News Archive

Webinar

Jan 31, 2013: Rethinking Identity and Access Governance in a World of Change and Complexity

The convergence of Cloud, Mobile and Social Computing creates strong new opportunities and changes the way we use Information Technology, shifting the control into the hands of the users. Governing identity and access in such a complex environment is key to success. Join us in this webinar to discuss these challenges.

Press Release

Dr. Karsten Kinast, LL.M. joins KuppingerCole as an Analyst

Wiesbaden, December 18th, 2012 - Dr. Karsten Kinast, LL.M., one of Europe’s most high-profile data protection experts, has joined analyst company KuppingerCole as a Fellow Analyst responsible for all topics with a legal focus, in particular data protection law, IT law, copyright and media law. In this capacity, he will also act as a moderator and content director for these topics at the European Identity & Cloud Conference (EIC) 2013, which takes place for the seventh time on 14–17 May 2013 in Munich. 

Blog

Mobile Device Management: It will grow – but should it?

Some weeks ago I stumbled upon an article, which said that the MDM (Mobile Device Management) market will grow massively within the next five years. I don’t doubt that the market will grow. However I’d raise the question whether it should grow that much – or, in other words, whether MDM is really the solution of choice. I don’t doubt that there is some need for MDM technologies. However, this might be more about understanding MDM as an element of other technologies or a tactical piece of a bigger puzzle. Let me explain why. The problem organizations are facing today is that there are more...

Blog

Santa’s Identity Issues

If you’ve never really thought about it, you should realize that the Christmas season is a wonderful time to reflect on identity issues. As a young child, I wondered why there seemed to be so many Santa Clauses – all the stores seemed to have one in a “grotto,” while every street corner had one ringing a bell and collecting money in a cauldron. The only other people I’d ever seen (in books) with a cauldron were witches – but I didn’t make a connection. What never occurred to me – we didn’t even know the term then – was that it might be a massive case of identity theft, or identity fraud as...

Press Release

Attorney Dr. Karsten Kinast, LL.M. becomes an analyst at KuppingerCole

Wiesbaden, December 14, 2012 - Attorney Dr. Karsten Kinast, LL.M., one of Europe's most high-profile data protection experts, is taking over, effective immediately, responsibility as Fellow Analyst at the analyst company KuppingerCole for all topics with a legal focus, in particular data protection law, IT law, copyright law and media law. In this role he will also take on the moderation and content direction for these topics at the European Identity & Cloud Conference (EIC) 2012, which will take place for the 7th time on 14–17 May 2013 in Munich.

Webcast

Expand your GRC Controls to Cover all Systems - How to Make SAP GRC Work in a Heterogeneous World

KuppingerCole Webinar recording

Blog

How a botnet has stolen 36 million Euro from European bank customers

In a recently published study Versafe and Check Point Software Technologies, two software vendors, analyze the recent Eurograbber attack based on the Zeus botnet and ZitMo (Zeus in the Mobile). This attack reportedly diverted up to 36 million € by intercepting financial transactions. The most interesting aspect of this is that the attack bypassed the out-of-band authentication of financial transactions. The banks use this approach to send TAN codes (transaction numbers) to the mobile phone of the user. It is out-of-band if (and as long as) the user uses another device like his PC for...

Executive View

Snapshot: Oracle Mobile and Social Access Management - 70724

As part of its recently announced 11g R2 release of Oracle Identity and Access Management, Oracle also released a new component called Oracle Access Management Mobile and Social. This solution significantly enhances the scope of the current OAM (Oracle Access Manager) platform, adding support for mobile devices and for logins based on social networks (social logins)...

Blog

The employee – still security risk Nr. 1

Recently, there was news here and here that a disgruntled technician of the Swiss spy agency NDB (Nachrichtendienst des Bundes) had stolen terabytes of counter-terrorism information shared between the NDB, the CIA, and MI6 (the UK spy agency). The person has been temporarily arrested. It is still unclear whether he has already sold some of that information or not. This case, together with many others like the theft of data from Swiss banks, which then is sold to German tax offices, again highlights that the biggest security risk for most organizations comes from internals. There is no doubt...

