In Germany, there is these days (again) a discussion about whether the German State shall buy data about fiscal fraud. There is someone from Switzerland who offers illegaly obtained data about German citizens who have transferred illegal earnings to bank accounts in Switzerland, not paying taxes for this. Germany some months ago has bought such data about bank accounts in Liechtenstein, to identify fiscal fraud and to penaltize this.

That leads to some highly interesting questions, and there is a political debate about whether to do that or not. It is obviously illegal to buy stolen goods in the knowledge, that they have been stolen. Data is amongst these goods, for sure. It is highly questionnable whether actions of the attorneys based on such data are legal – I doubt this and I’d expect that the German Federal Constitutional Court will accept this once the first law suits about this are brought to him. Thus it might end up with that any penalties against this fiscal fraud aren’t permittable being based on invalid evidence (or evidence derived from invalid evidence, because the data will allow the attorneys to request the account detail from the swiss banks – it just provides a list of accounts as a foundation for follow-up queries). It might also occur that several of these accounts aren’t about fraud – and again, that it might show up to be illegal to do such mass queries based on too little evidence. And: Buying stolen goods (in case you know that they have been stolen or that you have to assume that they were stolen) is under penalty. Thus, the people deciding on doing that are definitely acting against the law and might be penaltized. That will be up to the courts to decide about.

Read the rest of this entry »

These days I had a discussion with a vendor who sells different security tools which make up sort of an Endpoint Security “suite” about my and his view on that market. He was sort of offended by my critical view on today’s endpoint security market and claimed that his company and many of his competitors are selling large amounts of licenses to customers. Thus I must be wrong when telling people that the market isn’t really mature today.

My view on endpoint security is, by the way, not as sceptic as the one I have on the DLP market (Data Leakage Protection/Prevention). I think that well integrated, feature-rich endpoint security solutions are an important element within security strategies. But the bar is set high. Endpoint Security solutions have to fully protect different types of endpoints. That includes AV, local firewalls, WLAN security, encryption, device control, and other elements. All these features have to be well managed. And well managed means centrally managed, integrated with existing and potential other new elements of the overall strategy. Active Directory integration is key in Windows environments. Integration with SIEM tools or at least open interfaces are a required feature. For sure, there needs to be one set of policies for all security features of the endpoint. Existing system-level features should be as well integrated, starting with Bitlocker on new Windows versions and for sure as well including interfaces to Windows Group Policies. To name just a few of the expectations I have on Endpoint Security Suites.

Endpoint Security thus goes well beyond the point solutions in the DLP market which I see even more critical.

Unfortunately, no vendor today fully supports all requirements I have on Endpoint Security solutions. That might change over time. But even then, Endpoint Security will be only one element within a security strategy, which has to be combined with IAM (Identity and Access Management) as the foundation for most parts of security, with more advanced information protection solutions (shielding information not only at rest, but as well on move and on use), centralized solutions (which might even overlap with endpoint security to some degree – look at what Finjan provides) and so on.

Thus this mean that you shouldn’t invest in Endpoint Security tools? No, for sure not. But a customer should be aware of the shortcomings of today’s offerings. And he should understand that he addresses only part of the overall problem (even while Endpoint Security at least might address a larger part of the problem, compared to many of the point solutions offered under the label of DLP). And vendors might use the bar I have set as sort of benchmark for their solutions and sort of advice for their product management instead of complaining that the bar is set to high. The fact that they are selling their products only proves that there is a strong demand for endpoint security solutions and that customers are even willing to buy immature solutions – it doesn’t prove that their solutions are mature.

My advice for customers: Understand the strengths and shortcomings of today’s offering in endpoint security, understand endpoint security as part of a larger IT security initiative, and define your selection criteria according to that.

My advice for vendors: Don’t rest on your current success but go a step back and think about what will be needed tomorrow and in some years from now. The Endpoint Security market will evolve, there will be significant changes. And it will be more and more understood as part of a bigger IT security approach.

I’ve observed an increase in discussion around data leakage prevention – finally. This discussion is overdue, given the fact that data leaks are common in most corporations. Internal documents, eMails, blueprints aren’t under control in most cases.

The need for data leakage prevention automatically leads to two topics: Information Rights Management (IRM) and Identity and Access Management (IAM). Both are tightly coupled. Identity Management is about managing the identities. Access Management is about controlling access, but mainly to defined “information silos”. Information Rights Management is about controlling access to information in the flow. But, in fact, IRM is nothing else than a specific for of Access Management – isn’t it?

If you look at Microsoft’s advances in IRM with Windows Server 2008, the central role Identity Management has for IRM becomes obvious. The most important improvement is the integration of Identity Federation and IRM, with the result of Federated Rights Management Services. This isn’t surprising, because IRM requires the knowledge of the users, groups, and roles which shall have access to information. That is easy within an enterprise, but it becomes a quite complex issue in the communication with more or less tightly coupled business partners. Federation is the obvious answer to this.

Thus, IAM and IRM will grow together over time, with IRM as a specific application of IAM. Companies which face the data leakage problem – virtually every company – have to define their strategy for IRM in the context of IAM. This context is necessary because IRM requires reliable identity information and because IRM is just another form of Access Management. And a major topic at our European Identity Conference.

The good news is that this dependency is seen by some vendors as well. The bad news for Data Leakage Prevention is that there are neither standards nor implementation which will cover the entire breadth of (electronic) corporate information, e.g. from Microsoft Word to CATIA to Lotus Notes. But the growing demand for solutions might change this over the next two or three years.