News Archive

Blog

Quo vadis?

Passwords have been the security standard for thousands of years, ever since they replaced biometrics as the preferred method of authentication. Biometrics? That’s right. From pre-historic times access to secure sites (food/money storage, military camps, etc.) was biometrically controlled – the guard either recognized you or didn’t. If he recognized you and was aware that you had clearance then you’d be allowed access. Otherwise, you might get run-thru with a sword. But as the population needing access to secure sites increased, it was no longer possible for every guard to know every...

Product Report

Product Report: Kaspersky Endpoint Security 8 and Kaspersky Security Center 9 - 70401

Kaspersky Endpoint Security and Kaspersky Security Center are two key components of Kaspersky Open Space Security – the integrated security suite from highly reputable security company Kaspersky Lab. Targeted primarily towards small and medium businesses, Kaspersky Open Space Security offers a flexible solution for protecting workstations, file and mail servers, network gateways, mobile devices and smartphones. Depending on their requirements, customers can choose from several solutions, each with different components. However since endpoint protection and centralized management...

Blog

Quest acquires Bitkoo – another step for Quest to play with the big boys

During the past few years, Quest has acquired several other IAM vendors: Völcker Informatik (Provisioning and Access Governance), Symlabs (Virtual Directory Services), Vintela (Linux/UNIX Authentication and Integration), and e-DMZ (Privileged User/Account Management) are just some examples of this shopping spree. The newest addition to the Quest portfolio is Bitkoo, a vendor in the Dynamic Authorization Management space (http://jacksonshaw.blogspot.com/2011/12/quest-acquires-bitkoo-and-dives-into.html). This acquisition comes as no surprise given that Dynamic Authorization Management is...

Advisory Note

Advisory Note: The Open API Economy - 70352

How the Open API Economy is increasing and changing the need for Identity Management. Baking an organization’s core competence into an Open API is an economic imperative. It’s clear that three main trends are driving technology in all areas. It goes without saying that, as digital identity is the gateway to all network-based products and services, identity is being affected by these trends: Social Computing, Mobile Computing, and Cloud Computing. While this observation is accurate and certainly these three trends are having a significant impact on things, there is...

Webcast

Clearing up a Cloudy Standard: Simple Cloud Identity Management

KuppingerCole Webinar recording

Webinar

Feb 09, 2012: Bridging the Cloud Sign-On Gap

With a plethora of user names and passwords to remember, end users are already frustrated. Adding multiple cloud applications makes it more difficult for end users and increases help desk call volume. Single sign-on can bridge the gap between the enterprise and the cloud while reducing user frustration. In this webcast KuppingerCole and Oracle will discuss how organizations can benefit from a cloud sign-on strategy. In addition, you will learn how single sign-on can jump start your cloud access management strategy and improve security.

Webcast

The Open API Economy - Opportunities and Risks

KuppingerCole Webinar recording

Blog

EVERY MOVE YOU MAKE I’LL BE WATCHING YOU

Is your location private? If you have installed an App on a smartphone it is almost certain that your location is being tracked. So should you care? Are you giving away details of your movements too cheaply? Is being able to track where your children are a benefit or a risk? To find the answers to these and other questions, on December 12th I attended “A Fine Balance 2011: Location and Cyber privacy in the digital age” sponsored by the UK Knowledge Transfer Network. The title to this article is taken from the lyrics of a 1983 song by “The Police” that was used as the basis of a talk by...

Blog

Managing Privacy and Data Protection – moving from “optional” to “mandatory”

My colleague Jörg Resch just gave us a summary on the current status of new EU Privacy Regulation that is “in the works” in Brussels. If only a portion of this becomes “EU Law” – meaning that it will not be a Directive which needs to be translated into local national law but supersedes any existing national law – it will change the game in an instant. Not only would the “amusingly small” fines that could currently be imposed on e.g. German companies for breaking privacy laws (standard maximum fine 50.000 €) be bumped up to “significant” numbers, but the actual provider of a service could be...

Vendor Report

Vendor Report: Oracle Cloud Security - 70160

This document is an evaluation of Oracle’s platform for Cloud computing from an information security perspective. Oracle offers a comprehensive set of tools and technologies upon which to build Cloud services. These services which can be built range from IaaS (Infrastructure as a Service) using Oracle VM Server software and Sun hardware through to SaaS (Software as a Service) built upon the Oracle Database technology and Oracle Fusion Middleware. The Oracle platform is based on Oracle Exalogic Elastic Cloud hardware and Oracle Exadata Database Machine. The tools enable Cloud services...

Blog

Security - the key to smart grids and planets

This week was the 6th National IT Summit in Germany. Like always, that's where big speeches are made and little happens. The German BITKOM (Bundesverband Informationswirtschaft, Telekommunikation und neue Medien e.V.), the IT and communications industry lobbyist association put the topic of smart networks (or grids) on the table. They requested initiatives (and money) to build such networks. That comes as no surprise, given that the smart world will require massive investments. So driving this forward makes sense. However, the big problem to solve for this smart world - whatever it will...

Webcast

Risk. The New Compliance

KuppingerCole Webinar recording

Product Report

Product Report: Quest One Identity Manager 5 - 70133

In 2010, Quest Software acquired the German software vendor Völcker Informatik AG, based in Berlin. Völcker had established itself in recent years as a provider of technically innovative solutions and a vendor to be reckoned with in the field of Identity and Access Management (IAM). In the process, the company has become highly visible in the German-speaking market and has succeeded in creating a substantial customer base including many large and well-known corporations, particularly in the German-speaking market. However, Völcker has no longer been a niche player, but...

Product Report

Product Report: Axiomatics Policy Management Suite - 70293

This product report covers the Axiomatics Policy Management Suite, consisting of the following products: Axiomatics Policy Server, Axiomatics Policy Auditor, and Axiomatics Reverse Query. The Axiomatics Policy Management suite falls into the category of Dynamic Authorization Management Systems, which are sometimes also called Entitlement Management or Policy Management solutions. Products of that category use the XML-based XACML standard – eXtensible Access Control Markup Language – to define authorization policies and make access control decisions. Axiomatics is a...

Blog

Saying that others are wrong doesn't make a mobile OS secure

Recently, Chris DiBona published a comment (or blog or whatever it is) at Google+ bashing at a lot of companies and people in the industry. He starts with "people claiming that open source is inherently insecure and that android is festooned with viruses because of that and because we do not exert apple like controls over the app market." Further down he claims that no major cell phone has a virus problem like Windows or Mac machines. There are some other harsh statements in the article, especially about vendors in the security space being charlatans and scammers. Not surprising that there...

Blog

YUNANO – CLOUD SOLUTIONS FOR MID SIZED ENTERPRISES

If you think that China only manufactures socks – read on to learn how Chinese software and European Cloud expertise plans to deliver ERP and CRM to mid-sized enterprises in EMEA. On November 8th, 2011 – the European IT services company ATOS and the Chinese software company UFIDA INTERNATIONAL HOLDINGS, LTD. announced the formation of a Joint Venture, YUNANO™ which will address the growing Cloud market in Europe and China, targeting midsize organizations. UFIDA is a Chinese software company, registered in Shanghai, which was founded in 1988 and has a focus on software for Accounting, ERP,...

Executive View

Snapshot: GTB Technologies – DLP solutions - 70357

GTB is a US-based vendor which delivers a suite of products focusing on the DLD and DLP issues, i.e. Data Loss Detection and Data Loss Prevention. The core product GTB Inspector acts as a content-aware reverse firewall which scans all outbound traffic and applies classification to this traffic in real-time. The second product is the GTB Endpoint DLP which is content-aware device control. It sits at the endpoints and thus for instance supports mobile devices outside of the perimeter as well. Finally there is GTB eDiscovery which can scan desktops and file shares, report on vulnerable...

Blog

A totally unsurprising proposal for European cloud initiatives

Today I received a press release of SAP talking about a new study of Roland Berger (a large consulting firm) and SAP with the title "Cloud Computing brings new growth opportunities to - Europe's IT and communications industry". It ends with a program consisting of five points, the proposal of Roland Berger and SAP. The points are: Define a European legal framework for data protection and data security; Define a "European Cloud Gold Standard" as sort of certificate for cloud providers; Spend EU money for research and development around innovations in the cloud; Support Cloud Computing for...

Webcast

Access Governance: Identity Management from the Business for the Business

KuppingerCole Webinar recording

Blog

Is cloud computing worth the hassle?

Cloud computing provides organisations with an alternative way of obtaining information technology services and offers many benefits including increased flexibility as well as cost reduction. But many organisations are reluctant to adopt the cloud because of concerns over information security and a loss of control over the way IT services are delivered. These fears have been exacerbated by recent events reported in the press including outages by Amazon and the three-day loss of Blackberry services from RIM. So what approach can be taken to ensure that the benefits of the cloud outweigh...

Executive View

Snapshot: Ilex Meibo and Meibo People Pack – IAM for the “big and not so big ones” - 70356

Ilex is a French company founded back in 1989. The company, which started with security consulting services, has been offering IAM products for many years, focusing mainly on France and other French speaking countries, but now expanding to other regions. Ilex offers, besides a solution for Single Sign-On, Web Access Management, and Federation, the tools Meibo and Meibo People Pack which provide IAM (Identity and Access Management) solutions for the SMB market and large mid-sized organizations. Meibo can serve larger environments or act as an addition to existing IAM infrastructures.

Vendor Report

Vendor Report: Fischer International - 70254

Fischer International differentiates itself from other vendors in the IAM market space especially through its strong focus on providing “Cloud Services” through a SaaS solution for the core functions of Identity Management. Unlike most others, Fischer International built its product completely around that particular approach. This brings specific technical advantages as far as multi-tenancy and connector architectures are concerned. It also affects configuration and management which tend to be more difficult to implement for products originally built for on-premise deployments....

Blog

SAML, SCIM - and what about authorization?

Cloud Computing is just another delivery model for IT services. However, due to the specifics of cloud services like multi-tenancy and many others, requirements sometimes are even higher than for on-premise services. One of these requirements in well-architected IT environments and for well-architected applications is the ability to externalize security. That includes relying on external directories for administering and authenticating users, e.g. on Identity Providers. It might include the capability of "cloud provisioning", e.g. receiving changes of users - even while I clearly favor...

Blog

Clearing up a cloudy standard

It was just over 10 years ago, at the annual Catalyst conference, that provisioning rivals Business Layers and Access360 sat on different sides of the conference meeting room (the ballroom of the Marriott hotel in San Diego) and hurled catcalls and invective at each other. A year later, they’d matured (as had the technology) and – under the auspices of the Organization for the Advancement of Structured Information Standards (OASIS) – joined to help form the Provisioning Services Technical Committee. A year after that, in 2003, the committee demonstrated the first release of the Provisioning...

Webcast

Why Access Governance Moves the Risk and Reward Balance in your Favour

KuppingerCole Webinar recording

Webinar

Dec 15, 2011: Clearing up a Cloudy Standard: Simple Cloud Identity Management

"Simple Cloud Identity Management (SCIM) appears to be our best chance for any sort of public provisioning standard, something we desperately need and have needed for years", says Dave Kearns. Join him, Ping Identity CTO Patrick Harding and SailPoint CTO Darran Rolls for this webinar on the newest provisioning specification which both Harding and Rolls have been involved with from the beginning.

Blog

Duqu follows Stuxnet - the next attack on the industry

Last week Duqu, a new Trojan, became known to us, readily coined by security experts and media as Stuxnet 2.0. Stuxnet and Duqu, however, probably are only the tip of the iceberg and the precursors of new attack scenarios, which will keep us busy from now on. It was the special characteristic of Stuxnet that the attack did not occur at the level of popular operating systems. Stuxnet targeted the control systems of industrial plants. The alleged target was the control technology of Iran's nuclear power plants. They are used for instance to control the speed of motors in many industrial...

Vendor Report

Vendor Report: Courion - 70353

Courion has provided identity management solutions since 1996 and is well established in North America. Although the company has traditionally not had a strong presence in Europe, several large accounts in Germany, Switzerland and the UK are using Courion’s products. This is about to change: the company has prioritized Europe for the next years and plans to expand aggressively there through new hires and partnerships. Courion’s flagship products are its identity access management suite that also includes many GRC (governance, risk-management and compliance) features. In fact,...

Webinar

Dec 01, 2011: Risk. The New Compliance

For many years complying with government standards and industry regulations has been seen as a check box in the lengthy list of IT security tasks. However, most recent changes in the ecosystem (e.g., increased cyber security threats) have led to a rethinking of this approach. More and more organizations realize that instead of looking at Governance, Risk, and Compliance from a centralized perspective, it is more efficient to let business operations drive these efforts as that's where the organization's risk knowledge resides. Join this webcast where we reveal how to tackle risk and its...

