News Archive

Blog

Why CIO should put GRC on the New Year’s resolution list

GRC (Governance, Risk Management, Compliance) is one of the best-known and least understood buzzwords in IT today. As is too often the case, a variety of stakeholders have seized on the expression and defined it any way they choose. Nevertheless, GRC belongs right up there on your list of New Year’s resolutions because it is (or should be) an essential part of overall IT strategy. As the term itself implies, GRC covers a range of crucial topics which all deserve to be examined separately and closely. Governance is the umbrella phrase since it describes the overall concept of proper (as in...

Blog

Will IBM change the way we do PAM (or PIM or PUM)?

I've blogged several times about PAM (Privileged Account/Access Management) in the last few months, stating that I expect more integration of PAM with existing IAM applications (Here, here, here, and here). Now IBM is moving forward on this with their PIM offering. It's interesting to observe what IBM is doing these days. There hadn't been that much news from IBM for a pretty long time. But this year IBM has increased its speed significantly. The release of TIM 5.1 with many significant improvements, their approaches around risk and compliance with tight integration to TIM as well as other...

Blog

CapEx and OpEx – the latest thing in IT buzzwords

Talking with IT decision makers these days, it seems that two new terms keep cropping up, namely the abbreviations “CapEx” and “OpEx”. They stand, of course, for “capital expenditures” and “operational expenditures”. Both have been borrowed from economic parlance but are now widely used in IT Speak, too. Broadly, CapEx is something you want to avoid, while OpEx is something you want to keep under control. To do that, IT people have two available options, one of them simple, the other kind of tricky. The easy one is leasing which means avoiding the need to tie up tight budget in expensive...

Webcast

Provisioning Trends: Lean, Fully Automated, Cost-Effective

Kuppinger Cole Webinar recording

Webcast

How to Start: Recertification or Active Access Controls First?

Kuppinger Cole Webinar recording

Webcast

How to Efficiently Implement SoD Controls: Which Level Works?

Kuppinger Cole Webinar recording

Webcast

XACML: The Holy Grail of Access Governance?

Kuppinger Cole Webinar Recording

Blog

The simple cloud API - a step forward?

A few weeks ago, the "Simple Cloud API" was announced. The company behind this is Zend Technologies, which calls itself "The PHP Company". More important is the fact that Microsoft and IBM are amongst the supporters of Simple Cloud API. That means that there is a significant momentum behind that approach from the very beginning. One could argue that this is just another standard or API besides so many approaches we've seen recently. However, the Simple Cloud API is somewhat unique for some reasons: It is focused on PHP. You may like PHP or not but it is an important language for...

Webcast

5 Golden Rules for Efficiently Implementing Access Governance

Kuppinger Cole Webinar Recording

Webcast

Getting the Big Picture: How Access Governance fits into IT Governance and Risk Management

Kuppinger Cole Webinar Recording

Webcast

The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management

Kuppinger Cole Webinar Recording

Vendor Report

Vendor Report: TESIS SYSware

TESIS SYSware, part of the TESIS group, is a private company located in Munich. The group consists of three divisions that are involved in a variety of IT fields. TESIS SYSware’s (hereafter referred to as TESIS) core business is in IT security and identity management. They are a provider of standardized software for these markets. The company’s focus is on password, privileged account and access management solutions for Windows file servers. As a specialized provider in the IAM market, TESIS is not well known. However, TESIS has powerful products and, for a company of its...

Blog

Vendors - lemmings or another species?

I had several interesting discussions with some vendors about the future of some market segments in the IAM market. And when I look at these markets (and many other IT markets, including the emerging cloud market) one thing becomes obvious: Established vendors tend to act as sort of lemmings. What do I mean by that? There is an idea that appears to be successful for one vendor. Then other vendors tend to follow without really analyzing whether this is really the best approach. They frequently claim that their customers are requesting that type of solution. But: Their customers are...

Blog

No Information Security Without Identity

IT professionals often have trouble convincing the budget managers that the often costly projects in Identity and Access Management (IAM) are really necessary. That should come as no surprise, since most of them belong to the category “IT infrastructure”, and it’s always hard to show a true ROI on something as fundamental as that. However, in lean times like these the boss man is more inclined than ever to demand a return on any type of expenditure. So what is the poor IT guy to do? One way is to use "soft" sales arguments, and that's why compliance has become so popular recently. It...

Blog

Beta Systems finally merges its versions

German vendor Beta Systems, one of the well established vendors in the core IAM market, e.g. provisioning (notably, they provide other solutions as well), has recently unveiled the new version of its provisioning product, now called SAM Enterprise Identity Manager - in contrast to its former name SAM Jupiter. That highlights that this product is part of a specific market segment, the identity provisioning products - most of them are named "Identity Manager". It as well shows that Beta Systems understands this release as a really major release. And, in fact, it is. Amongst the broad set of...

Blog

Identity Management by accident or design?

I was talking recently with Joerg Mauz, the CIO of a small German company called Ansmann AG that makes batteries and chargers for laptops and mobile phones. They may be tiny by some standards, but they have a big global footprint, and their 300 people are distributed around the globe from Shanghai to Macau to Stockholm and soon the U.S. as well. I asked him whether he thought Identity Management was a big issue for small companies like his, and he laughed. "They don't know what it is", he said, and then added: "Even though they may be doing it themselves already." Ansmann is a good case...

Webcast

Pass Your Next Compliance Audit With Confidence

Kuppinger Cole Webinar Recording

Blog

Too many GRCs out there

One issue when dealing with GRC (Governance, Risk Management, Compliance) is that there is no single person who is responsible within organizations. And there is a simple reason for that: There are far too many GRCs out there. Vendors provide completely different offerings using the same acronym. That's not new, but in the case of GRC, there is even more uncertainty raised than usual in the IT industry. From my perspective, the solutions might be segmented into four layers: The so-called "Enterprise GRC" which should be better named "Business GRC" or something because the other...

Blog

Show me your terrorists!

I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.” It turns out that firms are required by law to check their employees' names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies aiding or abetting persons or...

Webcast

Single Sign On for SAP Environments

Kuppinger Cole Webinar recording

Product Report

Product Report: Quest Single Sign-On solutions for SAP

The two products discussed here, Quest Single Sign-On for SAP GUI and ABAP and Quest Single Sign-On for NetWeaver, are Quest’s offering in the market for Single Sign-On (SSO) between Active Directory infrastructures and SAP environments on the basis of Kerberos. Quest also offers a "classic" SSO solution called Quest Enterprise Single Sign-On as an option for infrastructures which do not run Kerberos. Authenticating primarily via Active Directory which is standard in many companies brings some big advantages. In addition, all necessary information is consolidated within...

Blog

Sony VAIO VGN-Z series - finally with VT-support

I recently bought a very expensive high-end Sony VAIO VGN-z31 and was more than surprised and downright angry when I found out they had disabled the "VT" support of the Intel CPU, making it almost useless when it comes to virtualization with Virtual PC, VMware Workstation, Xen or whatever your favourite hypervisor was. With their latest set of updates for their EFI (the new BIOS technology) they have now finally given in to the numerous customer complaints, all coming from power users and professionals, who were upset to just have spent 2.000-3.000 €/$ on a machine that was basically leaving...

Blog

Why cloud services will sell despite slowdowns in outsourcing and MSS growth

Within the last few months, I've read several news items about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don't believe so, for several reasons: There are different numbers regarding the status and growth of the MSS and outsourcing market. Some are much more positive than others - and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press...

Blog

Commenting Print: Welt Kompakt 4.11.2009

I guess it became unpopular to read printed news in some societies but I really enjoy reading WELT KOMPAKT, a smaller printed form factor of the well-known daily WELT. Today, the more or less entertaining "Internet" section had a lead article called "Safe in the Web 2.0" or "Sicher im Web 2.0" by author Peter Zschunke. Eager to learn more about how "the general public" is informed about the dangers that lurk in the web, I read the mid-size article, featuring a James Bond-like shot of what seems to be a Security Ops Center. My interest turned into surprise, ending in a sort of rage when I finished...

Vendor Report

Cloud Vendor Report: Amazon

Amazon is widely known as an online retailer, having expanded its bookstore business to many other areas over time. Some time ago Amazon entered the Cloud Computing market. Amazon provides a broad set of services under their label Amazon Web Services (AWS), with the Amazon Elastic Compute Cloud (EC2) as the most popular one. Amazon’s strategy for providing web services based on their own experience in providing highly scalable and reliable services for relatively low cost (which is mandatory for their success in the retail business) appears to be valid. Amazon has managed to become...

Blog

The German data protection law starts to bite

The Deutsche Bahn has been sentenced to a penalty of 1,1 Mio Euro for breaches of the German data protection law, e.g. the privacy regulations in Germany. That is the record penalty based on the BDSG (Bundesdatenschutzgesetz), as the law is formally called. The reason for that penalty was abusive analysis of employee data to identify potential cases of corruption and fraud. Data of bank accounts of suppliers and employees were compared. That became public, and there was a lot of public discussion about it - the topic was top in the news for several days. And the CEO, Hartmut Mehdorn, was...

Blog

#SAPTechEd - SAP Netweaver & GRC Identity Management

During the last 30 months I was rather critical towards SAP's approach on how to position and further develop the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really good job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with the whole offering. Besides the fact that Business Objects GRC systems still has some...

Blog

#SAPTechEd - GRC cooperation between SAP and Novell

I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, operating both out of the US. Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), the discussion of business opportunities, market pull and demand for GRC in general were almost identical between the three of us. First let's check...

Webinar

Dec 08, 2009: 5 Golden Rules for Efficiently Implementing Access Governance

How do you do Access Governance right? What are the key success factors you have to focus on for quick wins as well as long-term success? This session explains how best to address access governance needs.

Webinar

Dec 09, 2009: How to Start: Recertification or Active Access Controls First?

What is the best approach to access governance? Should you start with attestation to understand where the problems are? Or should you first have a management infrastructure in place which allows you to control access across different systems, and then use access governance approaches to improve the state of your information security? Or is recertification sufficient? Kuppinger Cole analysts and different vendors discuss the strengths and weaknesses of different approaches.

Webinar

Dec 09, 2009: How to Efficiently Implement SoD Controls: Which Level Works?

SoD controls (Segregation of Duties) are a cornerstone of access governance. But how to efficiently implement them? Should they be based on roles, on activities, on granular entitlements? There are many different approaches to solve the problem. In this panel, different vendors and Kuppinger Cole analysts will discuss different approaches for SoD controls, with focus on their manageability and the required granularity.

Webinar

Dec 09, 2009: XACML: The Holy Grail of Access Governance?

In this panel, the role XACML will and can play for access governance is discussed. Is XACML the solution? What is missing? How to manage policies and how to analyze these dynamic constructs? And how to avoid vendor lock-in? The strengths, shortcomings and needed improvements are discussed by different vendors and Kuppinger Cole analysts.

Webinar

Dec 08, 2009: Getting the Big Picture: How Access Governance fits into IT Governance and Risk Management

Access Governance is a key element in every strategy for information and system security as well as IT Governance. However, there are many different approaches from system-level access control management tools for ERP systems with some SoD support up to “Enterprise GRC” solutions which focus on the risk management and governance approaches from a high-level business perspective, sometimes without the interface to IT systems. And access-related controls are only part of that – 4 of 210 controls within COBIT, for example. For sure they are highly relevant, but they are only part of a bigger...

Webcast

The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Kuppinger Cole Webinar recording

Blog

#SAPTechEd - Google Wave @ work // Enterprise 2.0?

Communication & Collaboration - that is what email is all about - or should be. The GoogleWave concept mimics snail mail and a wiki at the same time, while also being a protocol and an application. The demo looks like a cooperative instant-message chat, but showing character by character, making an almost f2f chat impression... Anyone who has used OneNote online before may be used to seeing the joint changes of multiple participants in one document - but it is amazing to see even uploads of photos and other material into the wave in the blink of an eye. To see somebody adding a Google-map into the wave...

Blog

#SAPTechEd - Original1 against Product Piracy

Again, sorry for bothering you with non-IAM information, but this is heavily interesting for those looking into Business-GRC. Just now, Nokia, SAP and Giesecke+Devrient announced the joint venture called Original1, which will offer SaaS solutions for anti-piracy and anti-counterfeiting projects. The goal is to enable customs officers, supply-chain service providers and possibly wholesale customers to check and verify if a certain batch or delivery is actually original product or counterfeited merchandise. The solution will leverage technology by all three vendors, comprising SAP ERP back-end...

