KuppingerCole Blog

Decentralized Identity 101: What It Is and Why It Matters

Guest Author: Vinny Lingham, CEO, Civic Technologies

Bitcoin. Blockchain. Crypto. Decentralization. Tokens. A lot of buzzwords have emerged alongside the rise of blockchain technology. Yet, there is often a lack of context about what those terms actually mean and the impact they will have.

Decentralized identity re-envisions the way people share access, control, and share their personal information. It gives people power back over their identity.

Current identity challenges all tie back to the way we collect and store data. The world has evolved from floppy disks to the Cloud, but now, every single time that data is collected, processed, or stored, security and privacy concerns emerge. With the rise of the digital economy, consumers have unintentionally turned banks, governments, and stores into identity management organizations, responsible for the storage and protection of an unprecedented amount of personal data. Unfortunately, as recent hacks have shown, not all of them were ready to deal with this new role.

Decentralized identity puts that power and responsibility back in the hands of the individual, giving them the ability to control and protection their own personal information. This concept is made possible by the decentralized nature of blockchain and the trust created by consensus algorithms.

How Blockchain Creates Trust

The most prominent blockchain application to date is Bitcoin, a technology that emerged following the U.S. financial crisis of 2008 when trust in institutions was at an all-time low. Blockchain technology, specifically the public blockchain, has several unique characteristics that solve problems of trust and make it a great fit for identity solutions.

First, blockchain is immutable, or unchangeable. Blockchain transactions are processed by a network. Computers work together to confirm a transaction, and every computer in the network must eventually confirm every transaction in the chain. These transactions are processed in blocks, and each block is linked to the preceding block. This structure makes it reasonably impossible to go back and alter a transaction. Additionally, blockchain is transparent. Every computer in the network has a record of every transaction that occurred.

Decentralization is the essence of blockchain: no one party control the data, so there is no single point of failure or someone who can override a transaction. Second, it is reasonably impossible to alter blockchain transactions. And this is how blockchain builds trust: when data cannot be modified and is independently verifiable, it can be trusted.

How Blockchain Helps Decentralized Identity

Currently, there is a presumption that knowledge of information is identity. If a person knows a social security number or password, they are presumed to be the person who that information represents. And if a person knows your personal information, they can impersonate you.

Using blockchain technology to decentralize identity is about digital validation and keys. For example, a digital wallet with cryptographic keys that cannot be recreated. You must have physical access to a device to validate identity. With a decentralized identity system, a remote hacker might have access to pieces of personal information but being able to prove an actual identity would require physical possession of that person’s device. Decentralized identity is literally putting the power back in the hands of the people.

Why It Matters

In 2017, Equifax became one of the worst data breaches in corporate history, exposing personal information of over 147 million people, including Social Security numbers, dates of birth, home addresses, driver’s license numbers, and credit card numbers.

In 2018, the Cambridge Analytica scandal about user data misuse has continued to unfold, as the F.B.I and Justice Department are investigating Facebook for failing to safeguard 87 million user profiles.

Equifax and Cambridge Analytica are two prime examples of how current systems for sharing and storing personal information have proven to be not as safe, secure, or trustworthy as previously thought.

And everyone feels this impact.

Governments are implementing more stringent laws and regulations for consumer protection. In May, the General Data Protection Regulation (GDPR), a standard for data collection and storage, went into effect. In July, California passed the California Consumer Protection Act enacting similar standards. And this is probably the first in a wave of consumer protection and privacy policies that will come to life.

Consumers are concerned as well. In a recent Deloitte study, 81 percent of U.S. respondents feel they have lost control over the way their personal data are collected and used. 

The ability to prove you are who you say you are is critical to engaging with the world and being a part of the economy. Decentralized identity gives that control back to people. 

Get to know more about Blockchain and listen to my Keynote "Practical Examples of Decentralized ID's in the Real World" at the Consumer Identity World USA in Seattle in September.

