Blog posts by Matthias Reinwarth

Stell Dir vor, es ist KRITIS und keiner geht hin

Kritische Infrastrukturen (KRITIS) sind Organisationen oder Einrichtungen mit wichtiger Bedeutung für das staatliche Gemeinwesen, bei deren Ausfall oder Beeinträchtigung nachhaltig wirkende Versorgungsengpässe, erhebliche Störungen der öffentlichen Sicherheit oder andere dramatische Folgen eintreten würden“.

Neun Sektoren und 29 Branchen gelten derzeit als kritische Infrastrukturen, darunter die Gesundheitsversorgung, Energieversorgung, der Verkehr und Finanzdienstleistungen. Krankenhäuser als Teil des Gesundheitswesens fallen bei Erfüllung definierter Kriterien ebenfalls in die Kategorie „kritische Infrastrukturen“.

Für Krankenhäuser haben sich die Umsetzungshinweise der Deutschen Krankenhausgesellschaft (DKG) als maßgeblich erwiesen. Als Bemessungskriterium wurde hierbei die Anzahl vollstationärer Krankenhausbehandlungen im Bezugszeitraum (Vorjahr) definiert. Mit einer Anzahl von 30.000 vollstationären Behandlungsfällen ist der Schwellenwert zur Identifikation kritischer Infrastrukturen erreicht, was deutlich mehr als 100 Krankenhäuser betrifft, Diese werden zur Erfüllung klar definierter Anforderungen verpflichtet, die aus dem das IT-SiG - "Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz)" - zur Sicherung von IT-Systemen und digitalen Infrastrukturen, einschließlich kritischer Infrastrukturen in Deutschland, und der BSI-KritisV  - "BSI-Kritisverordnung" abgeleitet sind. Die genannten Umsetzungshinweise der DKG definieren damit dann auch vorgeschlagene Maßnahmen für den Nachweis einer angemessenen Sicherheit, insbesondere mit Blick auf die eingesetzten IT.

Der 30. Juni dieses Jahres stellte die definierte Deadline für die betroffenen Unternehmen dar, die Anforderungen zu erfüllen und einen geeigneten, vertrauenswürdigen Dritten zur Prüfung und Testierung zu beauftragen.

Einem Bericht des Tagesspiegel Background zufolge liegt genau hier derzeit eine Herausforderung: Branchenverbände weisen seit längerem darauf hin, dass es nicht genügend geeignete prüfende Stellen gibt. Das liegt nicht zuletzt daran, dass Auditoren eine doppelte Qualifikation vorweisen müssen, die neben der IT auch die Kenntnis der Branche, hier also des Gesundheitswesens im Krankenhaus umfasst. Hier, wie in vielen anderen Bereichen, schlägt der berüchtigte Skill-Gap zu, also der Mangel an geeigneten, qualifizierten Mitarbeitern in den Unternehmen oder am Arbeitsmarkt.

Dies führte zu einer Überlastung der zur Prüfung befähigten Unternehmen und damit einer unterschiedlichen Güte und Verfügbarkeit der Prüfungen und der resultierenden Prüfberichte. Das gleiche Schicksal erleiden die Testate dem Pressebericht zufolge bei Einreichung beim BSI, das diese Berichte auswertet. Auch hier führt ein Fachkräftemangel zu einem Bearbeitungsstau. Eine Auswertung lag zum Veröffentlichungszeitpunkt nicht vor. Selbst die Umsetzungshinweise der Deutschen Krankenhausgesellschaft, auf deren Basis viele Umsetzungen in den betroffenen Häusern erfolgten, ist vom BSI noch nicht bestätigt.

Reiht sich damit KRITIS zumindest in diesem Bereich in die Liste der zahnlosen, weil nicht angemessen umgesetzten Richtlinien (wie etwa PSD2 mit seiner Vielzahl nationaler Individualregelungen) ein? Aus heutiger Sicht kann das wohl verneint werden. Die Verpflichtung zur Einhaltung ist nicht aufgehoben, der Personal- und Skillmangel am Arbeitsmarkt verhindert lediglich die konsequente, umfassende Prüfung durch geeignete Stellen wie TÜV, Dekra oder spezialisierte Wirtschaftsprüfungsgesellschaften. Findet eine solche aber statt, werden die notwendigen Richtlinien angelegt und deren Nichterfüllung entsprechend der Prüfberichte auch nachverfolgt. Betroffenen Krankenhäuser ist damit nahegelegt, die Anforderungen schon zum Stichtag erfüllt zu haben und im Sinne einer kontinuierlichen Umsetzung und Verbesserung daran auch weiterhin zu arbeiten.

