According to the Ponemon Institute - cyber incidents that take over 30 days to contain cost $1m more than those contained within 30 days. However, less than 25% of organizations surveyed globally say that their organization has a coordinated incident response plan in place. In the UK, only 13% of businesses have an incident management process in place according to a government report. This appears to show a shocking lack of preparedness since it is when not if your organization will be the target of a cyber-attack.
Last week on January 24th I attended a demonstration of IBM’s new C-TOC (Cyber Tactical Operations Centre) in London. The C-TOC is an incident response centre housed in an 18-wheel truck. It can be deployed in a wide range of environments, with self-sustaining power, an on-board data centre and cellular communications to provide a sterile environment for cyber incident response. It is designed to provide companies with immersion training in high pressure cyber-attack simulations to help them to prepare for and to improve their response to these kinds of incidents.
The key to managing incidents is preparation. There are 3 phases to a cyber incident, these are the events that led up to the incident, the incident itself and what happens after the incident. Prior to the incident the victim may have missed opportunities to prevent it. When the incident occurs, the victim needs to detect what is happening, to manage and contain its effects. After the incident the victim needs to respond in a way that not only manages the cyber related aspects but also deals with potential customer issues as well as reputational damage.
Prevention is always better than cure, so it is important to continuously improve you organization’s security posture, but you still need to be prepared to deal with an incident when it occurs.
The so-called Y2K (Millenium) bug is an example of an incident that was so well managed some people believe it was a myth. In fact, I like many other IT professionals, spent the turn of the century in a bunker ready to help any organization experiencing this problem. However, I am glad to say that the biggest problem that I met was when I returned to my hotel the next morning, I had to climb six flights of stairs because the lifts had been disabled as a precaution. There were many pieces of software that contained the error and it was only through the recognition of the problem, rigorous preparation to remove the bug as well as planning to deal with it where it arose that major problems were averted.
In the IBM C-TOC I participated in cyber response challenge involving a fictitious international financial services organization called “Bane and Ox”. This organization has a cyber security team and so called “Fusion Centre” to manage cyber security incident response. This exercise started with an HR Onboarding briefing welcoming me into the team.
We then were then taken through an unfolding cyber incident and asked to respond to the events as they occurred with phone calls from the press, attempts to steal money via emails exploiting the situation, a ransom demand, physical danger to employees, customers claiming that their money is being stolen, a data leak and an attack on the bank’s ATMs. I then underwent a TV interview about the bank’s response to the event with hostile questioning by the news reporter, not a pleasant experience!
According to IBM, organizations need a clear statement of the “Commander’s Intent”. This is needed to ensure that everyone works together towards a common goal that everyone can understand when under pressure and making difficult decisions. IBM gave the example that the D Day Commander’s Intent statement was “Take the beach”.
The next priority is to collect information. “The first call is the most important”. Whether it is from the press, a customer or an employee. You need to get the details, check the details and determine the credibility of the source.
You then need to implement a process to resolve where the problems lie and to take corrective action as well as to inform regulators and other people as necessary. This is not easy unless you have planned and prepared in advance. Everyone needs to know what they must do, and management cover is essential to ensure that resources and budget are available as needed. It may also be necessary to enable deviation from normal business processes.
Given the previously mentioned statistics on organizational preparedness for cyber incidents, many organizations need to take urgent action. The preparation needed involves the many parts of the organization not just IT, it must be supported at the board level and involve senior management. Sometimes the response will require faster decision making with the ability to bypass normal processes - only senior management can ensure that this is possible. An effective response need planning, preparation and above all practice.
- Obtain board level sponsorship for your incident response approach;
- Identify the team of people / roles that must be involved in responding to an incident;
- Ensure that it is clear what constitutes an incident and who can invoke the response plan;
- Make sure that you can contact the people involved when you need to;
- You will need external help – set up the agreement for this before you need it;
- Planning, preparation and practice can avoid pain and prosecution;
- Practice, practice and practice again.
KuppingerCole Advisory Note: GRC Reference Architecture – 72582 provides some advice on this area.
This week I had an opportunity to visit the city of Tel Aviv, Israel to attend one of the Microsoft Ignite | The Tour events the company is organizing to bring the latest information about their new products and technologies closer to IT professionals around the world. Granted, the Tour includes other cities closer to home as well, but the one in Tel Aviv was supposed to have an especially strong focus on security and the weather in January is so warm, so here I was!