For a deep dive into the Blockchain topic please find the following blog posts:

Entrust Datacard Acquisition

Entrust Datacardfounded in 1969 and headquartered in Minnesota, announced today that it is making a strategic investment in CensorNet and acquiring the SMS Passcode business from CensorNet (originally a Danish company). Entrust Datacard is a strong brand in IAM, with card and certificate issuance, and financial and government sector business. 

CensorNet was founded in 2007 in the UK. Their original product was a secure web gateway. It now includes multi-mode in-line and API-based CASB service. It also has an email security service, which utilizes machine learning algorithms to scan email looking for potential malicious payloadsEntrust Datacard already has substantial capabilities in the adaptive and multi-factor authentication areas, and the SMS Passcode product line will add to that. With this investment and acquisition, Entrust Datacard plans to move beyond digital transformation to realize continuous authentication and enhance its e-government offerings. 

The results of the acquisition will be reflected in product roadmaps, likely starting in 2019. Entrust Datacard products and services will continue to handle initial authentication, and CensorNet’s capabilities will be able to add user activity monitoring through the CASB piece. The integration of identity-linked event data from CensorNet CASB will help security analysts to know, for example, which files users are moving around, and who and what are users emailing. This functionality will help administrators reduce the possibility of fraud and data loss.  

Broadcom acquires CA Technologies in a ‘Broadest’ ever shift of acquisition strategy

Broadcom, after having denied the acquisition of Qualcomm earlier this year by Trump administration based on national security concerns, has decided to acquire CA Technologies showing one of the greatest shifts in an acquisition strategy from a semiconductor business to an IT Software and Solutions business. The proposed Qualcomm acquisition by once Singapore-based Broadcom had the likelihood of several 5G patents passing beyond US control. 

The CA Technologies acquisition still gets over 1200 patents and mission-critical software deployments by CA Technologies at US Govt sites in the hands of Broadcom, and yet appears getting a green signal from the Trump administration. Negating the basics of acquisition with absolutely no or very little commercial synergies, the Broadcom’s objective to acquire ‘established mission-critical technology businesses’ is fully satisfied by this move which could be considered one of the most ambitious acquisitions of this size and scale in the recent times. Not to forget the Intel’s acquisition of McAfee which didn’t work well for the company due to little synergies between McAfee’s endpoint protection business and Intel’s core hardware strategy, finally resulted into a divestment of McAfee after seven years of rough marriage. 

CA Technologies itself is built on a series of smaller acquisitions done in almost every segment of IT software – ranging from IT operations management, application performance, mainframes, DevOps, IT security and automation to analytics. CA Technologies has, however, had a good overall success rate of driving product and roadmap integrations to achieve expected synergies out of the acquisitions done in the pastBroadcom must consider using some of the CA management’s expertise gathered over a decade and more to drive this acquisition towards a successful business integration. There’s no similar business unit at Broadcom that delivers IT software or services, which should make it even easier for CA Technologies to continue operating under the larger shed without the need to make any immediate shift to operating strategy. 

The dissimilarity of businesses and customer-base would only offer limited cross-sell opportunities arising from this acquisition in short to mid-term. However, CA Technologies’ recurring profitable bookings are guaranteed to bring stability by the increased future cash flow for Broadcom in the short term to accommodate for the expected fluctuations to its business due to the uncertainties arising from the recent (though still proposed and under review) US trade tariffs against semiconductor goods manufactured in China. 

Besides mainframes which remain majority revenue stream, and some other areas such as IT project & portfolio management, CA Technology has invested significantly in building its IT Security portfolio over the last decade, starting with NetegrityIDFocusEurekifyArcot, Layer 7, XceediumIdMLogic and Veracode – all within the Identity and Access Management (IAM) domain alone. CA’s aggressive acquisition strategy has kept innovation out of the company’s door for a long time and now with the Broadcom’s acquisition of CA Technologies there’s little hope that innovation will be the key to revenue generation for the new entity anytime in near future. With numerous acquisitions, CA’s Identity and Access Management portfolio has taken a bumpy ride over the past decade but despite all the challenges and long-term ramificationsits excellent IAM product and engineering team has ensured a seamless absorption of acquired products into its IAM and broader security software portfolio.  