Auch Krankenhäuser, die heute diesen Schwellwert knapp nicht erreichen, sind heute schon aus Vernunftgründen angehalten, sich auf Anpassungen der Anforderungen oder steigende Patientenzahlen vorzubereiten. Und das bedeutet, auch ohne Notwendigkeit eines formalen Testats schon die sinnvollen Rahmenbedingungen, etwa den Aufbau eines Informationssicherheits Management Systems (ISMS) nach ISO 27.001 als Grundlage zu schaffen.

Darüber hinaus gibt die Verfügbarkeit eines allgemeinen Rahmens für die Verfügbarkeit und Sicherheit der IT in dieser und anderen Branchen weiteren Branchenteilnehmern (etwa Gemeinschaftspraxen oder fachlich spezialisierte Institute) eine belastbare Basis, angemessene Rahmenbedingungen zu schaffen, die einem aktuellen Stand der Anforderungen und der Technik entsprechen. Das gilt auch, wenn sie absehbar nicht KRITIS-relevant sind oder werden, aber ihren Patienten einen vergleichbar guten Sicherheitsstandard und die daraus resultierende Vertrauenswürdigkeit bieten wollen.

KuppingerCole bietet umfangreiche Unterstützung in Form von Research und Advisory für Unternehmen in allen KRITIS-relevanten Bereichen und darüber hinaus. Reden Sie mit uns, um Ihren Herausforderungen in den Bereichen Cybersecurity, Zugriffskontrolle und Compliance angemessen zu begegnen.

Cognitive! - Entering a New Era of Business Models Between Converging Technologies and Data

Digitalization or more precisely the "digital transformation" has led us to the "digital enterprise". It strives to deliver on its promise to leverage previously unused data and the information it contains for the benefit of the enterprise and its business. And although these two terms can certainly be described as buzzwords, they have found their way into our way of thinking and into all kinds of publications, so that they will probably continue to exist in the future. 

Thought leaders, analysts, software and service providers and finally practically everyone in between have been proclaiming the "cognitive enterprise" for several months now. This concept - and the mindset associated with it - promises to use the information of the already digital company to achieve productivity, profitability and high innovation for the company.  And they aim at creating and evolving next-generation business models between converging technologies and data.​  

So what is special about this cognitive enterprise“? Defining it usually starts with the idea of applying cognitive concepts and technologies to data in practically all relevant areas of a corporation. Data includes: Open data, public data, subscribed data, enterprise-proprietary data, pre-processed data, structured and unstructured data or simply Big Data). And the technologies involved include the likes of Artificial Intelligence (AI), more specifically Machine Learning (ML), Blockchain, Virtual Reality (VR), Augmented Reality (AR), the Internet of Things (IoT), ubiquitous communication with 5G, and individualized 3D printing​.  

As of now, mainly concepts from AI and machine learning are grouped together as "cognitive", although a uniform understanding of the underlying concepts is often still lacking. They have already proven to do the “heavy lifting” either on behalf of humans, or autonomously. They increasingly understand, they reason, and they interact, e.g. by engaging in meaningful conversations and thus delivering genuine value without human intervention. 

Automation, analytics and decision-making, customer support and communication are key target areas, because many tasks in today’s organizations are in fact repetitive, time-consuming, dull and inefficient. Focus (ideally) lies on relieving and empowering the workforce, when the task can be executed by e.g. bots or through Robotic Process Automation. Every organization is supposed to agree that their staff is better than bots and can perform tasks much more meaningful. So, these measures are intended to benefit both the employee and the company. 

But this is only the starting point. A cognitive enterprise will be interactive in many ways, not only by interacting with its customers, but also with other systems, processes, devices, cloud services and peer organizations. As one result it will be adaptive, as it is designed to be learning from data, even in an unattended manner. The key goal is to foster agility and continuous innovation through cognitive technologies by embracing and institutionalizing a culture that perpetually changes the way an organization works and creates value.  

Beyond the fact that journalists, marketing departments and even analysts tend to outdo each other in the creation and propagation of hype terms, where exactly is the difference between a cognitive and a digital enterprise?  Do we need yet another term, notably for the use of machine learning as an apparently digital technology?  

I don't think so. We are witnessing the evolution, advancement, and ultimately the application of exactly these very digital technologies that lay the foundation of a comprehensive digital transformation. However, the added value of the label "cognitive" is negligible.   

