24.07.2012 by Martin Kuppinger
Apple recently removed the app Clueful, provided by the IT security software vendor Bitdefender, from its App Store. That at first glance isn’t momentous news. However, when looked at in a little more detail, it raises some questions.
The iOS app Clueful had been available in the App Store for about two months. It had been approved by Apple back then. Bitdefender, even while being pretty cautious in what they are telling the public, says:
Apple informed Bitdefender’s product development team of the removal – for reasons we are studying – after it was approved under the same rules.
This is a pretty interesting statement. There are things which are studied. But it looks like Apple decided to let this app pass and then removed it based on the same set of rules.
Clueful is an app which checks other apps. It analyzes whether apps are sending personal data unencrypted, whether they access the contacts, whether they track the current location of the user, and so on. It shows that information and explains what these facts mean to the user. Simply said, and in context of all the things that have happened in iOS, this is obviously a useful app for the users.
Bitdefender also had sent out a press release that, according to their research, 42.5% of the apps do not encrypt users’ personal data, even when accessed via public Wi-Fi. 41.4% of the apps track user locations unbeknownst to them. And almost 20% of the apps still can access the entire Address Book, some not even notifying the user.
However, from the Apple perspective and the view of many other app providers, it is a dangerous app because it reveals “too much”. So what are the reasons for removing that app from the App Store? Bitdefender doesn’t tell exactly and Apple doesn’t comment at all.
However, what shall I say? Honi soit qui mal y pense.
It is at least worthwhile to further follow this issue and to see what Bitdefender and Apple will say about it in the future – and whether the Clueful app (or other apps with that functionality) will be available in the App Store again soon.
And it is time to let the user decide about privacy. At least they should be kept informed so that they can make decisions. And once they’ve made a decision, that should be accepted – unlike for example in the Twitter app, which doesn’t take a no for a no but asks again and again, whether users don’t want to allow access to “Twitter contacts” and so on.
18.07.2012 by Martin Kuppinger
If you’ve ever struggled with finding the argument for an investment in information security, here it is: According to a survey recently published by Symantec, 40% of the worth of organizations is derived from the information they own. The link goes to a German site and the extract of that survey specific to Germany, but the report is in English. The global version can be found here. There are other interesting numbers: 57% of the German respondents expect a loss of customers and 48% brand damage in case of a leak of information (and breach notification). The global numbers aren’t that different. On a global basis, information is estimated to be 49% of the organizations’ total value, while 49% expect loss of customers and 47% brand damage in a data leak event.
These are numbers that help to argue better with business managers. They also prove what we’ve been observing over the past few years: Information Security is a hot topic again. Business cares about information security (and notably not about “technology security” – it’s about the I in IT, not the T). And thus, business needs information security. One of the reasons is simply that some years ago when sensitive or valuable data leaked this was only mentioned on page 7 or so of a computer magazine. Nowadays you might make it to the opening headline of the daily news on TV, or the business newspapers (Wall Street Journal, Financial Times, etc.).
Numbers like the ones from the Symantec report help in showing the value of Information Security investments, by first showing that it is about information security and then showing the potential impact of leaks and breaches to the business. The numbers also clearly indicate that this “IT risk” of leaking information is about business risks: Operational risks, reputational risks, and even strategic risks, if you lose too many customers or damage the brand too much – or if your competitor gains access to your most valuable intellectual property.
There is a good reason that information security is one of the two key drivers for what we at KuppingerCole have worked out as the KuppingerCole IT paradigm, our approach on structuring IT to deal with the fundamental changes like Cloud Computing, Social Computing, and Mobile Computing and to deliver what business really wants:
- Business wants the (IT) services they really need when they need them – and they want to order business services, not technology services for which they then wait endlessly for IT to deliver
- Business wants their information secured appropriately – this is where information security comes into play and, over the past few years, became a real concern of business managers
There is a comprehensive report on this KuppingerCole IT paradigm available with some additional KuppingerCole Scenario reports like “The Future of IT Organizations” diving deeper into the details.