Blog

Q & A from the XACML/ABAC Webinar

On the Webinar that Babak and I did on ABAC and XACML three weeks back, there were quite a few questions that popped up! Unfortunately we did not have time to answer all of them during the webinar, so we promised that we would collect them and answer them afterwards. BTW today there is another webinar on a related topic: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security Q: Please, specify the major difference between role mining (role consolidation based on role attributes) and the privilege giving mining approach? A: (Babak) Role mining is about finding...

Blog

#sapteched: too much twittering.. ;-) - but not enough on IAM & GRC

Did you find yourself adding hash-tags in emails or "old-fashioned" blog posts recently? Well, I think we are all tweeting quite a lot (except for me, I do not spend too much time on it) and organizing tweets that way is a good thing, for sure... In between two Netweaver security tracks I just wanted to give you an update on the cool show SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC ;-) in Munich. Novell made some great announcements recently and - to no surprise for me - their now combined SAP/Novell offering...

Webinar

Dec 08, 2009: The Three Elements of Access Governance: Recertification/Attestation – Access Control – Privileged Access Management

Access Governance is commonly associated with “recertification” or “attestation” as approaches for a recurring review of existing access controls by the responsible managers in IT and business. But knowing the problems isn’t sufficient – enforcing changes and implementing continuous processes for access controls is a key element. And, beyond that, many approaches mainly focus on standard access and not on the security sensitive privileged accounts. This session explains the elements for a consistent approach – across all areas of access governance and all levels of controls, from system to...

Blog

Windows 7 and SmartCard removal behaviour... no system lock?

Ok, this should be a blog about insights to the general Identity & Access Management and Governance, Risk Management & Compliance Markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G (UMTS) on netbooks) every once in a while, but I think one blog is enough to maintain and publish stuff to ;- ) So, whoever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze these days, but you may be as puzzled as I was when I pulled the card from the reader and the system did NOT lock itself... Well,...

Blog

Vienna Calling

Well, unlike Falco in his famous hit single, this time it is SAP who's calling the world's ERP elite to Austria's capital next week - and I am happy enough to participate in one of these one-in-a-thousand events that really stand out. My very high expectations regarding the expertise I am planning to meet are only paralleled by the curiosity if (and if yes, who) there is gonna be a star like Zucchero performing as part of the event :-) Ok, back to the real issues, because there is a lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as...

Webcast

One Password for Everything - Enterprise Single Sign-on

Kuppinger Cole Webinar recording

Blog

Social networks could be secure!

Yesterday, I read an article at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don't have any chance to avoid crawlers accessing personal data which should be presented only to friends. Ridiculous!!! Sorry, that is definitely nonsense! It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular...

Blog

XACML - why it is so important

XACML (eXtensible Access Control Markup Language) gains an increasing attention as one of the core standards in the field of information security and thus IT security. Whilst standards like SAML (Security Assertion Markup Language) address the problem of authentication, XACML is about authorization - the more complex threat. XACML allows the definition and exchange of authorization policies in a heterogeneous environment. Whether it is about cloud security and controlling the authorization policies of cloud services or about SOA security for internal applications: XACML supports the...

Blog

Show me your terrorists!

How many terrorists work for your company? Dunno? Well, see you in jail, pal! I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: "We are sacrificing employee privacy on the altar of anti-terrorism." It turns out that firms are required by law to check their employees' names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the...

Blog

How to fight "GRC Anarchy"

GRC (Governance, Risk Management, Compliance) has become a leading issue not only for IT professionals, but for senior management as well. However, it isn’t always clear who’s in charge. Responsibility for GRC is set to become a major issue in the coming months. So whose job is GRC, anyway? Unfortunately, there is no clear-cut answer. Most intuitive solutions prove at closer glance to be just too simple. It can't be the CFO, because that would mean that he would be in charge of policing his own bailiwick. The CIO can't do it, either, unless we're talking about controlling the IT...

Webinar

Oct 27, 2009: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

SOA is far from dead but many organizations suffer from a severe SOA disease caused by too many enthusiastic deployments of isolated and siloed services. In this webinar, Martin Kuppinger will provide you with insights on SOA Governance, followed by Axiomatics and Intel showcasing their joint SOA security solution.

Webinar

Dec 10, 2009: Provisioning Trends: Lean, Fully Automated, Cost-Effective

In this webinar, Martin Kuppinger (Kuppinger Cole) and Reto Bachmann (Quest) bring you up to date on automated provisioning.

Webinar

Nov 19, 2009: Pass Your Next Compliance Audit With Confidence

Bottom-up, top-down, or both? What is the appropriate approach to automate auditing on access and reporting on directories and identities and also on mail and file access? In this webinar, Martin Kuppinger (Kuppinger Cole), Jackson Shaw and Reto Bachmann (both Quest Software) will discuss these questions with you and talk about best practices on how to integrate IT and business views.

Webinar

Nov 11, 2009: Single Sign-on for SAP Environments

The identity management marketplace offers a number of different solutions enabling Active Directory-based single sign-on for SAP, making life for SAP end users much easier and at the same time offering a good potential to reduce the costs of managing your IT infrastructure. In this webinar, Martin Kuppinger (Kuppinger Cole) will talk about the different concepts of SAP SSO and why Kerberos is a real option in such an environment. Then, Jackson Shaw and Reto Bachmann (Quest Software) will present some best practices based on Quest's solution for SAP.

Press Release

A Reference Architecture for GRC

New overview report from Kuppinger Cole + Partner. Düsseldorf, 14.10.2009 - Governance, Risk & Compliance: these three terms (abbreviated "GRC") are appearing more and more often. Unfortunately, they are often confused with one another. It is easy to pack all kinds of technologies under the umbrella of "Risk" or "Compliance", but for customers and users this can lead to uncertainty and confusion. The new report "A Reference Architecture for GRC" from KCP provides a clear...

Press Release

GRC Reference Architecture

New Overview Report from Kuppinger Cole available. Duesseldorf, October 14th, 2009 - Governance, Risk & Compliance - these three terms, "GRC" for short, are pretty widely used these days. Unfortunately, there is great confusion in how this term is used. The reason for this confusion is, in all probability, that the term makes it easy to sell all kinds of technology under the umbrella of "Risk" and "Compliance" solutions. The new report "A GRC Reference Architecture" aims to clarify the term GRC by defining a reference...

Webcast

The Role of Entitlement Management in Governance, Risk and Compliance Management

Kuppinger Cole Webinar recording

Blog

Another approach to IRM

Last week I had a discussion with Seclore, a software company based in Mumbai, India. They are focusing on the area of Information Rights Management (IRM), one of my favourite research areas. I'm interested in this topic mainly for two reasons: Information Rights Management is one of the IT topics with the closest relation to the core business topic of Information Security/Protection (including Intellectual Property Rights, IPRs). Information Rights Management is the approach which allows the ongoing protection of information at rest, in move and in use - compared to many other...

Webcast

Security with Automated Provisioning

Kuppinger Cole Webinar recording

Blog

Integration for the cloud

On Monday I met with Matthieu Hug from RunMyProcess in Paris, an interesting start-up company in the "cloud". Their focus is pretty easy: Integrate the cloud - with what you have internally and with other cloud services. At CeBIT 2008 I did a presentation about "SaaS" and related topics (we didn't use the term "cloud" at that point of time). One of the three major issues I discussed as threats in that area (and would mention nowadays as cloud threats) is integration. How do you integrate external cloud services with other external services or internal applications? Some of these...

Product Report

Product Report: Quest Single Sign-On solutions for SAP

With the two products Quest Single Sign-On for SAP GUI and ABAP and Quest Single Sign-On for NetWeaver, Quest offers a market-leading solution for single sign-on between Active Directory infrastructures and SAP environments on the basis of Kerberos. As an option for infrastructures in which a Kerberos-based solution is not wanted, there is also Quest Enterprise Single Sign-On, a classic enterprise single sign-on solution. The advantage is that the primary authentication via Active Directory, which in very...

Blog

Identity Management: Challenge Outsourcing

Outsourcing and offshoring are a fact of life in many companies, but for some, when it comes to managing user identities and access rights or enforcing rules on governance, risk management and compliance, these are still very early days indeed. In fact there are a number of good reasons why you should think about IAM (Identity & Access Management) every time you think about GRC (Governance, Risk & Compliance). Despite all the efforts to secure externally managed services and applications through policies and technology, gaps in the safety nets set up by those in charge of GRC...

Advisory Note

Overview Report: A GRC Reference Architecture

Governance, Risk & Compliance - these three terms, "GRC" for short, are pretty widely used these days. Unfortunately, there is great confusion in how this term is used. The reason for this confusion is, in all probability, that the term makes it easy to sell all kinds of technology under the umbrella of "Risk" and "Compliance" solutions. But there are very precise areas that GRC should cover, and others that it shouldn't, for example "IT-GRC", the area of tools and methodologies to assure internal control within IT operations, should be...

Press Release

New Business Report from the Analyst Group Kuppinger Cole Available

Düsseldorf, 02.10.2009 - The analyst group Kuppinger Cole, which focuses on the topics of Identity and Access Management (IAM), GRC (Governance, Risk Management, Compliance), digital identities in the enterprise, on the Internet and in society, as well as cloud services and computing, has presented its business report "Identity & Security in the Cloud".

Blog

GRC – a heavily segmented market

GRC – Governance, Risk Management, Compliance. A typical buzzword, but well established right now. However, the problem of all emerging markets associated with a buzzword arises here as well: There are many different vendors with different types of offerings, all claiming to solve the GRC problem. But: The GRC problem has many facets and is (beyond “we have to manage risk, we have to be compliant”) largely undefined. We’ll publish a report these days on a GRC reference architecture followed by, probably in early November, a market segmentation report, placing vendors in one or more...

Webcast

Beyond Role Based Access Control - the ABAC approach

Kuppinger Cole Webinar recording

Advisory Note

Technology Report: XACML – Extensible Access Control Markup Language

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe. At the same time, compliance with external regulations and internal policies is very important and access control technology is key. We can think about access control doing two things: 1. Identifying the users (who are you) 2. Allowing known users to do things (what are you allowed to do) The first part is authentication and solutions are very mature...

Blog

Google makes changes to Android Market, but many are still unhappy

Under immense pressure from users and developers, Google has recently announced some changes to Android Market. But this may turn out not to be enough. Even though sales for mobile phones with Google's Android operating system are ramping up, developers find it hard to make money on that platform. A recent bombshell was a blog post from Larva Labs towards the end of August. Larva Labs' average income for all Android paid applications was only $62.39 per day - and that included games that are ranked #5 and #12 in the Android Market. This is a tiny figure when compared to Apple's App Store, where a...

Blog

Beyond RBAC

Please join me tomorrow for a free Webinar on the topic "Beyond Role Based Access Control - the ABAC Approach". Many - if not most - organisations are not getting as much value as they thought from RBAC (role based access control). In fact, many RBAC projects start with high expectations, but quickly get bogged down due to many issues and problems. Eventually it turns out that the initial expectations were too ambitious. But why? Is RBAC making promises that are difficult to keep? Many in the industry (Babak and myself included) think that this is due to the fact that the real world just...

Press Release

Kuppinger Cole analyst appointed professor of security and risk management

Düsseldorf, 24.09.2009 - Sachar Paulus, Senior Analyst at Kuppinger Cole for SAP security and GRC, will take up a professorship in business informatics, with a focus on enterprise security and risk management, at the Fachhochschule Brandenburg starting in October. He will teach there in the "Security Management" master's programme and head the competence centre for qualification in the field of security.

Blog

VeriSign VIP - back again?

It has been pretty quiet around the VIP (VeriSign Identity Protection) solution. I have played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn't see much of VIP (and didn't hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it "triple-sec" given that three different factors are used - the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile. VeriSign VIP Access for Mobile is in...

Advisory Note

Business Report: Identity & Security in the Cloud

Cloud computing has been the ultimate buzzword in the IT industry for about two years. Historically, cloud computing goes back to various approaches to the external provision of applications or storage space in order to relieve or even completely replace corporate IT. ASP ("Application Service Providing") was already discussed intensively in the 1990s with the rise of the Internet, but such offerings generally failed because of insufficient bandwidth, a lack of reliability and users' security concerns. Only a few services such as...

Webcast

Identity Services and the Cloud

Kuppinger Cole Webinar recording

Webcast

Reliably enforcing security policies

Kuppinger Cole Webinar recording

Webcast

Minimizing Business Risks through Enterprise SSO

Blog

Cloud Business Models - a threat for vendors

During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren't really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term. One of the obvious shortcomings are accounting periods which are too long and thus don't provide the required flexibility which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within...

