SAP invests in security technology

20.01.2011 by Martin Kuppinger

SAP recently announced that the they will buy most technology assets from the Swiss-German security specialist SECUDE. The developers and other resources will as well move to SAP, ensuring that as well the software as the “brain”ware is available to SAP. SECUDE provides solutions around SAP for strong authentication, single sign-on, and event management specifically to SAP environments. There is a long-term relationship between both companies, SECUDE being a supplier for many SAP customers in the areas mentioned.

One might argue that this acquisition isn’t a real big deal, compared to BusinessObjects or others. However, it is a strategically important one. SAP will deliver the core functionality of the SECUDE SecureLogin product as standard feature, thus the first time providing front-end security. Overall, the deal appears to be part of a strategic shift towards more “security out-of-the-box” at SAP. Other vendors like Microsoft (out-of-the-box), Oracle or IBM (separate products) have heavily invested in security products in the recent years, in many cases through acquisitions. In the press release SAP mentions that customers demanded additional security functionality. And that is what is really interesting with that deal: Security can’t be left to third parties, vendors have to provide solutions by themselves. Security isn’t the core business (in most cases), but the core business requires security.

However, there will still be enough room for third parties, as long as they focus on security for heterogeneous environments or the niches left by the big players. But providing comprehensive security features is increasingly a must for software vendors in the non-security business. When looking at many products out there, there is still a long way to go to provide security out-of-the-box at an acceptable level. By acquiring SECUDE, SAP has made a significant step forward towards this.

Oracle acquires Passlogix

06.10.2010 by Martin Kuppinger

Oracle has announced that they are acquiring Passlogix. That is no real surprise to me. Oracle has been the last large OEM partner of Passlogix for their E-SSO (Enterprise Single Sign-On) solution. Others like IBM had decided for own solutions in the past. Passlogix had some success in direct sales, but being a niche vendor they probably had to decide between an exit strategy or significant investments to expand their own portfolio.

From an Oracle perspective, the acquisition definitely makes sense. Oracle mentions “tighter integration” as the opportunity behind that deal. And that exactly is what the deal is about. E-SSO currently is in a transition phase, from a very focused and specialized solution towards an integrated element within authentication and authorization concepts. Versatility, e.g. the capability to flexibly support different authentication methods in sort of a plug-and-play approach, combined with step-up authentication and other concepts, is just one example of new trends in the SSO market. Integrating E-SSO and Web Access Management as well as Identity Federation is another. And the potential of bringing together Oracles Adaptive Authentication Manager, e.g. risk-/context-based authentication, with E-SSO (e.g. E-SSO based on risk and context) is obvious as well.

With the acquisition, Oracle opens the door for new, integrated approaches beyond classical, pure-play SSO. That fits into what IBM has done when acquiring E-SSO technology or Novell with buying a source code license from ActivIdentity – all players want to better integrate E-SSO with other solutions and all want to have the flexiblity in their product strategy they never can have with an OEM product. What can be done with integrated approaches has been demonstrated by Evidian for quite a while – one consolidated access management.

Thus it will be interesting to observe where Oracle starts to deliver on the idea of integrating E-SSO with other technologies. Even while I overall rate integrating E-SSO positively, there is one aspect which should be kept in mind: A strength of the pure-play E-SSO solutions is that they aren’t intrusive with respect to the existing IT infrastructure. Thus they are very easy to deploy and provide a quick win potential. This advantage shouldn’t be given away.

VeriSign VIP – back again?

24.09.2009 by Martin Kuppinger

It has been pretty quíet around the VIP (VeriSign Identity Protection) solution. I have played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn’t see much of VIP (and didn’t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it “triple-sec” given that three different factors are used – the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.

VeriSign VIP Accessfor Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, a strong authentication can be achieved that way for TriCipher’s MyOneLogin service which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.

The VIP support is offered for free for Google Apps Premier customers – as long as they use the strong authentication only for Google Apps Premier. If they’s like to extend this to other apps, it’s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require an relatively easy strong authentication solution. For sure you’d have to accept that you need your mobile phone in addition but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.

Besides the fact, that the “for free” doesn’t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers which further rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. With other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth to have a look at.

To learn more about what’s going on in the “cloud”: Attend the Kuppinger Cole Cloud 09 conference, December 2nd-4th, Munich.

The quest for the grail: Identity Providers in the cloud

06.05.2008 by Martin Kuppinger

These days I have had a briefing with John De Santis, Chairman and CEO of TriCipher, about the new myOneLogin service. This service provides strong authentication and Single Sign-On for SaaS applications, supporting many SaaS apps as well as features like SAML-based federation to the few SaaS providers which are already at that level.

One of the things John mentioned was that has allowed Google to be the authoritative source of identity assertion. In that relationship, Google is acting as identity provider. Besides the question whether Google is the best choice to trust on that leads to another question: There is no established identity provider in the so called “cloud” [By the way: Has the term “cloud” been chosen because everything out there is a bit “cloudy” in the sense of “fuzzy”?].

Read the rest of this entry »

Virtual Corporate Business Cards

27.04.2008 by Martin Kuppinger

Yes, I know – it is a little redundant talking about “corporate” and “business” in the context of virtual cards. But it is one of the most obvious, interesting and feasible business cases around Identity 2.0.

What do I mean by that term? My idea is about applying the ideas of Identity 2.0 and especially of InfoCard to the business. Provide every employee with an InfoCard or even some of them and you are better suited to solve many of today’s open issues.

