I guess it became unpopular to read printed news in some societies but I really enjoy reading WELT KOMPAKT, a smaller printed formfactor of well-known daily WELT. Today, the more or less entertaining “Internet” section had a lead article called “Safe in the Web 2.0″ or “Sicher im Web 2.0″ by author Peter Zschunke. Eager to learn more about how “the general public” is informed about the dangers that lurk in the web, I read the mid-size article, featuring a James Bond-like shot of what seems to be Security Ops Center. My interest turned into surprise, ending in a sort of rage when I finished the article.
It takes quite some time and effort to make me angry, but I instantly – for the first time in my life – wrote a letter to the author and the editors, and went like this:
Sehr geehrte Damen und Herren, sehr geehrter Herr Zschunke!

Ich habe anfangs mit Interesse, später mit zunehmender Verwunderung das gelesen, was die Welt Kompakt als redaktionellen Beitrag in der Internet Rubrik hat drucken lassen. Für mich klingt diese doch sehr einseitige, leider wenig von journalistischer Qualität sprechende Berichterstattung eher nach Advertorial, denn nach guter Recherche und umfassender Information. Dem Format und dem Umfang sei geschuldet, dass hier nur ein Bruchteil der Problematik von Datensicherheit und Datenschutz im Web 2.0 beleuchtet werden kann – aber dann ernsthaft dem Leser zu vermitteln, die Firma RSA hätte „die Lösung im Schrank“ und könne diese Probleme quasi „wegzaubern“ wenn sich die sozialen Netzwerker denn endlich mal aus dem Sessel bequemen würden? Das halte ich nicht nur für inkorrekt, ich halte es für gefährlich! Zumal „RSA“ nun wirklich nicht das Produkt sondern der Firmenname ist und Sie, wie ich annehme, eigentlich von einer Kombination der enVision Produktlinie mit anderen Werkzeugen sprechen. Zumindest die Nennung einiger vergleichbarer Technologien oder Anbieter wie Novell, ArcSight, CA etc. hätte der Neutralität gut getan… Die Produkte und Lösungen der RSA sind sicher anerkannt und wirkungsvoll – sowohl bei der Analyse von (Fehl-)Verhalten als auch beim Zugriffsschutz und der Verschlüsselung. Aber, um es sinngemäß mit den Worten von Bruce Schneier zu sagen:
„Wer denkt, dass Technologie seine Probleme lösen kann, der hat weder die Technologie noch die Probleme verstanden.“

Das Problem mit der sehr einseitigen Berichterstattung bleibt – es gilt eher am Konzept der sozialen Netzwerke, ihrer Datensammlung und Datenverwaltung zu arbeiten und den Anwender besser aufzuklären. Meiner Meinung nach steht Ihr Artikel der Aufklärung der Anwender eher im Weg, da hier ohne Sinn nach Technologie verlangt wird obwohl der eigene Menschenverstand ein viel besseres Mittel zum Schutz vor Missbrauch wäre. Bei mir hinterlässt dieser Artikel einen sehr faden Beigeschmack.

There is nothing wrong with a good advertorial or product related story, but this was so blatently single-sided, I just could not resist! I would love to discuss this with alll of you – feel free to comment, mail or call me!

#SAPTechEd – SAP Netweaver & GRC Identity Management
During the last 30 month I was rather critical towards SAP´s approach on how to position and further develop the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with whole offering. Besides the fact that Business Objects GRC systems still has some valuable functionality as provisioning tool for complex environments, the capabilities regarding the “Netweaver to SAP application” provisioning can now safely be called “unparalled” in the market. If you have access to the SDN platform, make sure to get your hands on the numerous slides in the SIMxyz track of TechEd. You can learn how to easily implement SAP Netweaver Identity Management, integrate with SAP Business Objects GRC and much more. As pointed out above, the joint deployment of the “standard provisioning engine” and the GRC one does have some benefits, especially if the Compliant User Provisioning (CUP) features are needed due to strong GRC requirements. It has been stressed in the sessions, that such a design needs to be planned very carefully and that cross-competence teams should be in charge of this to get all requirements and stakeholders represented in the final architecture.
Regarding 3rd party system integration, the ongoing standardization plays into SAPs hands, as Keith and I discussed the growing relevance of SPML and SAML 2.0, which, by the way, has now been tested and certified to be working with SAP ID management solutions and might find its way into the core product in the future. More and more provisioning targets become easier to integrate, as the corresponding ISVs now see openness towards IAM solution as a benefit.
To sum the impressions up: Keith and all the others did a great job in “turning around a skeptical analyst”. I am positive, that the current setup and strategy will result in a good position in the ever changing Enterprise Identity Management market for SAP.

