Blog posts by Sebastian Rohr

The digital divide in Identity Management

My dear friend Mia Harbitz of the Interamerican Development Bank ( has recently linked me to of what I felt to be one of the most important papers on “Identity Management” since I work in this field. The paper does not analyze the pros and cons of doing bottom-up or top-down role design, nor does it dive into the depths of Access Governance and streamlining reconciliation efforts in your organization.
It investigates what any of you claim (and probably experienced yourself) to be a birth-right: your own personal identity! We all know the fuzz around Google+ and the headache it gave Kaliya “Identity Woman” when she was blocked from using G+ due to not using her “real name” but a moniker she was widely known under – at least better known as under her real name (which I only found out during the discussion around G+!). The paper - I recommend you all read – does not care about these problems which seem SO huge to us, but merely touch a small fraction of all mankind (which is, by the way, true to about 99% of the problems I solve during my work…) . It cares about the problems of billions of people not even HAVING an identity, because they did not get registered by their mother upon birth and thus do not have a valid a birth certificate.
Without further ado, please all read the paper “Travelling the Distance: a GPS-based study of the access to birth registration services in Latin America and the Caribbean” … It is an eye-opener to the problems of the “real world of identity management” and we as the crusaders of the digital world should not leave behind our fellow humans on the side of the “digital divide” …

Personal Data Vault – putting YOUR data in YOUR hands

I still remember the fun that was had when Dick Hardt first made his cool presentations on User Centric Identity Management and regaining control of who would access to what attribute of your multiple personas, be it online, at home or at work. We all know, that his company sxip identity failed because it did not gain enough momentum to monetize on the idea. Still, concepts such as the (also “failed”, much to my demise) Information Cards by Microsoft or the OpenID approach share some aspects of the sxipper product – putting you in control of your data. The current hype around the new EU privacy and data security legislation is putting some more focus to this! Apparently, only very tech savvy users – geeks like you and me  - seem to widely adopt and use OpenID. I, personally was attracted to Clavid, a Swiss IDP who combines OpenID with the one thing missing everywhere else: Strong Authentication! Most of you know that this is sort of my pet topic here at KCP and so I was really amazed to see them offer Yubikeys, Avionics’ Internet Passport and even SwissID Government issued certificates as a means of strong authentication – making Clavid an early representative of the prospering “Authentication as a Service” market segment. Not prospering enough, I guess, as I did not see the Clavid guys buying fast cars and castles at Lake Geneva’s' shores… Anyway, the concept of letting us – the users/consumers/customers – decide on who gets access to which detail of my life and (digital) identity remains an unsolved issue. Be it the tedious task of filling out forms after forms to get your kid into day-care or getting new insurance for your car – you have to share information about yourself and your loved ones and wonder: do they REALLY need that info? And if so: why do they ask me the same questions over and over again? Wouldn't it be nice if more of these form-fields could be “auto-filled”, depending on your choice of what to disclose and what not? Wouldn't it be great to have one common place to securely store all the insurance information, account information and whatnot? Just like putting your valuables in a bank deposit box (or your high-security safe in your secret lair downstairs, depending if you are a super villain or not)? You could even “compartmentalize” your life into stuff belonging to work/career (like digital versions of all your certifications and endorsements), your personal leisure activities (like memberships in sportsclub and your fishing license, Open Water Diver certificate), your kids info (school district, Headmaster contacts, the football team coach) and the list continues. I recently tried to gather my families' core identity data, such as passport and ID card numbers, SSN, healthcare ID, tax ID etc. and it took me full Sunday. Last week I did it all over again, as I misplaced the sheet of paper I used – pretty old school, don't you think? But all personal stupidity aside: wouldn't it be great to use that “digital vault” full of your own personal data to actually ERASE all the personal detail that are stored at the gazillion of companies and organizations you interact with day to day? Why must I put my CC info and full address with “your airline of choice”, if I could use their services “pseudonymously” and only allowing access to those details “on demand” while I actually book a flight? Currently, if I lose my CC or it expires the internet economy burdens me with changing my CC info in each of the gazillion pages I do business with. Why? I am looking forward to a (hopefully very near) future, where I can actually manage my data in one place and have those who need access to it authorized on a configurable basis. Sure, my employer should have continuous access to my bank account information! But if I am leaving – how can I make them erase that info on file today? Look put for some colnew announcements and blogs on KCP on this - my colleagues will provide more info as it becomes "freely available" :-)