While the uncertainties will continue to loom over its acquisition objectives and alignment of synergies for some more timeit will be interesting to see how Broadcom would decide to nurture CA’s enterprise software and services business and where would that lead its still very well-positioned IAM product line. 

BOMGAR acquires Avecto to expand its PAM portfolio

BOMGAR, owned by PE firm Francisco Partners has recently announced that it has acquired Avecto, a UK based Endpoint Privilege Management (EPM) company. The move coming within 6 months of Lieberman Software’s acquisition by BOMGAR clearly depicts the quest to strengthen its position in the PAM market by offering a full-featured PAM suite.

Originally a provider of ‘remote support’ solutions, BOMGAR offered remote session management capabilities in the market for a while until it acquired Argentina based Pitbull Software in late 2015 to enter the PAM market with its password management technology. Since then BOMGAR has been on an acquisition spree to expand its portfolio of PAM technologies to compete more effectively against the market leaders.

Avecto has been a market leader in the niche market of Endpoint Privilege Management (EPM). Its flagship product Avecto Defendpoint offers capabilities to manage threats associated with local administrative rights on windows and mac endpoints by offering controlled and monitored escalation of admin privileges. Avecto Defendpoint also offers effective application whitelisting and sandboxing capabilities for enhanced endpoint protection which has positioned it uniquely in the market with almost twice the number of managed endpoints than its closest competitor. For a couple of years before acquiring Viewfinity in late 2015, CyberArk embedded Defendpoint as a technology licensed through an OEM agreement with Avecto to sell a more complete PAM solution in the market for its customers and compete against then leading EPM product BeyondTrust PB for Windows.

Endpoint Privilege Management (EPM) has become one of the fastest growing sub-segments of PAM market, closing in on approximately 28% YoY growth. With EPM capabilities, PAM solutions are poised to offer effective second-in-line defense mechanism for endpoint threat protection in coming years. The increased demand of better EPM capabilities embedded in PAM solutions has led many market leading vendors to acquire or develop their own EPM capabilities in the recent past. CyberArk, for example, acquired Viewfinity and Thycotic acquired Arellia in recent years to bring EPM capabilities in their PAM portfolios.

At KuppingerCole, we define EPM solutions to primarily offer three distinct technologies:

  1. Application Control: This allows organizations to control what applications can be allowed to run on an endpoint. This is usually achieved through application whitelisting in which only known good applications are placed on the pre-approved list and allowed to run. Application control provides effective protection against shadow IT challenges for most organizations.
  2. Sandboxing: This technology uses the approach to isolate the execution of unknown applications or programs by restricting the resources they can access (for eg., files, registries etc.). This technology, also known as application isolation, provides an effective protection against cyberattacks by confining the execution of malicious programs and limiting their means to cause the harm.
  3. Privilege Management: This technology encompasses user and application privilege management. For user privileged management, it deals with controlled and monitored elevation to local admin privileges. Application privilege management deals with exception or policy-based elevation of administrative rights for known and approved applications to execute successfully.

Avecto DefendPoint offers a good mix of these EPM technologies in the market to provide effective endpoint protection against a range of cyber threats. The acquisition of these EPM capabilities make a natural fit for BOMGAR offering great cross-sell opportunities in the short to mid-term. While their integration under a common PAM platform should begin soon, no immediate changes are expected to either product lines. In the short term, Avecto will continue to operate under the rebranded entity as Avecto, a BOMGAR company until its fully integrated into BOMGAR organization through the remainder of 2018.

The BOMGAR’s approach to obtain additional PAM capabilities through acquisitions is expected to bring rapid growth and deliver quick synergies but is also accompanied by the risks of integration failures and long-term effects of dampened organic growth. No doubt, the Lieberman Software’s and now Avecto’s acquisition places BOMGAR on the list of top 5 PAM vendors by revenue but not necessarily on the list of market leaders for technology innovation. As the PAM market continues to evolve, consolidation is inevitable, however, a stronger focus of vendors on completeness of features as compared to innovation in order to compete can stiffen the healthy market growth by failing to deliver on opportunities created by innovation.

