News Archive

Product Report

Product Report: Cyber-Ark Privileged Identity Management Suite (PIM) - 70257

From the KuppingerCole perspective it is mandatory to quickly address the PxM challenges which exist in any IT environment. This requires solutions which cover all (or at least most) of the different aspects of PxM in an integrated solution, for a heterogeneous environment. Cyber-Ark PIM is defined as a suite by the vendor. However, it is more of an integrated product with several common elements and different feature sets, going beyond the typical suite approach. Cyber-Ark itself names the common elements as “Privileged Identity Management Infrastructure”. Defining the...

Product Report

Product Report: Zscaler Cloud Security

Zscaler is an integrated SaaS solution for web and e-mail security offered by the US-based company of the same name. It provides a cloud platform for anti-malware and anti-spam protection, application control, and data loss prevention. What makes Zscaler stand out from its competitors in the SaaS security market is that its solution is entirely cloud-based and does not require any extra hardware or software installation. By utilizing a large global network with more than 40 datacenters around the world and an optimized and hardened network architecture, Zscaler is capable of providing high...

Webcast

Using Standards to Manage Access to SOA and Cloud Services

Kuppinger Cole Webinar recording

Blog

Lessons enterprises should learn from the recent wiki-leak

There has been a lot of discussion around Wikileaks publishing an incredible amount of data which has been classified as confidential by the US Government. I don't want to discuss this specifically - many people have done this before, with fundamentally different conclusions. More interesting is what this means for private organizations, especially enterprises. Wikileaks has threatened some of them: the Russian oligopolies, the finance industry in general. That comes as no surprise. Wikileaks founder Assange rates them as "bad", e.g. his enemies. Given that Wikileaks isn't alone out...

Webinar

Jan 26, 2011: The Business Value of Log Management Best Practices

Although log management has recently been gaining more attention as a key element of any information security strategy, many organizations, even large ones, have not yet developed and implemented log management best practices. In this webinar, Kuppinger Cole's Principal Analyst Martin Kuppinger will discuss with you the business value of best practices for log management. Followed by Martin, Pascal Oetiker from Novell will describe his view on how to develop and implement log management best practices.

Webcast

Managing the Change - Getting on the Road to the Cloud through Small and Manageable Steps

Kuppinger Cole Webinar recording

Blog

Cloud Computing – Service Integration Smarts for CIOs

Cloud Computing is the hot topic in IT and it will remain so, though possibly not under the same name. And while the hype expression may change, Cloud Computing itself is going to fundamentally redefine business IT. And while not every CIO may welcome this development, he or she should prepare themselves for what is clearly going to be the next big step in this industry. Cloud Computing stands for services made available and consumed via "clouds", be they private or public. The term cloud itself simply indicates an IT environment in which such services are hosted. Having said...

Webcast

Building Operational Governance for SharePoint 2010

Kuppinger Cole Webinar recording

Blog

Creating new attack surfaces in VMs and Network Security devices

There is a good reason to add functionality to specific types of devices, especially in the network. Doing security at the edge can be highly efficient. Thus, implementing for example PEPs (Policy Enforcement Points) for access management into network access gateways is, from the perspective of efficiency, a pretty good idea. And when looking at what the network vendors like Cisco, F5 Networks, and all the others are doing, the number of add-ons which can be added to these devices and run locally has increased significantly. Basically the same, still at a lower level, could be observed...

Blog

EU Privacy Direction

Last week I had the privilege of attending a seminar at which Peter Hustinx, the EU Privacy Commissioner, outlined the future approach on personal data protection in the European Union. This approach includes “a right to be forgotten” as well as mandatory data breach reporting. Given that the WikiLeaks website has recently released 2.5 million documents that were supposedly “private” reports by US embassies - you might ask “what does privacy mean?” Well, privacy in this context is more narrowly defined to be privacy of personal information. In the EU privacy is based on the European...

Blog

Without standards for DRM and IRM Cloud Security will remain a daydream

IT Security in and for the Cloud is one of today’s hottest topics. Unfortunately, it is almost as complicated as the Cloud itself, spanning from Identity Management and logging intelligence to data encryption. This article explores the various scenarios and demonstrates both strengths and weaknesses. Vendors both like to invent and employ hype expressions to describe their technologies, and it is clear why: They want to make their products stand out from the rest. It's been that way since the earliest days of modern computing, and it goes especially for the field of IT Security. Remember...

Vendor Report

Vendor Report: Novell - Identity and Security

Novell has a long history in the fields of identity and security. The company was one of the pioneers in network operating systems and the corresponding directory and security services. Over the years, it has continued to develop and expand its portfolio. Today, identity and security remain at the heart of Novell’s business model, along with products for data centers based on Novell Suse Linux as well as products for communication, security and device management collectively labeled “end user computing”. Over the past years, Novell has been following a clearly defined...

Webcast

How Does Cloud Governance Relate to IT and SOA Governance and What Should Be Done Differently?

Kuppinger Cole Webinar recording

Webcast

Designing a Cloud-ready Holistic IT Security Concept - the Business View

Kuppinger Cole Webinar recording

Webcast

Cloud Computing Risk Areas

Kuppinger Cole Webinar recording

Webcast

5 Key Challenges for Cloud Computing Governance

Kuppinger Cole Webinar recording

Webcast

Privileged Cloud Identity Management

Kuppinger Cole Webinar recording

Blog

Waking up to the walk-away problem

Okay, just because I’m paranoid doesn’t mean they aren’t out to get me, right? But I guess that’s what comes from dealing too long with IT security people whose chosen profession involves trying to outsmart some very smart people on the dark side of computing. I love listening to my friend Andy Müller-Maguhn, for instance. He's one of the founders of the Chaos Computer Club in Hamburg, who likes to scare the heck out of managers in the audience by describing the ingenious ways hackers have for breaking into other people’s systems and what all the horrible damage they can do there. Andy is...

Survey

Virtualization Security Survey: Security – an essential prerequisite for successful virtualization

During September and October 2010 KuppingerCole conducted an independent survey of the status and plans for Virtualization Security amongst organizations. This survey shows that security is a key success factor to virtualization. Organizations transitioning to a virtualized or cloud IT model need to invest in a security strategy, in organization and skills, and in technology. Vendors need to provide better integration between security and service management plus security tools to better support heterogeneous virtualized and physical environments. Highlights of the results are:...

Vendor Report

Vendor Report: CA Technologies Virtualization Security

Virtualization Security is not a single product category but comprises several different types of solutions from different categories, including IAM (Identity and Access Management), information protection, service automation, service assurance, service management, as well as system security solutions for hardening and monitoring resources. In order to be effective, Virtualization Security has to be well planned and requires a set of well-integrated products to provide the right balance between security and risk mitigation on one hand, and costs and complexity on the other. CA...

Webcast

Virtualization Security Trends & Insights: Results from KuppingerCole's Recent Survey

Kuppinger Cole Webinar recording

Webcast

Context-Based Authentication in Active Directory Environments

Kuppinger Cole Webinar recording

Blog

What I would expect from capacity MANAGEMENT

These days I talked with one vendor about his news around capacity management. Capacity management is used as a term to describe products which are used for optimizing workloads in data centers and to make the best use of the resources within these data centers. Honestly, I didn't do a deep dive into that specific area before, and maybe I'm green on advanced IT topics - but when vendors are promising capacity management, I'd expect that to be somewhat active. However, I've learned that it's about reporting and analytics - even in association with terms like dynamic, continuous, proactive...

Webcast

How to Let Your Access Management Scale - and Save Costs

Kuppinger Cole Webinar recording

Blog

Finally: Novell is sold

I've been following Novell for more than 20 years now. And for roughly the same period of time there have been rumours of other companies acquiring Novell. But it never happened. Not really, at least. You could argue that the acquisition of Cambridge Technology Partners was sort of a takeover of Novell by Cambridge, with Jack Messman becoming CEO and so on. But in the end, Novell was on its own again. But yesterday the news spread that Attachmate is buying Novell - finally they are sold. Attachmate will keep Novell as a separate business unit and maintain the brands of Novell and Suse. With...

Webcast

Integrating Enterprise GRC and IT-GRC Programs on a Single Framework

Kuppinger Cole Webinar recording

Webcast

Authentication in the Cloud - Done Right

Kuppinger Cole Webinar recording

Webcast

Identity and Data Protection in Cloud Computing

Kuppinger Cole Webinar recording

Webcast

Governance, Risk Management & Compliance in the Cloud

Kuppinger Cole Webinar recording

Webcast

Cloud Computing in Practical Implementation

Kuppinger Cole Webinar recording

Webcast

One Authentication Strategy for All - from Internals to the Customer

Kuppinger Cole Webinar recording

Blog

Secure Pipes or the new Role of Telcos

This week, I had a very interesting discussion with Werner Thalmeier, CTO of M86 Security, about the protection of systems and information. He used the analogy of the "secure pipe" to explain the approach they are following - today, our drinking water is clean, we can use it directly out of the pipe. In former days, it wasn't. It had to be cooked, filtered, and so on. The approach of M86 Security is basically the same - keep the pipe clean so that you don't have to care about what comes out. We ended up in a discussion of new challenges in that area, especially the "apps" for the so called...

Webinar

Dec 16, 2010: Using Standards to manage access to SOA and Cloud Services

In this webinar you learn how a Gateway and a Policy Server work together to apply policies to SOA and Cloud services. These policies control not only who can access the services, but also when they can access the services, how they can use the services, and how the access control decision is made. A best practice framework will be described, which scales to high-volume usage and allows reuse of these policies, promoting efficiency and reducing time-to-market and development costs. Besides KuppingerCole's Senior Analyst Felix Gaehtgens, who will give an introduction and moderate the...

Blog

You can’t have one without the other(s)

Remember the old New Yorker cartoon about the canine computer user telling his sidekick: "On the Internet nobody knows you’re a dog"? That was back in 1993, but it still holds true. And while many, myself included, relish the anonymity the Net gives us, the inability to prove conclusively who is on the other end of the line can be irking, and even downright dangerous, when large sums of money or the running of critical or possibly even existential systems is concerned. Of course, the username/password currently used by almost everybody doesn’t prove who you or I are at all. It simply...

Webcast

SharePoint Governance: From Site Chaos to a Trustworthy Platform

Kuppinger Cole Webinar recording

Webcast

XACML Based Authorization - Considerations for an Efficient and Flexible Architecture

Kuppinger Cole Webinar recording

Blog

eMail that no one really needs

These days, the Deutsche Post started its eBrief service. And the so-called De-Mail is on its way as well. The common idea: Trustworthy, legally signed eMail. So far, so good. But we all know that it's not the first approach for secure eMail. Some people are even using it actively, and some even beyond the reach of their corporate eMail systems. But when I look at my inbox, well below 1% of the incoming mails are signed and exactly 0% are encrypted. Why should that change with new services which are expensive (to send the eBrief costs money like a real letter), have a complex registration...

Blog

Old dog, new tricks

At my time in life, you sort of become settled into old, comfortable habits, and that’s okay. However, moving from Munich to Boston to set up our new US office has shaken a few things up in my life. And as if that wasn’t enough, I flew out to the Bay Area a couple of days later to attend IIW ’11, which the organizers, Kaliya Hamlin (a.k.a. “identitywoman”), Phil Windley and Doc Searls put on at the Museum of Computer History right around from NASA’s Ames Research Lab at Moffett Field in Mountain View – and boy did that give me a dose of culture shock. I mean, we at KuppingerCole have some...

Webinar

Nov 30, 2010: Privileged Cloud Identity Management

In this webinar, Martin Kuppinger of KuppingerCole will first give a basic introduction to the management of privileged users within the enterprise, within outsourcing relationships and in the public cloud. The focus will be in particular on the question of which requirements should be placed on a public cloud or outsourcing provider so that your internal (PUM) is not compromised by the addition of cloud services. Jochen Koehler of the Privileged Identity Management specialist Cyber-Ark will then follow with a highly interesting...

Webcast

Access Under Control: From Overview to Risk Minimization

Kuppinger Cole Webinar recording

Webcast

How to Deploy Identity Management When You're Not a Top Fortune 500 Company

Kuppinger Cole Webinar recording

Webinar

Nov 23, 2010: How to let your Access Management Scale – and Save Costs

In this webinar, Martin Kuppinger will talk about streamlined approaches to consistently implement access management in a way to have common identities and policies applied to authentication. Followed by Martin, Sara Buttle, Alfredo Vistola (both F5 Networks) and Patrick McLaughlin (Oracle) will describe their practical view on how an efficient, scalable access management should be implemented.

Webinar

Nov 26, 2010: Virtualization Security Trends & Insights: Results from KuppingerCole's Recent Survey

Sponsored by CA Technologies, KuppingerCole has conducted a survey to better understand your views and experiences on security in virtualized environments and the developments happening in this space. How do you secure your virtual environments today? And what does your future roadmap look like? In this webinar, Martin Kuppinger will show the results of the survey and will give you some background.

Webinar

Nov 26, 2010: Context-Based Authentication in Active Directory Environments

The (automatic) adaptation of the security level of an authentication process to the respective context makes a considerable contribution to operational efficiency and saves money. In this webinar, Martin Kuppinger, Principal Analyst at Kuppinger Cole, talks about the different approaches to adaptive authentication, in which authentication methods of differing strength can be applied to different risks, and gives an overview of solutions in Active Directory environments. Reto Bachmann of Quest Software will then address the use of Quest Defender in...

Webinar

Dec 09, 2010: Building Operational Governance for SharePoint 2010

During this free webinar, Martin Kuppinger will give an overview on SharePoint Governance, followed by SharePoint expert Joel Oleson who will show you how to simplify SharePoint 2010 management with operations plans that include governance and change management policies as well as governance best practices.

Webinar

Nov 12, 2010: SharePoint Governance: From Site Chaos to a Trustworthy Platform

SharePoint environments tend to resist your organization's GRC requirements. In this webinar, Martin Kuppinger describes a holistic approach to integrating your SharePoint environment into enterprise-wide GRC and identity management. Dr. Martin Kuhlmann of Omada will then show in detail how this approach can be implemented effectively.