Webcast

Solving the Million Record Challenge with XACML

KuppingerCole Webinar recording

Webinar

Dec 13, 2011: The Open API Economy - Opportunities and Risks

Three main (business) trends are driving technology in all areas: Social Computing, Mobile Computing and Cloud Computing. Looking behind the curtain, we see that these three trends with strong impact on everything around us are based on yet another trend, which is enabling companies to build their business models on top of services and features available through Open APIs (standardised application programming interfaces through which applications can connect to other applications). The impact of Open APIs on the way we do business is growing so fast, that we have to label it not just as a...

Webcast

The Clock is Ticking: Rethink PCI 2.0 Compliance

KuppingerCole Webinar recording

Executive View

Snapshot: Nervepoint Access Manager - 70354

Nervepoint Access Manager - Self-Service v0.5 is a free tool that provides self-service and password reset functionality as well as account unlock for Active Directory. The product is still deemed “beta” by Nervepoint Technologies, but the recently published v0.5 offers some additional benefit and valuable tools that can reduce help-desk calls in small to medium enterprises. The simplistic UI for the end-users is intuitive and self-explanatory, thus enabling average users to set-up their account and manage their data.

Blog

UK Government ID Assurance Program

The UK National Identity Card ceased to be a valid legal document on 21 January 2011. What does this mean for e-Government in the UK? In October 2010 Martha Lane Fox – the founder of Lastminute.com and UK Government’s digital champion – delivered a report on delivering government services via the web. As a result of this report the Right Honourable Francis Maude, the minister responsible, launched a study “Ensuring Trust in Digital Services” through the Technology Strategy Board. On October 31st, 2011 I attended a series of presentations and demonstrations describing the results of this...

Webinar

Nov 10, 2011: Delivering a Context Service through Virtualization

Apart from defining the difference between identity and context, the second of the Radiant Logic webinar series with KuppingerCole Senior Analyst Dave Kearns as guest speaker will clarify why context virtualization is critical in the authorization and profile management realm. For both internal and cloud-based applications, contextual insight offers substantial possibilities. Combining identity and context enables businesses to reach CDI and MDM targets, bringing the discussion into the more traditional SQL/Data warehouse realm.

Product Report

Product Report: iT-CUBE agileSI - 70349

agileSI is a product which collects SAP security information and provides this information to Security Information and Event Management (SIEM) tools. The initial release supports ArcSight ESM, the market leader in the SIEM market. Beyond extracting the SAP security information, agileSI transforms that information for use in SIEM tools and adds standard configurations to ArcSight ESM which allow you to directly perform analytics. These analytics can be customized, depending on the customer requirements. agileSI is the second product brought to market by iT-CUBE, a German software vendor,...

Blog

More on the Open API Revolution

As I said in an earlier post, the folks at Programmableweb.com announced that the number of open APIs they track reached an unbelievable number—4000—in record time. They published this graph showing the hockey stick growth rate: Figure 1—Total Number of APIs source: Programmableweb So let's take a quick look at the dynamics of this growth rate. Phil Windley helped me out and here is what we came up with. The data could be interpreted as a power law. Phil used this: Figure 2—Extrapolating the Numbers source: Craig Burton and Phil Windley But I am going to go out on a limb and...

Blog

Mobile phones and security - still two worlds colliding?

Some days ago I received a new HTC Pro Windows Phone, now running with Windows 7.5, the "Mango" release. Overall, I really like that phone. It is smart, it is very easy to configure. I never had a phone which was up and running with access to all mail accounts, calendar, and tasks so quickly. It works pretty seamlessly with Office 365. OK, having Skype on the phone would be great, in particular given that Microsoft owns Skype. So far, so good. But then you start this phone and are asked for the PIN. But if you just cancel the PIN entry, you have full access to everything which is on that...

Blog

Relevance of recertification

In a recent briefing with CrossIdeas, the MBO of the former Engiweb, an Italian software manufacturer in the area of Access Governance and Dynamic Authorization Management, they demonstrated an interesting feature: Doing recertifications based on relevance. Recertification of access rights is a key element of regulatory compliance. This is done frequently on a pretty standardized schedule. Doing this once or twice a year is the typical approach. For some specific systems or groups of users, we frequently see that the intervals are shorter, e.g. some risk-oriented approach is not uncommon....

Blog

The API Computing Magic Troika and the API Economy

Intro Provocative quotes: Baking your core competency into an open API is an economic imperative. source: Craig Burton If you are not engaged in generating or enabling open APIs for your business—you are not in the game. source: Craig Burton Social—, Mobile—, and Cloud-computing are hot. The API computing magic troika is white hot. source: Craig Burton Ubiquitineurs don’t litigate or file for patents. Litigation and patents are the tools of the purveyors of scarcity. Source: Craig Burton I talk to my buddy and visionary Doc Searls almost every day. He is busy writing his new book about the...

Webcast

IdM in Practice: Vacation and Sick-Leave Substitutions Made Simple and Secure

KuppingerCole Webinar recording

Vendor Report

Vendor Report: TITUS - 70301

TITUS (www.titus.com) is a privately held company specializing in information classification and data security, including Data Loss Prevention (DLP). The product portfolio consists of several products supporting the information classification and some aspects of DLP requirements in different types of environments, from email to SharePoint and Cloud security. TITUS has been covered in KuppingerCole’s 2010 report “Hidden Gems”, covering vendors with a strong potential in the market. The company successfully managed to build on the strong potential we had identified and...

Blog

Information (hardware-) Security

We have been discussing IRM, DRM, DLP and other acronyms back and forth for quite a while now and I am sure there are a good bunch of solutions out there for those organizations that have policies and procedures in place to sufficiently plan, build and run such a tool. Thus, I was pretty much „meh“ about any discussions revolving around the pros and cons of approaches… Well, our close friends sometimes surprise us with problems we never seem to have „seen“ before. One of those friends runs a small System Integrator / VAR company and approached me with a problem, that is common among...

Blog

Hunting for the latest Android Release?

Recently I came across a news alert that Google have released Android 4.0 on some new mobile phone. 4.0 already? That is extreme, Android hasn't been around that long. It is good on one side, that there seems to be a strong community of developers eliminating bugs and improving on a fast pace. On the other side - you need to be quick in carrying your new Android smartphone home if you want to install the first OS update before your hardware becomes incompatible with the latest release. Cupcake, Donut, Eclair, Froyo, Gingerbread, Honeycomb.... now Ice Cream Sandwich and soon Jelly Bean -...

Product Report

Product Report: SailPoint IdentityIQ 5.2 - 70287

SailPoint is one of the pioneers in the emerging market for Access Governance. The company was founded in 2005 by a group of executives with long experience in IAM (Identity and Access Management) as well as in the general IT market. SailPoint is a company that started focusing exclusively on a platform that provides what they describe as “Identity Governance”. Designated “IdentityIQ,” the product belongs to the category of so-called “Access Governance” tools, which themselves form a relatively new segment within the markets for GRC (Governance, Risk...

Blog

The Decadence of Stuxnet, Duqu, Staatstrojaner and other Government produced Vermin

It seems that we now have entered the “Age of Political Cretinism”, with governments reducing themselves to either waste money or produce malware. We have several recent examples for this tendency: Stuxnet, Duqu and similar, (have a look at Martin's recent blogpost on this) well elaborated and dangerous trojans aiming at large industrial facilities on the one side, and poorly timbered Trojans used to regain the option to spy anybody's communication with anyone in a time where Skype and similar services have made this more difficult for governments. The German so-called “Staatstrojaner”...

Blog

Stuxnet reloaded - the war has just begun

Yesterday, news about a new trojan has spread. The trojan is called Duqu or, correctly, W32.Duqu. It appears to be based on Stuxnet code, thus it is targeted against industrial automation equipment. However, unlike Stuxnet the new Trojan isn't targeted to sabotage industrial control systems but steals data. So it is most likely just the precursor to the next Stuxnet-like type of attack. Duqu was, from what we know, targeted against selected organizations mainly in the area of software development for industry automation. It does some espionage there, collecting information which then might...

Product Report

Product Report: DirX Identity 8.2 - 70134

With DirX Identity, Siemens has been able to establish itself amongst the technically leading vendors in the area of enterprise provisioning. As part of the Atos Origin acquisition of Siemens IT Solutions and Services (SIS) on 1st July 2011, the entire DirX product portfolio has been passed to Atos Origin. Atos Origin was renamed “Atos” to coincide with the takeover of SIS. Atos is marketing the DirX products on a global scale. The functionality of version 8.1, which has been available since 2009, and version 8.2, released in 2011, has been significantly enhanced compared to...

Webinar

Nov 22, 2011: Access Governance: Identity Management from the Business for the Business

Responsibility cannot be delegated. It is the employees of the business departments who are accountable to supervisory bodies, auditors and the courts, and who are ultimately held liable. For that reason alone (but of course also because they are closer to the process and can therefore do it better), modern Identity Management must be suitable for business departments. Identity & Access Governance. In this webinar, Martin Kuppinger first describes what matters when you make your identity infrastructure available to the business departments as a service. Afterwards...

Webcast

Surviving the Cyber Security Attack Wave

KuppingerCole Webinar recording

Vendor Report

Vendor Report: Symplified - 70121

Securant Technology was a visionary vendor which created the web access management niche in the mid 1990’s. When that company was acquired by RSA, its management team immediately began thinking about what would come next. From that brain-storming emerged Symplified. Symplified was envisioned and built to be the identity service for the cloud-based computing platform that was beginning to emerge in the early years of the 21st century. Initially this was supposed to be a pure-play cloud strategy – nothing would be installed on-premises. Since the market wasn’t quite ready...

Webinar

Nov 10, 2011: Solving the Million Record Challenge with XACML

This webinar with Martin Kuppinger and Gerry Gebel is part of our XACML how-to series and will highlight how you can implement XACML policies in "big data" scenarios.

Blog

Steve Jobs: cause to reflect

I am the same age as Steve Jobs. So when Phil Windley sent me the link to the 1985 Playboy Magazine interview of Steve Jobs (just before he was forced to leave Apple) I had to laugh at some of the questions made by the interviewer and remember all of the things that were going on in the industry then. During the 80’s I worked for Ray Noorda at Novell. My job was to create and drive Novell’s strategy. The plan was simple, give real freedom of choice to the customer and be interoperable with as many networks and computers as possible. By 1985 Noorda was finally coming around to the freedom...

Blog

SIEM - it's not mainly about tools

Last week, IBM announced the acquisition of Q1 Labs. The same day, McAfee announced its plans to buy NitroSecurity. Not that long ago, HP bought ArcSight. Obviously, SIEM vendors seem to be very attractive to the large players in IT. SIEM, the acronym of Security Information and Event Management, consists of two disciplines. One is about managing the security information from different sources, the other is about real-time analysis of that information to identify events. Given the increasing security threats (no, these aren't just challenges anymore), having approaches in place which help in...

Blog

German state fails in hacking

This weekend, the German CCC (Chaos Computer Club), an institution which probably is best described as the "white hat" association in Germany and being prominent for a long time for identifying security issues, informed the public about severe issues with the so called "Bundestrojaner", a trojan used by the German BKA (sort of the counterpart to the FBI) in some cases to hack computers of suspects and to collect internet telephony data. There are two severe issues identified. The first one is that the trojan is able to do a lot of things which are just illegal. The German Federal...

Webcast

XACML Made Easy: Modeling High Level Policies in XACML

KuppingerCole Webinar recording

Blog

Understanding Identity and Access Management

In the second document from our series outlining KuppingerCole’s basic positions on key issues surrounding Digital Identity, Security and Infrastructure Management, we will explore the cornerstones of Identity & Access Management, which is mostly known by its abbreviation “IAM”, along with current trends and ramifications for corporate IT systems. IAM is primarily seen as a set of technologies which govern and regulate who is allowed access to which information stored or being processed within IT environments. Unfortunately, taking such a narrow technology-focused view deflects from the...

Product Report

Product Report: Evidian Identity & Access Manager 9 - 70130

Corporate IT environments are growing more complex every day. Not only do users within and outside the organization need to access sensitive information, they need to do so on the road and from a wide range of different devices. Identity & Access Management (IAM) is increasingly being recognized as the key to both security and business success for enterprises around the world. Evidian, a subsidiary of Groupe Bull created in July 2000 as an Independent Software Vendor company, is a well-established player in this field. Its signature product, Evidian Identity and Access Manager,...

Advisory Note

Scenario: Understanding Identity and Access Management - 70129

In this second document from our series outlining KuppingerCole’s basic positions on key issues surrounding Digital Identity, Security and Infrastructure Management, we will explore the cornerstones of Identity & Access Management, which is mostly known by its abbreviation “IAM”, along with current trends and ramifications for corporate IT systems. IAM is primarily seen as a set of technologies which govern and regulate who is allowed access to which information stored or being processed within IT environments. Unfortunately, taking such a narrow technology-focused...