While a clear integration roadmap for Lieberman Software was still awaited, the acquisition of Avecto adds to the growing pipeline of product and engineering teams to develop an integrated PAM platform to realize the essentials of these acquisitions. With a good track record of delivering growth and profitability as well as driving operational excellence, we expect BOMGAR to steer clear of any such challenges in the short to mid-term by delivering on the actual synergies created by these acquisitions.

The Digital Transformation and the Role of the CISO

Cybersecurity needs to be at the heart of the digital transformation, but organisational models will have to evolve

Cybersecurity is in the process of becoming an essential component of any organisation’s digital transformation journey. There is no way around this, especially as policymakers start dipping their toes into privacy and security issues, and societal norms are shifting on the topic.
Most new technology layers enabling the digital transformation need to be protected from interference, intrusion, or corruption. This is especially the case across industry sectors seeking to take advantage of the enormous opportunities offered by driverless vehicles and the logistics sector – amongst others - could be unrecognizable in ten years’ time.

New technologies will also generate and feed on massive amounts of data - most of it sensitive or private - that will need to be collected, processed, and safeguarded in a way that is both sensible and ethical. The concepts of security by design and of privacy by design will inevitably become any organisation’s best allies in its innovative endeavours and must be taken seriously by all digital transformation players, especially as the regulatory and social contexts become harder to navigate.
There is no doubt – in our opinion – that organisations which put information security and privacy at the heart of their digital transformation from the start could obtain a real competitive advantage in the mid-to-long run.

As a matter of fact, the recent launch of the General Data Protection Regulation (GDPR) in the EU is changing dramatically the incentives landscape for all businesses active in Europe. In addition to the fines of 4% of the global turnover, firms are now required to report any relevant data breach to the regulator within 72 hours. This will require capabilities of detection, analysis and reaction, which go far beyond the scope of the security teams and will force many corporate stakeholders to work together on those matters (security, IT, legal, DPO teams, senior management etc…). As such, the GDPR could be a painful lesson as to why cybersecurity is necessarily a transversal matter for organisations of all sizes.
Finally, and perhaps most importantly, respect for privacy and the protection of personal data is likely to become a true competitive advantage as our societies become increasingly warry of these issues.

This shift is well illustrated by the first complaints filed under the GDPR framework. Privacy activists such as Max Schrems or the French Quadrature du Net, for example, have already started to drag high-profile tech companies (Facebook, Google, Instagram, etc…) into what could become lengthy legal proceedings. Depending on how the regulators react, this could have deep implications on how data-driven businesses are to operate in Europe.

Increasingly, security and privacy become intertwined, but it makes little sense from a corporate governance perspective to allow a new privacy organisation under a DPO to grow in parallel to – or in conflict with – existing security structures. Synergies are obvious and need to be leveraged, and where security practices are deemed dysfunctional or in need of improvement, this could provide an ideal opportunity.

In fact, it could be the start of a major evolution around corporate perceptions of security and privacy, from burden, annoyance and costs, towards becoming central management functions. But organisational models will have to evolve as a result to accommodate the truly transversal nature of security and privacy matters and carve out a niche for those new corporate functions.

A New Transversal Organisational Model

At this junction, the traditional role of the CISO – heavily influenced by a technical bias, tactically-oriented and project-driven in many firms – could become exposed.
Not in its functional existence – IT security is more essential than ever – but in its corporate prominence. Having failed to project their roles beyond the tactical and technical fields for the best part of the last decade, many CISOs could find themselves pushed down the organisation while CSO and DPO roles take centre stage at the top.

With those new roles should come new people and a new focus, and probably a different way to approach security matters and talk about them.

We could be at the start of an exciting decade for all security professionals.

Learn more about this topic in my session at the Cybersecurity Leadership Summit 2018 Europe, November 12-14, 2018 in Berlin.