Webinar

Dec 13, 2010: Managing the Change - Getting on the Road to the Cloud through Small and Manageable Steps

In this webinar, KuppingerCole's Principal Analyst Martin Kuppinger will discuss with Joe Baguley, Quest Software's CTO Europe, how to transition from a reactive, siloed IT to a more agile, cloud computing aware infrastructure through small, manageable steps and subtle changes in thinking.

Webinar

Nov 19, 2010: Integrating Enterprise GRC and IT-GRC Programs on a Single Framework

This webinar will highlight how organizations can manage risk better across their IT and business processes, thus enabling them to determine potential impact considering both IT and business controls.

Blog

Cloud Computing is mainly Service Management

When looking at all the discussions around the "cloud" I still miss some focus on the real essentials of a strategic (!) approach for using clouds. Clouds are, when looking at the right now common understanding of private, hybrid, and public clouds, in fact nothing else than IT environments which produce IT services. These services are provided at many different layers, like in the common (and pretty coarse grain) segmentation into SaaS, PaaS, and IaaS. But: It is about the (efficient, scalable,...) production of standardized, reusable services. Cloud Computing is about using these...

Webcast

Policy Based Access Control with XACML 3.0

Kuppinger Cole Webinar recording

Blog

IT-SA conference takeaways

A long time ago my last post... Anyway, lots of first-year students and research grant applications kept me busy. The IT-SA is now THE event for IT-security in Germany. It has not the flavour of the RSA conference, although it may actually be of a similar size, at least in the exhibition area. It is much more about small conferences around the exhibition floor, organized / owned by different people and groups, such as e.g. the AppSec conference in Germany or the KuppingerCole Enterprise Cloud Security summit. Consequently, and this is especially true for folks from abroad, don't expect a...

Blog

Convergence re-iterated

The press release of HID acquiring ActivIdentity almost slipped my sensor network, despite the fact that I had the honour of having some close contact to top-level HID guys this week. I am totally positive about this acquisition, as HID now is able to get their hands on some really good Versatile Authentication Server (VAS) with AI's 4Tress product. This is what they need to really set a mark in the authentication industry, because their NaviGO tool was a good starting point but it really lacks the quality and integration some of the other tools feature. HID is brand new to "software", but...

Webinar

Nov 11, 2010: XACML Based Authorization - Considerations for an Efficient and Flexible Architecture

Attribute based authorization, using XACML, is the vanguard approach for enforcing business and security policies in the 21st century. However, XACML does not live by policies alone - it consumes privilege-granting attributes from various identity sources. For this webinar, KuppingerCole have brought together pioneers in XACML and attribute management, Axiomatics and Radiant Logic respectively, to discuss architectural considerations for a standards based solution to externalize authorization. KuppingerCole's Senior Analyst Felix Gaehtgens will interview Gerry Gebel, David Brossard...

Webinar

Nov 18, 2010: Authentication in the Cloud - Done Right

When internal and external users have to log on to services that run sometimes in the private and sometimes in the public cloud, performing reliable authentication appears at first glance to become much more complex. But is that really so? Or do today's established technologies such as Identity Federation or Enterprise Single Sign-On, combined with new approaches such as context-based, flexible authentication, not offer options for implementing a consistent authentication strategy? Martin Kuppinger and Sebastian Rohr of KuppingerCole will...

Webinar

Nov 18, 2010: Identity and Data Protection in Cloud Computing

The same security policies apply across the enterprise, regardless of where users work from and where the services they use are provided. Seamless integration of cloud services into your company's security concept, and one identity for everything, whose security is adapted to the respective context. That, or something like it, is how a working foundation for secure cloud computing can be described in a few words. In this webinar, Sebastian Rohr, Senior Analyst at Kuppinger Cole, describes how, step by step, your existing infrastructure...

Webinar

Nov 18, 2010: Governance, Risk Management & Compliance in the Cloud

In the meantime, a great many companies have decided to use services from the cloud, in some cases for years already, before the term cloud computing had even emerged. But when it comes to distributing business-critical information, the reluctance is much greater, and the conflict between "high availability" of information and its security grows stronger as cloud computing continues its triumphant advance. For internal systems, a working GRC approach is the rule. But what about the cloud? In...

Webinar

Nov 18, 2010: Cloud Computing in Practical Implementation - A Guide

However strong the response to the topic of cloud computing may be, there is often still a wide gap between the aspiration of making internal IT more flexible and more cost-effective by adding cloud services, and the practical implementation. There are several reasons for this. On the one hand, there is no consensus on trust-building guidelines that govern business between cloud providers and the "consumers" of cloud services. On the other hand, there is widespread uncertainty about how cloud computing affects existing risks and which new risks come with...

Webcast

Identity Federation: Essential Building Block for a Winning Cloud Strategy in your SAP Environment

Kuppinger Cole Webinar recording

Webcast

Back to Core Competence: Cloud Computing as a Strategy

Kuppinger Cole Webinar recording

Webinar

Nov 16, 2010: One Authentication Strategy for All – from Internals to the Customer

Martin Kuppinger of KuppingerCole will discuss the trends around authentication strategies, the breadth of options available today, and the future evolution towards a centralized layer for context-based authentication and authorization - for all types of users and for all types of services and use cases. Dirk Losse of ActivIdentity will then describe some Best Practices and talk about his experiences with authentication projects.

Blog

Soft biometrics for stronger authentication

I'm somewhat reluctant regarding biometrics. There are some good reasons that biometrics still are a niche approach: The need for specialized hardware, the aversion of users against some biometric approaches like fingerprints, the discussion about potential security weaknesses for example around fingerprints, the intrusiveness to the user experience, and more... However, there is one approach I find interesting: Keystroke Biometrics. The German vendor Psylock provides several solutions based on what they call keystroke biometrics. The user has to train the system a little. I had to enter...

Webinar

Oct 28, 2010: Access Under Control: From Overview to Risk Minimization

In this webinar, Martin Kuppinger of KuppingerCole covers the trends in Access Governance and the role that Access Governance can and must play in GRC strategies. He defines requirements for Access Governance solutions and provides a checklist for selecting such solutions. Klaus Hild of Novell then talks about best practices for the step-by-step development and implementation of Access Governance solutions.

Webinar

Oct 25, 2010: How to Deploy Identity Management When You're Not a Top Fortune 500 Company

Medium-to-large enterprises face specific challenges in implementing identity management. Quite often, solutions are tailored for very large companies, making deployments an uneasy fit. In this Webinar, Martin Kuppinger will show how, by adding focused added value step-by-step, enterprises can accumulate quick wins and reach identity workflow and compliance safely. Followed by Martin, Stéphane Vinsot from Evidian will lead you through some Best Practices and will talk about Evidian's experiences with identity management deployments in medium-to-large enterprises.

Webcast

Privileged User Management: Who Controls the Admins?

Kuppinger Cole Webinar recording

Product Report

Product Report: Novell Identity Manager 4

Novell Identity Manager 4 is a family of products in the category of enterprise provisioning, allowing synchronizing and managing identities and entitlements, including strong policy and reporting features. Beyond the basic capabilities, Novell has added advanced role management and policy management features as well as new reporting capabilities and support for cloud applications. That reflects the overall trend in the market from technical provisioning tools towards more complete platforms with support for a multitude of target systems as well as integrated Access Governance...

Blog

Oracle acquires Passlogix

Oracle has announced that they are acquiring Passlogix. That is no real surprise to me. Oracle has been the last large OEM partner of Passlogix for their E-SSO (Enterprise Single Sign-On) solution. Others like IBM had opted for their own solutions in the past. Passlogix had some success in direct sales, but being a niche vendor they probably had to decide between an exit strategy or significant investments to expand their own portfolio. From an Oracle perspective, the acquisition definitely makes sense. Oracle mentions "tighter integration" as the opportunity behind that deal. And that exactly...

Blog

Red Hat and the Cloud

These days I've talked with Red Hat about their Cloud strategy. It was an interesting and, in some areas, somewhat surprising conversation. It is not that surprising that Red Hat doesn't focus on becoming an IaaS (Infrastructure as a Service) provider themselves, e.g. directly competing with Amazon EC2, Microsoft Azure and other environments isn't on their agenda at that point of time. Red Hat focuses on providing the technology some of these providers (not Microsoft, for sure) require - but not mainly the very big ones, but all the others like Telcos, large MSPs (Managed Service Providers),...

Press Release

KuppingerCole to open US office

Expansion part of global strategy – expanded service offering in identity and security Duesseldorf, October 05th 2010 – In order to better serve its clients in North America, KuppingerCole, the globally recognized European analyst group in Identity Management and Information Security for traditional, cloud and hybrid infrastructures, has announced the opening of a U.S. branch. Tim Cole, co-founder and Distinguished Fellow at KuppingerCole, will coordinate all activities from the group’s new office in Boston.

Webcast

Best Practices for Enterprise Log Management

Kuppinger Cole Webinar recording

Product Report

Product Report: SECUDE Security Intelligence

SECUDE is a vendor that specializes in security solutions. A significant part of the solution portfolio is located in the SAP environment. In addition to the new product SECUDE Security Intelligence for SAP, this includes in particular functions for secure authentication and communication in SAP infrastructures. SECUDE Security Intelligence works as a layer between the various protocols and systems in the SAP environment with SIEM-relevant (Security Information and Event Management) information on the one side and consuming systems...

Product Report

Product Report: SECUDE Security Intelligence

SECUDE is a vendor specializing in security solutions mainly for SAP customers. In addition to their latest product, SECUDE Security Intelligence, the company’s portfolio includes a number of solutions providing authentication and communication within SAP environments. SECUDE Security Intelligence works by providing a layer between the various protocols and SAP-related systems handling SIEM (Security Information and Event Management) information on the one hand, and the receiving applications on the other. These are typically also SIEM-enabled. Data in the SAP system is extracted by...

Blog

Security questions for authentication - a ticking privacy time bomb?

We all are familiar with external (and sometimes also internal) websites which require us to pick or define security questions and to provide answers to these questions. What is your mother's maiden name? Which is your favourite sports team? Which is the color you like most? And so on... These questions are sometimes used as additional means for authentication, for example by PayPal. More frequently they are used for password resets. These days, when working with my colleagues Sachar Paulus and Sebastian Rohr on a comprehensive piece on strong authentication which will be published soon, we...

Webcast

Get More out of Active Directory - Identity Services for Heterogeneous IT

Kuppinger Cole Webinar recording

Product Report

Product Report: CA Access Control – Privileged User and Password Management

CA Access Control Privileged User and Password Management is a solution which addresses a threat which virtually any organization today is facing: The risk of misuse of privileged accounts. Thus it is part of the PxM market segment (with PxM being Privileged User/Account/Access/Identity Management, depending on the product specifics and the vendor's marketing) within the IAM (Identity and Access Management) and broader IT Security market. The focus of PxM tools is to better manage and audit these accounts and thus mitigate the risks. CA Access Control Privileged User and Password...

Webcast

Making Optimal Use of the Microsoft Platform: A Comprehensive Identity Management Solution with Little Effort

Kuppinger Cole Webinar recording

Webinar

Oct 22, 2010: Policy Based Access Control with XACML 3.0

Version 3 of the XACML standard could be a large stride forward towards flexible and versatile access management. As opposed to traditional role-based access control systems, XACML is policy driven, not role driven. So, should we now throw away role-based access control? In this webinar, Kuppinger Cole's Senior Analyst Felix Gaehtgens will talk about the improvements achieved with this new standard version and describe how these improvements can influence current and future access control initiatives. Felix will be followed by former Burton Group Analyst and now Axiomatics Americas...

Webcast

Managing Identities in Hybrid Cloud Environments

Kuppinger Cole Webinar recording

Vendor Report

Vendor Report: Novell – Identity and Security

Novell has a very long history in the area of identity and security. The company started with network operating systems and the associated directory and security services and is among the pioneers in this market. Over the years the portfolio has been consistently developed and expanded. Today, identity and security is still one of Novell's core business areas, alongside the data center products around Novell Suse Linux and the products Novell calls "End User Computing" for...

Product Report

Product Report: Quest Defender

Quest Defender is an authentication platform solution that, unlike others in the market, offers true two-factor authentication supporting a wide range of tokens, thus providing strong authentication for a wide range of devices along with simplified token distribution. A special feature, though hardly surprising coming from Quest, is the deep integration it provides with Active Directory, Microsoft’s near-ubiquitous directory service. Identities, roles and policies are administered within Active Directory itself, thus enabling users to hitch on to existing AD infrastructures and...

Blog

Cloud Computing: Thinking inside the box

The problem with Cloud Computing is that no two experts can agree what it really is, right? Wrong! As of Sunday evening, we at least have two major players singing from the same psalm book. At Oracle Open World in San Francisco, Larry Ellison went public with the announcement that not only does he agree with Amazon on their definition of Cloud Computing; he is actually stealing their thunder, or at least the thunder of the name Amazon invented to describe their cloud services, namely “Elastic Cloud”. He also gave a firm answer to the age-old question, is Cloud Computing an...

Product Report

Product Report: Oracle Database Security

Oracle Database Security is in fact not a single product but a set of products. It supports different features around securing content in databases. This report focuses mainly on Oracle Advanced Security and Oracle Database Vault but covers the other products as well. This is based on the fact that these two products are, from the KuppingerCole understanding, at the core of Oracle Database Security. Both products are part of the relatively new product category Database Security, which consists of products which are specifically trying to enhance the security of information in databases....

Seminar

Oct 19, 2010: Enterprise Cloud Security Summit

Within just a few years, cloud computing has developed into a dominant trend that is also changing IT infrastructure like hardly any trend before it. In contrast to typical technology-driven trends, the demand for cloud computing services comes from the business departments, sometimes bypassing the "classic" internal IT infrastructure. For IT departments this means having to face a whole range of new security risks. At the KuppingerCole Enterprise Cloud Security Summit, experienced analysts will discuss with you how...