Advisory Note

Advisory Note: Avoiding Lock-in and Availability Risks in the Cloud - 70171

Cloud computing provides an opportunity for organizations to optimize the procurement of IT services from both internal and external suppliers. The Cloud is not a single model but covers a wide spectrum ranging from applications shared between multiple tenants to virtual servers used by a single customer. The risks associated with Cloud computing depend upon both the service model and the delivery model adopted. This document focuses on two specific risks – availability and lock-in. A major objective of IT services is that systems, applications and data are available to authorized...

Blog

DigiNotar and RSA hackings demonstrate need for multi-level IT security

The attacks on SSL certificate authorities such as DigiNotar or GlobalSign threaten significant aspects of SSL-based security on the Internet. They also demonstrate yet again that security concepts should be multi-layered and never have a “single point of failure”. In late August it emerged that Dutch SSL certificate authority DigiNotar, a subsidiary of the VASCO Group, had been the subject of a successful attack in which an attacker, presumably from Iran, hacked into DigiNotar’s certificate authority (CA). Claims have meanwhile surfaced that the CA was insufficiently secured. Now...

Blog

Agility, service levels, and cost

Some two weeks ago I've been at the EMC EMEA Analyst Summit in France. In one of the sessions Chuck Hollis, VP Global Marketing CTO of EMC Corporation (what a title, isn't it?) made a very good comment when one of the presenters talked about the needs for agility and speed service level fulfillment and improvement cost optimization of IT when providing services. He pointed out that IT looks at this typically in the order of cost - service level - agility, while business looks at agility - service level - cost. I really like that. You might argue that business always is talking about IT...

Webinar

Nov 03, 2011: The Clock is Ticking: Rethink PCI 2.0 Compliance

The time when you will ultimately have to demonstrate PCI DSS 2.0 compliance is getting closer now. We therefore would like to invite you to join us in this webinar to have a look at how you can certify fast and at reasonable cost. Don't miss this webinar and its great speaker lineup: KuppingerCole's Senior Analyst Dave Kearns, Tom Arnold from Payment Software Company, who is one of the leading Qualified Security Assessors in the world, and Dr. Torsten George from Agiliance.

Blog

What is the future of trust?

Trust is a fundamental concept of today's IT. Security is based on trust. We have (or better: had, after DigiNotar?) trust that a web server which has a valid SSL certificate is the server it claims to be. We had trust that RSA SecurID tokens are secure (which they still are to some degree, but a lower one than before). We have trust that our authentication in the Active Directory is done in a secure way. We trust the identity provider when using identity federation. However, especially the first two examples raise the question whether the concept of trust still is a foundation to build...

Webcast

Thriving in Change - Using Federation and the Cloud to Minimize IT Costs

KuppingerCole Webinar recording

Webinar

Nov 15, 2011: Why Access Governance Moves the Risk and Reward Balance in your Favour

In this webinar, KuppingerCole's Principal Analyst Martin Kuppinger will describe how to reduce business risks through transferring responsibility for defining, maintaining and auditing information security policies and access rules from IT to those business divisions which actually need these policies to do their job. Following Martin's presentation, Quest Software's Phil Allen will show practical approaches and best practices implementing such an Access Governance program.

Webcast

Why Managing Privileged Users Benefits your Business

KuppingerCole Webinar recording

Blog

Facebook strikes again

Last spring, the world was up in arms over alleged tracking of users’ locations by iPads,  iPhones and Smartphones powered by Google’s Android operating system. According to a story from ABC News, “…Just days after researchers demonstrated that some Apple iPhone and iPad owners have had their locations tracked by their devices, another security researcher revealed that Android phones, which use Google's mobile operating system, store users' geographic information in a very similar manner.” Interestingly, though, Apple had revealed that information a year earlier in a letter drafted in...

Blog

Microsoft acquires BHOLD technology assets

Today Microsoft announced that they have acquired technology assets from BHOLD, a Dutch vendor of Access Governance technology. Microsoft thus now owns technology which has been missing in their IAM portfolio until now. Microsoft thus enters the Access Governance market. Whether that will happen through enhancements of their existing FIM 2010 product or by adding another product based on the BHOLD technology hasn't been announced yet. Anyhow, the deal will change the Access Governance market, particularly regarding the offerings which are targeted to complement Microsoft FIM. KuppingerCole...

Webcast

Integrating Access Governance and Entitlement Management

KuppingerCole Webinar recording

Advisory Note

Advisory Note: From Identity and Access Solutions to Access Governance - 70318

The need to identify users, control what they can access and audit their activities is fundamental to information security. Over the past decade there has been a tsunami of identity and access management technology designed to provide a solution to these needs. However many organizations have not realised the benefits expected from the application of this technology, because they have taken a technology led approach rather than one based on governance. In addition – the move to outsourcing and the Cloud means that technology and some processes are no longer under direct control....

Blog

Who are the good guys - the one that keep you informed about security issues or the others?

I understand the reason behind - but it is still contradictory. People expect IT vendors to quickly inform them about security issues. And people then blame them for the security issues. OK, if there are security issues which affect someone, he has some reason to blame the company responsible for these. Nevertheless, some more fairness would help in achieving even more openness. If you have to admit a security issue and you fix it, then this is obviously better than just trying to hide what has happened. Let's take some examples. Microsoft has been bashed for years for not doing even to...

Webcast

Game On: Managing Multi-Regulatory Compliance

KuppingerCole Webinar recording

Blog

The UBS case: Again 2 billion US$ lost due to unauthorized transactions of a trader

Today, the next story about banks failing in managing trading risks hit the news. It remains unclear what allowed the trader to execute unauthorized (and thus most likely illegal) transactions which led to that loss. However, the Risk Management of UBS obviously failed. By the way: UBS had to announce that just the day the Swiss parliament started a debate about new regulations for the finance industry. It will be interesting to hear about why that could happen. Did some people co-operate? Did the risk management system specifically for those types of transactions fail? Or has it been an...

Blog

UBS: No Guts, No Glory

I just read that UBS is reporting some 2 Billion $$ damage from "unauthorized deals" one of their investment bankers made. 2 years after Kerviel / Société Generale. This is the hard way of learning things. The only thing that now might really help those who will be asked why somebody is able to do unauthorized deals and create 2 Billion Dollars loss: Get the latest album from Australian Hard Rock Band Airbourne: "NO GUTS NO GLORY", take a day off and listen to it. Or for immediate relief, have a look at their "NO WAY BUT THE HARD WAY" video. Great music.

Product Report

Product Report: CrossIdeas IDEAS - 70271

CrossIdeas is a European vendor based in Italy specializing in Access Governance, Dynamic Authorization Management, and IAM. Formerly known as Engiweb Security, the company was renamed following a management buy-out and operates today as an independent software vendor in their core market segments. Like its predecessor, CrossIdeas is a one-product company, focusing entirely on their “IDEAS” platform which is built around role management, authorization management, and other core identity-related features. KuppingerCole feels that the product is well positioned as an accepted...

Webinar

Oct 06, 2011: XACML Made Easy: Modeling High Level Policies in XACML

In this webinar, Principal Analyst Martin Kuppinger will give an overview on how the XACML standard can be used to achieve a top-down approach to governance. Following Martin's presentation, Axiomatics' Director of Technology Partnerships and former Kuppinger Cole Analyst Felix Gaehtgens will show examples that show how easy it actually is to translate high-level access control requirements from written English into XACML policies that implement tight control. Felix will then describe how to model XACML policies to integrate risk-awareness in access controls.

Blog

GlobalSign interrupt their Certificate Services and ask Fox-IT to Investigate Alleged Security Breach

Only hours after the individual/group claiming responsibility for the DigiNotar hack had posted on pastebin, that he/they have access to 4 more high profile CAs and had named GlobalSign to be one of those 4, GlobalSign reacted and released a statement that they have ceased to issue any SSL certificates. Also GlobalSign have asked Fox-IT for e-discovery and investigative services to verify the hacker's claim. GlobalSign, a GMO Internet Inc. company since 2006, has its roots in Belgium. Back in 2000, Vodafone had bought a 40% share of GlobalSign through their German subsidiary D2 Mannesmann....

Blog

The DigiNotar Hack, Black Tulips, Rogue Certificates and what You're not Being Told about PKI and Risk

DigiNotar is a Dutch "Internet Trust Provider" running a Certificate Authority (CA), selling SSL Certificates and digital signature solutions. DigiNotar had recently been bought by VASCO. On August 30, 2011, DigiNotar/VASCO reported that DigiNotar detected on July 19th, 2011 an intrusion into their CA infrastructure, "... which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including Google.com." In the meantime we know that so far the known number of fraudulently created certificates is beyond 500 and it concerns domains like...

Workshop

Nov 17, 2011: KuppingerCole Industry Round Table: Cloud Computing and Data Protection Law

For more than 2 years we have been in a cloud computing hype phase, and no end is in sight. On the contrary: there is hardly a company in which IT professionals, under more or less heavy pressure from their top management, are not ringing in the cloud computing era and already igniting the next booster stage. More agility for less money: by now we know the relevant business arguments for moving IT into the cloud well enough to know that the cloud will not be a passing phenomenon. Yet even after 2 years of hype, the risks in...

Workshop

Oct 12, 2011: Risk and Protection Requirements Analyses in Cloud Computing

This half-day intensive workshop, which we are offering during the IT security trade fair it-sa 2011 (October 11-13, 2011, Hall 12 at the Nuremberg exhibition grounds), gives you valuable expert knowledge on the core topic of cloud security. As a participant in this workshop you will receive a free admission ticket to the IT security trade fair it-sa 2011.

Blog

Planning future-proof IT Security projects

In IT, proper planning is all-important. If it is neglected, chaos ensues. Identity & Access Management (IAM) is a good case in point: As more and more enterprises recognize that it is not enough to simply concentrate on digital IDs and handling access requests, the Golden Rule of IT projects comes into play: „Think big – start small“. Identity & Access Management is a perfect example of what happens when IT departments approach a basic problem with a too narrow focus. In the end, they wind up having to broaden both their scope and their financial commitment. And often, they find...

Vendor Report

Vendor Report: Microsoft® Cloud Security - 70126

This document is an evaluation of Microsoft’s Windows Azure™ Cloud platform from a security perspective. This platform allows organizations to build Cloud applications which are then hosted in the worldwide network of Microsoft datacenters. It also allows organizations to host existing applications that run under Windows Server 2008 and certain types of data in these Microsoft datacenters. Microsoft has put considerable thought into meeting the security challenges of Cloud computing and incorporated solutions to these challenges in their offering. Many organizations are moving...

Webinar

Oct 25, 2011: IdM in Practice: Managing Vacation and Sick-Leave Stand-Ins Simply and Securely

Hopefully you are back from your vacation well rested and in good shape? Then we hope that your stand-in did good work and that the benefit of your break is not soon eaten up by work left undone. A stand-in can only really do good work, however, if they have the same access rights and system permissions as you. In this webinar you will learn how to achieve this in a simple and traceable way without having to hand over your passwords.

Webinar

Oct 13, 2011: Surviving the Cyber Security Attack Wave

In this webinar, KuppingerCole's co-founder and Principal Analyst Martin Kuppinger will talk about the key elements of a pro-active security risk management strategy. Then, Dr. Torsten George from Security and Operational Risk Management pioneer Agiliance will describe the elements of a properly planned and implemented security risk management program that enables organizations to reduce risk by making threats and vulnerabilities visible and actionable, enabling them to prioritize and address high risk security exposures before breaches occur.

Webinar

Sep 15, 2011: Game On: Managing Multi-Regulatory Compliance

In this webinar, KuppingerCole's co-founder and Principal Analyst Martin Kuppinger will give you an overview on how to stay compliant in a multi-regulatory environment. Followed by Martin, Cognosec CEO Oliver Eckel will reveal best practices of managing compliance in today's multi-regulatory world.

Blog

Ignorance is no excuse

Looking back on the spectacular security breaches of the past few months it is almost impossible to avoid the feeling that enterprises and organizations around the world have their heads stuck firmly in the sand, at least as far as Information Security goes. Okay, so you didn’t know the pistol was loaded. Well, ignorance is hardly an excuse in most cases, and Information Security is one of them. The only way to protect yourself from attack is by knowing your own weaknesses and doing something about them. There are at least two ways to skin this particular cat; one has to do with proper...

Executive View

Snapshot: Pawaa Enterprise Protection Suite - 70343

Pawaa is a specialist in Enterprise Information Protection based in Bangalore, India, offering a number of products and modules for use cases such as integration with Google Docs, SAP Business Objects or as an online storage platform.