17.07.2012 by Martin Kuppinger
Germany has, in contrast to many other countries, a mandatory citizen registration. One side effect is the national ID card (now an eID). Another is that there are registration offices at every local authority. And there is a law called “Melderechtsrahmengesetz” (MRRG) which regulates everything about this registration. A few days ago the German Bundestag passed a revision of this law, and did it during the semi-final of the European Football Championship (Real football, played by feet and with a ball; not American football, played by hand and with an egg) between Germany and Italy. That explains why it took a little while for the outcry of the masses to develop.
The MRRG revision at first glance appears to be a success for the lobbyists of the marketing industry and the ones dealing in addresses. In a draft of November 2011 the law required explicit consent of the citizen for the registration offices to pass the data to someone else. In the revision which recently passed the Bundestag, the citizen has to explicitly withhold consent – and the “opt-out” is only accepted if the party requesting the data didn’t already possess it (which for example would be the case if someone participated in a contest and gave away his address data) and simply wants to validate or change data. In addition, the range of attributes which can be requested by 3rd parties is now much larger than before.
However, the MRRG had these provisions quite some time ago. The ability to request data of others without consent had been introduced in 1938 by the former minister of the interior Frick (who was sentenced to death in the “Nürnberger Prozesse”) by order, bypassing the parliament. Its purpose was, amongst others, to push denunciation. The current MRRG still allows basic requests by anyone about everyone at the registration offices without unveiling a purpose. There is neither an opt-in nor an opt-out in the current version of the law. This is in contrast to the basic right of self-determination regarding personal data which has been defined by the German Federal Constitutional Court. The revision of the law isn’t intended to remove data protection from the MRRG but, for the first time, adds data protection to that law.
Today organizations like the Schufa (providing financial “health” information about individuals to banks and others), the Federal Office for the Protection of the Constitution (“Bundesamt für Verfassungsschutz”) and private investigators are the main “customers” of the registration offices. This is, by the way, not for free – a single query costs in the range of 5 € to 10 € per registration office – and it might require asking a number of registration offices to find someone. So it is somewhat unlikely that address dealers and the marketing industry in general will use the new options on a broad scale. There is just no valid business model behind this.
Obviously, there is a need to find a balance between privacy and the interests of marketing and others to access some data. Besides, there has been a strong need to update the law, which dated back to 1980 in its current version but which still was based on the 1938 law. So the current, very emotional discussion appears a little extreme to me – and it isn’t based on facts. There are things which need to be changed: There is a need for consent. This is introduced for the first time with this revision of the MRRG. The amount of data should be carefully evaluated, thinking of “minimal disclosure” instead of providing masses of data. That is an area for improvement of the law. Access shouldn’t be for free – it isn’t for free today and it won’t be for free in future. But on the other hand, no one should complain if he gave his data to a company when participating in a contest – there was a price paid for that data in some way.
Given that this law has not only to pass the Bundestag but also the Bundesrat (the upper house of the German parliament), it is very likely that some parts will be changed before it becomes effective. That is the positive thing with privacy being back in public discussion. The critical aspect is that the discussions are emotional and sometimes even hysterical, not fact-based. And, in the case of the MRRG, that there is no real need to make changes to the version which passed the Bundestag.
The lesson we could learn from this is to work based on facts and not on emotions – even when it comes to privacy discussion. Not every access to personal data is bad per se.
16.07.2012 by Martin Kuppinger
Kim Cameron recently blogged about his view on SCIM and the Microsoft Graph API. Kim explains his view as to why SCIM and the Microsoft Graph API, which is related to WAAD (Windows Azure Active Directory), are complementary. That reminded me of two older posts in my own blog:
Even though I didn’t focus explicitly on relationships in the second post but more on the management of entitlements, there is much about relationships in there implicitly. And when looking back at the concept of system.identity (which, from what I see, influenced WAAD and the Microsoft Graph API), it is also a concept which is much more about dealing with relationships and the ability to model a more complex reality than simply access protocols via LDAP.