But regardless of how you, me or the buzzword industry really decide to call it in the end, much more relevant are the implications and challenges of this consistent implementation of digital transformation. In my opinion two aspects must not be underestimated: 

First, this transformation is either approached in its entirety, or it is better not to do it at all, there is nothing in between. If you start doing this, it's not enough to quickly look for a few candidates for a bit of Robot Process Automation. There will be no successful, "slightly cognitive” companies. This will be a waste of the actual potential of a comprehensive redesign of corporate processes and is worth little more than a placebo. Rather, it is necessary to model internal knowledge, to gain and to interconnect data.  Jobs and tasks will change, become obsolete and will be replaced by new and more demanding ones (otherwise they could be executed by a bot again). 

Second: The importance of managing constant organizational change and restructuring is often overlooked. After all, the transformation to a Digital/Cognitive Enterprise is by far not entirely about AI, Robotic Process Automation or technology. Rather, focus has to be put on the individual as well, i.e. each member of the entire workforce (both internal and external). Established processes have to be managed, adjusted or even reengineered and this also applies to processes affecting partners, suppliers and thus any kind of cooperation or interaction.  

One of the most important departments in this future will be the human resources department and specifically talent management. Getting people on board and retaining them sustainably will be a key challenge. In particular, this means providing them with ongoing training and enabling them to perform qualitatively demanding tasks in a highly volatile environment. And it is precisely such an extremely responsible task that will certainly not be automated even in the long term...

PSD2 in a Europe of Small Principalities

Europe’s consumers have been promised for some years now that strong customer authentication (SCA) was on its way. And the rules as to when this should be applied in e-commerce are being tightened. The aim is to better protect the customers of e-commerce services.  

This sounds like a good development for us all, since we are all regular customers of online merchants or providers of online services. And if you look at the details of SCA, this impression is further enhanced. Logins with only username and password are theoretically a thing of the past, the risk of possible fraud on the basis of compromised credentials is potentially considerably reduced.

The Payment Services Directive (PSD II) requires multi-factor authentication (MFA) as the implementation of SCA for all payments over €10. MFA stands for Multi Factor Authentication, i.e. all approaches involving more than one factor. The most common variant is Two Factor Authentication (2FA), i.e. the use of two factors. There are three classes of factors: Knowledge, Possession and Biometrics – or “what you know”, “what you have”, “what you are”. For each factor, there might be various “means”, e.g. username and password for knowledge, a hard token or a phone for possession, fingerprint or iris for biometrics.  

The use of this results in improved protection for virtually all parties involved: E-commerce site, payment processors and customers can be more confident that transactions are legitimate and trustworthy.

A short look at the history: On November 16, 2015, the Council of the European Union passed the PSD2 and gave Member States two years to transpose the Directive into their national laws and regulations. It should be expected that the broad and comprehensive implementation of SCA as part of the PSD2 will be achieved in a timely manner, as the benefits are obvious. Of course, purchasing processes become a little more complex, because card data and account number or username and password for payment services are no longer enough for checkout. A second, different feature such as a fingerprint or an SMS to your own registered smartphone becomes necessary to increase security.  

But shouldn’t we value this significantly increased security and the trust that goes with it? On the contrary, retailers, for example in Germany, are far from positive about stricter security standards. Every change and especially increase in complexity of the purchasing process is regarded as an obstacle, a potential point for dropping out of the customer journey.

And yet the development now emerging was not unexpected. As early as July 2019, the European Banking Authority (EBA) stated that some players were not sufficiently prepared for the PSD2, SCA and thus the required protection of consumers.  

As a measure, the member states were offered an extension of the deadline. First and foremost, this was used extensively by the UK, but also by some other countries. In Germany, the new regulations for payments without cash will enter into force on 14 September 2019, almost four years after the European Directive PSD2 was approved. This means that only payment services that implement SCA and are therefore PSD2 compliant can be used for online purchases using credit cards.  

And, you guessed it, just recently BaFin (Germany’s financial watchdog) announced in a press release that “As a temporary measure, payment service providers domiciled in Germany will still be allowed to execute credit card payments online without strong customer authentication after 14 September 2019”.  

This does not only mean an immense delay of unclear duration; the otherwise rather homogeneous European market is now being chopped up into a multitude of different regulations and exceptions. The direct opposite of what was planned has been achieved, since it is unclear when and where which requirements will apply, in the European Union and in a global Internet. The obvious losers are the customers and online security and trust in reliable online purchases, at least for the short to mid-term.

