News Archive

Blog

What business has to learn so that IT can align

We're talking a lot about the need for IT to align with business. But it's not a one-way road. There is no doubt that IT has to think much more "business". Risk focus (here and here), performance management, the understanding of IT as Information Technology instead of Information Technology, the path towards an ERP for IT,... I think that many CIOs and CISOs are well aware of this and many of them are working towards that goal. However, if I look at the business side, it appears to me that IT is still somewhat ignored when it comes to alignment. Two examples out of many from my...

Blog

Barcelona Deja-vu

It’s the phone industry’s dirty little secret: As humble “handys” (as Germans quaintly persist in calling mobile handsets) morph themselves into miniature editions of full-fledged computers, the danger of their being attacked by hackers or compromised by malware is growing, cancer-like and unseen. And while many people were discussing security issues at this year’s GSMA Mobile World Expo in Barcelona, they did so mostly in a whisper. This was in contrast to the brazen self-promotion on display everywhere else on the Montjuïc fairgrounds where the operators, designers, manufacturers...

Blog

Ever had trouble securely sharing data with business partners?

Coming from a network security background, for me “IPSec 3DES VPNs” seemed to be the solution for secure data transfer between business partners for quite a long time. Over the years, with more experience, I naturally found out that this was not the solution for all use cases and scenarios these crazy folks called “customers” came up with. Nonetheless, when SSL-VPNs became en vogue I hesitated to join the choir of supporters. While I fully understand and support the idea of a more flexible, more application- or user-centric approach due to the gain in usability, I still love my “old VPN...

Blog

Gerry Gebel joins Axiomatics

My friend Gerry Gebel, long-time Burton Group analyst, is joining Axiomatics to ramp up the company's US presence. I received an email from him that started by saying "I thought I would give you a nice surprise on a Saturday morning"... and indeed what a surprise that was! I can definitely understand Gerry's choice for Axiomatics. The company is new, up and coming, full of very smart people and way ahead of everyone else in the area of authorisation/access management. Axiomatics comes at the top places in my own personal "favourite innovative companies" list, together with Unbound ID, the...

Blog

GRC and IT Security - where is the link?

GRC became one of the really hot topics in business and IT, especially in larger organizations, over the course of the last few years. However, there is a lot of confusion about the terms associated with GRC. In many organizations, few people have a clear view of what GRC involves and requires, and few organizations have an organizational structure for GRC with clearly defined responsibilities. Of these organizations, many have limited their GRC initiatives either to some aspects like “business only”, “risk only” or “IT only”. Virtually every organization has an IT security department. Few...

Workshop

May 04, 2010: Kantara Initiative Public Workshop: Making the World Safe for User-Managed Access

This workshop will review User Managed Access (UMA) benefits, use cases, progress to date, and next steps. It is co-located with the European Identity Conference. Registration for the workshop is free.

Blog

Approaches to secure your data in databases

Last week I had an interesting briefing with IBM regarding their Guardium acquisition. With that acquisition of a company specialized in database security, IBM becomes the second large vendor investing in that area, following Oracle, which has had Database Security products in its portfolio for some years now. The IBM/Guardium deal fits pretty well in the current time, when looking at the increasing problem of information theft. Besides IBM and Guardium there are some smaller vendors in that market which I will cover in another post in the near term. IBM Guardium, in contrast to the Oracle approach, is...

Blog

What you could do with stolen data - a squib

Last week, the German health insurance company BKK had to unveil a severe information leak. The company has been blackmailed because someone had stolen masses of sensitive patient records. Besides the fact that the way this happened shows an astonishing carelessness when dealing with IT security and privacy at the BKK and raises many questions (see below), there are some interesting new options for the German government to work with this data. You could for example take such patient records and combine them with the recently acquired stolen data from Switzerland about potential tax...

Blog

Identity Management is key to Smart Grid Security

In 10-12 years from now, the whole utilities and energy market will look dramatically different. Decentralization of energy production with consumers converting to prosumers pumping solar energy into the grid and offering their electric car batteries as storage facilities, spot markets for the masses offering electricity on demand with fully transparent price fixing (energy in a defined region at a defined time can be cheaper if the sun is shining or the wind is blowing strong), and smart meters in each home being able to automatically contract such energy from spot markets and then...

Press Release

Article on data theft and insider attacks from Martin Kuppinger available

Duesseldorf February, 16th, 2010 - Martin Kuppinger, co-founder and Principal Analyst at Kuppinger Cole, has just written a new article on data theft and insider attacks in which he describes the associated problems and risks and describes tactical and strategic measures to avoid them. According to Mr. Kuppinger, unprotected data and subsequent data leakage remain a major hazard in most organizations today. He also discusses ways and means for reducing information-related risks from both within and without. The article runs to approximately 1,100 words and can be made available to...

Press Release

Article on the topic „Cloud Computing – a security risk?“ by Martin Kuppinger available

Düsseldorf, 16.02.2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic „Cloud Computing – a security risk?“. In this article Martin Kuppinger first addresses the definition of the term „cloud computing“ and then turns to the security aspect. In his remarks Mr. Kuppinger emphasizes that cloud computing does represent a calculable risk, provided that some strategic conditions are met. These conditions...

Blog

EIC 2010 Keynote: The Irreversible Collision of Technology and Business Risk - from Drew Bartkiewicz

Drew Bartkiewicz, Vice President at The Hartford E&O, Cyber and New Media Liability, has just joined the EIC 2010 speaker lineup and will give a keynote on "Unseen Liability - The Irreversible Collision of Technology and Business Risk". Drew has also just written a book with the same title, which will be published in May.