I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, operating both out of the US.
Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), the discussion of business opportunities, market pull and demand for GRC in general were almost identical between the three of us.
First let´s check the market pull: both companies said they received multiple requests by existing customers to provide insight on how to couple the more business-GRC oriented SAP solutions and the more IT-GRC oriented SIEM tool Sentinel of Novell. As open APIs were already available and Novell had their products on the path to SAP certification, taking the next step and analyzing the related business opportunity was only a matter of weeks. The joint approach beyond using and testing the APIs was then tested by a large consulting and system integration company in their labs. Looks like when there is a proven market, everybody is interested in providing a solution.
Second, the demand for End-to-End GRC solutions: as KuppingerCole indicated during last year`s GRC event in Frankfurt, more general and broader oriented solution would be necessary and on offer soon. Only 10 month later, not a single-product but a joint solution IS available! SAP and Novell beat our projections and I guess it will take another 6-9 month before we either see another co-op or even a merger between two niche-players to offer a competing solution or product.
Third, the business opportunity: SAP being the Business Intelligence provider they are, quickly was able to provide Novell with numbers on SAP GRC customers and quite a few hundred of them were identified as possible candidates to be addressed for a joint deployment. Vice versa, existing Novell customers with SAP deployments turned out to be of a significant magnitude, thus both groups form a considerable target. We at KuppingerCole can only second, that both the identified customers and the remaining “white space” in the market would benefit from a joint and integrated deployment – the former generating added value almost instantly – the latter reaping the benefits from the then (expectedly) available best practices generated by the early adopters.
General perspective: KuppingerCole sees their own projections and analysis fulfilled ahead of time! SAP and Novell now have a considerable head-start in the market and thus have potential to counter offerings such from Enterprise GRC vendors such as BWise, OpenPages or Mega due to the breadth and depths of the combined solution.
If you like to receive further insight, which GRC approach now makes sense for you, feel free to contact us and make sure to attend our upcoming related webinars http://www.kuppingercole.com/webinars

Communication & Collaboration – that is what email is all about – or should be.
The GoogleWave concept mimics the snail-mail and a wiki at the same time, while being a protocol and an application also.
The demo looks like a cooperative instant-message chat, but showing character by character, making an almost f2f chat impression…
Who used OneNote online before, may be used to see the joint changes of multiple participants in one document – but it is amazing to see even uploads of photos and other material into the wave in a blink of a eye.
To see somebody adding a Google-map into the wave and have it adjusted to show the right location IS amazing!

Let us put it like this:
As a digital nomad and “never in the own office” worker, I want this, and I want it NOW!
Now for Enterprise 2.0:
adding a SAP Business Process Design tool Gravity to Wave enables cooperative work on new process designs inside the Wave.
Re-designing processes to adjust changes caused i.e. by Mergers & Acquisitions now becomes easier due to real-time collaboration between subject matter experts. Cool user experience…

Again, sorry for bothering you with non-IAM information, but this is heavily interesting for those looking into Business-GRC.
Jut now, Nokia, SAP and Gieseke+Devrient announced the JointVenture calles Original1, which will offer SaaS solutions for anti-piracy and anti-conterfeiting projects.
Goal is to enable customs officers, supply-chain service providers and possible whole-sale customers to check and verify if a certain batch or delivery is actually original product or counterfeited merchandise.
The solution will leverage technology by all three vendors, comprising SAP ERP back-end information, Nokia mobile device extensions for on-site reading/scanning of products and Gi+De technology to secure the process steps and information. The company will be led by Claudia Alsdorf as CEO and will be located in Frankfurt, Germany. As to specific requirements, the solutions will be technology agnostic and available on devices and systems not offered by the contributing parties.
Target customers will be the brand-owners and vendors of high-value or high-risk products, e.g. luxury goods, pharmaceuticals or the like.

