Stronger and simpler authentication

30.06.2009 by Martin Kuppinger

I’ve seen many approaches for strong authentication – most of them are either too expensive, too complicated, or they aren’t really appealing. The latter is true for approaches like “passfaces”, where you have to pick one or several known faces from different pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches, and especially combinations of, for example, hardware tokens and soft tokens, will work for many use cases.

But there are other approaches which are interesting as well. One which looks pretty interesting is GrIDsure, provided by a UK vendor and implemented by several OEMs right now. The idea is to provide a grid of numbers and to define a pattern within this grid per user. One user might decide on picking the numbers in the corners, clockwise. The next one might pick numbers from the second line, from right to left. Even a relatively small grid allows for many different combinations. And because the numbers within the grid change every time, there is a very high number of changing PINs which can then be entered. The concept is easy to understand, doesn’t require additional hardware and works with any type of device with a display.

Despite being really reluctant when a new vendor appears and likes to tell me that he has found the solution for strong authentication, the conversation with GrIDsure was definitely interesting. At least interesting enough to cover it in my blog and to do further research on that solution.
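The grid-and-pattern idea described above, as an added example that is not GrIDsure's code: a fresh grid is issued per login, the user reads the digits in their secret cells, and the server checks the PIN once and then discards the grid. The 5×5 grid, the four-cell pattern, and the names `GridAuth`, `read_pattern` and `pattern_space` are assumptions made for illustration; the post gives no sizes.

```python
import hmac
import secrets
from math import perm

ROWS, COLS, PIN_LEN = 5, 5, 4  # assumed sizes; the post does not state any

# The two patterns the post mentions, as (row, col) cells on the assumed grid.
CORNERS_CLOCKWISE = [(0, 0), (0, 4), (4, 4), (4, 0)]
SECOND_LINE_RTL = [(1, 4), (1, 3), (1, 2), (1, 1)]

# Constructed sample grid so the result can be followed by hand.
SAMPLE_GRID = [[1, 2, 3, 4, 5], [6, 7, 8, 9, 0], [2, 4, 6, 8, 0],
               [1, 3, 5, 7, 9], [9, 8, 7, 6, 5]]

def read_pattern(grid, pattern):
    """What the user does: read the digits in their secret cells, in order."""
    return "".join(str(grid[r][c]) for r, c in pattern)

def pattern_space(cells=ROWS * COLS, length=PIN_LEN):
    """Number of ordered patterns that never reuse a cell."""
    return perm(cells, length)

class GridAuth:
    def __init__(self):
        self._patterns = {}  # user -> secret pattern chosen at enrolment
        self._pending = {}   # user -> grid issued for the current attempt

    def enroll(self, user, pattern):
        self._patterns[user] = list(pattern)

    def challenge(self, user, grid=None):
        """Issue a fresh random grid; a fixed grid can be injected for tests."""
        if grid is None:
            grid = [[secrets.randbelow(10) for _ in range(COLS)]
                    for _ in range(ROWS)]
        self._pending[user] = grid
        return grid

    def verify(self, user, submitted):
        """Check the PIN against the pending grid, then discard that grid."""
        grid = self._pending.pop(user, None)  # each grid is good for one try
        if grid is None or user not in self._patterns:
            return False
        expected = read_pattern(grid, self._patterns[user])
        # Constant-time comparison of the expected and submitted PINs.
        return hmac.compare_digest(expected.encode(), submitted.encode())
```

On the sample grid the corner pattern reads as 1559 and the second-line pattern as 0987; a new grid would give the same patterns different PINs.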

Pricing models for the cloud

24.06.2009 by Martin Kuppinger

Even though I don’t share his understanding of the term “private cloud” (I don’t believe in that term), I like what Chuck Hollis of EMC has blogged about “Monetizing the cloud”. There are so many open questions around the valid business models for cloud providers as well as for consumers of cloud services. And everyone will have to learn a lot – and learning from others might help to avoid mistakes.

By the way, I also wouldn’t limit the cloud discussion to “providing infrastructure” – it goes well beyond that and covers virtually any type of IT service.

There will be room to discuss things like the correct terminology around the cloud as well as valid business models at Cloud 09, to be held 2nd to 4th of December in Munich – the cloud counterpart to our European Identity Conference.


Why is IBM TIM 5.1 just a minor release?

24.06.2009 by Martin Kuppinger

IBM yesterday announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question as me: Why is it only version 5.1, i.e. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last but not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). In other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that they have some other interesting solutions in the GRC space, especially for analytics and dashboards, IBM definitely improves its positioning in that emerging market segment.

So the GRC stuff is one of the new areas in TIM 5.1. That’s nice, but we have seen that before. Many vendors have either added such features to their products or have released separate GRC platforms – with advantages and disadvantages in both approaches. IBM in fact has tied in that area.

Much more interesting is the addition of PIM capabilities to a provisioning solution. Even though not every aspect of PIM will be solved by what TIM 5.1 delivers, that fulfills my expectations of PIM becoming more and more part of provisioning tools – which is just logical, given that it is about managing accounts. IBM is the first vendor in the market to deliver an integration in that area. Novell might become a close follower given that they have recently acquired a PIM vendor.

With these additions, IBM would have good reasons to name the release of TIM as version 6.0 instead of 5.1. But understanding the reasons for version numbers is definitely amongst the hardest things in IT.

However, IBM shows that they are intensively acting to improve their positioning in the IAM and GRC market space. Being one of the first big companies which had entered that market, there hasn’t been that much evolution for some time. But now IBM is definitely back and moving forward significantly, acting as a strong competitor for the other players in the market. And once they deliver on full GRC solutions, beyond IAM-GRC and access controls (and IBM is amongst the ones who might deliver on that given their strengths in areas like SIEM, ITSM, and others…) IBM might even further improve its positioning.

It’s not about the cloud – it’s about Cloud IT

18.06.2009 by Martin Kuppinger

The biggest problem around cloud computing is the lack of a valid and well accepted definition. Definitions like “scalable services delivered via the internet” fail for example when thinking about “private clouds” which aren’t used via the internet (but at least based on using the same standards). And, by the way, not every cloud service will have to be highly scalable – there will be more and more very specialized services where functionality is key, not a massive scalability.

But the more you dive into the topic of cloud computing, the more obvious it becomes that this cloudy thing of “cloud” (usually associated with the Internet and things which are provided there) isn’t the key thing. The key to success is that companies understand the value of Cloud IT.

What does this mean? Cloud IT stands for consistently using cloud principles in IT – and in every part of IT, not only for consuming some external services. That includes:

  • well defined services (SLAs!!!)
  • a consistent service management across all services, regardless of where they are running (and, based on that, consistent approaches to cloud governance)
  • applications which are agnostic of where they are run or which hardware resources are available – there have to be parameters which might limit the ability to run applications everywhere and the application has to accept the currently available hardware resources but as well should understand that these resources can change dynamically

Defining everything in IT as services in a consistent manner is a fundamental change and the foundation for a flexible use of cloud services. Once you have made that move you can decide (based on parameters of a service) which service provider (internal or external) you will use. Thus, the first step is making your IT “cloud-ready”, i.e. moving towards a Cloud IT. Without that, using cloud services will always be sort of tactical and not strategic.

© 2015 Martin Kuppinger, KuppingerCole