Webinar

Sep 22, 2011: Integrating Access Governance and Entitlement Management

The worldwide financial services crisis and the resulting recession in major Western markets have put pressure on governments to introduce new legislation to alleviate the danger of a reoccurrence. However, new oversight regulations always tend to add complexity. For example, the new US Dodd-Frank Act is 6 times the size of its predecessor, the 2002 Sarbanes Oxley Act. Responding to this new set of laws forces enterprises and organizations to improve the transparency and flexibility of their access governance procedures. In this webinar, we will explore the diverse...

Webinar

Sep 28, 2011: Thriving in Change - Using Federation and the Cloud to Minimize IT Costs

Overcoming the inherent security and identity management challenges is key to a successful move into the cloud. In this webinar, KuppingerCole's Senior Analyst, Sebastian Rohr, will give suggestions for successful adoption of cloud computing that overcome the inherent security and identity management challenges. Sebastian will be joined by Travis Spencer, a Sr. Technical Architect in Ping Identity’s CTO office, who will elaborate on these options, drawing on the lessons learned from the hundreds of Ping Identity customers that have overcome these difficulties.

Webinar

Sep 27, 2011: Why Managing Privileged Users Benefits your Business

In this webinar, KuppingerCole's co-founder and principal analyst Martin Kuppinger will give you an overview on the dos and don'ts of privileged user management, with a special emphasis on hybrid cloud environments. Followed by Martin, Phil Allen, Quest Software's Director Identity Management EMEA, will talk about Quest Software's solution focus within the privileged user management sphere, which recently received a strong boost through the acquisition of e-DMZ Security.

Blog

Moving forward in IAM at your own pace

During the last years, there has been a lot of change in the Identity Provisioning market. Sun became part of Oracle, Novell is now NetIQ, BMC Control-SA is now at SailPoint, Völcker has been acquired by Quest, Siemens DirX ended up at Atos. These changes as well as other influencing factors like mergers & acquisitions, failed projects, and so on lead to situations where customers start thinking about what to do next in IAM and around provisioning. Another factor is that sometimes provisioning solutions are implemented with focus on specific environments - SAP NetWeaver Identity...

Vendor Report

Vendor Report: Lieberman Software - 70107

Lieberman Software is an established vendor in the PxM (Privileged Access, Account, Identity, User Management) market, one of the fastest growing segments in the broader IAM and GRC market. The core product ERPM (Enterprise Random Password Manager) supports the management of all types of passwords in a heterogeneous environment by managing and securing the passwords. In addition to its core PxM product, Lieberman Software delivers various Windows management tools. In contrast to other vendors in the PxM market, Lieberman Software focuses on the management of the passwords of privileged...

Webinar

Aug 25, 2011: A Complete Identity Service Through Virtualization

In this webinar, directory expert and Senior KuppingerCole Analyst Dave Kearns will explore the challenges of identity integration and how to solve them through identity & context as a service. Dave will be joined by Lauren Selby from Radiant Logic, who will talk about Radiant Logic's approach to defining an integration layer between internal, "traditional" identity management needs and the new cloud computing challenges.

Blog

Persons, Identities, Users, Accounts

Is there a mismatch between the reality in organizations and the implementations of at least several of the Identity Provisioning and Access Governance solutions when it comes to the representation of physical persons in IT? To me it appears that there is a mismatch. The reality in all large organizations I know is that the real world is sort of 3-tiered: There is a physical person - let's call him Mr. X. Mr. X can act in very different contexts. You might call them roles or digital identities, however all of these terms are overloaded with meanings. I'll give three examples for that. 1....

Blog

Stop Using the "C" and the "E" Word

While attending the Cloud Identity Summit last week in Keystone Co. I noticed a usage trend that needs addressing. Almost without exception, the discussions around identity and identity technology used two categories for defining market segments. The two categories are: The Consumer; The Enterprise. These ambiguous categories are hindering moving forward with identity discussions and productivity. Every session I attended, I challenged the presenter to define these terms. Without exception, the confusion and ambiguity were rampant. For example, where are the people that don’t work for a...

Product Report

Product Report: DirX Identity 8.2 - 70134

With DirX Identity, Siemens has been able to establish itself as one of the technically leading vendors in the field of enterprise provisioning. As part of the acquisition of Siemens IT Solutions and Services (SIS) by Atos Origin on July 1, 2011, the entire DirX product portfolio went to Atos Origin. With the acquisition of SIS, Atos Origin was renamed Atos at the same time. Atos sells the DirX products worldwide. Compared with their respective predecessor versions, version 8.1, available since 2009, and version 8.2, released in 2011, are...

Advisory Note

Scenario: Understanding IT Service and Security Management - 70173

This research note is the first of a series of documents describing KuppingerCole’s basic positions and providing insights into IT Service and Information Security Management. It describes the fundamental building blocks of, including what IT should be able to deliver to the business as well as the technical production of IT services. Together, these form the basis for effective organization of IT departments, as well as for improving Business/IT alignment, and making the procurement or production of IT services more efficient. The fundamental role of IT within an organization...

Blog

Recertification in dynamic authorization systems

Access Governance tools are becoming standard in IAM infrastructures. However, they mainly focus on "static" access controls, e.g. the entitlements granted to a user based on roles and other paradigms. Recertification is supported by these tools, and the solutions are maturing quickly. Thus, that part of Access Governance is easy to solve. However, the next wave is coming with the increasing success of tools which are commonly called Entitlement Servers or Policy Servers. I tend to call them Dynamic Authorization Systems because they authorize based on rule sets and attributes at runtime....

Blog

Slipsliding away from passwords

Tell me a story! Everybody hates passwords, because there are so many of them and keeping track is tricky. And of course we all know that passwords are inherently insecure, so we would all be better off with something else. Nowadays, there’s another reason to hate passwords, namely the profusion of smartphones and other mobile devices with itsy-bitsy, teeny-weenie keypads that make typing in long, complicated passwords a real pain. Lots of people have spent lots of time trying to come up with alternatives. Biometrics? Smartcards? Keystroke recognition? Voice recognition? You name it,...

Blog

How to deal with Data Sprawl? Could a sticky policy standard help?

Data Sprawl appears to me to be one of the biggest challenges in information security. And, by the way, Data Sprawl is not an issue that is specific to Cloud Computing. It is a problem organizations are facing day by day. What happens when data is extracted from a SAP system? One example: a CSV (flat) file is created with some data from the HR system. This file is delivered to another system, in the best case using some secure file transfer. But what happens then? That other system processes the file in some way or another. It might export some or all of the data, which then ends up in yet...

Blog

What can News International teach us about information governance?

WHAT HAPPENED? On July 19th, Rupert Murdoch, proprietor of one of the world’s largest news organizations News International, apologized for phone hacking by reporters at the News of the World, and is quoted as saying “this is the humblest day of my life” to a committee of MPs in London. What does this teach us about information governance? On Sunday July 10th, 2011 the News of the World published its last edition. This paper had been publishing for 168 years and was the top selling Sunday newspaper in the UK. The closure came following revelations of how the newspaper had allegedly...

Press Release

BYOD puts new pressure on IT pros

There is no way to control the business use of private mobile devices – information security is the only answer

Duesseldorf July 13th, 2011 - The growing trend towards use of privately owned mobile devices such as iPhones, iPads, tablet PCs and laptops for business purposes is causing IT departments to lose control of the security and integrity of their systems. Instead of trying to stop the trend toward BYOD (“Bring Your Own Device”), IT pros should focus on securing the information itself.

Press Release

BYOD puts IT staff under pressure

Private devices in the company cannot be controlled – information security as the way out

Düsseldorf, July 13, 2011 - Given the trend toward the use of private mobile devices such as iPhones, iPads, tablets or laptops in companies, IT departments are at risk of losing control over the security of their systems. Instead of resisting the BYOD trend, IT staff should direct their attention (and their investments) toward creating real information security.

Blog

Critical success factors for IAM projects

This is sort of a "back to the roots" post, but for some good reason. I've done several advisories and customer calls recently, and in some of them it became obvious that companies tend to miss some of the critical success factors for IAM (Identity and Access Management). Some of the projects are still too technology-focused. So I've put together some key success factors for IAM projects. These are not that technical, so you won't read things like "support the cloud", because that should just be a result of the requirements analysis. Requirements: Understand the requirements of Business...

Advisory Note

Advisory Note: BYOD - 70335

Bring Your Own Device (or “BYOD” for short) may seem like the latest hype, but in fact it isn’t really all that new. Employees have been bringing their smartphones or iPads to work for quite some time now, mostly with their employers’ explicit (or at least implicit) consent. And ever since, IT departments have been worrying about losing control and how to halt the spread of privately owned mobile devices. Sadly, they are missing the point. They need to accept that smartphones and tablets are a fact of life in the networked economy, and that they are poised to...

Blog

ITIL is good, but IT Service Management is better

Service Management and with it the IT Infrastructure Library, or ITIL, is key to bridging the gap between IT users and „IT production“. But as Cloud Computing goes mainstream, it becomes increasingly clear that ITIL alone is not enough. For their Service Management needs, many vendors and user companies rely today on the IT Infrastructure Library. Developed in the 80ies by the UK Government's Central Computer and Telecommunications Agency as a set of recommendations on best practices for IT, ITIL really is quite helpful as a pedestal upon which Service Management can be based since it...

Blog

How can IT keep a grip on mobile devices?

Bring Your Own Device (or “BYOD” for short) is another IT hype word making the rounds nowadays, but it isn’t really all that new. Many employees have been bringing their smartphones or iPads to work for quite some time now, with the company’s explicit or implicit consent – at least as long as access with such devices hasn’t been fully blocked. IT departments worry increasingly about how to control the proliferation of privately owned mobile devices, but they’re missing the real point. Of course, many people have been using private devices professionally for years, ever since laptops started...

Webcast

How to Prepare for BYOD (Bring Your Own Device)

KuppingerCole Webinar recording

Blog

Calendra is back – at least sort of

Do you remember Calendra? The vendor which was acquired by BMC many years ago? At least many existing and remaining customers require Calendra. And some of them really miss the company. What made Calendra popular was their tool which allowed quickly building applications to deal with information held in directories. That approach was different to provisioning, different to meta directories, and it was not just hard coding everything. Being a specialized IDE for database environment, it allows customers to quickly build directory-based applications for example to manage employee data or...

Webinar

Jun 30, 2011: How to prepare for BYOD (Bring Your Own Device)

In a recent blog entry, KuppingerCole's principal analyst Martin Kuppinger wrote that the acronym BYOD stands for IT departments accepting that they’ve lost against their users. Now we have to see how we can make the best out of it and minimize the risks involved with private mobile devices logging into corporate networks. In this webinar, Tim Cole will moderate a discussion between Craig Burton and Martin Kuppinger on how to prepare your enterprise for BYOD by providing a risk-based selection of secure paths to access corporate information and to protect that information.

Blog

PAP – Privacy, Anonymity and Pseudonymity

Privacy and anonymity have been associated with the internet at least since Peter Steiner’s famous cartoon on page 61 of the July 5, 1993, issue of The New Yorker  which originated the meme “On the internet, nobody knows you’re a dog.” Yet today most people are no clearer about the difference between the two (or among those and their cousin, pseudonymity) than they were twenty years ago. I bring this up because the general press and the blogosphere have once again been lit up in a discussion of identity, anonymity and privacy. “A Gay Girl in Damascus” was a much talked about blog. As...

Blog

Data Protection Laws – Location or Information?

One of the intensively discussed issues in Cloud Computing is compliance with local data protection and privacy laws. The European laws, for instance, are sort of “location-dependent”. It is much easier to deal with PII (Personally Identifiable Information) within the borders of the EU than outside of that region. That is the reason why many large Cloud Providers build data centers within the EU to support their European customers. The question which recently came to my mind is: Does it really make sense to focus on location? Shouldn’t we better focus on the information security itself?...

Press Release

No panic after the big RSA hack

Analysts advise a considered response after the worst hacking attack in IT history – companies should quickly take organizational and technical measures

Düsseldorf, June 14, 2011 - Following the successful hacking attack on servers of the security specialist RSA in March of this year and further recent attacks on large defense contractors such as Lockheed, L-3 and Northrop Grumman, which were apparently based on the information stolen in the RSA hack, corporate customers of RSA around the world are...

Blog

SailPoint and BMC - how to move forward?

There has been a lot of FUD (Fear, Uncertainty, Doubt) regarding Control-SA. The product has been moved from BMC to SailPoint in spring 2011. But communication about the impact for customers has been weak (to use a positive term...). After several talks with both SailPoint and BMC I'd like to provide some information. First of all, SailPoint now owns Control-SA, including the support team and other related human resources. There even is a roadmap for Control-SA and support for the newer releases (ESS 7.5.x) will be provided for several years from now. On the other hand, SailPoint...