In retrospect of 2011

Well, the time between the years (usually today referring to the days after Christmas until New Years Eve - but did you know these were historically the twelve days between December 24th and January 6th which served to align lunar and solar calender years? But I am getting too much off-topic...) is used to reflect about the year passed. There are a few things and events that absolutely impressed me in 2011, which I like to talk about a litte! First, there was the spring event European Identity Conference (EIC - which had a great impact from my personal point of view. I never had so many interviews, briefings, talks and sessions to host in that short amount of time. But instead of feeling exhausted and depleted when finally traveling home that Friday, I felt energized, motivated and inspired! So many interesting people to talk to, so many vibrant sessions and panel discussions to follow - and a really delicious catering all the time! Second, the autumn event IT Security Area ( in Nuremberg. A tradefair by design, it was also packed with a decent conference framework programme and the three official stages in the exhibition area had a rather impressive set of security speakers such as Prof. Taher el-Gamal, Martin Schallbruch of the State Department or Horst Flätgen of Federal Office of IT Security. Though spanning a much larger scope than EIC, Identity Management and Privacy Protecting Technologies were key topics discussed. Finally, there was one vendor event which really impressed me a lot. Being a former CA, Microsoft and Siemens employee, I do know what large corporations are able to pull off regarding trade-fairs and exhibitions as well as "in-house events". But comparing a Microsoft booth at Cebit, a CA InExchange or similar events just did not do well. Ok, Microsoft TechEd, SAP SAPPHIRE and CA World are all a close call. But Oracle OpenWorld in San Francisco this year was by far the most exciting and entertaining event! Let me give you a little impression of the breadth of topics that I (as an Identity, Privacy & Security Analyst) was confronted with: - Big Data - Cloud Services - Database Management (doh!) - Secure Programming Guides and Secure Development Programmes - Hardware and the opportunities of full HW/MW/SW Stacks (see? I did not use "advantage"!) - Bring Your Own Device (yeah, many Oracle people had personal "i"-devices with them!) and many more! Ok, the topics I can really give an insight on where the following: It really looks like Oracle assimilated the Sun Hardware Business – the racks could be seen all over the space in San Francisco at Oracle Open World. Of more interest to me, was how they would present their integration efforts in the IAM space, as they had also acquired a large amount of Intellectual Properties and code around role-mining and attestation from SUN. Sadly, they did not really make that a topic but continued to refer to their „suite“, which from my point of view still lacks some deep-end integration regarding the OIA (Oracle Identity Analytics). At least it looks like the 12g releases will deliver on that. I meet with some happy customers though, who had deployed this „component“ of the suite and they were all boasting how easy it was to setup and how they could impress their management with quick-wins. Well, that was always „inside“ the products core, which I had the honor to work with during previous engagements. What I felt was missing a bit, is to stress the actual „power of the suite“: if you deploy OIA for analysis and re-certification (attestation), it is (or at least should be) a natural choice to have that co-deployed with OIM and get all the changes delivered automatically. There is Integration, and Oracle worked a lot on that behind the scenes. But there is still some way to go, for example by having one workflow system instead of two for OIA and OIM – again something that is said to become available with 12g. Another point that needs to be addressed with the suite offering is a much more customer centric approach of visualizing which component can help with which problem – a simple mapping would suffice! That would also help their field engineers and pre-sales staff which sometimes appear a little uncertain about which component to use when and about the dependencies of components. So, it is nice to hear about deeper integration of the Fusion middleware component areas and how they work to together to make our life more enjoyable, but having some clear communication about “what fits where” in the IAM arena alone would help them a lot. Once the components (and please do not rename them again) went through that “matchmaking” from a marketing/sales perspective, everyone could better draw the lines and delimit what functionality comes with which component and how to combine elements to receive the expected functionality. The last issue about selling an IAM suite I was curious about still remains unsolved: what to do if customers already have some components in place and will not want to migrate those? Selling a suite into a large organization may be like dumping a large black monolith into their IT. Having the components sharply delimited but at the same time tightly integrated is a key requirement for the vendor to successfully sell the suite. Keeping open interfaces and providing the customer the freedom of choice for selecting a competitive component for – let us say provisioning – is a key for customer success with their IT-landscape integration. While these goals seem to be contradictive at first, they become the same if you live up to your own pledge to support open and well documented standards and interfaces. As soon as all components of a suite support the same set of standards and interfaces, they are clearly delimited (hopefully) and can be mixed and combined to better match the actual requirements customers have. The big black monolith referred to above, then converts into a nice set up easy-to-connect Lego® bricks that enable customers to build their own suite. Given that the Oracle IAM suite in fact consists of many building blocks and that Oracle has a clear vision for (and is delivering on) a service-oriented approach to consume IAM services – the Oracle Service Oriented Security – they are well positioned to tell a much stronger story here than they sometimes do. The real Cloud – now available at Oracle (and only there!?) According to the first entertaining minutes of Oracle CEO Larry Ellison's keynote at Oracle Open World, Oracle is now the only vendor to offer a real cloud – whatever that is supposed to mean. At least Hasan Rivzi elaborated a little more of the details how to register, pick services, select the payment plan (!) and then get the service created and defined. I am so happy about that update, as Larry rather concentrated on bashing that certain other Cloud vendor, whose CEO-keynote had been “postponed” the day before. At least in Germany, bashing the Co-Opetition is not considered good business conduct. At least not if you continue to brag over 90 minutes how much their services are inferior to your own (which have not even materialized yet). Well, as mentioned, Hasan explained in more detail how PaaS and IaaS offerings will be shaped and differentiated from the competition. A big focus will be on Java-based offerings, but my main points of interest were that key things like “Complete Isolation” of the different environments, SSO for the applications created, Centralized User Management with Delegated Administration for all of the above as well as Identity Federation between internal and Cloud Applications. That will be accompanied by “caging” resources and dedicated virtual machines per client, to keep the customers more secluded and to avoid “leaking” of data between environments. Another nice point to add: Data Integration is supposed to make moving data to the Cloud and back from the Cloud to your internal apps easier. Still unclear how that will actually work out, though. Wrapping up: I will return this year to see how the Suite approach was refined and how my (and some highly respected analyst folks) advice was used to push the capabilities of existing modules!