Webcast

Using IAM Technology to Protect Information, to Defend the Brand & Increase Business Productivity

KuppingerCole Webinar recording

Product Report

Product Report: Oracle ESSO - 70581

With IT organizations constantly facing the dichotomy of doing more with less, the need for products that are well integrated, efficient and cost effective is ever on the increase. KuppingerCole offers a model designed to help IT organizations manage this dichotomy by changing the perspective on IT in general. We consider that an IT organization’s job should not only be viewed from a technology perspective but—perhaps even more importantly—should also be viewed from a business perspective. Then, the primary goal of an IT organization and its sole purpose is to provide...

Vendor Report

Vendor Report: MetricStream - 70105

MetricStream is a vendor in the GRC (Governance, Risk Management, Compliance) market. Within that market, MetricStream is positioned as an Enterprise GRC vendor with good support for IT GRC, providing solutions that cover business aspects as well as provide the technical integration to IT systems. This is in contrast to pure-play Business GRC solutions which only focus on manual controls and don’t provide out-of-the-box integration with IT systems. MetricStream provides a number of solutions for different GRC requirements. These include, amongst others, solutions for regulatory...

Blog

Holy Grail for the Cloud

Back in August (“Open Source IAM – is it right for you?”) I wrote about my friend Brad Tumy’s Open Source Identity Solutions list and spent a paragraph or two on ForgeRock OpenAM, which, I told myself, I’d try to get back to with more information for you. So recently I chatted with ForgeRock’s John Barco (director of product marketing) and Jamie Nelson (Vice President of Engineering), both of whom I’d first met when they were at Sun Microsystems. John & Jamie filled me in on what’s happening with ForgeRock, and I’d like to pass that...

Webcast

Access Governance and Dynamic Access Control Combined: How to Make Your IT Security Fit for the Future

KuppingerCole Webinar recording

Webcast

Reach the Next Maturity Level in your IAM Deployment - Beyond Classical Provisioning

KuppingerCole Webinar recording

Advisory Note

Advisory Note: From Data Leakage Prevention (DLP) to Information Stewardship - 70587

Loss and theft of Information from organizations continues to be a significant problem. The new data protection regulations in the EU will increase focus on this area. Given the amount of attention to this problem and the wealth of standards and technology available – why do these leaks still occur? This document considers the sources of leakage and describes how better information stewardship based on information centric security is essential to manage these risks and mitigate any problems resulting from leakage of information. Information stewardship is not a new term; it has...

Blog

It Takes a Community to Manage an API Ecosystem

Intro Starting at the EIC 2012 I have been talking and presenting a lot about The API Economy. The API Economy has become a strategic topic for organizations. As one can expect with a hot topic, there are many opinions and views on the matter. Therefore there are many comments, blog posts and articles written about The API Economy. Needless to say it is tough to keep track of everything being said or to track any given thread. I should start off by saying the questions asked by this blog post are appropriate and need to be answered. The DataBanker thread An interesting thread that I have...

Webinar

Dec 04, 2012: Using IAM Technology to Protect Information, to Defend the Brand & Increase Business Productivity

Identity & Access Management first and foremost is a business dimension and should be process-oriented and results-driven. In this webinar you will learn how to enable business owners to decide and be accountable for who gets access to what.

Blog

Making it personal

SWIFT, the Society for Worldwide Interbank Financial Telecommunication was created in 1973 as a cooperative within the financial community with the mission of creating a shared worldwide data processing and communications link and a common language for international financial transactions. It should need stating, but I will: this activity involves the secure exchange of proprietary data while ensuring its confidentiality and integrity.  Through the end of September this year, SWIFT had handled 3,424,307,411 messages – that’s over 18 million a day, and the totals continue to grow. In 2009,...

Whitepaper

Whitepaper: Assignment Management – think beyond access - 70734

The days when IT lived in an isolated silo within the enterprise and everything was managed from a technical perspective with only traditional computing devices are past. Today’s reality is about more users and new ways to interact with them (Social Computing), more devices (Mobile Computing), and other deployment models (Cloud Computing). But is IT out of control? Not if it is done right. It is about managing what everyone in this bigger and open ecosystem requires. It is about assigning what they need and what they are allowed to have. Devices and other assets. Access....

