Blog posts by Martin Kuppinger
If you have ever been involved in discussions between IT Security people and OT (Operational Technology, everything that runs in manufacturing environments) people – not only the security people among them – you probably observed that such discussions tend not to be fruitful, because they start with a fundamental misunderstanding between the two parties.
IT security people think about security first, which is essentially about protecting against cyber-attacks and internal attackers and about the “CIA” – confidentiality, integrity, and availability. OT people don’t think about security first, even if they are OT security people. They think first about safety: the physical safety of humans and machines, reliability, and availability.
Understanding this dichotomy is essential, because there are different requirements, but also a different history in both areas. OT has always focused on safety, reliability, and availability of production environments. Physical harm to humans, but also damage to machines, caused by software issues (such as a faulty patch) is unacceptable. Mistakes in production are unacceptable, because they can lead to massive liability issues and cost. And availability is key for manufacturing. A production line not working can cause very high cost in a very short period of time. In fact, that is where high availability is really critical, far more so than for the vast majority of IT systems, even the ones that are considered critical.
Unfortunately, the world is changing rapidly. Buzzwords such as “Industry 4.0” or “Smart Manufacturing” stand for that change – the change from an isolated to a massively connected world of manufacturing. The quintessence of these changes is that manufacturing environments become connected, and increasingly connected bi-directionally, unless regulations prohibit this. The golden rule to keep in mind here is simple: “Once something is connected, it is under attack.” Search engines that index everything that is connected, including IoT devices (and Industrial IoT or IIoT devices), automated attacks, advanced attacks against manufacturing environments: the risk for these connected environments is massive.
Thus, it is time to overcome the dichotomy between security and safety. We need to figure out new ways of both connecting and protecting manufacturing environments against attacks, while keeping them safe, reliable, and available. The answer to this challenge can’t be leaving everything as is. This will not work. Outdated operating systems, a lack of regular patches, a lack of fine-grained security models in OT equipment – all this will not work anymore. On the other hand, it will take years, probably even decades, to modernize all these environments.
Thus, we need to find a mix of new, more modern approaches that combine security by design with the specific requirements of OT environments, while protecting all the old stuff – with unidirectional firewalls, with privilege management technologies to protect shared administrative accounts, with advanced analytical tools to identify potential attacks.
However, we will only succeed when both groups, the IT and the OT people, end their culture of not understanding each other and start working on joint initiatives – and that must start by defining a common understanding of the vocabulary, but also understanding that the requirements of both groups are not only valid but mandatory. Let’s start working together.
There are good reasons for the move towards “Cognitive Security”. The skill gap in Information Security is amongst the most compelling ones. We just don’t have sufficient skilled people. If we can make computers step in here, we might close that gap.
On the other hand, a lot of what we see being labeled “Cognitive Security” is still far away from really advanced, “cognitive” technologies. Marketing tends to exaggerate. On the other hand, there is a growing number of examples of advanced approaches, such as IBM Watson, which focuses on filtering unstructured information and delivering exactly what an Information Security professional needs.
A challenge we must not ignore is the fact that these technologies are based on what is called “machine learning”. The machines must learn before they can do their job. That is not different from humans. An experienced security expert first needs experience. That, on the other hand, leads to two challenges with machines.
One is that machines, if used in Information Security, first must learn about incidents and attacks. In other words: they can only identify attacks after learning. Potentially, that means that some attacks must occur before the machine can identify and protect against them. There are ways to address this. Machines can share their “knowledge” better than humans. Thus, the time until they can react to attacks can be massively shortened. Furthermore, the more “cognitive” the machines behave, the better they might detect new attacks by identifying analogies and similarities in patterns, without knowing the specific attack.
On the other hand, training the machines bears the risk that they learn the wrong things. Attackers might even systematically train cognitive security systems in wrong behavior. Botnets might be used for sophisticated “training” before the concrete attacks occur.
While there is a strong potential for Cognitive Security, we are still in the very early stages of evolution. However, I see a strong potential in these technologies, not in replacing humans but in complementing them. Systems can run advanced analysis on masses of data and help find the few needles in the haystack, the signs of severe attacks. They can help Information Security professionals make better use of their time, by focusing on the most likely traces of attacks.
Traditional SIEM (Security Information and Event Management) will be replaced by such technologies – an evolution that is already under way, by applying Big Data and advanced analytical capabilities to the field of Information Security. We at KuppingerCole call this Real Time Security Intelligence (RTSI). RTSI is a first step on the journey towards Cognitive Security. Given the fact that Security on one hand is amongst the most complex challenges to solve and, on the other hand, attacks cause massive damage, this is one of the fields where the evolution in cognitive technologies will take place. It is not as popular as playing Go or chess, but it is a huge market with massive demand. Today, we can observe the first examples of “Cognitive Security”. In 2025, such solutions will be mainstream.
Martin Kuppinger talks about firewalls and the fact that they are not really dead.
Today, Ping Identity announced the acquisition of UnboundID. The two companies have already been partnering for a while, with a number of joint customers. After the recent acquisition of Ping Identity by Vista Equity Partners, a private equity firm, this first acquisition by Ping Identity can be seen as the result of the new setup of the company. The initial announcement by Vista Equity Partners already included the information that both organic and inorganic growth – as has now happened with UnboundID – is planned.
The acquisition of UnboundID is interesting from two perspectives. One concerns the capabilities of the UnboundID Platform in managing identity data at scale and in capturing, storing, syncing, and aggregating data from a variety of sources such as directories, CRM systems, and others. The other involves the capabilities UnboundID provides for multi-channel customer engagement. This, for example, includes an analytics engine for analyzing customer behavior trends.
Combined with the proven strength of Ping Identity in the Identity Federation and Access Management market, this allows the companies to extend their offering particularly towards the currently massively growing market of CIAM (Customer Identity and Access Management). Furthermore, the technical platform that Ping Identity provides is complemented with an underlying large scale directory and synchronization service.
Due to the fact that both companies have been working closely together for a while, we expect that existing and new customers will benefit rapidly from Ping Identity’s expanded offering.
There is probably no single thing in Information Security that has been declared dead as frequently as the password. Unfortunately, it is neither dead nor dying. Far from it! The password will survive all of us.
That thesis seems to stand in stark contrast to the rise of strong online identities. But even weak online identities such as device IDs or the identifiers of things, used as an alternative to username and password, will not make the password obsolete.
We all know that passwords aren’t really safe. Weak passwords such as the one reportedly used by Mark Zuckerberg – said to be “Dadada” – are commonly used. Passwords either are complex and hard to remember, or they are long and annoying to type, or they are short, easy to type, and weak.
However, what are the alternatives? We can use biometrics. But even with upcoming standards such as the FIDO Alliance standards, there still are many scenarios where biometrics do not work well, aside from the fact that most also aren’t perfectly safe. Then there are these approaches where you have to pick known faces from a number of photos. This takes longer than typing in a password, thus it adds inconvenience.
Yes, we are becoming more flexible in choosing the authenticator which works best for us. Both in Enterprise IAM and Consumer IAM, adaptive authentication and the support of a broad variety of authenticators are on the rise. But even there, the password remains a simple and convenient option. Other options such as OTP (One Time Password) hardware tokens are not that convenient, they are expensive, logistics are complex, and in case we lose a device or a token or whatever else, we still might come back to the password (or some password-like construct such as security questions).
Using many weak authenticators also is an option. But again: what is our fallback in case there aren’t sufficient authenticators available for a certain interaction or transaction? Not enough proof for the associated risk?
There is no doubt that we can construct scenarios where we do not need passwords at all. There is also no doubt that we will see more such scenarios in the future. But we will not fully get rid of passwords. Starting with access to legacy systems that don’t support anything other than passwords (oh, and even if you put something in front, there will still be the username and password of the functional account); with the passwords used for identifying us when calling our mobile phone providers; with the passphrases and security questions; with all the websites and services that still don’t support anything other than passwords: there are too many scenarios where passwords will continue to exist. For many, many years.
We will observe an uptake of alternative, strong authenticators as well as the use of a combination of weak authenticators e.g. for continuous authentication. But we will not get rid of passwords. Not in one year, not in five years, not in ten years.
Hopefully, we will be able to use better approaches than username and password for all the websites we access and the services we use. Today, we are far from that. But even then, username and password will be a supported approach in most scenarios, sometimes combined e.g. with an out-of-band OTP or whatever else. Why? Simply because vendors will rarely lock out customers. When you raise the bar too high for strong authentication, this will cost you business. Username and password aren’t a good, secure approach. But we are all used to them, thus they aren’t an inhibitor.
Martin Kuppinger talks about Cloud IAM and that it is more than CSSO
Back in 2014, a US court decision ordered Microsoft to turn over a customer’s emails stored in Ireland to a US government agency. The order had been temporarily suspended from taking effect to allow Microsoft time to appeal to the 2nd US Circuit Court of Appeals.
I wrote a post on that issue back then and described the pending decision as a Sword of Damocles hanging over all of the US Cloud Service Providers (CSPs). While that decision raised massive awareness in the press back then, the news that hit my desk a few days ago didn’t get much attention. In the so-called “search warrant case”, the 2nd US Circuit Court of Appeals ruled in favor of Microsoft, overturning an earlier ruling from a lower court.
The blog post Brad Smith, President and Chief Legal Officer at Microsoft, published is very well worth reading, particularly the part about the support Microsoft has experienced from other parties and the section that points out that legislation needs to be updated to reflect the world that exists today. The latter is currently on its way in the EU, with the upcoming EU GDPR, becoming effective in 2018.
From the perspective of US CSPs and their customers, the court decision is definitely good news. Despite the fact that it is “only” a court decision and updated legislation is still missing, it mitigates some of the risk that particularly EU, but also e.g. APAC, customers perceived when relying on US CSPs. This helps US CSPs with their business, by removing barriers to rapid cloud adoption. It helps customers, because the risk of data being requested by US governmental agencies while being held in non-US data centers is reduced significantly. So there is no longer a Sword of Damocles hanging there. Maybe it’s still a knife, so to speak, but the risk is far lower now.
What I definitely find interesting to observe is the rather low attention the good news received. But that’s not too surprising. Bad news always sells better than good news.
The decision, from my perspective, can have a significant impact on further speeding up the shift of customers from on-premise solutions to the cloud. Most are on their way anyway. Each risk that is mitigated eases customers’ decisions. Anyway, the next challenge to solve for US CSPs (and all other CSPs that do any business with the EU) will be to comply with EU GDPR. But there at least we have the legislation and do not rise or fall with court decisions.
IBM and the French Crédit Mutuel Arkéa recently announced the completion of a blockchain project that helps the bank verify customer identities and remain compliant with KYC (Know Your Customer) requirements.
In contrast to common, transaction-focused use cases for blockchain implementations, the focus in that case is on having a tamper-resistant, time-stamped ledger that supports the bank in identifying its 3.6 million customers. Banks, and even more so banks with a lot of branch offices, have a variety of systems for managing customer identities.
With the blockchain implementation based on IBM technology and the open-source Hyperledger project, the bank has realized a solution that federates information from various existing banking systems and delivers a (logically) centralized ledger that supports the consistency, traceability, and privacy requirements.
Blockchains are by nature ideal for such use cases, given that they create a tamper-resistant, time-stamped, and distributed ledger. In that implementation, a permissioned ledger is used, given that it is a bank-internal project that does not have to deal with the specific requirements of anonymous users and public use cases such as the Bitcoin blockchain.
The ledger provides all information about, e.g., all relevant identifying documents customers have signed with the bank. Thus, customers don’t need to re-sign when using other services or in different branch offices – plus the advantage that the bank has a single view of the customer, which is relevant from both a compliance and a customer service perspective.
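As an added toy illustration of why such a hash-chained, time-stamped ledger of document digests is tamper-evident and gives one view across branch offices, the following Python is example code written for this post; it is not Hyperledger and not the bank's implementation, and the customer ids, branch names and documents are constructed. Only a digest of each signed document is recorded, so the ledger proves existence and order without storing the document itself.

```python
"""Hash-chained, time-stamped ledger of KYC document digests (toy example)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional

GENESIS_HASH = "0" * 64


@dataclass(frozen=True)
class Entry:
    index: int
    timestamp: int          # constructed: seconds since the epoch
    customer_id: str        # constructed pseudonymous customer reference
    branch: str             # constructed originating branch office
    document_digest: str    # SHA-256 of the signed document, not the document
    prev_hash: str          # hash of the previous entry (chain link)
    entry_hash: str = ""    # hash over all other fields of this entry


def compute_hash(entry: Entry) -> str:
    """Canonical JSON over every field except the hash itself."""
    payload = {k: v for k, v in asdict(entry).items() if k != "entry_hash"}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, timestamp: int, customer_id: str, branch: str, document: bytes) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        draft = Entry(len(self.entries), timestamp, customer_id, branch,
                      hashlib.sha256(document).hexdigest(), prev)
        entry = Entry(**{**asdict(draft), "entry_hash": compute_hash(draft)})
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first broken entry, or None if the whole chain is intact."""
        expected_prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != expected_prev or compute_hash(e) != e.entry_hash:
                return e.index
            expected_prev = e.entry_hash
        return None

    def documents_for(self, customer_id: str) -> List[Entry]:
        """Single view across branches: everything one customer has signed."""
        return [e for e in self.entries if e.customer_id == customer_id]

    def has_signed(self, customer_id: str, document: bytes) -> bool:
        """Lets another branch skip a re-sign if the document is already on record."""
        digest = hashlib.sha256(document).hexdigest()
        return any(e.document_digest == digest for e in self.documents_for(customer_id))


def simulate_corruption(ledger: Ledger, index: int, rehash: bool = False, **changes) -> None:
    """Defender's self-test: alter a stored entry to confirm verify() catches it.
    With rehash=True the entry's own hash is fixed up, so only the chain link breaks."""
    old = ledger.entries[index]
    fields = {**asdict(old), **changes}
    draft = Entry(**{**fields, "entry_hash": ""})
    fields["entry_hash"] = compute_hash(draft) if rehash else old.entry_hash
    ledger.entries[index] = Entry(**fields)


def build_sample_ledger() -> Ledger:
    """Constructed sample: two branches record documents for two customers."""
    ledger = Ledger()
    ledger.append(1_600_000_000, "cust-0001", "branch-brest", b"ID-CARD-COPY v1")
    ledger.append(1_600_000_100, "cust-0002", "branch-rennes", b"PROOF-OF-ADDRESS")
    ledger.append(1_600_000_200, "cust-0001", "branch-rennes", b"AML-DECLARATION")
    return ledger
```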
The project has been implemented in a rather short time. From my perspective, it is a great example of the breadth of use cases blockchains can serve. Blockchain will increasingly become a standard infrastructure element, as relational databases are today. This is greatly demonstrated by that particular project. Crédit Mutuel Arkéa has further plans for expanding the capabilities, e.g. by providing verification services to 3rd parties.
I strongly recommend analyzing the potential of blockchains for your business. There are many interesting use cases in virtually every industry. Blockchains will not solve everything, and it needs a thorough understanding of blockchain technology to identify the right blockchain type with the appropriate consensus model, depending on use cases and specific requirements. But clearly, there are far more use cases for blockchains than just cryptocurrency and smart contracts. Start analyzing the business potential of blockchains now. There is plenty of KuppingerCole research available, with a number of new reports to be published within the next few days – and you also can rely on KuppingerCole advisory services when starting to look at blockchains.
Know and Serve Your Customer: Why KYC is not enough
Today’s connected businesses need to communicate, collaborate and interact with their customers in a way that’s more flexible than ever before. Knowing and, based on that knowledge, optimally serving the customer is key to success in the digital transformation.
Customer-facing IAM needed
With the accelerating digital transformation, we delve deeper into the subject of customer identity management than ever before. Several external drivers change economic partnerships, such as a different competitive landscape, ever-changing regulation and, at the same time, an increasing number of cyber-attacks. There are also internal drivers such as the need for more agile, innovative and flexible organizations. Both internal and external drivers are encompassed in overarching core topics like smart manufacturing, the Internet of Things (IoT) and Know Your Customer (KYC). To be successful in digital transformation we need to change the way we interact with our customers. For this we need to deploy a range of key enabling technologies, e.g. identity relationship management, security and privacy, big data, right up to blockchain and distributed ledgers.
In order to gain a competitive advantage, we also have to improve our customer relationships and the way we handle data. We need to be able to deal with customers and their identities better than ever before. In the age of the cloud, advantages can no longer be gained simply through better IT and lower costs. The cloud delivers equal services to everyone at an affordable price.
What’s needed is a customer-facing IAM (Identity & Access Management). While companies traditionally only looked at employees and some external business partners in their IAM deployments, with a focus on administrative efficiency and compliance, in recent times federation and the management of partners became more and more important as a B2B element. Now, finally, the customers play a role as well. And they should, obviously, given that the customer is where the money comes from. There are also, e.g., ecommerce processes that have to be supported. In the future, we need to bring all resources into focus. How can we, for instance, serve the customer better and more safely in the cloud? How can we deal with the customer amid ever-changing business partnerships and in new business models?
Besides cloud services and the access to them, we also need to manage mobile devices such as computers, tablets, smartphones and wearables as well as logins to social networks and, last but definitely not least, IoT and operational technologies (OT) in manufacturing environments. We also need ways to protect the ownership of customer data. This requires the further development and perfection of identity relationship management (IRM), as one important element. In a sense this is the advancement of IAM in the digital context. How can I still steer and control access in this much more complex world?
Holistic look at identity
Identity Relationship Management (IRM) means having a single identity model across different identities: employees, customers, partners, but also services, things and devices. It needs to be scalable internet-wide, not only at an enterprise dimension. Most companies have many more customers than employees. Customers often use a number of different devices. This means different orders of magnitude and thus different performance and scalability requirements. The people responsible for CRM (Customer Relationship Management) need to see their system in the context of IAM, since it is the biggest identity store in most companies. It provides a whole customer history. This is actually a point I already wrote about ten years ago. Other IAM sources are, for instance, ERP, Finance (credit history) and Governance. We need to add and understand context information, social logins and access paths. What is really happening there? What does the customer look like and how can he get access? Is he at the same time an employee of the company? Are there any conflicts arising out of this, e.g. when employees manage their own customer data sets?
Instead of information silos, a cross-system approach for IAM is necessary, along with an improved customer experience, faster time to market and context-sensitive, adaptive security measures. If someone wants to get access via a relatively weak social login, a different risk evaluation is needed than if she or he gets authorization via a registered account or an ID card. We need to understand the respective risk and context and adapt our evaluations accordingly. The more information we have, the more precise each risk evaluation will be.
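The adaptive evaluation described here, together with the fallback question raised in the password post above (what happens when the presented authenticators are not enough proof for the risk), as an added toy illustration written for this page rather than any vendor's engine: authenticators carry constructed assurance weights, the transaction type and context signals set the bar, and the engine allows, asks for a step-up (which may well be the password), or denies.

```python
"""Risk-based (adaptive) authentication decision: toy policy engine."""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed assurance weights (illustrative, not any standard's levels).
AUTHENTICATOR_ASSURANCE = {
    "social_login": 1,   # weak: identity asserted by a third party
    "device_id": 1,      # weak possession signal
    "password": 2,       # knowledge factor, often reused across services
    "otp": 3,            # one-time password, possession factor
    "fido": 4,           # strong, phishing-resistant authenticator
    "id_card": 4,        # verified government ID
}

# Constructed base assurance required per transaction type.
TRANSACTION_REQUIREMENT = {
    "read_profile": 2,
    "change_address": 4,
    "transfer_funds": 6,
}


@dataclass
class Context:
    new_device: bool = False
    unusual_location: bool = False


@dataclass
class Decision:
    action: str                  # "allow", "step_up" or "deny"
    achieved: int                # assurance reached by the presented authenticators
    required: int                # assurance the transaction and context demand
    step_up_options: List[str] = field(default_factory=list)


def required_assurance(transaction: str, ctx: Context) -> int:
    """Base requirement of the transaction plus one level per risky context signal."""
    return TRANSACTION_REQUIREMENT[transaction] + int(ctx.new_device) + int(ctx.unusual_location)


def evaluate(authenticators: Iterable[str], transaction: str,
             ctx: Optional[Context] = None) -> Decision:
    """Combine the presented authenticators and decide allow / step_up / deny."""
    ctx = ctx or Context()
    # Distinct authenticators only: presenting the same factor twice adds no assurance.
    presented = set(authenticators)
    achieved = sum(AUTHENTICATOR_ASSURANCE[a] for a in presented)
    required = required_assurance(transaction, ctx)
    if achieved >= required:
        return Decision("allow", achieved, required)
    # Step-up candidates: any authenticator not yet used that closes the gap by itself.
    gap = required - achieved
    options = sorted(a for a, w in AUTHENTICATOR_ASSURANCE.items()
                     if a not in presented and w >= gap)
    if options:
        return Decision("step_up", achieved, required, options)
    # Nothing left that is strong enough: deny rather than silently lower the bar.
    return Decision("deny", achieved, required)
```

Note that for a small gap the password shows up among the step-up options, which is exactly the fallback the password post predicts.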
Daily breaches show that passwords are not enough anymore, especially not the same across various services. However, access has to remain user friendly to be accepted by customers. One useful additional security feature could be, for example, adaptive push authentication and notification. A new KuppingerCole Webinar provides more information about this method (in German).
KYC goes beyond CIAM
How can you know and optimally serve your customer during the whole lifecycle? Important elements here are customer self-service and the integration of customer data. KYC (Know Your Customer) goes even further than CIAM (Customer Identity & Access Management). It encompasses Customer Tracking & Marketing Automation as well as Analytics (Big Data) and Privacy & Information Protection. The customer needs to give his consent to what is done with his data and for which purposes it may be used. He must be able to withdraw this consent at any time. This brings the concept of Life Management Platforms closer to reality than ever before.
KYC can best be seen as the intersection between CRM (and Marketing automation), IAM and Privacy, i.e. the marketing view of the customer, the technical or identity view of the customer and the (not only) legal perspective. Active interaction plays an important role here as well as governance. The question is: Who in the company may do what in which form with the customer? Drivers of this development are compliance topics such as anti-money laundering (AML). Technologies such as IRM are really helpful in this context to understand how different identities are connected to each other.
The term KYC is also not really accurate, since it is not only about knowing the customer, but also about optimally serving him. Thus I’d prefer the term KSYC, Know & Serve Your Customer, an appropriate evolutionary step in doing CRM. If enterprises in addition finally start looking at their employees as a special kind of customer, who are granted access to more applications than others, it will improve enterprise IAM as well, bring different business divisions smoothly under one roof and help get rid of unnecessary discussions about special applications for the management of consumer identities.
Martin Kuppinger talks about CIAM and explains what Customer IAM means.