Forward-looking organizations who value their customers and their security and trust are now able to implement security through SCA, even without BaFin checks. Those companies that benefit from a short delay to meet PSD2 requirements soon should quickly seize this opportunity and join the latter group. But those companies that, since the release of PSD2 and its requirements, have preferred to complain about more complex payment processes and lament EU regulations should reconsider their relationship to security and customer satisfaction (and thus to their customers). And they should rapidly start on a straight path to comprehensive PSD2 compliance. Because temporary measures and extended deadlines are exactly that, they are temporary, and they are deadlines.

To meet them successfully and in time, KuppingerCole Analysts can support organizations by providing expertise through our research in the areas of PSD2, SCA and MFA. And our Advisory Services are here to support you in identifying and working towards your individual requirements while maintaining user experience, meeting business requirements and achieving compliance. And our upcoming Digital Finance World event in Frankfurt next week is the place to be to learn from experts and exchange your thoughts with peers.

How Do You Protect Your Notebook?

The other day I found a notebook on a train. It was in a compartment on the seat of a first-class car. The compartment was empty, no more passengers to see, no luggage, nothing.

And no, it wasn't a laptop or tablet, it was a *notebook*. One made of paper, very pretty, with the name of a big consulting company printed on it. So, it was either a promotional gift or one that employees use. Two thirds of it had been used, which could be seen from the edge of the paper.

Everyone knows these notebooks, from simple A4 college pads with cheap ballpoint pens to expensive, leather-bound prestige models combined with an equally expensive writing device such as a fountain pen.

They serve as brain extensions in meetings, for planning and conducting conversations. They contain details about the owner. And they contain sketches, meeting minutes, information about contact persons (--> GDPR), your business, the business of your partners. You can find sales figures, business plans, product developments, vulnerability analyses and architectural plans. The private mobile phone number of the important point of contact, the passwords to company infrastructure along with computer addresses. Confidential and critical data is thoughtlessly recorded on paper and then elaborated on the way home on the train, at home on the couch or the next day in the office.

Everyone worries about the loss of their computer or of the still ubiquitous, unencrypted USB stick. Rightly so. And today you also have to think about the cloud, because it bears a multitude of risks, which you have to address consistently, comprehensively and correctly (and yes, we can help you with that, but that's not the point here).

However, leakage of sensitive data does not necessarily require a nation state hacker or a violation of the confidentiality of credentials. Clumsiness, haste and forgetfulness can sometimes be enough. And that's why you should be particularly concerned about your paper notes.

You can encrypt a USB stick (yes, you can). You can encrypt whole computers, too. Your corporate laptop should be, anyway, and the encryption of your private computers and data carriers is your own personal responsibility. Most mobile phones and tablets today come with biometrics and also with potential encryption.

But this notebook is still beautiful and has so many free pages, so on to the next meeting? - So let me ask you: What is written in your current notebook? Would you have wanted me to have read all that on the train? Got a bad conscience now? Rightly so.

Paper cannot be encrypted. So, there are only the following two main approaches of data avoidance and data deletion to mitigate these risks: Give the next promotional notebook to a child for drawing (--> avoidance). Destroy all the notebooks you still have (and possibly still use) by means of your home or office shredder (--> deletion). What is still important can be scanned before and stored safely and of course encrypted.

I did not open this notebook and instead handed it over to the conductor and thus to the Deutsche Bahn "lost and found" service. But we can't expect everyone to handle it that way.

As a recommendation: For the future, for all notes that go beyond your private poems (and perhaps for your own self-protection include those as well), use mechanisms that meet your company's security requirements. Notebooks for sure don’t.

Technology Trend: The Road to Integrated, Hybrid and Heterogeneous IAM Architectures

Requirements for - and context of - the future Identity Fabric. 

We call it Digital Transformation for lack of a better term, but it consists of much more than this buzzword is able to convey. Digital technologies are influencing and changing all areas of a company, and this is fundamentally reshaping the way communication takes place, how people work together and how customers are delivered value. 

IT architectures, in turn, are undergoing profound structural transformations to enable and accelerate this creeping paradigm shift. This evolution reflects the changes resulting from the changing challenges facing companies, government agencies and educational institutions. These challenges, which virtually every organization worldwide has faced for a long time, change processes and systems in the same way that they affect the underlying architectures.