Webinar

Dec 12, 2012: Expand your GRC Controls to Cover all Systems – how to Make SAP GRC Work in a Heterogeneous World

SAP GRC, especially with the new release, is a key component in the GRC (Governance, Risk Management, Compliance) strategies and implementations of many organizations. It provides a broad functionality, but it is mainly targeted at SAP environments. Even while SAP in many organizations is the core business environment, auditors have started looking at other environments as well – for example the Microsoft Windows and SharePoint infrastructure which holds most of the unstructured data. In addition, there are several industries and many organizations which have a series of other core business...

Webcast

The Strategic Approach to Cloud Computing. From Tactics and Chaos to Efficiency

KuppingerCole Webinar recording

Webinar

Nov 29, 2012: Reach the Next Maturity Level in your IAM Deployment – Beyond Classical Provisioning

Cloud, Mobile, Social Computing - IAM requirements are rapidly changing and need to go beyond classical provisioning. In this webinar, KuppingerCole's Principal Analyst Martin Kuppinger will guide you through these new challenges and talk about maturity levels of IAM deployments. Quest Software (now part of Dell) Principal Solutions Architect Paul Walker will contribute a number of best practice examples and talk about his experience from migrating existing provisioning environments to up-to-date flexible and future-proof solutions.

Webcast

Best Practices for Business-Driven Identity & Access Management

KuppingerCole Webinar recording

Blog

Your reputation precedes you

In our last outing about trust (“Who do you trust?”), I concluded: “In the end, we know that Trust is a binary condition which has attributes – you trust “an entity” for “a task”. Trust on-line can be calculated by doing a risk assessment (amount of loss times probability of loss) and seeing if the product of that assessment is lower than your pre-set “trust threshold”. Calculating the probability of loss involves factoring in experience or reputation. So, when you get to the bottom of it, trust is inextricably tied up with reputation.” But how can we assess or calculate reputation? And...

Executive View

Snapshot: salesforce.com - Salesforce Identity - 70630

salesforce.com is one of the original enterprise cloud application vendors. Coupled with its flagship CRM solution, Salesforce is branching out its expertise into other areas of the cloud computing area. With the introduction of Salesforce Identity, the company is bringing its considerable infrastructure and knowledge to customers for managing application-independent identities for authentication and authorization in the cloud. salesforce.com processes over 7 Billion logins a year on behalf of 100,000+ customers. After years of establishing identity as an integral part of its core...

Webcast

Identity Management as a Service (IdMaaS) - the Dope or are we Duped?

KuppingerCole Webinar recording

Blog

Who do you trust?

Trust. Most people understand the concept of “trust”, but most people are also at somewhat of a loss for words when asked to define that concept, especially in terms of on-line transactions and digital identities. I mentioned recently that I’m involved with the Identity Ecosystem Steering Group (IdESG), part of the US government’s National Strategy for Trusted Identities in Cyberspace (NSTIC). What’s startling, when I think about it, is that the concept of “trust” hasn’t been discussed – or even alluded to – in the approximately 4 to 6 hours per week of meetings I’ve participated in over...

Blog

Security in the banking world – still full of (unpleasant) surprises

I remember a conversation I had years back with the person responsible for online banking security at one of the larger banks. The conversation was about secure online banking. I learned that banks are not necessarily willing to go the maximum for security. They simply look at the risk and then decide about what they are willing to invest in online banking security. Given that I’m an advocate for using risk-based approaches in IT security I understand this position. However I’m still, after all these years, not fully convinced that some of the banks are doing this approach right. The point...

Blog

Does Risk Management really fail in IT Security?

In an article published at Network World Online Richard Stiennon, Chief Research Analyst at a company called IT-Harvest, claims that IT Risk Management inevitably fails in IT. He ends up with recommending “threat management techniques” instead of risk management. He says that it is about making decisions about threats. However, he seems to have a misconception over what risk management is about. Risks are threats on assets. They have a specific probability and a potential impact. The thesis of Richard Stiennon is based on the assumption that Risk Management mandatorily starts with...

Product Report

Product Report: 3Scale API Management - 70626

The emerging API Economy is presenting significant challenges to all industry participants. When coupled with the Computing Troika—Cloud, Mobile, and Social computing—the API Economy is bringing about change in strategy requirements that have not ever been presented to organizations before. For example, the sheer number and nature of personas and identities and the need to give access to internal information and resources is very significant. The API Ecosystem is made of the rapidly evolving elements of The API Economy that organizations need to understand and integrate into...