Product Report

Product Report: IBM Tivoli Identity Manager

The IBM Tivoli Identity Manager (TIM) belongs to the category of enterprise provisioning systems. Its core function is to reconcile identity information among different systems based on defined processes and connectors to the target systems in a structured, automated, and traceable manner. IBM Tivoli Identity Manager supports some integrated Access Governance capabilities beyond classical Identity Provisioning. The focus has shifted from pure provisioning towards the more advanced capabilities around role management, access certification, and SoD policies as well as advanced workflow...

Vendor Report

Vendor Report: Courion

Courion has provided identity management solutions since 1996 and is well established in North America. The company has traditionally not had a focus on Europe, even though several large accounts in Switzerland and the UK are using Courion’s products. This is about to change: the company has prioritized Europe for 2010 and is aggressively expanding there through new hires and partnerships. Courion’s flagship products are its identity access management suite that also includes many GRC (governance, risk-management and compliance) features. In fact, Courion’s product strategy...

Blog

IBM acquires OpenPages - and proves our GRC vision

It is always nice when trends an analyst has predicted become reality. I've been talking and blogging a pretty long time about the need for an integrated GRC approach, especially beyond the isolated "Enterprise GRC" with little automation. Yesterday, IBM announced that they agreed to acquire OpenPages, one of the most prominent vendors in the Enterprise GRC space. That isn't really a surprise, given that IBM has been investing in the GRC market for quite a while. The really interesting parts in the presentation given by IBM on this acquisition yesterday are the parts where the Enterprise GRC...

Webcast

Virtualization Security Trends & Insights

Kuppinger Cole Webinar recording

Webinar

Oct 14, 2010: Back to Core Competence: Cloud Computing as a Strategy for Less Complexity in IT

In this webinar, Martin Kuppinger introduces the topic of cloud computing and presents a checklist for the best and, above all, secure entry into the public cloud. Mani Pirouz, a representative of the successful cloud computing pioneer salesforce.com, will then describe a number of practical examples and take part in a discussion about the opportunities and risks of cloud computing.

Webinar

Dec 02, 2010: Cloud Computing Risk Areas

Before jumping into the cloud, you should know about the risks, so that you can ask your provider the right questions. In this webinar session, we will discuss the main risk areas of cloud computing, such as data location, transparency, privileged user access, recovery and data segregation, and how to keep them under control.

Webinar

Dec 02, 2010: How does Cloud Governance Relate to IT and SOA Governance and what should be done Differently?

When applications and information move beyond the perimeter, they become more vulnerable and cause privacy related issues. How can we make sure that cloud services live in a controlled environment? Do we need to reinvent the governance wheel or is Cloud governance just an extension of your existing SOA governance? Join us in this webinar session to discuss this exciting topic.

Webinar

Dec 02, 2010: Designing a Cloud-ready Holistic IT Security Concept - the Business View

IT security is in a challenging transition period. On the one hand, threats are real and they are growing more and more sophisticated. On the other hand, the promise of cloud computing is trying to transform computing into a ubiquitous utility. The IT services world is going through a revolutionary change, making traditional, perimeter-based security models obsolete. And it will not stop; it will get even worse. If there ever has been a time to totally rethink your overall security strategy, it's good that it is now. Join us in this session to discuss the new holistic enterprise...

Webinar

Dec 02, 2010: 5 Key Challenges for Cloud Computing Governance

Cloud Computing is adding a number of challenges to IT governance. In this opening session to the 2010 Kuppinger Cole Cloud Computing Virtual Conference, Martin Kuppinger will talk about the 5 key challenges to be aware of, if you want to extend your IT governance to cloud computing.

Blog

Cloud Computing: Thinking inside the box

The problem with Cloud Computing is that no two experts can agree what it really is, right? Wrong! As of Sunday evening, we at least have two major players singing from the same psalm book. At Oracle Open World in San Francisco, Larry Ellison went public with the announcement that not only does he agree with Amazon on their definition of Cloud Computing; he is actually stealing their thunder, or at least the thunder of the name Amazon invented to describe their cloud services, namely “Elastic Cloud”. He also gave a firm answer to the age-old question, is Cloud Computing an application or...

Webinar

Sep 22, 2010: Making Optimal Use of the Microsoft Platform: A Comprehensive Identity Management Solution with Little Effort

In this webinar, Martin Kuppinger outlines a scenario for building a holistic identity management infrastructure using the Microsoft security solutions. Dr. Martin Kuhlmann (Omada) then explains how such a solution is implemented in practice.

Webinar

Oct 08, 2010: Privileged User Management: Who Controls the Admins?

Contemporary approaches to managing privileged identities are therefore the focus of this webinar. First, Martin Kuppinger will give an insight into the different methods of privileged user management and an overview of the solution market. Klaus Hild of Novell will then draw on his extensive project experience, using a few striking examples from different industries, to describe the current state of practice and give recommendations for action.

Webinar

Sep 14, 2010: Virtualization Security Trends & Insights

In this webinar, Martin Kuppinger will talk about security in virtualized environments and the developments happening in this space. What does state-of-the-art security in virtual environments look like? And what should be a future roadmap that works?

Webinar

Oct 12, 2010: Identity Federation: Essential Building Block for a Winning Cloud Strategy in your SAP Environment

In this webinar, Martin Kuppinger will give an overview on the current and future role of identity federation in hybrid cloud infrastructures with a focus on SAP environments. He will be followed by Keith Grayson from SAP, who will be talking on SAP user management optimization through SAML 2.0.

Expo

Oct 19 - 21, 2010: it-sa 2010: IT Security Trade Fair

As a trade fair, the IT security trade fair it-sa 2010 in Nuremberg offers the ideal platform for positioning yourself successfully in a booming IT security market. For visitors, the it-sa concept is an attractive combination of tangible expertise, practical demonstration and a concentration of IT security solutions.

Blog

Not Just Any Port in a Storm

As anyone in the identity industry knows, more lies between America and Europe than just an ocean. In fact, when it comes to privacy and data protection, a wide gulf separates the old and new worlds. Germany in particular is often perceived as hidebound, not to say paranoid, when it comes to companies collecting personal data about their customers. People are signing up by the thousands to have their houses deleted from Google StreetView, with the mass-circulation “Bild Zeitung” running panic-inducing headlines like “StreetView snoops private data” and warning their readers about “Google’s...

Blog

New Survey

All participants of the survey will receive a complimentary copy of the survey results report, its key findings and recommendations. And even in private environments, either on-premise or in dedicated environments of service providers, things are changing. In this survey, we'd like to understand your views and experiences on security in virtualized environments and the developments happening in this space. How do you secure your virtual environments today? And what does your future roadmap look like? Kuppinger Cole have launched a survey on these questions and based on the results of...

Webinar

Sep 29, 2010: Get More out of Active Directory - Identity Services for Heterogeneous IT

Most companies have a central Active Directory infrastructure. There is therefore a strong case for building on it, for example to manage other system environments as well. This way, with little integration effort, you can get even more out of the infrastructure that is already in place and get heterogeneous IT under control.

Product Report

Product Report: Quest Defender

Quest Defender is a solution in the growing market for flexible authentication platforms. In contrast to other solutions, Quest Defender consistently relies on two-factor authentication. A great many different tokens are supported, so there is nevertheless a wide range of options for authentication, in terms of support for end devices as well as authentication strength and the logistics required for distributing tokens. A special feature of the product, which however...

Press Release

Article on "Cloud Computing - Service Management is the Key to Success" by Martin Kuppinger available

Düsseldorf, 12.08.2010 - Martin Kuppinger, founder and Principal Analyst at KuppingerCole, has written an article on “Cloud computing and the need for functioning service management”. In this article, Martin Kuppinger provides an updated, practice-oriented definition of the terms “cloud” and “cloud computing” and then describes the central role of service management in the successful implementation of cloud computing in enterprises. This is not only about the IT perspective,...

Blog

Diving down to the details of access controls

Provisioning is important for keeping access under control, and Access Governance solutions play a vital role in that game as well. However, there is a third group of applications which is commonly required: tools which allow you to dive into the details of access controls in specific environments. There are SAP-specific solutions and tools for mainframe environments, XACML for standardized entitlement management for custom applications might be counted as well - and there are tools for the world of less structured information, like file servers, Microsoft SharePoint, and others. These tools are...

Webinar

Sep 30, 2010: Best Practices for Enterprise Log Management

Traditional perimeters have been disappearing more and more, and not only since cloud computing became a hype. Managing risks and securing compliance in such "cloudy" environments has become a critical priority. At the same time, an ever-increasing number of different systems and devices creates floods of IT events, and those events have to be monitored to find out, in real time, which of them indicate a threat. Managing logs has therefore become a complex task. Join us in this webinar to discuss best practices for log management.

Congress

May 10 - 13, 2011: European Identity Conference 2011

With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.

Blog

The GRC Marketplace is shaking up: SAP and CA partnering on GRC

In the last weeks, I had a number of interviews and product / vendor briefings about GRC related products. And as you may have noticed, the marketplace is yet pretty unstructured. Since there is still no generally accepted common definition or reference architecture for GRC (although I have developed one, see my reports), anyone touching functionality related to GRC assumes it is in the core. And so you can find extended document management solutions there (for policy management) as well as controls and IT controls management tools, besides access governance and financial risk management...

Webinar

Sep 17, 2010: Managing Identities in Hybrid Cloud Environments

It is easy to understand why the cloud computing model appeals to senior executives, as it promises to enable enterprises to rapidly and cost efficiently adapt to changes in their business environment. Agility is key to success, but budgets are tight - that's where cloud computing scenarios fit in perfectly. Adding cloud services to your existing enterprise IT - how does that fit with your identity management? This is the key question when it comes to security in such hybrid environments. In this webinar, we will talk with you about identity infused compliance in hybrid cloud/internal...

Product Report

Product Report: Beta Systems Software AG SAM Enterprise Identity Manager v1.1

The Beta Systems Software AG SAM Enterprise Identity Manager belongs to the category of enterprise provisioning systems. Its core function is to reconcile identity information among different systems based on defined processes and connectors to the target systems in a structured, automated, and traceable manner. It also supports common provisioning features such as user self service, delegated administration and password management. Further functions include configurable workflows for request procedures and approvals as well as auditing functions for logging and analyzing modifications made...

Product Report

Product Report: Adobe LiveCycle ES2 Rights Management

Adobe LiveCycle ES2 Rights Management is a product that KuppingerCole assigns to the category of Information Rights Management (IRM). From KuppingerCole's point of view, IRM is one of the central functions for coherent, efficient and end-to-end information security concepts and thus a core building block of any IT security architecture. IRM relies on assigning entitlements directly to information. Documents are encrypted and given usage entitlements. This means that only the persons with the corresponding...

Blog

A Right to Forget?

The Internet, like an elephant, never forgets. Unfortunately, it also never forgives, as witnessed by the case of Stacy Snyder, a 25 year-old former student at Millersville University School of Education in Pennsylvania, who wanted to become a teacher. Until the day she went to a party and had her picture taken drinking from a plastic beaker and wearing a pirate hat. The picture found its way onto MySpace, where it was seen by a professor who thought it decidedly unfunny. In fact, he was so incensed that he informed the school authorities who refused to grant the young woman the diploma...

Blog

JanRain - identities for social networks

Amongst the different vendors I've spoken with recently, JanRain is definitely one of the most interesting ones - and will most likely make it into the list of next year's Hidden Gem vendors. JanRain has had some popularity as one of the initiators of OpenID and with their OpenID libraries and other related services. However, they have made an interesting move during the last years and now provide what they call a "user management platform for the open web". In fact, they provide products for web sites and social networks to enhance the user experience around registration and the services which...

Blog

SAP adds an Identity Provider

SAP recently has announced that their SAP NetWeaver Identity Management 7.1 now includes an SAML 2.0 Identity Provider - it requires the Service Pack (or Support Pack) Stack 5 (by the way: who at SAP is responsible for product names??? SAP BusinessObjects GRC Access Control; SAP NetWeaver Identity Management 7.1 SP Stack 5;...). SAP has been committed to SAML (Security Assertion Markup Language) for a while now - and SAML 2.0 support is found at many places in the SAP portfolio. SAP systems can act as service providers in federation scenarios, with SAML 2.0 enabling the Single Sign-On and sharing...

Blog

Your token to VISA...

The recently published document on protecting credit card data during processing and storage with tokenization technology has gathered quite a bit of response (see for yourself http://usa.visa.com/download/merchants/tokenization_best_practices.pdf). As others like Mr. McMillon of RSA said before (http://www.rsa.com/blog/blog_entry.aspx?id=1687), it is an overall good approach - and my very recent experience with CC data processing in outsourcing environments proves to me that solutions for this are in great demand. Besides the "nit-picking" (please excuse, we are totally on the same page...

Advisory Note

Trend Report: Desktop Virtualization and VDIs

Desktop Virtualization and VDIs (Virtual Desktop Infrastructures) are key topics for many IT managers and decision makers. However, like with every hype topic, there are shortcomings. Investments in VDIs and Desktop Virtualization thus have to be done carefully, after weighing the opportunities against the risks and the strengths against the weaknesses. From the perspective of KuppingerCole, VDIs will play an important role in the strategy for providing desktops or workspaces to users. However, they are one deployment option amongst others and will co-exist with other deployment options for...

Blog

The Risks of Local Password Management

In the run-up to the Black Hat meeting next week in ORT, hackers have announced that they will publicly demonstrate how to compromise the password storage system used by Firefox in its popular browser. Using so-called cross site scripting attacks (XSS), they want to prove that storing passwords locally is inherently dangerous. Well, so what else is new? The real question is: How can we make Single Sign-On (SSO) safe? The answer is: You can do it – but it won’t be easy. Fundamentally, the issue revolves around the proper storage of credentials. Most enterprise-scale SSO solutions in use...