I do have to confess however that the first day was somewhat boring– although I could imagine that around 2000 visitors were enjoying the show, for me as an analyst most of the information presented in sessions wasn’t really that new. But on the second day, we have visited the Microsoft Israel Development Center in nearby Herzliya and had a chance to talk directly to people leading the development of some of the most interesting products from Microsoft’s security portfolio.
At this moment some readers would probably ask me: wait a minute, are you suggesting that Microsoft is really a security vendor, let alone the best one? Well, that’s where it starts getting interesting! In one of the sessions, the speaker made a strong point for the notion of “good enough security”, explaining that most end-user companies do not really need the best of breed security products, because they’ll eventually end up with a massive number of disjointed tools that need to be managed separately.
Not only does it further increase the complexity of your corporate IT infrastructure that is already complex enough without security; these disconnected tools fail to deliver a unified view into everything happening within it and thus are unable to detect the most advanced cyber threats. Instead, he argued, a perfectly integrated solution covering multiple areas of cybersecurity would be more beneficial for most, even if it’s not the best of breed in individual areas. And who was the best opportunity to offer such an integrated solution? Well, Microsoft of course, given their leading positions in several key markets like on endpoints with Windows, in the cloud with Azure and, of course, in the workplace with Office 365.
Now, I’m not sure I like the term “good enough security” and I definitely do not believe that market domination in one area automatically translates into better opportunities in others, but there is actually a grain of truth behind this bold claim. First of all, being present on so many endpoints, cloud computers, mail servers, and other connected systems, Microsoft is able to collect vast amounts of telemetry data that end up in their Intelligent Security Graph – a single database of security events that can provide security insights and threat intelligence.
Second, even though many people still do not realize it, Microsoft has been a proper security vendor for quite some time already. Even though the company was a late starter in many areas, they are quickly closing the gaps in areas like Endpoint Protection or Cloud Security and in others, like Information Protection, they are already ahead of competitors. In recent years, the company has acquired a number of security startups, primarily here in Israel, and making these new products work together seamlessly has been one of their top priorities. This will certainly not happen overnight but talking to the actual developers gave me a strong impression of their motivation and commitment.
Now, Microsoft has an interesting history of working hard for years to win a completely new market, with impressive successes (like Azure or Xbox) and spectacular failures (remember Windows Mobile?). It seems also that technology excellence plays less of a role here than quality marketing. Unfortunately, this is where the company is still falling short – for example, how many potential customers are even considering Windows Defender Advanced Threat Protection for a shortlist of EDR solutions? Do they even know that Windows Defender is a full-featured EPP/EDR solution and not just a basic antivirus it used to be?
It seems to me that the company is still exploring their marketing strategy, judging by the number of new product names and licensing changes I’ve seen during the last year. We’re down to 4 product lines now, but I really wish they’d choose one name and stick to it. In the end, do I think that Microsoft is the best security vendor of them all? Of course not, they still have a very long way to go towards that, and there is no such thing as the single “best” security vendor anyway. But they are definitely already beyond the “good enough” stage.
Last week I attended the Oracle Open World Europe 2019 in London. At this event Andrew Sutherland VP of technology told us that security was one of the main reasons why customers were choosing the Oracle autonomous database. This is interesting for two reasons firstly it shows that security is now top of mind amongst the buyers of IT systems and secondly that buyers have more faith in technology than their own efforts.
The first of these reasons is not surprising. The number of large data breaches disclosed by organizations continues to grow and enterprise databases contain the most valuable data. The emerging laws mandating data breach disclosure, such as GDPR, have made it more difficult for organizations to withhold information when they are breached. Being in a position of responsibility when your organization suffers a data breach is not a career enhancing event.
The second reason takes me back to the 1980s when I was working in the Knowledge Engineering Group in ICL. This group was working as part of the UK Government sponsored Alvey Programme which was created in response to the Japanese report on 5th generation computing. This programme had a focus on Intelligent Knowledge Based Systems (IKBS) and Artificial Intelligence (AI). One of the most successful products from this group was VCMS a performance advisor for the ICL mainframe. This was commercially very successful with a large uptake in the VME customer base. However, one interesting observation was that it boosted customers to upgrade their mainframes. It became apparent that the buyers of these systems were more ready to accept the advice from VCMS than from the customer service representatives.