Webinar

Oct 13, 2009: The Role of Entitlement Management in Governance, Risk and Compliance Management

Modern IT infrastructures empower their users and thereby introduce new risks. The effectiveness and efficiency of control frameworks and GRC programs are therefore becoming an increasingly important focus area for IT and business managers alike. Yet, GRC initiatives tend to be reactive, striving to optimize monitoring, surveillance and auditing capabilities and the GRC overhead keeps growing. Instead we need risk-intelligence built into our IT-infrastructures. This is what Entitlement Management helps achieve. Entitlement Management provides real-time enforcement of policy-based access...

Webinar

Sep 29, 2009: Beyond Role Based Access Control - the ABAC Approach

In this webinar we discuss the original ideas behind RBAC and why large RBAC projects often lead to role explosion problems and therefore fail in their initial ambitions. We also introduce the concept of Attribute Based Access Control (ABAC) which overcomes some of the well-known problems with RBAC and enables a fine-grained and contextual (adaptive) access control. ABAC meets the requirements of modern IT-infrastructures where dynamically changing needs must be captured and dealt with in real-time. This Webinar is supported by Axiomatics.

Webinar

Oct 23, 2009: One password for everything - Enterprise Single Sign-on

There is hardly a user who has not forgotten their password at some point and kept the helpdesk busy with a password reset. The helpdesk's workload increases exponentially when users have to remember several different passwords for different applications, which also have to be changed at different intervals. Projects that set out to simplify authentication processes are therefore very visible within the company, and an RoI can generally be demonstrated conclusively through the reduced helpdesk load alone....

Webinar

Oct 09, 2009: Security with automated provisioning

User management is a resource-consuming challenge because of constant changes and additions, and not only in large companies. Even when the processes for provisioning user accounts in the various applications are cleanly defined, manual work carries enormous security risks, for example in the form of orphaned user accounts. In this webinar we talk about the options for minimizing these security risks through automated provisioning.

Webinar

Sep 17, 2009: Minimizing Business Risks through Enterprise Single Sign-on

Receiving approval for project budgets has been difficult in these days, especially if there isn't a very visible and almost immediate return on investment. Simplifying the way how users login to the applications they need for their daily business is an area, where plenty of low hanging fruits provide such immediate RoI i.e. through the reduction of password reset helpdesk calls. In this webinar, Joe Skocich from IBM and Martin Kuppinger talk about commonly overlooked considerations when evaluating SSO solutions, and how to short term tactical RoI considerations with long term business risk...

Webcast

Simplifying entitlement analysis and management

Kuppinger Cole Webinar recording

Blog

Quick Wins in Identity Management

In times of economic downturn, the pressure is on to save costs and increase efficiency. Everybody working in the IT sector will be familiar with projects being put on hold, spending frozen, colleagues being laid off. Unsurprisingly, most of those left working in IT departments see their workload and working hours increased, as they are being asked to deliver more with less resources. These are the typical signs of a dire economy, that may or may not be starting to turn around slowly: but those particular problems are not going away any time soon. With the current squeeze on cost and...

Blog

Novell takes off into the Cloud

Novell has very recently announced a new product entitled "Cloud Security Services" - a comprehensive set of software that allows cloud providers to connect customers to their infrastructure in a safe and efficient way. This product is the first one that is not marketed to enterprises - instead it is sold to cloud service providers, who will license it for their customers. Cloud computing is generating much interest. A recent statistic by Google has shown that hits for the phrase "cloud computing" are growing steadily. Why? In search for productivity and efficiency, enterprises...

Advisory Note

Overview Report: SAP Security – Getting the Whole Picture

SAP Security is a wide field. Most SAP Technology Experts think that SAP Security is all about authorizations, user management, roles, profiles and all that highly complicated stuff. But it is like with protecting a house: if you only look at who has which keys for the doors, but forget to close the windows, then your security might be pretty weak. Therefore, it is important to get "the whole picture" about SAP security. Consequently, in this report we highlight all the relevant technical and organizational activities that you should think about when you care about the security...

Vendor Report

Cloud Vendor Report: Citrix

Citrix Systems (Citrix) is an established IT vendor which started with Terminal Server products in Windows environments, allowing users to access sessions which are running on a Windows Server remotely. Based on the success of this market-leading technology, Citrix has consequently expanded its portfolio over the course of the years to address as well more complex virtualization and “application delivery” issues as well as to enter the emerging Cloud Computing market. In the latter market, Citrix acts as a virtualization and management infrastructure vendor as well as an...

Product Report

Product Report: Siemens DirX Identity 8.1

With version 8.0 of DirX Identity, available since 2007, Siemens has been able to establish itself as one of the technically leading vendors in the field of enterprise provisioning. With version 8.1, available since August 2009, Siemens has once again considerably extended the functionality. The product ranks among the technically market-leading solutions. In addition, Siemens has by now again created a clear and sensible organizational structure for its security solutions business, after, in the course of the restructuring of the...

Blog

Social OX - changing the way we work with social networks

Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open Xchange and the concept of a "personal information hub". The idea is to provide an approach where someone can maintain its "contacts" centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, FaceBook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data. The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in...

Webcast

Access management done right

Kuppinger Cole Webinar recording

Seminar

Sep 22, 2009: Governance, Risk and Compliance – more than just rules

Reliability is the most important characteristic of a good identity and security management solution. But writing down the management and security procedures is not enough on its own – you need the certainty that the chosen solution also lets you meet, implement and monitor all policies and regulations. The goal is "Making IT Work As One!"

Blog

Is PAM (or PIM or PUM) moving into Provisioning?

These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That’s interesting. I’ve blogged some time ago about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products. Siemens didn’t acquire but implemented some own technology. They mainly focus on providing one-time passwords for the use of privileged accounts and re-setting these...

Webinar

Sep 18, 2009: Reliably enforcing security policies

On paper it is usually not that difficult to achieve a satisfactory level of security through appropriate policies. In practice, however, a lack of resources, tight budgets and, not least, increasingly complex infrastructure eat away at the efficient implementation and enforcement of these policies. In this webinar, in cooperation with Novell, we describe which approaches to automated monitoring of the security of IT systems exist on the market and what you need to pay attention to when introducing them.

Blog

Identity – Last Man Standing?

Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls. I...

Press Release

Analyst group Kuppinger Cole takes on the cloud chaos

The analyst group Kuppinger Cole has published an updated Market Report on cloud computing.
Cloud computing is the next fundamental evolutionary stage of IT and far more than hype. Cloud computing leads to flexible, scalable IT in which services can be both provided internally and sourced externally, depending on needs and circumstances.

Blog

Licensing for the cloud - the Skype case

These days, there were several articles in different media stating that eBay might discard its Skype service. The reason is that they haven't acquired the underlying P2P core technology. This is still owned by Joltid. And Joltid plans to terminate that license agreement. One doesn't need to be a prophet to guess that the real reason behind that situation is about money... However, eBay definitely is in a difficult situation. They might find a deal with Joltid. They might discard the Skype service with its 16 million users - which probably won't be that lucky about. They might develop an...

Blog

Microsoft: minimum disclosure about minimum disclosure

A good year ago, Microsoft acquired an innovative company called U-Prove. That company, founded by visionary Stephan Brandt, had come up with a privacy-enabling technology that effectively allows users to safely transmit the minimum required information about themselves when required to - and for those receiving the information, a proof that the information is valid. For example: if a country issued a digital identification card, and a service provider would need to check whether the holder is over 18 years of age, the technology would allow to do just that - instead of having to transmit a...

Blog

Finally: an open XACML API!

Whilst at the Burton Group’s Catalyst 2009 conference, I ran into Prateek Mishra from Oracle who told me somewhere between the lines of our conversation that a new XACML API has just been posted to the OASIS XACML TC. It was a “soft launch” that was announced at the Kantara meetings on Monday at Burton Catalyst (which very unfortunately, I missed). When Prateek mentioned it to me, it stopped me dead in my tracks, because I find it really significant news – a very important step towards flexible access control policy based on XACML. Before I get in the details, let me step back a bit...

Blog

About trademarks in the IAM business

These days I have learned that Fischer International Identity has trademarked two pretty generic terms: Identity as a Service (TM) and IaaS (TM). I wondered (and still wonder) about that. Fischer declared that they have invented that type of business ("a services-based architecture built from the ground-up for the express purpose of cost-effectively delivering identity management capabilities via the Software as a Service (SaaS) model"), built on a SOA architecture, supporting multi-tenancy, being able to work across firewalls. Honestly: Yes, they are an innovator in that space....

Blog

The blessings of 3G with Win 7

As a tech savvy person and all-time traveller I recently acquired a mobile network data flat of one of the local German and international providers - the one with pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or - in my case - one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless and comes with Windows XP Home to my demise. Failing in preparing a proper backup (Acer gives you a backup software to burn media - but a netbook does not have an optical drive, and mapping the...

Webcast

Externalizing Identity to the Cloud

Kuppinger Cole Webinar recording

Blog

Many test cases for German eID card

Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases. For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are...

Blog

Virtual Directory Innovations

As someone actively covering directory services and virtual directories, several innovations have caught my attention. The players within the virtual directory space are (in alphabetical order) Optimal IDM, Oracle, SAP, Radiant Logic, Red Hat, and Symlabs. When it comes to product development and innovation within the last year, you can split those vendors right down the middle. - Optimal IDM, Radiant Logic and Symlabs have been actively developing their product and churning out new features in new versions. The others have not been adding any features, but instead spent time changing...

Webinar

Aug 20, 2009: Simplifying entitlement analysis and management

In this webinar, Martin Kuppinger first addresses the need to develop consistent authorization strategies that provide end-to-end protection of information with minimal administrative effort – by concentrating on the essentials and not getting bogged down in point solutions. Reto Bachmann of Quest Software will then use practical examples to describe how entitlement management can be made simple and transparent using Quest Access Manager.

Webinar

Aug 14, 2009: Access management done right

In this free webinar we look at how an ideal basis for consistent access management can be created and how it can be developed further step by step.

Webinar

Sep 21, 2009: Identity Services and the Cloud

The reason companies are considering cloud computing is to avoid the expense involved in building or acquiring the infrastructure, and to some extent managing it. However, without paying attention to the security and governance implications, those cost savings will actually evaporate when they either try to retrofit their existing business policies and controls into the cloud environment, or when they have to deal with the fallout from a breach or issue. In this webinar, Nishant Kaushik (Oracle) and Martin Kuppinger (Kuppinger Cole) will talk about this, and examine how identity services...

Vendor Report

Vendor Report: SAP

SAP is the world’s leading vendor of enterprise business systems, with a core focus on ERP (Enterprise Resource Planning), but as well delivering application platforms for business processes and business intelligence solutions. Within the broad portfolio of SAP, the areas of GRC (Governance, Risk Management, and Compliance) and IAM (Identity and Access Management) became more prominent over the course of the last few years, based on the fact that these capabilities are highly important for today’s businesses to as well fulfill compliance requirements as to optimize business...

Product Report

Product Report: Quest ActiveRoles Server

Quest’s ActiveRoles Server belongs to the category of Enterprise Provisioning products, but it is not a typical standard-issue provisioning solution. Instead, it is a tool for role-based administration of both Active Directory and a growing number of other system environments. As is to be expected, its greatest strengths are in management of Active Directory environments, where its functionality extends significantly beyond just simple provisioning. On the other hand, Quest has been systematically augmenting and improving the product’s existing provisioning functions over the...

Blog

Vendors might sell even in immature markets

These days I had a discussion with a vendor who sells different security tools which make up sort of an Endpoint Security "suite" about my and his view on that market. He was sort of offended by my critical view on today's endpoint security market and claimed that his company and many of his competitors are selling large amounts of licenses to customers. Thus I must be wrong when telling people that the market isn't really mature today. My view on endpoint security is, by the way, not as sceptic as the one I have on the DLP market (Data Leakage Protection/Prevention). I think that well...

Blog

Lesser of two evils?

More than 250.000 people have watched "ethical hacker" Chris Paget cruising the streets of San Francisco gathering RFID data from the new U.S. PASS cards and "enhanced" chipped drivers licenses. All it took him was about $250 for a scanner and an antenna, as well as a piece of software he downloaded from the Internet. The new "e-passports" are now mandatory for U.S. citizens entering the United States from Canada, Mexico, Bermuda and the Caribbean, though conventional passports will be accepted as long as they are valid. Paget was able to read and clone the information of the chips within...

Advisory Note

Market Report: Cloud Computing

Cloud computing is often seen as obtaining services from the Internet. In our assessment, this definition is not correct. The essential aspect of cloud computing is to regard IT as services that can be flexibly sourced and tailored in order to take the requirements of the business into account. What is fundamentally new is the flexible sourcing of these services, with which IT services increasingly become resources like electricity or water, obtained from the socket or the water pipe. Of course, this does not apply to all...