*** Please note this is a guest blog post and does not necessarily represent the opinion of KuppingerCole ***

Blockchain, Identity, Trust and Governance

On June 15th, 2018 I attended an OIX Workshop in London on this subject. The workshop was led by Don Thibeau of the Open Identity Exchange and Distributed Ledger foundation and was held in the Chartered Accountants’ Hall, Moorgate Place, London.

Blockchain and Distributed Ledger Technology (DLT) is often associated with crypto-currencies like Bitcoin. However, it has a much wider applicability and holds the potential to solve a wide range of challenges. Whenever a technology is evolving, the governance is often neglected until there are incidents requiring greater participation of involved parties and regulators to define operating guidelines. Governance is a wider subject and covers markets, laws and regulations, corporate activities as well as individual projects, the workshop covered many of these areas.

One question that often arises while evaluating or adopting a new technology is whether the existing legal framework is sufficient to protect your interests. According to the technology lawyer Hans Graux (time.lex) existing EU legislation on electronic signatures works well for blockchain. However, where blockchain is sold as technology there is no guarantee of governance to it back up. EU law allows the prohibition of electronic contracts for certain forms of transaction (e.g. real estate) so there are regional variations to the applicability of blockchain within EU. Some countries have created laws but, in his opinion, these are intended to show that these countries are open for business rather than because they are needed. He recommended that organizations should take a risk-based approach, similar to that for GDPR to gauge their readiness for blockchain and document the risks arising from an early adoption of blockchain as well as the controls required to manage these risks.

There was a panel on Smart Contracts and the legal framework surrounding the Smart Contracts. A key takeaway from the panel was the fact that Smart Contracts are not deemed legal contracts and so how can Smart Contracts be made legally enforceable? Tony Lai (CodeX & Legal.io) outlined the Accord project from the CodeX Stanford Blockchain Group. The initial focus of this group is in the areas of:

1. Regulatory frameworks and ethical standards around token generation events (also known as ICOs or Initial Coin Offerings);

2. Legal issues and opportunities presented by blockchain technologies and their intersection with existing legal frameworks;

3. Smart contracts and governance design for token ecosystems; and

4. Legal empowerment and legal services use cases for blockchain technologies.

The panel then discussed the ‘Pillars of Trust’ – Governance, Identity, Security and Privacy in DLT. During this panel Geoff Goodell (UCL) provided an interesting set of perspectives including the need for people to have multiple identities. He described how electronic funds transfer systems provide best surveillance network in the world. He stated that it is only now coming to the point where the risks associated with linking peoples’ activities is becoming clear. To ensure privacy only the minimum information needed should be required to be disclosed. Systems need to be accountable to their users. DLTs are not immutable – the people in control can decide to make changes (for example a code fork) in a way that is unaccountable. Peter Howes then discussed the evidentiary value of IoT data – he expressed the view that Blockchain will not obviate disputes but will reduce the number of areas for dispute.

During the afternoon some Real-World Use-Cases for blockchain and DLT were discussed:

Laura Bailey (Qadre & British Blockchain Association) – described how Qadre has developed their own blockchain system “PL^G” and how this is being prototyped for pharmaceutical anticounterfeiting in support of the EU Falsified Medicines Directive.

Jason Blick (EQI Trade) described how they are aiming to launch the world’s first offshore bank that bridges fiat and cryptocurrencies using blockchain technologies. He announced that they will shortly launch KYC blockchain based system EQI Check.

Brian Spector (Qredo) described a Distributed Ledger Payments Platform for the telecoms industry. This could not use proof of work because of the compute overhead instead they will use the network with a “proof of speed” consensus algorithm.

KuppingerCole is actively researching blockchain and DLT including its applications to identity, privacy and security. Recently at EIC (European Identity & Cloud Conference), in Munich there were several workshops and sessions devoted to practical implementations of blockchain. In the opening keynote at EIC, Martin Kuppinger described the areas where Blockchain technology has the potential to help to solve real-world identity challenges. There are already so many KYC (Know Your Customer) use cases based on Blockchain with valid business models that this is now a reality or at least close to becoming one. Blockchain also has the potential to simplify authentication by having various authenticators and IDs associated with a wallet. Its application to authorization, privacy and smart contracts also has obvious potential.