Press Release

New KuppingerCole Advisory Note - Decision support for selecting the best Service Provider

Duesseldorf, October 18th, 2012 - Guideline and Advice in one: the KuppingerCole Advisory Note Cloud Provider Assurance helps companies to assess the performance of cloud providers based on measurable controls in order to make them comparable.

Blog

BYOD: Just a symptom of a bigger evolution. Don’t worry about BYOD – solve the challenges of the Computing Troika.

BYOD (Bring Your Own Device) is one of the hot topics of today’s IT. Many vendors promise to solve the BYOD challenges, with MDM (Mobile Device Management), MAM (Mobile Application Management), or other technologies. Most of these technologies fix some of the problems. But all of them fail in the great promise of solving all of your BYOD challenges. Even worse, solving BYOD challenges is not what you should really care about. BYOD is just a symptom of a far bigger evolution. This evolution is about what my colleague Craig Burton just recently called “The Computing Troika” – the three major...

Whitepaper

Whitepaper: Migrating Sun Identity Manager to Quest One Identity Manager - 71000

This document adds to the KuppingerCole Advisory Notes #70,607 “Migration Options for your Legacy Provisioning” and #70,610 “Migration Options and Guidelines for Oracle Waveset Identity Manager”. It focuses on the Sun Identity Manager (SIM) product, now also known as Oracle Waveset Identity Management and historically as Waveset Lighthouse. This product has an officially defined end-of-life which causes customers to evaluate their migration options. The purpose of this document is to provide the facts and consequences regarding a migration from SIM (and its...

Webcast

Identity in an API Economy

KuppingerCole Webinar recording

Blog

2012 International Oasis Cloud Symposium

The Intersection of Policies, Standards & Best Practices for Robust Public Sector Cloud Deployments Introduction Last week I was invited to attend the 2012 International Oasis Cloud Symposium. I was very impressed. The attendance was not large—in fact—the organizers limited the number of attendees to 125 people. I was not able to attend the first day, but the second day was lively with many interesting presentations and discussions. I won’t go over the complete agenda, if you want to it can be located in PDF format here. Overall I would say every presentation given was worth...

Executive View

Snapshot: Microsoft acquires Phonefactor - 70733

On October 4th Microsoft announced the acquisition of Phonefactor, a provider of phone-based multifactor authentication. Microsoft informed us about this acquisition only in a blog post on their Windows Azure blog at the MSDN (Microsoft Developer Network) website. There is no official press release out, but Phonefactor itself provides some information at their website. Obviously Microsoft didn’t consider this as being a major acquisition but just another piece of technology which adds to their major strategic initiatives, including Windows Azure. However it could turn out as an...

Blog

US Defense Secretary Panetta and the cyber Pearl Harbor

At the end of last week, US Defense Secretary Leon Panetta gave his first major speech on cybersecurity. The speech was given during the Business Executives for National Security meeting in New York. It gained some attention in the news. This concept wasn’t entirely new, as Jon Oltsik pointed out in a post – back in 1998 Deputy Defense Secretary John Hamre cautioned the U.S. Congress about the same topics, using the term “cyber Pearl Harbor” back then as well. On the other hand, in March 2012 the US Cyber Chief talked about a tide of cyber criminality. And even while I stated that tide...

Blog

Google under fire – from the EU and FTC

Yesterday there were two interesting news items about Google. A document issued by 24 of the 27 European Data Protection Councils requests Google to change their privacy policies. They claim that collection of personal data to such an extent as Google does is considered a massive risk for the privacy of users. I can agree. The Councils however don’t consider the policies as illegal, at least not yet. That might change with the upcoming new EU data protection rules in 2014. Nevertheless they request Google to better inform users about the use of their personal data. I personally think that...

Press Release

Press release: New KuppingerCole Leadership Compass Identity Provisioning – a decision-making tool to help select the right identity provisioning provider

Duesseldorf, October 15th, 2012 - Overview and decision-making tool in one: the KuppingerCole Leadership Compass Identity Provisioning offers a comprehensive overview of the many identity provisioning solution providers in the market.

