English   Deutsch   Русский   中文    

KuppingerCole Blog

The Glorious Return of the Albanian Virus

Sep 23, 2015 by Alexei Balaganski

When I first read about the newly discovered kind of OS X and iOS malware called XcodeGhost, quite frankly, the first thing that came to my mind was: “That’s the Albanian virus!” In case you don’t remember the original reference, here’s what it looks like:

I can vividly imagine a conversation among hackers, which would go like this:

- Why do we have to spend so much effort on planting our malware on user devices? Wouldn’t it be great if someone would do it for us?

- Ha-ha, do you mean the Albanian virus? Wait a second, I’ve got an idea!

Unfortunately, it turns out that the situation isn’t quite that funny and in fact poses a few far-reaching questions regarding the current state of iOS security.

What is XcodeGhost anyway? In short, it’s Apple’s official developer platform Xcode for creating OS X and iOS software, repackaged by yet unknown hackers to include malicious code. Any developer, who would download this installer and use it to compile an iOS app, would automatically include this code into their app, which is then submitted to the App Store and distributed to all users automatically as a usual update. According to Palo Alto Networks, which published a series of reports on XcodeGhost, this malware is able to collect information from mobile devices and send them to a command and control server. It would also try to phish for user’s credentials or steal their passwords from the clipboard.

Still, the most remarkable is that quite a few legitimate and popular iOS apps from well-known developers (mostly based in China) became infected and were successfully published in the App Store. Although it baffles me why a seasoned developer would download Xcode from a file-sharing site instead of getting it for free directly from Apple, the list of victims includes Tencent, creators of the hugely popular app WeChat that has over 600 million users. In total, around 40 apps in the App Store have been found to contain the malicious code. Update: another report by FireEye identifies over 4000 affected apps.

Unfortunately, there is practically nothing that iOS users can do at the moment to prevent this kind of attack. Surely, they should uninstall any of the apps that are known to contain this malicious code, but how many have not yet been discovered? We can also safely assume that other hackers will follow with their own implementations of this new concept or concentrate on attacking other components of the development chain.

Apple’s position on antivirus apps for iOS has been consistent for years: they are unnecessary and create a wrong impression. In fact, none of the apps remaining in the App Store under a name “Antivirus” is actually capable of detecting malware: there are no interfaces in iOS, which would allow them to function. In this regard, user’s safety is entirely in Apple’s hands. Even if they upgrade the App Store to include better malware detection in submitted apps and incorporate stronger integrity checks into Xcode, can we be sure that there will be no new outbreaks of this kind of malware? After several major security bugs like Heartbleed or Poodle in core infrastructures discovered recently (and yes, I do consider Apple Store a critical infrastructure, too), how many more times does the industry have to fall on its face to finally start thinking “security first”?


Cloud Security: IBM not only protects but detects, connects, and responds

Sep 22, 2015 by Martin Kuppinger

With the announcement of the IBM Cloud Security Enforcer, IBM continues its journey towards integrated solutions. What had started a while ago in the IBM Security division with integrating identity and analytical capabilities, both from the former IBM Tivoli division and the CrossIdeas acquisition, as well as from the Q1 Labs acquisition, now reaches a new level with the IBM Cloud Security Enforcer.

IBM combines capabilities such as mobile security management, identity and access management, behavioral analytics, and threat intelligence (X-Force) to build a comprehensive cloud security solution that raises the bar in this market.

Running as a cloud solution, IBM Cloud Security Enforcer can sit between the users and their devices on the one hand and the ever-increasing number of cloud applications in use on the other hand. It integrates with Microsoft Active Directory and other on-premise services for user management. While access of enterprise users can be controlled via common edge components, routing traffic to the cloud service, mobile users can access a mobile proxy (World Wide Mobile Cloud Proxy), including support for VPN connections.

The IBM Cloud Security Enforcer then provides services such as application management, a launchpad and an application catalog, entitlement management and policy enforcement, and a variety of analytical capabilities that focus on risks and current threats. It then can federate out to the cloud services.

Cloud security services are nothing new. There are cloud security gateways; there is Cloud IAM and Cloud SSO; there is increasing support for mobile security in that context; and there are Threat Intelligence solutions. IBM’s approach differs in integrating a variety of capabilities. When looking at the initial release (IBM plans to provide regular updates and extensions in short intervals) of IBM Cloud Security Enforcer, there are several vendors which are stronger in single areas, but IBM’s integrated approach is among the leading-edge solutions. Thus we recommend evaluating that solution when looking at improving cloud security for employees.