Blog

Google's latest bombshell: the Chrome operating system!

The news from Google hit like a bombshell. Google is launching an operating system, called Chrome OS (like its web browser). According to the press release, the system will be shipping on Netbooks in the second half of next year. As is to be expected, the operating system will be open source. Chrome OS will be built on top of a Linux kernel, and will "use its own windowing system", which most likely means that X windows - the standard for decades on UNIX platforms - will not be used. As technology evolves, it sometimes makes sense to draw a line under what has been done so far, and start...

Blog

Will DMTF deliver on cloud management?

Recently, the DMTF (Desktop Management Task Force) announced an initiative to develop cloud standards for resource management, packaging formats, and security mechanism to facilitate the interoperability of private and public clouds (and amongst public clouds from different providers). Given my recent critics on the term of "private cloud" that means just standards to be able to use different types of service providers, regardless where they are. The announcement can be found here. The DMTF starts an Incubator to develop such standards, including existing work and standards like WS-Policy...

Blog

Integralis set to become the security arm of NTT

By acquiring the Munich-based IT security specialist Integralis AG, the Japanese telco giant NTT (Nippon Telephone & Telegraph) plans to become a major player in the world-wide market for managed security and identity management solutions. Integralis (511 employees, €167 million Turnover) will be integrated as a separate division within NTT’s Communications subsidiary (13,000 employees, €10 billion turnover). On Tuesday, NTT offered the Integralis shareholders €6.75 per share. Integralis’ shares had been trading for around €5, up from a low of €2.14 in February. This...

Blog

Stronger and simpler authentication

I've seen many approaches for strong authentication - most of them are either too expensive, too complicated, or they aren't really appealing. The latter is true for approaches like "passfaces" have to pick one or some known faces from different pictures. Many approaches are complicated to deliver. And many of the token-based approaches are complex from a logistics perspective and are expensive. However, many of these approaches and especially combinations of for example hardware tokens and soft-tokens will work for many use cases. But there are other approaches which are interesting as...

Blog

The flowering of the identity store

The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed) Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by xmlgrrl, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of Mydex on rightsideup.net entitled "The Personal Data Eco-System" which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data. The text is an abstract of a session Iain and his pal Drummond Reed of Concordance, who is also a trustee...

Blog

Saving with security

This is true in many areas. Single solutions popularly labeled and sold under the name “Data Leakage Protection/Prevention” are mostly just conscience salvers. They may deal with a certain concern, but don’t solve the overall security problem. In fact most of them leave gaping holes. Most of the issues addressed by DLP products can be resolved through group policy rules in Windows. Central management through true Endpoint Security/Protection solutions are by far the best way to handle your company’s wide range of client security issues. Another area in which poor...

Webcast

Get the Big Picture - Managing Access beyond SAP for Cross-Enterprise Identity Governance

Kuppinger Cole Webinar recording

Blog

Pricing models for the cloud

Even while I don't share his understanding of the term "private cloud" (I don't believe in that term), I like what Chuck Hollis of EMC has blogged about "Monetizing the cloud". There are so many open questions around the valid business models for as well cloud providers as consumers for cloud services. And everyone will have to learn a lot - and learning from others might help to avoid mistakes. By the way I also wouldn't limit the cloud discussion to "providing infrastructure" - it goes well beyond that and covers virtually any type of IT service. There will be room to discuss things like...

Blog

Why is IBM TIM 5.1 just a minor release?

IBM yesterday has announced its Tivoli Identity Manager 5.1. If you read the list of new features you might end up with the same question like me: Why is it only version 5.1, e.g. a minor (.1) release instead of TIM 6? Amongst the new features are fundamental things like Role Management, SoD support, attestation and, last not least, support for some Privileged Account Management (or Privileged Identity Management, the term IBM is using). With other words: IBM has significantly expanded the feature set of its product, mainly adding a lot of IAM-GRC features to what TIM delivers. Given that...

Webinar

Jul 22, 2009: Externalizing Identity into the Cloud

Externalizing Identities from applications into a service oriented layer within the enterprise IT architecture has been discussed a lot within the last years, mainly in the light of reducing application development costs and to devolve all those identity silos captured in enterprise applications. With cloud computing and *aaS picking up momentum, the externalization of identity management into such a service layer finally seems to be rewarded with enough attention to move far up on many CIO's priority lists. Join this free webinar moderated by Dave Kearns to learn more about the different...

Blog

Parallels wants to bring SaaS to the masses

Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle. Soeren is VP SaaS at Parallels, a company that describes itself as "worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers". His job is to bring together Internet Providers and Services Providers (ISVs) by providing a common platform to provision, manage and integrate applications and services over the Internet. His vision...

Blog

It's not about the cloud - it's about Cloud IT

The biggest problem around cloud computing is the lack of a valid and well accepted definition. Definitions like "scalable services delivered via the internet" fail for example when thinking about "private clouds" which aren't used via the internet (but at least based on using the same standards). And, by the way, not every cloud service will have to be highly scalable - there will be more and more very specialized services where functionality is key, not a massive scalability. But the more you dive into the topic of cloud computing it becomes obvious that this cloudy thing of "cloud"...

Webcast

Measurable security and cost benefits through single sign-on with strong authentication

Kuppinger Cole Webinar recording

Blog

Hooray, LDAPcon 2009 is coming up!

I was delighted when I saw that LDAPcon is happening again this year. I went to the first event in Cologne, Germany 2007, and was very impressed. When you have the "creme de la creme" from the LDAP community talking about their favourite topic, you're guaranteed an interesting and exhilarating time - assuming that LDAP and directories are your thing. I still remember last time how Howard Chu gave us a musical demonstration of how a well-performing directory should perform - on the violin! I don't think anybody forgot that. We also got a very good overview of the different open source...

Blog

UnboundID launches frontal attack on Sun - good idea??

I recently received a press release from UnboundID announcing the availability of a new "synchronization server". This software keeps two LDAP servers in sync (as the name suggests) - bidirectionally. In theory very useful, and it's free too. But there's a small trick: the synchronization server supports both Sun's DSEE (Directory Server Enterprise Edition) and the new Unbound ID Directory Server. In the release, Unbound ID makes no secret of what this software should be used for: to migrate away from Sun's directory toward Unbound ID's competing solution. UnboundID is a start-up based out...

Webinar

Jun 25, 2009: Get the Big Picture – Managing Access beyond SAP for Cross-Enterprise Identity Governance

In this free webinar, you’ll learn how an integrated identity governance approach can more effectively improve your risk posture with enterprise-wide policy enforcement, access certifications and role management across all relevant systems. By having a single view into user access rights, you will greatly improve your visibility into risky or non-compliant areas and automate your processes for managing these risks.

Product Report

Product Report: Siemens DirX Access

Siemens managed to enter the web access management and identity federation market successfully by buying in and then significantly developing technology. Siemens DirX Access’ version 8.1 is a technically accomplished solution with a flexible and modular architecture concept. Siemens DirX Access 8.1 covers all standard requirements for solutions in this segment and in addition offers even more features for web services security and application integration options - especially for federation-support. The product is thus one of the leading solutions in the marketplace. A decisive...

Vendor Report

Vendor Report: Siemens

Siemens is one of the largest companies in the world. Siemens IT Solutions and Services (SIS), responsible for IT-products and services, is one of the different segments [Siemens refers to these as “sectors”] of the company group. The established IAM and GRC products from Siemens are also allocated to this segment. Biometric solutions, smartcards, card management and public key infrastructures are part of the product range for IT security, in addition to IAM core solutions. SIS focuses more and more on the integration of horizontal solutions portfolios such as ERP, CRM and...

Webinar

Jun 09, 2009: Measurable Security and Cost Benefits from Single Sign-On with Strong Authentication

This webinar covers the quantitative and qualitative benefits of Enterprise Single Sign-On projects combined with strong authentication.

Webcast

EIC Impressions

A few short interviews from the European Identity Conference 2009

Webcast

Interview with Marina Walser, Novell

Tim Cole interviews Marina Walser at the European Identity Conference 2009

Webcast

Interview with Kim Cameron, Microsoft

Tim Cole interviews Kim Cameron at the European Identity Conference 2009

Webcast

Interview with Fulup Ar Foll, Sun Microsystems

Tim Cole interviews Fulup Ar Foll at the European Identity Conference 2009

Blog

Trends and Threats in Desktop Virtualization

Desktop virtualization is clearly a hot topic in IT, but a closer look reveals that some elements are still missing and that in many use cases problems would be better addressed using “classic” technologies such as Client Lifecycle Management and terminal services. That certainly doesn’t mean that there is no need for desktop virtualization. There are several interesting use cases for desktop virtualization and the technology will become more important over time. A successful deployment of desktop virtualization, however, requires a well-thought-out concept and careful planning, and...

Blog

What defines the cloud?

There are plenty of definitions of the "cloud". Most of them include aspects like services which are provided via the internet and which are highly scalable. But the discussion about terms like a "private cloud" proves that this is a somewhat insufficient definition. Depending on the definition of a "private cloud", these services might be delivered via a private network. The insufficiency becomes obvious as well with respect to some of the aspects of the cloud. There are so many different types of cloud services that there are for sure some which, for example, are so specific that they...

Webcast

The Care and Feeding of Online Relationships

Keynote at the European Identity Conference 2009

by Eve Maler, Sun Microsystems

Webcast

Identity Management Systems as a Risk?

Keynote at the European Identity Conference 2009

by Niels von der Hude, Beta Systems Software

Webcast

Identity Management in the Focus of eGovernment and Vertical Solutions

Keynote at the European Identity Conference 2009

by Sabine Erlinghagen, Siemens IT Solutions and Services

Webcast

The Road to Claims: From Vision to Reality

Keynote at the European Identity Conference 2009

by Kim Cameron, Microsoft

Webcast

Is there a difference between the European way of doing IAM/GRC and „the rest of the world“?

Keynote at the European Identity Conference 2009

by Paul Heiden, BHOLD COMPANY BV, Prof. Dr. Audun Josang, Queensland University of Technology, and Oslo University, Darran Rolls, Sailpoint, Chris Harvison, Scotiabank

Webcast

Identity Management & GRC 2009 - 2019

Opening keynote at the European Identity Conference 2009

by Martin Kuppinger, Kuppinger Cole + Partner

Webcast

Interview with Berthold Kerl, Deutsche Bank

Tim Cole interviews Berthold Kerl at the European Identity Conference 2009

Webcast

Interview with Prof. Dr. Rob Fijneman, KPMG

Tim Cole interviews Dr. Rob Fijneman at the European Identity Conference 2009

Webcast

Interview with Dr. Prateek Mishra, Oracle

Felix Gaehtgens interviews Dr. Prateek Mishra at the European Identity Conference 2009

Webcast

Interview with Dale Olds, Novell

Felix Gaehtgens interviews Dale Olds at the European Identity Conference 2009

Webcast

Interview with Anthony Nadalin, IBM

Felix Gaehtgens interviews Anthony Nadalin at the European Identity Conference 2009

Webcast

Interview with Fulup Ar Foll, Sun Microsystems

Felix Gaehtgens interviews Fulup Ar Foll at the European Identity Conference 2009

Webcast

Interview with Dr. Babak Sadighi, Axiomatics AB

Felix Gaehtgens interviews Dr. Babak Sadighi at the European Identity Conference 2009

Webcast

Interview with Pat Patterson, Sun Microsystems

Felix Gaehtgens interviews Pat Patterson at the European Identity Conference 2009

Webcast

Interview with Eve Maler, Sun Microsystems

Felix Gaehtgens interviews Eve Maler at the European Identity Conference 2009

Blog

My Twitter Top Ten

I know it's funny, but in fact it's me, by far the oldest guy at KCP, who is actually the greatest fan of Twitter. Perhaps if you don't have as much time left to waste as some of my younger colleagues you learn to appreciate abbreviation. Anyway, the European Identity Conference which ended yesterday here in Munich produced a bumper crop of Tweets which I have been browsing through this morning at my leisure (first time in a week I've had any), and I thought I would share a few with those of you who do not yet fully appreciate just how powerful this new medium actually is. Summing up of a...

Press Release

Awards for outstanding Identity management projects

Analyst company Kuppinger Cole confers European Identity Award 2009

On the occasion of the European Identity Conference 2009 (EIC), the leading European event for Identity and Access Management (IAM) and GRC (Governance, Risk Management, and Compliance), the analyst firm Kuppinger Cole conferred the European Identity Award. The award recognizes outstanding projects as well as innovations and additional developments of standards.