Advisory Note

Advisory Note: Authorization in the Cloud - 70217

Authorization covers the processes and technologies concerned with managing, enforcing and auditing the rights of access that individuals have to resources. The essential characteristic of Cloud Computing is that data and resources are held remotely from the users of that data and that access to that data is mainly over the internet. The need to identify users, to control what they can access, and to audit their activities is even more important when services are being shared over the internet with other organizations. Furthermore the legal and regulatory responsibility for this...

Press Release

RSA Hack: Don’t panic, keep calm!

Analysts warn against overly hasty reactions to biggest security breach in IT history – corporations should adopt necessary organizational and technical measures sooner rather than later. Duesseldorf, June 10th, 2011 - Following the successful hacking attack against EMC Corp’s RSA Security Division in March of this year, and especially since news of subsequent attacks against large military contractors such as Lockheed Martin, L-3 and Northrop Grumman, which seem to have been based on data stolen from RSA, companies and organizations around the world that use the popular RSA...

Blog

RSA Hack: Don’t panic, keep calm!

Following the successful hacking attack against EMC Corp’s RSA Security Division in March of this year, and especially since news of subsequent attacks against large military contractors such as Lockheed Martin, L-3 and Northrop Grumman, which seem to have been based on data stolen from RSA, companies and organizations around the world that use the popular RSA “SecurID” token system are both confused and worried. They are demanding to know whether they can still trust the system and what they are supposed to do now that every SecurID token must be considered potentially compromised. In an...

Advisory Note

Advisory Note: “RSA SecurID – how to act after the hack?” - 70344

As reported extensively in the media, hackers in March of this year successfully attacked the data center of EMC Corp’s RSA security division, obtaining copies of security information for RSA’s SecurID key fob system, a token-based mechanism for creating OTPs (One time passwords) in a two-factor authentication approach used extensively by companies and government agencies around the world. Now, two large military contractors, Lockheed Martin and L-3 Communications, have reported that they have been victims of security breaches based on data obviously stolen from RSA. A third...

Blog

Classify Your Data [Not Protectively Marked]

Can users do a good job of classifying unstructured data? Tim Upton, president of Titus told the attendees at NISC in St Andrews Scotland that he believes they can. He cited figures that indicate most data breaches are due to mistakes rather than deliberate misuse or theft. It should be noted that Titus provides software that allows users to do just that when they create an e-mail, document, presentation or other similar kinds of files. When they create the object the software will prompt them to classify it according to a predefined set of categories. These categories can match a...

Blog

How to Spot an Unnecessary Identity Fail

I’ve been watching the recent announcements about how hackers—some speculate foreign countries—have cracked the security infrastructure of a system and have stolen the names and passwords of thousands—sometimes millions—of customers. The details of all these disasters are not what I want to talk about. Just this simple and seemingly obvious point. Any system that stores the names and passwords of anyone is a failed security design. Symmetric vs. Asymmetric keys In the late seventies, these three guys—Rivest, Shamir and Adleman (you probably know them as “RSA”)—published a paper...

Advisory Note

Advisory Note: Strong Authentication - 70261

This research note provides a comprehensive overview about authentication technologies available today. Strong authentication is a challenge for most organizations. However, selecting the appropriate strong authentication mechanism(s) is a difficult decision. This research note provides criteria for selecting the mechanism or combination of mechanisms which fits best to the different use cases like internal users accessing highly sensitive information or external users doing small financial transactions. The research note analyzes authentication mechanisms based on several criteria,...

Advisory Note

Advisory Note: IAM and GRC Market Evolution 2011/2012 - 70180

IAM and GRC are two of today’s most important IT market segments. Increasing regulatory pressures, as well as the ability to execute, drive the evolution of these market segments. KuppingerCole has recently scrutinized these segments, looking at the expected changes related to market growth, maturity, and cloud readiness. We expect to see significant changes within these market segments, with some of the newer technology sectors massively gaining momentum. In addition, this research note looks at the impact of investments in IAM, GRC, and some other key technology areas on the...

Vendor Report

Vendor Report: Vasco - 70303

Vasco is a vendor in the Authentication Management market which provides a number of differentiated solutions around strong authentication, electronic & digital signing. The vendor is well known for its broad range of hardware tokens for authentication & signatures and the complementary software solutions acting as management server and validation point. To serve the different security requirements and protection classes usually found in a larger organization, Vasco has diversified both their hardware token range and their software solutions and also introduced non-hardware based...

Vendor Report

Vendor Report: BiTKOO - 70110

BiTKOO is a privately held company that provides solutions for authorization/entitlement management in enterprise IT environments. The company was founded in 2006, starting with its product Keystone based on technology formerly developed for Walt Disney Company. BiTKOO has since broadened its product portfolio substantially and now offers several products around authorization management for different IT environments. Authorization/entitlement management is among the most interesting new areas within the broader IAM (Identity and Access Management) market. It is about managing entitlements...

Blog

Symlabs now part of Quest

Quest just acquired another vendor in the IAM market. Symlabs is definitely more sort of a “hidden gem”, a vendor not being very well-known. That isn’t that surprising given that Symlabs mainly focuses on Federation (somewhat popular) and Virtual Directory Services (not as popular as they should be). From a Quest perspective, Symlabs adds some missing pieces to the more and more complete puzzle of the Quest Identity Management portfolio, the Quest One Identity solutions. Starting with some Active Directory-centric solutions some time ago, Quest has managed to build one of the broadest IAM...

Blog

News from the Analyst Summit in London

Every Summer, Eskenzi PR organizes the IT security analyst and CISO forum. It basically consists of one-on-one meetings between vendors and analysts and round table discussions between vendors, analysts and end-users, typically CISOs. And the event this year was excellent! The quality and density of information is quite high, and it allows to grasp trends, both on the vendor as well on the end-user side, quite well in a highly condensed format. So: an ideal opportunity to review a number of technology trends. Here are a few insights of the event I want to share with my followers. This...

Blog

Be prepared for BYOD

BYOD: Again one of these acronyms. It stands for "Bring Your Own Device". You'd also say that it stands for IT departments accepting that they've lost against their users. They have lost the discussion about which devices shall be allowed in corporate environments. When I travel by train, I observe an impressive number of different devices being used. There are Windows notebooks, netbooks, iPads, iBooks, other types of "pads", smartphones,... For a long time corporate IT departments have tried to limit the number of devices to a small list, thus being able to manage and secure them....

Executive View

Snapshot: alfabet planningIT IT Risk Management - 70380

planningIT is a platform for Business IT Management developed and offered by the German software manufacturer alfabet. planningIT has a number of modules and capabilities, but in the context of this snapshot we will confine ourselves to examining the IT Risk Management module which allows customers to perform IT Risk Management in a business-driven manner.

Webcast

The Creeping Loss of Control over the Digital Self

Interview with Martin Kuppinger

by Achim Killer, DLF

Press Release

European Identity Award 2011

Munich, May 20, 2011 - The European Identity Award 2011, which honors the best projects and initiatives in Identity & Access Management, was presented by the analyst group KuppingerCole at the European Identity Conference (EIC) held in Munich.

Blog

Mono Resurrects Itself as Xamarin

When I was deeply involved in technology and company acquisitions at Novell, I learned the hard way how difficult it is to merge disparate corporate cultures. Money usually only helps a little. Company after company acquired by Novell disappeared from the planet. Often times with disastrous results. It was only on occasion that an acquisition yielded any measurable benefit. Then I heard the welcome surprise, Miguel announced the formation of Xamarin. Unlike the bumbling headless Attachmate strategy, he nails a clearly articulated plan and vision for Xamarin. “We believe strongly in...

Congress

Apr 17 - 20, 2012: European Identity & Cloud Conference 2012

With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.

Blog

IT Security’s little “Pulchinella Secret”

The European Identity Conference EIC, which recently ended here in Munich, had many highlights, but for me personally the very best was the keynote by the Italian psychologist Dr. Emilio Mordini, CEO of the Centre for Science, Society and Citizenship CSSC in Rome, which he describes as a leading independent research centre specializing in advice on political, ethical and social issues raised by emerging technologies. His topic was “Secrecy in the Post Wikileaks Era“, in itself a fascinating subject, but where it got really entertaining and thought-provoking was when he turned to the subject...

Press Release

European Identity Award 2011

Munich May 11th, 2011 - The European Identity Award 2011 honoring outstanding projects and initiatives in Identity Management was presented on Wednesday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2011 (www.id-conf.com) in Munich.

Webcast

Interview with Jörg Heuer, Deutsche Telekom Laboratories

Day three of the European Identity Conference 2011

Webcast

Interview with Fulup Ar Foll, Oracle

Day three of the European Identity Conference 2011

Blog

European Identity Award 2011

The European Identity Award 2011 honoring outstanding projects and initiatives in Identity Management was presented on Wednesday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2011 in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole during the last 12 months. Award winners have all distinguished themselves through exceptional efforts in Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), and Cloud Security. The European Identity...

Webcast

Interview with Tim Cole, KuppingerCole

Webcast

Interview with Kim Cameron

Day two of the European Identity Conference 2011

Webcast

Interview with Michael Schwarz, Gluu

Day two of the European Identity Conference 2011

Webcast

Interview with Martin Kuppinger, KuppingerCole

Day two of the European Identity Conference 2011

Webcast

Interview with Dave Kearns, Network World

Day two of the European Identity Conference 2011

Webcast

Interview with Nishant Kaushik, Oracle

Day two of the European Identity Conference 2011

Webcast

Interview with Felix Gaehtgens, Axiomatics

Day two of the European Identity Conference 2011

Webcast

Tim Cole about the European Identity Conference

Webcast

Interview with Drummond Reed, connect.me

Day two of the European Identity Conference 2011

Webcast

Interview with Don Thibeau, OpenID Foundation

Day two of the European Identity Conference 2011

Webcast

Interview with Dr. Barbara Mandl, Daimler

Day two of the European Identity Conference 2011

Webcast

Interview with Prof. Dr. Eberhard von Faber, T-Systems

Day two of the European Identity Conference 2011

Webcast

Interview with Prof. Dr. Sachar Paulus, KuppingerCole

Day two of the European Identity Conference 2011

Webcast

Interview with Laurent Liscia, OASIS

Day two of the European Identity Conference 2011

Webcast

Interview with Nelson Cicchitto, Avatier

Day two of the European Identity Conference 2011

Webcast

Interview with Jackson Shaw, Quest Software

Day two of the European Identity Conference 2011

Webcast

Interview with Rolf von Roessing, ISACA

Day two of the European Identity Conference 2011

Advisory Note

Business Report: IT Initiatives 2011-2012: A 6*3 Matrix - 70265

Which initiatives should be at the top of CIOs' agendas in 2011/2012? Based on KuppingerCole's continuous research, this research note offers suggestions for answering that question. For each of six topic areas, the report proposes three initiatives that promise particular benefit for the continuous evolution of IT and that respond to current and upcoming trends. The goal is an IT that is fit for the future, but that at the same time is guided by what is feasible, what makes sense and the...

Advisory Note

Advisory Note: IAM and GRC Market - the Evolution in 2011/2012 - 70180

IAM and GRC are two of today's most important IT market segments. Increasing regulatory pressures, as well as the ability to execute, drive the evolution of these market segments. KuppingerCole has recently scrutinized these segments, looking at the expected changes related to market growth, maturity, and cloud readiness. We expect to see significant changes within these market segments, with some of the newer technology sectors massively gaining momentum. In addition, this research note looks at the impact of investments in IAM, GRC, and some other key technology areas on the cost and...

Vendor Report

Vendor Report: Siemens - 70169

Siemens is one of the largest companies in the world. Siemens IT Solutions and Services (SIS), responsible for IT-products and services, is one of the different segments [referred to by Siemens as “sectors”] within the group. The established IAM and GRC products from Siemens are also allocated to this segment. In December of 2010, Siemens and Atos Origin announced that they will establish a global strategic partnership. To create a market-leading European IT company, Siemens AG will integrate the business of Siemens IT Solutions and Services into Atos Origin in the summer of...

Vendor Report

Vendor Report: IBM Cast Iron Systems - 70103

Application integration is a key requirement to support the business requirements for flexible business processes, spanning a variety of applications. With the cloud and an increasing number of SaaS services, e.g. applications hosted in the cloud, integration moves to a new level of complexity. The integration of cloud and on-premise application services requires new types of integration platforms and new deployment models for these platforms. The platforms should be available as cloud service and for on-premise deployments to support the different scenarios of IT environments from...

Advisory Note

Cloud Computing Overview - 70140

The Cloud is an environment which allows the delivery of IT services in a standardized way. This standardization makes it possible to optimize the procurement of IT services from both external and internal providers. The Cloud covers a wide spectrum from shared applications delivered over the internet to virtual servers hosted internally. The risks associated with Cloud computing depend upon both the service model and the delivery model adopted. The common security concerns across this spectrum are ensuring the confidentiality, integrity and...