In order to survive in this highly competitive environment, companies are striving to be as agile as possible by adapting and modifying business models and, last but not least, opening up new communication channels with their partners and customers. Thanks to the rapidly growing spread of cloud and mobile computing, companies are becoming increasingly networked with each other. The very idea of an outer boundary of a company, the concept of a security perimeter, have practically ceased to exist.

And with that the idea that different identities can be treated fundamentally isolated in one enterprise has come to an end. 

The Road to Integrated, Hybrid and Heterogeneous IAM Architectures​Figure: The Road to Integrated, Hybrid and Heterogeneous IAM Architectures

Managing identities and access in digital transformation is the key to security, governance and audit, but also to usability and user satisfaction. The challenges for a future-proof IAM are complex, diverse and sometimes even contradictory:

  • We need to integrate consumers into the system, but they often want to retain control over their identity by bringing their own identity (BYOID).
  • We want our employees (internal and external) to be able to use the end-user devices they prefer to use to gain secure access to their work environment, wherever they are.
  • We need to link identities and model real-life dependencies within teams, companies, families or our partner organizations.
  • Maybe we even want to trust identities that are maintained in other organizations and reliably integrate them and authorize them in our IAM.
  • We need to integrate identity, payment and trade.
  • We need to comply with laws and regulations and yet eliminate annoying KYC processes making site visitors leave without completing registration.
  • We want to use existing data to enable artificial intelligence for ongoing business transformation, while ensuring compliance, consent and customer security.
  • We need to extend identities beyond people and integrate devices, services and networks into our next-generation IAM infrastructure.

Workforce mobility, rapidly changing business models and business partnerships are all contributing to a trend where companies need to be able to seamlessly provide access for everyone and to any digital service. These services can be in a public cloud, they can be web applications with or without support of federation standards, they can solely be backend services accessed through APIs, or even legacy applications accessible only through some kind of middleware. However, the agility of the digital journey requires IT to provide seamless access to all these services while maintaining control and enforcing security.

In a nutshell: We need to reconsider IAM as a whole and step by step transform it into a set of services which allow to connect everything via an overarching architecture, making our services available to everyone, everywhere, without losing control.

KuppingerCole Analysts strongly support the concept of Identity Fabrics as a logical infrastructure that enables access for all, from anywhere to any service while integrating advanced approaches such as support for adaptive authentication, auditing capabilities, comprehensive federation services, and dynamic authorization capabilities. In this context, it is of no importance where and in which deployment model IT services are provided. These can be legacy services encapsulated in APIs, current standard services either “as a service” or in your own data center and future digital offerings. Identity fabrics are designed to integrate these services regardless of where they are provided, i.e. anywhere between on-premises, hybrid, public or private clouds, managed by MSPs or in outsourcing data centers, or completely serverless.

We expect Identity Fabrics to be an integral part of current and future architectures for many organizations and their IT. Future issues of KuppingerColes Analysts' View on IAM will look at this topic from multiple perspectives, with particular emphasis on architectural, technical and process-related aspects. KuppingerCole Analysts research will explore this concept of "One IAM for the Digital Age" in detail and KuppingerCole Advisory clients will be among the first to benefit from sophisticated identity fabric architectures. Watch this space, especially our blogs and our research for more to come on all things “Identity Fabric”. And remember: You’ve heard it here at KC first.

Assuming High Criticality: Resilience, Continuity and Security for Organizations and Infrastructures

Acronyms are an ever-growing species. Technologies, standards and concepts come with their share of new acronyms to know and to consider. In recent years we had to learn and understand what GDPR or PSD2 stand for. And we have learned that IT security, compliance and data protection are key requirements for virtually any enterprise. The following acronyms and more importantly the concepts behind them can teach us about what forward-looking organizations and their leaders should be thinking of. 

MTPD stands for "Maximum Tolerable Period of Disruption". Its value determines the longest possible amount of time an organization can endure until the impact of an incident leading to a partial or complete disruption of service becomes inacceptable or a recovery becomes more or less useless. Determining this period is an exercise every reader of this text might want to do just now. It might be surprisingly low.

MBCO, closely related to the MTPD, is short for "Minimum Business Continuity Objective". It describes the baseline of services that are necessary for an organization to survive during a disruption. Another important aspect for all of us to think of. MTDL describes the “Maximum Tolerable Data Loss”. It is usually defined as the largest possible amount of data in IT systems (or analog media, like files and binders) an organization can accept to lose and still be able to recover successful operations afterwards. These terms (and many more related and relevant concepts) stem originally from the area of Business Continuity Planning, but they become increasingly important also to management and staff of IT security departments.  