Press Release

Analyst group Kuppinger Cole confers the European Identity Award 2009

At the European Identity Conference 2009 (EIC), the leading European event for Identity and Access Management (IAM) and GRC (Governance, Risk Management, Compliance), the analyst group Kuppinger Cole conferred the European Identity Award. The award honors outstanding projects as well as innovations and further developments of standards.

Blog

Awards for outstanding Identity management projects

On the occasion of the European Identity Conference 2009 (EIC), the leading European event for Identity and Access Management (IAM) and GRC (Governance, Risk Management, and Compliance), the analyst firm Kuppinger Cole conferred the European Identity Award. The award recognizes outstanding projects as well as innovations and additional developments of standards. There are six categories for the award. In addition to best innovation in the areas of IAM and GRC, and the best new or improved standards, the best projects of the past 12 months for the categories internal projects, B2B, B2C, and...

Vendor Report

Vendor Report: Aveksa

Aveksa's claim is "Enterprise Access Governance". The company is one of several startups which provide a GRC platform to support requirements of what Kuppinger Cole calls IAM-GRC, e.g. the Identity and Access Management related aspects of GRC (Governance, Risk Management, and Compliance). Aveksa was founded in 2006, by an experienced team including several former executives from Netegrity, a market leader in identity and access management software that was acquired by CA in 2004. Aveksa has successfully managed to set up an impressive number of partnerships. From an overall...

Vendor Report

Vendor Report: Beta Systems

Beta Systems Software AG is a Berlin-based vendor of standard software products. The company supports the areas of security (with a focus on Identity and Access Management) and compliance, as well as document processing, the processing of large data volumes in data centers, and data center management and automation. Its products and solutions aim at process optimization in IT and are geared toward improved security and greater agility in IT. The focus today is on meeting...

Product Report

Product Brief: Microsoft Forefront Identity Manager

On Monday the 23rd of March, Microsoft announced that it would - again - delay the launch of ILM 2, the "Identity Lifecycle Manager". The release was now pushed back one whole year, to give Microsoft more time to "validate ILM in long-running live deployments before release". As can be expected, this announcement has caused a considerable amount of reactions, ranging from delight to frustration. The blogosphere and newswires soaked up the news and were buzzing with comments, and even outright speculation. Kuppinger Cole has been asked by journalists to provide an opinion as...

Vendor Report

Vendor Report: vps ID Systeme

vps ID Systeme GmbH (vps) is a wholly owned subsidiary of the publicly listed Digital Identification Solutions AG. The latter in turn emerged from the identification and security systems division of the KODAK group and was founded as an independent company in 2003. Digital Identification Solutions AG has been publicly listed since 2006. vps itself was founded in 1992 and has from the outset focused on software products for the personalization and management of security ID cards. Since 2004, web-based...

Advisory Note

Market Report: The SAP Identity Management Strategy

About two years have gone by since SAP took over the Norwegian manufacturer MaXware. Since then, SAP IM has positioned itself in the Identity Management market and significantly enhanced the products taken over from MaXware. In the meantime, the strategy has also become much clearer than it was two years ago. The product called SAP NetWeaver Identity Management has gained a lot of attention in the market. By now, SAP can provide numerous customer references. Furthermore, it is especially customers with a large SAP infrastructure as well as mid-sized companies that show an active interest...

Blog

EIC09: Founding of the ICF German Chapter

Dear readers, the following post is provided bi-lingual but does not represent a one-to-one translation. Most information is for German speaking readers, so the English version is comparably short! Still, there is some general info in the English part, so please make sure you read both parts… The ICF German Chapter Inauguration Meeting www.informationcard.de Participants: Corisecio, Fraunhofer FOKUS, Deutsche Telekom, Oracle, Novell, Arcot, Microsoft, Siemens, fun Communications, Hasso-Plattner-Institut, Azigo, KuppingerCole and MANY more! Initiated by Jens Fromm of Fraunhofer FOKUS in...

Press Release

Prof. Dr. Sachar Paulus becomes partner at Kuppinger Cole

Expert in security management and SAP topics strengthens the team of Kuppinger Cole analysts

Prof. Dr. Sachar Paulus, the former Chief Security Officer of SAP, is becoming a new Senior Partner of the analyst group Kuppinger Cole. Over the years, Prof. Dr. Paulus has established himself as a leading expert in information security and, through his previous role, also has excellent knowledge of the SAP environment.

Press Release

European Identity Conference continues to grow

Around 500 attendees. More than 50 exhibitors.

The 3rd European Identity Conference 2009 (EIC), which has opened its doors today, has already been a resounding success. This year's conference continues to generate a lot of interest despite the difficult economic climate. With more than 50 exhibitors, the venue has established itself as Europe's leading event on the topic. All big names in identity management will be represented there, which means that the EIC 2009 will provide the most comprehensive access to European identity management providers in one single venue.

Press Release

European Identity Conference continues to grow

Around 500 attendees. More than 50 exhibitors.

The 3rd European Identity Conference 2009 (EIC), which begins tomorrow in Munich, is already a complete success. This year's conference continues to gain momentum even in a difficult market environment. With now more than 50 exhibitors, it has firmly established itself as the most important event in this field in Europe. All well-known identity management vendors are represented, so the EIC 2009 offers the most comprehensive access to identity management vendors in Europe within a single event.

Press Release

New reports on future topics in identity management

Analyst group Kuppinger Cole presents reports on claims-based identities and on strong authentication in user-centric identity management

At the European Identity Conference 2009 (EIC), which begins tomorrow, the analyst firm Kuppinger Cole is presenting two new reports dealing with future topics in Identity and Access Management.

Blog

Where in the Cloud am I?

Recently, at a press briefing by German IBM boss Stefan Jetter who waxed enthusiastic about Cloud Computing, an elderly journalist rose and asked him a show-stopper: “Where are my data when they’re out there in the Cloud?” Jetter did a double take, but my colleague pressed on: “I mean, physically, where are they?” Of course, the answer is: On some nameless server somewhere, anywhere in a grid farm in Ohio or Dublin or… In fact, the usual answer is : Who cares? Well, for one the German privacy protection agencies. Passing data across national boundaries can be a federal offense not only...

Advisory Note

Trend Report: SSO 2009

Single Sign-On (SSO) is one of the most important fields in Identity and Access Management (IAM). Unified authentication can deliver a range of business values, including reduced security and compliance risks and lower service desk costs. Among the many different technical approaches to Single Sign-On, we see Identity Federation and, as a complement for special use cases, the technologies of user-centric identity management as the strategic approaches, because...

Advisory Note

Trend Report: The impact of claims-based approaches

The term “claims-based identity”, and the overall idea of using the term “claim” in Identity and Access Management (IAM), was introduced by Microsoft some two years ago, but the concepts can be used in any environment, and the technologies can be (and sometimes are) provided by other vendors as well. A claim is a piece of information about a user provided by an identity provider which can be challenged by the relying party which receives that claim. Claims can represent pretty much anything about a user. The name, the age, the role within a corporation, the...

Advisory Note

Technology Report: Strong authentication for user-centric Identity Management

Currently, there is a lot of work done around user-centric identity management. But until now, there is a lack of strong authentication in that area – even while there are several existing approaches which can be used and even while there are many potential identity providers. Despite the fact that there are several open questions regarding business models for identity providers and the, until now, slow adoption of user-centric technologies beyond the experts and geeks, we expect a bright future for strong authentication as well as for user-centric identity management. User-centric...

Advisory Note

Market Report: SAP's Identity Management Strategy

Around two years have now passed since SAP acquired the Norwegian vendor MaXware. Since then, SAP IM has positioned itself in the identity management market. The products taken over from MaXware have been significantly developed further during this time. The strategy, too, is now considerably clearer than it was two years ago. The product known as SAP NetWeaver Identity Management has attracted considerable attention in the market. SAP can now point to a number of reference customers. In addition, especially among customers with a...

Advisory Note

Market Report: Oracle buys Sun – the Impact on IAM and GRC strategies and tactics

The news that Oracle will acquire Sun Microsystems has led to some uncertainty at existing Oracle and Sun customers in the IAM and GRC market space. That uncertainty will exist for quite some time, given that the acquisition is not expected to close before the summer of 2009. Until that point of time, both vendors will have to act separately and are not allowed to publish a combined roadmap. Kuppinger Cole has, as part of its research programme, extensively researched both companies’ offerings and strategies. Until the proposed merger is cleared, and both companies provide a road...

Advisory Note

Market Report: GRC 2009

GRC (Governance, Risk Management, Compliance) is amongst the most important emerging market segments in IT. Kuppinger Cole observes a trend towards tools which integrate analysis, attestation, authorization management, risk management, Segregation of Duties controls, and role management functionalities to provide an overall GRC solution with focus on access controls and authorization which can be applied to all applications and all compliance regulations which are relevant to any organization in a first step. Beyond that we expect to see more complete GRC solutions which cover other...

Product Report

Product Report: Omada Identity Manager

The Danish vendor Omada has in recent years been able to position itself as Microsoft's most important technology partner around MIIS and Forefront Identity Manager. Together with Microsoft, it has won a number of large projects and implemented them with various integration partners. Omada extends the Microsoft technology, which is currently geared primarily toward the technical synchronization of identity information, with more advanced functions for role management and workflows, self-service interfaces,...

Product Report

Product Report: Quest ActiveRoles Server

Quest ActiveRoles Server belongs to the Enterprise Provisioning product category. The product is not a typical provisioning solution, however, but at its core a tool for the role-based administration of Active Directory environments that now also supports a growing number of other system environments. Accordingly, the product's specific strengths lie in the management of Active Directory environments, where its functionality goes significantly beyond that of typical provisioning products. On the other hand, Quest has...

Vendor Report

Vendor Report: Siemens

Siemens is one of the largest companies in the world. Within the group, which is divided into various segments [Siemens refers to these as sectors], there is also the Siemens IT Solutions and Services (SIS) division, which is responsible for IT products and services. The established IAM and GRC products from Siemens are also assigned to this division. In addition to core IAM solutions, the product offerings for IT security include biometric solutions, smartcards, card management and public key infrastructures. Beyond the products themselves...

Vendor Report

Vendor Report: TESIS SYSware

TESIS SYSware is a privately owned company based in Munich that is part of the TESIS group. This group consists of three companies that deal with different IT subject areas. TESIS SYSware (referred to below as TESIS for short) focuses on IT security and identity management and is a vendor of standardized software products in this area. The company concentrates primarily on solutions for password management, Privileged Account Management and...

Product Report

Product Report: Radiant Logic Virtual Directory Server

With release 5.0 of the Virtual Directory Server, Radiant Logic has split its product line into the VDS Proxy Edition and the VDS Context Edition in order to better meet the specific requirements of directory virtualization. Many of the requirements for virtual directories arise from the specific implementation problems that have to be overcome and that are best solved with targeted point solutions. Radiant Logic's VDS Proxy Edition is well placed to solve these problems and, at a corresponding price, is...

Product Report

Product Report: SailPoint IdentityIQ

SailPoint IdentityIQ is one of the leading products in the emerging market segment of identity/access GRC platforms, offering powerful features for attestation, audit, analysis and role management; the latter has been significantly improved in the current release. The product supports a risk-scoring approach with a focus on identity risk, but it is not a full-fledged Enterprise Risk Management solution. Via direct interfaces to the target system or to existing provisioning solutions, it can be used to control...

Blog

10 Top Trends 2009 for IAM and GRC

As in the past years, Kuppinger Cole has worked out 10 top trends in IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance). Things are going forward in 2009, despite the economic crisis – even more, especially GRC vendors are benefiting from the crisis and the increasing investments in GRC. The need for Risk Management is well understood now. But our analysis shows that there are advancements in many other areas of IAM and GRC as well. The impact of Cloud Computing, new electronic passports as a means for authentication, and more discussions about privacy...

Blog

The rationales behind the Oracle-Sun deal

The (planned) Oracle/Sun deal has gained a lot of attention. There was a lot of discussion of the rationales behind. But most of them didn't really touch the point why Oracle will spend so much money for Sun. Have a look at the rationales: The hardware? Not really. Oracle never has done hardware business before. That is another type of business. For sure there are some advantages. It is a little easier for Oracle to offer appliances, but they could have done this with standard hardware and some flavour of Linux. For sure, for big shops that might become interesting - highly scalable...

Press Release

Cloud 09 - the Conference on Cloud Computing

Strategies for the right step towards "Cloud Computing"

The analyst company Kuppinger Cole will hold the Cloud 09 conference from November 24 - 26 in Munich. The leading conference on Cloud Computing in Europe will combine Thought Leadership and Best Practices.

