News Archive


Who do you trust?

Trust. Most people understand the concept of “trust”, but most people are also at somewhat of a loss for words when asked to define that concept, especially in terms of on-line transactions and digital identities. I mentioned recently that I’m involved with the Identity Ecosystem Steering Group (IdESG), part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). What’s startling, when I think about it, is that the concept of “trust” hasn’t been discussed – or even alluded to – in the approximately 4 to 6 hours per week of meetings I’ve participated in over...


Security in the banking world – still full of (unpleasant) surprises

I remember a conversation I had years back with the person responsible for online banking security at one of the larger banks. The conversation was about secure online banking. I learned that banks are not necessarily willing to go the maximum for security. They simply look at the risk and then decide about what they are willing to invest in online banking security. Given that I’m an advocate for using risk-based approaches in IT security I understand this position. However I’m still, after all these years, not fully convinced that some of the banks are doing this approach right. The point...


Does Risk Management really fail in IT Security?

In an article published at Network World Online, Richard Stiennon, Chief Research Analyst at a company called IT-Harvest, claims that IT Risk Management inevitably fails in IT. He ends up recommending “threat management techniques” instead of risk management. He says that it is about making decisions about threats. However, he seems to have a misconception about what risk management is. Risks are threats on assets. They have a specific probability and a potential impact. The thesis of Richard Stiennon is based on the assumption that Risk Management necessarily starts with...

Product Report

Product Report: 3Scale API Management - 70626

The emerging API Economy is presenting significant challenges to all industry participants. When coupled with the Computing Troika (Cloud, Mobile, and Social computing), the API Economy is bringing about changes in strategy requirements that have never been presented to organizations before. For example, the sheer number and nature of personas and identities and the need to give access to internal information and resources is very significant. The API Ecosystem is made of the rapidly evolving elements of The API Economy that organizations need to understand and integrate in to...

Press Release

New KuppingerCole Advisory Note - Decision support for selecting the best Service Provider

Duesseldorf, October 18th, 2012 - Guideline and Advice in one: the KuppingerCole Advisory Note Cloud Provider Assurance helps companies to assess the performance of cloud providers based on measurable controls in order to make them comparable.


BYOD: Just a symptom of a bigger evolution. Don’t worry about BYOD – solve the challenges of the Computing Troika.

BYOD (Bring Your Own Device) is one of the hot topics of today’s IT. Many vendors promise to solve the BYOD challenges, with MDM (Mobile Device Management), MAM (Mobile Application Management), or other technologies. Most of these technologies fix some of the problems. But all of them fail in the great promise of solving all of your BYOD challenges. Even worse, solving BYOD challenges is not what you should really care about. BYOD is just a symptom of a far bigger evolution. This evolution is about what my colleague Craig Burton just recently called “The Computing Troika” – the three major...


Whitepaper: Migrating Sun Identity Manager to Quest One Identity Manager - 71000

This document adds to the KuppingerCole Advisory Notes #70,607 “Migration Options for your Legacy Provisioning” and #70,610 “Migration Options and Guidelines for Oracle Waveset Identity Manager”. It focuses on the Sun Identity Manager (SIM) product, now also known as Oracle Waveset Identity Management and historically as Waveset Lighthouse. This product has an officially defined end-of-life which causes customers to evaluate their migration options. The purpose of this document is to provide the facts and consequences regarding a migration from SIM (and its...


Identity in an API Economy

KuppingerCole Webinar recording


2012 International Oasis Cloud Symposium

The Intersection of Policies, Standards & Best Practices for Robust Public Sector Cloud Deployments. Introduction: Last week I was invited to attend the 2012 International Oasis Cloud Symposium. I was very impressed. The attendance was not large; in fact, the organizers limited the number of attendees to 125 people. I was not able to attend the first day, but the second day was lively with many interesting presentations and discussions. I won’t go over the complete agenda; if you want it, it can be located in PDF format here. Overall I would say every presentation given was worth...