Why recertification isn’t sufficient anymore – time to look at user behavior and detect anomalies

Sep 08, 2015 by Martin Kuppinger

Imagine you have well thought-out processes for IAM (Identity and Access Management) that ensure that identities are managed correctly and all the challenges in particular of mover and leaver processes are handled well. Imagine you also have a well-working recertification approach implemented and rolled out to your organization. Are you done? Unfortunately not.

Even when you succeed in implementing the core IAM and IAG (Identity and Access Governance) processes including recertification – and not everyone does so – you still are far from the end of your journey.

Why? Because you at best will know that entitlements are assigned correctly and that you meet the “need to know” principle. Unless your joiner, mover, and leaver processes are really well-implemented, you still might be in a situation where users might have excessive entitlements for e.g. 11 months and 29 days, based on a yearly recertification. Yes, you might shorten that period, but that will not solve the problem – it might be 5 months and 29 days at maximum then, but the basic problem remains. That is a good reason for trying to fix the cause (implementing good IAM processes) instead of the symptoms (recertifying).

Furthermore, you still don’t know whether correctly assigned entitlements are abused. What if your backup operator (who must be entitled for backups) does two backups instead of one? One for the business, one to take it home or somewhere else? What if your front office worker accesses all the customer records he has access to within a short period of time, all data ending up at an USB stick? What if a privileged account is hijacked by an attacker who runs privileged actions?

Knowing that the state is correct is no longer sufficient. We need to understand whether entitlements are used correctly. There is no technology in traditional static access management, i.e. creating accounts, assigning them to groups or roles and thus entitling them, which also limits or audits the use of these entitlements. Logging and SIEM provides a little insight.

However, what we really need are more sophisticated approaches. User Activity Monitoring (from the perspective of monitoring and logging) and User Behavior Analytics (the perspective of analyzing collected data) must move to the center of our attention. We need becoming able in identifying anomalies in user behavior. We need setting up processes to deal with suspicious incidents properly – not blocking the business from what it needs to do, not violating worker’s rights, but mitigating risks.

Technology is there, from privileged threat analytics to user behavior analytics and, beyond identities, Real Time Security Intelligence. Such technology can be implemented in a compliant way, even in countries with strong emphasis on privacy and mighty worker’s councils.

When we really want to mitigate access risks, we have to go beyond traditional approaches and even beyond Access Intelligence. We must become able identifying anomalies in user behavior, not only of administrators but also business users (oh yes, there are fraud management solutions for that available as well – so we are not talking about something entirely new). Time to move to the next level of IAM. From preventing (setting correct entitlements) and detecting (recertification and Access Intelligence) to responding, based on better detection and well thought-out, planned incident handling.

This article has originally appeared in KuppingerCole Analysts' View newsletter.


Adaptive Policy-based Access Management (APAM)

Sep 08, 2015 by Graham Williamson

Attribute-based Access Control (ABAC ) has been with us for many years; it embodies a wide range of systems that control access to protected resources based on attributes of the requesting party. As the field has developed there are three characteristics that are most desirable in an ABAC system:

  • it should externalise decision making i.e. not require applications to maintain their own access control logic
  • it should be adaptive i.e. decisions are made in real-time
  • it should be policy-based i.e. access permissions should be determined based on after evaluation of policies
  • it should be more than just control i.e. user access should “manage” user’s access control.

Most access control environments today are role-based. Users are granted access to applications based on their position within an organisation. For instance, department managers within a company might get access to the HR system for their department. When a new department manager joins the organisation they can be automatically provisioned to the HR system based on their role. Most organisation use Active Directory groups to managed roles within an organisation. If you’re in the “Fire Warden” group you get access to the fire alarm system. One of the problems with role-based systems is the access control decisions are coarse-grained, you’re either a department manager or you’re not. RBAC systems are also quite static, group memberships will typically be updated once a day or, worse still, require manual intervention to add and remove members. Whenever access control depends upon a person to make an entry in a control list, inefficiencies result and errors occur.