Blog

Facebook - they won't understand

Today I opened my Facebook which I use actively since yesterday. When going to my settings, the system informed me about changed privacy settings. What it then recommended was ridiculous: All my very tight settings should be opened up. Instead of sharing information only with my friends, the system suggested that I should share a lot of information with everyone and other, sometimes sensitive information (religion, political opinions) with friends of my friends. I had to manually change back everything to "old settings" which at least was an option I could use. However, from my perspective...

Blog

Cloud, Automation, Industrialization

Cloud Computing is still a hot topic. And there are still many different definitions out there. I personally tend to differentiate between two terms: Cloud: An IT environment to produce IT services. Cloud Computing: Making use of these services - procurement, orchestration, management,... Thus the internal IT can be understood as one of many clouds, there might even be multiple internal clouds. But we don't have to care that much about internal, external, public, private, hybrid,... The prerequisite for an IT environment to be understood as a cloud is the service orientation, e.g. the...

Blog

Impressions from the IT-Analyst Event in London

Last week I was invited to the IT-Security Analyst & CISO Forum Event in London, with a few vendors and a few CISOs. The form of the event is unique, and thanks to Eskenzi PR it is an excellent opportunity to gather the expectations from CISOs and the answers to these by vendors. Here are a few impressions and take-aways: - "Most of the vendor's products are crap, they are fundamentally flawed in the sense that they do not increase security a pence", as one of the CISOs said (Chatham House rules applied). More specifically, asking for more details, most of the tool and product vendors...

Blog

The new Swift agreement contains the seeds of new security issues

The European Parliament has passed the controversial new Swift agreement following intense debate aimed at dispelling worries about data protection. In fact, nothing much was changed, and the amount of data to be forwarded to US authorities involved in the “war of terrorism” remains mind-boggling. Proponents of the new agreement point out that it at least gives Europeans a say in what data to release. A representative of Europol, the European Law Enforcement Organization, will be able to veto any request with doubtful legal grounding. But isn't that hopelessly old-fashioned? In fact,...

Blog

Quest and Völcker - and what about the customers?

Yesterday, Quest announced the acquisition of Völcker Informatik. I've blogged about the impact on the IAM (and especially the Identity Provisioning) market yesterday. In this post, I'll focus on the impact on existing customers. Acquisitions are always a situation where FUD arises - fear, uncertainty, doubt. There are many examples of acquisitions where customers were on the loser's side afterwards, because their products of choice were (or are) supported only for a limited time before they had to migrate to another product. I won't bash on vendors here who have acted like that - you all...

Blog

The first Hidden Gem isn't hidden anymore!

Some days ago, we've published our report on Hidden Gems 2010 - vendors which are innovative but not that well known, at least not on a worldwide basis. We've included 25 vendors. Right now, only 24 of them are hidden. Völcker Informatik, one of the Hidden Gems, has been acquired by Quest Software. There is a good reason for that: Völcker is, from the Quest perspective, a Gem which might help them make shine (even) more than before. And not only from the Völcker perspective. For sure I like it when a Hidden Gem becomes "more visible", because it proves our rating of these vendors. So I'm...

Blog

Quest acquires Voelcker - the IAM market will change...

Today, Quest announced that they will acquire the German Völcker Informatik AG with its ActiveEntry product, a leading-edge identity provisioning solution with some integrated Access Governance capabilities. From my perspective, that is a very interesting acquisition, which brings Quest into a leading position in the overall IAM market. Until now, Quest has been a provider of several point solutions around IAM issues. They had some provisioning capabilities in their ActiveRoles Server before - but it hasn't been the technical leading-edge product but more an add-on for some provisioning...

Blog

Do we still have to care about directory services?

It became pretty quiet around directory services during the last years. When I remember the discussions back some 10, 15 or 20 years around NDS versus LAN Manager (and the underlying domain approach) or Active Directory when it came to market, and even the discussions which came up in the early days of OpenLDAP, it is pretty quiet nowadays. Are all the problems solved? Are the right directories in place? Are the best solutions chosen when something changes? When talking with end user organizations it becomes obvious that we are far away from that state. There are implementations of...

Press Release

New Trend Report „Hidden Gems 2010“ from analyst group Kuppinger Cole available

Kuppinger Cole introduces an overview of Hidden Gems 2010 in the area of Identity and Access Management, GRC (Governance, Risk Management, Compliance) and Cloud Computing

Product Report

Product Report: Völcker ActiveEntry 4.1

Völcker Informatik AG based in Berlin has established itself in recent years as a provider of technically innovative solutions and a vendor to be reckoned with in the field of Identity and Access Management (IAM). In the process, the company has become highly visible in the German-speaking market and has succeeded in creating a substantial customer base including many large and well-known corporations, particularly in the German-speaking market. With introduction of its new flagship product, ActiveEntry Version 4.1 for enterprise provisioning, Kuppinger Cole believes that the company...

Blog

How Data Leaks Through Twitter

If you’re a soccer fan, thinking back to the year 1986 will probably remind you of the nail-biting final between Germany and Argentina that the South Americans narrowly won (unlike the devastating 0:4 loss they received this year, but that’s only by the way). If you are a data protection professional, however, harking back to 1986 will probably conjure up memories of the widespread street demonstrations during the run-up to the German census. Of course, the 80ies saw a lot of protest movements; atomic weapons and the new runway at Frankfurt International drew angry crowds, but resentment...

Webcast

Hidden Gems - Vendors you Should Have a Look at

Kuppinger Cole Webinar recording

Advisory Note

Trend Report: Hidden Gems 2010

This report covers vendors which are, from the KuppingerCole perspective, Hidden Gems in the markets which we are analyzing. The “Hidden Gems” are vendors which are

• relatively small and
• innovative

They might be established in a specific country (being sort of “world famous in Italy”) but not that visible beyond that country. They might be successful only in a specific industry but provide products and services that are of value for many other industries. But all of them have a clear unique selling proposition and...

Blog

BAM brought to reality

Do you remember the term BAM? BAM is an acronym for Business Activity Monitoring. It was a hype topic in the early 2000's. And then we didn't hear that much anymore about this topic. Yes, there are several vendors out there, providing different types of solutions. And like always, there are several vendors who claim to be the leaders in the category of BAM. When BAM became a hot topic some 10 years ago, the implementations were nothing else than a little advanced analytics. That was, at that point of time, far away from my expectations which were around intelligent, automated, real-time...

Webcast

How to Keep Entitlement Management Lean - in any Environment

Kuppinger Cole Webinar recording

Blog

No more Mr. Nice Guy

Adobe is a company everybody likes. Okay, with the possible exception of Steve Jobs, that is. But really: Adobe is probably the largest vendor in the IT industry that doesn’t compete head-on with any of the other giants. In fact, cooperation seems to be somehow bred into their genes, which is why the Adobe managers I met with recently in Paris seemed to be exceptionally nice. But that may change. Take Sydney Sloan, Director, Adobe’s director of product marketing & operations who is a typical charming Canadian (except that she’s an expat from the States) and whom I must thank for a...

Blog

Cloud Security = IDM+ERM, BUT: who will drive it is the real question!

My last blog on the future necessities to really, really secure applications in the cloud was heavily discussed, which I think is a good sign, obviously there is something to discuss... But let's get a bit more down to the real problems. Of course, DRM is not the same thing as ERM (let me stick to ERM for the time being), and most of the companies having integrated DRM technology into their content offering have absolutely no clue about the potential complexity of access rights one might need in a company context - just look at the average number of enterprise roles for a medium-sized...

Blog

VDIs - more than a deployment option?

Virtual Desktop Infrastructures (VDIs) are hype. But are they really a strategic element of IT? Or are they just a deployment option? I think that the answer is influenced by two major aspects:

• Time and the maturity of Desktop Virtualization
• The functional breadth of VDIs

With respect to the first aspect, VDIs today are sort of a more expensive, more complex alternative to Terminal Services. Fewer users per server, the same (sometimes a little bit more advanced) protocol for remote desktop access, very limited capabilities to run the VMs locally on a hypervisor - VDIs aren't really...

Webinar

Jun 29, 2010: How to Keep Entitlement Management Lean - in any Environment

How can you gain more flexibility and efficiency in an environment where requirements change very fast, and where users and services can no longer be easily classified as "internal" or "external"? This webinar is about key decision criteria for lean entitlement management and provisioning solutions.

Blog

Choosing the right Identity Provider

It isn’t exactly a new idea, but designing your Identity and Access Management (IAM) with your users in mind always makes sense. But how about your customers and suppliers? After all, they, too, increasingly need to gain admittance to some of your internal applications and data. Unfortunately, internal directories usually aren’t up to the job, so choosing the right identity provider is growing more and more important.

Blog

Beyond LDAP - have a look at system.identity

LDAP (Lightweight Directory Access Protocol) is well established. It is the foundation for today's Directory Services, which support LDAP as a protocol and which usually build their data structure on the associated LDAP schema. There are many interfaces for developers to use LDAP, from the LDAP C API to high-level interfaces for many programming environments. Even while LDAP is well established, it is somewhat limited. There are several restrictions - two important ones are: The structure of LDAP is (more or less) hierarchical. There is one basic structure for containers - and linking...

Blog

Cloud Security = Interoperability for DRM

This week was very interesting for me. I have had a number of calls and meetings with people dealing with software components and architectures that will make the cloud secure. And the most interesting observation is: actually everything is there. We as an industry could simply start doing secure clouds right away. It is of course not so much about the standard stuff that we often hear: trust into the cloud providers, their ability to deal with data privacy requirements, or multi-tenancy capabilities of enterprise cloud services. No. It is actually about how to secure the data between...

Webinar

Jul 02, 2010: Hidden Gems - Vendors you Should Have a Look at

In this webinar, Kuppinger Cole's founder and chief analyst will talk about his research findings for a recent report on vendors which are, from the KuppingerCole perspective, Hidden Gems in the markets which we are analyzing. “Hidden Gems” are vendors which are (still) relatively small, less known than "the big ones", and which offer innovative solutions worth considering. There are currently a lot of other interesting innovations out there, released by established vendors, for example Microsoft’s U-Prove. However, this webinar will cover only those vendors...

Blog

Reducing lock-in risks - Salesforce.com has understood

One of the really interesting announcements in the Cloud space these days has been from VMware and Salesforce.com with their vmforce offering. Their claim is "The trusted cloud for enterprise Java developers". Correct. It is a cloud environment where Java developers can build apps with a Spring Eclipse-based IDE, where they can use Tomcat, and so on. Thus there is an environment to build and deploy Java apps in the cloud. Beyond that, force.com functionality might be used. That is definitely interesting because force.com provides a lot of services around business analytics, reporting,...

Seminar

Jun 30, 2010: End-to-End Protection Instead of Piecemeal Measures - Protecting Information Properly

How can information be protected optimally and reliably in all usage situations ("at rest, in move, in use")? Information Rights Management is one of the strategically most important approaches here and a core element of information security strategies.

Blog

My new iPad and Identity Management

Today, I ordered my new iPad. I am really eager to use it, especially as a multi-purpose information and media home device. So far, so good. Obviously a device like this will be THE front end for the brave new Cloudy Web Services world. Whether via classical http(s) requests or via WS-*, the Apps on these kinds of devices will make the Cloud happen to the average home user. But: I am not sure how this fits into the identity management demands of these services. Haven't we seen so much integration and convergence trends in the identity space in the last months? How do these actually match...

Press Release

European Identity Conference (EIC) expands further

Identity Management and Governance for Businesses – and the Cloud

Munich, May 27th 2010 – The European Identity Conference 2010, which drew to a close on May 7th, 2010, has further solidified its position as the premier event for IAM (Identity and Access Management) and GRC (Governance, Risk Management and Compliance). At the same time, the topic of Cloud Computing—with special emphasis on Cloud Security and Governance—has shifted even more into the limelight, also as a result of the Cloud 2010 conference that ran parallel to the EIC.

Conference

Oct 04 - 06, 2010: The Experts Conference Europe

The Experts Conference (TEC) 2010 is coming to Düsseldorf this year! TEC 2010 Europe offers first-class training and networking – for experts, by experts – and teaches you effective, innovative ways to manage the technologies that support your business processes every day. In addition to the established training on Microsoft Directory & Identity technologies, TEC 2010 will again feature numerous Exchange talks and, for the first time, SharePoint sessions as well.

Conference

Oct 04 - 06, 2010: The Experts Conference Europe

The Experts Conference (TEC) Europe is coming to Düsseldorf in 2010! TEC 2010 Europe delivers world-class training and networking - for the experts, by the experts - and teaches better, more innovative ways to run and manage the technologies that drive your organization every day! In addition to its highly-acclaimed training on Microsoft Directory & Identity technologies, TEC 2010 will bring back a full agenda of Exchange training and the first ever TEC for SharePoint! As one of the Identity experts Martin Kuppinger (Kuppinger Cole) discusses in his presentation “Provisioning...

Press Release

Identity Management and Governance for Businesses – and the Cloud

European Identity Conference (EIC) continues to grow

Munich, May 25, 2010 - The European Identity Conference 2010, which ended on May 7, 2010, has further strengthened its position as the leading event for IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance). At the same time, the topic of Cloud Computing, and in particular Cloud Security and Governance, has moved increasingly into focus, also due to the parallel Cloud 2010 conference.

Webcast

Bridging Mobile Networks IP Multimedia Subsystem (IMS) and Internet Identity

Best practices session at the European Identity Conference 2010 by Jonas Hogberg, Ericsson

Webcast

Orange France Telecom Identity Management Strategy

Best practices session at the European Identity Conference 2010 by Philippe Clément, Orange/France Telecom

Webcast

Identity Management & Cloud Computing in the Automotive Industry

Best practices session at the European Identity Conference 2010 by Dr. Barbara Mandl, Daimler AG

Webcast

Managed IAM Service Project at Piaggio

Best practices session at the European Identity Conference 2010 by Lorenzo Mastropietro, Piaggio

Webcast

Bringing BMW’s New Central Identity and Access Management System into Life

Best practices session at the European Identity Conference 2010 by Jürgen Skerhut, BMW and Dr. Andreas Neumann, Logica Deutschland

Webcast

Integrating Physical Access Control into Active Directory at King ICT, Croatia

Best practices session at the European Identity Conference 2010 by Adrian Castillo, HID Global and Kristian Koljatic and Nino Talian, KING ICT d.o.o.