From an AI point of view managing computer systems is relatively easy. This is because computer systems are deterministic, and their behaviour can be described using rules. These rules may be complex and there may be a wide range of circumstances that need to be considered. However, given the volume of metered data available and the rules an AI system can usually make a good job of optimizing performance. Computer systems manufacturers also have the knowledge needed.
That is not to diminish the remarkable achievements by Oracle to make their database systems autonomous. Mark Hurd, CEO of Oracle (who had to present via a satellite link because he had been unable to renew his passport because of the US government shutdown) described how the Net Suite team had spent 15 years creating 9,000 specialized table indexes for performance. The autonomous database created 6,000 indexes in a short time, and which improved performance by 7%.
Oracle’s strategy for AI extends beyond the autonomous database. Melissa Boxer, VP Fusion Adaptive Intelligence, described how Oracle Adaptive Intelligent Apps (Oracle AI Apps) provide a suite of prebuilt AI and data-driven across Customer Experience (CX), Human Capital Management (HCM), Enterprise Resource Planning (ERP), and Manufacturing. These use a shared data model to provide Adaptive Intelligence and Machine Learning across all the different pillars. They include a personalized user experience OAUX and intelligent chat bots.
So, to return to the original question – can Autonomous Systems (as defined by Oracle) improve security posture? In my opinion the answer is both yes and no. The benefits of autonomous systems are that they can automatically incorporate patches and implement best practice configuration. Since many data breaches stem from these areas this is a good thing. They can also automatically tune themselves to optimize performance for an individual customer’s workload and, since they discover what is normal, they can potentially identify abnormal activity.
The challenge is that AI technology is not yet able to defend against adversarial activity. Machine Learning is only as good as its training and, at the current state of the art, it is does not provide good explanations for the conclusions reached. This means that sometimes, the learnt behavior contains flaws that can be exploited by a malicious agent to trick the system into the wrong conclusions. Given that cyber crime is an arms race and we must assume that the cyber adversaries are working with the same technology we must assume that this will be deployed against us as well as for us.
For security – AI can help to avoid the simple mistakes – to defend against a concerted attack still needs a human in the loop.
2019 started off with a very noteworthy acquisition in the identity and security space: the purchase of Janrain by Akamai. Janrain is a top vendor in the Consumer Identity market, as recognized in our recent Leadership Compass: https://www.kuppingercole.com/report/lc79059. Portland, OR-based Janrain provides strong CIAM functionality delivered as SaaS for a large number of Global 2000 clients. Boston-based Akamai has a long history of providing web acceleration and content delivery services. Last year, they entered into a partnership whereby Akamai provided network layer protection for Janrain assets.
Akamai has lately been focusing on increasing its market share of web security services in order to grow revenue. This acquisition will add identity layer functionality and increase visibility for the infrastructure company.
New account fraud and account takeover fraud are two of the chief concerns that companies in many industries, particularly finance and retail, must guard against. Bot management has been one of Akamai’s fastest growing services. The further integration of Akamai’s threat intelligence capabilities with Janrain’s CIAM solution has the potential to enhance consumer security for their clients.
As with all such acquisitions, there are two major possible routes their combined service roadmap can take:
- Integrate Janrain's CIAM functionality into Akamai services in a purely supportive way, or
- Integrate Janrain's CIAM functionality into Akamai services while continuing to promote and sell the CIAM services as a standalone solution
In many cases, purchasers in the IT business take the first option. The second option is more difficult to execute, but often offers a better long-term investment for both the purchaser and their clients. Akamai has a defined, well thought-out plan to pursue option 2, to extend the Janrain solution and continue to market it as a CIAM SaaS branded under Akamai.
Given the size of the CIAM market, KuppingerCole expects to see additional M&A activity as well new entrants in this space in the next 12-18 months. Keep up to date with the latest developments and research in cybersecurity and identity management by watching our blog: https://www.kuppingercole.com/blog.
It wasn't too long ago that discussions and meetings on the subject of digitization and consumer identity access management (CIAM) in an international environment became more and more controversial when it came to privacy and the personal rights of customers, employees and users. Back then the regulations and legal requirements in Europe were difficult to communicate, and especially the former German data protection law has always been belittled as exaggerated or unrealistic.
