The GRC Marketplace is shaking up: SAP and CA partnering on GRC

11.08.2010 by Sachar Paulus

In the last weeks, I had a number of interviews and product / vendor briefings about GRC related products. And as you may have noticed, the marketplace is still pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (although I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy management) as well as controls and IT controls management tools, besides access governance and financial risk management applications.

I believe though that it only makes sense to actually implement a holistic GRC management framework in an enterprise if there is a common, integrated and standardized way of managing policies, controls, risks and improvement projects. There is no value in buying a multitude of isolated solutions that perform extremely well on certain aspects, because then the integration know-how still rests with the people – and isn’t GRC actually exactly about reducing the risk that the enterprise is exposed to by people involvement, for personal, political or financial motivation?

The real value of implementing GRC projects only comes – very similar to ERP, history repeating – with an integrated framework. There are two ways of achieving this: first, by standardization (such as SOA), and second, by market dominance (such as R/3). And to be honest, none of the vendors I have been able to listen to is in my view in a position to advance the standardization path in that market.

With the recently announced partnership between SAP and CA, SAP pursues – similarly to Oracle – a pretty intelligent move: they will be able to integrate real-time information from SIEM and other solutions from CA, one of the established players in the IT infrastructure environment. The simple announcement will shake up the space: until now, GRC was about prevention and mitigating activities, but the reaction part was left to IT or to other response functions (fraud management, corporate security, etc.). But with that partnership, GRC actively covers a “real-time” view on the threat / risk situation.

Another aspect: with the partnership of two giants, de-facto standardization will automatically happen. If, say, RSA now wants to provision SAP GRC too, they will need to adopt the interface definitions that the two have defined…

So: good move, SAP and CA.

Impressions from the IT-Analyst Event in London

19.07.2010 by Sachar Paulus

Last week I was invited to the IT-Security Analyst & CISO Forum Event in London, with a few vendors and a few CISOs. The form of the event is unique, and thanks to Eskenzi PR it is an excellent opportunity to gather the expectations from CISOs and the answers to these by vendors. Here are a few impressions and take-aways:

- “Most of the vendors’ products are crap, they are fundamentally flawed in the sense that they do not increase security a pence”, as one of the CISOs said (Chatham House Rule applied). More specifically, when asked for more details, most of the tool and product vendors are still relying on the wrong assumption that CISOs want to “extend the border of the enterprise” or “secure the perimeter”. But this is good for nothing: for businesses to be productive, information has to flow, and must be protected there – and not retained “within” the enterprise.

- Consequently, DLP (Data Leakage Prevention) is a market which does not really exist. Those that are buying DLP do this for compliance purposes, just like buying Anti-Virus products (although they do not even discover 40% of the more recent attacks…). So the chance of using actual DLP products to really detect or prevent information leakage is pretty low.

- Secure software development is still to a large extent not understood, neither by vendors nor by the CISOs. They mostly think that they are done with the subject when they employ white box testing and use an application level firewall. Oh man – so much work ahead to communicate what this is really about.

- Top of their priority list (very interesting): the “bring in your own device” policy. How to enable business infrastructure and applications to securely support personal devices (from notebooks to smart phones) as endpoints. Very interesting direction; finally we got the “all in the internet” type of assumption for company information access through a more financial motivation… Still, many questions around legal responsibilities and technical capabilities remain to be solved.

Now to the vendors (just a few interesting notes):

- FaceTime (the name needs to change, after Apple’s announcement that their video conferencing on the iPhone is called that) basically does compliance-driven monitoring and management of the usage of social media for enterprises. Seems low profile. But driven by customer innovation they have built a strong capability of detailed authorizations for internet apps, so they do in fact “GRC Access Control” for internet apps… Interesting development.

- S21Security from Spain, currently perceived as a SIEM vendor in the financial vertical, is actually able to detect fraud on the basis of log information of core banking systems, with first experiences in the SCADA world. So they actually do interesting GRC analytics…

- BeCrypt has a nice application to simply but securely extend the enterprise using bootable USB sticks. Defence-grade!

- M86Security, one of the largest vendors of real-time threat detection for web, with a footprint of 24000 (!) customers, seems to be a pretty useful solution – what if they offered this “as a service” for consumers who route their web traffic through one of their servers? Would be pretty cool…

All in all: the market slowly changes from pure compliance products towards real protection solutions. This is definitely a sign that customers are getting more educated about the real threats. But on the other side (see the note on secure software above), there is still a long way to go…

Cloud Security = IDM+ERM, BUT: who will drive it is the real question!