Managing Privacy and Data Protection – moving from “optional” to “mandatory”

My colleague Jörg Resch just gave us a summary on the current status of new EU Privacy Regulation that is “in the works” in Brussels. If only a portion of this becomes “EU Law” – meaning that it will not be a Directive which needs to be translated into local national law but supersedes any existing national law – it will change the game in an instance. Not only would the “amusingly small” fines that could currently be imposed e.g. German companies for breaking privacy laws (standard maximum fine 50.000 €) be bumped up to “significant” numbers, but the actual provider of a service could be held liable for not protecting the data of his customer (or his customers' customer, that is). Currently, if your company uses any kind of (IT) service and your customer data is disclosed by errors or omissions on behalf of the Service Provider, still your company will be sued and needs to pay the fine as you did not execute proper Governance in your contract with the Service Provider (hence I've been promoting the need for good information security governance paragraphs in each outsourcing contract!). In other words: although your Service Provider failed to deliver secure services and neglected his responsibility to provide the high quality and security that you expected from a professional vendor, you are being held accountable for the improper action that lead to the disclosure. Looks like this is going to be changed! Or at least, the EU will try to change it…Behold of the Lobbyists!

Sometimes fate has it, that two corresponding subjects are discussed in parallel – as I talked to my old friend Peter Schoo of recently formed Fraunhofer AISEC in Munich-Garching. Just before I received Jörg's summary on the progress of EU Privacy Law, I discussed with Peter what has been happening regarding Privacy Protection and Anonymity in the market. Recently, my point of view on gathering “customer information” and the process of storing this information to create a “customer profile” has changed dramatically. Besides the fact that this more or less in contradiction to Germanys' data protection laws (referring to “Daten-Sparsamkeit” here), marketing experts always constructed some sort of “need” to justify this compilation. Especially the “REWE incident” where thousands of customer home addresses and other personal information was ripped from a marketing driven exchange platform (through this site, kids could swap the stickers they harvested with each of Moms shopping trips to REWE stores) made me feel like having this data had become more of a liability/risk than creating benefit/opportunity. This is where Peters' newest creation comes into play – his team created a tool called “Prividor” which stands for “Privacy Violation Detector”. It basically spiders a website and checks for any issues with data protection and privacy legislation that this site or portal may have. As some consumers are beginning to revert to a more strict handling of personal information, those “concerned users” would definitely feel more comfortable browsing for “special information” on sites that respect the privacy of a user. Especially government-owned sites or information portals that handle sensitive topics such as cancer, HIV infection or even “erectile dysfunction” would benefit largely. Imagine the user browsing for these things and receiving even more “blue pill” advertisements than usual or getting sponsored ads for cancer treatment on the next portal you visit – not what you fancy if you are really struck by that health condition! Well, people with extensive Facebook (or name your favorite social network here) usage will probably not even think about such things, but a growing number of “concerned users” will. Now take into account what the EU seems to be aiming at and – voilà – demand for a “privacy protecting web-design” of any kind will rise instantly. As I said, sometimes fate “makes may day”