Attribute-based systems have several advantages: decisions are externalised to dedicated infrastructure that preforms the policy evaluation. Decisions are more fine-grained: if a user is a department manager an APAM system can also check a user’s department code and so decide, for instance, whether or not to give them access to the Financial Management system. It can check whether or not they are using their registered smartphone; it can determine the time of day, in order to make decisions that reduce the risk associated with an access request. Such systems are usually managed via a set of policies that allow business units to determine, for instance, whether or not they want to allow access from a smartphone, and if they do, to elevate the authorisation level by using a two-factor mechanism. The benefits are obvious: no longer are we dependent upon someone in IT to update an Active Directory group, and more sophisticated decisions are possible. APAM systems are also real-time. As soon as HR updates a person’s position, their permissions are modified. The very next access request will be evaluated against the same policy set but the new attributes will return a different decision.

So what’s holding us back from deploying APAM systems? Firstly, there’s the “if it’s not broken don’t fix it” syndrome that encourages us to put up with less than optimal systems. Another detractor is the requirement for a mature identity management system, since access to attributes is needed. There is also a need to manage policies but often business groups are unwilling to take on the policy management task.

It’s incumbent on C-level management to grapple with these issues. They must set the strategy and implement the requisite change management. If they do, not only will they be reducing the risk profile associated with their access control system, they’ll open up new opportunities. It will be possible to more easily extend business system access to their business partners, and customers, for whom it is unsustainable to populate Active Directory groups.

APAM has much to offer, we just need is a willingness to embrace it.

This article has originally appeared in KuppingerCole Analysts' View newsletter.


Different, better and compliant – Business-orientated Access Governance

Sep 08, 2015 by Matthias Reinwarth

Identity Management and Access Management are on their way into the first line of defence when it comes to enterprise security. With changing architecture paradigms and with the identity of people, things and services being at the core of upcoming security concepts, maintaining identity and Access Governance is getting more and more a key discipline of IT security. This is true for traditional Access Governance within the enterprise and this will become even more true for the digital business and the identities of customers, consumers, partners and devices.

Many organizations have already established Access Governance processes as a toolset for achieving compliance with regulatory requirements and for mitigating access-related risks on a regular basis. Identity and Access Management(IAM) processes accompany every identity through its complete life cycle within an organisation: The management of corporate identities and their access to resources is the combination of both IAM technology and the application of well-defined processes and policies. Traditional ways of adding Access Governance to these processes include the implementation of well-defined access request and approval workflows, the scheduled execution of recertification programs and the analysis of assigned access rights for the violation of the Segregation of Duties (SoD) requirements.

While the initial cause for creating such a program is typically the need for being compliant to regulatory requirements, mature organisations realize that fulfilling such requirements is also a business need and fundamental general benefit. The design and implementation of a well-thought-out dynamic, efficient, flexible and swift identity and access management is the foundation layer for an efficient and proactive Access Governance system.

This requires appropriate concepts for both management processes and entitlement concepts: Lean and efficient roles lead to simplified assignment rules. Intelligent approval processes, including pre-approvals as the default for many entitlements reduce manual approval work and allow for easier certification. Embedding business know-how within the actual entitlement definition allows for the specification of more and more processes in a way that they do no longer require any administrative or business interaction.

Aiming at defining and implementing automatable access assignment and revocation processes in fact reduces the need for various Access Governance processes. Once the processes are designed in a manner that they prevent the assignment of undesirable entitlements to identities and that they make sure that entitlements no longer needed are revoked from identities, they make many checks and controls obsolete. On the other hand, the immediate and automated assignment of entitlements whenever required fulfil business requirements in making people effective and efficient from day one. Subsequent business process changes and thus changes in job descriptions and their required access rights can be propagated automatically without further manual steps.

Applying risk assessments to each individual entitlement is a crucial prerequisite when it comes to analysing assigned access. Once all access is understood regarding its criticality, a risk orientated approach towards recertification (i.e. high-risk entitlements more often and faster) can be chosen and by default time-based assignments of critical entitlements can be enforced.

Well-defined access management and Identity Management life cycle processes can help to ease the burden of the actual Access Governance exercises. Before looking into further, often costly and tedious measures, redesigning and rethinking assignment and revocation processes in an intelligent manner within a lean entitlement model might help in improving efficiency and gaining security.

This article has originally appeared in KuppingerCole Analysts' View newsletter.