29.06.2010 by Sachar Paulus

My last blog post on what will be needed to really, really secure applications in the cloud was heavily discussed, which I think is a good sign; obviously there is something to discuss…

But let’s get a bit more down to the real problems. Of course, DRM is not the same thing as ERM (let me stick to ERM for the time being), and most of the companies having integrated DRM technology into their content offering have absolutely no clue about the potential complexity of access rights one might need in a company context – just look at the average number of enterprise roles for a medium-sized company. BUT: they are successful for two reasons:

a) they are simplifying the processes and interfaces to the user as much as they can, and

b) they use one specific business process.

Maybe it is just the too-generic approach of most ERM offerings that is the reason for their relatively low usage. Some companies that actually start to “profile” specific ERM usages along the line of certain business processes in verticals (Adobe, and Oracle to some extent, from what I have seen) may have understood this. So again, content context is key for leveraging ERM technology.

But the real hard problem is of course: how will we deal with protected digital documents (including XML “records”) across company boundaries? The myth of being in the center of everything by providing a proprietary format – and thus forcing the users to accept one specific solution – will not work as soon as processes cross multiple companies, just look back at PKI… So there is need for interoperability and standards.

But who will take the lead here? The content providers? Actually, I could imagine a future where a BI report (e.g. the sales pipeline, real-time or once a day) is no longer protected by deep, complex authorization objects in the ERP / BI report, but instead the report is generated as a piece of content (maybe including video) and equipped with consumer-like protection (“this copy is for you, and you can send it to 3 friends…”). Sounds weird, but actually it is not that far from real: it may be simpler to do it that way than to map the complex ERP authorizations and roles via federated identity management and integrated, interoperable ERM to ERM “authorizations” and to contact Access Decision Servers using standardized formats…

Don’t get me wrong, the “BI as Content Blob” protection concept is far from ideal, and the other mechanism would be the “real” solution… But to avoid such a situation (and I am sure such a model would find vast acceptance, except by those responsible for security ;) ), we need the major players to come together to address the following issues:

1) What needs to be standardized, exactly? Document formats? Authorization semantics? Exchange protocols? Policy mapping? Communication protocols with Access Decision Servers?

2) Who can contribute what? And from where to start? Simple solutions first to get things going, or doing it right from the beginning? Would that be a similar initiative like Liberty Alliance, or more a standardization effort like WS-*?

3) How to integrate the structured with this unstructured world? There are first attempts, but only based on bilateral integrations, without any standardization thinking (back at SAP, I drove this to some point, but only now first results can be seen…).

So the topic is much more difficult in reality than one might think. It is NOT solving the problem to use one of the ERM vendors. That would only solve local issues, and thereby produce others…

Cloud Security = Interoperability for DRM

17.06.2010 by Sachar Paulus

This week was very interesting for me. I have had a number of calls and meetings with people dealing with software components and architectures that will make the cloud secure.

And the most interesting observation is: actually everything is there. We as an industry could simply start doing secure clouds right away. It is of course not so much about the standard stuff that we often hear: trust in the cloud providers, their ability to deal with data privacy requirements, or multi-tenancy capabilities of enterprise cloud services.

No. It is actually about how to secure the data between and within cloud services. And the key to achieving this is DRM technology. Well, it is pretty straightforward when one thinks about data storage in the cloud: obviously Information Rights Management or Enterprise DRM will take over the role of drive encryption in cloud-based models for data sharing and storing.

But what seems to be less obvious is that the same technology can in principle also be used for protecting information within applications. Note that the media industry has already addressed a number of issues, such as streaming with DRM protection or multiple copies of the data.

There is one missing piece, though – well, not really a missing piece: interoperability. The formats of DRM protected information are widely different from vendor to vendor, and there are three big players again: Microsoft, Adobe and Apple. It will be interesting to see how especially the battle between the two latter will affect how the protection formats will evolve.

And as with other battles for standardization, there will be room for companies to use this missing interoperability to develop tools that help with it. I’d be curious about who will take on that challenge…

My new iPad and Identity Management

01.06.2010 by Sachar Paulus

Today, I ordered my new iPad. I am really eager to use it, especially as a multi-purpose information and media home device. So far, so good. Obviously a device like this will be THE front end for the brave new Cloudy Web Services world. Whether via classical http(s) requests or via WS-*, the Apps on these kinds of devices will make the Cloud happen to the average home user.

But: I am not sure how this fits into the identity management demands of these services. Haven’t we seen so many integration and convergence trends in the identity space in the last months? How do these actually match the front-end development trends? Obviously, the latter will be making the market, so how will the security guys follow?

Or, simply put: who cares about my credentials on the devices? Do I need a credential per app, or what? We have put so much effort into getting rid of this problem on standard platforms – how will the mobile market adopt these? Or will it simply be the provider who will take care – he knows our identity anyway…

Lots of unsolved security questions, not to mention the need for data encryption at rest – rest? What rest? Er, I mean “in memory encryption”…

So in the end I am not sure whether the iPad will make us more secure. I cannot even give a guess. That is bad.


© 2010 Sachar Paulus, Kuppinger Cole