Court had been unveiled, the discussions about the next steps started immediately – and that’s where IPv6 comes into play. Within its decision, the Federal Constitutional Court declared that connection data of churches, some governmental organizations, and other specified parties must not be stored. That led to the argument of the lobbyists of the “internet economy” (e.g. ISPs and so on) that this can’t be implemented. Given that IP addresses are usually assigned dynamically, it wouldn’t be feasible to exclude some groups. But, honestly, that isn’t true. It is true as long as you rely on IPv4 and dynamic IP addresses (and given that they are limited, we have to). But it isn’t true with IPv6. In other words: when relying on IPv6, you can comply with the decision of the German High Court. Given that the technology supporting IPv6 is out in most areas – client operating systems, servers,… – at least in most cases, the answer is simple: finally switch to IPv6 as the standard protocol and you’re done. Overall, we’ve been waiting way too long for IPv6 becoming the primary protocol and IPv4 being used only for backwards compatibility. This decision, with its impact on the entire European legislation in that field, thus might become a push towards IPv6.

What business has to learn so that IT can align

26.02.2010 by Martin Kuppinger

We’re talking a lot about the need for IT to align with business. But it’s not a one-way street. There is no doubt that IT has to think much more “business”. Risk focus (here and here), performance management, the understanding of IT as Information Technology instead of Information Technology, the path towards an ERP for IT,… I think that many CIOs and CISOs are well aware of this and many of them are working towards that goal.

However, if I look at the business side, it appears to me that IT still is somewhat ignored when it is about alignment. Two examples out of many from my practice:

  • When talking about GRC initiatives at the IT level, customers frequently complain about risk management initiatives with focus on organizational risks where they are not even able to start a discussion about integration. However, any IT risk is just a risk because it’s associated with organizational and (sometimes) strategic risk. Thus, you can’t ignore the IT risk perspective from an “Enterprise” GRC perspective (which, by the way, is sort of an arrogant term, ignoring exactly the fact I’m discussing here – “Business GRC” would be much more appropriate). You can’t run a business without IT. It’s part of the operations. And IT risks might have severe impact on your overall business performance – look at fraud in financial institutions, data theft, and so on.
  • When talking with the Business GRC vendors – look at the upper layer here – some of them (not all!!!) show an attitude of “we’re doing the relevant business GRC instead of the irrelevant IT things” and claim that they don’t need to provide integration or to support the IT part of the business.

However, given that IT is an important part of every business (the German BaFin – the government agency responsible for auditing and controlling the financial institutions – explicitly claims that IT is a core part of banking business and has to be understood that way), that means ignoring risks. And, even more, it means ignoring that there are elements in risk management which are provided by IT. You need automated controls besides the manual controls. And all the Business GRC tools are IT tools, by the way.

The problem from my perspective is that both some vendors and many of the responsible people in organizations don’t want to play with the IT guys. However, they could not only do a much better job by better executing their controls, but they could as well do their job correctly, by really addressing the whole breadth of (operational and strategic) risks.

That’s just one example where business has to learn to better align with IT – and it’s not the only one. Look at the description of business services. For sure there has to be a translation into IT services at some point in time. But before you can do that, you have to have something which can be translated. And frequently, the problem isn’t the translation but what has to be translated. If the original text isn’t sufficient, the translation result never will be. Everyone dealing with software development probably has made this experience: many issues in software development are caused by insufficient descriptions of the requirements.

I think that it is time that not only IT understands that it exists only because it provides value to the business, but that businesses rely on IT and thus have to align with IT. And that Business/IT alignment is definitely not only something where IT has to learn a lot. Businesses have to learn as well – to understand the operational impact of IT (and IT risks), to describe their service requirements, to accept that the operational risk associated with an IT risk has to be balanced with the opportunities of a business service. Just think about all the insecure applications we have in organizations just because a department required them and IT security concerns have been ignored. That has not only been because IT wasn’t able to translate the IT risk into an operational risk – it has been as well because business didn’t understand IT.

Thus, both have to learn. And sometimes it appears to me that business has to learn even more than IT. Not only the people within organizations, but the consultants at the different levels as well. So if your consultant for risk management hasn’t yet covered the operational impact of IT risks and how to deal with that, you should ask him why – and if he doesn’t provide a valid answer, you should re-think the engagement…

Approaches to secure your data in databases

17.02.2010 by Martin Kuppinger

Last week I had an interesting briefing with IBM regarding their Guardium acquisition. With that acquisition of a company specialized in database security, IBM becomes the second large vendor investing in that area, following Oracle, which has had Database Security products in its portfolio for some years now. The IBM/Guardium deal fits pretty well in the current time, when looking at the increasing problem of information theft. Besides IBM and Guardium there are some smaller vendors in that market which I will cover in another post soon.

IBM Guardium, in contrast to the Oracle approach, is not tied to a specific database management system but works as an external solution. There are obviously pros and cons for both approaches. Performance, administration, flexibility regarding the defined policies and other aspects differ significantly. Thus, before choosing solutions, a detailed analysis of these approaches should be performed (and KuppingerCole will provide a market overview for database security around April which might be a good starting point for such an analysis).

The entry of IBM in that market shows an increasing maturity and relevance of this particular IT market segment. And it raises the question of which role database security can play within IT security. From my perspective, it is an interesting area which is mandatory to protect sensitive information. Information in databases is at risk, and cases like BKK or the stolen data from Swiss banks offered to the German government prove that. However, this is just one element within an IT security strategy focusing on authorized access to data. Securing the database with the wrong policies or with giving away privileged accounts to untrustworthy parties won’t help much. Thus, database security projects never ever should be driven by the database guys but must be understood as an element within IT security blueprints. Only a consistent approach to security will really reduce the security risks and thus the related operational risks.

Even more, I think that database security always will be somewhat limited in its scope. Once data is outside the database, it doesn’t protect the data anymore. In the long run we might have to fundamentally rethink the concepts of today’s databases and make them “security-aware”. What do I mean by that? Data within databases should be inherently protected. Think about applying concepts we find today in Information Rights Management (IRM) at the document level at a much more granular level to data within databases, ensuring that any record (or part of a record) can only be accessed according to defined policies. Such an approach would have massive impact on the existing technology. How to index? How to deal with encrypted information? How to define these policies? However, if you look at database security from a very fundamental point of view, it becomes obvious that applying database security to existing databases won’t fully solve the problem because it is only about “data at rest”.

Nevertheless, I think that any organization has to think about implementing database security in the meantime, until we have better solutions sometime in the far future – I’d expect fundamental changes to database technology to take at least 10-15 years to become ready for mass adoption. It might take even a little longer. To cite John Maynard Keynes, the famous economist who focused on theories with a short-term view when being criticized for not looking at long-term evolutions: “On the long term we are all dead”. Given that, short-term we should evaluate and implement existing database security approaches, rethink the authentication and authorization approaches within databases (using the GRANT statement a little bit more detailed…) and integrate this with our overall IT security and governance approaches (and especially IAM). In the meantime, the vendors have to think about how to do the next fundamental step to make DBMS inherently security-aware.
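The “security-aware” data access the two preceding paragraphs ask for (any record or part of a record only readable according to a defined policy, with authorization more fine-grained than a plain GRANT) can be approximated today with a policy layer in front of the database. The following is an added illustration written for this page; it is not code from IBM Guardium, Oracle or any other product mentioned here. The schema, roles, rows, policy table and role names are constructed, and SQLite stands in for a real DBMS.

```python
"""Record- and field-level access policy enforced in front of a database
(added illustration; schema, roles, rows and policy are constructed)."""
import sqlite3
from typing import Dict, List, Tuple

# Constructed policy: role -> (columns the role may read, row predicate keyed on the caller).
# A call-center role gets contact fields only, never clinical data; a physician gets
# clinical data only for patients they treat; an auditor sees assignments, not content.
POLICY: Dict[str, Tuple[List[str], str]] = {
    "physician":   (["id", "name", "diagnosis"], "treating_physician = :caller"),
    "call_center": (["id", "name", "phone"], "1 = 1"),
    "auditor":     (["id", "treating_physician"], "1 = 1"),
}

# Every decision, allowed or denied, is recorded here (constructed audit trail).
AUDIT: List[Tuple[str, str, List[str], str]] = []


class PolicyError(PermissionError):
    """Raised when a request falls outside the caller's policy."""


def open_db() -> sqlite3.Connection:
    """In-memory table with constructed patient rows."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE patient(id INTEGER PRIMARY KEY, name TEXT, phone TEXT, "
        "diagnosis TEXT, treating_physician TEXT)"
    )
    con.executemany("INSERT INTO patient VALUES (?, ?, ?, ?, ?)", [
        (1, "A. Example", "+49 000 1", "constructed dx 1", "dr_x"),
        (2, "B. Example", "+49 000 2", "constructed dx 2", "dr_y"),
        (3, "C. Example", "+49 000 3", "constructed dx 3", "dr_x"),
    ])
    return con


def query(con: sqlite3.Connection, role: str, caller: str, columns: List[str]) -> List[dict]:
    """Return only the rows and fields the role's policy allows.

    Column names are checked against the role's allow-list before they are placed in
    SQL, and the caller id is bound as a parameter, so neither input can alter the
    statement; a request for a single disallowed column is rejected as a whole."""
    if role not in POLICY:
        AUDIT.append((role, caller, columns, "denied: unknown role"))
        raise PolicyError(f"unknown role {role!r}")
    allowed, predicate = POLICY[role]
    denied = [c for c in columns if c not in allowed]
    if denied:
        AUDIT.append((role, caller, columns, f"denied: {denied}"))
        raise PolicyError(f"role {role!r} may not read {denied}")
    sql = f"SELECT {', '.join(columns)} FROM patient WHERE {predicate}"
    rows = con.execute(sql, {"caller": caller}).fetchall()
    AUDIT.append((role, caller, columns, f"allowed: {len(rows)} rows"))
    return [dict(zip(columns, r)) for r in rows]


def demo() -> dict:
    """Exercise the policy with constructed callers; returns the outcomes."""
    con = open_db()
    out = {}
    out["physician_own_patients"] = [r["id"] for r in query(con, "physician", "dr_x", ["id", "diagnosis"])]
    out["call_center_rows"] = len(query(con, "call_center", "agent1", ["id", "phone"]))
    try:
        query(con, "call_center", "agent1", ["id", "diagnosis"])
        out["call_center_diagnosis"] = "allowed"
    except PolicyError:
        out["call_center_diagnosis"] = "denied"
    # A caller value that tries to widen the predicate is just a string that matches nobody.
    out["forged_caller_rows"] = len(query(con, "physician", "dr_x' OR '1'='1", ["id"]))
    return out


if __name__ == "__main__":
    print(demo())
    for entry in AUDIT:
        print(entry)
```

The point of the layer is that the policy, not the application’s SQL, decides which columns and rows reach a caller, and that every decision leaves an audit record; in a real deployment the policy would live in the DBMS or an external enforcement point rather than in a module-level dictionary.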

What you could do with stolen data – a squib

17.02.2010 by Martin Kuppinger

Last week, the German health insurance company BKK had to disclose a severe information leak. The company was blackmailed because someone had stolen masses of sensitive patient records. Besides the fact that the way this happened shows an astonishing carelessness when dealing with IT security and privacy at the BKK and raises many questions (see below), there are some interesting new options for the German government to work with this data.

You could, for example, take such patient records and combine them with the recently acquired stolen data from Switzerland about potential tax fraud. If you take, for example, people who recently showed insomnia or started bed-wetting, that should be fully sufficient for an initial suspicion by the attorneys. And that is just the tip of the iceberg. There are so many other interesting opportunities of combining patient records with other types of information… Thus, the thief probably should have approached the German government instead of the BKK. They are always willing to buy stolen things and to make use of them, as they have proven recently.

Some words about the BKK case itself: The BKK had outsourced some tasks to a call center. There had been no audit of the privacy, IT security, or data protection approaches of that outsourcer. In fact, it appears that there have been other outsourcers and freelancers involved. Besides this, there was an IT company involved which did the support for the outsourced call center. The employees of that IT company had some privileged accounts with access to massive amounts of sensitive patient records.

Overall, there has obviously been a lack of understanding of IT security and privacy issues I have seldom seen before, at least not in the healthcare and finance industry. No valid concept for differentiated access controls, no privileged access management, no data leakage prevention, nothing. Incredible – but true.

Simplifying or over-simplifying authentication?

10.02.2010 by Martin Kuppinger

My colleague Jörg Resch recently blogged a lot about approaches for “lightweight” authentication and the risks associated with them. There are many companies out there with new or claimed-to-be-new approaches on more or less strong and more or less valid authentication. Whether that’s the approach of isec, of GrIDsure, of Yubikey or one of the many other vendors out there, I doubt that the holy grail of authentication is among them. Some of them are definitely interesting, some of them not. Many of them are interesting as one element in an authentication strategy – like GrIDsure, which is OEMed by other vendors as part of their solutions. There is no doubt that many of these solutions can provide value in specific use cases – Multifactor Corp. provides something for and from the cloud, Yubikey is lightweight, GrIDsure as well. There are other approaches where I doubt that they really provide the required usability. I’m not a friend of approaches where you have to recognize pictures or faces, but they appear to have their market as well.

However, what’s really important around all these approaches for strong authentication are two other aspects:

  1. How do they integrate and work together?
  2. Are they adequate to protect the transactions and interactions within a specific use case?

My point is: It is not about choosing the authentication mechanism but about choosing the best mix of a few mechanisms, depending on your use cases. That requires an authentication (and authorization) strategy. That requires platforms for versatile authentication like the ones offered by vendors like ActivIdentity, Entrust, Oracle, and others. That requires a clear understanding of the risk and thus the security requirements of different use cases. Then it is about choosing the appropriate mechanism or a mix of them, using step-up authentication if required, and so on.

The biggest risk is that authentication is either not usable or too simple. That might happen when relying on a single mechanism. By mixing several ones, things become much easier.

To learn more about that, you definitely should visit the European Identity Conference in Munich, May 4th to 7th. And there will be a market overview on the strong authentication market by KuppingerCole within the next few days – have a look at www.kuppingercole.com/reports.

How much security do we need?

04.02.2010 by Martin Kuppinger

My colleague Jörg Resch blogged today about the ignorance regarding layered security approaches. Yes, there is no absolute security. Security is something which is tightly related to risk. Given that we can’t have the perfect security, especially not with people using systems, it’s always about the balance between the security-imposed risk and the cost of risk mitigation.

That’s a very simple balance: the higher the risks are, the more you can and should spend on risk mitigation – as long as risk mitigation is feasible (which is not always the case – a life insurance doesn’t help you mitigate the risk of dying…). I deliberately used the term “security-imposed risk”. It is NOT about security risks, but about the consequences of security-related incidents. Stolen data and their abuse, illegal transactions, customer loss due to a decrease in credibility,… – that’s what it is about.

But that doesn’t change the fundamental point: when thinking about security we have to think about risks. I’ve blogged about Risk Management before. What we have to understand is that there is not THE information or system which has to be protected. We have different types of systems, information, and transactions which are at different risk. And we have to apply security (technology and organization) according to the risk associated with these different systems, information, and transactions.

There is not THE level of security you need. You need appropriate security for different types of transactions and interactions (and the related systems). Using risk as the main criterion in decisions about security investments helps to optimize what is done in IT security. And focusing on a few consistent approaches at different levels (for example a few different types of authentication with step-up features and so on, based on a versatile authentication platform; for example a consistent authorization strategy with a few consistent levels of management and protection) will be much cheaper than spending too much money for point solutions like many (not all) of the DLP tools out there.

Understanding that different types of interactions and transactions have to be protected differently is the key to successful IT security concepts. Risk is the core criterion to do that. Interestingly, that is not really new. What governmental and military organizations are doing in “information classification” (having started long before the invention of the computer) is nothing else than using risk as a criterion and defining different levels of protection for different interactions and transactions. Such concepts don’t have to be extremely complex. But a differentiated view has to be the guideline for everything which is done in IT security.
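The feature list of the first post (flexible use of methods, plug-in of additional methods, step-up authentication) and the argument of this post (classify transactions by risk and apply a few authentication levels with step-up, rather than one level for everything) describe the same small piece of architecture. Here it is as an added example written for this page; it is not the code of ActivIdentity, Entrust, Oracle or any other vendor named above. The assurance scale, the transaction classes, the user, the passwords and the OTP secret (the RFC 4226 test-vector secret, so the codes can be checked against the RFC) are all constructed.

```python
"""Versatile authentication with risk-based step-up: pluggable methods, a policy
mapping transaction classes to assurance tiers, and a check that names the
registered method that would raise a session to the required tier.
Added illustration; all users, secrets, tiers and transaction classes are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Method:
    name: str
    assurance: int                        # constructed scale: 1 weak .. 3 strong
    verify: Callable[[str, str], bool]    # (user, credential) -> accepted?


class VersatileAuth:
    def __init__(self, policy: Dict[str, int]):
        self.policy = policy                 # transaction class -> required tier
        self.methods: Dict[str, Method] = {}
        self.sessions: Dict[str, int] = {}   # user -> highest tier reached

    def register(self, method: Method) -> None:
        self.methods[method.name] = method   # plugging in a method changes nothing else

    def authenticate(self, user: str, method: str, credential: str) -> int:
        m = self.methods[method]
        if not m.verify(user, credential):
            raise PermissionError(f"{method} rejected for {user}")
        self.sessions[user] = max(self.sessions.get(user, 0), m.assurance)
        return self.sessions[user]

    def check(self, user: str, tx_class: str) -> Optional[List[str]]:
        """None if the session meets the class's tier; otherwise the methods that
        would step it up (an empty list: no registered method satisfies the policy)."""
        need = self.policy[tx_class]
        if self.sessions.get(user, 0) >= need:
            return None
        return sorted(n for n, m in self.methods.items() if m.assurance >= need)


# Constructed credential stores for one user.
_SALT = b"constructed-salt"
_PW = {"alice": pbkdf2("correct horse", _SALT)}
_OTP_SECRET = {"alice": b"12345678901234567890"}   # RFC 4226 test-vector secret
_OTP_COUNTER = {"alice": 0}


def verify_password(user: str, pw: str) -> bool:
    return user in _PW and hmac.compare_digest(_PW[user], pbkdf2(pw, _SALT))


def verify_otp(user: str, code: str) -> bool:
    """Accept only the code for the current counter, then advance it (no replay)."""
    if user not in _OTP_SECRET:
        return False
    ok = hmac.compare_digest(hotp(_OTP_SECRET[user], _OTP_COUNTER[user]), code)
    if ok:
        _OTP_COUNTER[user] += 1
    return ok


def build_platform() -> VersatileAuth:
    """Two methods registered; the policy deliberately has a tier no method reaches."""
    auth = VersatileAuth({"view_statement": 1, "transfer_small": 2, "transfer_large": 3})
    auth.register(Method("password", 1, verify_password))
    auth.register(Method("otp", 2, verify_otp))
    return auth


def demo() -> dict:
    """One user through a step-up flow; returns the decisions the platform took."""
    auth, out = build_platform(), {}
    auth.authenticate("alice", "password", "correct horse")
    out["view_after_password"] = auth.check("alice", "view_statement")   # None: allowed
    out["small_after_password"] = auth.check("alice", "transfer_small")  # ['otp']: step up
    code = hotp(_OTP_SECRET["alice"], _OTP_COUNTER["alice"])
    auth.authenticate("alice", "otp", code)
    out["small_after_otp"] = auth.check("alice", "transfer_small")       # None
    out["large_after_otp"] = auth.check("alice", "transfer_large")       # []: policy gap
    try:
        auth.authenticate("alice", "otp", code)                          # replayed code
        out["replay_rejected"] = False
    except PermissionError:
        out["replay_rejected"] = True
    return out
```

Two details carry the argument of the post: the policy table is the only place where “how much security” is decided, per transaction class rather than per system, and `check` returning an empty list surfaces a policy that demands a tier no registered method provides, which is the gap an authentication strategy is supposed to catch before a point solution is bought for it.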

To learn more about this and to discuss this with your peers, have a look at our upcoming virtual conferences and our European Identity Conference 2010.

German politicians argue against the German eID

31.01.2010 by Martin Kuppinger

Today, some influential German politicians started arguing against the upcoming German eID card in a Sunday newspaper. The eID card is planned to be available by November 1st. The main argument is that the costs of the project are increasing – there is the request for some additional 7 million Euro for advertising. The politicians claim as well that experts doubt the need for the eID card. They propose to shift the introduction to 2020.

There are for sure some points with the German eID card which you can discuss. However, the arguments of these politicians just show that they don’t understand anything of what they are talking about. No big surprise, you might claim – they are politicians. To provide my view on this:

  1. Yes, the eID card costs a lot of money. However, new things typically aren’t for free. And given that the eID card is a government project, there is a lot of politics and lobbying in, which never ever saves money. Anyhow, it doesn’t appear to be excessively costly.
  2. The concept of the German eID card might not be perfect, but it goes beyond most other approaches when looking at principles like “minimal disclosure of information” and the supported use cases as well for public as for private use.
  3. Security is well solved. There are some people claiming that fingerprints aren’t secure. Yes – there might be some fraud. But the eID card is way beyond the alternatives we have today and which could be used in a mass market. I personally think that it is much better to take some (significant) step forward in security instead of standing still and looking for the Nirvana.
  4. The concepts have to be explained to the public. That is an educational effort which will take time and which will cost money. However, we should look not only at potential downsides but might concentrate on the positive things – and there are many interesting use cases. There is a lot of potential within the German eID card.
  5. There are experts (I thought about putting the term into quotes…) – no surprise, you will always find experts who support your opinion, especially as a politician.
  6. You definitely can wonder about why we need a health card and an eID card on a national basis – one card might be sufficient (especially given that you have to educate people on the privacy concepts for both cards and thus you might reduce the efforts on this…).

I could add many more points to that list. However, I think that this is just another example of politicians talking about things they don’t understand at all. There is some value in the German eID card. It is based on a well-thought-out concept. There are things which might be improved – and many of the shortcomings we might observe at the beginning will be solved. It will take some time for the mass adoption – again no surprise. But overall, it is absurd to stop this project now and to restart it in some ten years. That would mean that much more money than it will ever cost to bring the project to a successful end will be destroyed and will have to be spent again in some years. Thus, there is definitely no sense at all in stopping this project now. But there is a lot of sense in spending some extra money on educating the citizens, to make it successful.

Data Leakage Prevention and the Acting of the German Government

31.01.2010 by Martin Kuppinger

In Germany, there is these days (again) a discussion about whether the German State shall buy data about fiscal fraud. There is someone from Switzerland who offers illegally obtained data about German citizens who have transferred illegal earnings to bank accounts in Switzerland, not paying taxes for this. Germany some months ago bought such data about bank accounts in Liechtenstein, to identify fiscal fraud and to penalize it.

That leads to some highly interesting questions, and there is a political debate about whether to do that or not. It is obviously illegal to buy stolen goods in the knowledge that they have been stolen. Data is amongst these goods, for sure. It is highly questionable whether actions of the attorneys based on such data are legal – I doubt this and I’d expect that the German Federal Constitutional Court will accept this once the first lawsuits about this are brought before it. Thus it might end up that any penalties against this fiscal fraud aren’t permissible, being based on invalid evidence (or evidence derived from invalid evidence, because the data will allow the attorneys to request the account details from the Swiss banks – it just provides a list of accounts as a foundation for follow-up queries). It might also occur that several of these accounts aren’t about fraud – and again, it might turn out to be illegal to do such mass queries based on too little evidence. And: buying stolen goods (in case you know that they have been stolen or that you have to assume that they were stolen) is punishable. Thus, the people deciding on doing that are definitely acting against the law and might be penalized. That will be up to the courts to decide.


© 2010 Martin Kuppinger, Kuppinger Cole + Partner