How to issue these cards

I have this in mind for a pretty long time. I remember that I had asked Don Schmidt from Microsoft about the interface between Active Directory and CardSpace some time before EIC 2007. Active Directory might be one source of these cards. Just provide an interface between AD and an Identity Provider for InfoCards and you are able to issue and manage these cards based on information which still exits in the Active Directory. For sure, any other corporate directory or meta directory might work as well.

Today these technical interfaces are still missing, at least in an easy-to-use implementations. But it won’t take that long until we will see them. Thus, it is time to start thinking about the use cases.

How to use these cards

There are at least three types of cards I have in mind:

  • Virtual business cards: They are used when someone represents his company. How do you ensure today that every employee provides current and correct information when he registers with other web sites? How do you ensure that he acts in the web like you expect him to do? How do you ensure that he enters the correct title or the correct information about the size of your business when registering? InfoCards are the counterpart to your paper-based business cards today, but they can contain more information. And there might be different ones for different purposes.
  • Virtual corporate cards: They are used for B2B transactions and interactions. Add information like business roles to the cards and you can provide all these claims or assertions which are required for B2B business. These cards can be an important element in Federation, providing current information on the role of an employee or other data required. For sure there can be as well several cards, depending on the details which are required for interaction with different types of business partners.
  • Virtual employee cards: They are used internally, for example to identify users in business processes. Again, there might be a lot of information on them, like current business roles. You might use them as well to improve internal order processes, identifying the users who request new PCs, paper, or what ever else.

With these three types I might even have to extend the name for the cards, I assume. But I will stick with the term I have in the title of this post. The interesting aspect is the flexibility which (managed) InfoCards provide and the ability to manage them in context with a leading directory you have.

Due to the fact that you are the Identity Provider when applying these concepts you can ensure that no one uses these cards after leaving the company. You can ensure as well that the data is always up-to-date. That’s by far easier than with some of today’s equivalents for these future type of cards.

I will blog these days about two other ideas I have in mind in this context: The way the concept of claims Microsoft’s Kim Cameron is evangelizing will affect end-to-end security in business processes and SOA applications in general and the idea of using InfoCards for all these personalization and profiling ideas which have been discussed many years ago. I’m convinced that Identity 2.0 concepts like InfoCards and claims are a key element to solve these threats and bring these things to live.

There is a lot of business value in these concepts. And they will affect the way businesses cooperate, because they are much easier to implement and use than many other approaches.

Why SSO is so popular in these days…

26.10.2007 by Martin Kuppinger

Our upcoming Identity Management market report 2007/2008 shows some interesting results. Not to surprising, at least most of them, but nevertheless pretty interesting. One important information is where the money will be spent next year. For sure there is Identity Provisioning. And, as expected, Role Management is a very important area. Besides these both areas there is Single Sign-On as the third topic on which a lot of money will be spent within the next 12 months. More than 30% of the survey participants will implement SSO, will enhance their implementations significantly or will replace the technology which they use today. Another roundabout 30% will optimize their existing implementations. Less than 30% of the companies won’t spend money on SSO.

The question behind is for the reason why. There are some aspects. SSO helps the users. It eases their lifes with less user names and passwords. SSO makes the user the admin’s friend. Another aspect is compliance. SSO might help in achieving some of the targets of compliance, at least in (the strongly recommended) combination with strong authentication.

It is easier to audit who is allowed to access which applications, who actively uses accounts in which system and who has accessed which system when. Upcoming trends like the integration with events from phyiscal access systems, thus doing the step towards context-based authentication and authorization, enhance the support for compliance requirements.

From my perspective, these two aspects – user friendliness and compliance support – are the most important driving factors for the success of SSO. Besides, SSO is pretty mature, at least the Enterprise SSO solutions which are most common today. But also token-based approaches like the use of Smartcards with certificates and other credentials stored on the tokens shows an increasing maturity, lower costs and a broader availabilty of devices.

Thus, if you haven’t solved your SSO issues until know, start thinking about. But when you think about, don’t remain with an internal solution like Enterprise SSO but think about the future. SSO for your customers through support of OpenID, CardSpace and other technologies shall as well be part of your SSO strategy (look at some of our downloads…) as the role identity federation will play in the next years.

VeriSign Identity Protection – an interesting approach

25.10.2007 by Martin Kuppinger

I still remember some tough discussions I had with eBay in 2004 when we had just started KCP around there missing investments in secure, strong authentication. Interestingly eBay and PayPal are amongst the first now to use VeriSign Identity Protection, abbreviated as VIP. And they start in the German market to roll out this technology.

Basically VIP is sort of a combination of strong authentication with a user-centric identity which can be used with different vendors and other companies in the market. The user requires a token which provides an OTP (one time password) which is used for authentication. Nothing new, so far. But: The VIP network is designed to support multiple partners and it uses only one token. Thus it addresses two of the biggest obstacles of OTPs as a means for strong authentication:

  1. The cost of deploying tokens is shared and thus lower.
  2. The user has one token instead of a collection of tokens from different providers.

I really like this approach because it’s a pragmatic one. And I will, for sure, test my VIP card today with my eBay account. Best of all, the token is in credit card form factor and thus very comfortable to take with me, in contrast to some other token I own.

Combine this approach with OpenID and CardSpace and you end up with a solution which isn’t perfect but far more secure and usable than most of the other approaches in the market. Interestingly I had discussing about that approach with VeriSign some 18 months ago the first time. Seems, that today the market is ripe for it.

© 2015 Martin Kuppinger, KuppingerCole