One reason for that is yet another acryonym, namely “KRITIS”, which is an abbreviation of „KRITische InfraStrukturen“ (“critical infrastructure”). Critical infrastructure is defined as organizations or institutions of major importance to the state community whose failure or degradation would result in sustained supply shortages, significant public safety disruptions or other dramatic consequences.  

Originating from an EU Directive in 2008 the term is closely linked to the Federal Republic of Germany, its legislation and its efforts to reduce potential vulnerabilities of critical infrastructure. The concept aims at improving protection and resilience as a result of the increasing extent of pervasiveness and dependence of almost all areas of life with and from critical infrastructure. A German law (“IT-SiG”), and a regulation “BSI-Kritisverordnung” (“Kritis regulation”) issued in 2015/2016 are the foundation for the specification and enforcement of this significant set of requirements.  

Many countries are already looking at regulating and securing critical infrastructure as well, including  the US (Department of Homeland Security), so this is far from being just yet another German or European issue. But taking Germany as an example, the overall picture of critical infrastructure includes Energy, Information Technology and Telecommunications, Nutrition and Water, Healthcare, Finance and Insurance, Transport and Traffic. The actual scope of organizations affected can be looked up online. The core legislation is the same for each critical infrastructure, the challenge for individual industries is that sector-specific requirements need to be identified individually. The definition of industry-specific requirements is the responsibility of the individual industries, their industry associations and key corporations as exemplary representatives of their sector. However, these documents need to be government-approved.

Implementing these requirements requires organizations to think in more than just in terms of IT security. While the industry-specific requirement documents often have some IT security specific bias (usually starting with implementing an ISO 27xxx ISMS), organizations also need to consider the acronyms in the beginning of this text. This “paradigm shift” that critical infrastructure has to deal with now (and obviously had to deal with before already) is an important step for any organization. Extending security towards resilience, business continuity will be essential for almost any organization within a world of increasing challenges, including but not limited to cyber threats.

To make systems, processes and organizations future-proof, it is highly recommended to consider security, safety and business continuity more holistically. Why not use related KRITIS-requirements as a benchmark that could help you to increase your organizational maturity? Just because you are not obliged to comply does not mean that going beyond your individual, mandatory requirements cannot improve your overall security posture and business continuity approach.  

The definitions and requirements concerning critical infrastructure as they exist at an European and, in particular, German level can be regarded as exemplary in many respect. Even if they have direct relevance primarily for operators of critical infrastructure in Germany, they can serve as a basis for the design, operation and documentation of resilient architectures in Europe and beyond, due to the degree of detail and their comprehensive coverage of a multitude of sectors and industries.

And as a heads up for German readers, the update of the IT-SiG (“IT-Sicherheitsgesetz 2.0”) could be yet another game changer, so they should be prepared for more major changes in systems, processes and organization.

 

The Wrong Click: It Can Happen to Anyone of Us

The Wrong Click: It Can Happen to Anyone of Us

Ledger for the Masses: The Blockchain Has Come to Stay

Hype topics are important. They are important for vendors, startups, journalists, consultants, analysts, IT architects and many more. The problem with hypes is that they have an expiration date. Who remembers 4GL or CASE tools as an exciting discussion topic in IT departments? Well, exactly, that's the point...

From that expiration date on, they either have to be used for some very good purposes within a reasonable period of time, or they turn out to be hot air. There have been quite a few hype topics lately. Think for example of DevOps, Machine Learning, Artificial Intelligence, IoT, Containers and Microservices, Serverless Computing, and the Blockchain. All of these will be evaluated against their impact in the real world. The Blockchain can even be called a prototype for hype topics. The basic concept of trust in hostile environments through technology and the implementation of crypto currencies laid the groundwork for an unparalleled hype. However, there are still no compelling new implementations of solutions using this technology, which any IT-savvy hype expert could refer to immediately.

This week I attended the Berlin AWS Summit as an analyst for KuppingerCole. Many important (including many hype) topics, which have now arrived in reality, were looked at in the keynotes, combined with exciting success stories and AWS product and service offerings. These included migration to the cloud, big data, AI and ML, noSQL databases, more AI and ML, containers and microservices, data lakes and analytics, even more AI and ML and much more that is available for immediate use in the cloud and "as a service" to today's architects, developers and creators of new business models.