Blog

The balance act of changing the business model

Last week Microsoft announced that they will offer their own cloud computing services in nineteen different countries. The approach is "hosted by Microsoft, offered by partners". That is an interesting approach and it is obviously the result of Microsoft's thoughts about how to manage the balance act between the existing business model and the upcoming cloud computing business. On one hand, Microsoft relies on their partners which sell software licenses today. On the other hand, Microsoft has to provide offerings as cloud services. Until now, there have been some limited offerings for...

Webcast

Enterprise Single Sign-On in Practice

Kuppinger Cole Webinar recording

Press Release

Kuppinger Cole issues digital web ID cards for the European Identity Conference 2009

Kuppinger Cole + Partner, organizer of the European Identity Conference (EIC) 2009, is issuing all conference attendees a digital identity in the form of a web ID card. The card enables secure and simple login to the analyst group's customer area without entering a username and password. The issuance is technically implemented by fun communications, an IT company specializing in identity management solutions.

Blog

Sun integrates MySQL with IDM Offering

Sun Microsystems has just announced at the annual MySQL Conference that it is adding extended support for MySQL into its Identity Management stack. That's great, but what does it mean? For one, MySQL is hugely popular - starting off as an embedded open source database, and slowly but surely pushing into the enterprise RDBMS area over the years. Most enterprises use MySQL somewhere - some of them use MySQL strategically (i.e.: if you need a database, consider MySQL as one of the options, or even as the default option). So what does this have to do with identity management? Most databases are...

Blog

How could a future Oracle-Sun Identity Management Stack look like?

On the 20th of April, news of Oracle's intention to acquire Sun Microsystems took most people by surprise. Reactions predictably covered the whole spectrum, with an abundance of comments going each way between delight and dismay. We've been asked for comments by customers and journalists over the last days, and have talked with several customers of both companies. Obviously, both Sun and Oracle employees are under strict orders not to comment on the proposed acquisition, and it is "business as usual" - at least for the near future: both companies have to work the way they have until they...

Press Release

Top experts on identity management and compliance at the European Identity Conference

More than 100 speakers at the most important IAM and GRC conference

At the European Identity Conference 2009 (EIC), taking place in Munich from May 5 to 8, 2009, the crème de la crème of experts in Identity and Access Management (IAM) and GRC (Governance, Risk Management, Compliance) will meet, as in previous years. The experts will share their knowledge and experience with the attendees.

Blog

Liberty Alliance moves to Kantara

Today, Liberty Alliance will move to a new organization named Kantara. That is based on the analysis that security, privacy, and minimal disclosure of end users' personal information are becoming more and more important. In this area, several initiatives are on their way. The idea of Kantara now is to build an umbrella organization for the entire identity industry and to streamline different initiatives. Liberty Alliance will become a part of that bigger effort. The interesting question will be: Will Kantara become a big umbrella or a small one? There are several interesting initiatives...

Blog

Sun and Oracle - I would have won my bet

Today Oracle announced that they will acquire Sun. That isn't a real surprise to me. When the potential acquisition of Sun by IBM was discussed some weeks ago, I was asked about my view on that. From my perspective that would have been mainly a market share deal. And when big market share deals are discussed, Larry Ellison isn't far away. Thus I've said at that point of time that Oracle might as well make a bid. The third company I had in mind was Cisco, but they have missed that opportunity (which would have improved their strategic positioning significantly). Right now, Larry...

Webcast

Controlling the Impacts of Recession on IT Security

Kuppinger Cole Webinar recording

Webcast

Cloud Computing – Opportunities & Risk

Kuppinger Cole Webinar recording

Press Release

Cloud 09 - the Conference on Cloud Computing

Strategies for the right step towards "Cloud Computing"

Düsseldorf, April 15, 2009 - The analyst firm Kuppinger Cole will host the Cloud 09 conference in Munich from November 24 to 26, 2009; as the leading event on cloud computing in Europe, it will combine thought leadership and best practices.

Webinar

Apr 23, 2009: Enterprise Single Sign-On in Practice

Faced with a growing flood of passwords for user accounts across a rising number of applications, enterprise-wide single sign-on is becoming increasingly important: on the one hand to increase productivity and reduce helpdesk costs, on the other to improve security. In this practice-oriented webinar, learn from concrete project examples how to get the most out of an E-SSO system for your company.

Blog

Identity Management and the Cloud

Cloud Computing will be the next big paradigm shift in IT. I have no doubt about that. But as in many other cases, there is first of all a vision, then a buzzword, then some basic technology - and then people start to think about things like reliability and security. The same is true with Cloud Computing. There are many services out there, but IAM and GRC for the cloud are heavily underestimated. That is somewhat funny given that some of these services appeared in the big New Economy bubble some ten years ago. Salesforce.com is just one example, some of the online conferencing...

Blog

The Open Cloud Manifesto

On March 30th, several vendors, including IBM, Sun, and Cisco, announced an "open cloud manifesto" which pleads for open standards in the cloud. The "open cloud" shall allow choice and flexibility of cloud platforms and cloud providers. A main target is the easy portability of applications. But, if you read that manifesto, you'll find the typical sentences about "openness", "avoiding vendor lock-in", "the need for standards", and so on. One of the most interesting things with the short and pretty lightweight (to avoid the harsh term of "meaningless") "manifesto" is which vendors are...

Blog

The German ePA project - yes we can

OK, everyone has used that claim "yes we can" right now. But it fits pretty well to the German project ePA (Elektronischer Personalausweis) which is one amongst several projects in different European countries for a new type of personal identification card. It's not an ePassport but a personal identification card - you have to have the latter in Germany, you can obtain the first if you require it for international travel. In contrast to some other countries like the USA and the United Kingdom, a personal ID card is mandatory in Germany. Currently it is an "old-school" type of printed...

Blog

The Digital Knee

Since "Minority Report", where Tom Cruise toted a squishy bag full of spare eyeballs around to hold up in front of iris scanners, thus fooling the access systems, biometrics has been a buzzword, if only a minor one, but it has failed to catch on in a meaningful way. A few years back I speculated that this is because every existing biometric method has serious drawbacks. Fingerprints fade as you grow older, and some people don't have any because they are afflicted with a rare disease called "Naegeli syndrome" or dermatopathia pigmentosa reticularis (DPR) that can cause vexing social...

Blog

Is SSO the key to the desktop?

I recently had a cup of coffee with a couple of interesting youngsters from Hamburg, Christian Evers and Philipp Spethmann, who have set themselves a truly impressive goal. They are out to wrest nothing less than the control of German desktops from giants like iGoogle, T-Online, Yahoo! & Co. And they believe the way to do this is by providing consumers a safe and simple way to log onto their favorite websites. Their company, founded two years ago with money from Ammer Partners, one of Germany's big venture funds (yes, there still are functioning venture funds over here; many of them,...

Blog

Compliance as a risk?

GRC (Governance, Risk Management, and Compliance) has become a core issue for any CIO over the course of the last few years. SOX brought popularity to IT compliance – and nowadays everyone seems to talk about GRC. But sometimes, the approaches chosen seem to increase risk instead of mitigating it. What might seem to be sort of a provocative thesis unfortunately is the reality. There are, from our perspective, four critical aspects in many of today’s GRC initiatives. The first one is that GRC requires an organization which is GRC-ready. The second is that often too many tools are used....

Blog

In Praise Of Sabbaticals

In early 2008, I asked my colleagues at Kuppinger Cole + Partner for leave of absence in order to take a "Sabbatical", a kind of timeout. No, not because of burnout or anything dramatic like that, but rather because distance tends to sharpen your perspective, and I was worried that I was getting too wound up in the nitty-gritty of Identity Management as a specialized field. As a more or less non-technical person, I had begun to believe that the issues addressed by this industry are much wider than many of us seem to realize. And in order to truly appreciate what is going on I felt I needed...

Webinar

Apr 03, 2009: Controlling the Impacts of Recession on IT Security

As the recession is severely hitting most industries, type and quality of security threats are changing quickly. In this webinar, Martin Kuppinger will describe these threats and their impact on Identity and Access Management, GRC, Privileged Account Management, Data Leakage Prevention, and Information Rights Management.

Blog

The wild ride that was TEC 2009

I just came back from this year's Expert conference, TEC 2009. Last year it was still called the "Directory Expert's Conference" (DEC). This year the conference has been extended to include training on Microsoft Exchange as well, hence the name change. And of course not to forget that Quest has taken over Netpro - but has this really changed the scope or focus of TEC? Not at all, as was very immediately visible from the start, with a very funny introductory video. It started off just like a very glitzy marketing presentation that turned quickly into a hyperbole of fuzzy marketing buzzwords...

Workshop

May 05, 2009: Information Card Foundation (German Chapter) Meeting

Vendor Report

Vendor Report: Econet

econet AG is a Munich-based company founded in 1994. The privately held company focuses on supporting IT business processes and IT services. Its approach aims at connecting Identity Management and Service Management and at supporting GRC requirements. Specific strengths lie in risk analysis and risk management, integrated with the company's solution portfolio. With its approach, Econet is among the interesting and innovative vendors...

Product Report

Product Report: Siemens DirX Access

Building on an acquired and significantly enhanced technology base, Siemens has successfully entered the market for Web Access Management and Identity Federation. Version 8.1 of Siemens DirX Access offers a technically mature solution with a flexible, modular architecture concept. Siemens DirX Access 8.1 covers all standard requirements for solutions in this segment and goes, particularly in federation support, in security for Web Services, and in the options for application integration...

Product Report

Product Report: Engiweb IDEAS

Engiweb is one of the European vendors in the IAM and GRC space, based in Italy. The company is owned by Engineering Ingegneria Informatica, the largest system integrator in Italy with operations as well in some other countries. Engiweb is a one-product company, entirely focusing on their platform IDEAS which is focused around role management, authorization management, and other features. The product is, in the Kuppinger Cole notion, best positioned as part of the market segment of Identity/Access-oriented GRC platforms. Engiweb is, from our perspective, one of the European vendors of...

Vendor Report

Vendor Report: IBM’s IAM and GRC offerings

IBM is amongst the vendors which have entered the IAM market early. Right now, IBM can deliver in most areas of the IAM market, with only few missing elements in their overall portfolio. In the GRC market, the current focus of IBM is more towards SIEM-related GRC issues and log analysis, whilst IBM offers no specific platform for IAM-GRC. Anyhow, we expect IBM to be able to provide solutions through partnerships if required. Besides this, the approach chosen by IBM positions the company pretty well for the emerging trend towards GRC platforms which support any aspect of GRC requirements...

Blog

There are many facets of Privileged Account Management

The PAM/PIM/PUM (Privileged Account/Identity/User Management; I prefer PAM) market is one of the boom markets in IT. I've blogged about that recently (here and here). And I've talked with many vendors in that market segment about what they are currently delivering and about what they have in mind for the future. These briefings and the ongoing analysis on PAM proves my thesis that it is still a relatively immature market (not saying that all the products are immature - there are some really good tools out there...). The PAM market currently is in the typical situation of all emerging...

Blog

Cloud Computing – just a hype or change of paradigm?

In a webinar on Thursday I’ll talk about the hype and reality of Cloud Computing. It is interesting to observe that Cloud Computing made it beyond the IT magazines and into the business/economic publications. But the promises you find there (at least in German publications) are probably somewhat overhyped. From my perspective, there are some things to note: Cloud Computing is, in many areas, built on existing approaches – anyhow, there are many new aspects in it Cloud Computing will change the IT landscape of organizations fundamentally Cloud Computing will provide new business...

Blog

The Cloud

One of the key IT topics is the “cloud”. This term which is somewhat “cloudy” is definitely relevant. But, like most new trends, it isn’t really new. Many services within the cloud are here for many years. Look at salesforce.com, to name just one example. Or have a look at web hosting. Some things have been called “outsourcing” before. For sure the approach of the cloud goes well beyond classical outsourcing. But there are many lessons which can be learned for example from outsourcing: Clearly defined SLAs, defining the location where services are provided from to comply with...

Blog

Innovations in the world of LDAP

I've recently been to Sun's directory labs in the beautiful city of Grenoble, France to talk about what Sun has in store with their two directory servers: DSEE and OpenDS. I've used many predecessors of DSEE (starting with the good old Netscape Directory Server) on several projects over the last decade and used to know it inside out. I've grown quite fond of it, and so has everybody else I know who has used the product. I wasn't exactly sure why Sun embarked on its OpenDS project. Why reinvent from scratch what is already a perfectly great product? This question was on my mind, and I...

Webcast

Who Was Root? What You Should Know About Privileged Account Management (PAM)

Kuppinger Cole Webinar recording

Webinar

Mar 26, 2009: Cloud Computing – Opportunities & Risk

Besides having been around as a buzzword for quite some time now, current economic challenges seem to strongly increase interest in leveraging cloud computing for the enterprise, finding new competitive advantages, and of course reducing investments into internal infrastructures. In this webinar, Martin Kuppinger will discuss with you Kuppinger Cole's "Roadmap to the Cloud" - a guideline on how to prepare for cloudsourcing initiatives.