Webcast

German National ID – Privacy by Design

Best practices session at the European Identity Conference 2010 by Andreas Reisen, Federal Ministry of the Interior, Germany

Webcast

The EC STORK Project - Approaches, Challenges, Results

Best practices session at the European Identity Conference 2010 by Marc Sel, PwC Belgium

Webcast

SPOCS - Crossborder Access to eGovernment Services

Best practices session at the European Identity Conference 2010 by Martin Spitzenberger, Austrian Federal Chancellery

Webcast

Identity and Access Management at Munich University Hospital

Best practices session at the European Identity Conference 2010 by Dr. Walter Swoboda and Simon Leutner, University Hospital of Munich

Webcast

From Creative Chaos to Modern Service Provisioning

Best practices session at the European Identity Conference 2010 by Dr. Nicola Stein, German Aerospace Center

Webcast

Migros Identity Management & SSO - Implementation and Perspectives

Best practices session at the European Identity Conference 2010 by Rudolf Gisler, Migros and Dr. Peter Schill, SafeNet

Webcast

Venn and the Art of Data-Sharing

Best practices session at the European Identity Conference 2010 by Eve Maler, PayPal Inc.

Webcast

Business Oriented Entitlement Life-Cycle Management

Best practices session at the European Identity Conference 2010 by Henrik Siiskonen, If P&C Insurance Company Ltd and Pekka Hagström, RM5 Software

Webcast

From Plastic to Secured Bits - a Wallet for Virtual Cards on the Mobile Phone

Best practices session at the European Identity Conference 2010 by Jörg Heuer, Deutsche Telekom Laboratories

Webcast

Login for the Mobile Internet - What new Challenges arise from Mobile Internet Usage?

Best practices session at the European Identity Conference 2010 by Michael Gärtner, Deutsche Telekom AG

Webcast

Best Practices for Identity Management from the Annals of Private Banking

Best practices session at the European Identity Conference 2010 by Kumar Sarvesh, Deutsche Bank (Suisse) S.A

Webcast

Integration of SAP in a Comprehensive Identity Management Solution for Access and Authorization Control with Enterprise Roles

Best practices session at the European Identity Conference 2010 by Dr. Uwe Vehlies, Hannover Re and Rüdiger Berndt, Oxford Computer Group Deutschland

Webcast

Online Services and Identity Management – Driving Innovations through a Cross Sector Vision

Best practices session at the European Identity Conference 2010 by Olivier Maas, Atos Worldline and Vincent Etchebarne, Orange Labs / France Telecom

Blog

Trends from the European Identity Conference

The European Identity Conference (EIC), which has become the foremost gathering point for the identity community in Europe, focused this year on a number of current topics in the areas of identity and security. A new track dedicated to cloud computing shed new light on application scenarios with special reference to security issues. Attendees and experts agreed that this will be the make or break issue for this well-hyped form of decentralized IT. One important conclusion reached by many at the conference is that, while cloud computing may be a good way to handle data processing and even...

Product Report

Product Report: Völcker ActiveEntry 4.1

Berlin-based Völcker Informatik AG has established itself in recent years as a serious and technically very innovative vendor in the Identity and Access Management market. In doing so, the company has also succeeded, particularly in the German-speaking market, in achieving very high visibility and winning a significant number of customers, including large ones. With version 4.1 of its core product ActiveEntry for enterprise provisioning, the company, in KuppingerCole's view, consolidates its position at the top of the market. The strengths of the...

Blog

Why Software Security is a part of any Business Model

During the last weeks, with all the discussions about security- and privacy-related issues in social networks like Facebook or SchülerVZ, I've had some talks with people. My position is that these issues are a result of bad software architecture. The counter argument sometimes has been that when building these networks the focus has been on functionality, not security - and that the business model of these networks is based on the functionality. What was meant by that is that you should first care about functionality and that security is somewhat irrelevant because it doesn't help you in...

Webcast

The Most Valid Wins of IAM

Keynote at the European Identity Conference 2010 by Jackson Shaw, Active Directory, Identity Management Expert, Quest Software

Webcast

IAM into the Cloud: Improving Security with Cloud and Collaboration Technology

Keynote at the European Identity Conference 2010 by Tim Dunn, Vice President - Security Business Unit, CA

Webcast

Security, Automatization and Management Essentials for the Cloud

Keynote at the European Identity Conference 2010 by Richard Sharp, Director of Software Production, XenServer Group, Citrix Systems

Blog

European Identity Conference 2010

EIC 2010 has ended. And like each year, there are some interesting observations. I'll take three of them: The "classical" IAM topics like provisioning or E-SSO are well understood now - and extended. Federation becomes reality. The cloud impacts IAM - and vice versa. Topics like provisioning and E-SSO were discussed mainly in the many "Best Practice" sessions. There are many implementations out there. Several of them use MSSPs (Managed Security Service Providers) or other Saas-/Cloud style types of deployment. And they are increasingly integrated with other IT infrastructure elements...

Webcast

An Information Society Perspective on Electronic Identity Management

Keynote at the European Identity Conference 2010 by Dr. Dirk van Rooy, Head of Sector, Trust and Security, European Commission, DG Information Society and Media

Webcast

Follow the Money: How Cloud Providers' Business Needs Drive Enterprise Identity & Security

Keynote at the European Identity Conference 2010 by Dale Olds, Distinguished Engineer, Novell

Webcast

Identity in the Cloud – Finding Calm in the Storm

Keynote at the European Identity Conference 2010 by André Durand, Founder & CEO, Ping Identity

Webcast

On Cloud 9 or Lost In (that) Space

Keynote at the European Identity Conference 2010 by Prof. Dr. Eberhard von Faber, Security Strategy and Executive Consulting, T-Systems

Webcast

Extending the Principles of Service-Oriented Security to Cloud Computing

Keynote at the European Identity Conference 2010 by John Aisien, Vice President of Product Management, Oracle Corporation

Webcast

The Role as a Role Model

Keynote at the European Identity Conference 2010 by Niels von der Hude, Senior Manager, Beta Systems Software

Webcast

Trust in the Cloud

Keynote at the European Identity Conference 2010 by John Hermans, Associate Partner, KPMG

Webcast

Next-Generation Provisioning: A Governance-based Approach

Keynote at the European Identity Conference 2010 by Darran Rolls, Chief Technology Officer, Sailpoint

Webcast

National ID Documents Driving eApplications / eBusiness

Keynote at the European Identity Conference 2010 by Sabine Erlinghagen, Vice President & General Manager Identity Management & Biometrics, Siemens IT Solutions and Services

Webcast

The Need of Preconfigured Business Processes for Identity Management and IT Compliance

Keynote at the European Identity Conference 2010 by Peter Weierich, Völcker Informatik

Webcast

Federated Directory meets Minimal Disclosure: Mortal Enemies or Soul Mates?

Keynote at the European Identity Conference 2010 by Kim Cameron, Chief Architect of Identity in the Security Division, Microsoft

Webcast

Six Sigma For the Secure Cloud-Equip the Enterprise for Success

Keynote at the European Identity Conference 2010 by Gerry Gebel, President, Axiomatics Americas

Webcast

Convergence: Better Control, Lower Cost

Keynote at the European Identity Conference 2010 by Dave Kearns, Identity Expert & Writer, Network World

Webcast

Interview with Fernando García, Symlabs

Felix Gaehtgens interviews Fernando García at the European Identity Conference 2010

Webcast

Interview with Nishant Kaushik, Oracle

Felix Gaehtgens interviews Nishant Kaushik at the European Identity Conference 2010

Webcast

Interview with Dr. Dirk van Rooy, European Commission

Felix Gaehtgens interviews Dr. Dirk van Rooy at the European Identity Conference 2010

Webcast

Interview with Priska Altorfer, wikima4 AG

Martin Kuppinger interviews Priska Altorfer at the European Identity Conference 2010

Webcast

Interview with Kim Cameron, Microsoft

Felix Gaehtgens interviews Kim Cameron at the European Identity Conference 2010

Webcast

Interview with Sabine Erlinghagen, Siemens

Tim Cole interviews Sabine Erlinghagen at the European Identity Conference 2010

Webcast

Interview with Matthew Gardiner, CA

Felix Gaehtgens interviews Matthew Gardiner at the European Identity Conference 2010

Webcast

Interview with Gerry Gebel, Axiomatics

Felix Gaehtgens interviews Gerry Gebel at the European Identity Conference 2010

Webcast

Interview with Lorenzo Mastropietro, Piaggio

Felix Gaehtgens interviews Lorenzo Mastropietro at the European Identity Conference 2010

Webcast

Interview with Nick Nikols, Novell

Felix Gaehtgens interviews Nick Nikols at the European Identity Conference 2010

Webcast

Interview with Prof. Dr. Eberhard von Faber and Dr. Michael Pauly, T-Systems

Felix Gaehtgens interviews Prof. Dr. Eberhard von Faber and Dr. Michael Pauly at the European Identity Conference 2010

Webcast

Interview with Jackson Shaw, Quest Software

Martin Kuppinger interviews Jackson Shaw at the European Identity Conference 2010

Webcast

Interview with Peter Weierich, Völcker Informatik

Martin Kuppinger interviews Peter Weierich at the European Identity Conference 2010

Webcast

European Identity Awards 2010

European Identity Awards ceremony during the European Identity Conference 2010. May 5, 2010 in Munich, Germany.

Webcast

European Identity Conference 2010 Opening keynote

Opening keynote at the European Identity Conference 2010 by Tim Cole and Martin Kuppinger, Kuppinger Cole

Blog

Outstanding projects and initiatives in Identity Management honored

European Identity Award for outstanding projects, innovations and advancements in the field of digital identity management was presented by the analyst group Kuppinger Cole at a festive ceremony at the European Identity Conference 2010, the leading European venue for Identity and Access Management (IAM) and Governance, Risk Management and Compliance (GRC) in Munich. Awards were given in six categories. Besides the award for “best innovation” in IAM or GRC, the categories include best program or initiative in internal projects, B2B, B2C, Cloud Computing and eGovernment/eHealth. Vendors,...

Product Report

Product Report: wikima4 mesaforte

Mesaforte is a product of the Swiss firm wikima4. The product arose out of experiences from numerous projects. A series of customers has licensed it and it is being advanced within the scope of regular product development. By now, the solution, originally geared toward monitoring the security of SAP infrastructures, has a greater functional breadth. It targets the control and monitoring of access authorizations, security events, and configuration settings in SAP environments and other systems. The current version, 3.0, has a three layer architecture with a web client, in which to begin...

Advisory Note

A Review of Cloud Business Models and Demonstrations in Finance and Health Clouds

By Victor Chang, Gary Wills and David De Roure. This paper reviews current cloud computing business models and presents proposals on how organisations can achieve sustainability by adopting appropriate models. Using the Jericho Forum's Cloud Cube Model (CCM), we classify cloud computing business models into eight types: (1) Service Provider and Service Orientation; (2) Support and Services Contracts; (3) In-House Private Clouds; (4) All-In-One Enterprise Cloud; (5) One-Stop Resources and Services; (6) Government funding; (7) Venture Capitals; and (8) Entertainment and Social...

Advisory Note

Business Report: GRC Market Structure

GRC stands for Governance, Risk Management, Compliance. It is used to describe Information Technology which supports these specific business requirements. This report provides a segmentation of the overall GRC market with its different elements, from the C-level dashboards down to technical elements which are required to provide information for automated controls and the automated remediation in case that defined thresholds of controls aren’t met. The core elements are Business GRC Operational GRC Generic IT GRC and CCM (Continuous Controls Monitoring) Specialized IT...

Vendor Report

Vendor Report: Passlogix

Passlogix is a software vendor which started in the field of E-SSO (Enterprise Single Sign-On) in 1996 and established itself as one of the leading vendors in that particular segment. The company has a significant direct and partner sales channel. In addition, Passlogix has built on the OEM channel. Oracle is still an OEM of Passlogix, but Passlogix is doing the major part of its business with end customers and through other channels, including solution providers and technology partners. Passlogix has expanded its portfolio amongst the core E-SSO solutions but with tight integration of...

Product Report

Product Report: wikima4 mesaforte

Mesaforte is a product of the Swiss company wikima4. The product arose as a result of experience from numerous projects, has been licensed by a number of customers and is being advanced as part of regular product development. The solution, originally geared toward security monitoring of SAP infrastructures, now has greater functional breadth and targets the control and monitoring of access authorizations, security events and configuration settings in SAP environments and other systems...

Product Report

Product Report: Engiweb IDEAS

Engiweb is one of the European vendors in the IAM and GRC space, based in Italy. The company is owned by Engineering Ingegneria Informatica, the largest system integrator in Italy with operations as well in some other countries. Engiweb is a one-product company, entirely focusing on their platform IDEAS which is built around role management, authorization management, and other features. The product is, in the Kuppinger Cole notion, best positioned as part of the market segment of Access governance platforms but with additional support for Entitlement Management. Engiweb is, from our...

Advisory Note

10 Top Trends 2010

As in the past years, Kuppinger Cole has worked out 10 Top Trends in IAM (Identity and Access Management) and GRC (Governance, Risk Management, Compliance). These are complemented by 10 Top Trends in Cloud Computing. The most important trends are, from our perspective, an increasing level of Business-IT-Alignment and the evolution towards hybrid IT environments based on a well-managed mix of internal as well as external IT services.