Windows 10: new anti-malware features and challenges

Aug 19, 2015 by Alexei Balaganski

Offering Windows 10 as a free upgrade was definitely a smart marketing decision for Microsoft. Everyone is talking about the new Windows and everyone is eager to try it. Many of my friends and colleagues have already installed it, so I didn’t hesitate long myself and upgraded my desktop and laptop at the first opportunity.

Overall, the upgrade experience has been quite smooth. I’m still not sure whether I find all visual changes in Windows 10 positive, but hey, nothing beats free beer! I also realize that much more has been changed “under the hood”; including numerous security features Microsoft has promised to deliver in their new operating system. Some of those features (like built-in Information Rights Management functions or support for FIDO Alliance specifications for strong authentication) many consumers will probably not notice for a long time if ever, so that’s a topic for another blog post. There are several things however, which everyone will face immediately after upgrading, and not everyone will be happy with the way they are.

The most prominent consumer-facing security change in Windows 10 is probably Microsoft’s new browser – Microsoft Edge. Developed as a replacement for aging Internet Explorer, it contains several new productivity features, but also eliminates quite a few legacy technologies (like ActiveX, browser toolbars or VB Script), which were a constant source of multiple vulnerabilities. Just by switching to Edge from Internet Explorer, users are automatically protected from several major malware vectors. It does, however, include built-in PDF and Flash plugins, so it’s potentially still vulnerable to the two biggest known web security risks. It is possible to disable Flash Player under “Advanced settings” in the Edge app, which I would definitely recommend. Unfortunately, after upgrading, Windows changes your default browser to Edge, so make sure you change it back to your favorite one, like Chrome or Firefox.

Another major change that in theory should greatly improve Windows security is the new Update service. In Windows 10, users can no longer choose which updates to download – everything is installed automatically. Although this will greatly reduce the window of opportunity for an attacker to exploit a known vulnerability, an unfortunate side effect of this is that sometimes your computer will be rebooted automatically when you’re away from it. To prevent this, you must choose “Notify to schedule restart” under advanced update options – this way you’ll at least be able to choose a more appropriate time for a reboot. Another potential problem are traffic charges: if you’re connecting to the Internet over a mobile hotspot, updates can quickly eat away your monthly traffic limit. To prevent this, you should mark that connection as “metered” under “Advanced options” in the network settings.

Windows Defender, which is the built-in antivirus program already included in earlier Windows versions, has been updated in a similar way: in Windows 10, users can no longer disable it with standard controls. After 15 minutes of inactivity, antivirus protection will be re-enabled automatically. Naturally, this greatly improves anti-malware protection for users not having a third party antivirus program installed, but quite many users are unhappy with this kind of “totalitarianism”, so the Internet is full of recipes on how to block the program completely. Needless to say, this is not recommended for most users, and the only proper way of disabling Windows Defender is installing a third party product that provides better anti-malware protection. A popular site AV Comparatives maintains a list of security products compatible with Windows 10.

Since most anti-malware products utilize various low level OS interfaces to operate securely, they are known to be affected the most by the Windows upgrade procedure. Some will be silently uninstalled during the upgrade, others will simply stop working. Sometimes, an active antivirus may even block the upgrade process or cause cryptic error messages. It is therefore important to uninstall anti-malware products before the upgrade and reinstall them afterwards (provided, of course, that they are known to be compatible with the new Windows, otherwise now would be a great time to update or switch your antivirus). This will ensure that the upgrade will be smooth and won’t leave your computer unprotected. 


Windows 10: Finally - Stronger Authentication

Aug 18, 2015 by Matthias Reinwarth

Windows 10 comes with the promise of changing computing from ground up. While this might be marketing speak in many aspects that might be true for one central aspect of daily computing life: secure user authentication for the operating system, but also for websites and services.

Microsoft goes beyond the traditional username and password paradigm and moves towards strong authentication mechanisms. While traditionally this was only possible with having costly additional hardware, infrastructure and processes available, e.g. smartcards, Microsoft does it differently now.

So, although the comparison might be difficult for some readers: improving security by implementing all necessary mechanisms within the underlying system is quite similar to what Apple did when they introduced secure fingerprint authentication with the recent models of the iPhone and the iPad, beginning with the iPhone 5S (in comparison to ridiculously inadequate implementations within several android phones as made public just recently).