Congress

May 04 - 07, 2010: CLOUD 2010

Kuppinger Cole are proud to announce the Cloud Computing Flagship Event for Europe: CLOUD 2010. Making Cloud Computing work for your enterprise, how to prepare for it and what the risks involved with a cloud strategy are - Join us in Munich for an exciting event beyond the hype.

Congress

May 04 - 07, 2010: European Identity Conference 2010

With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.

Blog

Deep dive into unknown depth (of PKI and HyperV technology)

Recently, we announced that a report on strong authentication with tokens would be released. The response to that was tremendous - from either side of the market. Some (customer) companies pre-registered to get it, some vendors called back to make sure their products were included, and guess what: NOT all of them were included. This led to two things: me going back to square one and getting briefings with all "new" vendors and rewriting some portion of the report as well as me thinking: "if I do not know these vendors try to get into the market - how should the market (aka customers)...

Blog

Dynamic authorization management

Authorization management is becoming increasingly popular. But there are, in fact, two very different approaches: Static authorization management, where changes are provisioned to the target systems. Dynamic authorization management, where authorization decisions are externalized to authorization engines at runtime. The latter require changes to the applications, but they lead to the externalization of authentication and authorization (and hopefully as well auditing) from applications. Everything can be easily managed from outside of the applications. Whilst static authorization...

Press Release

Save the date: European Identity Conference 2009

The European Identity Conference (EIC) 2009 takes place in Munich from May 5 to 8, 2009. At Kuppinger Cole's annual event, held for the third time this year, analysts and thought leaders of the industry meet with IT experts and decision makers to learn about the latest trends and to discuss and shape the market around Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. With a list of high-profile speakers and a unique mix of best practice presentations,...

Press Release

Save the date: European Identity Conference 2009

The European Identity Conference 2009 (EIC) will take place from May 5-8, 2009, in Munich. Now in its third year, Kuppinger Cole's flagship event is the place to meet with thought leaders, experts and decision makers to learn about, discuss and shape the market in most significant technology topics such as Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. With its world class list of speakers, a unique mix of best practice presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend...

Blog

Privileged Account Management

Over the course of the last few months, PAM (Privileged Account Management), also called PIM (Privileged Identity Management) or PUM (Privileged User Management) became increasingly popular. The main driving force behind this increase in popularity are the auditors, which more frequently look at the state of privileged accounts and, in many cases, detect and criticize shortcomings in that area. Privileged accounts include administrative accounts (UNIX/Linux root accounts, Windows administrators), system accounts, service accounts, and technical users. It is important not to limit the scope...

Webcast

Fraud Prevention and Multi-factor Authentication

Kuppinger Cole Webinar recording

Webcast

Getting Attestation Right - Improving Audit Performance, Lowering Costs

Kuppinger Cole Webinar recording

Blog

The cloud becomes popular

At this year's CeBIT trade show in Hannover, Germany, cloud computing is the hot topic. That is no surprise to me, given that cloud computing is the trend within IT. Cloud computing is still fundamentally changing IT. In fact, cloud computing isn't really new. Services in the internet are out there for many years. You just have to look at vendors like salesforce.com and others which have their roots in the pre-year-2000 internet bubble. What really changes are three other aspects: There is a more consistent view on cloud computing - and vendors are filling the gaps in the cloud...

Vendor Report

Vendor Report: Oracle

Oracle has, largely through making acquisitions, transformed itself over the past few years into one of the leading suppliers in the IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance) areas. Within these IT market segments, the Company is now in a position to deliver solutions covering the majority of requirements and it maintains one of the broadest service portfolios of all suppliers, even if there continue to be sporadic gaps. This situation does however create challenges in relation to the integration requirement. Many of the acquired products...

Blog

The need for a holistic approach to IAM, GRC, DLP, PAM, and IRM

IT is very well-known for first its ability to create three-letter acronyms and second the mix-up of different marketing terms, leading to overlapping and sometimes pretty unclear market segments. Besides, many vendors try to convince people that their (and only their) solution is sort of the holy grail for all problems. This situation becomes very obvious when you look at technologies like IAM, GRC, DLP, PAM, and IRM. These are tightly linked together – and none of these approaches solves all your problems. Thus, it requires an integrated strategy and approach to really address your...

Blog

Novell acquires again

Novell recently announced two “acquisitions”. In fact these aren’t really acquisitions in the sense of Novell buying entire companies but the result is pretty the same. Novell, in one case, signed a perpetual source code license for Enterprise Single Sign-On with ActivIdentity. Novell’s solution SecureLogin is based on the ActivIdentity product. With the new deal, Novell not only OEMs a product but owns the source code and is able to forge the development. Thus, Novell can move faster and in exactly the direction which is relevant to Novell, for example with tighter integration into...

Blog

Getting Attestation Right

In a webinar this Thursday (March 5th) I'll talk about my thoughts about attestation, with focus on approaches that as well provide quick wins as are valid from a long-term perspective. What I currently observe is that attestation is sold as sort of panacea for all GRC issues. What is true is that attestation is important. But some approaches might only provide a positive feeling without much real impact. I frequently miss the support of multi-layered attestation which really covers all levels of IT security. I also frequently wonder about what happens after attestation. It is fine to do...

Webcast

Risk Management Trends

Kuppinger Cole Webinar recording

Blog

eGovernment and eID in Europe

Ever since the infamous “Signaturgesetz” (law for the regulation of electronic signatures) had passed the Bundestag (parliament) in Germany, the industry moaned about the “signature inhibition effect” this law had and still has. Attending the not so obviously related event on the “Industrialization of Cybercrime” some weeks ago, organized by Bitkom and the Ministry of Economics in Berlin, I finally heard one of the well-known lawyers, Mr. Harder from Munich, admit that the lawyers might have “over-engineered” the whole thing! Well, the next sentence was Mr. Harder's attempt to put that...

Product Report

Product Report: SailPoint IdentityIQ

SailPoint IdentityIQ is one of the leading products in the emerging market segment of Identity/Access-oriented GRC platforms, providing strong capabilities in the areas of attestation, auditing and analysis, and role management – the latter with significant improvements in the current release. The product supports a risk scoring approach that focuses on identity risk; but it isn’t a fully-featured enterprise risk management solution. It can be used to control the management of authorizations using direct connections to target systems or existing provisioning solutions. And,...

Vendor Report

Vendor Report: Oracle

Over the past few years, Oracle has developed, particularly through acquisitions, into one of the leading vendors in the areas of IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance). In these segments of the IT market, the company can now provide solutions for the majority of requirements and, taken as a whole, has one of the broadest portfolios of all vendors, even though individual gaps remain. However, this also brings the challenge of integration. Many of the...

Blog

Novell enters PAM market - the first deal in the next wave of acquisitions in IAM?

Novell has announced that they have acquired the technology for privileged account management (PAM) from Fortefi Ltd. PAM addresses the need to better manage privileged accounts. It is a broad field, starting with root account management in the Unix and Linux environments and reaching out to technical user accounts, system users and local as well as domain administrators in Windows environments or database and other system administrators. There are many privileged accounts out there. And these accounts frequently aren't well managed, despite the fact that they either have full access or at...

Blog

Facebook, Xing, and the question of copyrights...

Some time ago I blogged about the "rise and fall of social networks". My main point was that today's social networks lock-in the information of their customers - but if I participate in Xing, LinkedIn, Facebook or other platforms, I enter my data there. With some networks, it's virtually impossible to export my own network. And if I want to use more than one of these networks, there is no way to just move my existing network to the new platform. The interfaces (in most cases) as well as the standards (in any case) are missing. Yesterday, the discussion gained further momentum because...

Webcast

Reducing Compliance Costs through Risk-Based Segregation of Duties Management

Kuppinger Cole Webinar Recording

Webcast

Key Risk Indicators (KRIs) as an Early Warning System for Reducing Operational Risks

Kuppinger Cole Webinar recording

Press Release

New Kuppinger Cole Report: "Key Risk Indicators for Identity Management and GRC"

25 useful indicators to lower IT risks

The analyst group Kuppinger Cole has presented a new report dealing with Key Risk Indicators (KRI), that is data measuring the risk in businesses. KRIs help businesses recognise and address risks. Risk management is becoming more and more important at all company levels, especially in hard times.

Press Release

New Kuppinger Cole Report: "Key Risk Indicators for Identity Management and GRC"

25 easy-to-use indicators for reducing IT risks

The analyst group Kuppinger Cole has presented a new report that deals with Key Risk Indicators (KRI), that is, measurements of risks in companies. KRIs support companies in recognizing and addressing risks. Especially in difficult times, risk management is of growing importance at all levels of the company.

Blog

How to reduce the costs of compliance?

I think that is an interesting question. Compliance is a key topic for every organization, with many facets. Currently we have an intense debate about the Deutsche Bahn (railway) and other organizations which have for example compared the bank accounts of their employees with the ones of suppliers. The target is to avoid corruption. From a Corporate Governance perspective and from a compliance perspective (mitigating risks of compliance and so on) that is a valid approach. From the data protection law perspective, it isn't that easy. There are obvious conflicts between different...

Blog

Is there a bright future for directory services?

Last week I've been talking with Andrew Ferguson and Steven Legg of eB2Bcom. Probably you've never heard of them, at least as long as you are neither from the APAC region nor working in the government and defense business where they have most of their customers outside the APAC region. eB2Bcom is, first of all, a system integrator and distributor of IAM and GRC products. But eB2Bcom is as well the company which develops the View500 directory service. You haven't heard of this product? At least it is worth to have a look at. Basically, it is a directory service which goes beyond typical...

Advisory Note

Business Report: Key Risk/Performance Indicators IAM and GRC

The concept of Key Performance Indicators is well established at the corporate level, using scorecards as a tool for a quick overview on the progress of organizations. Key Risk Indicators add risk metrics to that view, relating the progress of indicators to changes in risks. The report provides 25 selected Key Risk Indicators (KRI) for the area of IAM and GRC. These indicators are easy to measure and provide a quick overview of the risk status and its changes for organizations. The indicators can be combined in a risk scorecard which then can be continuously used in IT management and...

Webinar

Mar 02, 2009: The Path to Lean, Focused IAM and GRC Projects (Cancelled)

In this webinar, Martin Kuppinger gives advice from Kuppinger Cole's consulting practice and analysis on the optimized design of IAM projects.

Vendor Report

Vendor Report: Evidian

Evidian is a company mainly owned by Bull Group, a leading French IT company. The company provides solutions for IAM with some GRC support and for IT Service Management, with IAM being the more important element in the overall portfolio. Despite the breadth of their portfolio, Evidian isn’t usually recognized amongst the leading IAM vendors – which they should be. Evidian is at least amongst the best established and leading European IAM vendors. With their strengths in access management, E-SSO, and a consistent, integrated platform, Evidian provides an interesting approach...

Vendor Report

Vendor Report: BHOLD

BHOLD is a specialized vendor focused on Enterprise Authorization Management, that is, the management of authorizations for access to IT systems from a business perspective. This function is one of the core functions of generic GRC applications (Governance, Risk Management, Compliance) with a focus on Identity and Access Management (IAM-GRC). Beyond authorization management, BHOLD also supports other central GRC functions such as attestation. BHOLD's focus is, in contrast to most...

Blog

Why to invest in IAM and GRC - especially in these days

There is no doubt: We are in economic turmoil. And no one really knows when things will become better again. It is definitely interesting to observe what is happening from a risk management perspective (Why didn't governments have pre-defined actions prepared? Why didn't financial institutions understand the risks or, if they understood them, why were they willing to take them? What happened with all the positive cash-flow of many organizations which are now in trouble - too much dividends?). But that isn't my topic here. The topic is why organizations should invest in IAM and GRC -...

Webinar

Feb 13, 2009: Ten Reasons Why You Should Invest in IAM and GRC Right Now

Martin Kuppinger names and explains ten reasons why now is the time to invest in IAM and GRC, in order to improve IT, make companies more capable and competitive, and reduce risks.

Vendor Report

Vendor Report: Entrust 2009

Entrust is one of the well-known and established vendors in the Identity Management market. Historically, the company has positioned itself primarily as a manufacturer and service provider in the area of certificate services and PKIs (Public Key Infrastructures). In the course of its restructuring and repositioning, however, Entrust has meanwhile built a significantly broader product portfolio that builds on its strengths in the established subject areas. Despite considerable challenges from this restructuring process, which most recently were also reflected in significant...