However, in the past three years, during which I have given many talks, workshops and advisory sessions on the subject of the European General Data Protection Regulation (EU-GDPR), perception has shifted. Many companies, especially large ones, have adopted the concepts of privacy, data security and data protection and have embraced the principles behind them.
Of course, this is especially true for European and German companies, as the implementation phase of the GDPR is finally over since the end of May 2018 and the GDPR and its obligations are fully effective and enforceable. This also includes the applicability to all companies processing data of European citizens. Thus, this important milestone of data protection regulation has had considerable effects on international enterprises as well, in particular on large US companies.
I myself, as a consumer, an online services user and a customer, have in the meantime perceived the first positive changes toward a new appreciation of trust and respect as the basis of a customer-supplier relationship (instead of “Hands up, give me all your personal data” as before). That went hand-in-hand with the desire and the expectation that the GDPR as a precedent could also act as a role model.
This is exactly what's happening right now. The first important example is the California Consumer Privacy Act (CCPA). The CCPA was passed at the end of June 2018 and will come into force on January 1, 2020, with actual implementation scheduled to begin sometime between January 1, 2020 and July 1, 2020.
CCPA is surely no 1:1 copy of the GDPR, for it it is considerably slimmer, a little more readable, leaves out some central demands of the GDPR and surely benefits from the experiences that have already been made elsewhere.
One thing is obvious: This puts companies in California and the US in a situation comparable to that in which EU companies were at the beginning of the implementation period, May 25, 2015. Those who have already adjusted their business to accommodate the GDPR probably might be better off, because they only have to deal with the differences between the requirements of GDPR and CCPA. Those enterprises, to which the GDPR was perhaps too "far away", must deal now with the requirements of their national legislation and initiate profound changes in their systems, processes and their organization...
If CCPA is relevant for you, right now is exactly the right time to embark on this journey.
Beware, this is where the promotional section of this blog post kicks in: Wouldn't it be good if you were able to draw on the experience of an international analyst company with extensive experience in this area? With a local team in the US that has international experience in handling personally identifiable information (PII) from customers, consumers, employees and citizens? That has been incorporating privacy, security and trust into the design of complex (C)IAM systems for years? Do you want to be prepared for the implementation of the CCPA? Do you want to meet the GDPR and CCPA requirements in equal measure and define a strategic path for implementation? Then get in touch with us to have a first chat with our US team.
2018 was a year of sweeping changes in Consumer Identity Management products and services. CIAM continues to be a fast-growing market. Research indicates that about half of all CIAM deals are still originating outside the tent of the CISO and IAM support organizations. More vendors entered the market and there were some noteworthy acquisitions. Lastly, many innovative improvements occurred across most all solutions, due in part to GDPR.
What is driving CIAM growth? Businesses are realizing that efficient and effective digital identity solutions lead to more consumer engagement and a better consumer experience, which in turn generates additional revenue. CIAM deployments will continue to outpace IAM deployments in 2019.
GDPR took effect on May 25th this year. The response by CIAM vendors in the run-up to GDPR was mixed. Some were proactive, seeing it as a competitive advantage. Others played catch-up. However, by the end of 2018, most vendors offer consent management features that can allow industrious customers to comply with GDPR in terms of consent collection, data export, and data deletion. There is still a wide variety in the approaches taken, and some CIAM services are more advanced and easier to administer in this regard. Meanwhile, the world waits to see if and how GDPR will be enforced.
Consumer identities are a top target for cyber criminals. Consumers are phished for their credentials. Banking trojans are a leading form of malware. Account takeover fraud is growing and is eating into bank profits. Fraud of all types is a growing concern, and not just for the financial sector. Customer loyalty programs (one of the many drivers for deploying CIAM) are increasingly under attack. The recent Marriott/Starwood breach netted 500M accounts for the perpetrators. Airlines’ frequent flyer programs are also regularly stolen. In short, any online asset that is convertible to cash or cryptocurrency is a target. Fortunately, some CIAM vendors put an emphasis on fraud risk reduction by including user behavioral analytics and by real-time processing of compromised credential and other threat intelligence sources. The need to reduce fraud spurred innovation in CIAM in 2018. Biometrics, mobile apps/SDKs, and risk adaptive authentication are “must have” functions within CIAM solutions for 2019.