Advisory Note

The Top Ten Trends 2010

As every year, the analysts at Kuppinger Cole have again worked out the ten most important trends in the market for Identity and Access Management (IAM) and for Governance, Risk Management and Compliance (GRC). This year, the Top Ten Trends in Cloud Computing are added for the first time. At the top of the three lists, in our opinion, are even closer cooperation between operational business units and IT (so-called “Business-IT-Alignment”) and the step-by-step introduction of hybrid environments based on well-coordinated internal...

Press Release

Article on the "Top Trends 2010 in IAM, GRC and Cloud Computing" from Martin Kuppinger available

Duesseldorf, April 26th, 2010 - Once a year, Martin Kuppinger, co-founder and principal analyst at Kuppinger Cole, produces a list of Top Trends in Identity and Access Management. At this year’s European Identity Conference (EIC 2010), he will present an expanded list of trends covering the additional fields of GRC (Governance, Risk Management, Compliance) and Cloud Computing. The two most important trends, according to Mr. Kuppinger, will be an increasing level of Business-IT-Alignment and the development of hybrid environments based on a well-managed mix of internal and...

Webcast

Information Security and Governance for Microsoft SharePoint Environments

Kuppinger Cole Webinar recording

Vendor Report

Vendor Report: RM5 Software

RM5 Software is a Finnish software vendor which provides software for managing entitlements in applications for internal and external applications, provided on-premise or in SaaS deployment models. In contrast to identity provisioning products, the main focus is not on users and their attributes but on the authorizations or entitlements these users have in particular systems. The second important feature is that RM5 Software from the very beginning has focused on supporting on-premise and SaaS deployments and on supporting external and internal applications, thus covering all variants of...

Product Report

Product Report: Beta Systems Software AG SAM Enterprise Identity Manager v1.1

The Beta Systems Software AG SAM Enterprise Identity Manager belongs in the category of enterprise provisioning systems. Its core functionality is the structured, automated and traceable synchronization of identity information between different systems, based on defined processes and connectors to the target systems. As is now common for provisioning solutions, it also includes functions for user self-service, delegated administration and password management. In addition, configurable workflows...

Product Report

Product Report: Aveksa Enterprise Access Governance Platform

The Aveksa 4.0 Enterprise Access Governance Platform is a significant step beyond its predecessors. The new version is much stronger in its support of preventive controls and the management of access controls, by using existing tools and manual requests to operators for platforms without technical integration. This is a significant step forward beyond the detective approach which was at the centre of the earlier product version. Besides this, there are significant improvements around rules, role mining, and other important product features. Aveksa has implemented these changes based on...

Webcast

One Entitlement Management For All - How to Manage All Users, Services, and Service Providers

Kuppinger Cole Webinar recording

Blog

Why enterprises shouldn’t economize on IT security

We’ve all been there before: helpdesks deluged by calls from irate users, constant complaints about buggy apps, complicated login procedures or passwords no one can remember. Much-overdue investments in security patches and updates for heirloom software have to be postponed time and again because maintenance and support eat up all the money, and still the boss is under pressure to tighten the belt another notch by slashing the IT budget yet further. And after all: Isn't IT supposed to be all about reducing costs? What about all those productivity gains and slick business processes? Yes, but...

Blog

Why we need claims in Windows

Microsoft has introduced the concept of claims-based security with its "Geneva" project. Claims are sort of attributes which are provided by identity providers in the form of tokens and consumed by applications. In fact they are one way to make federation easier and more user centric. "Geneva" provides the tools at all levels to work with claims. The concept of claims is used by some other groups at Microsoft and we probably will see several Microsoft applications with support for claims within the next months. However, the biggest impact might be on the Windows operating system itself....

Press Release

Article on the “new German digital ID card – nPA” from Martin Kuppinger available

Duesseldorf, April 19th, 2010 - Martin Kuppinger, co-founder and Principal Analyst at Kuppinger Cole, has written an article about the new German digital ID card in which he discusses the security and usability issues as well as the “pseudonymity” feature that will soon be introduced with the “neuer Personal-Ausweis”, or “ePA”. His conclusion is that, far from creating transparent “glass” customers or citizens, the nPA will instead be a big step forward, ushering in a new era of information security as well as a wealth of new and...

Webinar

Apr 26, 2010: Information Security and Governance for Microsoft SharePoint Environments

In this webinar, we will look at the SharePoint Security and the SharePoint Security Add-On market, with specific focus on what you need to fulfill the GRC requirements in SharePoint environments and how to do that integrated with other information systems.

Webinar

Apr 21, 2010: One Entitlement Management for all – How to Manage all Users, Services, and Service Providers Consistently

As IT is becoming more and more hybrid, we will discuss in this webinar the trends, the changes, and approaches for a holistic entitlement management across different types of applications.

Webcast

Access Governance: Implement Processes, Reduce Business Risks

Kuppinger Cole Webinar recording

Blog

There is more than automation

I've done several webinars around changing architectures for Identity Provisioning and Access Governance during the last few months. And new architectural approaches for Provisioning have been an important topic at the EIC for years. I've also written a report on Access Governance architectures recently. That is no surprise. Provisioning has to integrate with IT Service Management in some way. It has to support the standard systems where automation is key as well as other systems which either don't support automation interfaces (unfortunately there are several apps out there which don't...

Product Report

Product Report: SAP Business Objects GRC Access Control

The SAP BusinessObjects GRC Access Control (in short AC) solution is a powerful set of tools that help to automate risk analysis and mitigation for user and authorization management in SAP and non-SAP systems. It is a strong product for the SAP ABAP world, and is able to cover non-SAP systems using real-time adapters from Greenlight. It covers a substantial subset of the overall GRC requirements – it provides a leading-edge solution for SAP environments, which are at the centre of many IT environments and is able to perform as a realtime cross-platform solution. The core of the...

Press Release

Save the date: European Identity Conference 2010

Duesseldorf, April 12th, 2010 - The European Identity Conference 2010 (EIC) will take place from May 4-7, 2010, in Munich. Now in its fourth year, Kuppinger Cole's flagship event is the place to meet with thought leaders, experts and decision makers to learn about, discuss and shape the market in most significant technology topics such as Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. For the first time CLOUD 2010 will be co-located with EIC 2010. With its world class list of speakers, a unique mix of best practice presentations, panel...

Press Release

Save the Date: European Identity Conference 2010

Düsseldorf, April 12, 2010 - The European Identity Conference (EIC) 2010 takes place in Munich from May 4 to 7, 2010. At Kuppinger Cole's annual event, which is being held for the fourth time this year, analysts and thought leaders of the industry meet with IT experts and decision makers to learn about the latest trends and to discuss and shape the market around Identity Management, Governance, Risk Management and Compliance (GRC) and Cloud Computing. For the first time, the events CLOUD 2010 and Mittelstandsdialog...

Blog

Gemalto invests in Strong Auth Tokens

Just recently my Strong Authentication report has been published and now there is one vendor less in the scope: French-American card and token giant GEMALTO announced that it acquired the niche player TODOS: http://www.todos.se/index.php/media/archives/gemalto_acquires_e-banking_specialist_todos_ab/ Todos has some very interesting tokens, but I am pretty sure that Gemalto was just after Todos' IP around online-banking security. Unknown to most of the world, it is Todos (or now Gemalto) that owns the technology that secure online banking solutions are based upon. Hopefully, Gemalto does...

Press Release

Article on "Neuer Personalausweis (New ID Card) – Why the nPA Will Be a Success" by Martin Kuppinger available

Düsseldorf, April 7, 2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of the "Neuer Personalausweis" (new ID card). In this article, Martin Kuppinger deals extensively with the security discussion, the usability and the pseudonymity of the nPA; he also addresses what the new ID card still lacks in order to be optimally usable. Mr. Kuppinger emphasizes that, all in all, the nPA can not only be an important innovation for information security and probably also...

Blog

Protecting the “I” in “IT”

Companies spend substantial sums on IT security, but for some reason it seems they aren’t getting much bang for their bucks. The reason, of course, is that they are putting them in point solutions instead of investing them in clear and proven strategies. By definition, point solutions are meant to solve one particular problem without regard to any related issues. They provide a quick fix for a certain problem or a fast track to implementing a new service, but they don’t solve the overall issue. Take SAP security, for instance: If you don’t protect your database and the...

Press Release

Article on "Identity Management for the cloud – taking the next step" from Martin Kuppinger available

Duesseldorf, March 31st, 2010 - Martin Kuppinger, co-founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of "Identity Management for the Cloud" in which he explores the reasons why companies and organizations must ask themselves if their Identity and Access Management (IAM) systems are capable of handling not just internal users, but external ones as well: suppliers, partners and above all customers. Such comprehensive systems will increasingly become necessary as parts of corporate IT, especially services and data, become cloud-born. Here,...

Press Release

New Technology Report on Access Governance Architectures from the analyst group Kuppinger Cole available

The analyst group Kuppinger Cole presents its new Technology Report Access Governance Architecture. Düsseldorf, March 31, 2010 - The new Kuppinger Cole report presents different approaches to Access Governance architectures. Over the past two years, Access Governance has become one of the most important topics in IT security, Identity and Access Management (IAM), and Governance, Risk Management, Compliance (GRC). Access Governance is about controlling access rights to systems and information in such a way that the policies...

Blog

Strong authentication as business development

In my recent post on versatile authentication I touched on the topic of national eID cards. Some two weeks ago, I did a presentation on eID interoperability from a private perspective. I started with the question about why strong authentication technologies are still not widely used. The vendors might claim that they are, but in fact we still mainly rely on weak approaches like username/password, PINs, PIN/TAN, and so on. One reason for that is that approaches which are reusable need a sponsor. Many companies in eBanking, eCommerce, and other areas understand the need for strong...

Vendor Report

Vendor Report: Cyber-Ark

Cyber-Ark has established itself as one of the leading vendors of Privileged Access Management (PAM) solutions and offers one of the most functionally comprehensive products in the market. In addition, Cyber-Ark is active in the field of secure file transfer for secure document handling. The company was founded in 1999 and is investor financed. Its flagship product is the Cyber-Ark Privileged Identity Management (PIM) Suite. The terms PIM, PAM and PUM (Privileged User Management) are often used synonymously, but KuppingerCole prefers the PAM designation. Whatever name is used, this is...

Webcast

Managing Cloud Security and Cloud Risk

Kuppinger Cole Webinar recording

Webcast

Identity, Security, Governance for the Cloud - Who is Who? A Market Overview

Kuppinger Cole Webinar recording

Webcast

Cloud Management - Sufficient to Mitigate Security Risks?

Kuppinger Cole Webinar recording

Webcast

The Internal Cloud - What Are the Risks Involved And How to Avoid Them?

Kuppinger Cole Webinar recording

Webcast

Cloud Computing Standards - Which Ones Are Already There And Which Ones Are Missing?

Kuppinger Cole Webinar recording

Webcast

Cloud Computing - is it Really a Risk?

Kuppinger Cole Webinar recording

Webcast

Beyond Simple Attestation - How to Really Keep Your Access Under Control

Kuppinger Cole Webinar recording

Blog

Is an insecure smart planet really smart?

There is a lot of talk about making our planet smarter. Despite being far too much fiction, the film "Die Hard 4.0" has touched on some of the potential risks around this. I recently had a very interesting discussion with a forensic/incident expert from the US. We've discussed several issues and ended around the idea of this "smarter planet" and the "smart grid" as one of its most prominent elements. Per se, the idea of having a networked infrastructure in many areas, with a high degree of flexibility and increased service availability is as appealing as inevitable - things will go that...

Advisory Note

Technology Report: Access Governance Architectures

Access Governance is about the governance and management of access controls in IT systems and thus about mitigating access-related risks. These risks include the theft of information, fraud through changing information, and the abuse of IT systems for example in banking for illegal actions, to name just a few. The large number of prominent incidents within the last few years proves the need to address these issues – in any industry. There is an increasing number of tools for Access Governance. However, the implementation has to be well thought out, given that there are many different...

Webcast

Making Security Stronger Yet Easier to Use

Kuppinger Cole Webinar recording

Press Release

Article on "Identity Management for the Cloud Too – the Next Step" by Martin Kuppinger available

Düsseldorf, March 18, 2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of "Identity Management for the Cloud". In this article, Martin Kuppinger addresses the need not to restrict the existing Identity and Access Management (IAM) to internal users only, but also to include customers and suppliers in the IT processes. Mr. Kuppinger emphasizes that a functioning IAM that integrates both internal and external users and systems, the...

Blog

Myths about Cloud Security

There are so many myths out there about Cloud Security - time to start putting them away... The cloud is inherently insecure. No, not really. There are providers which deliver a high level of security. The cloud can be more secure than internal IT, given that services are frequently operated very professionally. The cloud is more secure than the internal IT. No, that is not true either. The cloud is neither secure nor insecure. It is about the single service which might be more or less secure. And it always depends on what you compare with, e.g. how strong security in the existing internal environment...

Blog

Measuring the real costs of identity theft

One of the best-held secrets in the German credit card industry was inadvertently revealed last night at an informal press dinner hosted by Bayern Card Services, an acquirer jointly operated by Bayerische Landesbank and the Bavarian community-owned savings and loan banks (“Sparkassen”). Asked just how much money banks were losing from credit card fraud, Monika Kummer, head of risk management for BCS, blurted out a figure of between 0.2 and 0.3 percent of total card turnover. When pushed for further details, she clammed up, but the genie was already out of the bottle. After that, the math...

Workshop

May 04, 2010: EEMA Public Workshop: Cloud Computing Services

This Cloud Computing introduction and tutorial is invaluable for delegates who wish to learn and increase their knowledgebase. It is aimed at all stakeholders who have an influence on policy and the impact on commercial and business applications and services.

Vendor Report

Vendor Report: Cyber-Ark

Cyber-Ark has established itself as one of the leading vendors in the area of Privileged Access Management (PAM) and currently probably has the greatest functional breadth in the market. In addition, the company offers solutions for the secure transfer of files and the handling of sensitive documents. The company was founded in 1999 and has been financed by investors. The core product is the Cyber-Ark Privileged Identity Management (PIM) Suite. PIM is another term for what KuppingerCole calls PAM...

