Blog
Without Prosecution, There Is No Protection
by John Tolbert
The Equifax data breach saga continues to unfold. In late 2017, the company admitted it had suffered significant data loss starting in March of last year. There were likely multiple data theft events over a number of months. At some point in May, they notified a small group of customers but kept mostly quiet. Months later the story went public, after Equifax contacted government officials at the US federal and state level. The numbers and locations of consumers affected by the breach keep growing. As of March 1, 2018, Equifax is reported to have lost control of personally identifiable...
Blog
2018 – the Turning Point for Social Networks
by John Tolbert
The Facebook data privacy story continues to be in the headlines this week. For many of us in IT, this event is not really a surprise. The sharing of data from social media is not a data breach, it’s a business model. Social media developers make apps (often as quizzes and games) that harvest data in alignment with social networks’ terms of service. By default, these apps can get profile information about the app users and their friends/contacts. There are no granular consent options for users. What gives this story its outrage factor is the onward sharing of Facebook user data...
Blog
FIAM – Fake Identity and Access Management
by John Tolbert
Just when you thought we had enough variations of IAM, along comes FIAM. Fake digital identities are not new, but they are getting a lot of attention in the press these days. Some fake accounts are very sophisticated and are difficult for automated methods to recognize. Some are built using real photos and stolen identifiers, such as Social Security Numbers or driver’s license numbers. Many of these accounts look like they belong to real people, making it difficult for social media security analysts to flag them for investigation and remove them. With millions of user credentials,...
Blog
Administrative Security in Security Products
by John Tolbert
At KuppingerCole, cybersecurity and identity management product/service analysis are two of our specialties. As one might assume, one of the main functional areas in vendor products we examine in the course of our research is administrative security. There are many components that make up admin security, but here I want to address weak authentication for management utilities. Most on-premises and IaaS/PaaS/SaaS security and identity tools allow username and password for administrative authentication. Forget an admin password? Recover it with KBA (Knowledge-based authentication)....
Blog
The Need for Speed: Why the 72-hour breach notification rule in GDPR is good for industry
by John Tolbert
The EU’s General Data Protection Regulation (GDPR) will force many changes in technology and processes when it comes into effect in May 2018. We have heard extensively about how companies and other organizations will have to provide capabilities to: collect explicit consent for the use of PII per purpose; allow users to revoke previously given consent; allow users to export their data; comply with users’ requests to delete the data you are storing about them; and provide an audit trail of consent actions. Software vendors are preparing, particularly those...
Blog
CIAM Vendor Gigya to be Acquired by SAP Hybris
by John Tolbert
This past weekend we learned that Gigya will be acquired by SAP Hybris. California-based Gigya has been a top vendor in our CIAM Platforms Leadership Compass reports. Gigya offers a pure SaaS CIAM solution, and has one of the largest customer bases in the market. SAP’s Identity solution was previously positioned more as an IDaaS for SAP customers for SAP use cases. What is most interesting is the pairing of Gigya with SAP Hybris. Hybris is SAP’s marketing tools, analytics, and automation suite. It already has a considerable customer base and big...
Blog
Recapping CIW Seattle 2017
by John Tolbert
Last week we completed the opening dates on the Consumer Identity World Tour in Seattle. To kick off the event, the Kantara Initiative held a one-day workshop to showcase the work that they do. Kantara is an international standards organization which develops technical specifications promoting User Managed Access, Consent Receipt, Identities of Things, and Identity Relationship Management. Kantara is also a Trust Framework Provider, approved by the US Federal Government’s Identity and Access Management (ICAM), which accredits Assessors and approves CSPs at...
Blog
The Return of Authorization
by John Tolbert
Authorization is one of the key concepts and processes involved in security, both in the real world as well as the digital world.  Many formulations of the definition for authorization exist, and some are context dependent.  For IT security purposes, we’ll say authorization is the act of evaluating whether a person, process, or device is allowed to operate on or possess a specific resource, such as data, a program, a computing device, or a cyberphysical object (e.g., a door, a gate, etc.). The concept of authorization has evolved considerably over the last two...
Blog
GDPR vs. PSD2: Why the European Commission Must Eliminate Screen Scraping
by John Tolbert
The General Data Protection Regulation (GDPR) and Revised Payment Service Directive (PSD2) are two of the most important and most talked about technical legislative actions to arise in recent years.  Both emanate from the European Commission, and both are aimed at consumer protection. GDPR will bolster personal privacy for EU residents in a number of ways.  The GDPR definition of personally identifiable information (PII) includes attributes that were not previously construed as PII, such as account names and email addresses.  GDPR will require that data processors obtain...
Blog
At the Intersection of Identity and Marketing
by John Tolbert
Digital Transformation is driving a diverse set of business initiatives today, including advanced marketing techniques, creating new consumer services, acquiring better customer information, and even deploying new identity management solutions.  As organizations discover new and efficient methods for engaging customers, they often realize new and more profitable revenue streams. At the intersection of identity and marketing, we find Consumer Identity and Access Management (CIAM) systems.  CIAM is a relatively new but fast-growing area within the overall IAM market.  As...