But if you weren't attentive just for a short moment, you could have missed the first appearance of the Blockchain topic: at the bottom of the presentation slide about databases in the column "Purpose-Built" you could find "Document-DBs", "Key-Value"-, "In-Memory-", "Time series-" and Graph databases as well as "Ledger: Amazon QLDB".

Even the word "Blockchain" was missing. A clear technological and conceptual categorization.

Behind this first dry mention is the concept of QLDB as a fully managed ledger solution in the AWS cloud, announced on the next presentation slide as "a transparent, immutable, cryptographically verifiable transaction log owned by a central trusted authority" which many purists will not even think of as a Blockchain. Apart from that AWS provides also a preview of a fully managed Blockchain based on Hyperledger Fabric or Ethereum.

This development, which has of course already manifested before in several other comparable offers from competitors, is not the end, but probably only the beginning of the real Blockchain hype. It proves that there is demand for these conceptional and technological building blocks and that this technology has come to stay.

This clearly corresponds directly and stunningly accurate to the development depicted in the trend compass for Blockchain and Blockchain Identity that Martin Kuppinger presented in this video blog post. Less hype, less volume in investment, but much better understood.

 Figure 1: The Trend Compass: Blockchain Hype Figure: The Trend Compass - Blockchain Hype

Like every good hype topic that is getting on in years, it has lost a bit of its striking attractiveness to laymen, but gained in maturity for IT, security and governance professionals. In practice, however, it can now play a central role in the choice of the adequate tools for the right areas of application. And we will for sure need trust in hostile environments through software, technology and processes in the future.

The QLDB product offered by AWS and the underlying concept cited above is certainly not the only possible and meaningful form of Blockchain or decentralized, distributed and public digital ledger in general. But for an important class of applications of this still disruptive technology another efficient and cost-effective implementation for real life (beyond the hype) becomes available. Having the Blockchain available in such an accessible form will potentially drive Blockchain in a maturing market on to the upper right sector of the trend compass, as an established technology with substantial market volume, even if might not even be called explicitly „Blockchain“ in every context.

CCPA: GDPR as a Catalyst for Improving Data Protection Outside the EU

It wasn't too long ago that discussions and meetings on the subject of digitization and consumer identity access management (CIAM) in an international environment became more and more controversial when it came to privacy and the personal rights of customers, employees and users. Back then the regulations and legal requirements in Europe were difficult to communicate, and especially the former German data protection law has always been belittled as exaggerated or unrealistic.

However, in the past three years, during which I have given many talks, workshops and advisory sessions on the subject of the European General Data Protection Regulation (EU-GDPR), perception has shifted. Many companies, especially large ones, have adopted the concepts of privacy, data security and data protection and have embraced the principles behind them.

Of course, this is especially true for European and German companies, as the implementation phase of the GDPR is finally over since the end of May 2018 and the GDPR and its obligations are fully effective and enforceable. This also includes the applicability to all companies processing data of European citizens. Thus, this important milestone of data protection regulation has had considerable effects on international enterprises as well, in particular on large US companies.

I myself, as a consumer, an online services user and a customer, have in the meantime perceived the first positive changes toward a new appreciation of trust and respect as the basis of a customer-supplier relationship (instead of “Hands up, give me all your personal data” as before). That went hand-in-hand with the desire and the expectation that the GDPR as a precedent could also act as a role model.

This is exactly what's happening right now. The first important example is the California Consumer Privacy Act (CCPA). The CCPA was passed at the end of June 2018 and will come into force on January 1, 2020, with actual implementation scheduled to begin sometime between January 1, 2020 and July 1, 2020.

CCPA is surely no 1:1 copy of the GDPR, for it it is considerably slimmer, a little more readable, leaves out some central demands of the GDPR and surely benefits from the experiences that have already been made elsewhere.

One thing is obvious: This puts companies in California and the US in a situation comparable to that in which EU companies were at the beginning of the implementation period, May 25, 2015. Those who have already adjusted their business to accommodate the GDPR probably might be better off, because they only have to deal with the differences between the requirements of GDPR and CCPA. Those enterprises, to which the GDPR was perhaps too "far away", must deal now with the requirements of their national legislation and initiate profound changes in their systems, processes and their organization...

If CCPA is relevant for you, right now is exactly the right time to embark on this journey.