Product Report

Product Report: Entrust Identity Guard v9.3 - 70322

Entrust Identity Guard is a representative of the rather new market segment of Versatile Authentication Servers (VAS) and offers a single administration interface for managing up to twelve different authentication factors or authentication methods, respectively. The number of authentication factors and the internally created, low cost grid cards are the outstanding features of this platform independent solution. The flexibility regarding choice of underlying operating system as well as the well-structured web GUI allow efficient management – from deployment of personal grids to...

Blog

Bringing the Web to Life at Last

It isn’t very often that an Internet principle comes along that is so important that it actually affects almost everyone and everything. The Live Web is one of those Internet principles. The Static Web — the Internet as we know it today — has no thread of knowing or context. Until now, there has not been enough infrastructure in existence for a computer to do the work of presenting the Internet in a context of purpose. The Live Web presents an infrastructure and architecture for automating context on the internet. The Live Web brings to life the notion of context automation. The term...

Vendor Report

Vendor Report: Siemens - 70169

Siemens is one of the largest companies in the world. Within the group, which is divided into various segments [Siemens refers to these as sectors], Siemens IT Solutions and Services (SIS) is the division responsible for IT products and services. Siemens' IAM and GRC products are also assigned to this division. In December 2010, Siemens and Atos Origin announced that they will establish a global strategic partnership. To create a new market-leading European IT company, Siemens AG will...

Blog

Welcome Craig Burton!

Today marks a milestone in the history of KuppingerCole, since today is the day we welcome the youngest member of our team. Did I say “young”? Sorry, wrong word. Of course he isn’t really the oldest – that’s still me. But he ain’t exactly no spring chicken, either. I’m talking about Craig Burton, of course. Yes, that Craig Burton. The guy who founded The Burton Group. The same guy who almost single-handedly defined what it means to be an analyst in the Identity & Access Management workplace. One of the leading lights in our industry, grayest of “eminence gris” in a field where...

Blog

The Sony case - or how to best ignore security best practices

The data theft at Sony has been in the headlines for some days now. What makes me most wonder is that - from what I've read and heard first - even the passwords were stored unencrypted. However, Sony claims to have used a hash to protect these passwords. It looks like Sony also has stored the credit card numbers plus the associated security codes (which are, by the way, one of the most ridiculous approaches to enhance security) together and, no surprise, unencrypted. But if Sony has used hash values: Why did everyone assume that these passwords become common knowledge (at least for the...

Blog

Craig Burton Joins KuppingerCole

Craig Burton, founder of Burton Group, is joining the KuppingerCole team, as Distinguished Analyst. Burton will add new impulses to the research agenda and liaise directly with KuppingerCole's customers in North America. "Craig Burton is one of the best-known names in our industry," said Tim Cole, co-founder of KuppingerCole. "Thanks to his well-established network and his profound expertise, he will substantially increase our footprint in our core markets," Cole believes. As head of KuppingerCole's new Boston office, Cole will be working directly with Burton, who is based in Salt Lake...

Webcast

Database Firewall - Build the First Line of Protection

Kuppinger Cole Webinar recording

Blog

Kantara goes to Germany

In May, members of Kantara Initiative, an industry group dedicated to bridging and harmonizing the identity actions to ensure secure, identity-based, online interactions, will be in Germany for two consecutive high-level meetings. On May 13, Kantara is co-hosting a Summit event together with the OpenID Foundation (OiX) as an addition to KuppingerCole's European Identity Conference in Munich. The topic will be "Trust Framework Model and IDM". Immediately after EIC, many Kantara delegates will board the train for Berlin where a 3-day "Face-to-face Meeting" is scheduled at the Fraunhofer...

Executive View

Snapshot: SecurIT TrustBuilder - 70381

SecurIT TrustBuilder is a Versatile Authentication Server (VAS) provided by the Belgian company SecurIT. The product started as add-on for IBM Tivoli Access Manager but right now works with a broad set of different tools. Beyond the versatility features, TrustBuilder now provides the capability for transaction signing and security as a service to access management systems and applications.

Product Report

Product Report: Oracle Database Vault/Oracle Audit Vault - 70112

The market for Database Security involves a number of different technical solution approaches which are not covered by a single product, but instead require a set of different products and features in order to secure content in databases. As a result, there are many different solutions on offer in the market today. In this report we will focus on Oracle Database Vault and Oracle Audit Vault which are two products covering two distinct areas of database security, the first one focusing on preventive controls and the other on detective controls. Oracle Database Vault deals with privileged...

Executive View

Snapshot: Sun to Oracle Identity Upgrade - 70382

The Oracle Sun to Oracle Identity Upgrade program is an initiative aimed at informing Sun customers about the company’s future strategy for former Sun Identity and Access Management (IAM) products, and about their planned migration paths. This program is a follow-up to Oracle's unveiling of the general product roadmap for Sun customers in the realm of IAM when the acquisition of Sun Microsystems was complete.

Blog

SCIM - will SPML shortcomings be reinvented?

There is a new initiative driven by Google, salesforce.com, and Ping Identity called SCIM (Simple Cloud Identity Management). It claims to overcome the shortcomings of SPML (Simple Provisioning Markup Language), a standard being around for some 10 years. SPML has the target of being a standard for provisioning information between systems. It is supported by most provisioning and access governance tools, but only few target systems. SAP probably is the most important supporter. Google, salesforce.com, and others in the cloud don't support SPML. Thus, provisioning to these systems requires...

Blog

Pretzels in the Cloud

You know you're at a real nerdfest when the conference catering consists of large pretzels and candybars. This tweet by some unknown delegate just about captures my own impression of TEC 2011. Measured in terms of techies per square feet, this simply has to be the geekiest conference in the galaxy. For me as an Identity guy, it was also a kind of homecoming, a reassurance that, yes, there are lots and lots of people out there that share our vision of a world where digital identities will better protect and enable us both in our business and our private lives. There has been some loose...

Webcast

Letting the right people in

Managing user identities and controlling access to data and system resources is essential for any company's governance, risk and compliance strategy. Martin Kuppinger, founder and principal analyst at Kuppinger Cole, heads this panel discussion on identity and access management with Jonathan Sander of Quest Software, Kurt Johnson of Courion, and Ravi Srinvasan of IBM Tivoli. This podcast has been recorded and published by ETM Magazine.

Blog

Why you should focus on the infrastructure layer

In these days of slowly increasing maturity of Cloud Computing it becomes more and more obvious that and why IT depends on a well thought layer which I tend to simply call "infrastructure". I have two simple pictures of IT in mind: The somewhat classical model of platform, infrastructure, and software, like found in PaaS, IaaS, and SaaS in the common Cloud Computing meta models. It's about hardware and other foundational components like operating systems, about the layer between to manage and orchestrate everything, and the applications themselves. Another view consists as well of three...

Webcast

Identity Management - in the Cloud and for the Cloud

Kuppinger Cole Webinar recording

Seminar

May 10, 2011: OpenID Summit Munich

The focus of the OpenID Foundation's 2011 series of OpenID Summits is on use cases and topics of interest to key developers, executives and analysts in the identity industry. The OpenID Summit in Munich will focus on global adoption dynamics and the evolution of OpenID technologies. It is a free event co-sponsored by Google and Microsoft.

Blog

Symantec Bets on Virtual Workspaces and Mobility

Symantec recently announced their Endpoint Management Strategy and Release 7.1 of the Altiris product. Managing the software patch level and software licenses on desktops, laptops, and mobile devices is a significant workload for organizations. This work is essential to protect the devices, the information that they contain and to comply with licensing and other matters. However it does not, in itself, add organizational value. This kind of management is technically very challenging and needs sophisticated tools to meet these challenges. According to DHL’s Jan Trnka Global Altiris...

Blog

The Sandmen Cometh

"Silicon-based lifeforms" is a term Ray Bradbury might have used to great effect. "Invasion of the Sand Beings" would have made a great sci-fi title. Just imagine the film trailer: "They're awesome! They're everywhere! They're made of silicon! They're indestructible!" So imagine my surprise hearing what seemed at first to be a level-headed CEO explaining to me that his company, Venafi, is in the business of supplying "ID badges for silicon-based lifeforms". Okay, Venafi has its headquarters in a Salt Lake City suburb named, of all things, Sandy, but this surely is a pun too far, isn't it?...

Webcast

Business-Centric, Cloud-Aware Identity and Access Management

Kuppinger Cole Webinar recording

Blog

SAP CUA and SAP NetWeaver Identity Management - some survey results

User Management in SAP environments has fundamentally changed over the course of the last 10 to 15 years. When centralizing user management became an increasing demand of SAP customers, SAP introduced CUA (Central User Administration) several years ago. However, CUA has some restrictions and many customers have chosen other options like provisioning tools from 3rd party vendors. Thus, SAP has decided to change the approach. SAP NetWeaver Identity Management now is the strategic recommendation of SAP for managing users across SAP systems. I've blogged about that before here and here. We have...

Executive View

Snapshot: Thales SafeSign Authentication Suite - 70383

Thales SafeSign is a set of stand-alone modules that comprises the full feature-set of so called Versatile Authentication Servers or Platforms (VAS or VAP). It can be deployed as authentication server for token and mobile based One Time Password (OTP), Challenge and Response, EMV/CAP and PKI based authentication or as a Token/Card Management Solution (CMS), but its full capability is used when deployed as the single “authentication layer” inside an enterprise IT architecture with need for multiple authentication mechanisms.

Webcast

Reliable Protection for Information in Databases

Kuppinger Cole Webinar recording

Blog

Healing the Breach at RSA

It must have hurt: RSA, one of the world’s biggest names in IT Security, recently was forced to admit that there had been a successful attack against the “seeds” that are a part of their hallmark RSA SecurID Token system. These seeds store secret information that enables the system to assemble one-time passwords. Nobody really knows how serious the breach of security has been, and RSA isn’t talking, but there nevertheless are lessons to be learned for the entire industry. One of the things RSA has refused to discuss is the amount of information lost through the seed theft. Another is the...

Webinar

Apr 19, 2011: Identity Management – in the Cloud and for the Cloud

How to best deploy Identity and Access Management today? There is an increasing number of opportunities, including hosted and cloud-based options. And there is an increasing number of services in the cloud which have to become integrated into the IAM ecosystem. Thus the question is: How to best deploy IAM to serve all requirements?

Blog

Should you learn about fraud from your customers?

Today I stumbled upon an interesting survey. The core result: More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers. The quote I like most is: "In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach". Fascinating, isn't it!? However, it is really somewhat irritating. There is some reason for financial institutions not to invest as much as they could and should in security. Security...

Webinar

May 03, 2011: Database Firewall – Build the first line of protection

Database Security is one of the key elements within any IT security strategy, given that several of the most severe incidents in IT are related to attacks against databases and that most of the critical and sensitive information in organizations is stored in databases. Database firewalls implement a first line of defense, blocking in real time any suspicious data manipulation without forcing production environment redesign. Thus, companies should consider the value that these tools can add to their security strategy.

Webcast

Access Management: Simplify Access to Web- and Cloud-based Applications without Compromising Security

Kuppinger Cole Webinar recording

Blog

Switching Cloud Provider

In Brussels on March 22nd Neelie Kroes, Vice-President of the European Commission responsible for Digital Agenda European Cloud Computing Strategy, made a speech at the opening of the Microsoft Centre for Cloud Computing and Interoperability. In this she said “...to offer a true utility in a truly competitive digital single market, users must be able to change their cloud provider easily. It must be as fast and easy as changing one’s internet or mobile phone provider has become in many places...” So what are the difficulties to achieving that goal and how far are we away from it now? Well...

Blog

Database Security - a strategic perspective

In the recent months I've done a lot of research around database security, talking with vendors like Oracle, IBM (Guardium), Sentrigo (now McAfee), Imperva, Bitkoo, and some others as well as with several end user organizations who either are using database security products or evaluating those technologies. When looking at the market it is very important to understand that it is not a homogeneous market. The different solutions range from firewalls to specific tools for label security or data masking. Some are tightly integrated with databases, others are non-intrusive. I will provide a...

Webcast

Overcoming Enterprise Entitlement Barriers by Externalizing Authorization

Kuppinger Cole Webinar recording

Vendor Report

Vendor Report: Avatier - 70144

Avatier is a vendor in the Identity and Access Management (IAM) market which provides an integrated set of tools to cover core requirements in that market. The AIMS (Avatier Identity Management Suite) supports features like role mining, password management and reset, user provisioning, recertification of access and access requests. With this offering, AIMS fits into the Enterprise Identity Provisioning market segment, which is at the core of most IAM implementations. In contrast to most other vendors, the core focus is on providing a simple-to-use, user-centric approach to IAM, focused...

Webcast

Identity Management, Access Governance and Data Protection: Are You on the Safe Side?

