31.01.2010 by Martin Kuppinger
Today, some influential German politicians started arguing against the upcoming German eID card in a Sunday newspaper. The eID card is planned to be available by November 1st. The main argument is that the costs of the project are increasing – there is a request for an additional 7 million Euro for advertising. The politicians also claim that experts doubt the need for the eID card. They propose to shift the introduction to 2020.
There are certainly some points about the German eID card which you can discuss. However, the arguments of these politicians just show that they don’t understand what they are talking about. No big surprise, you might claim – they are politicians. To provide my view on this:
- Yes, the eID card costs a lot of money. However, new things typically aren’t for free. And given that the eID card is a government project, there is a lot of politics and lobbying involved, which never ever saves money. Anyhow, it doesn’t appear to be excessively costly.
- The concept of the German eID card might not be perfect, but it goes beyond most other approaches when looking at principles like “minimal disclosure of information” and the supported use cases, for both public and private use.
- Security is well solved. There are some people claiming that fingerprints aren’t secure. Yes – there might be some fraud. But the eID card is way beyond the alternatives we have today and which could be used in a mass market. I personally think that it is much better to do some (significant) step forward in security instead of staying still and looking for the Nirvana.
- The concepts have to be explained to the public. That is an educational effort which will take time and which will cost money. However, we should not only look at potential downsides but should concentrate on the positive things – and there are many interesting use cases. There is a lot of potential within the German eID card.
- There are experts (I thought about putting the term into quotes…) – no surprise, you will always find experts who support your opinion, especially as a politician.
- You definitely can wonder about why we need a health card and an eID card on a national basis – one card might be sufficient (especially given that you have to educate people on the privacy concepts for both cards and thus you might reduce the efforts on this…).
I could add many more points to that list. However, I think that this is just another example of politicians talking about things they don’t understand at all. There is some value in the German eID card. It is based on a well-thought-out concept. There are things which might be improved – and many of the shortcomings we might observe at the beginning will be solved. It will take some time for the mass adoption – again no surprise. But overall, it is absurd to stop this project now and to restart it in some ten years. That would mean that much more money than it will ever cost to bring the project to a successful end will be destroyed and will have to be spent again in some years. Thus, there is definitely no sense at all in stopping this project now. But there is a lot of sense in spending some extra money on educating the citizens, to make it successful.
31.01.2010 by Martin Kuppinger
In Germany, there is (again) a discussion these days about whether the German State shall buy data about fiscal fraud. There is someone from Switzerland who offers illegally obtained data about German citizens who have transferred illegal earnings to bank accounts in Switzerland, not paying taxes on this. Germany some months ago bought such data about bank accounts in Liechtenstein, to identify fiscal fraud and to penalize it.
That leads to some highly interesting questions, and there is a political debate about whether to do that or not. It is obviously illegal to buy stolen goods in the knowledge that they have been stolen. Data is amongst these goods, for sure. It is highly questionable whether actions of the attorneys based on such data are legal – I doubt this and I’d expect that the German Federal Constitutional Court will accept this once the first lawsuits about this are brought before it. Thus it might end up with any penalties against this fiscal fraud not being permissible, being based on invalid evidence (or evidence derived from invalid evidence, because the data will allow the attorneys to request the account details from the Swiss banks – it just provides a list of accounts as a foundation for follow-up queries). It might also occur that several of these accounts aren’t about fraud – and again, it might turn out to be illegal to do such mass queries based on too little evidence. And: Buying stolen goods (in case you know that they have been stolen or that you have to assume that they were stolen) is punishable. Thus, the people deciding on doing that are definitely acting against the law and might be penalized. That will be up to the courts to decide.
28.01.2010 by Martin Kuppinger
There is a constant pressure not only on IT but on all areas of organizations to reduce costs. However, that frequently ends up with higher risks and potentially higher costs due to these risks. The problem is: Most organizations, especially in controlling and management, think much more about cost than about risk. But cost savings (which are not necessarily negative) without a risk view are a risk – somewhat of a tautology, I know…
That is why Risk Management should be a standard and central element in management, for business as well as for IT.
25.01.2010 by Martin Kuppinger
Last week, there was the news that the Federal Employment Office of Germany will reclaim excessive payments from potentially more than a million so-called “Hartz 4” recipients. What appears to be of political and social relevance is also interesting for IT – because it’s about the negative impact of archaic software architecture.
Let’s start with the background. Hartz 4 covers both social welfare aid and unemployment aid, named after Peter Hartz, a former Volkswagen member of the board and advisor to the German government on how to change and optimize these aids and insurances. There is a significant number of Hartz 4 recipients. Many of them are either families or single parents. Starting Jan 1st 2010, the child allowance has been increased by 20 € per child and month. However, child allowance is charged against Hartz 4, thus Hartz 4 recipients with children shouldn’t benefit from that increase – not that social, is it?
Now the problem arises: Many have received the 20 € (or x times 20 €, depending on the number of children) increase – and now that shall be reclaimed. The Federal Employment Office came up with the explanation that this happened because of the short period of time between the decision about the increase of child allowance and the due date. However, there were some weeks in between. Regardless of whether the money will be reclaimed or not (there are interesting legal discussions about this), that clearly shows, together with other explanations, that there is an IT issue behind this.
That issue is software where such a change obviously has been too complex to perform in time, in a planned, structured manner. That is, looking at topics like “Software Architecture”, “GRC”, and “Externalization of Security”, pretty interesting – especially from the GRC view on software architecture. Obviously, a change of a business policy couldn’t be transferred to the software just in time. That is a typical GRC issue: Business policies which lead to complex change processes in IT, when code has to be adapted to these changes. That leads to issues like time-to-market or, in this case, has a significant social impact. From a GRC perspective, that is an issue – a governance issue IT management has to deal with. It is a software architecture issue, because such problems occur only due to a non-policy-aware software architecture and due to hard-coding things which shouldn’t be hard-coded. Think about policy-controlled software and defined request/approval workflows for such fundamental changes. That isn’t hard to architect, it should just be good practice. It would lead to applications which are acceptable from a GRC point of view (with GRC being much more than security…). It would be secure. And, most probably, such software would rely on policies and thus on externalization for security as well, especially for access controls.
There is little reason to assume that the Federal Employment Office has software in place that meets these fundamentals of good software architecture. The really bad thing, besides all the unnecessary costs associated with such archaic software, is the negative social impact of that.
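To make the architectural point concrete, here is an added example (mine, not code from the original post and certainly not the Federal Employment Office’s system) contrasting a hard-coded benefit rule with a policy-externalized one. The amounts, the household and the policy dates are constructed placeholders; only the 20 € increase per child matches the post. The externalized version keeps the allowance as effective-dated policy data behind a propose/approve workflow, so the January 2010 change is a data change with an approval record rather than a code change, and the same policy store can compute what was overpaid if the old rule kept running.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed placeholder amounts (EUR per child and month). Only the 20 EUR
# increase matches the post; the absolute figures are invented for illustration.
OLD_CHILD_ALLOWANCE = 100
NEW_CHILD_ALLOWANCE = 120


def benefit_hardcoded(base: int, children: int) -> int:
    """The archaic way: the business policy is baked into the code.

    Raising the allowance means editing this constant, re-testing, rebuilding
    and redeploying, which is exactly the change that could not happen in time.
    """
    child_allowance = 100  # hard-coded policy value (placeholder)
    return base - children * child_allowance


@dataclass(frozen=True)
class PolicyVersion:
    effective_from: date
    child_allowance: int              # per child and month, offset against the benefit
    approved_by: Optional[str] = None  # set only once the approval workflow finished


class PolicyStore:
    """Externalized, effective-dated policy with a request/approval workflow."""

    def __init__(self) -> None:
        self._approved: List[PolicyVersion] = []
        self._pending: Dict[date, PolicyVersion] = {}

    def propose(self, version: PolicyVersion) -> None:
        """Request a policy change; it has no effect until approved."""
        self._pending[version.effective_from] = version

    def approve(self, effective_from: date, approver: str) -> None:
        """Approval step: only approved versions are ever applied, and who approved is recorded."""
        proposal = self._pending.pop(effective_from)
        self._approved.append(PolicyVersion(proposal.effective_from,
                                            proposal.child_allowance, approver))
        self._approved.sort(key=lambda v: v.effective_from)

    def active(self, on: date) -> PolicyVersion:
        """The approved version in force on `on` (latest effective_from <= on)."""
        in_force = [v for v in self._approved if v.effective_from <= on]
        if not in_force:
            raise LookupError(f"no approved policy in force on {on.isoformat()}")
        return in_force[-1]


def benefit_policy_driven(store: PolicyStore, base: int, children: int, on: date) -> int:
    """Same computation as above, but the allowance comes from the policy in force on `on`."""
    return base - children * store.active(on).child_allowance


def overpayment(store: PolicyStore, base: int, children: int, on: date, paid: int) -> int:
    """Amount paid beyond what the policy in force says is due (0 if nothing was overpaid)."""
    return max(0, paid - benefit_policy_driven(store, base, children, on))


def build_store() -> PolicyStore:
    """Constructed policy history: the old allowance, then the increase effective 2010-01-01."""
    store = PolicyStore()
    store.propose(PolicyVersion(date(2009, 1, 1), OLD_CHILD_ALLOWANCE))
    store.approve(date(2009, 1, 1), "policy-owner")   # hypothetical approver role
    store.propose(PolicyVersion(date(2010, 1, 1), NEW_CHILD_ALLOWANCE))
    store.approve(date(2010, 1, 1), "policy-owner")
    return store


if __name__ == "__main__":
    store = build_store()
    base, children = 1000, 2  # constructed household: base amount and two children
    dec = benefit_policy_driven(store, base, children, date(2009, 12, 1))
    jan = benefit_policy_driven(store, base, children, date(2010, 1, 1))
    print(f"December 2009: {dec} EUR, January 2010: {jan} EUR")
    # If the old rule kept paying the December amount in January, this is what
    # would have to be reclaimed: 20 EUR per child.
    print("to be reclaimed:", overpayment(store, base, children, date(2010, 1, 1), dec))
```

Note that an unapproved proposal never changes a computation: `active()` only sees versions that passed `approve()`, which is the request/approval workflow the post asks for, and the `approved_by` field is the audit trail a GRC review would want to see.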
13.01.2010 by Martin Kuppinger
For some of you, the acquisition of Burton by Gartner might have been the deal of the year. I (for sure, acting in the same market) will not comment on this. But for me, it hasn’t been the deal of the year even in these first two weeks. Much more important is the acquisition of Archer by RSA. RSA Security, an EMC subsidiary for several years now, has bought one of the leading GRC vendors. In fact it was EMC which acquired Archer, but within EMC it has been RSA Security.
Archer is one of the major players in the Enterprise GRC market – I recently discussed the various segments of the GRC market. With the acquisition of Archer, RSA – until now a provider of very specialized components in the SIEM, DLP, and other security-related markets – tries to close the gap between its own specialized tools and the high-level view of Archer (being mainly an Enterprise GRC provider with some level of CCM). That definitely makes sense. And it fits well into EMC/RSA’s strategy for Cloud Security. Thus, by integrating the tools of RSA (and other EMC companies), providing information for automated controls, with the high-level view of Archer, the drill-down features, and the manual control capabilities as well as the overall policy and control management, EMC (with RSA and Archer) might well be able to make a big step forward towards an integrated GRC offering.
However, this shouldn’t be limited to security-related IT controls but should cover all types of IT controls, including service management, access governance, and others. Standards like COBIT show how many different controls are relevant. And, from the high-level perspective (the Archer view), it should even go beyond IT controls and IT GRC. Thus the acquisition of Archer shouldn’t be understood as the final but as the first step. Integration of what EMC and partners are offering is the logical next step – but to fully deliver on the idea of an integrated GRC, EMC might have to add some other technologies (like access governance and, especially with focus on the cloud, service management).
Anyhow: The acquisition makes sense, no doubt about that. And I’m convinced that it hasn’t been the last one in the GRC market for this year.