Executive View

Snapshot: Microsoft acquires Phonefactor - 70733

On October 4th Microsoft announced the acquisition of Phonefactor, a provider of phone-based multifactor authentication. Microsoft informed us about this acquisition only in a blog post on their Windows Azure blog at the MSDN (Microsoft Developer Network) website. There is no official press release out, but Phonefactor itself provides some information at their website. Obviously Microsoft didn’t consider this as being a major acquisition but just another piece of technology which adds to their major strategic initiatives, including Windows Azure. However it could turn out as an...


US Defense Secretary Panetta and the cyber Pearl Harbor

At the end of last week, US Defense Secretary Leon Panetta gave his first major speech on cybersecurity. The speech was given during the Business Executives for National Security meeting in New York. It gained some attention in the news. This concept wasn’t entirely new, as Jon Oltsik pointed out in a post – back in 1998 Deputy Defense Secretary John Hamre cautioned the U.S. Congress about the same topics, using the term “cyber Pearl Harbor” back then as well. On the other hand, in March 2012 the US Cyber Chief talked about a tide of cyber criminality. And even while I stated that tide...


Google under fire – from the EU and FTC

Yesterday there were two interesting news items about Google. A document issued by 24 of the 27 European Data Protection Councils requests Google to change their privacy policies. They claim that collection of personal data to such an extent as Google does is considered a massive risk for the privacy of users. I can agree. The Councils however don’t consider the policies as illegal, at least not yet. That might change with the upcoming new EU data protection rules in 2014. Nevertheless they request Google to better inform users about the use of their personal data. I personally think that...

Press Release

New KuppingerCole Leadership Compass Identity Provisioning - Support for selecting the right identity provisioning vendor

Düsseldorf, October 15, 2012 - Overview and decision aid in one: the KuppingerCole Leadership Compass Identity Provisioning offers a comprehensive overview of the vendors of identity provisioning solutions available in the market.

Press Release

Press release: New KuppingerCole Leadership Compass Identity Provisioning – a decision-making tool to help select the right identity provisioning provider

Duesseldorf, October 15th, 2012 - Overview and decision-making tool in one: the KuppingerCole Leadership Compass Identity Provisioning offers a comprehensive overview of the many identity provisioning solution providers in the market.

Leadership Compass

Leadership Compass: Identity Provisioning - 70151

Identity Provisioning is still one of the core segments of the overall IAM market. Thus it comes to no surprise that this segment is more crowded by vendors than virtually all the other IAM market segments. This Leadership Compass provides an overview and analysis of the Identity Provisioning market segments. It shows that there are several established vendors with mature solutions, but also some very interesting smaller or regional vendors with a good potential for growth and for delivering what customers require. Picking solutions always requires a thorough analysis of customer...


Nov 06, 2012: Best Practices for Business-Driven Identity & Access Management

Social Computing, Mobile Computing and the Cloud are challenging your enterprise's security strategy and creating the need for a new look at IAM. In this webinar, Martin Kuppinger (KuppingerCole) and Deepak Taneja (Aveksa) will talk about the changing requirements for Identity and Access Management in global organizations.

Vendor Report

Vendor Report: NetIQ – the complete portfolio - 70624

Novell was acquired by The Attachmate Group in April 2011. The portfolio of Novell has been distributed across three business units of the Attachmate Group. The SUSE portfolio of Linux solutions was made into a business unit that is now simply called SUSE. The Novell business unit will continue to market and sell the collaboration, endpoint management and File and Networking Services...

Vendor Report

Vendor Report: NetIQ – the Novell Identity & Security Products - 70304

Novell was acquired by The Attachmate Group in April 2011. The portfolio of Novell has been distributed across three business units of the Attachmate Group. The SUSE portfolio of Linux solutions was made into a business unit that is now simply called SUSE. The Novell business unit will continue to market and sell the collaboration, endpoint management and File and Networking Services. Unlike most KuppingerCole Vendor Reports, this report does NOT provide an analysis of an entire vendor’s Identity and Security portfolio and services. This report covers a subset of what is now...


