The Future of IT Organizations – why IT needs a marketing department

16.05.2012 by Martin Kuppinger

Some weeks ago we published a report called “The Future of IT Organizations“. This report talks about how to restructure IT Organizations, following the basic structure we propose for IT in the KuppingerCole IT Paradigm. That paradigm is first described in the KuppingerCole Scenario “Understanding IT Service and Security Management”. From our perspective, IT organizations have to change fundamentally in order to redefine the way we do IT to better deal with challenges like Cloud Computing.

When looking at the future of IT, there is one area which I find particularly interesting. Some of this came to my mind when reading one of the blog posts of Chuck Hollis, Global Marketing CTO of EMC Corporation. The blog post is titled “Why IT Groups will invest in Marketing” and is focused on the need for marketing.

What I liked in that post was the distinction of inbound and outbound marketing for IT – a distinction I picked up and for which I have to credit Chuck. I then aligned it with the KuppingerCole IT model, adding another element which is “product management”.

The IT of the Future is demand-driven. Today’s IT should be as well but reality frequently shows a different picture. Providing the services business really needs is very much about that demand-driven IT. That requires understanding the customers. And that is where the topics of Outbound and Inbound Marketing come into play.

Outbound Marketing is the more common approach. We all are familiar with this in everyday life when getting confronted with advertisements and other types of market communication from vendors. For IT Organizations there are two main aspects for Outbound Marketing:

  • Positioning IT as the one and only source of the services business requires
  • Selling the IT services which are produced on-premise as part of these business services

The first part is of high importance because IT should remain in control (or get back control) of all the IT services which are either produced on-premise or procured from the Cloud. Without centralized control organizations will, over time, struggle massively with their IT services. Furthermore, there is no way to get a grip on IT cost without such centralized control.

The other part of outbound marketing is mandatory as well. The ability to sell the services which are produced on-premise is important. On-premise IT is in competition with cloud services. Thus it is not only about producing the “better” IT services; it is also about selling them. IT Organizations have to change their attitude from being reactive to becoming a proactive provider of services to the business organization.

But there is the other side of the coin as well. That is about Inbound Marketing. Inbound Marketing is even more about the customer’s need – with the customer being the business part of your organization. Inbound Marketing is (amongst other things) about

  • The specific needs of your customer
  • Identifying the buyers on the customer side (which even in large organizations frequently is not as clear as it should be when it comes to budget discussions)
  • Understanding how the customer wants to consume

It is about understanding the customer and driving the IT Organization in a way that the right services are offered. In fact this is about a strategic and standardized approach to providing exactly the services business needs.

From an organizational perspective, IT has to fundamentally change its interaction with business. It is about bringing the demand-supply principle to life, which has been discussed for quite a while. The need to do that is greater than ever.

What do IT organizations need at that level?

  • They need to identify the “customer’s customers”, i.e. the persons within the business organization who are requesting the business services. That might require changes in the business organization as well, given that the business needs contact points. Notably, these persons might be less technical than today, given that the ideal of the future IT organization is to provide business services the way business needs them.
  • They need, as mentioned earlier, IT Marketing, i.e. persons caring for the outbound as well as the inbound marketing.
  • They need “product managers”. If you look at large and successful vendors, product management always plays an important role. They are the link between the customer and software development. They have to translate between customer requirements and development. Much the same role applies here: they work closely with IT Marketing and the customer’s customers on one side and with Service Management within the IT Service & Security Management Layer on the other, mapping between the two.

Simply said: IT Organizations in their changing role as suppliers to the demand of business should act like successful software organizations – with the difference that they don’t need that level of sales but more the marketing and product management parts.


Intention and Attention – how Life Management Platforms can improve Marketing

15.05.2012 by Martin Kuppinger

Life Management Platforms will be among the biggest things in IT within the next ten years. They are different from “Personal Data Stores” in the sense of adding what we call “apps” to the data stores and being able to work with different personal data stores. So they allow working securely with personal data by using such apps, which consume but do not unveil that data – in contrast to a data store which just could provide or allow access to personal data. They thus are more active and will allow every one of us to deal with our personal data while enforcing privacy and security. Regarding “Personal Clouds”: these might be or become Life Management Platforms. However, I struggle with that term given that it is used for so many different things. I thus prefer to avoid it. Both today’s personal data stores and personal clouds have a clear potential to evolve towards Life Management Platforms – let’s wait and see. I’ve recently written a report on Life Management Platforms, describing the basic concepts and looking at several aspects like business cases. This report is available for free.

The other big thing around this topic is the book “The Intention Economy”, written by Doc Searls. It is a must-read, and even though it mainly focuses on the relation between vendors and customers, there is a big overlap between what Doc has written there and what we at KuppingerCole expect to happen with Life Management Platforms.

Doc’s basic point is that the Intention Economy will change the relationship between vendors and customers. I like these two quotes:

“Relationships between customers and vendors will be voluntary and genuine, with loyalty anchored in mutual respect and concern, rather than coercion. So rather than ‘targeting’, ‘capturing’, ‘acquiring’, ‘managing’, ‘locking in’, and ‘owning’ customers, as if they were slaves or cattle, vendors will earn the respect of customers who are now free to bring far more to the market’s table than the old vendor-based systems ever contemplated, much less allowed.”

“Likewise, rather than guessing what might get the attention of customers – or what might ‘drive’ them like cattle – vendors will respond to the actual intention of customers. Once customers’ expressions of intent become abundant and clear, the range of economic interplay between supply and demand will widen, and its sum will increase. The result we will call the Intention Economy.”

“This new economy will outperform the Attention Economy that has shaped marketing and sales since the dawn of advertising.”

Yesterday I did a presentation at an event organized by doubleSlash, a German consulting and software company focused on sales and marketing. The so-called “slashTalk” had the title “After the Social Media Bang” and focused on what companies will have to do now. There were several marketing executives and experts from different companies in the room.

Before my presentation on Life Management Platforms there was another presentation which I found extremely interesting. Björn Eichstädt, founder and managing partner at Storymaker, a company which originally started as a PR agency, talked about his view on attention and why today’s marketing fails (in most cases). Björn has a degree in neurobiology, so he is far more than just a PR guy. He talked about “attention” and the small period of time within which you can catch someone’s attention. It can be done, for instance with what today’s social networks provide, but it isn’t easy. On the other hand, providing what fits the current target of attention is much more promising than trying to change the attention, as traditional marketing does.

Taking this view, the one of Doc Searls, and the idea of Life Management Platforms the way we at KuppingerCole have it in mind shows where things become really interesting: A Life Management Platform allows expressing your Intention. The Intention is nothing other than a vital part of where your current Attention is focused. In other words: Knowing the Intention is about knowing at least an important part of the current Attention, which is much better than trying to change the Attention. Furthermore, Life Management Platforms could provide more information about the current Attention in real-time, but in a controlled way – controlled by the individual. That allows getting even more targeted information and makes this concept extremely attractive for everybody – the vendors and the individuals.

Imagine a world in which you can allow others to provide you exactly that piece of information you are interested in. Let’s give an example:

Your profile on a social network might provide the information that you just arrived at the airport in a specific city. Some vendors might track this information and send you welcome messages, pointing to their local assistance, or other offerings. That could be done based on what today’s social networks provide. And this is nice if you receive only one message or offers which really suit your needs. But if you receive 20 messages from companies which detected that your attention might be on that, it is just annoying.

In a Life Management Platform you can control whom to inform about such a “social” event. That can be specific companies or industries. They know that someone arrived at the airport and needs some specific information, about directions, the next ATM, or the next public WLAN hotspot – or whatever else. The system provides that information to you and you use the service. This obviously is the better approach.

You might ask how this differs from typing “MUC ATM map” or “IAD WIFI” into a search engine. The fundamental difference is that the Life Management Platform can express your intention once it has learned about it – and you might have the same intention every time you arrive at an airport. It acts for you and consumes your preferences, for example the personal data about the mobile phone providers you have contracts with and prefer for roaming, or the banks you have accounts at, to find the ATMs with lower fees or even without fees. Entering all that information into a search engine is annoying. And sorting through the results in your head is annoying as well. So there is an obvious value even in that simple use case. And for sure you might not want to give all that information about your bank accounts away – you might want something (the app in Life Management Platforms) to act upon it without unveiling that information. You might want minimal disclosure.

Life Management Platforms will enable that, amongst many other things. They are a vehicle to fundamentally change the way marketing is done, moving from changing attention to using attention and intention in a controlled and targeted way. Thus, everyone responsible for marketing should start looking at the ideas around Life Management Platforms, the Intention Economy, and Björn’s understanding of what Attention really is about. It is a simple way to get much better in Marketing and save money.


Entitlement Management – has it really been an academic exercise?

10.05.2012 by Martin Kuppinger

Recently I read a blog post from my appreciated and well-known analyst colleague Kevin Kampman at Gartner Group talking about entitlement management. That post had some points which made me wonder. I’ll pick some of the quotes:

  1. “One of access control’s biggest challenges is that it has often been an academic exercise. Maybe we can move the discussion forward by thinking about what is needed, not just what is possible.”
  2. “For any object, a set of conditions should be met to provide access such as time, attribute, role, etc. It seems we need a more flexible way to characterize all of the conditions that need to be met for access to be granted. Not attributes about the object itself but what you need to bring to the party to play.”
  3. “A lot of the focus in the *-BAC world is what attributes IT can provide to represent these conditions. It might make more sense to describe the conditions needed to characterize access.”

There are more, but these are some which I feel the need to comment on. Let’s start with the first one. I would agree that role management in its early days, when it first became mainstream, sometimes really was too much of an academic exercise. But if I look at the reality of projects today, that’s no longer the case. Role management is well understood and there is a lot of knowledge available on how to successfully implement role management in practice.

Going further to what dominates the evolution of Entitlement Management today, we have to look at Dynamic Authorization Management. Here neither the evolution of XACML as the key standard nor of claims as a related and somewhat overlapping approach is driven by theorists. Furthermore, most of the products in the Dynamic Authorization Management market like the ones of CA Technologies, CrossIdeas, IBM, or Oracle are derived from projects and the customer needs therein. They were built for practitioners from the very beginning. Even while they might not be perfect yet, they definitely are not the result of academic exercises. Consider also that Axiomatics, which started with strong focus on the XACML standard (and is one of the most active supporters of defining the XACML standard) is strongly led by customer feedback and experience from real world implementation projects.

My perspective is that the biggest challenge for Entitlement Management today is the organizational and process maturity of the customers, when it comes to defining business roles and business rules and when it concerns identifying the players in the business organization which have to participate. IT has become better in supporting IT/business alignment but still has some work to do on that, especially with simple interfaces for defining business rules in Dynamic Authorization Management products and further improving the business interface of Access Governance tools. But this again is not the result of being too academic.

Regarding the second aspect: Despite the criticism I sometimes have articulated regarding XACML as being a standard which is too complex for the end users (which I still believe is true), the underlying concept of implementing business rules is simple. Yes, it is annoying to write XACML, but that is true for any type of XML. Still, any business user can easily define the rules in a structure that can be used by XACML – this is straightforward and simple to understand.

And in that concept (and other approaches for Dynamic Authorization Management) it is very simple to express the full variety of rules, from more technical ones to pure business rules using business-provided constraints or competencies. This is focused on objects – but the objects can again be anything, from a piece of information (like a document) or its representation (like a share) to business activities within business processes. This is all there – so it is fairly simple to use it. And the same concepts can be used for all types of use cases. You can rely on a subset of the same set of policies for versatile, context-based authentication and authorization (which again provides attributes for other decisions) and for the internal authorization in a business application which needs to enforce complex business rules such as for the approval of new insurance contracts.

Having said this, we arrive at the third quote. Don’t we describe the conditions today? I’d say we can do it and we frequently do it, not only within Dynamic Authorization Management but also in more advanced concepts around Access Governance. These concepts go beyond roles today and can use concepts of constraints or competencies. Some implementations are tightly coupled with business activities and business processes.

By the way: Introducing a term of *-BAC doesn’t seem to provide much value to the customer. We have RBAC (which, in the NIST approach, is somewhat academic – but not in the real world). We have used the term ABAC (Attribute Based Access Control) sometimes in the industry, with attributes describing any attribute which can be used within policies, including roles as a specific type of attribute. So ABAC covers everything and *-BAC only leads to babel.

Simply said: My view on the state of Entitlement Management, Access Governance, and Dynamic Authorization Management is fundamentally different from the one in that other blog post mentioned above. I think that the industry is much more mature. And not too academic.


Dynamic Authorization Management Best Practices

09.05.2012 by Martin Kuppinger

Due to a last-minute speaker change I had to prepare a short presentation on “Dynamic Authorization Management – Best Practices from our Advisory” for EIC 2012. When we found a replacement for the speaker, I didn’t give that presentation. However, I will do a webinar on that soon and I want to provide some of the content here, as sort of an appetizer.

Dynamic Authorization Management is about dynamically deciding whether to approve authorization requests coming from services (such as applications), based on policies and attributes (roles, the application used, context, and so on). It includes policy definition and management, the access to sources for these attributes like directory servers, databases, ERP systems, and systems for context- and risk-based authentication and authorization. A key standard is XACML. The role of Dynamic Authorization Management within overall IAM (Identity and Access Management) is defined in the KuppingerCole Scenario Understanding Identity and Access Management.

A key success factor in Dynamic Authorization Management is to bring participants from all the different siloes involved to the table. You need people from the business organization, you need application architects and developers, you need IT Security, and you need others. This is a complex challenge.

Another key success factor is to set the right scope and to start small enough to be successful. The design has to cover coarse-grain and fine-grain authorization. It has to look at all types of applications and users. And thinking about the “Identity Explosion”, that means that it has to cover authorization not only for employees, but for many other types of users.

When planning the environment, the positioning of the Policy Enforcement Point (PEP) and Policy Decision Point (PDP) (more information on XACML, PEPs, and PDPs here) is one of the challenges. Vendors provide a lot of flexibility – and you need to understand the different options to meet the performance and scalability requirements of your environment. This becomes increasingly complicated in cloud environments given that it is hard to run a large number of queries across long distances in an efficient way. So approaches like providing access controls statically to systems might come into play. Clearly, putting a lot of thought into the concepts is a key success factor, especially given that Dynamic Authorization Management has to cover more or less all of your distributed environment.

Acceptance by developers is directly related to simplicity. Keeping things simple for developers is also one of the key success factors. You should start thinking about applying the paradigms of the Open API Economy here.

The same is true for policy definition. The good thing is that the way policies are described in XACML from a conceptual perspective (so without the XML stuff around) is pretty straightforward, simple to understand, and powerful. Nevertheless you have to educate your business users in expressing their business policies and translate this for the IT level. And you shouldn’t underestimate the complexity of auditing and analyzing policies in a dynamic environment.
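The conceptual structure described above (a PEP asking a PDP, which pulls attributes from a source and evaluates policies with a combining algorithm, logging every decision for audit) as a small working model. This is an added example, not code from XACML, any vendor product or KuppingerCole; the directory, the two business policies (including the insurance contract approval from the Entitlement Management post, where a role is just one more attribute) and all request values are constructed. It also shows why a missing attribute must never match: the same-department rule guards against a None == None comparison.

```python
"""Minimal attribute-based PDP/PEP in the spirit of XACML's conceptual model.
Added illustration, not code from XACML, a vendor product or KuppingerCole;
the directory, policies and request values are constructed."""
from typing import Any, Callable, Dict, List, NamedTuple

Attributes = Dict[str, Any]
Condition = Callable[[Attributes], bool]


class Rule(NamedTuple):
    name: str
    effect: str         # "Permit" or "Deny"
    condition: Condition


class Policy(NamedTuple):
    name: str
    target: Condition   # the policy applies only when this holds
    rules: List[Rule]


class Decision(NamedTuple):
    result: str         # "Permit", "Deny" or "NotApplicable"
    reason: str         # policy/rule that produced the result


# Constructed attribute source (the PIP role): what an HR directory might return.
DIRECTORY: Dict[str, Attributes] = {
    "alice": {"subject.roles": ["underwriter"], "subject.department": "life", "subject.approval_limit": 500_000},
    "bob": {"subject.roles": ["broker"], "subject.department": "sales", "subject.approval_limit": 0},
}


def directory_pip(request: Attributes) -> Attributes:
    """Look up subject attributes; unknown subjects simply get none."""
    return DIRECTORY.get(request.get("subject.id"), {})


class PolicyDecisionPoint:
    """Evaluates a request against all policies with deny-overrides combining."""

    def __init__(self, policies: List[Policy], pip: Callable[[Attributes], Attributes]):
        self.policies = policies
        self.pip = pip
        self.audit_log: List[Dict[str, Any]] = []   # every decision is recorded

    def evaluate(self, request: Attributes) -> Decision:
        attrs = {**request, **self.pip(request)}    # enrich with PIP attributes
        result, reason = "NotApplicable", "no policy target matched"
        for policy in self.policies:
            if not policy.target(attrs):
                continue
            for rule in policy.rules:
                if not rule.condition(attrs):
                    continue
                if rule.effect == "Deny":           # a Deny wins over any Permit
                    result, reason = "Deny", f"{policy.name}/{rule.name}"
                    break
                if result == "NotApplicable":       # keep the first permitting rule
                    result, reason = "Permit", f"{policy.name}/{rule.name}"
            if result == "Deny":
                break
        self.audit_log.append({"subject": attrs.get("subject.id"), "action": attrs.get("action"),
                               "resource": attrs.get("resource.type"), "result": result, "reason": reason})
        return Decision(result, reason)


def pep_allows(pdp: PolicyDecisionPoint, request: Attributes) -> bool:
    """The application-side gate: anything but an explicit Permit is refused."""
    return pdp.evaluate(request).result == "Permit"


def build_demo_pdp() -> PolicyDecisionPoint:
    """Two business policies written as plain conditions over attributes."""
    contract_approval = Policy(
        "insurance-contract-approval",
        lambda a: a.get("resource.type") == "insurance_contract" and a.get("action") == "approve",
        [Rule("no-self-approval", "Deny", lambda a: a.get("subject.id") == a.get("resource.applicant")),
         Rule("over-approval-limit", "Deny",
              lambda a: a.get("resource.amount", 0) > a.get("subject.approval_limit", 0)),
         Rule("underwriter-may-approve", "Permit",      # a role is just one more attribute
              lambda a: "underwriter" in a.get("subject.roles", []))])
    document_access = Policy(
        "document-access",
        lambda a: a.get("resource.type") == "document" and a.get("action") == "read",
        [Rule("public-documents", "Permit", lambda a: a.get("resource.classification") == "public"),
         # A missing department must never match: None == None would otherwise permit.
         Rule("same-department", "Permit",
              lambda a: a.get("subject.department") is not None
              and a.get("subject.department") == a.get("resource.owner_department"))])
    return PolicyDecisionPoint([contract_approval, document_access], directory_pip)
```

The audit log is the part that gets underestimated: each entry records which policy and rule produced a decision, which is what analyzing and auditing policies in a dynamic environment requires.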

However, when putting sufficient work into the concepts, you can design a Dynamic Authorization Management environment today which is future-proof. You should also do it because that will help you to become much more efficient in the management of Information Security and much more agile in fulfilling today’s and tomorrow’s audit requirements.


Bring Your Own Identity? Yes. And No.

08.05.2012 by Martin Kuppinger

Recently I read a blog post by Nick Crown, Director of Product Marketing at UnboundID. He talked about “Bring Your Own Identity” which he thinks is more groundbreaking and disruptive than BYOD (Bring Your Own Device). I would say yes, there is a value in BYOI, but:

  • this is definitely not as groundbreaking and disruptive as BYOD
  • this is only a small piece in a much larger puzzle and it definitely will not end with a two-tiered identity infrastructure as proposed in Nick Crown’s blog post
  • there’s definitely no need to introduce yet another marketing buzzword and acronym like BYOI

Certainly, just like every other vendor’s blog, posts like the one by Nick Crown are driven by the wish to position the company as “the primary vendor” in the specific area. But the question from a customer perspective (and from an analyst perspective) is: Does it really make sense?

So I want to focus on the three points above:

BYOD is one of the trends which are fundamentally changing the way we need to do IT, from the system management as well as from the information security perspective. It is about moving away from device-centric security to information-centric security approaches. That is a massive change, much bigger than any around identities. BYOD is directly related to the big changes we commonly call Mobile Computing and Consumerization of IT. And it relates also to the “Deperimeterization of IT”. BYOI (when defined as the user bringing their own identity) is, of course, related to big trends such as Social Computing. But it isn’t as new as some people claim. Federation as one approach to deal with this has been out for quite a while and is still evolving – look at OpenID Connect, recently awarded a European Identity Award by KuppingerCole for being the best new standard.

BYOI is much smaller than BYOD in its impact because of the second point mentioned above, something we at KuppingerCole have been talking and writing about for a pretty long time now. The reality is that there will be multiple identity providers. This is about things like trust frameworks, about concepts like claims, and about the need to become flexible enough in the days of Identity Explosion. It is about gaining the ability to deal with multiple pieces of information provided by different providers, instead of one provider or two tiers of providers. There will be many different types of Identity Providers – and they are already here, in fact. What changes is the ability to deal with these providers. That is about federation, about claims, about concepts like IDMAAS (Identity Management as a Service) the way Kim Cameron has presented it in his keynote at EIC 2012. However, it is not that much about directory services or technical synchronization. The fact that someone brings his own identity is just a little piece. And more important than accepting a BYOI ID is the ability to accept many different providers and to convert them into other IDs once the type of transaction and interaction with the individual requires such a conversion.

I’d also recommend you have a look at our report “Life Management Platforms”, which is available for free. This report explains a concept which will fundamentally influence the way we deal with “own identities”, which then really could be something you’d like to call BYOI, even while it is not only about bringing but also about controlling.

So even with Life Management Platforms, there is no need for the BYOI buzzword. It is not mainly about bringing your own identity (and, by the way, a Facebook ID is anything but an “own identity” when looking at the Facebook terms and conditions), but about enabling the flexible use of different identities. So BYOI is far too narrow to describe the changes we see these days. And thus we really should avoid using that buzzword and focus on what really is changing around identities.


The Identity Explosion – one reason to re-engineer not only our IAM

25.04.2012 by Martin Kuppinger

During my Opening Keynote at this year’s EIC (European Identity & Cloud Conference, www.id-conf.com), when talking about the Top Trends in IAM, Mobile Security, GRC, and Cloud Computing I used the term “Identity Explosion” to describe the trend that organizations will continue (or start) to re-define their IAM infrastructures in order to make them future-proof. I talked more about that in my presentation on “Re-engineering IAM to better serve your business’ needs” later during the conference. Interestingly, I heard the term “Identity Explosion” being used several times in other sessions after that, referring to my keynote.

So today I want to look at that buzzword, at what’s behind the buzzword, and the impact of this “Identity Explosion”. When looking at IAM (Identity and Access Management), it’s about managing users and their access. However, most of the IAM infrastructures in place today were mainly built with the employee in mind. Even today I frequently observe in advisories that projects begin by starting with a focus on some (relatively) small groups of users, like the employees, some temporary workers, or maybe some of the business partners. However, the reality of many organizations is that they have – to use a real-world number – perhaps 28,000 employees and 4.5 million customers to deal with.

Thus one of the initial discussions in such advisories is always about ensuring that the scope is set wide enough: It is about looking at all potential types of users, at least during the conceptual phase. Organizations might start implementing for the internals, followed by business partners, and then the customers (and leads and prospects and suspects). But the design has to have the “Identity Explosion” in mind: This massive growth in the number of identities to deal with. That starts with simple things like the structure of identifiers and ends with scalability issues and the integration of different technical approaches, for example versatile, risk- and context-aware authentication and authorization. I’ve seen companies struggling with the identifiers they had chosen only with employees in mind, spending a lot of money to fix that.

But it is not only – and not even mainly – about the costs. It is about agility. If IT is not prepared to deal with all types of users and provide identity and security services for them, then IT will fail in supporting the business demands. These are about integration with partners and a tight interaction with the customers (and leads and so on). IT has to be prepared for that. It has to understand that there will be this “Identity Explosion” anyway, with a massively growing number of identities to deal with.

An interesting aspect which isn’t yet discussed much in this context is business policies, including segregation of duties. How do you deal with the situation in which the same person (e.g. you or me) could have at the same point in time the identity of a customer, freelance broker, and employee of the same insurance company? Three identities which have to be understood and managed: The same person might sell an insurance contract to himself and approve it, using three different identities.
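The three-identities case above as a working check: identities from separate stores (customer, broker, employee) are first correlated to natural persons, and a transaction is then tested against segregation-of-duties rules that operate on persons rather than on any single identity. This is an added example, not KuppingerCole's or any product's code; the sample identities, the use of one verified e-mail address as the linking attribute, the store-qualified identifier format and the conflicting role pairs are all constructed assumptions.

```python
"""Correlating identities from separate stores to natural persons, then checking
segregation of duties across them. Added illustration, not KuppingerCole code;
identities, the linking attribute and the conflicting role pairs are constructed."""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Identity(NamedTuple):
    identity_id: str          # qualified with its store, so ids from different stores never collide
    store: str                # "customer", "broker" or "employee"
    link_key: Optional[str]   # verified attribute used for correlation (an e-mail address here)


class IdentityCorrelator:
    """Maps every identity onto a person id; identities sharing a link key are one person.

    Correlating on a single attribute is an assumption kept for brevity; real
    deployments combine several verified attributes and manual review.
    """

    def __init__(self, identities: Iterable[Identity]):
        groups: Dict[str, List[str]] = defaultdict(list)
        unlinked: List[str] = []
        for ident in identities:
            if ident.link_key:
                groups[ident.link_key.strip().lower()].append(ident.identity_id)
            else:
                unlinked.append(ident.identity_id)      # nothing to correlate on: its own person
        self._person_of: Dict[str, str] = {}
        for number, members in enumerate(list(groups.values()) + [[i] for i in unlinked], start=1):
            for identity_id in members:
                self._person_of[identity_id] = f"person-{number}"

    def resolve(self, identity_id: str) -> str:
        return self._person_of[identity_id]             # KeyError for an unknown identity


# Roles in one transaction that must not be held by the same natural person (policy assumption).
CONFLICTING_ROLE_PAIRS: Tuple[Tuple[str, str], ...] = (
    ("broker", "approver"), ("customer", "approver"), ("customer", "broker"))


def sod_violations(correlator: IdentityCorrelator, participants: Dict[str, str]) -> List[str]:
    """participants maps a transaction role to the identity acting in that role."""
    persons = {role: correlator.resolve(identity) for role, identity in participants.items()}
    violations = []
    for first, second in CONFLICTING_ROLE_PAIRS:
        if first in persons and second in persons and persons[first] == persons[second]:
            violations.append(f"{first} {participants[first]} and {second} {participants[second]} "
                              f"are both {persons[first]}")
    return violations


# Constructed sample: one person with three identities, another with two, one uncorrelatable.
SAMPLE_IDENTITIES = [
    Identity("customer:4711", "customer", "Max.Mustermann@example.com"),
    Identity("broker:b-17", "broker", "max.mustermann@example.com"),
    Identity("employee:e-0042", "employee", "MAX.MUSTERMANN@EXAMPLE.COM "),
    Identity("customer:4712", "customer", "erika@example.com"),
    Identity("employee:e-0099", "employee", "erika@example.com"),
    Identity("customer:9000", "customer", None),
]
```

The uncorrelatable customer:9000 shows the limit of the approach: an identity without any linking attribute always passes the check, which is exactly the gap an identifier scheme chosen with only employees in mind leaves open.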

And what I’ve discussed so far is just a small bang. The big bang is about the “Internet of Things”, at least for many organizations. An automotive vendor has to deal not only with his customers, dealers, employees, and suppliers. He also has to deal with the cars themselves, which again split up into many devices with their own “identity”. This again will increase the number of identities to deal with.

Having the “Identity Explosion” in mind when working on strategies, concepts, and implementation of IAM and all the related technologies helps avoid solutions which can’t scale with the changing business requirements. Thus looking at your current IAM and thinking about how to get ready for that is one of the things you should start doing now.


EIC 2012 – some take-aways

23.04.2012 by Martin Kuppinger

EIC 2012, the European Identity and Cloud Conference, is history now. We had a week fully packed with a lot of great keynotes, sessions, panels, and workshops. For me, it definitely was the year in which the EIC was most influential to my own thinking. The reason for that was simply that we had a lot of very good panels and other types of sessions related to some research we published around EIC or are currently working on. The three key topics were:

  • The KuppingerCole IT Paradigm which we have described as a model for developing IT infrastructures and organization in a way that it is fit for the large changes we are facing, like Cloud Computing, the impact of Mobile Computing, and others.
  • The Open API Economy, a concept which Craig Burton had started writing about quite a while ago and which is fundamentally changing the way service providers, organizations, app providers, and even individuals will work together.
  • Life Management Platforms, a concept which goes well beyond the limited reach of most of today’s Personal Data Stores and Personal Clouds. It will fundamentally affect the way individuals share personal data and thus will greatly influence social networks, CRM (Customer Relationship Management), eGovernment, and many other areas.

These topics all are tightly related. Doing IT with focus on services and information security allows consuming services much more efficiently. The Open API Economy provides these services and is increasingly successful, with massive growth of available APIs and their use. Life Management Platforms will require organizations to deal differently with services that affect individuals – and individuals will be able to expose their personal data in a privacy-aware and secure way that they never have been able to before.

There are several KuppingerCole reports available around these topics – and we are working on new ones which will be published soon. Some of them will go into more detail. One of the documents will cover the consumer view on the Open API Economy. There will be more scenarios, looking at the impact of the KuppingerCole IT Paradigm for other areas of IT, like Access Governance, Enterprise GRC, or IT Service Management.

There will be research which looks on the changing economics for CRM and the impact Life Management Platforms will have there. There will be other research looking at the very interesting and promising economics of Life Management Platforms. And there will be research looking at how concepts like the Open API Economy and Life Management Platforms are essential to the “real world”, such as making the Connected Car/Vehicle really work.

However, EIC was certainly not only about these new hot topics. An important, more down-to-earth topic at EIC was modern architectures for IAM (Identity and Access Management). We had interesting sessions around this topic, including a workshop focusing on whether, when, how and where to migrate legacy identity provisioning systems.

EIC again was a great mix of thought leadership and best practices, with some very interesting and well attended workshops on Friday. Organization for EIC 2013 Europe has begun. The conference will be again in May (instead of April). The details will be announced soon. But you should block mid May 2013 now for the next EIC.


EIC 2012 – what I will talk about

11.04.2012 by Martin Kuppinger

Next week, EIC 2012 (European Identity and Cloud Conference) will take place in Munich. The conference will again grow significantly, and we will have a wealth of interesting sessions there, ranging from keynote sessions to panels, best practices, and several workshops and roundtables. You definitely shouldn't miss that conference.

I want to give a sneak peek at what I will talk about this year. The Opening Keynote on Tuesday, April 17th, 2012 will be about trends in IAM, GRC, Cloud Computing, and Mobile Security. I also will provide a quick view of the KuppingerCole IT Paradigm, which is one of the central themes provided by KuppingerCole at EIC 2012. We have defined that paradigm and the underlying model based on our experiences in research and advisory services to provide a consistent guideline for refining IT and to really become ready for the age of Cloud Computing, Mobile Computing, and Social Computing. This model is about how to provide the services business really wants while securing corporate information adequately. I think it helps a lot in adapting IT organizations to the changing requirements of business.

A little later, I will be part of an interview-style keynote session, which is about the privacy and information security challenges we are facing in 2012 and beyond. This definitely will become an interesting discussion, with Roy Adar of Cyber-Ark, Shirief Nosseir of CA Technologies, and Jim Taylor of NetIQ participating and Dr. Nigel Cameron of the Center for Policy and Emerging Technologies (C-PET) moderating the session.

The following day, I'll start with a session that explains how the KuppingerCole IT Paradigm helps in increasing the value IT provides to the business. Following that presentation, we will have a panel discussion about how IAM can catalyze the secure enterprise. This panel will definitely become a highlight of EIC 2012, with some former Burton Group analysts participating: Craig Burton, Gerry Gebel, and Mike Neuenschwander.

After that session, I’ll use the KuppingerCole IT Paradigm to describe what the future IT Organizations should look like – an IT Organization which is much closer to the business and which helps in dealing with changes such as Cloud Computing. There will be a new report describing this topic coming out right before EIC (and there are also new and updated reports on the KuppingerCole IT paradigm available).

Another very valuable report will be the one on “Personal Data – Life Management Platforms”. There will be a roundtable on that topic moderated by Doc Searls, of the Berkman Center for Internet and Society at Harvard University, and myself.

Another session will be about “One IT, One IAM” – this is a session going beyond IAM and linking Cloud, IAM, and the way we structure IT. This is about how to end up with one IT that serves all your needs instead of separate solutions for different types of Clouds and your on-premise IT.

Also pretty interesting is the “Re-engineering IAM” session. I have just written two reports, an update on my view of Access Governance Architectures and another one looking at whether, when, how, and where to migrate existing legacy Provisioning systems you might have.

In a joint session with Craig Burton we will link the KuppingerCole IT Model and the API Economy, a paradigm focusing on the increasing number of available APIs and their use.

Besides these sessions, I’m also involved in some others around virtualization and the security of Big Data. And there will be some other new reports out for EIC, written by several of the KuppingerCole analysts like Craig Burton, Fulup ar Foll, Prof. Dr. Sachar Paulus, Mike Small, Dave Kearns, and me.

So there'll be a lot of interesting topics at EIC 2012. There will for sure be many more sessions on other topics, and virtually all relevant players will be present in the exhibition area. So don't miss EIC 2012.

You will find all information about EIC here: www.id-conf.com

All current and upcoming KuppingerCole research is available here: www.kuppingercole.com/reports


Why the US Cyber Chief is wrong: It’s not a tide of Cyber Criminality – there will be no ebb tide

22.03.2012 by Martin Kuppinger

Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget alone requesting 3.4 billion US$. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency), is quoted as saying "Nation-state actors in cyberspace are riding a tide of criminality."

I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by global warming – with the important difference that the increasing cybersecurity challenge is not happening gradually over a period of dozens of years but more or less as a tsunami, almost immediately. We most likely will see some “decrease in increase” or, in other words, lower growth rates in cybercrime. But I don’t expect to see a decrease in absolute numbers within a foreseeable period of time.

And it is not only nation-state actors in cyberspace that are causing that rise, but all actors in cyberspace. States are affected because they are the target of other nation-state actors, but also of groups like Anonymous or LulzSec, and of classical attackers like script kiddies and other non-organized hackers. On the other hand, they are most likely not the target of the part of cybercrime which is run by organized crime. Other organizations, in contrast, are likely to become the target of all of these types of attackers.

The good thing about quotes like the one mentioned is that they prove that at least some states (the U.S. probably more than many European countries) have understood the challenge they are facing. But to me it sounded somewhat too optimistic.

What we have to do is act on this challenge, by systematically and strategically improving our IT security. That requires a holistic view of the topic. It requires a risk-based approach. We need to understand the risks and act according to these risks. We need to have plans for when something happens anyway. It will cost a lot of money. But by doing it right, there is a huge potential for saving at least some of the money which otherwise is thrown out of the window with little or no impact on improved IT security.

To learn more about Information Security, GRC, and the role IAM plays therein, visit EIC 2012, Munich, April 17th to 20th.


Encryption is only as good as the protection of its keys

21.03.2012 by Martin Kuppinger

This morning I received a press release pointing to a blog post by John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group that specializes in encryption. They offer, amongst several other technologies, HSMs (Hardware Security Modules) and Enterprise Key Management solutions.

The blog post commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between the two in the case of Mediyes is that the Trojan carries a valid digital signature, made with a private signing key that had been stolen from a Swiss company.

This new Trojan proves three points:

  • Every company is a target for attackers. No single company should feel safe just because it is either small or in an industry which appears not to be that attractive for attackers.
  • Attacks are getting increasingly sophisticated. Mediyes is just one example of this: the attackers first had to obtain that key in a separate attack before they could sign and deploy Mediyes.
  • Cryptography relies on the security of its keys. A stolen signing key is just as damaging as a stolen encryption key.

The first two points are covered here, amongst other posts, articles, and podcasts of mine.

The third point is another important one. If the keys aren't secure, everything relying on them is insecure as well. A valid signature only tells the verifier that whoever held the private key signed the object, not that the legitimate owner did. That is true for compromised CAs (Certificate Authorities), it is true for every single private key you are using, and it is true for every key used in symmetric encryption. Once a signing key has been stolen, the remaining remedies are revoking the associated certificate and, where signatures are timestamped, distinguishing earlier legitimate signatures from later forged ones.

Thus it is mandatory to focus more on Enterprise Key Management and overall Information Security. Keys have to be well managed and secured. Not having appropriate management and security for these keys, for every type of encryption, from digital certificates to symmetric encryption of your communication lines, leaves the doors wide open for attackers. When starting with Enterprise Key Management it is necessary to first of all know which keys are out there and how they have been protected (or not) until now. Only then can you start improving the management of these keys.

Note that the term is Enterprise Key Management and not Storage Key Management or anything like that. It is not about looking at some keys, it is about looking at all of them.
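The inventory step described above, as an added example that is not code from the original post or from any of the vendors mentioned in it: a small scanner that walks a directory tree, recognises PEM and OpenSSH private-key blocks by their headers, decides whether each key is stored encrypted, and flags keys that are plaintext or readable by other users. The sample tree it builds contains constructed filler bodies, not real key material; only the headers and file modes matter for this check. File names, directory layout and the issue strings are assumptions made for the example.

```python
import base64
import re
import stat
import struct
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",  # traditional PEM
                  "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"}  # PKCS#8, OpenSSH
OPENSSH_MAGIC = b"openssh-key-v1\x00"

@dataclass
class KeyFinding:
    path: str
    kind: str
    encrypted: bool
    mode: int
    issues: list = field(default_factory=list)

def openssh_cipher(body_b64):
    """Cipher name from an OpenSSH private-key blob; 'none' means plaintext."""
    raw = base64.b64decode("".join(body_b64.split()))
    if not raw.startswith(OPENSSH_MAGIC):
        return "unknown"
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode("ascii", "replace")

def is_encrypted(label, body):
    if label == "ENCRYPTED PRIVATE KEY":      # PKCS#8, password protected
        return True
    if label == "PRIVATE KEY":                # PKCS#8, plaintext
        return False
    if label == "OPENSSH PRIVATE KEY":
        return openssh_cipher(body) not in ("none", "unknown")
    # Traditional PEM: encrypted keys carry Proc-Type/DEK-Info headers in the body.
    return "Proc-Type: 4,ENCRYPTED" in body

def scan_file(path):
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return []
    mode = stat.S_IMODE(path.stat().st_mode)
    findings = []
    for label, body in PEM_BLOCK.findall(text):
        if label not in PRIVATE_LABELS:       # certificates, CSRs, public keys
            continue
        f = KeyFinding(str(path), label, is_encrypted(label, body), mode)
        if not f.encrypted:
            f.issues.append("stored unencrypted")
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            f.issues.append("readable by group/other (mode %o)" % mode)
        findings.append(f)
    return findings

def audit(root):
    """Map file name -> KeyFinding for every private key found under root."""
    out = {}
    for p in sorted(Path(root).rglob("*")):
        if p.is_file():
            for f in scan_file(p):
                out[p.name] = f
    return out

def openssh_sample_pem(cipher):
    # Constructed OpenSSH blob: magic, cipher-name string, filler (no real key inside).
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 32
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

def build_sample_tree(root):
    """Write constructed sample files (filler bodies, not real keys) under root."""
    filler = base64.b64encode(b"\x00" * 48).decode()
    enc_hdr = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
    samples = {
        "legacy_rsa.pem": "-----BEGIN RSA PRIVATE KEY-----\n%s\n-----END RSA PRIVATE KEY-----\n" % filler,
        "legacy_rsa_enc.pem": "-----BEGIN RSA PRIVATE KEY-----\n%s%s\n-----END RSA PRIVATE KEY-----\n" % (enc_hdr, filler),
        "pkcs8_enc.pem": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % filler,
        "id_ed25519": openssh_sample_pem("none"),
        "id_ed25519_enc": openssh_sample_pem("aes256-ctr"),
        "server.crt": "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % filler,
    }
    for name, content in samples.items():
        p = Path(root) / name
        p.write_text(content)
        p.chmod(0o600)
    (Path(root) / "legacy_rsa.pem").chmod(0o644)   # deliberately too permissive

def audit_sample():
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return audit(d)

if __name__ == "__main__":
    for name, f in audit_sample().items():
        print(name, f.kind, "encrypted" if f.encrypted else "PLAINTEXT", "; ".join(f.issues) or "ok")
```

Pointing audit() at a real tree gives the starting inventory the post asks for; keys living in HSMs, keystores or cloud KMS are outside its reach and have to be listed from those systems' own interfaces. Note that a header check says nothing about passphrase strength, so an "encrypted" verdict is a minimum, not a clean bill of health.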

To learn more about APTs (Advanced Persistent Threats), the changing threat landscape, Enterprise Key Management and overall IT Security, you should attend EIC 2012 in Munich, April 17th to 20th.



© 2012 Martin Kuppinger, KuppingerCole