About trademarks in the IAM business

30.07.2009 by Martin Kuppinger

These days I have learned that Fischer International Identity has trademarked to pretty generic terms:

  • Identity as a Service (TM)
  • IaaS (TM)

I wondered (and still wonder) about that. Fischer declared that they have invented that type of business (“a services-based architecture built from the ground-up for the express purpose of cost-effectively delivering identity management capabilities via the Software as a Service (SaaS) model”), built on a SOA architecture, supporting multi-tenancy, being able to work across firewalls. Honestly: Yes, they are an innovator in that space.

Unfortunately, that isn’t the only technology to which the terms mentioned above are applied. There are many different identity services. External identity providers for OpenID, strong authentication services, SSO for the cloud,… – to all these services the terms IaaS (TM) and Identity as a Service (TM) are frequently applied. And if you look at Application Security Infrastructures, then it is as well about providing identity services.

Thus, I agree with Fischer that they are sort of a pioneer in providing “provisioning as a service” (which would be PaaS) but I don’t agree with their view on that they have invented they entire market space for which these terms are used today. Anyhow, it is a little like Daimler having trademarks on “car”, “Automobil”, and other related terms, isn’t it!?

On the other side: Maybe I shouldn’t bash on Fischer for trademarking (why not try to get them?), but the ones on the governmental side which have agreed to trademark these very common terms. What will be next? SaaS (TM)? Cloud Computing (TM)? I really can’t understand that such common terms are trademarked (and I will use some related but somewhat different terms in the future). However, anyone who uses these terms has to attribute ownership of the mark to Fischer International Identity, like they have stated. Let’s look how they deal with the trademarks in practice. And be careful when using these terms.

To comply with the trademarking stuff: Identity as a Service (TM) and IaaS (TM) are trademarks owned by Fischer Internation Identity.


Many test cases for German eID card

22.07.2009 by Martin Kuppinger

Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases.

For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are obviously many partners outside the eGovernment which are interested to use the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued – and the more companies will use the eID card, the more momentum will be there for “buying” the eID card and switching to it from the current conventional ID card. That is about “buying” because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more likely when the card can be used for many use cases.

Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important – there will be many lessons learned. Anyhow, the biggest threat for the eID card still will be the acceptance. Test cases are one thing – the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussions around the eID card, and educating users about the security and privacy (which is pretty good in the eID card concept) is extremly important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around this issues, like “the fingerprints aren’t fully secure”. Yes, in fact, there is some slight chance of abuse – but what the eID card provides is a big step forward for most of the users. Thus, we should look at it more positive and understand it as an important improvement for security in the Internet – with some shortcomings (national, time-to-market,…).

It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.


Vendors might sell even in immature markets

16.07.2009 by Martin Kuppinger

These days I had a discussion with a vendor who sells different security tools which make up sort of an Endpoint Security “suite” about my and his view on that market. He was sort of offended by my critical view on today’s endpoint security market and claimed that his company and many of his competitors are selling large amounts of licenses to customers. Thus I must be wrong when telling people that the market isn’t really mature today.

My view on endpoint security is, by the way, not as sceptic as the one I have on the DLP market (Data Leakage Protection/Prevention). I think that well integrated, feature-rich endpoint security solutions are an important element within security strategies. But the bar is set high. Endpoint Security solutions have to fully protect different types of endpoints. That includes AV, local firewalls, WLAN security, encryption, device control, and other elements. All these features have to be well managed. And well managed means centrally managed, integrated with existing and potential other new elements of the overall strategy. Active Directory integration is key in Windows environments. Integration with SIEM tools or at least open interfaces are a required feature. For sure, there needs to be one set of policies for all security features of the endpoint. Existing system-level features should be as well integrated, starting with Bitlocker on new Windows versions and for sure as well including interfaces to Windows Group Policies. To name just a few of the expectations I have on Endpoint Security Suites.

Endpoint Security thus goes well beyond the point solutions in the DLP market which I see even more critical.

Unfortunately, no vendor today fully supports all requirements I have on Endpoint Security solutions. That might change over time. But even then, Endpoint Security will be only one element within a security strategy, which has to be combined with IAM (Identity and Access Management) as the foundation for most parts of security, with more advanced information protection solutions (shielding information not only at rest, but as well on move and on use), centralized solutions (which might even overlap with endpoint security to some degree – look at what Finjan provides) and so on.

Thus this mean that you shouldn’t invest in Endpoint Security tools? No, for sure not. But a customer should be aware of the shortcomings of today’s offerings. And he should understand that he addresses only part of the overall problem (even while Endpoint Security at least might address a larger part of the problem, compared to many of the point solutions offered under the label of DLP). And vendors might use the bar I have set as sort of benchmark for their solutions and sort of advice for their product management instead of complaining that the bar is set to high. The fact that they are selling their products only proves that there is a strong demand for endpoint security solutions and that customers are even willing to buy immature solutions – it doesn’t prove that their solutions are mature.

My advice for customers: Understand the strengths and shortcomings of today’s offering in endpoint security, understand endpoint security as part of a larger IT security initiative, and define your selection criteria according to that.

My advice for vendors: Don’t rest on your current success but go a step back and think about what will be needed tomorrow and in some years from now. The Endpoint Security market will evolve, there will be significant changes. And it will be more and more understood as part of a bigger IT security approach.


Will DMTF deliver on cloud management?

08.07.2009 by Martin Kuppinger

Recently, the DMTF (Desktop Management Task Force) announced an initiative to develop cloud standards for resource management, packaging formats, and security mechanism to facilitate the interoperability of private and public clouds (and amongst public clouds from different providers). Given my recent critics on the term of “private cloud” that means just standards to be able to use different types of service providers, regardless where they are. The announcement can be found here.

The DMTF starts an Incubator to develop such standards, including existing work and standards like WS-Policy and others. From my perspective, DMTF is an interesting player in that field given that they have succeeded with some other standards around desktop management and systems management. And they have a lot of vendors on board, mainly from the virtualization and systems management market segments. Thus it is likely that they are able to drive things forward. Anyhow, they shouldn’t miss to include existing de-facto standards like the APS (Application Packaging Standard) promoted by Parallels.

There is no doubt that we need a lot of standardization for the cloud. The DMTF initiative addresses current needs of managing the “infrastructure cloud” but will as well influence the level of the “platform cloud”, as long as you understand management for systems, identities, and so on as part of that level. Anyhow it will probably take us some years until we can use cloud-ready systems management tools which rely on the potentially upcoming standards in that area.

And we also have to be aware of the fact that even that initiative will cover only a few of the missing standards for the cloud computing of the future. Authorization management, business-level policy management, SLA standards and many other elements are missing today. Anyhow, any initiative for further standardization is welcome from my perspective, as long as it focuses on integration with other initiatives and existing standards and as long as it delivers – the sooner, the better.

And, by the way: Don’t miss the Cloud 09 Conference in Munich, December 2nd to 4th.


Posted in Cloud | Comments Off
© 2015 Martin Kuppinger, KuppingerCole