Blog

"Cloud-readiness" – What it means for software developers

Everybody’s up in the air about clouds, but few seem to really know where they’re heading. Most existing applications aren’t ready for the cloud quite yet, especially since the realization seems to be sinking in that building security into the cloud is no trivial pursuit. Cloud computing is about to change the way software is written. Till now, applications were programmed with scant regard to what they would actually be deployed for later. After all, isn’t that what operating systems are for? But now, in today’s world of cloud excitement (or should we say cloud hysteria?) every...

Blog

Once again a great speaker lineup - EIC 2010 Agenda Preview

Once again, we are very lucky at Kuppinger Cole that so many excellent experts from all over the world forward their speaker proposals for the European Identity Conference (EIC), which this year will take place on 4th to 7th May, again in Munich (we will move to a new venue next year!). The agenda is still in draft mode and many things have yet to be added or modified, but if you want to have a first look, even before it is officially published, here is the link: http://www.id-conf.com/events/eic2010/agenda. Some very exciting and controversial strategic views, like for example Munich Re...

Press Release

Article on the topic of data theft by Martin Kuppinger available

Düsseldorf, 10.02.2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of data theft. In this article Martin Kuppinger describes the problem and the associated risks and addresses the tactical and strategic measures for preventing data theft. In his remarks Mr. Kuppinger emphasizes that the lack of protection of information represents an incalculable risk factor for companies, and discusses ways in which companies can protect themselves against it...

Webcast

Expanding the Reach - Identity as a Key Enabler of Customer Satisfaction through Context-aware Personalization

Kuppinger Cole Webinar recording

Webcast

From E-SSO to a Holistic Authentication- and Authorization Strategy

Kuppinger Cole Webinar recording

Webcast

Access Management Tools - can they Integrate with what you have in a Lean Way?

Kuppinger Cole Webinar recording

Webcast

Versatile Authentication - One Layer of (Strong) Authentication

Kuppinger Cole Webinar recording

Webcast

5 Quick Win Approaches to Achieve the Next Level of your IAM Infrastructure

Kuppinger Cole Webinar recording

Webcast

Provisioning and Access Governance Trends

Kuppinger Cole Webinar recording

Blog

Simplifying or over-simplifying authentication?

My colleague Jörg Resch recently blogged a lot about approaches for "lightweight" authentication and the risks associated with them. There are many companies out there with new or claimed-to-be-new approaches to more or less strong and more or less valid authentication. Whether that's the approach of isec, of GrIDsure, of Yubikey or one of the many other vendors out there, I doubt that there is the holy grail of authentication amongst them. Some of them are definitely interesting, some of them not. Many of them are interesting as one element in an authentication strategy - like GrIDsure, which...

Blog

Google StreetView and German Politics: Panem et Circensis

It has been a successful political strategy since the Roman Empire to divert the people with petty amusements instead of showing attitude. In this sense, German Consumer Minister Ilse Aigner is hitting at Google StreetView and proposes legal action against the camera cars cruising through German cities taking photos. At the same time, the same government successfully implemented a law that forces any communication provider to store all communication data for at least 6 months and make it available to government institutions without a legal warrant. The same government allows tax...

Blog

Data Leakage Prevention - Something (not only) Swiss Banks Should have a Closer Look Into

It has been in the press and Martin already wrote something in his blog about it - German tax authorities have been approached by various individuals who want to sell information about Germans who hold bank accounts at some Swiss banks, like Credit Suisse and UBS. I don't want to go into the discussion whether such a deal, where the government buys "stolen" data (I put it in quotes, because over here, data are not a thing and only things can be stolen) from somebody, is immoral or not. But it certainly is pushing the market for customer information, if its value becomes as visible as it...

Blog

How much security do we need?

My colleague Jörg Resch blogged today about the ignorance regarding layered security approaches. Yes, there is no absolute security. Security is something which is tightly related to risk. Given that we can't have the perfect security, especially not with people using systems, it's always about the balance between the security-imposed risk and the cost of risk mitigation. That's a very simple balance: The higher the risks are the more you can and should spend on risk mitigation - as long as risk mitigation is feasible (which is not always the case - a life insurance doesn't help you...

Blog

"Our Systems are Secure"

I love this kind of statement. It contains total ignorance of the fact that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt - Deutsche Emissionshandelsstelle), who said this, after a successful phishing attack had caused a damage of 3 million euros to some of the companies using this platform to trade their emission permits. Imagine - a trading platform where "real" money is being moved - with just a...

Blog

Is History-Stealing a Crime?

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to know exactly who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, we might soon see broad use. Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in the German Criminal Law (§ 202a StGB, Ausspähen von Daten), data theft is a...

Blog

De-Anonymizer Self-Test

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member of 5 groups at Xing, but active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!

[Screenshot: De-Anonymizer Test Result]

Blog

Identification through "Social Pattern Recognition"

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify the person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is simply exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network. The combination of memberships of different groups seems to be nearly as unique as a fingerprint....

Congress

May 04 - 07, 2010: Mittelstandsdialog Informationssicherheit

Securing IT infrastructures and applications, data protection, and compliance with guidelines and regulations are indispensable for every company, regardless of its size. The methods and approaches to the topic of information security can, however, differ considerably. The Mittelstandsdialog Informationssicherheit, which takes place at the same time and place as Europe's leading event on the topic of identity management, the European Identity Conference (EIC), offers you the opportunity to find the optimal path for your company to a meaningful increase in...
