News Archive

Vendor Report

Cloud Vendor Report: Amazon

Amazon is widely known as an online retailer, having expanded its bookstore business to many other areas over time. Some time ago Amazon entered the Cloud Computing market. Amazon provides a broad set of services under its Amazon Web Services (AWS) label, with the Amazon Elastic Compute Cloud (EC2) as the most popular one. Amazon's strategy for providing web services based on its own experience in providing highly scalable and reliable services at relatively low cost (which is mandatory for its success in the retail business) appears to be valid. Amazon has managed to become...

Blog

The German data protection law starts to bite

The Deutsche Bahn has been sentenced to a penalty of 1,1 Mio Euro for breaches of the German data protection law, i.e. the privacy regulations in Germany. That is the record penalty based on the BDSG (Bundesdatenschutzgesetz), as the law is formally called. The reason for that penalty was abusive analysis of employee data to identify potential cases of corruption and fraud. Bank account data of suppliers and employees were compared. That became public, and there was a lot of public discussion about it - the topic was top in the news for several days. And the CEO, Hartmut Mehdorn, was...

Blog

#SAPTechEd - SAP Netweaver & GRC Identity Management

During the last 30 months I was rather critical towards SAP's approach on how to position and further develop the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed, through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really good job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with the whole offering. Besides the fact that Business Objects GRC systems still have some...

Blog

#SAPTechEd - GRC cooperation between SAP and Novell

I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, both operating out of the US. Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), the discussion of business opportunities, market pull and demand for GRC in general was almost identical between the three of us. First let's check...

Webinar

Dec 08, 2009: 5 Golden Rules for Efficiently Implementing Access Governance

How to do Access Governance right? Which are the key success factors you have to focus on for both quick wins and long-term success? This session explains how best to meet access governance needs.

Webinar

Dec 09, 2009: How to Start: Recertification or Active Access Controls First?

What is the best approach to access governance? Should you start with attestation to understand where the problems are? Or should you first have a management infrastructure in place that allows you to control access across different systems, and then use access governance approaches to improve the state of your information security? Or is recertification sufficient? Kuppinger Cole analysts and different vendors discuss the strengths and weaknesses of the different approaches.

Webinar

Dec 09, 2009: How to Efficiently Implement SoD Controls: Which Level Works?

SoD controls (Segregation of Duties) are a cornerstone of access governance. But how to efficiently implement them? Should they be based on roles, on activities, on granular entitlements? There are many different approaches to solve the problem. In this panel, different vendors and Kuppinger Cole analysts will discuss different approaches for SoD controls, with focus on their manageability and the required granularity.

Webinar

Dec 09, 2009: XACML: The Holy Grail of Access Governance?

In this panel, the role XACML will and can play for access governance is discussed. Is XACML the solution? What is missing? How to manage policies and how to analyze these dynamic constructs? And how to avoid vendor lock-in? The strengths, shortcomings and needed improvements are discussed by different vendors and Kuppinger Cole analysts.

Webinar

Dec 08, 2009: Getting the Big Picture: How Access Governance fits into IT Governance and Risk Management

Access Governance is a key element in every strategy for information and system security as well as IT Governance. However, there are many different approaches from system-level access control management tools for ERP systems with some SoD support up to “Enterprise GRC” solutions which focus on the risk management and governance approaches from a high-level business perspective, sometimes without the interface to IT systems. And access-related controls are only part of that – 4 of 210 controls within COBIT, for example. For sure they are highly relevant, but they are only part of a bigger...

Webcast

The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Kuppinger Cole Webinar recording

Blog

#SAPTechEd - Google Wave @ work // Enterprise 2.0?

Communication & Collaboration - that is what email is all about - or should be. The GoogleWave concept mimics snail mail and a wiki at the same time, while being both a protocol and an application. The demo looks like a cooperative instant-message chat, but showing character by character, giving an almost f2f chat impression... Those who have used OneNote online before may be used to seeing the joint changes of multiple participants in one document - but it is amazing to see even uploads of photos and other material into the wave in the blink of an eye. To see somebody adding a Google map into the wave...

Blog

#SAPTechEd - Original1 against Product Piracy

Again, sorry for bothering you with non-IAM information, but this is highly interesting for those looking into Business-GRC. Just now, Nokia, SAP and Giesecke+Devrient announced the joint venture called Original1, which will offer SaaS solutions for anti-piracy and anti-counterfeiting projects. The goal is to enable customs officers, supply-chain service providers and possibly wholesale customers to check and verify whether a certain batch or delivery is actually original product or counterfeit merchandise. The solution will leverage technology from all three vendors, comprising SAP ERP back-end...