Beware, this is where the promotional section of this blog post kicks in: Wouldn't it be good if you were able to draw on the experience of an international analyst company with extensive experience in this area? With a local team in the US that has international experience in handling personally identifiable information (PII) from customers, consumers, employees and citizens? That has been incorporating privacy, security and trust into the design of complex (C)IAM systems for years? Do you want to be prepared for the implementation of the CCPA? Do you want to meet the GDPR and CCPA requirements in equal measure and define a strategic path for implementation? Then get in touch with us to have a first chat with our US team.

BAIT and VAIT as Levers to Improving Security and Compliance (And Your IAM)

Usually, when we talk about special compliance and legal requirements in highly regulated industries, usually one immediately thinks of companies in the financial services sector, i.e. banks and insurance companies. This is obvious and certainly correct because these companies form the commercial basis of all economic activities.

Although regulations and their obligations are often formulated on a relatively abstract level, they must be adapted over time to the changing business and technical circumstances. Sometimes they need to be made more concise, more actionable and more specific, to improve their effectiveness. The BaFin (the German Federal Financial Supervisory Authority or "Bundesanstalt für Finanzdienstleistungsaufsicht) as the regulator for the financial services businesses in Germany has recently updated and extended its set of requirements documents. The "Supervisory Requirements for IT in Financial Institutions” (“Bankaufsichtliche Anforderungen an die IT - BAIT" in 2017 detailed the IT-related requirements of §25 KWG (the German Banking Act =„Kreditwirtschaftsgesetz“) and MaRisk ("Minimum requirements for risk management"=”Mindestanforderungen an das Risikomanagement") for the banking sector. An updated version of the BAIT has been subsequently supplemented by specific requirements for critical infrastructures (KRITIS) in this essential sector.

Quite recently as a second step, the BaFin has provided comparable specific requirements for the insurance industry by publishing the "Versicherungsaufsichtliche Anforderungen an die IT" (VAIT) ("Supervisory Requirements for IT in Insurance Undertakings". Both BAIT and VAIT describe what BaFin considers to be the appropriate technical and organizational resources for IT systems. Ultimately these requirements are also used as the benchmarks for audits.

Let’s look at VAIT as an example. Eight focus areas require appropriate consideration and the involvement of suitable stakeholders and experts: Specific guidelines for IT strategy and IT governance define minimum requirements for guidance and implementation in these areas within the organization’s structure and processes. The concept of information risks and their management is integrated into the overall corporate/business risk management. Information security is strengthened by the demand for a widely independent information security officer. With the demand for a uniform authorization management, access management and governance are moving even more into the focus of the auditors. The focus is also on IT projects in addition to traditional IT operations. Application development must now move towards "security by design", to meet the requirements. Outsourcing, the use of third-party services as well as the cloud services that are gradually becoming more relevant are considered part of the "IT services" focus area. Speaking from real life experience: improvements in identity and access management, privileged account management and access governance have proven to be successful controls to implement BAIT and VAIT requirements effectively and measurably. In turn, BAIT and VAIT can provide an excellent justification for finally implementing the improvements to IAM/IAG that have long been needed.

 Figure 1: VAIT and related IAM/IAG fields of action

So, the obvious question is who should care about these German regulations for financial services? If you are an insurance company or a bank with a subsidiary in Germany, there is no question about that. Banks and insurance companies face substantial challenges to implement these very concrete requirements into business practice without delay. They must be implemented appropriately, transparently and in a well-documented way by the companies within their scope. (Talk to us, we can help you.)

But what if your organization is not directly in the scope of these regulations? Why not consider them as a benchmark that could help you to increase your organizational maturity. Both BAIT and VAIT are freely available published in English on the Internet. They provide all organizations, even those outside of the financial sector and outside of Germany, with a set of well-elaborated requirements for trustworthy IT. You can use these as a challenge against which to judge the quality of your own overall security and compliance. Going beyond the regulatory requirements as a way to improve your own policies, organization and processes.

And yes, talk to us, we can help you.

Discover KuppingerCole

KuppingerCole PLUS

Get access to the whole body of KC PLUS research including Leadership Compass documents for only €800 a year

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

Blog

Spotlight

AI for the Future of your Business Learn more

AI for the Future of your Business

AI for the Future of your Business: Effective, Safe, Secure & Ethical Everything we admire, love, need to survive, and that brings us further in creating a better future with a human face is and will be a result of intelligence. Synthesizing and amplifying our human intelligence have therefore the potential of leading us into a new era of prosperity like we have not seen before, if we succeed keeping AI Safe, Secure and Ethical. Since the very beginning of industrialization, and even before, we have been striving at structuring our work in a way that it becomes accessible for [...]

Latest Insights

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00