The mechanism called "Windows Hello" supports various authentication scenarios. So with Windows 10 being an operating system designed to run across a variety of devices, Microsoft is going for multifactor authentication beyond passwords for authentication purposes for mobile phones, for tablets, mobile computers, the traditional desktop and more flavors of devices. One factor can be a device itself and can be enrolled (by associating an asymmetric key pair) to be part of a user authentication process.

The account settings dialog offers new and additional mechanisms for identifying valid users: User authentication with user name and password can be augmented by alternative authentication scenarios using PINs or gestures.

While passwords are typically used globally across all devices, PINs and gestures are specific to a single device and cannot be used in any other scenario.

Picture authentication records three gestures executed with any pointing device (e.g. stylus, finger, mouse) on any desired image (preferably cats, as this is the internet). Reproducing them appropriately logs you into the specific Windows 10 system without the need of typing in a password.

Actually, the combination of your device (something you have) plus PIN or gesture (something you know) can be considered as two-factor authentication for access to your data, e.g. in the OneDrive cloud service.

Other factors deployed for authentication include biometrics like the fingerprint scan, whenever a fingerprint sensor is available or a retina scan when a capable camera is available. Finally, "Windows Hello" adds facial recognition to the login process, although this might be scary for several users to have a camera scanning the room (which of course is nothing new for Xbox users deploying Kinect having their living room scanned all day) while the login screen is active. The requirement for deploying cameras that are able to detect whether it is a real person in 3-D or just the picture avoids simple cheating scenarios.

Once authenticated a user can access a variety of resources by deploying the Microsoft Passport mechanism which deploys asymmetric keys for accessing services and websites securely. A user successfully authenticated towards Microsoft Passport through Microsoft Hello will be able to access information securely by applications acting upon his behalf deploying the necessary APIs. This brings asymmetric key cryptography to different types of end-users, ranging from business users to home users and mobile phone users alike. Depending on the deployment scenario the user Data is then stored within the corporate Microsoft Active Directory infrastructure of the individual organisation, within Microsoft Azure Active Directory for cloud deployments, or -for the home user- within the associated Microsoft Live account, e.g. at Outlook.com.

While Microsoft has been contributing to the standardisation of the FIDO (Fast IDentity Online) protocols for quite some time now, Windows 10 finally claims to come with support for the current versions of the final protocol specifications. This will allow Windows 10 users to connect securely and reliably to Internet sites providing services based on the FIDO standards, especially to prevent man in the middle attacks and phishing scenarios. As of now the FIDO standard implementations were relying on the support from e.g. browser providers like Firefox or Chrome. Support for the FIDO standards built into the Windows 10 operating system might give the standards an enormous boost and allow for a win-win situation for security and the OS.

Windows 10 is now in its early weeks of deployment in the field. It will be interesting to see whether the new authentication mechanisms will be broadly understood as a real game changer for securing identity information and providing stronger authentication. Any appropriately secure way allowing to get rid of password authentication is a chance to improve overall user security and to protect identity data and every connected transaction. So each and every Windows 10 user should be encouraged to deploy the new authentication mechanisms ranging from biometrics to PINs and gestures and to the deployment of the Fido standards through the Microsoft Passport framework. Why not at least once use Windows and be a forerunner in security and privacy?


Windows 10: How to Ensure a Secure and Private Experience

Aug 13, 2015 by Mike Small

Together with many others I received an offer from Microsoft to upgrade my Windows 7 desktop and Windows 8.1 laptop to Windows 10. Here is my initial reaction to successfully performing this upgrade with a specific focus on the areas of privacy and security.

As always when considering security the first and most important step is to understand what your requirements are. In my case – I have several computers and I mainly use these with Microsoft Office, to use the internet for research and to store personal ‘photos. My main requirements are for consistency and synchronization across these systems together with security and reliability. The critical dimensions that I considered are privacy, confidentiality, integrity and availability. Let’s start with availability:


  1. Make sure you back up your files before you start the upgrade! My files were preserved without problems but it is better to be safe than sorry. It is also a good idea to understand how you could roll back if there is a catastrophic failure during the upgrade. One really big improvement over Windows 8 is the ability to restore files from a Windows 7 backup.
  2. Check that your computer is compatible with the upgrade. The Microsoft upgrade tool checks your computer for compatibility and some manufacturers provide information on which systems they have tested. The Dell support site informed me that my new laptop was tested but my old desktop wasn’t. However both upgraded without problems, but I did need to re-install some software – for my HP printer.
  3. Consider whether you want new features as soon as they are available (with the risk that they may cause problems). The default setting for updates is for these to be automatically installed. You can change this through the advanced setting menu by checking the box to defer upgrades. You will still receive security fixes but new features will be delayed.