Looking forward to your feedback, dear readers! Oh, and here are the links, for the curious ones...

Information (hardware-) Security

We have been discussing IRM, DRM, DLP and other acronyms back and forth for a quite a while now and I am sure there are a good bunch of solutions out there for those organizations, that have policies and procedures in place to sufficiently plan, build and run thus a tool. Thus, I was pretty much „meh“ about any discussions revolving around the pros and cons of approaches… Well, our close friends sometimes surprise us with problems, we never seem to have „seen“ before. One of those friends runs a small System Integrator / VAR company and approached me with a problem, that is common among these service providers: handling of RMAs… Usually, if you have outsourcing agreements and service contracts, you would also have a number of SLAs that cover the use, transport, protection and security of data and mobile data storage devices such as flash-disks, thumb-drives or the very useful external hard drives, which are used to back-up full Virtual Servers if no SAN/NAS is available on-site. Well, these SLAs cover exactly that: the STANDARD operating procedures and day-to-day handling of those devices. But what happens, if one or more of the external hard-drives becomes defective and is not accessible because the controller is broken? You just had a full back-up pushed onto that drive last Friday and – during your standard tests of back-up media – you find the disk to irresponsive due to controller failure. You KNOW that your client's full data-center including Domain Controller, Exchange and ERP systems are on that drive. You are unable to read the data, you can also not delete the drive and you cannot “open” the casing because it voids the warranty under which you would like to get the drive replaced by your vendor/distributor. Actually, you would have to send in the defective drive as-is (with all your client-data on it) and wait to have it replaced or repaired. If replaced – what happens to the “raw disks”? They could easily be put into a computer or hooked up to another controller and data extracted. If repaired, the controller will be exchanged and at least QA tests will reveal the sensitive nature of the data stored… According to the System Integrator community it is impossible to negotiate a special data-protection agreement with the Distributors, as their margins are already too low to invest in legal advisory regarding a set of 150 € products. Also, the clients are rather unwilling to sign a waiver, which reduces or fully removes liability for any data breach from the SI. I would really LOVE to talk to some lawyers of the HD manufacturers and/or Distributors about this topic, as I fear that a large number of these RMAs happen without any thought about data protection…

Strong Authentication, please! But make it stirred, not shaken!

Back to the roots - Strong Authentication is my topic of the month. To be more precise, the combination of several methods of strong authentication all managed through one central, versatile system, allowing both high-security solutions with high cost per authentication and mass-market easy to use methods for low to medium security settings. Versatile Authentication Services/Servers/Platforms are key to low TCO and high usability for different user segments and use-cases. I already finished most of my market analysis and am currently compiling the report. If you feel the urge to let me know about your fresh product/solution in that segment, let me know :-) Just comment this post or write to me ! Thanks for your input - see you all at EIC2011 to discuss the results!

Convergence re-iterated

The press release of HID acquring ActiveIdentity almost slipped my sensor network, despite the fact that I had the honour of having some close contact to top-level HID guys this week. I am totally positive about this acquisition, as HID now is able to get their hands on some really good Versatile Authentication Server (VAS) with AI's 4Tress product. This is what they need to really set a mark in the authentication industry, because their NaviGO tool was a good starting point but it really lacks the quality and integration some of the other tools feature. HID is brand new to "software", but they heavily invested in own resources to come up with NaviGO - thus it is a natural thing to seek some established brand or set of tools and accelerate the (obviously successful!) strategy of becoming of THE vendors for VAS. I am confident that this is a good match, but with all acquisitions there come friction and loss and talent. So, seeing things the other way round, it may be hard for the AI guys to actually blend in with the HID guys. At least, they had some hardware tokens for their own and now they just have access to some really good contact and contact-less card readers. Hopeyfully, the differences in style, attitude and go-to-market can be aligned, as the Identity & Access Management market is definitely something else than the PACS and RFID reader market space. To sum things up, I think the two of them make a great match! Still I ask myself if the two worlds can be merged by such a take-over? Everybody knows I am a both a big fan and big promoter of holistic security concepts and convergence as such - it would benefit the market to see this merger evolve into some true Convergence VAS products!

