The new ABC: Agile businesses – connected

05.03.2014 by Martin Kuppinger

Agility is a key capability of successful organizations. Agility is the ability to quickly adapt the organization and the business model to new customer demands, innovations, and a changing competitive landscape. We live in a time where virtually all business relies on IT. Whether this is retail, finance, or life sciences – business requires IT. The consequence is that IT has to support business agility. No IT agility = no business agility.

One of the biggest changes we are currently observing is the evolution from stand-alone to connected businesses. New collaborative business models, tighter and more flexible integration of customers and business partners, and the upcoming IoEE (Internet of Everything and Everyone) are driving the evolution of businesses. Cloud Computing, Mobile Computing, and Social Computing, the so-called “Computing Troika”, are already consequences of the business demand for agile and connected IT.

The challenge in this evolution is finding the balance between the business demand for agility and connectivity on the one hand and the IT and Information Security requirements on the other. Information Security can no longer think in terms of perimeters, devices, and system security. There is no closed perimeter anymore. Devices are under constant change. Systems might become Cloud services the next day.

The other part of the challenge is managing the users. Instead of focusing on the employees and a few business partners, there is a demand for rapid on-boarding and off-boarding of customers and business partners in changing business and collaboration models. And there is the need to on-board employees to business partner systems, to manage users in industry collaboration networks, and to manage user access to Cloud services.

Information Security in these days of the new ABC is primarily driven by two evolutions. First, there is flexible user management that allows IT to manage the access of all types of users to all types of services – external users and internal users, on-premise IT and Cloud services. Having a (one!) user and access management infrastructure in place to support this change is a key success factor. This infrastructure commonly consists of a mix of on-premise and Cloud IAM.

The other fundamental shift is in what we protect. As the term “Information Security” implies, it is about securing information. In the new ABC, securing information is at the centre of attention. Technologies such as Information Rights Management allow for Secure Information Sharing.

IT that will succeed in supporting the business demand for agility and connectivity will have to move from traditional perimeter and device security towards information-centric approaches and a flexible user management for all types of users. Identity and Information are the new perimeters for security, not the firewall or the device. Rethink your IT and Information Security – get ready for the new ABC.

Sachar Paulus: Security Leadership in the Connected Enterprise

Secure Information Sharing: Which approach to choose?

28.02.2014 by Martin Kuppinger

There are various approaches to Secure Information Sharing (SIS), as I have explained in previous posts. However, which one is the best? As always, there is no simple answer. It depends on the requirements of the customers. Nevertheless, the various product categories have their strengths and limitations.

Let’s look at the categories within SIS first:

  • IRM: Information Rights Management is about technologies that encrypt documents and assign entitlements. Users can only open the documents if they are entitled. Applications enforce the entitlements such as limitations on printing, sharing, editing, etc.
  • Secure Data Rooms: This category provides secure data stores. These data stores can be accessed by various persons, allowing them to share information. A typical use case is sharing data in merger & acquisition processes. Typically, online editing is allowed but downloading is restricted, so that these solutions also can enforce restrictive entitlements on documents.
  • Collaborative Networks: These networks typically are focused on industry collaboration and provide environments that enable not only information sharing but also the management of the users and other functions. The obvious limitation is that they do not enforce entitlements on documents once these are downloaded. However, combination with IRM is potentially feasible.

When looking at these three concepts, IRM appears to be the best choice. The challenge so far has been that IRM solutions had difficulties in managing (external) users, that they were lacking broad application support, and that most of them were rather complex to implement. As mentioned in a previous blog post, Microsoft has removed these barriers with its Azure RMS service. Thus, IRM is now an approach that any organization should consider to fulfill its need for SIS. Aside from Microsoft, there are some other players in the market, such as Nextlabs, Covertix, Watchful Software, or Seclore. They might work well for specific requirements.

The strength of Secure Data Rooms is primarily that they are “ready to use”. Instead of setting up an IRM infrastructure – which even based on Cloud offerings requires some planning – they can be used immediately. Thus they are a good solution for rapid deployment. However, IRM appears to be the more sustainable concept.

Collaborative Networks have a somewhat different role, because they provide value-add services for communities within industries. They are not only a tool but a service. The larger the community, the higher the value.

All approaches to SIS have their strengths and their weaknesses. However, there is good news: There are sufficient mature options now for SIS to finally start the SIS program in any organization. There is no argument anymore for collaborating with business partners without SIS in place.

Don’t miss EIC 2014 – it will be the place to learn more about Secure Information Sharing.

Why Apple’s culture of secrecy is your biggest risk in BYOD

27.02.2014 by Martin Kuppinger

The news of the bug in Apple operating systems has spread this week. As Seth Rosenblatt wrote on cnet, Apple’s culture of secrecy again has delayed a security response. While there is a patch available for iOS, the users of OS X still have to wait.

I have written before about the risks Apple’s culture of secrecy imposes for users. There are two major issues:

  • Apple does not inform either adequately or in a timely manner about security issues. Doing that is mandatory, including providing detailed information about workarounds and patches.
  • Apple still does not have an adequate patch policy in place.

It is well worth reading Rosenblatt’s article, as it provides a number of examples of the consequences Apple’s culture of secrecy has from a security perspective. I can wholeheartedly agree with his final paragraph:

“With its history of lengthy response times to critical security problems, Apple is equally long overdue for a serious re-evaluation of how they handle their insecurities.”

However, the culture of secrecy is just a consequence of Apple’s “we are the best and don’t make errors” hubris – a long tradition of Apple. They positioned themselves as the counterpoint to the error-prone Microsoft Windows products a long time ago. While Microsoft has learned its lessons in software quality, patch management, and security response and patching, Apple did not. Apple has to learn that continuous improvement and a good approach to security response and patching is required for any vendor, even Apple.

This attitude of Apple also impacts the risk evaluation of BYOD strategies. If you can’t trust the vendor, you have to protect yourself. So what can you do, if you do not want to simply ban Apple devices until Apple provides an enterprise-class approach on security responses and patching?

The simple yet expensive answer is: Invest in additional BYOD security measures. There are various options out there, none of them being the “holy grail” for mobile security. However, if you combine information- and identity-centric approaches for security with mobile security, you should be able to better know and mitigate your risks. Unfortunately, doing that means spending even more money to secure expensive hardware without an added value. That’s a high price to pay for the users being allowed to use Apple devices.

There will be a price to pay in terms of restricted use. This might be by limiting access from insecure apps (and there are some that are affected by the current bug) or by temporary access restrictions in case of newly detected bugs, until these are fixed. There might be a need for relying on other, more secure apps, for instance for accessing e-mail, instead of the built-in apps. As always: there is a price to pay. If you don’t want to carry the risk Apple puts on you with its inadequate security policy, you have to invest in security and you will have to restrict use of these devices, impacting users’ convenience.

Unless Apple changes its security culture and overall attitude of “we are the best and don’t make errors”, the advice must be: don’t trust any organization that relies on a culture of secrecy. And care for security yourself.

Is there still a need for keeping Identity Provisioning and Access Governance separate?

25.02.2014 by Martin Kuppinger

When looking at the core IAM (Identity and Access Management) market with its main product categories of Identity Provisioning and Access Governance, some customers and vendors currently raise the question of whether there is still a need to keep these product categories separate or whether a single, combined view on these is the better choice.

Looking at the vendor landscape, some vendors such as CA Technologies or Beta Systems still have two distinct offerings. Others merged their product line from either Access Governance towards integrated Identity Provisioning, such as SailPoint did, or the other way, by adding more and more Access Governance features to Identity Provisioning products. Dell is a good example of that. Oracle, as another example, focuses on increasingly integrating its product portfolio into one suite. Aside from that, there are various vendors that, for instance, have strong Access Governance capabilities with some Identity Provisioning, but also the opportunity to still integrate well with existing Identity Provisioning solutions of other vendors. Examples for that strategy include RSA/Aveksa and CrossIdeas.

But that is only the vendor view on what is happening in the market. The more important question is: What serves the customer’s needs best? There is not a single right answer on that question.

It depends, perhaps, on where these customers are today. Customers that have already successfully deployed an Identity Provisioning solution might opt for a separate Access Governance tool for various reasons, such as reducing vendor lock-in or just because the Access Governance capabilities of their Identity Provisioning solution are not good enough. However, replacing an established Identity Provisioning tool might be too huge an effort to be considered economically feasible.

I also see many organizations, including large organizations, that want to proceed step by step and feel that they should first do the Identity Provisioning basics right. On the other hand, there are many organizations that need a rapid solution for Access Governance, without all the overhead that the technical elements of Identity Provisioning might cost.

There are various other scenarios I have described in detail in a report on Access Governance architectures. My perspective and experience is that there are varying customer requirements. Some need only Identity Provisioning (for instance to replace existing products, having Access Governance already deployed), while others need integrated solutions or only Access Governance (for rapid deployment or to integrate with existing provisioning tools).

Aside from the different customer requirements, there are pros and cons of integrated solutions. On the positive side, customers only need one tool, and the potentially complex integration of Identity Provisioning and Access Governance is already done. On the other hand, there are scenarios where it is about integrating with existing Identity Provisioning tools. Aside from that, solutions that try to cover everything have a tendency to become more complex, while sometimes lacking the depth of features specialized solutions provide. Some vendors manage that well, while others less so.

Beyond that, there is another argument that speaks for keeping Access Governance and Identity Provisioning separate. While Access Governance focuses on business users and bridging the gap between business and IT, Identity Provisioning is far more a technical solution for interfacing with target systems. There might be different owners; there are definitely different user requirements.

These are just some of the reasons why we still keep these segments separate. We are currently updating our Leadership Compass on Identity Provisioning and will do so for the one on Access Governance. We are also working on a Leadership Compass on IAM Suites, looking at the overall IAM market well beyond Provisioning and Access Governance.

Importantly, in both our Identity Provisioning and our Access Governance Leadership Compass, we already evaluate the strength of Identity Provisioning products to support Access Governance requirements and vice versa. However, that is just one view that is kept separate, allowing customers to make their own decisions, depending on their requirements. Putting everything into one basket appears, from our perspective, to be inadequate for that complex market.

The need for Secure Information Sharing

24.02.2014 by Martin Kuppinger

A while ago, I wrote about the changing market for Secure Information Sharing. I also recently published a report on Microsoft Azure RMS, one of the most important products in that market segment, and further reports will follow.

The first question is: What is Secure Information Sharing (SIS) about? It is about technologies that allow sharing information across the boundaries of an organization in a secure manner. Such technologies ensure encryption of the document both in motion and at rest. Furthermore, they apply and enforce access control, restricting access to the documents and (ideally) enforcing entitlements for editing, printing, forwarding, etc.
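The IRM category described in the earlier post (encrypt the document, bind entitlements to it, let the application enforce them) and the SIS definition above (encryption at rest and in motion, access control, enforced entitlements) share one core mechanism: a protected envelope whose policy cannot be altered without detection. The following is an added illustration written for this page, not code from Azure RMS or any other product named here. It assumes a simplified three-party model (publisher, licensing server, consuming application) and uses HMAC-SHA256 in counter mode as a stdlib-only stand-in for the AES mode a real product would use; the user names and policy are constructed sample data.

```python
"""IRM-style protected document: encrypted content bound to a tamper-evident entitlement policy."""
import hashlib
import hmac
import json
import os


def _subkey(master: bytes, label: bytes) -> bytes:
    # Derive independent keys for key wrapping and for the integrity tag from one server key.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stand-in for AES-CTR (assumption for this example).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(mac_key: bytes, *parts: bytes) -> bytes:
    # Length-prefix every field so the tag covers an unambiguous encoding of policy and ciphertext.
    h = hmac.new(mac_key, digestmod=hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(4, "big") + part)
    return h.digest()


def protect(content: bytes, policy: dict, server_key: bytes) -> dict:
    """Publisher side: encrypt the content and attach the policy, both covered by one tag."""
    content_key = os.urandom(32)
    nonce = os.urandom(16)
    ciphertext = _xor(content, _keystream(content_key, nonce, len(content)))
    wrap_nonce = os.urandom(16)
    wrapped_key = _xor(content_key, _keystream(_subkey(server_key, b"wrap"), wrap_nonce, 32))
    policy_bytes = json.dumps(policy, sort_keys=True).encode()
    tag = _tag(_subkey(server_key, b"mac"), policy_bytes, wrap_nonce, wrapped_key, nonce, ciphertext)
    return {"policy": policy_bytes, "wrap_nonce": wrap_nonce, "wrapped_key": wrapped_key,
            "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def issue_use_license(doc: dict, user: str, server_key: bytes):
    """Licensing-server side: verify the envelope, check the user's entitlement, release key and rights."""
    expected = _tag(_subkey(server_key, b"mac"), doc["policy"], doc["wrap_nonce"],
                    doc["wrapped_key"], doc["nonce"], doc["ciphertext"])
    if not hmac.compare_digest(expected, doc["tag"]):
        raise ValueError("envelope or policy has been tampered with")
    rights = json.loads(doc["policy"]).get(user)
    if not rights:
        raise PermissionError(f"{user} is not entitled to this document")
    content_key = _xor(doc["wrapped_key"],
                       _keystream(_subkey(server_key, b"wrap"), doc["wrap_nonce"], 32))
    return content_key, frozenset(rights)


def open_document(doc: dict, user: str, server_key: bytes):
    """Consuming application: decrypt only after a use license has been granted."""
    content_key, rights = issue_use_license(doc, user, server_key)
    plaintext = _xor(doc["ciphertext"], _keystream(content_key, doc["nonce"], len(doc["ciphertext"])))
    return plaintext, rights


def may(rights: frozenset, action: str) -> bool:
    """The application enforces the rights, e.g. it refuses to print without the 'print' right."""
    return action in rights


if __name__ == "__main__":
    # Constructed sample: an internal editor and an external partner with view-only rights.
    key = os.urandom(32)
    doc = protect(b"Q1 merger term sheet",
                  {"alice@example.com": ["view", "edit", "print"], "bob@partner.example": ["view"]}, key)
    text, rights = open_document(doc, "bob@partner.example", key)
    print(text, "print allowed:", may(rights, "print"))
```

The point to notice is that the policy travels with the ciphertext but is covered by the same tag, so a recipient who edits the policy to grant themselves rights invalidates the envelope rather than gaining access; the application, not the file format, enforces print and edit restrictions once the key is released.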

SIS has been a requirement of many organizations for years now, especially organizations that need to share information with a broad number of business partners and have complex supply chains. Some, such as the automotive industry, aerospace & defense, or life sciences, have been looking for such solutions for several years. In some of these industries, collaboration networks that enable SIS are established. These industries also are the ones who have been most active in demanding improved IRM (Information Rights Management) solutions.

So why do we need SIS? There are some reasons:

  • Agile, connected businesses lead to new requirements for collaboration. A good example is the life sciences industry, where success and time-to-market frequently depend on efficient collaboration with various external parties. Such collaboration, especially in a competitive environment with strong regulatory requirements and tough competition, requires the ability to securely share information.
  • Regulatory compliance is a strong driver for SIS. The ever-increasing requirements push the demand for SIS in various industries – again life sciences is a great example.
  • The fear of organizations regarding industrial espionage also increases the demand for solutions that seamlessly protect information at rest, in motion, and in use – and that’s where SIS comes into play.
  • Finally, traditional IT security such as firewalls and Data Leakage Prevention (DLP) are not sufficient to fulfill these requirements. New types of solutions are required.

From my perspective, the potential for Secure Information Sharing (SIS) technologies is based on these considerations and the fact that SIS focuses on the right perimeter. This perimeter is not the server system, it is not the end user’s device, and it is not the firewall. It is the information. Information Security, as the name implies, is about securing information – and that is what SIS does.

My next post on this topic will dive a little deeper into the strengths and weaknesses of various approaches.

Microsoft RMS Security and Confidentiality

21.02.2014 by Martin Kuppinger

Microsoft Rights Management Services (RMS) is a solution that might help Secure Information Sharing become a topic for the masses, at least at the enterprise level. I just recently wrote a report on the product. However, as with any Information Security technology – especially ones that are Cloud-based – there are questions about security details.

For Microsoft Azure RMS specifically, it is worthwhile to look at this post. It describes in detail how RMS protects and consumes documents. The other document worth having a look at is a whitepaper Microsoft published a while ago. That whitepaper goes (among other topics) into detail regarding two important aspects:

  • The various deployment options from fully Cloud to “pretty much on premises”
  • The BYOK (Bring Your Own Key) approach that allows doing a lot of things based on local HSMs (Hardware Security Modules)

These might answer some of the questions you might have concerning security and confidentiality of Microsoft RMS.

Entitlement & Access Governance – the next generation of core IAM

20.02.2014 by Martin Kuppinger

In my new report “Entitlement & Access Governance”, published yesterday, I introduce a new term and abbreviation: EAG for Entitlement & Access Governance. Thanks to Dave Kearns for proposing that term – I like it because it reflects what this is about.

EAG describes approaches that some vendors currently call “Data Governance,” but enhanced and extended. It is about combining fine-grained entitlement management at the system level and the cross-system Identity Provisioning and Access Governance. We see an increasing number of vendors moving in that direction, closing the gap between Identity Provisioning and Access Governance on the one hand and the system-level, detailed management of entitlements on the other.

There always has been a predetermined breaking point between the Identity Provisioning layer (and the Access Governance layer on top of Provisioning) and the system-level entitlement management. While Identity Provisioning typically works on the level of, for instance, Active Directory global groups or SAP business roles, many systems (including Active Directory and SAP) have another system-specific hierarchical entitlement structure below that level. System administrators manage these. If a system administrator changes low-level entitlements – e.g., the ACLs of a local group that is part of a global group – the Identity Provisioning system will not recognize that, at least not in most common deployments today. It will also become too complex to manage everything top-down, so there is a reason for system-level solutions.
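The gap described above can be made visible by computing effective access from the system-level view (nested groups and ACLs) and comparing it with a snapshot taken when the provisioned state was last approved. The following is an added example written for this page, not code from any product discussed here. Group names, resource paths and ACL entries are constructed sample data; the scenario is the one in the paragraph: the provisioning system only knows that alice is in a global group, while an administrator later widens a local group's ACL and nests a further local group beneath it.

```python
"""Detect system-level entitlement drift below what the provisioning layer manages."""
from collections import defaultdict

# Constructed sample data (not taken from a real directory).
FINANCE, PAYROLL, SALES = r"\\fs\finance", r"\\fs\payroll", r"\\fs\sales"

# What the Identity Provisioning system knows: users and their global groups.
PROVISIONED = {"alice": {"GG_Finance"}, "bob": {"GG_Sales"}}

# System-level structure at the time the last access review approved it.
NESTING_APPROVED = {"GG_Finance": {"LG_Finance_RO"}, "GG_Sales": {"LG_Sales_RW"}}
ACLS_APPROVED = {"LG_Finance_RO": {FINANCE: {"read"}},
                 "LG_Sales_RW": {SALES: {"read", "write"}}}

# Current state: an administrator widened LG_Finance_RO's ACL and nested LG_Payroll into it.
# Nothing changed at the global-group level, so the provisioning system sees no difference.
NESTING_CURRENT = {"GG_Finance": {"LG_Finance_RO"}, "GG_Sales": {"LG_Sales_RW"},
                   "LG_Finance_RO": {"LG_Payroll"}}
ACLS_CURRENT = {"LG_Finance_RO": {FINANCE: {"read", "write"}},
                "LG_Payroll": {PAYROLL: {"read"}},
                "LG_Sales_RW": {SALES: {"read", "write"}}}


def expand_groups(group: str, nesting: dict) -> set:
    """Transitively expand nested group membership; tolerates nesting cycles."""
    seen, stack = set(), [group]
    while stack:
        g = stack.pop()
        if g in seen:
            continue
        seen.add(g)
        stack.extend(nesting.get(g, ()))
    return seen


def effective_access(user: str, provisioned: dict, nesting: dict, acls: dict) -> dict:
    """Resource -> permissions the user actually holds via all nested groups."""
    access = defaultdict(set)
    for top in provisioned.get(user, ()):
        for g in expand_groups(top, nesting):
            for resource, perms in acls.get(g, {}).items():
                access[resource] |= set(perms)
    return {resource: frozenset(perms) for resource, perms in access.items()}


def snapshot(provisioned: dict, nesting: dict, acls: dict) -> dict:
    """Effective access for every provisioned user, suitable for storing at review time."""
    return {user: effective_access(user, provisioned, nesting, acls) for user in provisioned}


def detect_drift(baseline: dict, current: dict) -> list:
    """(user, resource, added, removed) for every effective-access change since the baseline."""
    findings = []
    for user in sorted(set(baseline) | set(current)):
        before, after = baseline.get(user, {}), current.get(user, {})
        for resource in sorted(set(before) | set(after)):
            added = after.get(resource, frozenset()) - before.get(resource, frozenset())
            removed = before.get(resource, frozenset()) - after.get(resource, frozenset())
            if added or removed:
                findings.append((user, resource, added, removed))
    return findings


def run_check() -> list:
    """Compare the approved snapshot with the current system-level state."""
    baseline = snapshot(PROVISIONED, NESTING_APPROVED, ACLS_APPROVED)
    current = snapshot(PROVISIONED, NESTING_CURRENT, ACLS_CURRENT)
    return detect_drift(baseline, current)


if __name__ == "__main__":
    for user, resource, added, removed in run_check():
        print(f"{user}: {resource} added={sorted(added)} removed={sorted(removed)}")
```

Run on the sample data, the check reports that alice gained write on the finance share and read on the payroll share although her provisioned global-group membership is unchanged; bob shows no drift. An EAG-style solution centralizes exactly this reconciliation (and the request/approval around it) while leaving the ACL administration itself local.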

EAG balances these requirements, by centralizing functions such as request and approval while leaving system-specific tasks local. I expect EAG to become the next big evolutionary step in core IAM, with some preliminary solutions already out there.

The NIST Cybersecurity Framework for Critical Infrastructures

14.02.2014 by Martin Kuppinger

NIST (the US National Institute of Standards and Technology) has now released the final version of their Cybersecurity Framework for Critical Infrastructures. As requested, this is not a set of new regulations or fundamentally new concepts for security, but, to quote my colleague Prof. Dr. Sachar Paulus, a “well-written summary document incorporating different approaches (lifecycle views, maturity views, communication aspects, risk posture analysis…) that helps getting an operational grasp on the necessary activities, and therefore well-suited as a guideline or education piece for technicians / practitioners. It is by no means sufficient (nor meant) to replace an ISMS (Information Security Management System). So: good that it exists, but in essence nothing new.”

However, it is very likely that it will lead, in consequence, to new regulations. Sector-specific agencies are obliged to engage in a consultative process with various governmental agencies to determine whether current regulations are sufficient for the critical infrastructures sector. This in consequence most likely will lead to new regulations.

When looking at the framework and its Appendix A, the fact that there is nothing really new in this framework becomes obvious. That leads to a simple bit of advice: follow common good practices and standards such as ISO 27001:2013 and CoBIT 5. If there is a need for new regulations in the future, this will be because too many organizations in critical infrastructures do not follow established good practices.

Marketing wants the “social” login – but should they?

10.02.2014 by Martin Kuppinger

It is a common scenario in organizations that the marketing department, business development, or the sales department asks the IT department to support social logins on some of the corporate websites, including eCommerce sites. Admittedly, IT also sometimes proposes such functionality, having technology on hand that allows for simple integration of such social logins.

My colleagues and I have written about that topic before, primarily from an information security standpoint and as part of the BYOI (Bring Your Own Identity) theme. The main reason for social logins is that users want a simple way to login to applications. Social logins are convenient, but limited in their identity assurance.

However, there is another aspect of social logins I have not seen discussed so far, neither by IT nor by marketing people. It is about customer relationships, confidentiality, and competitive advantage.

So let us have a look at what happens when using social logins. Let us assume that there is a customer C that wants to access the eCommerce website E. He might use a social login, maybe using social network F or G. There might be an advertising service A as well in the game and another business B, which as well relies on social logins or works with that advertising service. Finally, there are other websites, let us call them D so that we have all letters A to G in that example.

C logs into F (in fact, he remains logged in there). C accesses E. When he does that, he has the social login and BYOI experience. However, at that time F learns that C is a customer of E. F uses, as part of its business model, that information to provide information to an advertising service A (depending on the social network, that might be its own or an external one). B relies on that service as well. Thus, when C starts looking at other websites (D) that also might work with A, he might see adverts for goods related to his interests – adverts of business E or business B. Even more information might flow, being available in F because C has left a comment somewhere or – as part of today’s or tomorrow’s business models – being sold by A or F to the competitor B.

This theoretical example shows that supporting social logins could be an excellent way to inform competitors about the interests of customers. Does this really make sense from a marketing perspective?

In essence, social logins obviously are not what marketing should request. But what are the alternatives for BYOI? FIDO Alliance, which we covered several times in our posts, might become a game changer in that area. They are not an IdP, but they support the flexible use of strong authentication methods. Combined for instance with integrated strong authentication in devices such as fingerprint readers in mobile devices, this is a way for users to easily register to websites with strong authentication, without relying on a social login. However, the FIDO Alliance does not provide the user’s attributes in the way social networks can. Some of the authenticators could, and so could other IdPs (Identity Providers), based on a strong yet simple authentication.

BYOI is not about social logins only. It is about enabling the user to use their “own” identity – a preferred one, chosen by him – with various relying parties (RPs). From a marketing perspective, it might be well worthwhile to evaluate the alternatives to social logins when requesting support for BYOI.

Learn more about the challenges of social logins in our webinar next week (in German language): “Marketing will das Facebook-Login. Und was ist mit der Informationssicherheit?”

Facebook, Google, Apple & Co: NSA’s best friends

06.02.2014 by Martin Kuppinger

Recently, there have been various articles on the NSA and GCHQ (Britain’s Government Communications Headquarters) collecting data from “leaky apps”, including data from Angry Birds, Google Maps, Facebook, Flickr, or Twitter.

Surprise? No!

Look at another story in that context: There have been extensions to Google’s Chrome browser that have started to spam users with advertisements. What happened? Advertisement companies acquired the extensions and used them in a way unintended by the original developers. Once installed, there is no control over what extensions are allowed to do or not. The extensions are updated automatically. How simple would it be for criminals or for national intelligence services to do the same? Clearly, they would not push spam, but pull information.

Back to the apps (by the way, the same applies to the traditional web counterparts of these services, if there are ones)… The combination of a lack of security and the excessive collection of data about users and their behavior is what we would call a “gefundenes Fressen” in German. A ready-to-serve meal for the NSA.

Simply said: NSA and the others just piggyback on these services. Without companies such as Facebook, Google, or Apple, NSA would have a much harder time. The Reform Government Surveillance Alliance, driven by AOL, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter, and Yahoo, probably is the most hypocritical alliance these days. Why did Apple not implement more user control of the collection of data by apps from the very beginning? Less data would have been available to the NSA. Instead of doing that, they removed apps that help the user control app behavior from their app store. Why did Twitter, Facebook et al. not encrypt traffic from the very beginning? Some of the service providers do now, but most started far too late. NSA then still could have requested access to data, but it would have made the life and work of intelligence services tougher.

With more user control, more user consent, more built-in security, and options for the user to choose between free services (paid in the “privacy” currency) and paid services that ensure privacy, this situation would change. Yes, the companies would have to re-think their business models. But that is what will happen anyway, now that Edward Snowden has opened Pandora’s box. Attention is still mainly on the behavior of intelligence services. But that will inevitably change.

When talking about hypocritical behavior, there are others to blame as well. The users that naively assume that there is such a thing as a free lunch when using free services on the Internet. There isn’t. If you know and accept this, fine. But then you shouldn’t blame the NSA for using that data as well.

However, my favorite example of hypocritical behavior is another one. My daily newspaper – and yes, I still read a print newspaper – is the local “Stuttgarter Zeitung”. Recently, they devoted the entire page 2 to the loss of privacy on the Internet. On the other hand, a few days ago they applauded themselves for having passed the number of 5,000 (or so) Facebook friends for their online presence. They have a Facebook plug-in on the website of their online edition. They support registering for commenting on articles in the online edition based on your Facebook account. Isn’t that the perfect example of hypocritical behavior: on one hand letting Facebook collect more data and on the other bashing on them?

It’s the decision each of us must make, which currency he wants to use to pay for services. However, we should have a choice. And the ones who are the enablers for the NSA collecting masses of data shouldn’t blame NSA – NSA just piggybacks on their business model. They could change this, starting with encryption of traffic and collecting only the minimum of required information, and ending with providing alternatives to “paying in the currency of privacy”. But we should end this hypocrisy. Bruce Schneier recently published two interesting articles that fit in the context here and here.

© 2014 Martin Kuppinger, KuppingerCole