Press Release

New Market Overview Strong Authentication Report from the analyst group Kuppinger Cole available

The analyst group Kuppinger Cole presents its new report Market Overview Strong Authentication. Düsseldorf, March 11, 2010 - The new Kuppinger Cole report provides a comprehensive overview of the solutions available on the market for hardware/token-based strong authentication and places these solutions within an overall structure for strong, flexible (versatile) authentication as well as within authentication strategies through which an optimized use of technical approaches to strong authentication only...

Product Report

Product Report: Axiomatics Policy Server and Policy Auditor

This product report covers the Axiomatics Policy Server and the accompanying Policy Auditor. These products fall into the category of Entitlement Management solutions. They use the XML-based XACML standard – Extensible Access Control Markup Language – to define authorisation policies and make access control decisions. Agents are available for the Java and .NET platform that work together with the Policy Server in order to enforce the policies. Axiomatics has distinguished itself from other vendors in this space by focusing on a solution that consistently implements and...

Blog

Versatile authentication - break-through for mass adoption of strong authentication?

Versatile authentication is one of the hot topics in IT - more and more vendors start to support it in some way or another. Versatile, a not that common term, means the ability to flexibly switch between different authentication methods. In practice, versatile authentication solutions shall support at least the following features: Flexible use of different authentication methods. Simple plug-in of additional authentication methods, e.g. extensibility. Flexible interfaces for applications OR integration with existing technologies which interface with other apps. Support for step-up...

Webinar

Apr 15, 2010: Access Governance: Implement Processes, Reduce Business Risks

As the demand for user access increases, IT security organizations run the risk of not being able to meet the needs of the business for timely and compliant delivery of access. In this webinar, you will learn, how operational efficiencies in access administration can be achieved while enabling sustainable compliance with regulatory requirements.

Webinar

Mar 26, 2010: Managing Cloud Security and Cloud Risk

Martin Kuppinger will discuss in this presentation risk-based approaches to manage cloud security. The issue, from his perspective, isn’t that the cloud is inherently insecure. The real issue is to deal in an appropriate way with the specifics of the cloud – which includes not only security but also related issues like availability. In this presentation, Martin Kuppinger will talk about aspects like authentication and authorization in cloud environments, cross-cloud governance approaches and the specific issues around changing providers. He will also highlight his view that risk and...

Webinar

Mar 26, 2010: Identity, Security, Governance for the Cloud – Who is Who? A Market Overview

There is an increasing number of offerings around Identity Management, Cloud Security, and Cloud Governance in the market. Some of these are well-known and established, others are new. Martin Kuppinger will provide an overview of the different elements of cloud security (for private, hybrid, and public clouds) and a structuring of that emerging market(s). This presentation provides insight into what is there and what is missing from a KuppingerCole perspective.

Webinar

Mar 26, 2010: Cloud Management – Sufficient to Mitigate Security Risks?

There is an increasing number of tools to manage cloud environments. Some are, in fact, more tools to manage virtualized environments, whilst others focus more on service management issues. More and more of these tools promise to support hybrid environments as well. However the question arises whether security is covered sufficiently by these tools. The panel will discuss the state of cloud management with respect to the security requirements.

Webinar

Mar 25, 2010: The Internal Cloud – What are the Risks Involved and how to Avoid them?

Many companies say that they tend to start with a “private” cloud instead of going to the “public” cloud. Besides the question whether hybrid IT environments aren’t reality today, this panel will discuss the specific security risks of internal clouds, especially around the changes from physical to virtual environments, but also with respect to more loosely coupled IT environments and their new threats – which are in fact not that new, given that we have some experience with loosely coupled environments from SOA.

Webinar

Mar 25, 2010: Cloud Computing Standards - Which ones are Already there and which ones are Missing?

There are many standards out there for the cloud. SAML (Security Assertion Markup Language) for federation, SPML (Service Provisioning Markup Language), and many others. But there are as well many standards missing, either directly related to security or in some relation to security – like service management standards, given that SLAs (Service Level Agreements) and service descriptions are a key for measuring service fulfillment and thus managing risk and security issues. Obvious shortcomings are in the field of governance and auditing. In this panel, several experts will discuss the state...

Webinar

Mar 25, 2010: Cloud Computing – is it Really a Risk?

Cloud Computing is frequently discussed mainly as a security risk. However, there is also the view that the cloud is or might be more secure than on-premise IT solutions. Martin Kuppinger will look at the risks of cloud computing and the current status, and outline the points which you should look at when considering a move to the cloud or moving additional services to the cloud. In contrast to most other information on that topic available today, the presentation will also look at solutions for these issues – some will be discussed in detail here, some in the closing keynote.

Blog

The business of business is trust

Who's pulling the cart on data protection? At least in Germany, that has traditionally been government's role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services' decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world. So it may come as a surprise to hear a...

Advisory Note

Market Overview Strong Authentication

For companies and their employees as well as for online services and their customers respectively, authentication with username and password is no longer considered bearable. The multitude of user accounts and the increasing complexity that passwords are expected to have simply brought this mode of authentication to a point where users and administrators are no longer able to cope with it. Be it the increased level of security, a.k.a. authenticity, required by the service provider, or compliance requirements: other means of authentication are necessary to keep up with future system...

Blog

Can authentication be both strong and flexible?

Whether you want to place a bid at eBay, check your bank balance online or your credit rating at Schufa or Experian, or access your corporate SAP account: Instead of asking you to please enter your user name and password, chances are the system nowadays will demand some other method of authentication like a token or a smartcard, or it may offer to scan your finger or iris. The procedures may differ, but the reasons behind them are the same: Companies want to protect themselves from rampant online fraud. And it's not just banks that are starting to deploy so-called "two-tier" or...

Press Release

Article on "Cloud Computing – a Security Risk?" from Martin Kuppinger available

Duesseldorf, March 4th, 2010 - Martin Kuppinger is Co-Founder and Principal Analyst of Kuppinger Cole. He has written an article entitled “Cloud Computing – a Security Risk?” in which he explores the various and often conflicting definitions of the “Cloud” before turning to the complicated, but vitally important question of cloud security. According to Mr. Kuppinger, cloud computing is at best a “calculated risk”, at least as long as certain strategic preconditions are met, which he describes in detail.

Blog

Back to the basics - you still need "core IAM"

In these days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management.  And, even more: That's the foundation for many of the other things like Access Governance, because it's not only about auditing but as well about managing (and, honestly, it's much more about managing and enforcing preventive controls than of auditing in a reactive way, isn't it?). Thus, you shouldn't ignore Identity...

Blog

Why IPv6 might benefit from European and German privacy regulations

Yesterday, the German Federal Constitutional Court declared the German law on "Vorratsdatenspeicherung" illegal. That wasn't a real surprise, given that this is overall well aligned to other decisions of the Federal Constitutional Court. Two interesting annotations: There were some 35,000 plaintiffs against this law. And the German Minister of Justice, Sabine Leutheusser-Schnarrenberger, was amongst them. She started the lawsuit when being in opposition - right now she had the interesting situation that there was a lawsuit by her against Germany, represented by her - so she would have...

Webinar

Mar 24, 2010: Beyond Simple Attestation – How to Really Keep Your Access Under Control

Attestation should not be a point solution, but an element within a larger information security architecture. In this Webinar, we will talk about where access certification is today and what is changing – and what has to change. We will describe maturity levels with respect to access certification and will focus on the relationship to risk management and to overall IT governance.

Press Release

Article on "Business and IT not working together? IT is not always to blame!" by Martin Kuppinger available

Düsseldorf, March 1, 2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of "Business-IT Alignment: What the Business Has to Learn". In this article, Martin Kuppinger not only deals with the developments in and expectations of IT in order to support the business adequately, but also addresses what has to change on the side of the operational departments in the company for better interaction between IT and business. Mr. Kuppinger emphasizes in his remarks that...

Blog

Microsoft releases its privacy-enabling U-Prove technology

Microsoft has just announced the availability of U-Prove - an innovative privacy-enabling technology that it acquired almost exactly two years ago. This is a significant announcement, because of two reasons: first of all, the technology is in our opinion a gigantic enabler for many applications that have been held back because of privacy concerns, and second because Microsoft is releasing the technology to the world under its "Open Specifications Promise", allowing anybody to use and incorporate the technology royalty-free. With the U-Prove technology, users can release authenticated...

Webinar

Mar 18, 2010: Making Security Stronger Yet Easier to Use

While companies are moving toward growth in 2010, IT budgets are still under intense scrutiny. IT departments are being asked to keep their networks and applications secure, often with reduced funds, without weighing end users down with policies and time-consuming procedures. In this webinar we will discuss frequently unseen and very significant savings potential through connecting enterprise SSO and strong authentication with your existing infrastructure.

Blog

What business has to learn so that IT can align

We're talking a lot about the need for IT to align with business. But it's not about a one way road. There is no doubt that IT has to think much more "business". Risk focus (here and here), performance management, the understanding of IT as Information Technology instead of Information Technology, the path towards an ERP for IT,... I think that many CIOs and CISOs are well aware of this and many of them are working towards that goal. However, if I look at the business side, it appears to me that IT still is somewhat ignored when it is about alignment. Two examples out of many from my...

Blog

Barcelona Deja-vu

It’s the phone industry’s dirty little secret: As humble “handys” (as Germans quaintly persist in calling mobile handsets) morph themselves into miniature editions of full-fledged computers, the danger of their being attacked by hackers or compromised by malware is growing, cancer-like and unseen. And while many people were discussing security issues at this year’s GSMA Mobile World Expo in Barcelona, they did so mostly in a whisper. This was in contrast to the brazen self-promotion on display everywhere else on the Montjuïc fairgrounds where the operators, designers, manufacturers...

Blog

Ever had trouble securely sharing data with business partners?

Coming from a network security background, for me “IPSec 3DES VPNs” seemed to be the solution for secure data transfer between business partners for quite a long time. Over the years, with more experience, I naturally found out that this was not the solution for all use-cases and scenarios these crazy folks called “customers” came up with. Nonetheless, when SSL-VPNs became en-vogue I hesitated to join the choir of supporters. While I fully understand and support the idea of a more flexible, more application or user-centric approach due to the gain in usability, I still love my “old VPN...

Blog

Gerry Gebel joins Axiomatics

My friend Gerry Gebel, long time Burton Group analyst, is joining Axiomatics to ramp up the company's US presence. I received an email from him that started by saying "I thought I would give you a nice surprise on a Saturday morning"... and indeed what a surprise that was! I can definitely understand Gerry's choice for Axiomatics. The company is new, up and coming, full of very smart people and way ahead of everyone else in the area of authorisation/access management. Axiomatics comes at the top places in my own personal "favourite innovative companies" list, together with Unbound ID, the...

Blog

GRC and IT Security - where is the link?

GRC became one of the really hot topics in business and IT, especially in larger organizations, over the course of the last few years. However, there is a lot of confusion about the terms associated with GRC. In many organizations, few people have a clear view of what GRC involves and requires, and few organizations have an organizational structure for GRC with clearly defined responsibilities. Of these organizations, many have limited their GRC initiatives either to some aspects like “business only”, “risk only” or “IT only”. Virtually every organization has an IT security department. Few...

Workshop

May 04, 2010: Kantara Initiative Public Workshop: Making the World Safe for User-Managed Access

This workshop will review User Managed Access (UMA) benefits, use cases, progress to date, and next steps. It is co-located with the European Identity Conference. Registration for the workshop is free.

Blog

Approaches to secure your data in databases

Last week I had an interesting briefing with IBM regarding their Guardium acquisition. With that acquisition of a company specialized in database security, IBM becomes the second large vendor investing in that area, following Oracle who has Database Security products in its portfolio for some years now. The IBM/Guardium deal fits pretty well in the current time, when looking at the increasing problem of information theft. Besides IBM and Guardium there are some smaller vendors in that market which I will cover in another post near-time. IBM Guardium, in contrast to the Oracle approach, is...

Blog

What you could do with stolen data - a squib

Last week, the German health insurance company BKK had to unveil a severe information leak. The company has been blackmailed because someone had stolen masses of sensitive patient records. Besides the fact that the way that this happened shows an astonishing carelessness when dealing with IT security and privacy at the BKK and raises many questions (see below), there are some interesting new options for the German government to work with this data. You could for example take such patient records and combine them with the recently acquired stolen data from Switzerland about potential tax...

Blog

Identity Management is key to Smart Grid Security

In 10-12 years from now, the whole Utilities and energy market will look dramatically different. Decentralization of energy production with consumers converting to prosumers pumping solar energy into the grid and offering  their electric car batteries as storage facilities, spot markets for the masses offering electricity on demand with a fully transparent price fixing (energy in a defined region at a defined time can be cheaper, if the sun is shining or the wind is blowing strong), and smart meters in each home being able to automatically contract such energy from spot markets and then...

Press Release

Article on "Cloud Computing – a Security Risk?" by Martin Kuppinger available

Düsseldorf, February 16, 2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of "Cloud Computing – a Security Risk?". In this article, Martin Kuppinger first deals with the definition of the term "Cloud Computing" and then turns to the security aspect. Mr. Kuppinger emphasizes in his remarks that cloud computing does represent a calculable risk, provided that some strategic conditions are met. These conditions...

Press Release

Article on data theft and insider attacks from Martin Kuppinger available

Duesseldorf, February 16th, 2010 - Martin Kuppinger, co-founder and Principal Analyst at Kuppinger Cole, has just written a new article on data theft and insider attacks in which he describes the associated problems and risks and describes tactical and strategic measures to avoid them. According to Mr. Kuppinger, unprotected data and subsequent data leakage remain a major hazard in most organizations today. He also discusses ways and means for reducing information-related risks from both within and without. The article runs to approximately 1,100 words and can be made available to...