Did you find yourself adding hash-tags in emails or “old-fashioned” blog posts recently?
Well, I think we are all tweeting quite a lot (except for me, I do not spend to much time on it) and organizing tweets that way is a good thing, for sure…

In between two Netweaver security tracks I just wanted to give you an update on the cool show, SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC in Munich.
Novell made some great announcements recently and – to no surprise for me – their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies.
Just a few weeks ago, doing an invited talk at the SAP Partner Port in Waldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to Business GRC, while they really lack the depth needed to control everything down to the system-level, aka “more technically”. As a complimentary solution vendor, I showed some Novell slides, and the reactions were pretty … ambigious.
While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find my self to be proven by reality – my own little “analyst crystal ball” only had a “warning period” of roughly 4 month, though. Maybe I should get to London and place some bets, before making my next presentations…
SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)

Ok, this should be a blog about insights to the general Identity & Access Management and Governance, Risk Management & Compliance Markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G(UMTS) on netbooks, every once in a while, but I think one blog is enough to maintain and publish stuff to ;- )
So, who ever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze in these days, but you may be as puzzled as I was, when I pulled the card from the reader and the system did NOT lock itself…
Well, as my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out):
Even with a corresponding GPO in the AD set, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader as Microsoft chose to create a new system service called Smartcard Removal Policy – and it is set to MANUAL. Unless you look that service up in the “Services” menu and change its start behaviour to “Auto”, you will not get the expected results—
Just to get you a faster solution if this should occur to you, too!
Keep up the safe&secure computinge experience!

Well, unlike Falco in his famous hit single, this time it is SAP, who´s calling the worlds´ERP elite to Austrias capital next week – and I am happy enough to participate in this one-in-a-thousand events that really stand out. My very high expectations regarding the expertise I am planning to meet is only paralleled by the curiousity if (and if yes, who) there is gonna be a star like Zucchero performing as part of the event
Ok, back to the real issues, because there is lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance as I am looking into the SAP and 3rd party audit and compliance solutions available today. Besides SAP´s own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master´s thesis I have been advisor for. Next is “mesaforte” of Swiss Wikima4 AG and last not least the SAST System Audit and Security Toolkit, of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders).
Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer!
Looking forward to meet you in Vienna!

Asa tech savvy person and all-time traveller I recently acquired a mobile network data flat of one of the local German and international providers – the one with pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or – in my case – one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless ad comes with Windows XP Hometo my demise. Failing in preparing a proper backup (Acer gives you a backup software to burn media – but a netbook does not have an optical drive, and maping the DVD burner in my home Vista machine is not acceptable use of the software – and thus deactivated) I killed XP home anyway and installed Win 7 fresh of a 8 GB USB flash (see here for a geek howto, or here for the DAU help with prepping the USB stick). All worked well – even a complete Office 2007 and Visio2007 found its way on the device – no driver problems, except… for the 3G!

I spent way too much time to figure this out, so here are the resources needed:
Driver handling & tweaking plus driver links

http://www.itgrl.de/2009/03/31/aspire-one-3g-treiber-fur-umts-modem/

Driver Links Acer
http://global-download.acer.com/GDFiles/Driver/3G/3G_Option_5.0.12.0_XPx86_A.zip?acerid=633776034442008284&Step1=Netbook&Step2=Aspire One&Step3=AO531h&OS=X01&LC=de&SC=EMEA_8
Driver Links Option (IMEI required!)

http://www.option.com/en/support/software-download/product-list/

After trying desperately to use the T-Mobile web´n´walk software for a while (even the EMBEDDED Version taken from the mysterious FTP server in Czech Republic) did always UNINSTALL the Option drivers leaving my netbook without connectivity.
Using the ACER Software DOES the trick though, but yu have to tweak it:
the Acer 3G Connection wil fail to connect (it finds the device, SIM is entered, network is acquired) but the it get stucks while “connecting” aka “Verbinden…”.
Again, calling the friendly mobile provider support, we quickly analyzed that we are only one step away. Simple solution:
create a new modem connection with *99# as the number to be dialed and all works well suddenly!

Now, back to real work… message me if you have a working setup with w´n´w software on Win 7 and internal Option MOx40 cards… or actual stand alone drivers for Win 7 that are NOT deleted when installing w´n´w

Dear readers, the following post is provided bi-lingual but does not represent a one-to-one translation. Most information is for German speaking readers, so the English version is comparably short! Still, there is some general info in the English part, so please make sure you read both parts…
The ICF German Chapter Inauguration Meeting
www.informationcard.de
Participants: Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo, KuppingerCole and MANY more!