Your token to VISA...

The recently published document on protecting credit card data during processing and storage with tokenization technology has gathered quite a bit of response (see for yourself As others like Mr. McMillon of RSA said before (, it is an overall good approach - and my very recent experience with CC data processing in outsourcing environments proves to me that solutions for this are in great demand. Besides the "nit-picking" (please excuse, we are totally on the same page here!) about calling encrypted CC data a "token" (which it is NOT...), there are some issues about the general approach shown by VISA. First, it is absolutely positive to see any progress and innovation around securing payment methods and payment processing, either at the PoS or online (and there are nice solutions for both environments readily available in the market, such as nuBridges offering, for example). Second, it is advisable to contribute to standardization and commonly accepted methods - isn't it? Well, it looks like VISA - with all due respect for their effort to make this world a safer place! - has failed to get broad 3rd party support (such as e.g. funnelling this through the PCS DSS commitees or having it openly reviewed by experts) . It remains a mystery (at least to me) why VISA chose to spearhead this alone. The overall feedback received from experts around the world is a mixed bag of "well thought, but has major weaknesses". Thus, it is definitely worth a look if you have a need for securing CC data in your systems and guidance is needed on how to define certain aspects. On the other hand, it is advisable to compare the VISA best practices with what the "other" stakeholders such as Mastercard, Diners, Amex and the like may add or edit. From my personal perspective I applaud the advances made by this project but I clearly dislike the fact, that VISA did this on their own, effectively putting an extra burden on banks, merchants and all others dealing with CC data to harmonize with deviating requirements that may be published by other companies. I sincerely hope that the payment card industry does not fall into a "deny-all" mode but instead that a revised version with support from industry organizations such a the PCI DSS council is made public any time soon. Until then, I recommend reading, understanding and cross-checking the VISA best practices for tokenization with the extensive feedback already available from industry experts around the globe. The time for protecting CC data and other PII is definitely NOW, and good tokenization can help to reduce the leakage of such information!

How Data Leaks Through Twitter

If you’re a soccer fan, thinking back to the year 1986 will probably remind you of the nail-biting final between Germany and Argentina that the South Americans narrowly won (unlike the devastating 0:4 loss they received this year, but that’s only by the way). If you are a data protection professional, however, harking back to 1986 will probably conjure up memories of the widespread street demonstrations during the run-up to the German census.

Of course, the 80ies saw a lot of protest movements; atomic weapons and the new runway at Frankfurt International drew angry crowds, but resentment of what many saw as uncontrolled and unwarranted collection of personal data was up there among the chief causes for civic unrest. Why, many asked, does the state want to now so much about our personal lives, and especially about immigrants and other foreign nationals residing in Germany? Was there some sinister plot abroad instigated by creepy bureaucrats lurking behind unmarked doors?

Now fast forward to the year of grace 2010, and how different things seem. Once more, a decree has gone out that all the world, or at least the German part of it, should be registered - but where are the protesters, where the councils of concerned citizens, where even a couple of angry letters to the editor? At least for now it seems the German population could care less who wants to know what about their lives and habits. This represents at the very least a change in temperament and begs the question: Don't our kids, who have grown up amidst social networks of almost every description, give a hoot about these things? Or maybe it's just another symptom of disenchantment with politics in general?

In fact there are a number of issues surrounding the upcoming census that need to be addressed and that citizens, and even more so enterprises, ought to be concerned about and aren't. So maybe we should take a closer look at the world of the so-called Digital Natives and ask: How do these young people feel about privacy? What influence do social networks have on their attitudes towards data protection? And above all, what can companies learn from this?

We've seen it all before in our circles of families and friends: nieces, nephews and of course our own kids seem to be online 24 by 7. Texting is out, Twitter is in! The days when teenagers spent countless hours on the phone are over; today's adolescents prefer to foregather online and communicate with their peers via Facebook, YouTube or whatever network they happen to frequent. They spent countless hours updating their profiles, and everybody seems to know everybody, at least three mouse clicks removed. Today, everyone's "friends", and they want to exchange stuff - texts, photos, videos - regularly, if possible in real-time, at least as long as the weekly allowance doesn't run out. Welcome to the bright new world of instant, total communication and Web 2.0.

