Last week, Microsoft announced the general availability of the Azure Security Center – the company’s integrated solution for monitoring, threat detection and incident response for Azure cloud resources. Initially announced last year as a part of Microsoft’s new cross-company approach to information security, Azure Security Center has been available as a preview version since December 2015. According to Microsoft, the initial release has been used to monitor over 100 thousand cloud subscriptions and has identified over one and a half million vulnerabilities and security threats.
So, what is it all about anyway? In short, Azure Security Center is a security intelligence service built directly into the Azure cloud platform.
- It provides security monitoring and event logging across Azure Cloud Services and Linux-based virtual machines, as well as various partner solutions;
- It enables centralized management of security policies for various resource groups, depending on business requirements or compliance regulations;
- It provides automated recommendations on addressing most common security problems, such as configuring network security groups, installing missing system updates or automatically deploying antimalware, web application firewall or other security tools in your cloud infrastructure;
- It analyzes and correlates various security events in near real-time, fuses them with the latest threat intelligence from its own and third-party security intelligence feeds, and generates prioritized security alerts when threats are detected;
- It provides a number of APIs, an interface to Microsoft Power BI and a SIEM connector to access and analyze security events from the Azure cloud using existing tools.
In other words, Microsoft Azure Security Center is a full-featured Real-Time Security Intelligence solution “in the cloud, for the cloud”. Sure, other SIEM and security analytics solutions provide integrations with cloud resources as well, but, being a native component of the Azure cloud infrastructure, Microsoft’s own solution has several obvious benefits, such as better integration with other Azure services, more efficient resource utilization and much lower deployment effort.
In fact, there is nothing to deploy at all – one can activate the Security Center directly in the Azure Portal. Moreover, basic security features and partner integrations are available for free; only advanced threat detection (like threat intelligence, behavior analysis, and anomaly detection) is priced per monitored resource.
With Azure Security Center now available for all Azure subscribers, offering new partner integrations (for example, vulnerability assessment by companies like Qualys) and new threat detection algorithms, there is really no reason why you should not immediately turn it on for your subscription. Even with the basic free functions, it provides a useful layer of security for the cloud infrastructure, but with the full range of behavior-based and anomaly-detection algorithms and a rich set of integration options, Azure Security Center can serve either as a center of your cloud security platform or as a means of extending your existing SIEM-based security operations center to the Azure cloud.
Back in 2014, a US court decision ordered Microsoft to turn over a customer’s emails stored in Ireland to a US government agency. The order had been temporarily suspended from taking effect to allow Microsoft time to appeal to the 2nd US Circuit Court of Appeals.
I wrote a post on that issue back then and described the pending decision as a Sword of Damocles hanging over all US Cloud Service Providers (CSPs). While that decision raised massive awareness in the press back then, the news that hit my desk a few days ago didn’t get much attention. In the so-called “search warrant case”, the 2nd US Circuit Court of Appeals ruled in favor of Microsoft, overturning an earlier ruling from a lower court.
The blog post Brad Smith, President and Chief Legal Officer at Microsoft, published is very well worth reading, particularly the part about the support Microsoft has experienced from other parties and the section that points out that legislation needs to be updated to reflect the world that exists today. The latter is currently on its way in the EU, with the upcoming EU GDPR, becoming effective in 2018.
From the perspective of US CSPs and their customers, the court decision is definitely good news. Despite the fact that it is “only” a court decision and updated legislation is still missing, it mitigates some of the risk that EU customers in particular, but also e.g. APAC customers, perceived when relying on US CSPs. This helps US CSPs with their business, by removing barriers to rapid cloud adoption. It helps customers, because the risk of data being requested by US governmental agencies while being held in non-US data centers is reduced significantly. So it’s not a Sword of Damocles hanging around anymore. Maybe it’s still a knife, so to speak, but the risk is far lower now.
What I definitely find interesting to observe is the rather low attention the good news received. But that’s not too surprising. Bad news always sells better than good news.
The decision, from my perspective, can have a significant impact on further speeding up the shift of customers from on-premises solutions to the cloud. Most are on their way anyway. Each risk that is mitigated eases customers’ decisions. Anyway, the next challenge to solve for US CSPs (and all other CSPs that do any business with the EU) will be to comply with the EU GDPR. But there at least we have the legislation and do not rise or fall with court decisions.
IBM and the French Crédit Mutuel Arkéa recently announced the completion of a blockchain project that helps the bank verify customer identities and remain compliant with KYC (Know Your Customer) requirements.
In contrast to common, transaction-focused use cases for blockchain implementations, the focus in this case is on having a tamper-resistant, time-stamped ledger that supports the bank in identifying its 3.6 million customers. Banks, especially those with a lot of branch offices, have a variety of systems for managing customer identities.
With the blockchain implementation based on IBM technology and the open-source Hyperledger project, the bank has realized a solution that federates information from various existing banking systems and delivers a (logically) centralized ledger that supports the consistency, traceability, and privacy requirements.
Blockchains are by nature ideal for such use cases, given that they create a tamper-resistant, time-stamped, and distributed ledger. In this implementation, a permissioned ledger is used, given that it is a bank-internal project that does not have to deal with the specific requirements of anonymous users and public use cases such as the Bitcoin blockchain.
The ledger holds information about, for example, all relevant identifying documents customers have signed with the bank. Thus, customers don’t need to re-sign when using other services or visiting different branch offices – plus the advantage that the bank has a unique view of the customer, which is relevant from both a compliance and a customer service perspective.
The project has been implemented in a rather short time. From my perspective, it is a great example of the breadth of use cases blockchains can serve. Blockchain will increasingly become a standard infrastructure element, as e.g. relational databases are today. This is greatly demonstrated by this particular project. Crédit Mutuel Arkéa has further plans for expanding the capabilities, e.g. by providing verification services to 3rd parties.
I strongly recommend analyzing the potential of blockchains for your business. There are many interesting use cases in virtually every industry. Blockchains will not solve everything, and identifying the right blockchain type with the appropriate consensus model, depending on use cases and specific requirements, needs a thorough understanding of blockchain technology. But clearly, there are far more use cases for blockchains than just cryptocurrency and smart contracts. Start analyzing the business potential of blockchains now. There is plenty of KuppingerCole research available, with a number of new reports to be published within the next few days – and you can also rely on KuppingerCole advisory services when starting to look at blockchains.
The Brexit Leave vote will have a substantial influence on the economy inside and outside of the UK. But the impact on UK-based, and also on EU-based and even non-EU-based organisations, may be even greater, potentially posing a major threat to various aspects of their business. Especially from the perspective of data protection, security and privacy, the future of data protection legislation within the UK will be of great interest.
When asked for his professional view as a lawyer, our fellow analyst Dr. Karsten Kinast replied with the following statement:
"On the 23rd June, the UK carried out a referendum to vote about the UK's EU membership. About 52% of the participants voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.
The withdrawal of the UK's membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time, the UK will still be in the process of leaving the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.
Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, the ICO, published a statement regarding the existing data protection framework in the UK. According to the ICO, 'if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018'.
Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to UK, a similar framework should be in place by the time the GDPR enters into force."
So it is appropriate to distinguish between the phase before the UK actually leaves the EU and the time afterwards. In the former phase, starting right now, EU legislation will still apply, so in the short term organisations are probably well advised to follow all steps required to be compliant with the GDPR as planned anyway. With the currently surfacing reluctance of the British government to actually initiate the Art. 50 process according to the Lisbon treaty, by delaying the leave notification until October, this first phase might even take longer than initially expected. And we will most likely see the UK still being subject to the GDPR as it comes into effect in May 2018 and before the actual exit.
For the phase after the actual exit process the situation is still unclear. What does that mean for organisations doing business in and with the UK as soon as the GDPR is in full effect?
- In case they are UK-based and are only acting locally we expect them to be subject to just the data protection regulations as defined in Britain after the exit process. But any business with the EU will make them subject to the GDPR.
- In case they are based in the EU they are subject to the GDPR anyway. In that case they have to be compliant with the rigid regulations as laid out in the EU data protection regulation.
- In case they are based outside of the EU but are doing business with the EU as well, they are again subject to the GDPR.
- We expect the number of companies outside the EU doing business only with a post-Brexit UK (i.e. not with the EU at all) to be limited or minimal. Those would have to comply with the data protection regulations as defined in Britain after the exit process.
Reliable facts for the post-Brexit era are not yet available. Nevertheless, CEOs and CIOs of commercial organisations have to make well-informed decisions and need to be fully prepared for the results of those decisions. An adequate approach in our opinion can only be a risk-based approach: organisations have to assess the risks they are facing in case of not being compliant with the GDPR within their individual markets. And they have to identify which mitigating measures are required to reduce or eliminate that risk. If any advice is possible at this early stage, it still remains the same as given in my previous blog post: organisations have to understand the GDPR as the common denominator for data protection, security and privacy within the EU and outside the EU for the future, starting right now and effective by May 2018 at the latest. Just like Karsten concluded in the quote cited above: to facilitate trading in the common market the UK will have to provide a framework similar to the GDPR and acceptable to the EU.
So any organisation that has already embarked on its journey of implementing processes and technologies to maintain compliance with all requirements as defined by the GDPR should strategically continue doing so, to maintain an appropriate level of compliance by May 2018, no matter whether inside or outside the UK. Organisations that have not yet started preparing for an improved level of security, data protection and privacy (and there are still quite a lot in the UK as well, as recent surveys have concluded) should consider starting to do so today, with the fulfilment of the requirements of the GDPR, adapted to the individual business model, as their main goal.
We expect stable compliance to the regulations as set forth in the GDPR as a key challenge and an essential requirement for any organisation in the future, no matter whether in the EU, in the UK or outside of Europe. Being a player in a global economy and even more so in the EU single market mandates compliance to the GDPR.
Every one of us, whether a security professional or not, is also a part-time online customer or a subscriber of digital services. Providing personal information to a service organisation, to a social media platform or a retailer is a deliberate act. This will be even more the case once the upcoming GDPR is in full effect. Ideally the disclosure of potentially sensitive information should always lead to a win-win situation, with both directly involved parties, the customer and the provider of services, benefiting from the information provided by the end user.
So organisations need to make sure that customer information is managed with the utmost diligence, to the benefit of both the customer and the organisation. That means that the customer identity has to be put at the centre of all processes. And organisations need to understand that there are more sources available within (and outside of) the organisation where information about a single customer is available, providing social, behavioural, interest, transactional and much more data, including historical data. Combining and consolidating this data into a single unified customer profile while maintaining scalability, security and compliance is most probably one of the essential challenges organisations will have to solve in the future.
Customers interacting with a service provider or any other internet-facing organisation typically start with a registration process, either from scratch by creating a new account or by reusing and complementing existing 3rd-party account information, e.g. from social logins. From that moment on they are interacting with the system and thus implicitly provide a constant flow of information through their behaviour. But Customer Identity and Access Management strategically goes far beyond that. Information about a single specific customer might already be available in the enterprise CRM system, providing in-depth insight into former interactions, e.g. with the helpdesk. Previous purchases or subscriptions will be documented in their respective systems, and more information might be available in the enterprise IAM system (especially when the organisation needs to understand that a customer is also an employee) or the corporate ERP system.
These types of information are valuable when it comes to understanding customer identity as a whole. The actual task of retrieving and leveraging this information should not be underestimated: in many organisations these different systems are run by different teams and different parts of the organisation, and this often leads to so-called information silos. Getting to a unified customer profile necessarily requires breaking up the barriers between those organisational and technical silos. Cross-organisational and cross-functional teams are typically required to consolidate the information already available within a single enterprise. Aligning different sources of information and different semantics resulting from different business purposes to get to a meaningful pool of consumer profiles requires expertise from various teams.
After having done their “homework” (by exploiting their already existing knowledge about each customer identity), many organisations are also looking into integrating information available from third parties, which means data sources outside of the organisation. Potential sources are manifold: they range from social media (Facebook, Twitter, Google+ and many others, including regional and special interest social media services) and the reuse of profile data (including likes, recommendations, comments) to sources of commercial marketing data, and from existing sources of Open Data to credit rating organisations.
When it comes to comparing effort and benefit, it becomes obvious that greedily collecting every piece of information available cannot be effective. Identifying the right set of information for the right business purpose is one of the major challenges. Having the right information available for the end user to improve his user experience and for the organisation to support decision-making processes has to be the key objective. Nevertheless, the definition of an adequate set of “right” information is a moving target that needs to be adjusted during the lifetime of a customer identity and the underlying CIAM system.
However, it must be made sure that the reuse of all the above mentioned information is only possible when the owner of this data, i.e. the customer, has agreed to this processing of the information for additional purposes. User consent is key when it comes to recombining and analysing existing information.
Know and Serve Your Customer: Why KYC is not enough
Today’s connected businesses need to communicate, collaborate and interact with their customers in a way that’s more flexible than ever before. Knowing and, based on that knowledge, optimally serving the customer is key to success in the Digital transformation.
Customer-facing IAM needed
With the accelerating digital transformation, we delve deeper into the subject of customer identity management than ever before. Several external drivers change economic partnerships, such as a different competitive landscape, ever-changing regulation and, at the same time, an increasing number of cyber-attacks. There are also internal drivers, such as the need for more agile, innovative and flexible organizations. Both internal and external drivers are encompassed in overarching core topics like smart manufacturing, the Internet of Things (IoT) and Know Your Customer (KYC). To be successful in digital transformation we need to change our customer contacts. For this we need to deploy a string of key enabling technologies, e.g. identity relationship management, security and privacy, big data, right up to blockchain and distributed ledgers.
In order to reach a competitive advantage, we also have to improve our customer relationships and the way we handle data. We need to be able to deal with customers and their identities better than ever before. In times of the cloud advantages can’t be reached simply by better IT and lower costs any more. The cloud delivers equal services to everyone at an affordable price.
What’s needed is a customer-facing IAM (Identity & Access Management). While companies were traditionally only looking at employees and some external business partners in their IAM deployments, with a focus on administrative efficiency and compliance, in recent times federation and the management of partners became more and more important as a B2B element. Now, finally, the customers play a role as well. And they should, obviously, given that the customer is where the money comes from. There are also, e.g., ecommerce processes that have to be supported. In the future, we need to bring all resources into focus. How can we, for instance, serve the customer better and more safely in the cloud? How can we deal with the customer amid ever-changing business partnerships and in new business models?
Besides cloud services and the access to them, we also need to manage mobile devices such as computers, tablets, smartphones and wearables as well as logins to social networks and, last but definitely not least, IoT and operational technologies (OT) in manufacturing environments. We also need ways to protect the ownership of customer data. This requires the further development and perfection of identity relationship management (IRM), as one important element. In a sense this is the advancement of IAM in the digital context. How can I still steer and control access in this much more complex world?
Holistic look at identity
Identity Relationship Management (IRM) means having a single identity model across different identities: employees, customers, partners, but also services, things and devices. It needs to be scalable internet-wide, not only on an enterprise dimension. Most companies have many more customers than employees. Customers often use a number of different devices. This means other orders of magnitude and thus other performance and scalability requirements. The people responsible for CRM (Customer Relationship Management) need to see their system in the context of IAM, since this is the biggest identity store in most companies. It provides a whole customer history. This is actually a point I already wrote about ten years ago. Other IAM sources are, for instance, ERP, Finance (credit history) and Governance. We need to add and understand context information, social logins and access paths. What is really happening there? What does the customer look like and how can he get access? Is he at the same time an employee of the company? Are there any conflicts arising out of this, e.g. when employees manage their own customer data sets?
Instead of information silos, a cross-system approach for IAM is necessary, along with an improved customer experience, faster time to market and context-sensitive, adaptive security measures. If someone wants to get access via a relatively weak social login, a different risk evaluation is needed than if she or he gets authorization via a registered account or an ID card. We need to understand the respective risk and context and adapt our evaluations accordingly. The more information we have, the more precise each risk evaluation will be.
Daily breaches show that passwords are not enough anymore, especially not the same across various services. However, access has to remain user friendly to be accepted by customers. One useful additional security feature could be, for example, adaptive push authentication and notification. A new KuppingerCole Webinar provides more information about this method (in German).
KYC goes beyond CIAM
How can you know and optimally serve your customer during the whole lifecycle? Important elements here are customer self-service and integration of customer data. KYC (Know Your Customer) goes even further than CIAM (Customer Identity & Access Management). It encompasses Customer Tracking & Marketing Automation as well as Analytics (Big Data) and Privacy & Information Protection. The customer needs to give his consent about what’s being done with his data and for which reason it might be used. He must be able to withdraw this consent any time. This brings the concept of Life Management Platforms closer to reality than ever before.
KYC can best be seen as the intersection between CRM (and Marketing automation), IAM and Privacy, i.e. the marketing view of the customer, the technical or identity view of the customer and the (not only) legal perspective. Active interaction plays an important role here as well as governance. The question is: Who in the company may do what in which form with the customer? Drivers of this development are compliance topics such as anti-money laundering (AML). Technologies such as IRM are really helpful in this context to understand how different identities are connected to each other.
The term KYC is also not really accurate, since it is not only about knowing the customer, but also about optimally serving him. Thus I’d prefer the term KSYC, Know & Serve Your Customer, an appropriate evolutionary step in doing CRM. If enterprises in addition finally start looking at their employees as a special kind of customers, who are granted access to more applications than others, it will improve enterprise IAM as well, bring different business divisions smoothly under one roof and help get rid of unnecessary discussions about special applications for the management of consumer identities.
The news is already getting quieter around the GDPR, the General Data Protection Regulation as issued by the European Union. Several weeks ago it was discussed in detail in many articles, and background information was provided by many sources, including lawyers and security experts, but in the meantime other topics have taken its place in the news.
But unlike some other topics, the GDPR won't go away by simply ignoring it. It is less than two years from now that it will become legally binding as formal law, for example in Germany. Probably one of the most striking characteristics of the new regulation, and one that is constantly underestimated, is the scope of its applicability: it actually applies in all cases where the data controller or the data processor or the data subject is based in the EU. This includes all data processors (e.g. cloud service providers) or data controllers (e.g. retailers, social media, practically any organisation dealing with personally identifiable information) which are outside the EU, especially for example those in the US. They, however, seem to be gaining the lead in taking the right first steps already in comparison with European organisations.
So the GDPR will be a major game changer for a lot of customer facing services. For many organisations changing the processes, the applications and the infrastructure landscape to be compliant with the regulations of the upcoming new requirements as laid out in the GDPR will be a massive challenge.
The following image focuses just on some of the “highlights” of the European General Data Protection Regulation. But apart from this, each and every organisation should review the current version of the text, which goes far beyond that. It is available on the Internet, e.g. here, and detailed and profound commentary is available e.g. here. My fellow analyst Dr. Karsten Kinast provided a great short wrap-up during his keynote at EIC 2016 in Munich earlier this year.
While two years sounds like a long period of time, actually the opposite is true. The requirements imposed by the GDPR are at least partially substantially different from existing national data protection regulations. Every organisation has to identify which steps are required to implement proper measures to comply with these regulations for their own processes and business models. When looking at the amount of time required to implement all the changes identified, somewhat less than two years no longer appears to be plenty of time.
Unfortunately, industry associations in particular appear unwilling to supply adequate support or advice, and often enough end up with commonplace remarks. Instead of providing appropriate guidance, often the opposite is done by repeatedly praising Big Data as the basis for next-generation business models. While this might nevertheless be true for some organizations, it can only be true when they are compliant with the upcoming GDPR in every relevant respect.
Many important decisions will have to be left for court decisions in the end. This might turn out as a difficult challenge with only little practical advice being available as of now. But doing nothing is not an option at all.
Compliance with legal or regulatory requirements is rarely considered as a value in itself, but it is - and will be even more - a sine qua non when it comes to data protection, customer consent and privacy very soon. On the other hand: assuring a high level of security and consumer privacy ahead of the legal requirements can be a competitive advantage. So if you have not yet started making your organisation and your business ready for the GDPR and its upcoming regulations, today might be a good day to take the first steps.
KuppingerCole has long noted the importance of blockchain technologies, whilst also noting that the key challenges to the adoption of blockchain technologies remained standardisation, privacy & security, as well as dilemmas regarding the types of blockchain technologies to adopt. In regards to these final two points, the main arguments have centred around the use of permissioned vs unpermissioned blockchains, as well as anonymous, pseudonymous or identified blockchains.
Microsoft made some wise decisions in response to these challenges. Initially, by announcing Blockchain as a service (BaaS) offerings on Azure last November, and subsequently announcing many new partnerships with various blockchain technology start-ups and consortiums, it gave organisations the opportunity to quickly begin experimenting with various blockchain tools easily and without the need to make decisions about which specific technology to use at this early stage of maturity of blockchain technologies.
Microsoft has now further progressed its BaaS offering with Project Bletchley. Finally, organisations can begin to make use of concrete benefits of blockchains whilst still remaining agnostic in regards to which specific blockchain is used to deliver these benefits.
In short, Project Bletchley enables the use of blockchain-powered middleware solutions. The first of the two major tools offered by this latest announcement is called “Cryptlets”. This blockchain- and development-language-agnostic tool allows an organisation to leverage the power of time-stamped decentralised ledgers (blockchains) to secure organisational data without compromising the confidentiality of this data. For example, non-repudiation of a transaction between systems which process confidential data can be ensured by referencing some encrypted, time-stamped information stored on an external blockchain, while ensuring that this information remains completely useless to any other third party not engaged in the original transaction.
Cryptlets thus enable a whole new category of Project Bletchley middleware tools that can provide additional security, scalability and performance to typical middleware use cases even if the blockchains used to provide these features do not natively allow such types of features. Some key examples of this toolset include identity, encryption and key management features. This new blockchain-powered middleware stack will work with existing Azure services such as Key Vault and Active Directory.
By using this combination of centralised, authoritative systems such as middleware, public key infrastructure and authentication stores along with features of decentralised, algorithmic consensus-based technologies such as blockchains, it becomes possible to overcome the limitations of both types of technologies whilst also providing new hybrid technologies with better security and performance characteristics.
Centralised systems are necessary to most organisations, yet the authoritative management nodes of these systems often become the targets of malicious actors. Once these key root nodes are compromised, it is often very difficult to recover from a successful attack as it is very difficult to establish the ‘last known good state’ of the sensitive data. By decentralising this information on time-stamped blockchains, it becomes much harder for an attacker to manipulate the information on a compromised authoritative node.
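As an added illustration of the hybrid pattern described above (this is example code written for this page, not Project Bletchley or Cryptlets code, whose internals the post does not detail): a central authoritative store anchors a salted hash commitment of every record it writes to an external time-stamped ledger, simulated here by an in-memory hash chain. The ledger discloses nothing about the confidential records to third parties, yet a holder of the record can later open the commitment (non-repudiation), and auditing the store against its latest anchored commitments exposes in-place tampering and points at the last known good state.

```python
# Constructed example: a central store anchoring salted commitments of its
# records to an external time-stamped ledger (here an in-memory hash chain
# standing in for a blockchain). Not Project Bletchley / Cryptlets code.
import hashlib
import json
import os
from dataclasses import dataclass, field

GENESIS = "0" * 64

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def commit(record: dict, salt: bytes) -> str:
    """Salted hash commitment: binds the record but hides its content, so
    the ledger reveals nothing to parties outside the transaction."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return _sha256(salt + canonical)

@dataclass
class Entry:
    seq: int
    timestamp: int  # constructed logical clock; a real ledger supplies its own
    record_id: str
    commitment: str
    prev_hash: str
    entry_hash: str = ""

    def body(self) -> bytes:
        return f"{self.seq}|{self.timestamp}|{self.record_id}|{self.commitment}|{self.prev_hash}".encode()

@dataclass
class Ledger:
    """Append-only hash chain: each entry commits to its predecessor."""
    entries: list = field(default_factory=list)

    def append(self, timestamp: int, record_id: str, commitment: str) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        e = Entry(len(self.entries), timestamp, record_id, commitment, prev)
        e.entry_hash = _sha256(e.body())
        self.entries.append(e)
        return e

    def verify_chain(self) -> bool:
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != _sha256(e.body()):
                return False
            prev = e.entry_hash
        return True

    def latest_for(self, record_id: str):
        return next((e for e in reversed(self.entries) if e.record_id == record_id), None)

class AuthoritativeStore:
    """Central system of record (e.g. a directory). Every legitimate write
    anchors a commitment to the new record state on the external ledger."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self.records: dict = {}
        self.salts: dict = {}
        self.clock = 1000  # constructed timestamp source

    def write(self, record_id: str, record: dict) -> Entry:
        salt = os.urandom(16)
        self.records[record_id] = dict(record)
        self.salts[record_id] = salt
        self.clock += 1
        return self.ledger.append(self.clock, record_id, commit(record, salt))

    def audit(self) -> dict:
        """Compare live records with their latest anchored commitment.
        Returns {record_id: (matches, last_good_seq, last_good_timestamp)};
        a mismatch means the record changed after its last anchored state."""
        report = {}
        for rid, rec in self.records.items():
            a = self.ledger.latest_for(rid)
            ok = a is not None and commit(rec, self.salts[rid]) == a.commitment
            report[rid] = (ok, getattr(a, "seq", None), getattr(a, "timestamp", None))
        return report

def opens_commitment(entry: Entry, record: dict, salt: bytes) -> bool:
    """Non-repudiation: only a holder of (record, salt) can show that the
    ledger entry commits to exactly this record."""
    return commit(record, salt) == entry.commitment

def demo() -> dict:
    ledger = Ledger()
    store = AuthoritativeStore(ledger)
    store.write("alice", {"role": "user", "mfa": True})
    store.write("bob", {"role": "admin", "mfa": True})
    # An intruder with write access to the central store, but not to the
    # ledger, silently disables MFA for alice by editing the record in place.
    store.records["alice"]["mfa"] = False
    return store.audit()  # alice flagged; last good state is seq 0 at ts 1001
```

A legitimate re-anchoring by the intruder would itself leave a new, time-stamped ledger entry, which is exactly the evidence a responder needs to reconstruct what changed and when.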
Project Bletchley finally provides some concrete tools for enabling these hybrid centralised/decentralised secure systems which up until now have mostly only been theoretically discussed. What is important again here is that this project is blockchain technology agnostic. Just like TCP/IP, the value from blockchains (or networking for that matter) does not come from the use of a specific blockchain implementation, but how it can support a given use case.
When dealing with consumers and customers directly, the most important asset for any forward-thinking organisation is the data provided by and collected about these new types of identities. The appropriate management of consumer identities is of utmost importance. When handing over personal data to a commercial organisation, the consumer typically does so with two contrasting expectations. On the one hand, the consumer wants to benefit from the organisation as a contract partner for goods or services. Customer-facing organizations get into direct contact with their customers today as they are accessing their [...]