Blog

Q & A from the XACML/ABAC Webinar

On the Webinar that Babak and I did on ABAC and XACML three weeks back, there were quite a few questions that popped up! Unfortunately we did not have time to answer all of them during the webinar, so we promised that we would collect them and answer them afterwards. BTW, today there is another webinar on a related topic: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Q: Please specify the major difference between role mining (role consolidation based on role attributes) and the privilege-giving mining approach?

A: (Babak) Role mining is about finding...

Blog

#sapteched: too much twittering.. ;-) - but not enough on IAM & GRC

Did you find yourself adding hashtags in emails or "old-fashioned" blog posts recently? Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure... In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC ;-) in Munich. Novell made some great announcements recently and - to no surprise for me - their now combined SAP/Novell offering...

Webinar

Dec 08, 2009: The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management

Access Governance is commonly associated with “recertification” or “attestation” as approaches for a recurring review of existing access controls by the responsible managers in IT and business. But knowing the problems isn’t sufficient – enforcing changes and implementing continuous processes for access controls is a key element. And, beyond that, many approaches mainly focus on standard access and not on the security sensitive privileged accounts. This session explains the elements for a consistent approach – across all areas of access governance and all levels of controls, from system to...

Blog

Windows 7 and SmartCard removal behaviour... no system lock?

Ok, this should be a blog about insights into the general Identity & Access Management and Governance, Risk Management & Compliance markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;-) So, whoever has started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself... Well,...

Blog

Vienna Calling

Well, unlike Falco in his famous hit single, this time it is SAP who's calling the world's ERP elite to Austria's capital next week - and I am happy enough to participate in this one-in-a-thousand event that really stands out. My very high expectations regarding the expertise I am planning to meet are only paralleled by the curiosity whether (and if yes, who) there is gonna be a star like Zucchero performing as part of the event :-) Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as...

Webcast

One Password for Everything - Enterprise Single Sign-on

Kuppinger Cole Webinar recording

Blog

Social networks could be secure!

Yesterday, I read an article on a German news website about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don't have any chance to prevent crawlers from accessing personal data which should be presented only to friends. Ridiculous!!! Sorry, that is definitely nonsense! It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular...

Blog

XACML - why it is so important

XACML (eXtensible Access Control Markup Language) gains increasing attention as one of the core standards in the field of information security and thus IT security. Whilst standards like SAML (Security Assertion Markup Language) address the problem of authentication, XACML is about authorization - the more complex threat. XACML allows the definition and exchange of authorization policies in a heterogeneous environment. Whether it is about cloud security and controlling the authorization policies of cloud services or about SOA security for internal applications: XACML supports the...

Blog

Show me your terrorists!

How many terrorists work for your company? Dunno? Well, see you in jail, pal! I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: "We are sacrificing employee privacy on the altar of anti-terrorism." It turns out that firms are required by law to check their employees' names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the...

Blog

How to fight „GRC Anarchy“

GRC (Governance, Risk Management, Compliance) has become a leading issue not only for IT professionals, but for senior management as well. However, it isn't always clear who's in charge. Responsibility for GRC is set to become a major issue in the coming months. So whose job is GRC, anyway? Unfortunately, there is no clear-cut answer. Most intuitive solutions prove on closer inspection to be just too simple. It can't be the CFO, because that would mean that he would be in charge of policing his own bailiwick. The CIO can't do it, either, unless we're talking about controlling the IT...

Webinar

Oct 27, 2009: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

SOA is far from dead but many organizations suffer from a severe SOA disease caused by too many enthusiastic deployments of isolated and siloed services. In this webinar, Martin Kuppinger will provide you with insights on SOA Governance, followed by Axiomatics and Intel showcasing their joint SOA security solution.

Webinar

Dec 10, 2009: Provisioning Trends: Lean, Fully Automated, Cost-Effective

In this webinar, Martin Kuppinger (Kuppinger Cole) and Reto Bachmann (Quest) bring you up to date on automated provisioning.

Webinar

Nov 19, 2009: Pass Your Next Compliance Audit With Confidence

Bottom-Up or Top-Down or both? What is the appropriate approach to automate auditing of access and reporting on directories and identities, and also on mail and file access? In this webinar, Martin Kuppinger (Kuppinger Cole), Jackson Shaw and Reto Bachmann (both Quest Software) will discuss these questions with you and talk about best practices on how to integrate IT and business views.

Webinar

Nov 11, 2009: Single Sign-on for SAP Environments

The identity management marketplace offers a number of different solutions enabling Active Directory-based single sign-on for SAP, making life for SAP end users much easier and at the same time offering good potential to reduce the costs of managing your IT infrastructure. In this webinar, Martin Kuppinger (Kuppinger Cole) will talk about the different concepts of SAP SSO and why Kerberos is a real option in such an environment. Then, Jackson Shaw and Reto Bachmann (Quest Software) will present some best practices based on Quest's solution for SAP.