Press Release

New KuppingerCole Leadership Compass Identity Provisioning - support in selecting the right identity provisioning provider

Düsseldorf, October 15, 2012 - Overview and decision aid in one: the KuppingerCole Leadership Compass Identity Provisioning offers a comprehensive overview of the identity provisioning solution providers available in the market.

Leadership Compass

Leadership Compass: Identity Provisioning - 70151

Identity Provisioning is still one of the core segments of the overall IAM market. Thus it comes as no surprise that this segment is more crowded by vendors than virtually all the other IAM market segments. This Leadership Compass provides an overview and analysis of the Identity Provisioning market segments. It shows that there are several established vendors with mature solutions, but also some very interesting smaller or regional vendors with a good potential for growth and for delivering what customers require. Picking solutions always requires a thorough analysis of customer...

Webinar

Nov 06, 2012: Best Practices for Business-Driven Identity & Access Management

Social Computing, Mobile Computing and the Cloud are challenging your enterprise's security strategy and creating the need for a new look at IAM. In this webinar, Martin Kuppinger (KuppingerCole) and Deepak Taneja (Aveksa) will talk about the changing requirements for Identity and Access Management in global organizations.

Vendor Report

Vendor Report: NetIQ – the complete portfolio - 70624

Novell was acquired by The Attachmate Group in April 2011. The portfolio of Novell has been distributed across three business units of the Attachmate Group. The SUSE portfolio of Linux solutions was made into a business unit that is now simply called SUSE. The Novell business unit will continue to market and sell the collaboration, endpoint management and File and Networking Services...

Vendor Report

Vendor Report: NetIQ – the Novell Identity & Security Products - 70304

Novell was acquired by The Attachmate Group in April 2011. The portfolio of Novell has been distributed across three business units of the Attachmate Group.  The SUSE portfolio of Linux solutions was made into a business unit that is now simply called SUSE. The Novell business unit will continue to market and sell the collaboration, endpoint management and File and Networking Services. Unlike most KuppingerCole Vendor Reports, this report does NOT provide an analysis of an entire vendor’s Identity and Security portfolio and services. This report covers a subset of what is now...

Webcast

Identifying and Effectively Avoiding Risks: Integrated Approaches and Solutions for IT GRC

KuppingerCole Webinar recording

Blog

Pseudonymity means real privacy

In my last posting, I stated that “privacy is not anonymity”. I received a few questions about that, so today I want to elaborate on the subject. Let’s get something out of the way right off the bat – there is not, nor can there be, true “anonymity” on the internet – or almost anywhere else, for that matter. Someone, or something, knows who you are – even if they don’t know your “real” name. Here’s an illustration from real life. A man walking his dog, we’ll call him “Mr. A”, gets into an altercation with another man (Mr. B) and knocks him down, then runs away. Speaking to the police,...

Press Release

New KuppingerCole Advisory Note - Decision support for choosing the right cloud provider

Düsseldorf, October 8, 2012 - Guideline and decision aid in one: the KuppingerCole Advisory Note Cloud Provider Assurance helps companies to assess the capabilities of cloud providers based on measurable controls and to make them comparable.

Webinar

Nov 08, 2012: The Strategic Approach to Cloud Computing. From Tactics and Chaos to Efficiency

Selecting your Cloud Service Provider right and making sure that he steadily delivers on his promise - this needs processes in place at your organization enabling a structured way of selecting an appropriate cloud service from a myriad of offerings available in the market, and laying the foundations for effective and efficient cloud audits. Join this webinar to learn how to create such processes and reduce risks of high migration efforts, unnecessary costs or even unavailability of critical services.

Webinar

Nov 30, 2012: Access Governance and Dynamic Access Control Combined: How to Make Your IT Security Fit for the Future

Conventional concepts for information security, in which access permissions are based on comparatively rigid groups or roles in the form of static constructs, are no longer sufficient today to effectively meet the challenges arising from the major trends of Cloud Computing, Mobile Computing and Social Computing. In this webinar you will learn how Access Governance must evolve and what role dynamic access control will play in the future.