Kuppinger Cole Webinar recording

Advisory Note

KuppingerCole Top Trends 2011 - 70116

As every year, the analysts at KuppingerCole have again worked out the most important trends in the market for general IT, Cloud Computing, Governance, Risk Management and Compliance (GRC), Identity and Access Management (IAM) and Mobile Computing. At the top of these lists, in our opinion, is even closer collaboration between operational business units and IT (so-called "Business-IT-Alignment") as well as the gradual introduction of hybrid environments based on well-coordinated internal and external IT services.

Blog

RSA SecurID again

I've blogged last week about the RSA SecurID case. In the meantime there were several other posts and advices on that and I'd like to put together some thoughts from my side about that, looking at what customers should do now. What should existing customers do short-term? In most cases, RSA SecurID will be a standard mechanism for strong authentication which can't be replaced immediately. If customers don't use a solution for versatile authentication they usually aren't able to opt for another (stronger) authentication mechanisms on the fly. Not using RSA SecurID however will make things...

Advisory Note

Advisory Note: Cloud Computing - Cloud Security Management - 70139

The Cloud allows the procurement of IT services from both internal and external suppliers to be optimized because the services are delivered through the Internet in a standard way. The Cloud is not a single model but covers a wide spectrum from applications shared between multiple tenants to virtual servers used by one customer and hosted internally. The information security risks associated with Cloud computing depend upon both the service model and the delivery model adopted. The common security concerns across this spectrum are ensuring the confidentiality, integrity...

Blog

Having the right conversation on online banking security

Sometimes the most interesting conversations are about something you never really expected to discuss, but I digress. No, seriously: You sometimes get sidetracked on a topic that becomes so fascinating that your meeting is almost over before you get back to what you really wanted to talk about. Take for instance a conversation I had recently with Julian Lovelock of ActivIdentity. There are lots of things I as an analyst wanted to know about their recent acquisition by HID, who are at home in the “old” world of physical access management and who obviously wanted to buy into the “new” world...

Blog

RSA SecurID breach: it had to happen...

As you, dear reader, can imagine, the information about the SecurID breach was really shaking the minds of us analysts here - for a long time, we were telling the story that SecurID was the right compromise between security, convenience and manageability - until SMS became so cheap, that they made the first place for cheap, manageable and strong authentication. There has been said much about the management aspects, whether it will shake the industry (I personally believe, yes, but much slower than some people argue) or what this means for the reputation of the world's largest strong...

Blog

Identity Management - Process or Technology

Identity Management – Process or Technology? RSA recently announced in an SEC 8-K filing a security breach relating to its SecurID authentication technology. This reopens the question of which is the most important factor in identity management – processes or technology? One line of thinking has been that the major cause of identity theft and data loss is poor process and that strengthening the process is the key approach. Strong processes are indeed required but a strong process can be undermined by a weakness in technology. Authentication: The electronic identity of someone depends...

Blog

RSA SecurID - it will never be the same again

Yesterday RSA informed about a security breach which they assume to be an "advanced persistent threat", e.g. a long-running attack. In that case it was apparently against the seeds, e.g. the base material for keys which are used to generate OTPs. In other words: The first and (until now) stronger part of the two-factor authentication used with RSA SecurID cards isn't secure anymore. In fact it shows that every approach which relies on a central database of such seeds has its inherent security weaknesses. The importance of this breach becomes obvious when looking at the SEC 8-K filing -...

Press Release

Article on the "Top Trends 2011" from Martin Kuppinger available

Duesseldorf, March 17th, 2011 - As in the past years, KuppingerCole has worked out the Top Trends in IT in general, Cloud Computing, GRC (Governance, Risk Management and Compliance), IAM (Identity and Access Management) and Mobile Computing, which will be presented at this year’s European Identity Conference and CLOUD 2011. The most important trends are, from a KuppingerCole perspective, an increasing level of Business-IT-Alignment and the evolution towards hybrid IT environments based on a well-managed mix of internal as well as external IT services.

Blog

Your law or mine in the Cloud?

Where in the Cloud am I? And more importantly: Where are my data? I know that many managers and CIOs are asking themselves similar questions. In fact, as I have posted before, a colleague of mine put that question to Martin Jetter, CEO of IBM Germany, at a briefing about a year ago, namely: “If I give you my data to store in the Cloud, where exactly are they?” Mr. Jetter didn’t quite get the question at first, so he launched into a lengthy technical explanation, but the guy interrupted him and insisted: “I mean, physically, where are they?” Of course, there was no really good answer, and...

Webinar

Apr 12, 2011: Reliable Protection for Information in Databases

How to best protect data? This is about processes, this is about technology. Whilst Database Governance focuses on the big picture, technology enables the required controls. Amongst them, encryption is a key technology – supporting critical controls to prevent by-passing the access controls mechanisms within databases and in the surrounding system environment. In this webinar, Martin Kuppinger will outline how Database Security solutions fit into the approach of Database Governance, which role encryption technologies play therein, and what it needs for a holistic approach on Database...

Blog

Database Security - a hot topic

During the last few months I've done a lot of research around database security, and some advisory. This market, with the very big player Oracle and its large number of offerings, and IBM as another heavyweight vendor, is growing rapidly. Besides the two big ones there are several specialized vendors like Sentrigo, Imperva, Bitkoo, NetIQ, and several others - I'll cover the market soon in an upcoming research note which will provide an overview about all key players in that market. Have a look here regularly - the research note will be out latest around mid April... By the way: You'll find...

Webcast

Database Governance - How to Put the Right Controls in Place to Protect Your Data

Kuppinger Cole Webinar recording

Webinar

Apr 14, 2011: Business-Centric, Cloud-Aware Identity and Access Management

In this webinar, KuppingerCole's Principal Analyst Martin Kuppinger will introduce you to the key elements of a future-proof and cloud-ready Identity and Access Management strategy and how to deal with hybrid cloud environments. Following Martin, Ralf Knöringer and Rudolf Wildgruber from Siemens IT Solutions and Services will present case studies and product features of Siemens DirX Identity and DirX Audit and show how to realize an Identity Governance solution that creates business value.

Advisory Note

Advisory Note: Database Governance - 70102

Database Governance is the set of policies, procedures, practices and organizational structures ensuring the execution of database related activities in an organization according to defined strategies and controls. Database Governance is required to enforce Information Security for structured data held in databases. Within Enterprise GRC, Database Governance is an element of IT GRC. Enterprise GRC starts with Corporate Governance, e.g. the general, enterprise-wide policies and the focus on strategic risks. Business GRC with its focus on operational risks is the second element (or...

Vendor Report

Vendor Report: Symantec Cloud Security - 70115

The Cloud is an environment which allows the delivery of IT services in a standardized way. This standardization makes it possible to optimize the procurement of IT services from both external and internal providers. The information security risks associated with Cloud computing depend upon both the service model and the delivery model adopted. The Cloud covers a wide spectrum from shared applications delivered over the internet to virtual servers hosted internally. The common security concerns across this spectrum are ensuring the confidentiality,...

Webcast

Recent Trends and Best Practices in Internal Audit Management for Better Business Performance

Kuppinger Cole Webinar recording

Webinar

Mar 24, 2011: Identity Management, Access Governance and Data Protection: Are You on the Safe Side?

Data protection - a necessary evil? In many companies this topic is indeed still a marginal matter today, even though, with heightened public awareness and the sensitization that comes with it, every violation that becomes known can fundamentally damage the substance of your company. This webinar helps you anchor data protection effectively and efficiently in your company.

Blog

We need a policy standard for the use of data

One of the issues I'm confronted with in most of the advisories I'm doing is "how to protect information once it leaves a system". A typical situation is that HR data leaves the HR system and is imported in another system - the identity provisioning system, a business analytics tool, or whatever else. Once information is out of HR, it is out of control. Lost somewhere in the happy hunting grounds of information... However, from a governance perspective (and due to many specific regulations) we have to keep control. PII has to be well managed, financial data has to be well managed, risk...

Press Release

Save the date: European Identity / CLOUD Conference 2011

Duesseldorf, March 9th, 2011 - The European Identity Conference 2011 (EIC) and co-located CLOUD 2011 will take place from May 10-13, 2011, in Munich. Now in its fifth year, Kuppinger Cole's flagship event is the place to meet with thought leaders, experts and decision makers to learn about, discuss and shape the market in most significant technology topics such as Identity Management, Governance, Risk Management and Compliance (GRC) and Service Oriented Architecture (SOA), both in “classical” environments as well as in private, public and hybrid cloud environments with a strong...

Press Release

Save the date: European Identity / CLOUD Conference 2011

Düsseldorf, March 8, 2011 - From May 10 to 13, 2011, the European Identity Conference (EIC) and CLOUD 2011 will take place concurrently in Munich. At KuppingerCole's annual events, analysts and thought leaders of the industry meet with IT experts and decision makers to learn about the latest trends. The market around Identity Management, Governance, Risk Management and Compliance (GRC) and Service Oriented Architecture (SOA) – in “classical” as well as private, public and hybrid cloud environments – will be discussed...

Advisory Note

KuppingerCole Top Trends 2011 - 70116

As in the past years, KuppingerCole has worked out the Top Trends in IT in general, Cloud Computing, GRC (Governance, Risk Management and Compliance), IAM (Identity and Access Management) and Mobile Computing. The most important trends are, from our perspective, an increasing level of Business-IT-Alignment and the evolution towards hybrid IT environments based on a well-managed mix of internal as well as external IT services.

Blog

10 Rules for Securing the Cloud

Security is the hottest topic in town when considering moving your business to the Cloud, especially if you plan to use an external provider or, even worse, more than one provider. How do you make sure your data are “secure” out there? Here are ten simple rules to follow if you want to stay on the safe side of Cloud Computing. There are many kinds of clouds: private and public, just to name the two most common ones. Private clouds are usually run over a more or less dedicated infrastructure operated by an external provider. Public clouds, on the other hand, run on shared infrastructures...

Executive View

Snapshot: Oracle Database Firewall - 70384

Oracle Database Firewall is one of several Oracle offerings in the database security market. It complements other products such as Oracle Database Vault that offer protection within the database by providing protection by analyzing database traffic outside the database. Like few other products in that area, Oracle Database Firewall analyzes database activity traffic over the network and thus is able to intercept and filter potentially illegitimate database activities based on pre-defined policies.

Webcast

Externalize Authorization - XACML and Beyond

Kuppinger Cole Webinar recording

Blog

Android attacks - you shouldn't be surprised

The news about a significant number of malicious apps for the Android platform on mobile phones hit the news yesterday. Many comments still sounded a little surprised. However there is no reason for being surprised. Today's mobile phones are insecure by design. The vendors haven't understood that security is mandatory for long term success and they are still selling devices which are as secure as a PC in the mid '80s of last century. Unfortunately these devices are connected and have far more capabilities than the PCs of the early days. The vendors (and developers of OSes) are just...

Blog

Persons, identities, users, accounts - and which attributes to select from HR

One of the discussions which pops up in many advisories is around the terms and related objects to use in Identity and Access Management. This is directly related to the question which attributes to use where and which to import from HR. My best bet and experience is that customers should look at three levels of objects: Persons, e.g. the human being. Identities, e.g. a virtual representation. There might be several identities for one person. Someone might be the manager of several companies within an organization. Or someone is working as an internal in an insurance and as external sales...

Webinar

Mar 29, 2011: Overcoming Enterprise Entitlement Barriers by Externalizing Authorization

Entitlement Management is about keeping control of authorizations within applications by externalizing the policy management and the authorization decisions. However, a strategic approach to Entitlement Management requires strategic offerings, supporting standards and built to scale. In this Webinar, Martin Kuppinger will talk about the status and evolution of the market for Entitlement Management, the role XACML plays, real-world architectural consideration and approaches. Following Martin, Subbu Devulapalli from Oracle will talk about solutions and real-world use cases.

Seminar

May 13, 2011: Trust Framework Model and IdM Summit - produced by Kantara Initiative and OIX

2011 brings new opportunities for identity services in the enterprise & consumer markets. Gain state-of-identity insight through a series of presentations of common scenarios from diverse market leaders.

Product Report

Product Report: protected networks 8MAN - 70131

8MAN from protected-networks.com is an access control tool that currently supports Windows environments with Active Directory and file servers. An extension to further target systems is in preparation. The product supports the analysis of permissions, the logging of changes, the assignment of permissions, their control by data owners, and supplementary reporting functions. It thus supports the central requirements in this area. Through a task-oriented, easy-to-use interface, the product can...

Blog

Don't start with technology - but understand technology first

I still too frequently observe that organizations are too quick when it comes to technology decisions. In many organizations, there is first a decision that a "provisioning", "web application firewall", "single sign-on", or even "identity management" is needed. Then some people google for these terms, find some vendors and decide about the solution. That fits to requests like "We'd like to have identity management running by the end of the year - could you support us?" On the other hand I frequently observe that many customers aren't aware of important technologies like Access Governance...