Identifying and Effectively Avoiding Risks: Integrated Approaches and Solutions for IT GRC

KuppingerCole Webinar recording


Pseudonymity means real privacy

In my last posting, I stated that “privacy is not anonymity”. I received a few questions about that, so today I want to elaborate on the subject. Let’s get something out of the way right off the bat – there is not, nor can there be, true “anonymity” on the internet – or almost anywhere else, for that matter. Someone, or something, knows who you are – even if they don’t know your “real” name. Here’s an illustration from real life. A man walking his dog, we’ll call him “Mr. A”, gets into an altercation with another man (Mr. B) and knocks him down, then runs away. Speaking to the police,...

Press Release

New KuppingerCole Advisory Note - Decision support for choosing the right cloud provider

Düsseldorf, October 8, 2012 - Guideline and decision aid in one: the KuppingerCole Advisory Note Cloud Provider Assurance helps companies assess the capabilities of cloud providers based on measurable controls and make them comparable.


Nov 08, 2012: The Strategic Approach to Cloud Computing. From Tactics and Chaos to Efficiency

Selecting the right Cloud Service Provider and making sure that it steadily delivers on its promise requires processes in your organization that enable a structured way of selecting an appropriate cloud service from the myriad of offerings available in the market, and that lay the foundations for effective and efficient cloud audits. Join this webinar to learn how to create such processes and reduce the risks of high migration efforts, unnecessary costs or even unavailability of critical services.


Nov 30, 2012: Access Governance and Dynamic Access Control Combined: How to Make Your IT Security Fit for the Future

Conventional information security concepts, in which access permissions are based on comparatively rigid groups or roles in the form of static constructs, are no longer sufficient today to respond effectively to the major trends of Cloud Computing, Mobile Computing and Social Computing. In this webinar you will learn how Access Governance must evolve and what role dynamic access control will play in the future.


Internet Association – a lobbying organization

Recently the “Internet Association” has been created. Their claim on the website is “We are the unified voice of the Internet economy”. They then state that they represent the interests of America’s (!) leading Internet companies and their global (!) community of users. The real message follows afterwards: “We are dedicated to advancing public policy solutions to strengthen and protect internet freedom, foster innovation and economic growth and empower users”. This could also be read somewhat differently: We are the lobbyist organization which will try to avoid everything that can stop us...


Adobe - your biggest security risk?

Adobe warned a few days ago that an internal server with access to its digital certificate code signing infrastructure was hacked. This resulted in at least two malicious files being distributed that were digitally signed with a valid Adobe certificate. If you take the numbers published by Secunia, a security/patch management software vendor, Adobe ranks pretty high in the list of companies with reported vulnerabilities – especially when taking into account that it is only two core products in the case of Adobe (Adobe Reader and Adobe Flash Player), compared to the broad portfolio of...

Advisory Note

Advisory Note: Cloud Provider Assurance - 70586

Can an organization trust an IT service provided through the Cloud? A survey by KuppingerCole showed that “Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud.” The answer to this question can be found in the old Russian maxim, which was often quoted by President Ronald Reagan: “trust but verify”. Cloud services are outside the direct control of the customer organization, and their use places control of the IT service and infrastructure in the hands of the...


Security like a start-up? Better not!

Recently I stumbled upon a blog post with a title starting with the words “Do security like a start-up…”. That rang my inner alarm bells! When reading the post I became relaxed again. It was about the need for business and IT to work together and the recommendation to look for more generalists rather than specialists – both aspects I fully buy in to even while acknowledging that good generalists are a rare species. But coming back to the title… Interestingly the post was published just around the discussion of the severe security issues of WhatsApp. WhatsApp is just another example of a...