Press Release

GRC Reference Architecture

New Overview Report from Kuppinger Cole available. Duesseldorf, October 14th, 2009 - Governance, Risk & Compliance - these three terms, in short "GRC", are pretty widely used these days. Unfortunately, there is great confusion in how this term is used. The reason for this confusion is most probably that it makes it easy to sell all kinds of technology under the umbrella of "Risk" and "Compliance" solutions. The new report "A GRC Reference Architecture" aims to clarify the term GRC by defining a reference...

Press Release

A Reference Architecture for GRC

New Overview Report from Kuppinger Cole + Partner. Düsseldorf, 14.10.2009 - Governance, Risk & Compliance: these three terms (abbreviated "GRC") are showing up ever more frequently. Unfortunately, they are often mixed up. It is easy to put all kinds of technologies under the roof of "Risk" or "Compliance", but for customers and users this can lead to uncertainty and confusion. The new report "Eine Referenz-Architektur für GRC" (A Reference Architecture for GRC) from KCP provides a clear...

Webcast

The Role of Entitlement Management in Governance, Risk and Compliance Management

Kuppinger Cole Webinar recording

Blog

Another approach to IRM

Last week I had a discussion with Seclore, a software company based in Mumbai, India. They are focusing on the area of Information Rights Management (IRM), one of my favourite research areas. I'm interested in this topic mainly for two reasons: Information Rights Management is one of the IT topics with the closest relation to the core business topic of Information Security/Protection (including Intellectual Property Rights, IPRs). Information Rights Management is the approach which allows the ongoing protection of information at rest, in motion and in use - compared to many other...

Webcast

Security with Automated Provisioning

Kuppinger Cole Webinar recording

Blog

Integration for the cloud

On Monday I met with Matthieu Hug from RunMyProcess in Paris, an interesting start-up company in the "cloud". Their focus is pretty simple: integrate the cloud - with what you have internally and with other cloud services. At CeBIT 2008 I gave a presentation about "SaaS" and related topics (we didn't use the term "cloud" at that point in time). One of the three major issues I discussed as threats in that area (and would mention nowadays as cloud threats) is integration. How do you integrate external cloud services with other external services or internal applications? Some of these...

Product Report

Product Report: Quest Single Sign-On solutions for SAP

With the two products Quest Single Sign-On for SAP GUI and ABAP and Quest Single Sign-On for NetWeaver, Quest offers a market-leading solution for single sign-on between Active Directory infrastructures and SAP environments based on Kerberos. As an option for infrastructures where a Kerberos-based solution is not wanted, there is also Quest Enterprise Single Sign-On, a classic enterprise single sign-on solution. The advantage is that the primary authentication is handled via Active Directory, which in very...

Blog

Identity Management: Challenge Outsourcing

Outsourcing and offshoring are a fact of life in many companies, but for some, when it comes to managing user identities and access rights or enforcing rules on governance, risk management and compliance, these are still very early days indeed. In fact there are a number of good reasons why you should think about IAM (Identity & Access Management) every time you think about GRC (Governance, Risk & Compliance). Despite all the efforts to secure externally managed services and applications through policies and technology, gaps in the safety nets set up by those in charge of GRC...

Advisory Note

Overview Report: A GRC Reference Architecture

Governance, Risk & Compliance - these three terms, in short "GRC", are pretty widely used these days. Unfortunately, there is great confusion in how this term is used. The reason for this confusion is most probably that it makes it easy to sell all kinds of technology under the umbrella of "Risk" and "Compliance" solutions. But there are very precise areas that GRC should cover, and others that it shouldn't; for example "IT-GRC", the area of tools and methodologies to assure internal control within IT operations, should be...

Press Release

New Business Report from the Kuppinger Cole Analyst Group Available

Düsseldorf, 02.10.2009 - The analyst group Kuppinger Cole, which focuses on the areas of Identity and Access Management (IAM), GRC (Governance, Risk Management, Compliance), digital identities in the enterprise, on the Internet and in society, as well as cloud services and computing, has presented its business report "Identity & Security in der Cloud" (Identity & Security in the Cloud).

Blog

GRC – a heavily segmented market

GRC – Governance, Risk Management, Compliance. A typical buzzword, but well established right now. However, the problem of all emerging markets associated with a buzzword arises here as well: There are many different vendors with different types of offerings, all claiming to solve the GRC problem. But: The GRC problem has many facets and is (beyond “we have to manage risk, we have to be compliant”) largely undefined. We’ll publish a report these days on a GRC reference architecture followed by, probably in early November, a market segmentation report, placing vendors in one or more...