  4. Windows 10 has a number of recovery options – you can roll back to your previous OS for up to 30 days after the upgrade as well as performing a complete reset. 


  1. Windows 10 automatically includes Windows Defender for protection – make sure this is activated. If you prefer another anti-malware product you will need to install this yourself.
  2. If you already use OneDrive then you will notice some changes. Previous versions of the OneDrive App supported a placeholder function that allowed File Explorer to display files that were held online but not sync’d onto your PC. This is no longer available; any directories that are not sync’d are not visible through file explorer. I experienced sync problems with files that were previously held online only. I was able to resolve this using the OneDrive Setting menu – first uncheck the folder(s) and save the settings. The folders and files are then erased on your device (scary!). Then repeat the process but this time check the folders for sync in the menu. When you save these settings the files in the folders are re-synced from the cloud. 


  1. The user accounts are copied from your previous OS – if these were all local accounts then they remain so. If you have a Microsoft account than you can link this with one of these local accounts. Doing this allows you to use a PIN instead of a password to log-in.
  2. If you are using Office 365 you will already have a Microsoft Account, you can also set up a free account which provides some free OneDrive space. However if you use the Microsoft account it is a good idea to understand and manage your privacy settings.
  3. The files in OneDrive are all held in the Microsoft cloud and you need to accept the risk that this poses bearing in mind that most breaches result from weak user credentials.
  4. If you are using BitLocker to encrypt your files then the encryption key will also be held on your OneDrive unless you opt out. 


  1. You should review the privacy setting from the Express setup and decide what to change. 

    A future blog will provide more detailed advice on what these mean and how best to set things up. My short advice is to go through these settings carefully and chose which Apps you are happy to allow to access the various functions. In particular I would disable the App Connector since this gives access to unknown apps. I would also not allow Apps to access my name, picture and other info – but then I’m just paranoid.
  2. You also need to consider the privacy setting for the new Edge browser. These are to be found under “Advanced Settings”. Consider whether you really need Flash enabled since this has been a frequent target for attacks. Also consider enabling the “Do not Track Requests Button”.

  3. If you decide to use Cortana – this may involve setting region, language and downloading language pack – make sure you check out the privacy agreement:

My personal experience with this upgrade has been very positive. The upgrades went smoothly and the performance especially the boot up time for my old Desktop is much faster than with windows 7. The settings are now much more understandable and accessible but you need to take the time to review the defaults to achieve your objectives for privacy and confidentiality. KuppingerCole plan a series of future blogs that will give more detailed guidance on how to do this.


Trust, security and business benefit – Consumer identities done right

Aug 04, 2015 by Matthias Reinwarth

The Digital Transformation is a game changer for many traditional organisations and a business enabler for many new trading companies and service providers in the digital world. When dealing with consumers and customers directly the most important asset for any forward-thinking organisation is the data provided and collected for these new type of identities. The appropriate management of consumer identities is of utmost importance.

Handing over personal data to a commercial organisation the consumer typically does this with two contrasting expectations. On the one hand the consumer wants to benefit from the organisation as a contract partner for goods or services. This should be as efficient as possible at a sophisticating level of user experience. Customer-facing organizations get into direct contact with their customers today as they are accessing their products and services through various channels and deploying various types of devices. It is essential to know the relevant attributes of that customer at the right time. The reasons for this are obvious: An improved user experience leads to customer satisfaction and thus to returning customers. User self-service leads to high effectiveness and cost-efficiency while speeding up processes.

Selecting the right items of information and a proper understanding of the quality and reliability of that data are essential management tasks. Customer identities are the result of the ongoing consolidation of data from various sources, including initial registration information, payment data, search requests, purchase history or helpdesk interaction. Consumers use various devices to access required services and they use different accounts in different contexts. Data gathered from external sources can be outdated, partially inaccurate or even deliberately wrong or misleading, especially when collected from social media. Business-relevant information is a superset of several types of information, including business-internal information, which has to be consolidated and assessed well.