However, a practical realization of these potentials requires trustworthiness which takes us back to the question of governance. Good governance remains vital to avoid traditional challenges of DLT and to ensure that these inherent problems are not exacerbated in blockchain implementations due to a lack of governing principles.

Cross-Border Data Management and Cybersecurity: Walking the Tightrope of Compliance and Business Efficiency

Guest Author: Jordan L. Fischer, Esq., Co-Founder & Managing Partner of XPAN Law Group, LLC

Technology is changing rapidly, correlating in an increasing amount of data collected every second.  These technologies cross-borders and allow businesses to operate on a global scale, at a rate never before seen.  However, the corresponding legal infrastructures operate with borders -- hard borders -- that make the exchange of data, both internally and externally, complicated and challenging. 

In the last two years, new data protection regulations have gone into effect in a number of different regions:  Japan, China, Australia, and most recently (and with the largest “bang”), the European Union.  Each of these regulations imposed  nuanced requirements on companies, often asserting data localization requirements, implementing the principle of transparency and including consent initiatives when these organizations collect and process data. Most importantly, companies need to proactively be aware of the implications of the technology they use and the data they collect which depending on the regions in which they operate.  

This changing legal landscape is no more apparent than in the European Union (EU), with the General Data Protection Regulation (GDPR).  The GDPR imposes a number of proactive privacy measures on entities, both within the EU and outside of the EU, that are poised to drastically change the way businesses maintain and exchange data from within the EU.  At its core, the GDPR asserts data privacy and security principles on companies.  The GDPR does not discriminate depending on the industry or the size of the organization.  It universally and equally requires  data minimization, data localization, transparency, and accountability by all organizations.  The GDPR empowers data subjects to take control of the data collected by companies about them, and to require that those companies to account for all processing of that data, and all third-parties who have access to that data.

The “GDPR model” is becoming the de facto standard.  Canadian data protection laws are changing this fall, bringing them more in line with the the GDPR.  Even individual states are moving more towards providing similar data protections as the GDPR:  California is in the midst of a debate of how much control to give data subjects regarding their data.  What started as a potential ballot to be included in the fall elections has now become a bill in the California state legislature and appears to provide similar data protections as many of these international regulations.     

These varying principles of data privacy and cybersecurity converge when organizations exchange, transfer and process sensitive information across borders and, as such, implicate a number of different regulations. Take for example the growing prevalence of cloud storage, with companies opting to store data and systems off premise, in a data center located in a specific location, or in multiple data centers. Either option directly correlates with a legal obligation and potential ramifications for regulatory compliance and contractual agreements.

When addressing cross-border data management, companies should take key steps in order to better understand any legal obligations or liabilities, before an issue arises.  The first step is knowledge:  What data is collected? What is done with that data? Where is that data stored? These regulations increase the power of the data subject, which dovetails into a burden on companies to provide the necessary transparency, both prior to and after the collection of data.  In order to provide accurate information to meet these obligations companies need to know, before collecting the data, what it intends to do with that data.      

Second, a company needs to know who has access to that data.  This is both internal access -- a company’s own employees-- and external access -- third-parties or partners.  Understanding the “who” is involved in a “data transaction” is key to ensuring security along that entire chain and providing the necessary transparency to the data subject.  The use of processors and sub-processors is common -- but, companies need to ensure that each party involved understands its obligations and adequately protects and secures the data.

Third, a company needs to understand the data lifecycle: how long is the data needed? What happens when we no longer need the data? Data storage is expensive, especially if additional security measures are needed such as encryption or redundancy.  Often, companies are not even aware of all of the “old” data that it maintains -- old data that is no longer useful but remains a liability in the event of a breach.  Creating “house cleaning” policies (i.e. data destruction and retention policies) is key to decreasing costs and potential legal ramifications.