To store and share information online instead of on their own hard drives is to these youngsters as natural as wearing cargo pants and getting pierced, and the same goes for the ubiquitous Internet. This is good news, of course, for future bosses and HR managers since it means they won't have to train these budding Knowledge Workers of tomorrow in things like using SaaS applications and storing things in the cloud. After all, desktop publishing is so 20th century; the Net Generation run up their school yearbooks in "Web2Print" Shops where anyone can lend a hand with the layout or upload texts and pictures. Reservations, not to mention worries, about technology in general and data collection, storing and publishing in particular? I don't think so!

The Participatory Web has taken parents, teachers, professors and most especially security experts completely by surprise. Young people, it turns out, are oblivious to things like security governance, and parental oversight is apparently an outdated concept. Unfortunately, this also means a total lack of control over what kids do or don't do online, and the same goes for when they enter the working world.

Enterprises - stuck in the Web  

Take just one example: personal resumes. Time was when HR managers could rely on an applicant's honesty, or at least they could catch them out if they fibbed. After all, they had to attach school reports, training certificates and other official documents that were easy to verify. Background checks were only necessary for jobs in sensitive fields such as defense contracting or military intelligence. Calls to personal references like in the U.S. were virtually unheard of on this side of the Atlantic.

Today, HR routinely uses the Web to scan candidates and to catch them out if they have "invented" some previous position or awarded themselves job skills which they in fact lack. A quick Google query and the applicant becomes almost completely transparent, thanks to LinkedIn, Plaxo, Xing, Yansi or especially Facebook. Within minutes they can assemble a portfolio complete with more personal information and private pictures (sometimes showing candidates in rather embarrassing situations) than the former census opponents could have imagined in their wildest dreams!

Okay, the information isn't being stored in a central location (where, incidentally, it would be quite secure since it would be intended for the eyes of state officials only) but is distributed willy-nilly around the Internet. But on the other hand, there is not even a rudimentary form of access control and in most cases the owner is no longer in charge of his or her information, as numerous cases of "data leakage" from online communities have proven in the past. This can end to downright de-facto „data dispossession", with the operators of social networks disputing the right of the owner to have the final say over how their data is used or to whom it is distributed.

Most job candidates are in effect offering offer potential employers a comprehensive overview not only of their professional careers, but their private lives, as well, along with a deep glimpse into the depths of their souls and their social relationships. And the best thing, at least from an HR perspective, is that this is all completely free and totally legal! One of the most popular German social networks for young people, "Wer-kennt-Wen" (or "wkw" for short), of which the author is a member, now post warning signs for new members that read: "Your boss can read your profile". They also publish guidelines aimed at helping youngsters (and grownups, too!) to grasp the basic rules of privacy and social governance.

 Web 2.0 on the job

Due to their great popularity and widespread acceptance (not to mention peer pressure), social networks can be a major hazard for enterprises, as well. Many personal profiles that are posted in business communities not only give the viewer an idea whom they are dealing with and how qualified he or she may be, they also provide loads of information about their employers' organization and modus operandi. Besides, many business networks not only show the person's job contacts within the firm, but also which suppliers, contractors, consultants and even customers he or she deals with. By leisurely perusing the postings on an employee's community homepage, a competitor can gather lots of info about a company's business relationships, projects and cooperation agreements.

Networks and communities are only part of the problem; the others are private and professional forums, blogs and instant messaging systems such as Twitter. Staff members with lots of exposure usually have lots of "followers" who regularly read what they write. If employers do not have policy guidelines in place that set out what may and may not be divulged online, this can prove to be a train wreck waiting to happen, or at the very minimum a PR disaster in the making. A corporate culture of open communication is fine and good, but only if employees have been briefed on what is acceptable behavior in online communities. The PR department should be involved in setting up such guidelines, as well as legal and management, of course. Even better is an official company agreement which, don't forget, will in most cases need to be passed by the works council, too. On the other hand, there simply is no way for an employer to force everyone to submit web postings prior to publication; you'll just have to trust your people - and hope for the best!