Blog

Going beyond attestation: Authorization Management is key

There is no doubt that the attestation capabilities which can be found in many of today's IAM-GRC platforms (e.g. GRC platforms with focus on Identity and especially Access Management aspects) are important and helpful. Attestation provides a capability to go through existing entitlements and, in some cases, changes and confirm or revoke them. But: Attestation is mainly sort of a detective approach. There are two other aspects which have to be addressed as well: Preemptive controls which avoid that there is any access right granted which later on has to be revoked Controls in the sense...

Webinar

Mar 19, 2009: Who Was Root?

Handling privileged user accounts such as "ROOT" carries high risks. In this webinar we introduce you to the fundamentals of Privileged Account Management (PAM) and give you valuable practical tips on how to effectively protect your network against internal and external threats.

Webinar

Mar 11, 2009: Fraud Prevention and Multi-factor Authentication

In this webinar, Kuppinger Cole's founder and principal analyst will give you an overview on the market for risk- and context-based, multi-factor authentication and authorization solutions for fraud detection, followed by Stefan Dodel, middleware solutions specialist at Oracle, who will talk about his experiences from numerous projects.

Press Release

Analyst group Kuppinger Cole brings order to the cloud chaos

Market Report Cloud Computing structures the cloud computing market

The analyst group Kuppinger Cole today published its Market Report Cloud Computing. For the first time, this report delivers a stringent and valid structuring of this market with its multitude of different offerings, from computing power and individual web services to complete application platforms or social networks.

Webcast

Cutting Costs through Lean Role Management

Kuppinger Cole Webinar recording

Blog

1-day eema-Workshop: Role Life Cycle Management and IAM - 5 March 2009

This meeting is a one-day event aimed at Ascure, Belgium and is organized in cooperation with Kuppinger Cole and EEMA. This workshop will discuss the approach and importance for setting up Role Life Cycle Management in your IAM Program. Currently many enterprises are investing in having a dynamic RBAC-Role Model but do forget to organize themselves by setting in place a framework for their role model. Role Life Cycle Management has all to do with vision and strategy and is closely related to GRC issues. In this workshop our customers are centralized and we will focus on their issues,...

Webinar

Feb 05, 2009: Key Risk Indicators (KRIs) as an Early Warning System for Reducing Operational Risks

In this webinar, Martin Kuppinger presents the current Kuppinger Cole report on this topic and describes the use of these KRIs for a risk-based management approach. Afterwards, Thomas Reeb, board member of econet AG, will talk about his approach of a Key Performance Indicator (KPI) matrix, using an example (security in file systems), with whose help strategies and maturity models can be derived from the KRIs.

Blog

Engiweb – worth to look at

Even while most IAM and GRC software is provided by US-based companies, there are several vendors from other countries. Eurekify, from Israel, is now part of CA. But there are companies like BHOLD from the Netherlands, IPG from Switzerland, Völcker Informatik or Beta Systems from Germany, Omada from Denmark, Evidian from France, or Symlabs from Portugal, to name just a few. And there is Engiweb from Italy. Like many of the vendors mentioned, Engiweb started in its home country – but that shouldn’t restrict you from having a closer look at what Engiweb is doing. Engiweb has a core...

Blog

Lean Enterprise Role Management

Role Management projects sometimes are stated as too complex. Yes, there are projects which failed due to their complexity. On the other hand, a recent Kuppinger Cole report based on a survey proves that the average number of business roles is relatively small. On the other hand, the complexity of role models for specific system environments (even SAP) is manageable. Thus, defining and implementing role models with multiple layers can be done - and it can be lean. The keys, from my perspective, are the use of multiple clearly defined, separate layers of roles, defined responsibilities for...

Blog

Why IaaS is mandatory for the cloud...

I blogged several times about IaaS (Identity as a Service), last time only some two weeks ago. We will observe a strong increase in that field, the stronger the more people understand that IaaS is mandatory for the cloud. In our upcoming Market Report Cloud Computing 2009 (available starting tomorrow at http://www.kuppingercole.com/reports) we provide, first time ever, a stringent and valid structurization of the cloud market with all its different segments. IaaS is part of this market, but it is as well a prerequisite for most other aspects of cloud computing. The more services you use in...

Blog

The European IAM and GRC landscape

These days, we've been mentioned by Marcus Lasance, an independent IAM consultant who formerly managed MaxWare U.K., in his blog. Dave Kearns commented on this today in his Network World newsletter. Both Marcus' blog and Dave's newsletter were about IAM in Europe - and the fact that there are many more vendors and integrators out there than are visible at first glance. And yes, Kuppinger Cole as an analyst company covers them, but isn't limited to them - for sure we are in touch with the US vendors and companies from other countries (for example Brazil, Australia,...) as well. My personal...

Product Report

Product Report: Radiant Logic Virtual Directory Server

With release 5.0 of Virtual Directory Server, Radiant Logic has split up its product line into VDS proxy edition and VDS context edition to cater better to the specific demands for directory virtualisation. Many virtual directory requirements arise out of specific deployment problems that must be overcome, and are best addressed with targeted point solutions. Radiant Logic’s VDS proxy edition is well placed to address these issues and has been priced accordingly. Other more strategic virtual directory projects are centred on a desire to harmonise and integrate identity data that is...

Webinar

Mar 05, 2009: Getting Attestation Right

In this webinar, Martin Kuppinger, Principal Analyst at Kuppinger Cole, gives an overview of an automated and risk-based approach to access certification, followed by a discussion with industry thought leaders on how to significantly improve the operational efficiency and accuracy of the attestation process, ensuring the goals of corporate accountability and compliance are met.

Webcast

Service Oriented Security (SOS)

Kuppinger Cole Webinar recording

Vendor Report

Vendor Report: Arcot Systems

Arcot Systems targets the authentication segment of the IAM market with focus on software-based strong authentication with support for versatile authentication and risk-based authentication. The company’s revenue model is backed by well established hosted services for the financial industry, mainly in providing cardholder authentication to credit card companies. The company provides several leading-edge solutions in the areas of risk-based authentication, web-based versatile authentication, and soft tokens. There is a significant potential to enter the enterprise IT market...

Product Report

Product Report: Sun Identity Manager

Sun Identity Manager is one of the most well-known products in the Enterprise Provisioning market segment. The product has been continuously improved over the course of the last years, with significant changes especially within the last two releases (7.0 and 8.0). It supports all core features we expect from products in that market segment, with strong provisioning capabilities and a broad set of connectors. The biggest shortcoming from our perspective is that changes in the user interfaces and to workflows might become relatively complex, requiring XML and Java knowledge and the use of...

Webinar

Feb 26, 2009: Business Roles, Business Rules, Claims – What is it all about? (CANCELLED)

The webinar will discuss the questions and outline the future trends for business roles, business rules, and claims.

Webinar

Feb 19, 2009: Risk Management Trends

The webinar will discuss risk management trends as well as the evolution of the market for risk management tools.

Webinar

Feb 12, 2009: Reducing Compliance Costs through Risk-Based Segregation of Duties Management

In this Webinar, Kuppinger Cole's Principal Analyst Martin Kuppinger will highlight the challenges of risk-based segregation of duties management, and will discuss technology solutions for continuous monitoring that deliver affordable and effective compliance.

Blog

Authorization Strategy

Even while some experts in the industry understand authorization management still as sort of “rocket science”, the year 2008 has shown significant evolution in that field. New vendors like Rohati have entered the market, others like Bitkoo appeared a little earlier, and some of the big vendors like Oracle and CA are as well actively pushing their technologies. There are others like the Italian Engiweb which have even today a strong customer base in that field. And not to forget Microsoft, whose “Geneva” framework addresses authorization aspects as well. Besides this, IRM...

Blog

Again: Identity Data Theft

Yesterday, news spread about the theft of millions of credit card records at the US company Heartland Payment Systems, based in Princeton, New Jersey. Even while that might be one of the largest cases of data theft in the credit card industry, it wouldn't be that interesting that I'd blog about. The - from my perspective - really interesting point is, from what I've read in the news, the way the attack has been performed. The information sent is encrypted but has to be decrypted to work with it. The attackers grabbed the then unencrypted information. Surprise? Not really. The problem with...

Blog

Identity as a Service

Some days ago, I had a very interesting discussion with John de Santis and some of his colleagues from TriCipher, one of the vendors which provide IaaS (Identity as a Service) solutions, in that case particularly with their MyOneLogin service. That discussion is one in a row of others I had with several of the other vendors in the IaaS space like Multifactor Authentication, Arcot Systems, or Ping Identity, to mention just a few. On the other hand, my colleague Jörg Resch (currently very active in organizing the European Identity Conference 2009, where we will have, amongst many other...

Webcast

Entitlement Management - Business and Technical Perspectives

Kuppinger Cole Webinar recording

Vendor Report

Vendor Report: ActivIdentity

ActivIdentity is a vendor for solutions around strong authentication, Enterprise Single Sign-On (E-SSO), device and credential management, and secure information transfer. The company was founded in 1985 with headquarters in the US and in Suresnes, France. The company acts as a niche player in the mentioned market segments, with specific strengths in the fields of versatile authentication, E-SSO (especially in combination with strong authentication), and employee ID cards. Within the market segments in which ActivIdentity is active, the company appears to be well established and providing a...

Advisory Note

Trend Report: Enterprise Role Management

Enterprise Role Management describes an enterprise-wide approach for defining role models and roles for every type of system which requires roles, going beyond IAM and GRC requirements. Within that concept, there are typically three levels of roles, which we define as Business Roles, IT-functional Roles, and System-level Roles. These concepts are accepted and implemented by an increasing number of organizations. The report provides, beyond some numbers on the role management market, guidelines for implementing Enterprise Role Management successfully. The information in this report is...

Blog

The effect of the recession on IT security

These days I received a pretty interesting survey compiled by Cyber-Ark, one of the vendors in the market for Privileged Account Management (PAM) or Privileged Identity Management (PIM), like Cyber-Ark calls that market segment. I seldom read such an interesting survey, providing insight in the dark side of many users. The survey which has been carried out amongst 600 workers, mainly from financial districts, in New York, London, and Amsterdam included some really tough questions. People were for example asked whether people would try their hardest to gain access to the redundancy lists if...

Vendor Report

Vendor Report: Quest Software

Quest Software has become, after a series of acquisitions, the leading vendor in the segment of Windows Management tools. Overall, Quest provides specialized tools to support IT operations in the areas of Windows Management, Application Management, Database Management, and Virtualization Management. Amongst these tools, several solutions support Identity and Access Management (IAM) aspects, which has recently been branded as the Quest One Identity Solution, even while this is only a part of the overall offerings of Quest Software. In contrast to other vendors, Quest never tried to...

Blog

CIO Agenda 2009

The year 2009 will be a threat for most CIOs. There will be pressure on IT budgets. On the other hand, many threats like Governance and Risk Management aren’t solved in most organizations today. The Business/IT alignment still is an open topic for most organizations. Cost cutting is important as well. And the security problems are still there. My five main points for the CIO agenda are: Business control, GRC, Independence, Accountability, IT organization. Not many aspects, but the ones which are most important for a long term success of business and IT. You might add reliability/availability as...

Blog

Some new Kuppinger Cole surveys on IAM

We've compiled some questionnaires on different aspects of the IAM and GRC markets and put them online. We'd greatly appreciate your participation on these surveys. Most of the questionnaires are very lean, consisting of 10 to 12 questions - only the IAM market survey 2009 is quite a bit longer. Two surveys are about the RoI of IAM, or, more correct, different aspects of IAM. The Identity Administration RoI Survey analyzes the cost of administering Identity Management infrastructures. The IAM Tools RoI survey focuses on the cost of the core tools (mainly directories and provisioning) in...

Blog

From IT to Business

The topic of IT-Business Alignment isn't really new. It has been discussed for years now. And several software vendors, mainly in the area of "Business Service Management" claim to solve the threats in that area. But, honestly: I believe that we are, in most cases, far from a real IT-Business Alignment. I have blogged several times around this topic (here, here, here, and here). But let's start with my definition of what IT-Business Alignment is: IT does what the business requires - not more, not less. That includes aspects like the ability to efficiently respond on new business requests,...

Blog

Authentication 2.0 - Beyond username and passwords

More and more organizations – driven by the vast amount of media coverage on data loss incidents – realize that the increased security requirements cannot be met by making password policies more complex. Users are already overwhelmed by the sheer number of passwords they have to memorize, and HelpDesks are flooded by the amount of password-related calls. Besides establishing strategic authorization management projects (see Felix' blog for more on that), organizations tend to rid themselves of ancient UID/password schemes turning towards modern, flexible and – above all –...