On the other hand, the act of providing personal information to a commercial organisation will only be possible when the consumer can expect the required level of trustworthiness and security being applied to personal data. Trust is essential and losing this trust will inevitably endanger the business model and thus threaten the existence of an enterprise. This has been made evident by the high number of recent, massive data breaches. And losing trust into e.g. an online picture printing service or the payment card service provider potentially corrupts trust into many types of online services.

The key challenge is finding the right balance between collecting and consolidating all business-relevant data for the benefit of the consumer and the organization itself, while acting as a trusted custodian of data the consumer has entrusted the organization with. When aiming at long-term sustainable customer relationships it is mandatory to integrate the proper handling of collected, personal data into all business processes, while being compliant to regulatory requirements and data protection laws. This has to be accompanied by a continuous review and improvement process as security and compliance are evolving processes themselves.

This article has originally appeared in KuppingerCole Analysts' View newsletter.


Making Use of Consumer Identities

Aug 04, 2015 by David Goodman

Companies across multiple vertical sectors are encountering challenges and opportunities that are shaping the future direction of consumer identity-centric business. Faced with the erosion of revenues from the rapid encroachment of challengers into their traditional market strongholds, many companies are realising that data represents their most significant asset to provide added value to their customers in the future. Key to this transformation will be how companies manage users’ digital identity data better and position themselves as secure identity brokers/providers in a highly competitive market. The enterprise’s data sources are as diverse as billing and payments, the CRM database, web portals, social media and customer services which can then be translated with good analytics into improving the customer experience and relationship as a whole. The most transparent business opportunities are driven by insights based on user behaviour which when connected to business processes can drive actions. When automated and real-time, decision-making becomes quicker and more efficient.

For most businesses, leveraging consumer identity profiles was not seen as a value added service or a revenue generator. But it’s recommended for that to change by:

  • Exploring ways in which to refresh or cement relationships with customers by reaching out and offering new identity-based services.
  • Collating and analysing the data that exists across customer-related databases to provide comprehensive profiles that can be shared with users.
  • Working with regulators to benefit from the new EU legislation on electronic identities, authentication services and data protection that will be mandatory in 2018: those companies that embrace the changes early can turn the regulation to their advantage.

Until recently most users were oblivious to the personal information held by the public and private sectors, which when collated through sophisticated analytics offered comprehensive and often revealing profiles. Or at least they were. With the recent revelations on data breaches, users everywhere are very concerned about the security and the privacy of their online identity personas. The Snowden revelations inter alia have revealed the susceptibility of the records kept by governments as well as the private sector. It is only a matter of time before all organisations’ data handling comes under scrutiny, added to which the EU is bringing in legislation to harmonise how data is handled by all companies operating in Europe.

Today it’s clear that being a formal identity provider would not even cover the necessary infrastructure costs. But, given the revenue shrinkage elsewhere and the fickleness of customer loyalty, with cheaper alternatives emerging to providing key products and services, this is an ideal time for more companies to step forward and embrace the emerging requirements of digital identity management.

All industries are going to be affected by the legislative changes in digital identities, trust services, privacy and data protection that are coming to both the public and private sectors in Europe. Many businesses may consider becoming identity service providers as a luxury rather than a necessity to remain in business and succeed, but, if the opportunity is taken, the results could well turn out to exceed expectations.

This article has originally appeared in KuppingerCole Analysts' View newsletter.


KuppingerCole Blog
KuppingerCole Select
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live training sessions.
Register now
IAM 3.0/4.0
With changing architecture paradigms and with the identity of people, things and services being at the core of upcoming security concepts, maintaining identity and Access Governance is getting more and more a key discipline of IT security.
KuppingerCole Services
KuppingerCole offers clients a wide range of reports, consulting options and events enabling aimed at providing companies and organizations with a clear understanding of both technology and markets.
 KuppingerCole News

 KuppingerCole on Facebook

 KuppingerCole on Twitter

 KuppingerCole on Google+

 KuppingerCole on YouTube

 KuppingerCole at LinkedIn

 Our group at LinkedIn

 Our group at Xing
Imprint       General Terms and Conditions       Terms of Use       Privacy policy
© 2003-2015 KuppingerCole