Security governance for communities

Communications and behavior guidelines for Web 2.0 should be part and parcel of any comprehensive strategy aimed at dealing with corporate security. These should not b repressive, but should instead try to incorporate the benefits of the new technology and make it work for the company, not against it. Things like official Twitter hash tags, corporate blog sites and closely-monitored customer forums are a step in the right direction, but given the prevalence of private blogs and online communities they can necessarily address only part of the problem. Management will have to strike a balance between corporate interests and undue (or unlawful) interference with employees' rights as netizens. In fact, some enterprises have begun to encourage their customer-facing staff to use platforms such as Facebook, Slideshare or YouTube to distribute sales presentations, restricting themselves to setting out guidelines for correct use of brand names or job titles in their network profiles. Others have established their own "corporate pages" in networks like Xing or Facebook and urge their people to frequent them.

A sure recipe for trouble is to try and plug the dike by forbidding employees to visit Facebook or other social sites during working hours. That is the equivalent of sticking one's head in the sand and ignoring the new reality of modern telecommunications. Unless your company is involved in extremely sensitive work, say in arms production or aerospace, this option is simply not on the table.

Enterprises operating in other fields should welcome the chance to open up their communication channels in order to receive unfiltered feedback from customers and partners, and to showcase their own strengths and achievements via social networks. Of course, this means that existing works agreements and non-disclosure rules need to be updated or completely rewritten, and maybe it would be a good idea to hold seminars for employees in order to bring them up to speed on proper conduct when online. That way, you can generate cooperation and make sure everyone understands the problem so that digital information and identities can flow freely over the Internet.

The upcoming German census in 2011 might prove to be a good starting point for will boost awareness both among employees and citizens about the risks involved in being too generous with private and business information.

Why enterprises shouldn’t economize on IT security

We’ve all been there before: helpdesks deluged by calls from irate users, constant complaints about buggy apps, complicated login procedures or passwords no one can remember. Much-overdue investments in security patches and updates for heirloom software have to be postponed time and again because maintenance and support eat up all the money, and still the boss is under pressure to tighten the belt another notch by slashing the IT budget yet further.

And after all: Isn't IT supposed to be all about reducing costs? What about all those productivity gains and slick business processes? Yes, but tampering with IT budgets in general isn't a very good idea. IT security departments in particular tend to be run on a per-project basis. Despite laudable efforts towards following ITIL and project portfolio management procedures, this way of working can easily distract those in charge from keeping their eye on the big picture.

Tons of resources are routinely consumed by projects emanating from the operational departments which continue to clamor for quick solutions to their specific problems. And since these guys are pretty good at describing their "business needs" in dramatic terms, they tend to be seenby the powers that be as highly relevant. As a result, budget tends to flow to them and not into badly needed repairs to the IT infrastructure itself.

IT departments need to get two things right. For one, they must focus on the overall needs of the enterprise itself. That's what business-IT alignment is all about. But they must also take the lead in defining strategic projects instead of letting themselves be herded along by business interests.

IT security is a perfect example. Most projects that originate within the business units of the company either neglect security concerns completely or merely pay lip service to them. The suits somehow assume that IT will somehow solve the problem somewhere along the way. Isn't that part of their job as providers of infrastructure?

Unfortunately, this attitude can force IT departments to shoulder substantial capital investments that don't seem to belong to the project in question. The whole thing can quickly sink to the level of a classic chicken and egg dilemma.

Anticipating the needs of business

For CIOs and IT department heads, the first challenge is how to anticipate the real needs of their "customers" in the business units. This calls for a deep understanding of the business itself - something that many technicians, who are experts in their own fields, find difficult, to put it mildly.

Besides struggling with the realization that technical expertise isn't always enough to handle the demands of business professionals, IT people are also under pressure to fund the necessary research in order to understand what is driving the other side. This can evolve attending meetings or travelling to conferences, reading additional literature and delegating certain tasks to members of their staff who, of course, always seem to have more important things to do. IT departments need to pencil in extra time for this kind of thing above and beyond the actual hours budgeted for the actual project work. Team meetings are a good venue to exchange views and information between business units and IT, and they should be used as such.

Web Services and Service Oriented Architectures are a good place to start putting these anticipated business needs to use. That way, IT can ensure that everything is well documented and that security issues are properly addressed from day one. Sadly, in many enterprises such "miracle" technologies as SOA turn out to be just another evil for IT to live with since business unit can't be bothered with things like strategic planning or security architectures - all they want is an application that must be up and running P*R*O*N*T*O! IT departments are left to try and clean up the resulting mess by painstakingly unbundling sloppy SOA systems and adding security as an afterthought.