Blog

EIC 2010 Keynote: The Irreversible Collision of Technology and Business Risk - from Drew Bartkiewicz

Drew Bartkiewicz, Vice President at The Hartford E&O, Cyber and New Media Liability, just joined the EIC 2010 speaker lineup and will give a keynote on "Unseen Liability - The Irreversible Collision of Technology and Business Risk". Drew also just has written a book with the same title, which will be published in May.

Blog

"Cloud-readiness" – What it means for software developers

Everybody’s up in the air about clouds, but few seem to really know where they’re heading. Most existing applications aren’t ready for the cloud quite yet, especially since the realization seems to be sinking in that building security into the cloud is no trivial pursuit. Cloud computing is about to change the way software is written. Till now, applications were programmed with scant regard to what they would actually be deployed for later. After all, isn’t that what operating systems are for? But now, in today’s world of cloud excitement (or should we say cloud hysteria?) every...

Blog

Once again a great speaker lineup - EIC 2010 Agenda Preview

Once again, we are very lucky at Kuppinger Cole that so many excellent experts from all over the world forward their speaker proposals for the European Identity Conference (EIC), which this year will take place on 4th to 7th May, again in Munich (we will move to a new venue next year!). The agenda is still in draft mode and many things yet have to be added or modified, but if you want to have a first look, even before it is officially published, here is the link: http://www.id-conf.com/events/eic2010/agenda. Some very exciting and controversial strategic views, like for example Munich Re...

Press Release

Article on data theft by Martin Kuppinger available

Düsseldorf, February 10, 2010 - Martin Kuppinger, founder and Principal Analyst at Kuppinger Cole, has written an article on the topic of data theft. In this article, Martin Kuppinger describes the problem and the associated risks and addresses the tactical and strategic measures for avoiding data theft. Mr. Kuppinger emphasizes in his remarks that the lack of protection of information is an incalculable risk factor for companies and discusses ways in which companies protect themselves against it...

Webcast

Expanding the Reach - Identity as a Key Enabler of Customer Satisfaction through Context-aware Personalization

Kuppinger Cole Webinar recording

Webcast

From E-SSO to a Holistic Authentication- and Authorization Strategy

Kuppinger Cole Webinar recording

Webcast

Access Management Tools - can they Integrate with what you have in a Lean Way?

Kuppinger Cole Webinar recording

Webcast

Versatile Authentication - One Layer of (Strong) Authentication

Kuppinger Cole Webinar recording

Webcast

5 Quick Win Approaches to Achieve the Next Level of your IAM Infrastructure

Kuppinger Cole Webinar recording

Webcast

Provisioning and Access Governance Trends

Kuppinger Cole Webinar recording

Blog

Simplifying or over-simplifying authentication?

My colleague Jörg Resch recently blogged a lot about approaches for "lightweight" authentication and the risks associated with them. There are many companies out there with new or claimed-to-be-new approaches on more or less strong and more or less valid authentication. Whether that's the approach of isec, of GrIDsure, of Yubikey or one of the many other vendors out there, I doubt that there is the holy grail of authentication amongst them. Some of them are definitely interesting, some of them not. Many of them are interesting as one element in an authentication strategy - like GrIDsure, which...

Blog

Google StreetView and German Politics: Panem et Circenses

It has been a successful political strategy since the Roman Empire to divert the people with petty amusements instead of showing attitude. In this sense, German Consumer Minister Ilse Aigner is hitting at Google StreetView and proposes legal action against the camera cars cruising through German cities taking photos. At the same time, the same government successfully implemented a law that forces any communication provider to store all communication data for at least 6 months and make it available to government institutions without a legal warrant. The same government allows tax...

Blog

Data Leakage Prevention - Something (not only) Swiss Banks Should have a Closer Look Into

It has been in the press and Martin already wrote something in his blog about it - German tax authorities have been approached by various individuals who want to sell information about Germans who hold bank accounts at some Swiss Banks, like Credit Suisse and UBS. I don't want to go into the discussion of whether such a deal, where the government buys "stolen" data (I put it into brackets, because over here, data are not a thing and only things can be stolen) from somebody, is immoral or not. But it certainly is pushing the market for customer information, if its value becomes as visible as it...

Blog

How much security do we need?

My colleague Jörg Resch blogged today about the ignorance regarding layered security approaches. Yes, there is no absolute security. Security is something which is tightly related to risk. Given that we can't have the perfect security, especially not with people using systems, it's always about the balance between the security-imposed risk and the cost of risk mitigation. That's a very simple balance: The higher the risks are the more you can and should spend on risk mitigation - as long as risk mitigation is feasible (which is not always the case - a life insurance doesn't help you...

Blog

"Our Systems are Secure"

I love this kind of statement. It contains total ignorance of the fact, that security is not an absolute value and that it should take into account the actions of people attempting to cause damage. This time it was Hans-Jürgen Nantke, head of the German governmental trading platform for CO2 emission permits (DeHSt - Deutsche Emissionshandelsstelle), who said this, after a successful phishing attack had caused a damage of 3 Million Euros to some of the companies using this platform to trade their emission permits. Imagine - a trading platform where "real" money is being moved - with just a...

Blog

Is History-Stealing a Crime?

In my previous posts I described iSec Lab's de-anonymizer, which combines a browser's history with data from a social network (in this case Xing) to find out who is sitting behind a computer surfing the Internet. Just imagine how attractive it would be for many website owners to exactly know who is visiting their site. As it seems to be pretty simple to create such a de-anonymizer, we might soon see broad use. Therefore the question: is it allowed to run such a de-anonymizer? Well, I'm not a lawyer, but in the German Criminal Law (§ 202a StGB, Ausspähen von Daten), data theft is a...

Blog

De-Anonymizer Self-Test

Here is a screenshot from the self-test I did with the de-anonymizer described in my last post. I'm a member in 5 groups at Xing, but only active in just 2 of them. This is already enough to successfully de-anonymize me, at least if I use the Google Chrome Browser. Using Microsoft Internet Explorer did not lead to a result, as the default security settings (I use them in both browsers) seem to be stronger. That's weird!

[Figure: De-Anonymizer Test Result]

Blog

Identification through "Social Pattern Recognition"

Thorsten Holz, Gilbert Wondracek, Engin Kirda and Christopher Kruegel from Isec Laboratory for IT Security found a simple and very effective way to identify a person behind a website visitor without asking for any kind of authentication. Identify in this case means: full name, address, phone numbers and so on. What they do is just exploit the browser history to find out which social networks the user is a member of and to which groups he or she has subscribed within that social network. The combination of memberships to different groups seems to be nearly as unique as a fingerprint....

Congress

May 04 - 07, 2010: Mittelstandsdialog Informationssicherheit

Securing IT infrastructures and applications, data protection, and compliance with policies and regulations are indispensable for every company, regardless of its size. However, the methods and approaches to information security can differ considerably. The Mittelstandsdialog Informationssicherheit, which takes place at the same time and place as Europe's leading event on identity management, the European Identity Conference (EIC), offers you the opportunity to find the optimal path for your company to a sensible increase in...

Blog

German politicians argue against the German eID

Today, some influential German politicians started arguing against the upcoming German eID card in a Sunday newspaper. The eID card is planned to be available by November 1st. The main argument is that the costs of the project are increasing - there is the request for some additional 7 million Euro for advertising. The politicians claim as well that experts doubt the need for the eID card. They propose to shift the introduction to 2020. There are for sure some points with the German eID card which you can discuss. However, the arguments of these politicians just show that they don't...

Blog

Data Leakage Prevention and the Acting of the German Government

In Germany, there is these days (again) a discussion about whether the German State shall buy data about fiscal fraud. There is someone from Switzerland who offers illegally obtained data about German citizens who have transferred illegal earnings to bank accounts in Switzerland, not paying taxes for this. Germany some months ago has bought such data about bank accounts in Liechtenstein, to identify fiscal fraud and to penalize this. That leads to some highly interesting questions, and there is a political debate about whether to do that or not. It is obviously illegal to buy stolen goods...

Blog

The risk of costs

There is a constant pressure not only on IT but all areas of organizations to reduce costs. However, that frequently ends up with higher risks and potentially higher costs due to these risks. The problem is: Most organizations, especially in controlling and management, think much more about cost than risk. But cost savings (which are not necessarily negative) without a risk view are a risk - somewhat of a tautology, I know... That is why Risk Management should be a standard and central element in management, as well for business as IT. First of all: From an entrepreneurial perspective,...

Blog

Risk and Services take center stage among IT managers

Simplicity – not to be confused with oversimplification – is the key to successful management. By focusing on the critical issues of risk and services, companies can be sure they have the two most important topics covered. The concept of IT as a service has been around for quite a while, but risk isn't really on the radar screen yet in most IT departments. This is unfortunate, since risk management can be a powerful tool for decision makers within IT as well as in top management. Life is full of risks, naturally, and in IT particularly; security risks, risk of not reaching stated project...

Blog

The unsocial side of bad software architecture

Last week, there was the news that the Federal Employment Office of Germany will claim for the return of excessive payments from potentially more than a million so called "Hartz 4" recipients. What appears to be of political and social relevance, is as well interesting for IT - because it's about the negative impact of archaic software architecture. Let's start with the background. Hartz 4 stands for as well social welfare aid as unemployment aid, named after Peter Hartz, a former Volkswagen member of the board and advisor to the German government about how to change and optimize these...

Webcast

How to Easily Provide the Detailed Insight into your Systems the Auditors (and you) Need

Kuppinger Cole Webinar recording

Webinar

Feb 10, 2010: Expanding the Reach - Identity as a Key Enabler of Customer Satisfaction through Context-aware Personalization

Once an identity management infrastructure is in place, maximising this significant investment by expanding the infrastructure's reach would be a good idea. In this webinar, we look into the possibilities on how to integrate the customer into your identity management strategy.

Webinar

Feb 10, 2010: From E-SSO to a Holistic Authentication- and Authorization Strategy

Expert panel showcasing best practices migrating to a holistic auth(z) and auth(n) strategy.

Webinar

Feb 10, 2010: Access Management Tools - can they Integrate with what you have in a Lean Way?

Controlling access to information and to target applications is the key element of a security policy. Access management includes multiple elements, such as access control, access delegation, access policy definition and access reporting. In this virtual panel, we will look into how access management tools can integrate into your infrastructure in a lean and flexible way.

Webinar

Feb 09, 2010: Versatile Authentication - One Layer of (Strong) Authentication

Versatile authentication flexibly integrates a variety of open and proprietary authentication methods into one security layer, and strongly simplifies the implementation of multiple authentication methods in complex environments. In this panel, Dave Kearns will discuss with several authentication vendors about current trends in versatile authentication.

Webinar

Feb 09, 2010: 5 Quick Win Approaches to Achieve the Next Level of your IAM Infrastructure

IT organisations are facing increasing pressure to reduce costs, while at the same time compliance requirements increase and management is asking for more flexible solutions to react faster to new business requirements. In this Webinar, Martin Kuppinger, Principal Analyst at Kuppinger Cole, will describe 5 quick win approaches for getting your IAM infrastructure to the next level.

Webcast

Harnessing Sun's OpenSSO Authentication and Authorization Mechanisms

Kuppinger Cole Webinar recording

Blog

Virtual (Desktop) Identities

I recently took the chance to investigate the virtualization market a bit deeper, namely the market for Virtual Desktops as I have been used to server virtualization and the different flavors thereof for some time. While server virtualization was pretty much straight forward with regard to approach and deployment and those systems – once deployed – had little to no influence on how one runs his environment from a management perspective, Desktop Virtualization does seem to put some new obstacles in the way when it comes to identities, access to resources and management thereof. While most...

Webinar

Feb 09, 2010: Provisioning and Access Governance Trends

Provisioning and access management solutions, core applications of any identity management infrastructure, on the one hand have reached a high maturity level, and are moving down the market making deployments faster and cheaper. On the other hand, requirements have been changing: New sources of identity information have to be used in an increasing number of new processes and applications, with some of them running in the cloud. How to move on from centralized provisioning and access management infrastructures to a new, more decentralized way of doing identity management?

Blog

RSA goes GRC

For some of you, the acquisition of Burton by Gartner might have been the deal of the year. I (for sure, acting in the same market) will not comment on this. But for me, it hasn't been the deal of the year even in these first two weeks. Much more important is the acquisition of Archer by RSA. RSA Security, an EMC subsidiary for several years now, has bought one of the leading GRC vendors. In fact it was EMC which acquired Archer but within EMC it has been RSA Security. Archer is one of the major players in the Enterprise GRC market - I recently discussed the various segments of the GRC...

Webinar

Jan 21, 2010: How to Easily Provide the Detailed Insight into your Systems the Auditors (and you) Need

Approaches to automate and optimize the auditing on access and providing reporting capabilities are mandatory – at any level of IT. To save time and improve quality, appropriate tools are a must. Is there a one-size-fits-all approach?

Webinar

Jan 14, 2010: Harnessing Sun’s OpenSSO Authentication and Authorization Mechanisms

It's been several years since Kim Cameron presented the Identity Metasystem around the concept of "Claims". Years later, Claims are a reality, and there are multiple platforms out there that support using them. We have been advocating the adoption of the Identity Metasystem's concepts, and whilst not endorsing any particular platform per se, we acknowledge that there are several products out there that support this today. As part of a whole series of webinars focusing on practical issues and implementation details, this webinar will deeply dive into the implementation of Sun Microsystems...

Blog

New Webinar series on Claims

It's been a few years since Kim Cameron presented the Identity Metasystem around the concept of "Claims". If you've been following Kuppinger Cole you know how positive we have been about this framework. Years later, Claims are a reality, and there are multiple platforms out there that support using them. We have been advocating the adoption of the Identity Metasystem's concepts, and whilst not endorsing any particular platform per se, we acknowledge that there are several products out there that support this today. From our customers we often hear questions regarding the feasibility,...
