What will it mean when Windows operating systems reject encryption keys smaller than 1024 bit soon?

10.08.2012 by Martin Kuppinger

Microsoft will soon release an update to its current operating systems (Windows XP and higher; Windows Server 2003 and higher) which will block the use of cryptographic keys that are less than 1024 bits in length. This announcement was made quite a while ago, but most links go to a rather specialized place, the “Windows PKI blog”. And honestly, who besides some geeks is really reading such a blog?

The consequence is that certificates with key lengths of 512 bits will be blocked, leading to error messages. These errors can occur when browsing the web, when trying to enroll certificates, when creating or consuming S/MIME secure eMail, when installing ActiveX controls, or when installing applications. Most things will work smoothly, but some legacy components and applications might fail.

That might cause some trouble in organizations once the update – which clearly makes sense from a security perspective – is deployed. Unfortunately, handling this issue is not that easy. Microsoft’s approach, described in the blog post mentioned above, is not what I’d call straightforward. There is a lot of valuable information on how to deal with the issue, but it requires a lot of administrative work.

However, some vendors like Entrust and Venafi offer solutions to discover the certificates used across your network. Both are tools that provide a sort of “Enterprise Certificate Management” as part of the Enterprise Key Management initiatives you should have running anyway. If you haven’t started such an initiative, it is long past time to do so – EKM/ECM makes a lot of sense for discovering, managing, and protecting all your certificates and keys across the enterprise. At the lower end of the set of available tools, there is the Qualys SSL Labs SSL Server Test, which allows you to run an in-depth analysis of the SSL keys used by publicly available websites. That at least might provide some information for troubleshooting.

The reason behind all this is simple: certificates with a key length of 512 bits have been successfully cracked. This is related to the Flame malware, which is the reason why Microsoft finally decided to block 512-bit keys. Some information about the relationship between Flame and the Microsoft security update can be found in the Microsoft blog post mentioned above.

A question that could be raised is whether 1024-bit key lengths will then be sufficient or whether we will face the next update soon. An important fact is that encryption strength is exponential to the key length, due to the algorithms used. So it is not about just doubling computing power. However, there is some likelihood that we will see larger keys being cracked over time. That requires a lot of knowledge and computing power because no simple algorithm is known yet. There might be one (which would make virtually all of today’s security useless), but most security experts doubt that. So we will have to wait and see. In the meantime, you should try to get a better grip on all the keys and certificates used in your organization – that at least will allow you to react quicker and with less work to the Microsoft update and to future changes in that area.
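The discovery step the post recommends, as an added example that is not part of the original post: a PowerShell script that inventories the certificates in the local Windows stores and the leaf certificate presented by a TLS server, and reports those whose RSA key is shorter than the 1024-bit floor the update enforces. It assumes Windows PowerShell 3.0 or later with the .NET Framework X509 classes; the host name `intranet.example.com` is a placeholder.

```powershell
# Added example (not from the post). Assumes Windows PowerShell 3.0+ with the
# .NET Framework X509 classes; 'intranet.example.com' is a placeholder host name.
$MinimumBits = 1024   # the floor the Windows update described above enforces

function Get-RsaKeyFinding {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$Source
    )
    $algorithm = $Certificate.PublicKey.Oid.FriendlyName   # "RSA" for RSA keys
    $bits = $null
    if ($algorithm -eq 'RSA') {
        # PublicKey.Key wraps the RSA provider; KeySize is the modulus length in bits
        $bits = $Certificate.PublicKey.Key.KeySize
    }
    # RSA keys below the minimum are flagged; other algorithms keep KeyBits empty
    [PSCustomObject]@{
        Source     = $Source
        Subject    = $Certificate.Subject
        Issuer     = $Certificate.Issuer
        Algorithm  = $algorithm
        KeyBits    = $bits
        NotAfter   = $Certificate.NotAfter
        Thumbprint = $Certificate.Thumbprint
        Blocked    = ($algorithm -eq 'RSA' -and $bits -lt $MinimumBits)
    }
}

# 1. Every certificate in the CurrentUser and LocalMachine stores
$local = Get-ChildItem -Path Cert:\ -Recurse |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        Get-RsaKeyFinding -Certificate $_ -Source ($_.PSParentPath -replace '^.*::', '')
    }

# 2. The leaf certificate a TLS server presents (what a browser would hit)
function Get-ServerCertificateFinding {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any chain here: the goal is to inspect the key, not to trust it
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Get-RsaKeyFinding -Certificate $leaf -Source "tls://${HostName}:$Port"
        $ssl.Close()
    } finally {
        $client.Close()
    }
}

$remote = Get-ServerCertificateFinding -HostName 'intranet.example.com'

# Report only what the update will reject, weakest keys first
@($local) + @($remote) |
    Where-Object { $_.Blocked } |
    Sort-Object KeyBits, Subject |
    Format-Table Source, Subject, KeyBits, NotAfter, Thumbprint -AutoSize
```

Run it under an account that can read the LocalMachine stores; the remote check only looks at the leaf certificate, so run it against each internal web server separately.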


EIC 2012 – some take-aways

23.04.2012 by Martin Kuppinger

EIC 2012, the European Identity and Cloud Conference, is history now. We had a week fully packed with a lot of great keynotes, sessions, panels, and workshops. For me, it definitely was the year in which the EIC was most influential to my own thinking. The reason for that was simply that we had a lot of very good panels and other types of sessions related to some research we published around EIC or are currently working on. The three key topics were:

  • The KuppingerCole IT Paradigm, which we have described as a model for developing IT infrastructures and organization in a way that makes them fit for the large changes we are facing, like Cloud Computing, the impact of Mobile Computing, and others.
  • The Open API Economy, a concept which Craig Burton had started writing about quite a while ago and which is fundamentally changing the way service providers, organizations, app providers, and even individuals will work together.
  • Life Management Platforms, a concept which goes well beyond the limited reach of most of today’s Personal Data Stores and Personal Clouds. It will fundamentally affect the way individuals share personal data and thus will greatly influence social networks, CRM (Customer Relationship Management), eGovernment, and many other areas.

These topics are all tightly related. Doing IT with a focus on services and information security allows consuming services much more efficiently. The Open API Economy provides these services and is increasingly successful, with massive growth in available APIs and their use. Life Management Platforms will require organizations to deal differently with services that affect individuals – and individuals will be able to expose their personal data in a privacy-aware and secure way that they never have been able to before.

There are several KuppingerCole reports available around these topics – and we are working on new ones which will be published soon. Some of them will go into more detail. One of the documents will cover the consumer view on the Open API Economy. There will be more scenarios, looking at the impact of the KuppingerCole IT Paradigm for other areas of IT, like Access Governance, Enterprise GRC, or IT Service Management.

There will be research which looks at the changing economics of CRM and the impact Life Management Platforms will have there. There will be other research looking at the very interesting and promising economics of Life Management Platforms. And there will be research looking at how concepts like the Open API Economy and Life Management Platforms are essential to the “real world”, such as making the Connected Car/Vehicle really work.

However, EIC was certainly not only about these new hot topics. An important topic at EIC, more down to earth, was modern architectures for IAM (Identity and Access Management). We’ve had interesting sessions around this topic, including a workshop focusing on whether, when, how and where to migrate legacy identity provisioning systems.

EIC again was a great mix of thought leadership and best practices, with some very interesting and well-attended workshops on Friday. Organization for EIC 2013 Europe has begun. The conference will again be in May (instead of April). The details will be announced soon. But you should block mid-May 2013 now for the next EIC.


The rationales behind the Oracle-Sun deal

28.04.2009 by Martin Kuppinger

The (planned) Oracle/Sun deal has gained a lot of attention. There has been a lot of discussion of the rationales behind it. But most of it didn’t really touch on the point of why Oracle will spend so much money for Sun. Have a look at the rationales:

The hardware?

Not really. Oracle has never been in the hardware business before. That is another type of business. For sure there are some advantages. It is a little easier for Oracle to offer appliances, but they could have done this with standard hardware and some flavour of Linux. For sure, for big shops that might become interesting – highly scalable hardware and the database or application server or a business system. But on the other hand, the overall margins will decrease for these deals. And the aspect that it becomes cheaper for Oracle to equip its own cloud data centers in the future isn’t worth taking the risk of a hardware business.

The Solaris operating system?

As well – a few advantages but no real one. With hardware and a high-level server operating system, Oracle is more competitive with companies like IBM and Oracle, the (from a revenue perspective) real big guys in the industry. And Oracle might even bring some market share back to Solaris by preferring that OS. But overall, there is not that much value in there. Solaris is fine for large cloud data centers, but it is overkill for many appliances. The overall value of obtaining an OS is thus somewhat limited for Oracle.

The IAM and GRC tools?

Even though we are experts around IAM and GRC – that wasn’t the reason behind it. In contrast, that is one of the areas with a huge overlap and thus a lot of potential problems in defining a roadmap and migration paths for existing customers.

The cloud?

Again – not really. There are some advantages in having its own hardware and an operating system for high-scale cloud data centers. But Oracle would have been well able to manage the move towards the cloud without that. And if it were about the cloud, there probably would have been better choices than Sun.

The psychology?

Yes, to some degree. Oracle now really competes with IBM at every level. It has its own operating system. But that is not the real rationale behind the deal, even though that thought might have influenced the decision making.

The market share?

Which market share? Oracle is buying market share, no doubt. They have done this with acquisitions like PeopleSoft, they have done this especially when acquiring BEA. But there is a rationale behind that about which I will talk later.

The Java stack?

No. There are probably more risks than advantages. Improving the stack itself is an investment without direct return. That might improve the position of Oracle in the application server field. But the fact that Sun has “owned” Java and nevertheless hasn’t been the leader in the market for application infrastructures shows that this is not the main reason. Besides this, there might be a sort of trust issue in Oracle owning that stack – Sun has been more trusted in supporting open source than Oracle is. And other companies like IBM and SAP which rely heavily on Java might as well be somewhat disappointed. Oracle is a much more heavyweight competitor for them than Sun has been.

And yes. Oracle will be able to drive some things forward in the stack. Think about an integration of JAAS (Java Authentication and Authorization Service) with Oracle’s concept of SOS (Service Oriented Security). By doing this, Oracle might gain some advantage for their “engines” which provide these services and some tighter integration than others can provide.

The application server?

Yes, to some degree. The market share of what Sun provides around application infrastructures (development tools and so on) is somewhat relevant but not the main reason. But overall there is the question whether Oracle really wants to maintain Glassfish, Fusion, and WebLogic. And for sure Oracle expands its grip on that market.

The expanded lead in application infrastructures?

Here you go. That is the real target of Oracle. That is why they have bought BEA, that is why they have been heavily investing in IAM and other areas of the IT market. For a long time, there have been the operating systems and the business applications as the instruments of power in the IT industry. That is changing, with the business processes and the supporting application infrastructure becoming the new instrument of power. That is the reason why companies like Oracle, SAP and IBM (based on Java) as well as Microsoft (based on the .NET Framework) are heavily competing for that market. The one who is in control of the business process platform has managed to achieve the vendor lock-in – the more specific features of the platform are used, the more lock-in.

That is, from my perspective, the real rationale behind that deal. From that perspective, it is not so much a market share deal as a market power deal. That is the reason why Oracle buys several elements of limited value for Oracle (not of limited value from an overall perspective, for sure!). That is the reason why Oracle again spends a lot of money and takes some risks. Java helps, the market share in the application server market helps. But they are not the key reasons for that decision.

Interestingly, most customers haven’t yet understood what is happening in the IT market from a strategic point of view. Otherwise, they wouldn’t leave platform decisions in the area of IT infrastructure to some developers and architects or, in the best case, the CIO, but would understand them as decisions with a long-term strategic impact on the entire organization.


Liberty Alliance moves to Kantara

20.04.2009 by Martin Kuppinger

Today, Liberty Alliance will move to a new organization named Kantara. That is based on the analysis that security, privacy, and minimal disclosure of end users’ personal information are becoming more and more important. In this area, several initiatives are on their way. The idea of Kantara now is to build an umbrella organization for the entire identity industry and to streamline different initiatives. Liberty Alliance will become a part of that bigger effort.

The interesting question will be: Will Kantara become a big umbrella or a small one? There are several interesting initiatives within the Liberty Alliance today, but there are many initiatives outside of that. There are OASIS standardizations like SPML and SAML, there is the Information Card Foundation (ICF), there are many other activities on different levels up to industry specific standardizations.

Thus Kantara might end up being more of a Liberty Alliance relaunch if they don’t succeed in integrating at least most of the other relevant initiatives. Let’s wait and see…


The effect of the recession on IT security

14.01.2009 by Martin Kuppinger

These days I received a pretty interesting survey compiled by Cyber-Ark, one of the vendors in the market for Privileged Account Management (PAM) or Privileged Identity Management (PIM), as Cyber-Ark calls that market segment. I seldom read such an interesting survey, providing insight into the dark side of many users. The survey, which was carried out amongst 600 workers, mainly from the financial districts of New York, London, and Amsterdam, included some really tough questions. Participants were, for example, asked whether they would try their hardest to gain access to the redundancy lists if rumors about redundancies were on their way. 46% of all participants – and 57% in the US – answered with yes. And 70% of these US employees said that they would use their IT system to snoop around. On the other hand, 71% of the people from the Netherlands answered that they would preemptively download company and competitive information if their job were at risk. Another interesting number: 62% of the US participants and 54% of the ones from the Netherlands said that they find it easy to take sensitive or valuable information out of the company – with eMail and memory sticks being the easiest ways to do that.

Honestly, I’m somewhat surprised about the impressively high numbers of people who would do illegal things – even though I would agree that I’m a cynic sometimes, these numbers were somewhat above my expectations. The really important lesson is that enterprises have to act. They have to act on Identity and Access Management, GRC, Privileged Account Management, Data Leakage Prevention, and Information Rights Management. And they have to act with a combined strategy which focuses on really closing the gaps – not only some of many doors. PAM is a must these days, given that privileged accounts pose the highest risks and most companies don’t really know who has access to some of these accounts. Information Rights Management has to become reality. And Data Leakage Prevention has to be performed in the context of the identities – approaches on which companies like RSA are working these days. It is time to act – especially in these days, because fear and uncertainty are perfect drivers for computer crime.

I really appreciate the survey compiled by Cyber-Ark. For sure they like to spread their message about the importance of PAM. But even if the numbers were significantly smaller, their message would still be true: it is high time to really protect companies’ valuable intellectual property and sensitive information – with a mix of PAM and the other technologies mentioned above.


Some new Kuppinger Cole surveys on IAM

09.01.2009 by Martin Kuppinger

We’ve compiled some questionnaires on different aspects of the IAM and GRC markets and put them online. We’d greatly appreciate your participation in these surveys. Most of the questionnaires are very lean, consisting of 10 to 12 questions – only the IAM market survey 2009 is quite a bit longer.

Two surveys are about the RoI of IAM or, more precisely, of different aspects of IAM. The Identity Administration RoI Survey analyzes the cost of administering Identity Management infrastructures. The IAM Tools RoI survey focuses on the cost of the core tools (mainly directories and provisioning) in IAM environments. Once finalized and analyzed, we will provide free webinars on the results of these surveys.

For those of you capable of reading German, there are two more surveys. The questionnaire of the IAM market survey 2009 is the basis for our annual market report. Whilst this survey focuses mainly on the D-A-CH (Germany, Austria, Switzerland) markets, we will soon release an English version for other markets as well.

Another short survey is about the accepted costs of security (especially hardware tokens). This is in German as well.

Thank you in advance for participating!


CA acquires Eurekify

17.11.2008 by Martin Kuppinger

Another acquisition in the IAM and GRC markets was announced this weekend. CA decided to buy Eurekify, a role management specialist with specific strengths in role mining, based in Israel. That adds to the recent acquisitions in that field, like Sun with Vaau or Oracle with Bridgestream. The CA/Eurekify deal is somewhat special because Eurekify has been more focused on pure role management than Vaau or Bridgestream. Thus, there won’t be much overlap with CA’s current portfolio.

The acquisition proves that CA is willing to invest in the IAM and GRC markets. For some time after the acquisition of Netegrity we hadn’t heard that much from CA – but with the R12 release of their Identity Manager, with its focus on integrating own and acquired technologies, and now the acquisition of Eurekify, CA is definitely back in the game.

From a market perspective, the acquisition is pretty interesting. First of all, the opportunities for other players in the market to be acquired are fewer than before. On the other hand, there are still a few big players which might invest in role management and GRC specialists.

On the other hand, there are some new options for companies which are strong in role mining – like the Swiss IPG AG or the Italian Engiweb. Eurekify had many partnerships with Identity Management vendors. I don’t expect other vendors to stay with Eurekify now that it is part of CA. Thus, some vendors will have to choose new partners from the not that long list of Role Mining and Role Management specialists (or, in the case of Engiweb, vendors that support Role Mining/Management amongst other functionalities).


The identities of core business objects

10.10.2008 by Martin Kuppinger

In our new Roadmap Report Identity Management and GRC 2009, available from Oct 13th 2008, we describe the structured evolution of Identity Management and GRC infrastructures across multiple maturity levels, from basic, administration-focused deployments towards business- and service-oriented implementations.

Within this guideline, I personally think that one of the blocks is particularly interesting. It is about “Identities” (covering the concepts behind them and their storage) and moving forward to a business-controlled IAM. What we have in mind there is in fact the integration of Identity Management with the applications which deal with some of the core business objects – like employees, customers, or suppliers.

These objects play a central role within the business applications. And they are identities. Thus, it is obvious that identity management concepts and technologies can add value by providing a consistent, integrated view of these business objects. From the perspective of business systems, we probably won’t use the term identity management. But we will use the technology.

In the light of such an approach, it becomes clear as well why vendors like SAP, Oracle, and Microsoft are heavily investing in identity management. In approaches where business objects are managed and used in service-oriented applications, the consistency of these objects is a core requirement. The vendors which provide application infrastructures and business applications thus require identity management technologies. You can, for example, expect NetWeaver Identity Management to play a vital role in SAP’s Enterprise SOA approach, with a much tighter integration than you might expect today.

That integration is consistent with the overall tendency of IAM moving from an administrative technology to the business level, with the application integration and business support mentioned above as well as with GRC (and, in consequence, business roles and rules) as the control infrastructure above today’s more or less technical provisioning solutions.


© 2015 Martin Kuppinger, KuppingerCole