Poor planning can be habit-forming

Many existing IAM (Identity and Access Management) installations also turn out to be examples of poor strategic planning. Yes, as a rule they can handle the technical requirements, but too often they fail to integrate with newly-developed business projects both in terms of long-term planning and overall control. Instead, they are implemented the way things used to be done back in the 20th century: identities and privileges are stored in silos and have to be jury rigged to the IAM system.

IT departments should demand strict policies and rules for administering and replacing legacy silos as part of the planning and updating process within existing applications, and new ones should be avoided at all costs. Viable alternatives include identity federation or even claim-based identity management. Both can reduce the load on IT and solve the issues that decentralized identity management brings with it. For IT to take the helm in formulating appropriate guidelines and policies they need to demonstrate their business acumen and their understanding of the underlying forces that shape decisions within the operative departments of the company.

Transparency is an important factor in establishing a true partnership between business and IT. It can help in establishing the right IT strategy and achieving agreement on the necessary security measures. The results of in-depth risk analysis and internal audits may be painful; they enable those responsible to best judge the eventual business impact of various threat scenarios such as breakdowns, attacks or data leakage.

These meetings need to be meticulously planned. IT professionals should take care to identify low-hanging fruit such as of defense measures that can be implemented quickly and easily, and they should aim at raising the level of awareness on the "other side" for risks are being taken. IT can provide vital orientation, which in itself is a first step towards avoiding uncoordinated and hasty reactions and stop-gap measures like point solutions that can cause more trouble than they are worth in terms of overall security management. IT should always be ready to pull a solution out of their hat for the problems that are sure to crop up at meetings like these.

Identifying and controlling risk

These individual solutions need to be augmented by a comprehensive security strategy that has the support of the company CSO. Risks that have been recognized and properly evaluated should be addressed through coordinated internal procedures. A good way of doing this is to add up the dollar values of the risks involved and to "monetize" the risk incurred by each stakeholder demanding that they make corresponding contributions to the overall risk management budget. By accepting budget responsibility, security and IT departments can act in tandem to ensure not only compliance to governance guidelines, in other words full risk management, but to also active mitigation and avoidance of such risks.

By being able to draw on a separate "budget pot", IT can finance appropriate infrastructure investments or improvements meant to facilitate risk management. It can also help reduce indirect IT and infrastrcture costs which hitherto had to be apportioned throughout the company; never a good way for IT to make itself popular and win friends. Once a framework of IAM and GRC tools has been created, IT can reuse them again and again for new applications and systems at no or little extra cost.

Application and lifecycle management systems are also important elements in any future-facing IT (security) management environment. It helps to define requirements for the applications themselves, as well as for their implementation, improvement, customization, and deactivation. This brings obvious advantages from an IT security perspective: obligatory updates such as moving from an old Java environment to the latest version can be accomplished in a controlled fashion and under an established budget.

Similarly, IT departments can exercise better control over weak points in client and server operating systems (in case this isn't already part of their asset and license management solutions) as well as in applications and tools. This will enable them to discover, evaluate and eliminate the corresponding risks, either manually or automatically. Web-based applications, which are growing increasingly popular, should also be monitored in this way.

Getting more traction from IT innovation

In sum it can be said that IT managers must increasingly be ready to accept direct responsibility as opposed to simply providing a service. This calls for a new awareness, literally a new self-image, both on the part of IT and information security professionals. This in turn will go far towards correcting the imbalance between the performance delivered by IT and the esteem in which it is held within the company. Today, most IT departments find themselves in the role of low man on the totem pole. Climbing up the acceptance ladder will require commitment and hard work along with the determination to drive innovation. The part IT plays in enabling the business units needs to be highlighted in order to make them appreciate the contribution being made by IT to the company as a whole. CIOs and IT heads need to communicate these contributions more aggressively instead of hiding their light as usual under a bushel.

But first, IT professionals need to themselves understand just how important their daily work is to the success of the company and how vital IT security is to the ongoing, uninterrupted running of its business. IT has a big role to play in creating innovation of its own, and not just when business tells them what to do.

KuppingerCole Select

Register now for KuppingerCole Select and get your free 30-day access to a great selection of KuppingerCole research materials and to live trainings.

Stay Connected

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00