Ultimately, companies need to understand this convergence of domestic and international data obligations and its effect on creating efficient and secure data management practices in order to meet the needs of the business.  Technology and data is like a spiderweb within an organization -- it impacts a number of different business units, and requires a holistic approach.  Taking key steps early-on in the data collection process can drastically minimize long term costs and liabilities. 

Learn more about this topic in my session at the Consumer Identity World September 19-21, 2018 in Seattle.

* * * * *
Nothing contained in this blog post should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.

Future-Proofing Your Cybersecurity Strategy

It’s May 25 today, and the world hasn’t ended. Looking back at the last several weeks before the GDPR deadline, I have an oddly familiar feeling. It seems that many companies have treated it as another “Year 2000 disaster” - a largely imaginary but highly publicized issue that has to be addressed by everyone before a set date, and then it’s quickly forgotten because nothing has really happened.

Unfortunately, applying the same logic to GDPR is the biggest mistake a company can make. First of all, obviously, you can only be sure that all your previous preparations actually worked after they are tested in courts, and we all hope this happens to us as late as possible. Furthermore, GDPR compliance is not a one-time event, it’s a continuous process that will have to become an integral part of your business for years (along with other regulations that will inevitably follow). Most importantly, however, all the bad guys out there are definitely not planning to comply and will double their efforts in developing new ways to attack your infrastructure and steal your sensitive data.

In other words, it’s business as usual for cybersecurity specialists. You still need to keep up with the ever-changing cyberthreat landscape, react to new types of attacks, learn about the latest technologies and stay as agile and flexible as possible. The only difference is that the cost of your mistake will now be much higher. On the other hand, the chance that your management will give you a bigger budget for security products is also somewhat bigger, and you have to use this opportunity wisely.

As we all know, the cybersecurity market is booming, since companies are spending billions on it, but the net effect of this increased spending seems to be quite negligible – the number of data breaches or ransomware attacks is still going up. Is it a sign that many companies still view cybersecurity as a kind of a magic ritual, a cargo cult of sorts? Or is it caused by a major skills gap, as the world simply doesn’t have enough experts to battle cybercriminals efficiently?

It’s probably both and the key underlying factor here is the simple fact that in the age of Digital Transformation, cybersecurity can no longer be a problem of your IT department only. Every employee is now constantly exposed to security threats and humans, not computers, are now the weakest link in any security architecture. Unless everyone is actively involved, there will be no security anymore. Luckily, we already see the awareness of this fact growing steadily among developers, for example. The whole notion of DevSecOps is revolving around integrating security practices into all stages of software development and operations cycle.

However, that is by far not enough. As business people like your CFO, not administrators, are becoming the most privileged users in your company, you have to completely rethink substantial parts of your security architecture to address the fact that a single forged email can do more harm to your business than the most sophisticated zero-day exploit. Remember, the victim is doing all the work here, so no firewall or antivirus will stop this kind of attack!

To sum it all, a future-proof cybersecurity strategy in the “post-GDPR era” must, of course, be built upon a solid foundation of data protection and privacy by design. But that alone is not enough – only by constantly raising awareness of the newest cyberthreats among all employees and by gradually increasing the degree of intelligent automation of your daily security operations do you have a chance of staying compliant with the strictest regulations at all times.

Humans and robots fighting cybercrime together – what a time to be alive! :)

"Archive != Delete": Bring Back the Delete Button

Why does it seem to be getting harder to delete information online? GDPR will take effect in just a few days. GDPR empowers EU people to take control of their personal information. When in force, GDPR will mandate that companies and other organizations which control or process personal information must comply with delete requests. Users around the world are more cognizant of the data they create and leave online. Even outside the EU, people want to be able to delete data which they deem is no longer useful.

Enter the “archive” button. On some social media sites and other popular applications, the archive button appears to have replaced the old familiar “delete” button. Why? It is ostensibly to make it easier for users to retrieve information that they want out of sight. App makers reason that you don’t always want to delete something once you hit delete. Sometimes, they’re right. But most of the time, “delete” should mean delete. If one searches hard enough, one can usually find ways to actually delete data, even though the top-level UIs only show options to archive.