The need to associate IoT device identities with consumer identities is an expanding and evolving use case within CIAM. Not enough has been standardized in this field, so there is a lot of variation in IoT device identity support still. Look for additional growth and perhaps standardization in the years ahead.
From a market perspective, the year started out with a major acquisition of Gigya by SAP. As an independent company, Gigya was a leader in CIAM. The acquisition was beneficial for SAP, which was missing a fully functional CIAM capability. SAP, now powered by a rapidly-integrated Gigya, has become a major player in the consumer identity market. Later in the year Exostar acquired Pirean. This transaction will give Exostar, a secure business collaboration service provider, stronger IAM and CIAM features. The move also serves to increase the reach of both companies. More companies entered the CIAM market as well, and gained prominence in the field. No doubt there will be more acquisitions and entrants in 2019. For the latest information on this market, including technical details on how the solutions differ, see our just-published Leadership Compass.
Usually, when we talk about special compliance and legal requirements in highly regulated industries, usually one immediately thinks of companies in the financial services sector, i.e. banks and insurance companies. This is obvious and certainly correct because these companies form the commercial basis of all economic activities.
Although regulations and their obligations are often formulated on a relatively abstract level, they must be adapted over time to the changing business and technical circumstances. Sometimes they need to be made more concise, more actionable and more specific, to improve their effectiveness. The BaFin (the German Federal Financial Supervisory Authority or "Bundesanstalt für Finanzdienstleistungsaufsicht) as the regulator for the financial services businesses in Germany has recently updated and extended its set of requirements documents. The "Supervisory Requirements for IT in Financial Institutions” (“Bankaufsichtliche Anforderungen an die IT - BAIT" in 2017 detailed the IT-related requirements of §25 KWG (the German Banking Act =„Kreditwirtschaftsgesetz“) and MaRisk ("Minimum requirements for risk management"=”Mindestanforderungen an das Risikomanagement") for the banking sector. An updated version of the BAIT has been subsequently supplemented by specific requirements for critical infrastructures (KRITIS) in this essential sector.
Quite recently as a second step, the BaFin has provided comparable specific requirements for the insurance industry by publishing the "Versicherungsaufsichtliche Anforderungen an die IT" (VAIT) ("Supervisory Requirements for IT in Insurance Undertakings". Both BAIT and VAIT describe what BaFin considers to be the appropriate technical and organizational resources for IT systems. Ultimately these requirements are also used as the benchmarks for audits.
Let’s look at VAIT as an example. Eight focus areas require appropriate consideration and the involvement of suitable stakeholders and experts: Specific guidelines for IT strategy and IT governance define minimum requirements for guidance and implementation in these areas within the organization’s structure and processes. The concept of information risks and their management is integrated into the overall corporate/business risk management. Information security is strengthened by the demand for a widely independent information security officer. With the demand for a uniform authorization management, access management and governance are moving even more into the focus of the auditors. The focus is also on IT projects in addition to traditional IT operations. Application development must now move towards "security by design", to meet the requirements. Outsourcing, the use of third-party services as well as the cloud services that are gradually becoming more relevant are considered part of the "IT services" focus area. Speaking from real life experience: improvements in identity and access management, privileged account management and access governance have proven to be successful controls to implement BAIT and VAIT requirements effectively and measurably. In turn, BAIT and VAIT can provide an excellent justification for finally implementing the improvements to IAM/IAG that have long been needed.
So, the obvious question is who should care about these German regulations for financial services? If you are an insurance company or a bank with a subsidiary in Germany, there is no question about that. Banks and insurance companies face substantial challenges to implement these very concrete requirements into business practice without delay. They must be implemented appropriately, transparently and in a well-documented way by the companies within their scope. (Talk to us, we can help you.)
But what if your organization is not directly in the scope of these regulations? Why not consider them as a benchmark that could help you to increase your organizational maturity. Both BAIT and VAIT are freely available published in English on the Internet. They provide all organizations, even those outside of the financial sector and outside of Germany, with a set of well-elaborated requirements for trustworthy IT. You can use these as a challenge against which to judge the quality of your own overall security and compliance. Going beyond the regulatory requirements as a way to improve your own policies, organization and processes.
And yes, talk to us, we can help you.
What AI is and what not
Where to put your focus on in 2019
Where to put your focus on in 2019
Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year
Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.
AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]