Initiated by Jens Fromm of Fraunhofer FOKUS in cooperation with Axel Nennker, Deutsche Telekom Labs, a local German speaking chapter of http://informationcard.net/ was established. The founding members and supports of www.informationcard.de will try to align their efforts as much as possible to establish an interoperable and easily to adopt exchange network, where not only cross-testing but also fully operational systems can be deployed. Goal: to foster the adoption and usage of infocards in the German speaking countries by bringing together stakeholders such as card-providers, infrastructure providers, service providers and possibly providing info to consumers.
A number of member presentations on technology, background, usage-scenarios and development provided a deeper insight to what is happening in the ICF and between partners. In brief, there where presentations of Deutsche Telekom of a mWallet with Nokia Symbian (NFC, functional) or Apple iPhone (just a UI, not yet fully functional) that showed a P2P (mobile2mobile two Nokias, touching…). Other use-cases besides money transfer comprise cinema ticketing and POS payment in a canteen. There also was a demo on hotel booking again with Nokia/iPhone, that visualized the goal of having the same look & feel on all devices. Additional (and excellent!) demos where provided by Corisicio and fun Communications, showing different ways and methods to access the KuppingerCole Site with IdentityCards. Microsoft rounded it up with showing how to authenticate to special online workspaces using Windows 7 and IE8.
The next month will show how the participants will create their network and infrastructure that will provide a continually usable test-bed and also an environment for real applications. Especially, it will be interesting how removing the language barrier will contribute to creating best-practices that can be handed back to larger InformationCard Community in the ICF. KuppingerCole supports these efforts by serving as a live-site to authenticate with IdentityCards as well as promoting the use of IdentityCards in a broader, more open and public community.

DE
Eine der ersten großen Teilsessions auf der European Identity Confernce in München war das Treffen der deutschsprachigen Abteilung der InformationCard Foundation http://informationcard.net/, das weit über 20 Teilnehmer bewegt hat, sich schon vor den Keynotes am Vormittag des ersten Konferenztages zusammen zu finden. Unter Mitwirkung einiger amerikanischer Vertreter haben sich Mitarbeiter von Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo und von KuppingerCole getroffen, um den derzeitigen Stand der Entwicklung zu zeigen. Wichtigster Punkt war die voll-funktionale Demonstration der Anmeldung an der KuppingerCole Site mit einer InformationCard.
Das Ziel des Treffens war es, alle Beteiligten und Interessierten zusammen zu bringen, die entweder aktiv an der Entwicklung von InformationCard Technologien, Kartenselektoren oder Anwendungsszenarien arbeiten. Neben der bereits angesprochenen live-Demonstration der KCP-Anmeldung wurden mehrere Ansätze zur Verwendung auf Mobiltelefonen (iPhone und Nokia Symbian) mit NFC Anbindung vorgestellt, die insbesondere dem Anwender viele Möglichkeiten zur Mehrfachnutzung bieten. Die Teilnehmer waren sich einig, dass das allgemeine Problem die bisher fehlende Adaption durch die Anwender sei – ein Weg diese Adaption zu verbessern ist eine möglichst niedrige Einstiegshürde. Im Detail bedeutet dies, ein weit reichender Support diverser Endgeräte, eine möglichst einfache Installation und Konfiguration der notwenigen Software auf den Endgeräten und eine ebenfalls möglichst hohe Portabilität bzw. Nutzbarkeit in vielen Anwendungsszenarien. Exzellente Live-Demonstrationen von fun Communications und Corisecio (ebenfalls Anmeldung an der KCP Site, jedoch über Mobiltelefone) untermauerten den hohen Anspruch, den Gruppe an sich selbst stellt.
Die kommende Monate werden zeigen, wie sich die deutschsprachige entwickelt und welche speziell auf den zentraleuropäischen Wirtschaftsraum abgestimmten Konzepte und Lösungen als best-practise an die Mutterorganisation weiter gegeben werden können. KuppingerCole unterstützt die Initiative nach Kräften – unter anderem mit der Möglichkeit zur Anmeldung an der KCP Site mit IdentityCard und natürlich mit allen zur Verfügung stehenden Mitteln um Anwender für die Technologie zu begeistern.