Webinar

Mar 31, 2011: Access Management: Simplify Access to Web- and Cloud-based Applications without Compromising Security

The role of web access management has changed and nowadays serves as a central layer of protection for many different services, enabling federations and allowing versatility for users. Join us in this webinar to learn, how to transform your traditional web access management into such a central multi-purpose layer.

Webcast

Security in the Cloud: The 5 Most Important Rules for a Working Security Strategy

Kuppinger Cole Webinar recording

Blog

Is encryption really the cure for what ails ya in the Cloud?

Almost two years ago, I blogged about a conversation I had with Martin (“Tall Martin”) Buhr about Cloud Security. At the time, he was the European head of Amazon’s Web Services, and he has recently moved on to Nimbula (“the Cloud Operating System company”) as head of sales and business development, but his words came back to me during an analyst panel at RSA Conference in SFO, where I shared the rostrum with Eric Maiwald of Gartner and Jonathan Penn of Forrester and during which we touched on regulation issues that could block the development of Cloud Computing. In Europe, the case is very...

Webcast

More Information Security through Efficient Entitlement Management

Kuppinger Cole Webinar recording

Blog

SAP focuses on SAML and SAP NW IdM instead of CUA

These days I've met with some of the executives of SAP to talk about their roadmap. Overall, SAP is moving forward with its Identity and Access Management products, e.g. SAP NetWeaver Identity Management (NW IDM). And the integration of the recently acquired SECUDE products and technology will significantly enhance the SAP product portfolio. Some of the new features are improved role management capabilities, reporting via SAP BW (Business Warehouse), and new REST-based APIs for UI creation. No rocket science, but valuable add-ons for their customers. For sure SAP is as well enhancing the...

Blog

Security or a ham sandwich?

When identity pros get together and let their hair down, they like to swap stories about all the dumb and/or ill-advised things people do with their passwords. BBC famously sent a camera team out to interview folks on the streets of London, asking them to reveal their user names and passwords and offering them a ham sandwich in return. More than half complied. Which calls to mind George Bernard Shaw’s famous question “What’s better: eternal salvation or a ham sandwich. Well, nothing’s better than eternal salvation, but a ham sandwich is better than nothing…” In fact, most of the stuff you...

Blog

Does your browser know who you are?

The lowly browser has come a long way since Marc Andreessen wrote the code for Mosaic back in his salad days as a student at the National Center for Supercomputing Applications because he was fed up with the line-mode interface intrepid Internet pioneers like us were forced to use back in the early Nineties. But Mosaic was a relatively simple program, and improvement set in almost immediately. First came plug-ins, then Java applets and extensions, and today’s web browsers are actually sophisticated and powerful packages of applications that can automatically handle anything from downloading...

Webinar

Mar 10, 2011: Recent Trends and Best Practices in Internal Audit Management for Better Business Performance

Internal Audit (IA), traditionally a vehicle preserving assets and ensuring compliance, has been expanding its scope into a means for business process improvement and operational excellence, while at the same time it has to cope with an increasing number of high-impact risks. The challenge is to shift course from IA's asset preserving role to a new, value creation focused role. In this webinar, Martin Kuppinger will talk about this paradigm shift in IA, how it can be aligned more closely to your company's strategies, and how an up-to-date Enterprise GRC strategy will help you to create...

Blog

Quest further extends its IAM portfolio – e-DMZ adds PxM capabilities

Quest today announced that they will acquire e-DMZ Security, a PxM (Privileged Access, Account, Identity, User Management) vendor. That comes as no surprise given that PxM has been one of the last (relatively) white spots on the IAM map of Quest Software. Quest is further completing its portfolio, being a full-service provider for IAM now and offering one of the most complete portfolios in the market. The e-DMZ portfolio consists of several modules, providing different types of PxM capabilities: Managing passwords for privileged accounts in a central repository Application password...

Webinar

Feb 22, 2011: Security in the Cloud: The 5 Most Important Rules for a Working Security Strategy in the Cloud

Cloud Computing takes place beyond the traditional physical boundaries, the so-called "perimeter", which formed the center of traditional security approaches. To the extent that sensitive corporate data and applications increasingly migrate to the cloud, uncertainty grows about how information security in the cloud can be ensured at all. In this webinar, Martin Kuppinger describes the 5 most important rules for a working cloud security strategy. Klaus Hild, Senior Technology Specialist Identity and Security at Novell, will...

Executive View

Snapshot: CA Service Catalog 12.6 - 70385

CA Service Catalog 12.6 is a comprehensive offering in the Service Management market, going well beyond traditional ITSM and specifically ITIL focused approaches, but also supporting these use cases. The real strength of the product lies in the fact that it acts as centralized instance within a holistic approach to service management with a strong focus on business performance.

Blog

From technology to business - the shift in Identity and Access Management

Being involved in a lot of advisory projects at end user organizations for some years now, I'd like to share some of the fundamental changes I observe. There is always a gap between what analysts like us, KuppingerCole, predict and what is done in reality. Thus it is always great to observe that things we've predicted and proposed are becoming reality. So what has changed over the course of the last years - trends becoming reality: Access and Identity Management: Back in 2008, I've blogged about the relation of the terms "access" and "identity", the latter being much more difficult to...

Webinar

Mar 03, 2011: Externalize Authorization - XACML and Beyond

Externalizing and centralizing authorization from applications has recently gained momentum, as related standards like XACML have matured and experiences shared by early adopters have been positive. Obviously, potential benefits from a standardized method for authorization are tremendous. KuppingerCole Research therefore has defined a clear focus in the area of centralized authorization, monitoring the market and analyzing best practices. In this webinar, Martin Kuppinger will give an update on his recent findings and he will discuss with Doron Grinstein, CEO at authorization and XACML...

Executive View

Snapshot: IBM Tivoli Live – service manager - 70386

IBM Tivoli Live - service manager is a SaaS offering for core IT Service Management functionalities, including Service Desk, Service Catalog, CCMDB (Change and Configuration Management Database), and Asset Management. It is provided as a joint initiative of the IBM Tivoli product group and IBM GTS workplace services. IBM plans to add additional features in the future. IBM Tivoli Live - service manager thus is an additional deployment option for the IBM Tivoli ITSM offerings.

Executive View

Snapshot: HyTrust, Inc. - 70387

HyTrust is a venture financed company founded in 2007. It is located in Mountain View, CA. The management is experienced, with a history at different leading vendors in the IT industry. The company has successfully built partnerships with several large players, including VMware, Cisco, and RSA Security. It has achieved several innovation awards and has won a significant number of customers since their go-to-market.

Webinar

Mar 15, 2011: Database Governance – How to Put the Right Controls in Place to Protect your Data

In this webinar, Martin Kuppinger will, for the first time ever, introduce the concept of Database Governance, the reasons why you should do that and the connection to Governance initiatives as well as Database Security technologies. He will as well talk about the areas where new conceptual and technical approaches will be required.
Roxana Bradescu of Oracle then will talk about practical approaches to make Database Governance work today – to enhance your level of protection of the valuable information assets.

Webinar

Feb 18, 2011: More Information Security through Efficient Entitlement Management

There is a whole range of reasons why entitlement management currently plays a major role in corporate practice. On the one hand, because it forms the basis for dealing with information risks (keyword: Wikileaks); on the other hand, of course, also because many companies have catching up to do in order to get a better overview of entitlements and, with the help of up-to-date tools, to tap savings potential in what has so far been a rather laborious business. With this webinar we offer you the opportunity to learn about current trends and developments in...

Blog

Opening the Door to Cloud Security

“Security” and “Cloud” are often seen as mutually exclusive. Many CIOs live in fear of losing control over their data despite the claims by cloud providers that sensitive information is in fact in safe hands with them. But once data gets replicated, it gets harder and harder to keep them under lock and key. Many organizations hesitate to enter the era of cloud computing because they want to keep their data on a tight leash. Most products in the realm of cloud security fail to address these worries. And while federated identity management, coding security into new software, and security service...

Blog

Escaping from Cross-Platform Purgatory

Things would be so simple if companies could just sit down and agree for everyone to use the same computers, or at least the same operating system. In a perfect world, everyone would use Windows or UNIX or Apple or Linux and IT admins might actually find time to lean back and rest their weary bones. But since we don’t live in a perfect world, admins live in a nightmare of mixed platforms and systems where juggling sensitive data around is something Dante would have described in grueling detail if computers had been around when he wrote the “Inferno”. Cross-platform management is hell any...

Vendor Report

Vendor Report: SecureAuth Corporation - 70260

SecureAuth is a single-product vendor. The product SecureAuth IEP is a platform for a strong two-factor authentication based on X.509v3 certificates for web-based applications, federated environments based on SAML, and VPNs. It is deployed as appliance (hard or soft) and provided as well in cloud deployments based on Amazon EC2 and by Managed Service Providers (MSPs). Beyond the support of strong authentication the product supports different SSO (Single Sign-On) scenarios, federation support, and basic web access management capabilities. It supports many applications out-of-the-box, as...

Blog

Context-aware, information-centric, identity-aware, versatile

Recently another analyst company had a presentation titled "The future of Information Security is context- and identity-aware". Yes - but not that new. I remember that we had the context-based approaches as a key trend at our second European Identity Conference, back in 2008 (thus the upcoming EIC 2011 is IMHO the best place to learn about the new trends and the best practices for today around IAM, Cloud Security, GRC, and related topics). I personally think that there are some important aspects to consider when looking at the overall topic of Information Security: First of all: It is...

Blog

Bringing the Cloud Down to Earth

Without getting into the umpteenth discussion about what, who and where is the Cloud, I think we can safely assume that for average people, and especially for businesspeople, Cloud Computing is when you run an application or store some data on someone else’s server somewhere out there “in the Cloud”. By this definition, Salesforce.com, just to name an instance, fits just about everybody’s idea of Cloud Computing. Oracle’s Larry Ellison would beg to differ, and he actually traded insults onstage at Open World 2010 with Salesforce’s boss Marc Benioff, whom he accused of “just running a few...

Blog

Strong Authentication, please! But make it stirred, not shaken!

Back to the roots - Strong Authentication is my topic of the month. To be more precise, the combination of several methods of strong authentication all managed through one central, versatile system, allowing both high-security solutions with high cost per authentication and mass-market easy to use methods for low to medium security settings. Versatile Authentication Services/Servers/Platforms are key to low TCO and high usability for different user segments and use-cases. I already finished most of my market analysis and am currently compiling the report. If you feel the urge to let me know...

Blog

Virtualization vs. Security

Some days ago, a vendor talked at an analyst meeting about the relationship between virtualization and security. The argument was: At the hypervisor you can combine network security management, server security management and some other aspects of security management - I can't remember everything. Thus virtualization increases security, because you have one point of control. Right - as long as you can control what administrators and operators are doing. Unfortunately, that's not the case in typical virtualization environments. There is no PxM (Privileged Access, Account, Identity, User)...

Webcast

The Business Value of Log Management Best Practices

Kuppinger Cole Webinar recording

Blog

Access Governance Sets the Stage for Information Security and Compliance

Rights Management may not exactly be something new, but the rising demands from internal and external auditors are putting it back in center stage. Organizations are being forced to adopt systematic, open and replicable processes for creating, assigning, and monitoring rights within their systems, not only to ease the admins’ workloads, but also to achieve their compliance goals. Companies have been doing Rights Management for ages now as part of their overall IAM strategies (Identity & Access Management), mainly with a strong emphasis on the technical issues. Lately, however, the focus...

Product Report

Product Report: Cyber-Ark Privileged Identity Management Suite (PIM) - 70257

In KuppingerCole's view, managing privileged user accounts is among the biggest challenges IT will have to face in the coming years. It requires solutions capable of addressing all (or at least the most important) aspects of PxM within heterogeneous environments in an integrated way. Cyber-Ark Privileged Identity Manager (PIM) is described by the vendor as a suite, but is actually better seen as an integrated product that goes far beyond the conventional suite approach and...

Blog

SAP invests in security technology

SAP recently announced that they will buy most technology assets from the Swiss-German security specialist SECUDE. The developers and other resources will move to SAP as well, ensuring that the software as well as the "brain"ware is available to SAP. SECUDE provides solutions around SAP for strong authentication, single sign-on, and event management specifically to SAP environments. There is a long-term relationship between both companies, SECUDE being a supplier for many SAP customers in the areas mentioned. One might argue that this acquisition isn't a real big deal, compared to...

Blog

Cloud Security - the market is evolving

Winter holiday season is almost over, and business claims its attention back - it was a nice time with family, good food, and so on. But the world didn't stop, so we had to spend some time to look at a number of products. I would like to mention two here, especially because they help us get closer to the Secure Cloud. The first is Novell Cloud Security Service (NCSS for short). It is not clear according to today's product categories whether it is a product or a service, and this shows that we need to abstract more and more from this separation when moving into the cloud. Let me...