Another reason “archive” has replaced “delete” is that all information has some value, or at least that is the guiding principle in Big Data circles. Just because a user wants data removed doesn’t mean that it doesn’t have value for others. Social network operators make money off user data, so they believe it must be retained for historical analysis.

Turbulence in the markets and bad press for social media companies may be a leading indicator as to the importance of personal data control for an increasing number of users worldwide. In advance of GDPR, and for the benefit of all users, we urge app makers to bring back the delete button.

How (Not) to Achieve Instant GDPR Compliance

With mere days left till the dreaded General Data Protection Regulation comes into force, many companies, especially those not based in the EU, still haven’t quite figured out how to deal with it. As we mentioned countless times earlier, the upcoming GDPR will profoundly change the way companies collect, store and process personal data of any EU resident. What is understood as personal data and what is considered processing is very broad and is only considered legal if it meets a number of very strict criteria. Fines for non-compliance are massive – up to 20 million Euro or 4% of a company’s annual turnover, whichever is higher.

Needless to say, not many companies feel happy about massive investments they’d need to make into their IT infrastructures, as well as other costs (consulting, legal and even PR-related) of compliance. And while European businesses don’t really have any other options, quite a few companies based outside of the EU are considering pulling out of the European market completely. A number of them even made their decision public, although we could safely assume that most would rather keep the matters quiet.

But if you really decide to erect a “digital Iron Curtain” between you and those silly Europeans with their silly privacy laws, how can you be sure it’s really impenetrable? And even if it is, is that a viable strategy at all? The easiest solution is obviously geofencing – just block all access to your website from any known European IP range. That’s something a reasonably competent network administrator can do in under an hour or so. There are even companies that would do it for you, for a monthly fee. One such service, aptly named GDPR Shield, offers a simple JavaScript snippet you need only to paste into your site’s code. Sadly, the service seems to be unavailable at the moment, probably unable to keep up with all the demand…

However, before you even start looking for other similar solutions, consider one point: the GDPR protects the EU subjects’ privacy regardless of their geographic location. A German citizen staying in the US and using a US-based service is, at least in theory, supposed to have the same control over their PII as back home. And even without traveling, an IP blacklist can be easily circumvented using readily available tools like VPN. Trust me, Germans know how to use them – as until recently, the majority of YouTube videos were not available in Germany because of a copyright dispute, so a VPN was needed to enjoy “Gangnam style” or any other musical hit of the time.

On the other hand, thinking that the EU intends to track every tiniest privacy violation worldwide and then drag every offender to the court is ridiculous; just consider the huge resources the European bureaucrats would need to put into a campaign of that scale. In reality, their first targets will undoubtedly be the likes of Facebook and Google – large companies whose business is built upon collecting and reselling their users’ personal data to third parties. So, unless your business is in the same market as Cambridge Analytica, you should probably reconsider the idea of blocking out European visitors – after all, you’d miss nearly 750 million potential customers from the world’s largest economy.

Finally, the biggest mistake many companies make is to think that GDPR’s sole purpose is to somehow make their lives more miserable and to punish them with unnecessary fines. However, like any other compliance regulation, GDPR is above all a comprehensive set of IT security, data protection and legal best practices. Complying with GDPR - even if you don’t plan to do business in the EU market - is thus a great exercise that can prepare your business for some of the most difficult challenges of the Digital Age. Maybe in the same sense as a volcano eruption is a great test of your running skills, but running exercises are still quite useful even if you do not live in Hawaii.

Discover KuppingerCole

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected



Compliance, Risk & Security Learn more

Compliance, Risk & Security

Whether public, private or hybrid clouds, whether SaaS, IaaS or PaaS: All these cloud computing approaches are differing in particular with respect to the question, whether the processing sites/parties can be determined or not, and whether the user has influence on the geographical, qualitative and infrastructural conditions of the services provided. Therefore, it is difficult to meet all compliance requirements, particularly within the fields of data protection and data security. The decisive factors are transparency, controllability and influenceability of the service provider and his [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00