SCIM as of now has become widely accepted as a concept and is likely not only to become a formal standard but a real one – one that is widely accepted and implemented. However, it appears it will remain a narrowly focused standard (to avoid the term “limited”) which addresses a specific problem. That is fine.
The Microsoft Graph API on the other hand addresses a much broader scope, however focused (as of now) on WAAD. As Kim explains in his post, there is a need for a “multidimensional” protocol like the Graph API which allows dealing with an identity and its relationships.
Like Kim, I see both approaches as complementary, not competitive. You should be able to do what SCIM does with an approach like the Graph API (one that is standardized and supported by many vendors). But that isn’t the core target of the Graph API and the concept behind it. So for the fairly simple use cases of SCIM, SCIM appears to be the solution of choice. For many requirements around dealing with information about identities and their relationships, the Graph API (and maybe a standardized successor in the future) will do the job.
There is, though, in this discussion another point which should be considered: RESTful APIs and JSON are far easier to handle than “traditional” approaches in programming. The evolution of what we call the Open API Economy – you might have a look at Craig Burton’s blog and the KuppingerCole report on this topic written by Craig, or the video from the EIC session on that topic – shows that the acceptance of such relatively simple interfaces is rapidly growing. So the need for having only one standard for everything diminishes. There is no doubt that we need standards. But standards are also limitations – LDAP is one example of a limited and limiting standard. I know too many cases where LDAP just wasn’t (and isn’t) sufficient for the business’ needs. Notably, it was never intended to serve many of these use cases. It was built as an expedient, worked well and then suffered as folks tried to pile on grossly inappropriate functions.
So my recommendation is not to artificially create a “battle of standards”. That isn’t of any value. Having a standardized Graph API in addition to SCIM (and maybe some other “lightweight” standards for specific use cases, like a next-generation standard interface to XACML fully supporting RESTful APIs and JSON) makes much more sense to me. Even though I think that the name “Graph API” isn’t well chosen (you need to associate the term “graph” with “graph theory” instead of “graph” as in “diagram” or “chart” – so it’s more for the geeks), the concept makes a lot of sense. And SCIM (despite my criticism) also has a lot of value in itself.
03.07.2012 by Martin Kuppinger
Dell today announced that they have a definitive agreement to acquire Quest Software. Quest Software then would form the core of the software division of Dell, which until now was pretty small. There were some business units like Dell Boomi (www.boomi.com), but no real software business.
The decision to acquire Quest Software is an interesting move which, from my perspective, makes a lot of sense. Quest’s strengths are in the areas of Identity and Access Management/Governance with their Quest One Identity portfolio and around Systems Management, particularly Windows Management, Performance Management, and Database Management. That fits the needs of the market and a company which until now has been mainly a hardware vendor. Aspects like Security (until now Dell SecureWorks and SonicWALL), Data Protection, Systems Management (Dell KACE), and Application “Modernization” (to use the Dell term) will be moved to a much higher level.
In addition, Quest Software, as a company with close to 900 million US$ of revenue in 2011 and nearly 4,000 employees, is big enough to become a starting point for quick growth in the software business. For Quest Software, this probably is more an opportunity than a risk – the same is true for Quest customers. The biggest risk is that companies (like Dell) without a history in the software business sometimes struggle with understanding the differences in business models, compared to their existing business. By not only acquiring small vendors and trying to build such an organization from scratch but hunting for a bigger vendor like Quest Software, Dell took another approach. They now have a big enough nucleus to further grow their software division.
On the subject of integrating acquisitions, especially software acquisitions: if Dell can keep Quest’s product management folks, they have more experience at integrating acquisitions than anyone, except possibly Oracle. If they can’t keep them, and if hardware people are put in charge, then risks will increase massively. So Quest itself probably is best at integrating itself into Dell – and potential future acquisitions into the Dell software division.
From our perspective, this acquisition is an important, strategic, and valid move of Dell and it is of little risk for existing Quest Software customers – on the contrary, we expect that Quest will be able to grow faster than before and that there is a good chance of Quest as part of Dell making its way towards a strategic software vendor for larger customers.