News Archive


Identity & Access Management in the Cloud: Real or a Mirage?

KuppingerCole Webinar recording

Product Report

Product Report: Virtual Forge CodeProfiler - 70583

Code security analysis has become one of the most important business segments servicing the secure development of software. Products are pretty mature for every mainstream programming language, and large IT companies have acquired the major technology innovators in that segment. There is, though, an area of software development that receives little attention, although it is quite important for businesses: the so-called customizing of SAP applications. Customization in SAP applications typically means that new application pieces will be added to the SAP standard offering. In many cases...


Security > 140 Conversation with Craig Burton

I had a conversation with Gunnar Peterson recently. Here is the transcript of the exchange. It is short but worth looking at. Today's Security > 140 Conversation is with Craig Burton, a Distinguished Analyst at KuppingerCole. In his recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations' priorities. Gunnar always asks insightful questions. I really enjoy his presentations each year at the Cloud Identity Summit. Not sure if I will be speaking this year or not.

Advisory Note

Technology Report: Access Governance Architectures - 70219

Access Governance is about the governance and management of access controls in IT systems and thus about mitigating access-related risks. These risks include the stealing of information, fraud through changing information, and the subverting of IT systems, for example in banking to facilitate illegal actions, to name just a few. The large number of prominent incidents within the last few years proves the need to address these issues – in any industry. There are an increasing number of tools for Access Governance. On one hand, a number of start-ups have entered the market with...


Cloud Identity and Synchronization

I saw a marketing brochure the other day that claimed “Today’s average enterprise utilizes 16 different directories,” touting their synchronization engine for provisioning and de-provisioning. The vendor’s take seemed to be that 16 was a huge number, but I merely chuckled to myself. Fifteen years ago, while barnstorming the US for a provisioning vendor I would frequently ask the audience how many identity stores they’d identified in their organization. I still remember one memorable response: “we’ve found 116, but we’ve only just started looking.” Ten years ago, soon after the Liberty...

Product Report

Product Report: Oracle Database Firewall - 70339

Oracle Database Firewall is part of Oracle’s defense in depth approach to security, providing a first line of defense for databases by analyzing database traffic before it reaches the database. Oracle Database Firewall expands Oracle’s solutions for heterogeneous databases, supporting Oracle Database, SQL Server, IBM DB2 LUW, and Sybase ASE. MySQL support was introduced in the most recent release. Unlike most other products in that area, Oracle Database Firewall accurately analyzes database activity traffic over the network with very little latency and thus is able to intercept...


Conducting an Orchestra - The New Role of IAM

KuppingerCole Webinar recording


Why the US Cyber Chief is wrong: It’s not a tide of Cyber Criminality – there will be no ebb tide

Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget requesting 3.4 billion US$ by itself. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency) is quoted as saying “Nation-state actors in cyberspace are riding a tide of criminality.” I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by...


Returning (or finally bringing?) Identity and Access Management (IAM) to the User

KuppingerCole Webinar recording


Encryption is only as good as the protection of its keys

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group, which specializes in encryption. They offer, amongst several other technologies, HSM (Hardware Security Modules) and Enterprise Key Management solutions. The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private...


15% of CIOs ban private devices – the Don Quixote approach on BYOD

I read news this morning quoting a survey by Coleman Parkes, a UK-based research company, saying that 15% of CIOs ban private devices to mitigate the BYOD risks. I personally don’t believe in that approach because it is just too likely to fail. It is like Don Quixote tilting at windmills, I’d say. On first glance, banning private devices might seem the best choice. Using only devices you’ve provided yourself, evaluated and tested, well configured, seems to be the best approach when it comes to mitigating information security risks. But does this approach really work? Let’s focus on five...


TPM – why is this technology so rarely used?

During the last few weeks I have received a large number of press releases issued by Wave Systems. Reading the headlines, my impression was that this is just another vendor oversimplifying security. Headlines like “Change the status quo of security: Just switch on” caused that impression, given that behind these headlines you usually find a tool vendor with limited capabilities and big claims who tries to sell a little piece of software as the holy grail of IT security. So I thought about using these examples as a starting point for bashing a little on that type of vendor. However, after...


Access Risks - from SAP to the Outer Space: an Identity & Access Governance Journey

KuppingerCole Webinar recording


Identity – Of, By, In and For the Cloud

There’s Identity, and there’s the Cloud. While we still can’t quite agree as to what is Identity and what are Cloud Services we also can’t wait until we decide those issues to properly connect the two. Apps can reside either in the datacenter or in the cloud. They could also reside on our local device (PC, tablet, smartphone, etc.) but we’ll simplify today’s discussion (and leave mobile identity and apps to another day) by concentrating on these two platforms. Identity services can reside in either place also. Often, in fact, they’ll reside in both places. More on that in a moment....


Microsoft vs. Google: The battle of the business models

This year’s CeBIT, the world’s largest IT fair, has the topic of “Managing Trust”. For some reason, the “Deutsche Messe”, the company behind CeBIT, decided to have Eric Schmidt as one of the speakers at the official opening ceremony anyhow. Right after the speech of Schmidt, Microsoft sent out a press release “Ralph Haupter comments on CeBIT opening”. Ralph Haupter is the General Manager of Microsoft Germany. The summary of this press release is simple: According to Microsoft, Eric Schmidt just missed the topic. He didn’t talk about managing trust but about some opportunities of the digital...


Non-working P3P privacy policies in browsers - whom to blame?

Another recent discussion was about Microsoft blaming Google and Facebook for circumventing IE privacy policies. There were many articles about that issue, two of them you’ll find here: There are two aspects from what I understand. First of all, Facebook doesn’t care for privacy and Google at least not much. Facebook clearly states that it doesn’t have a P3P privacy...


Google’s Privacy Policy – the market will decide

There has been a lot of noise around Google changing its privacy policies. My esteemed colleague Dave Kearns said that they just consolidated them. I’ll stay with “changed”, due to the effect of this: Google now can do much more with the user’s data – if the user logs into any Google service. So my point is that discussions about changing or consolidating is splitting hairs. In fact they have changed the way they deal with privacy. Google claims to have done this because their customers want it. I doubt that. Customers want Single Sign-On. But does anybody really believe that customers...


Apr 26, 2012: Quantifying Access Risk: How to Sell the Access Governance Project to your CFO

How can Access Risk be measured and made visual? How can it be used to prioritize processes such as Access Certification or Role Modeling? This webinar aims to explain new methodologies for Access Risk scoring to prioritize corrective actions and justify to your CFO why investment in an Identity & Access Governance project is good value for money.