Blog

Internet Association – a lobbying organization

Recently the “Internet Association” has been created. Their claim on the website is “We are the unified voice of the Internet economy”. They then state that they represent the interests of America’s (!) leading Internet companies and their global (!) community of users. The real message follows afterwards: “We are dedicated to advancing public policy solutions to strengthen and protect internet freedom, foster innovation and economic growth and empower users”. This could also be read somewhat differently: We are the lobbyist organization which will try to avoid everything that can stop us...

Blog

Adobe - your biggest security risk?

Adobe warned a few days ago  that an internal server with access to its digital certificate code signing infrastructure was hacked. This resulted in at least two malicious files being distributed that were digitally signed with a valid Adobe certificate. If you take the numbers published by Secunia, a security/patch management software vendor, Adobe ranks pretty high in the list of companies with reported vulnerabilities – especially when taking into account that it is only two core products in the case of Adobe (Adobe Reader and Adobe Flash Player), compared to the broad portfolio of...

Advisory Note

Advisory Note: Cloud Provider Assurance - 70586

Can an organization trust an IT service provided through the Cloud? A survey by KuppingerCole showed that “Cloud security issues (84.4%) and Cloud privacy and compliance issues (84.9%) are the major inhibitors preventing organizations from moving to a private Cloud.” The answer to this question can be found in the old Russian maxim, which was often quoted by President Ronald Reagan: “trust but verify”. Cloud services are outside the direct control of the customer organization, and their use places control of the IT service and infrastructure in the hands of the...

Blog

Security like a start-up? Better not!

Recently I stumbled upon a blog post with a title starting with the words “Do security like a start-up…”. That rang my inner alarm bells! When reading the post I became relaxed again. It was about the need for business and IT to work together and the recommendation to look for more generalists rather than specialists – both aspects I fully buy in to even while acknowledging that good generalists are a rare species. But coming back to the title… Interestingly the post was published just around the discussion of the severe security issues of WhatsApp. WhatsApp is just another example of a...

Webinar

Jan 22, 2013: European Identity & Cloud Conference 2013 Preview

The European Identity & Cloud Conference (EIC) 2013 once again will be Europe's most important event exploring the future of information technology. Join us in this webinar for a comprehensive preview on this year's key topics and speakers.

Webinar

Oct 30, 2012: Identity Management as a Service (IdMaaS) - the Dope or are we Duped?

Big players like salesforce.com entering the market: Will this redefine the way we do IAM and solve our challenges in the days of Cloud Computing, Mobile Computing, and Social Computing?

Webcast

Avoiding Risks in the Management of Privileged Identities

KuppingerCole Webinar recording

Blog

In search of privacy

Way back in 1999, Scott McNealy – then the chief executive officer of Sun Microsystems – famously said that consumer privacy issues are a "red herring." He went on to say: "You have zero privacy anyway, get over it." Yet just in the past two weeks privacy has been much in the news on many counts. A French court ruled that pictures of Kate, the Duchess of Cambridge, sunbathing topless were an invasion of her privacy since there was a reasonable expectation that she would be unobserved while poolside at a private residence hundreds of meters from a public vantage point. (The photographer...

Blog

NSTIC Update

National Institute of Standards and Technology awards $9M to support trusted identity initiative Introduction On September 20, 2012, the National Institute of Standards and Technology (NIST) announced more than 9 million USD dollars of grant awards in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC). The grants were awarded to five consortiums. All of them big. All of them representing different views and technologies with strong focus on identity, security, and trust. NSTIC Background While many identity and security professionals are familiar with the Obama...

Blog

Security by obfuscation

The reaction to the security alert for Windows Explorer recently revealed an interesting phenomenon: Many people believe in security by obfuscation. I alerted some people when I first saw the news concerning that security issue. Some reacted by saying: “I like my Apple iBook” or “I’ve used other browsers for a long time”. No doubt, these people are not affected by that Internet Explorer security issue. But the underlying message in these comments is about “security by obfuscation”. Today I read another news story about iOS 6 which addresses more than 200 security issues, which allow...

Blog

Salesforce Identity

Identity Management as a Service (IdMaaS) gets a new 500lb gorilla Introduction When I first heard of Salesforce’s Identity announcements this week at Dreamforce, I was reminded of the old joke “Q: Where does a 500lb. gorilla sit? A: Anywhere he wants.” Salesforce Identity makes Salesforce the new 500lb gorilla in the Digital Identity jungle. