What is the future of trust?

29.09.2011 by Martin Kuppinger

Trust is a fundamental concept of today’s IT. Security is based on trust.

We have (or better: had, after DigiNotar?) trust that a web server which has a valid SSL certificate is the server it claims to be.

We had trust that RSA SecurID tokens are secure (which they still are to some degree, but at a lower level than before).

We have trust that our authentication in the Active Directory is done in a secure way.

We trust the identity provider when using identity federation.

However, especially the first two examples raise the question whether the concept of trust is still a foundation to build on. On the other hand: are there any alternatives?

I think we will still need to build on trust as a concept. There is no real alternative. However, we need to be much more careful with this concept and complement it with two other approaches:

  • Mistrust
  • Risk

Mistrust means that we shouldn’t take things for granted. We might challenge “facts” – e.g. authentication decisions and so on. In fact, mistrust is not really new. We might check the URLs behind suspicious links – do they really point to eBay, PayPal or whomever they claim to? We add additional tiers of authentication or stronger authentication mechanisms for sensitive interactions and transactions. But in the light of what is happening these days, with more cyber-attacks and even well-secured, experienced organizations like RSA becoming victims of successful attacks, mistrust becomes more important.
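As an added example (not part of the original post) of the “check the URL behind the link” kind of mistrust: the small checker below compares the host a link actually leads to with the brand its text or address invokes. It catches subdomain padding (paypal.com.evil.example), userinfo confusion (https://paypal.com@evil.example), a brand name hidden in the path, and simple look-alike hosts. The brand-to-domain table and the sample links are constructed for this example; a real deployment would use the organization’s own allow-list.

```python
"""Added example: flag links whose real host does not match the brand they claim."""
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> registrable domains it legitimately uses.
TRUSTED_DOMAINS: Dict[str, Set[str]] = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com", "ebay.de"},
}


def effective_host(url: str) -> str:
    """Lowercase host the browser would actually connect to, or '' if unusable.

    urlsplit() drops userinfo and the port, so https://paypal.com@evil.example/
    yields 'evil.example'. Non-http(s) schemes and bare paths are rejected.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. malformed IPv6 literal
        return ""
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        return ""
    return parts.hostname.rstrip(".")


def host_matches(host: str, domain: str) -> bool:
    """True if host is the domain itself or a label-wise subdomain of it."""
    return host == domain or host.endswith("." + domain)


def claimed_brand(text: str) -> Optional[str]:
    """Which brand keyword (if any) the given text invokes."""
    lowered = text.lower()
    for brand in TRUSTED_DOMAINS:
        if brand in lowered:
            return brand
    return None


def check_link(link_text: str, href: str) -> Dict[str, Optional[str]]:
    """Classify a link as 'ok', 'suspicious' or 'invalid'.

    Suspicious: a brand is named (in the visible text or anywhere in the URL)
    but the effective host is not one of that brand's trusted domains.
    """
    host = effective_host(href)
    if not host:
        return {"verdict": "invalid", "host": None, "brand": None}
    brand = claimed_brand(link_text) or claimed_brand(href)
    if brand is None:
        return {"verdict": "ok", "host": host, "brand": None}
    trusted = any(host_matches(host, d) for d in TRUSTED_DOMAINS[brand])
    return {"verdict": "ok" if trusted else "suspicious", "host": host, "brand": brand}


# Constructed sample links: (visible text, href).
SAMPLE_LINKS: List[Tuple[str, str]] = [
    ("Sign in to PayPal", "https://www.paypal.com/signin"),
    ("Sign in to PayPal", "https://paypal.com.account-verify.example/login"),
    ("PayPal", "https://paypal.com@evil.example/login"),
    ("Resolve your case", "http://evil.example/paypal/resolve"),
    ("PayPal", "https://paypa1.com/"),
    ("eBay item", "https://www.ebay.de/itm/123"),
    ("Our blog", "https://blog.example.org/"),
    ("Open", "javascript:alert(1)"),
]


def audit(links: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run check_link over a list of links and return (text, href, verdict)."""
    return [(text, href, check_link(text, href)["verdict"]) for text, href in links]


if __name__ == "__main__":
    for text, href, verdict in audit(SAMPLE_LINKS):
        print(f"{verdict:10s} {text!r:22s} -> {href}")
```

The check deliberately works on the parsed host rather than on the raw string, which is where most of the tricks live; it does not try to detect homoglyph domains beyond the allow-list comparison, and anything that is not an absolute http(s) URL is reported as invalid rather than silently passed.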

That is related to the concept of risk. Risk relates to

  • interactions and transactions performed and the information assets affected
  • the level of mistrust and the “objective”, factual security risks

This relation is fundamental. We need to understand what could happen to our information assets (and the real assets behind them). And we need to understand how much mistrust we need. Based on that we can define what we need beyond the trust we might have today.

Technically, this leads to the need for flexibility and versatility. It’s not about a specific type of solution, it is about the ability to combine multiple technologies (for authentication, fraud detection, …) depending on the risks and the level of mistrust. The bad news however is: mistrust will increase and trust will decrease, which will make it more complex to achieve an acceptable level of security for specific risks. And some of the concepts – like SSL – are obviously not sufficient by themselves to address today’s and tomorrow’s security challenges. However: “SSL++”, i.e. SSL plus other approaches, might suit our needs. And approaches like that of convergence.io might help us as well in better rating the risks and applying not only the concept of trust but also that of mistrust. And, despite the mistrust we might feel for rating agencies in the world of finance, having rating agencies for organizations we have to trust, like CAs, might be another approach.
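To make the risk/mistrust relation concrete, here is an added example (not from the original post, and not a published standard) of a risk-adaptive authentication decision. The sensitivity of the affected asset and the transaction value set the assurance that is required; mistrust signals either raise that bar (new device, geo anomaly) or discount a specific mechanism without disabling it (an OTP token family after a seed breach is worth less, a certificate chaining to a CA under suspicion is worth nothing). The decision is then to allow, to step up with additional mechanisms, or to deny when no available combination is enough. All levels, weights and signal names are illustrative assumptions.

```python
"""Added example: risk-adaptive authentication with mistrust discounts."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Context:
    """What is at stake for one interaction (constructed scale)."""
    asset_sensitivity: int                    # 1 = public ... 4 = critical information asset
    transaction_value: float = 0.0            # 0.0 for a read-only interaction
    signals: FrozenSet[str] = frozenset()     # mistrust indicators observed for this request


# Nominal assurance each mechanism contributes (illustrative numbers).
NOMINAL_ASSURANCE: Dict[str, float] = {
    "password": 1.0,
    "otp_token": 2.0,
    "tls_client_cert": 2.0,
    "out_of_band_confirm": 2.0,
}

# Mistrust about a mechanism discounts it: it still works, we just trust it
# less (0.5) or not at all (0.0). Signal names are assumptions for this example.
MECHANISM_DISCOUNT: Dict[str, Dict[str, float]] = {
    "otp_seed_breach": {"otp_token": 0.5},
    "ca_under_suspicion": {"tls_client_cert": 0.0},
    "credential_stuffing_wave": {"password": 0.5},
}

# Mistrust about the situation raises the bar instead of discounting a mechanism.
CONTEXT_PENALTY: Dict[str, float] = {"new_device": 1.0, "geo_anomaly": 1.0}


def required_assurance(ctx: Context) -> float:
    """Assurance needed for this interaction: asset risk plus situational mistrust."""
    need = float(ctx.asset_sensitivity)
    if ctx.transaction_value >= 10_000:
        need += 2.0
    elif ctx.transaction_value > 0:
        need += 1.0
    return need + sum(CONTEXT_PENALTY.get(s, 0.0) for s in ctx.signals)


def effective_assurance(mechanism: str, signals: FrozenSet[str]) -> float:
    """Nominal assurance of a mechanism after all applicable discounts."""
    factor = 1.0
    for s in signals:
        factor *= MECHANISM_DISCOUNT.get(s, {}).get(mechanism, 1.0)
    return NOMINAL_ASSURANCE[mechanism] * factor


def decide(ctx: Context, presented: List[str]) -> Tuple[str, List[str]]:
    """Return ('allow', []), ('step_up', extra mechanisms to demand) or
    ('deny', what was tried) when no available combination is sufficient."""
    required = required_assurance(ctx)
    achieved = sum(effective_assurance(m, ctx.signals) for m in presented)
    if achieved >= required:
        return "allow", []
    remaining = [m for m in NOMINAL_ASSURANCE if m not in presented]
    remaining.sort(key=lambda m: effective_assurance(m, ctx.signals), reverse=True)
    step_up: List[str] = []
    for m in remaining:
        gain = effective_assurance(m, ctx.signals)
        if gain <= 0.0:
            continue                 # a fully distrusted mechanism adds nothing
        step_up.append(m)
        achieved += gain
        if achieved >= required:
            return "step_up", step_up
    return "deny", step_up


if __name__ == "__main__":
    print(decide(Context(1), ["password"]))
    print(decide(Context(3, 15_000.0), ["password", "otp_token"]))
    hostile = Context(4, 50_000.0,
                      frozenset({"otp_seed_breach", "ca_under_suspicion", "new_device", "geo_anomaly"}))
    print(decide(hostile, ["password", "otp_token"]))
```

The last call shows the post’s “bad news” in numbers: once the OTP family is discounted and the client-certificate CA is distrusted, the mechanisms left cannot reach the bar for a high-value transaction on a critical asset, and the only honest answer is to deny (or to add a mechanism that has not been discounted).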

Symlabs now part of Quest

08.06.2011 by Martin Kuppinger

Quest just acquired another vendor in the IAM market. Symlabs is more of a “hidden gem”, a vendor that is not very well known. That isn’t surprising, given that Symlabs mainly focuses on federation (somewhat popular) and virtual directory services (not as popular as they should be).

From a Quest perspective, Symlabs adds some missing pieces to the more and more complete puzzle of the Quest Identity Management portfolio, the Quest One Identity solutions. Starting with some Active Directory-centric solutions some time ago, Quest has managed to build one of the broadest IAM portfolios in the entire industry by selectively acquiring vendors like Völcker Informatik or Symlabs – by the way both being European vendors.

Virtual directory technology allows data from various sources like directories and databases to be accessed and flexibly consolidated into virtual directories at runtime, without building yet another physical directory through (more complex) synchronization. I’m a strong believer in virtual directory services for several (not all!) use cases, and my experience from a large number of advisory workshops with end users is that they all are interested in virtual directory services once they have learned about that type of technology. Thus, this non-intrusive technology not only enhances the capabilities of Quest to integrate with different directory services and to access the data therein but might also become a door-opener to new customers.
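As an added example of what “consolidated at runtime, without synchronization” means in practice (this is illustrative code, not Symlabs’ or Quest’s product), the minimal virtual directory below joins two backends per request: an in-memory stand-in for an LDAP directory (name, mail, group memberships) and an SQLite table standing in for an HR database (cost centre, manager). Nothing is copied; a change in a backend is visible at the next lookup, and an account the directory knows but HR does not is reported as such instead of being silently filled in. All entries are constructed for this example.

```python
"""Added example: a minimal virtual directory joining two backends on demand."""
import sqlite3
from typing import Dict, List, Optional

# Backend 1: stand-in for an LDAP directory, keyed by uid (constructed data).
DIRECTORY: Dict[str, dict] = {
    "jdoe": {"cn": "Jane Doe", "mail": "jdoe@corp.example", "memberOf": ["sales", "vpn-users"]},
    "asmith": {"cn": "Al Smith", "mail": "asmith@corp.example", "memberOf": ["finance"]},
    "contractor1": {"cn": "Pat Lee", "mail": "pat.lee@vendor.example", "memberOf": ["vpn-users"]},
}


def build_hr_db() -> sqlite3.Connection:
    """Backend 2: an in-memory SQLite table standing in for the HR database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (login TEXT PRIMARY KEY, cost_center TEXT, manager TEXT)")
    con.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                    [("jdoe", "CC-4711", "asmith"), ("asmith", "CC-1000", None)])
    con.commit()
    return con


class VirtualDirectory:
    """Assembles one virtual entry per request; no copy of either backend exists."""

    def __init__(self, directory: Dict[str, dict], hr: sqlite3.Connection):
        self.directory = directory
        self.hr = hr

    def _hr_row(self, uid: str) -> Optional[tuple]:
        # Parameterised query: the uid comes from the caller, never format it into SQL.
        cur = self.hr.execute(
            "SELECT cost_center, manager FROM employees WHERE login = ?", (uid,))
        return cur.fetchone()

    def lookup(self, uid: str) -> Optional[dict]:
        """Virtual entry for uid, built at call time, or None if the uid is unknown."""
        base = self.directory.get(uid)
        if base is None:
            return None
        entry = {"uid": uid, "cn": base["cn"], "mail": base["mail"],
                 "groups": list(base["memberOf"])}
        row = self._hr_row(uid)
        if row is None:
            # The directory knows the account but HR does not: say so, don't guess.
            entry.update({"cost_center": None, "manager": None, "hr_status": "no-hr-record"})
        else:
            entry.update({"cost_center": row[0], "manager": row[1], "hr_status": "employee"})
        return entry

    def members_of(self, group: str) -> List[dict]:
        """Group membership comes from the directory; each hit is enriched on the fly."""
        return [self.lookup(uid) for uid, e in self.directory.items() if group in e["memberOf"]]


if __name__ == "__main__":
    vd = VirtualDirectory(DIRECTORY, build_hr_db())
    print(vd.lookup("jdoe"))
    print(vd.lookup("contractor1"))
    print([m["uid"] for m in vd.members_of("vpn-users")])
```

The trade-off a practitioner should keep in mind: because every lookup hits the backends, the virtual directory inherits their availability and latency, which is exactly why the post says “several (not all!) use cases”.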

In addition, Quest now has federation technology of its own, another cornerstone of IAM technologies. This will help Quest to expand its Single Sign-On and authentication offerings, but might as well help Quest to add (incoming) federation support as a standard feature of their other solutions.

From my conversations with Quest I know that they have a plan for IAM – and they are executing on it successfully, at least when it comes to acquisitions. However, the more Quest acquires, the more they will have to work on integration and on positioning themselves not as the vendor of a set of tools but of solutions. It will be interesting to observe how Quest executes on that part of what should be in the plan.

SAP focuses on SAML and SAP NW IdM instead of CUA

17.02.2011 by Martin Kuppinger

These days I’ve met with some of the executives of SAP to talk about their roadmap. Overall, SAP is moving forward with its Identity and Access Management products, e.g. SAP NetWeaver Identity Management (NW IdM). And the integration of the recently acquired SECUDE products and technology will significantly enhance the SAP product portfolio. Some of the new features are improved role management capabilities, reporting via SAP BW (Business Warehouse), and new REST-based APIs for UI creation. No rocket science, but valuable add-ons for their customers. SAP is also enhancing the integration with their core products and with SAP BO GRC AC (SAP BusinessObjects GRC Access Control).

The most interesting step forward, from my perspective, is the strong focus on SAML 2.0, which shall become the strategic replacement of SAP Logon Tickets, which are a form of proprietary cookie. SAML 2.0 allows cross-domain use, in contrast to the domain-bound SAP Logon Tickets. And it will provide simpler integration in business processes which span not only the SAP environment but heterogeneous applications. Besides the increased flexibility, SAML can carry much more information about the user. However, the step from SAP Logon Tickets to SAML 2.0 won’t be a hard or even quick migration. SAP will continue to support SAP Logon Tickets – and SAML 2.0 is supported only in backend systems starting with the 7.0.0 release. However, SAML 2.0 offers significant features, and SAP provides (besides the integrated IdP in SAP NW IdM 7.1 and higher) SP capabilities at the backend as well.

Another area of migration is moving from CUA (Central User Administration) to SAP NW IdM. SAP strongly recommends using SAP NW IdM instead of the limited CUA capabilities. Again, this is a smooth migration – CUA won’t, according to SAP, be shut down as long as ABAP-based systems (the older SAP systems) are around. However, it isn’t recommended anymore to install CUA.

In essence, SAP is continuously enhancing its Identity and Access Management capabilities and strengthens not only the integration into the SAP environment but also adds support for heterogeneous environments and standards. Thus, SAP NW IdM is, from SAP’s perspective, an enabling technology for integration within the SAP infrastructure and (especially with SAML 2.0) beyond.

SAP adds an Identity Provider

06.08.2010 by Martin Kuppinger

SAP recently has announced that their SAP NetWeaver Identity Management 7.1 now includes an SAML 2.0 Identity Provider – it requires the Service Pack (or Support Pack) Stack 5 (by the way: who at SAP is responsible for product names??? SAP BusinessObjects GRC Access Control; SAP NetWeaver Identity Management 7.1 SP Stack 5;…).

SAP has been committed to SAML (Security Assertion Markup Language) for a while now – and SAML 2.0 support is found in many places in the SAP portfolio. SAP systems can act as service providers in federation scenarios, with SAML 2.0 enabling Single Sign-On and the sharing of identity-related information. Using the identity provider within SAP NW IDM 7.1 SP 5 (to keep the name short and make it even more cryptic) allows a centralized view on identities to be used within federation. The product can provide the unified view on identities which is a foundation for federation. Without identity information quality, there is no successful federation: garbage in, garbage out.
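Both the point above (SAP systems acting as SAML 2.0 service providers) and the earlier post on SAML 2.0 replacing domain-bound SAP Logon Tickets come down to what the service-provider side has to verify before it trusts an assertion from another domain. As an added example (illustrative code, not SAP’s implementation), the checker below performs the condition checks on a SAML 2.0 bearer assertion: expected Issuer, AudienceRestriction against the SP’s own entity ID, the NotBefore/NotOnOrAfter window with clock skew, the SubjectConfirmationData Recipient against the SP’s assertion consumer URL, and a replay check on the assertion ID. The XML signature check (XML-DSig) is assumed to have been done beforehand by a dedicated library; the assertion, entity IDs and URLs are constructed for this example.

```python
"""Added example: service-provider-side checks on a SAML 2.0 bearer assertion."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion; in production it arrives signed and is verified first.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2011-02-17T10:00:00Z">
  <saml:Issuer>https://idp.corp.example/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@corp.example</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2011-02-17T10:05:00Z"
          Recipient="https://erp.partner.example/saml2/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-02-17T09:59:00Z" NotOnOrAfter="2011-02-17T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://erp.partner.example/saml2</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="costCenter"><saml:AttributeValue>CC-4711</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_time(value: str) -> datetime:
    """SAML uses UTC xs:dateTime, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported timestamp: {value!r}")


def validate_assertion(xml_text: str, expected_issuer: str, our_entity_id: str,
                       our_acs_url: str, now: datetime, seen_ids: Set[str],
                       skew: timedelta = timedelta(seconds=60)) -> Tuple[bool, str, Dict]:
    """Return (accepted, reason, {name_id, attributes}). Signature assumed verified."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not a SAML 2.0 Assertion", {}
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", {}
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return False, "missing Conditions", {}
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + skew < parse_time(not_before):
        return False, "assertion not yet valid", {}
    if not_on_or_after and now - skew >= parse_time(not_on_or_after):
        return False, "assertion expired", {}
    audiences = [(a.text or "").strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if our_entity_id not in audiences:      # an assertion for another SP is useless to us
        return False, "audience mismatch", {}
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != our_acs_url:
        return False, "recipient mismatch", {}
    if scd.get("NotOnOrAfter") and now - skew >= parse_time(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired", {}
    assertion_id = root.get("ID", "")
    if not assertion_id or assertion_id in seen_ids:
        return False, "replayed or unidentified assertion", {}
    seen_ids.add(assertion_id)              # record only assertions we actually accept
    attrs = {a.get("Name"): [(v.text or "") for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, "ok", {"name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
                        "attributes": attrs}


if __name__ == "__main__":
    seen: Set[str] = set()
    now = datetime(2011, 2, 17, 10, 1, tzinfo=timezone.utc)
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.corp.example/saml2",
                             "https://erp.partner.example/saml2",
                             "https://erp.partner.example/saml2/acs", now, seen))
```

Note the audience and recipient checks: they are what lets the same IdP serve SPs in several domains without an assertion minted for one SP being replayed at another, which is precisely what a cookie scoped to a single domain cannot express.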

The enhancement of the product shows where SAP is heading: It is a central element within the SAP NW infrastructure which provides all the identity services required in that infrastructure. There is tight integration with SAP products, but as well support for standards to integrate external applications – like with SAML 2.0 and the inherent support for Non-SAP service providers as well.

The other important enhancement in SP 5 is the Identity Reporting capability based on SAP NetWeaver Business Warehouse. That enhances the reporting capabilities of SAP NW IDM 7.1 – but it requires having the Business Warehouse product in place. Anyhow, the enhancements clearly demonstrate SAP’s strategy for NetWeaver Identity Management: a central piece in the SAP infrastructure, well integrated, and with standards support. The enhancements demonstrate another point: SAP is executing consistently on its strategy. Maybe a little too quietly, but they are moving forward.

© 2014 Martin Kuppinger, KuppingerCole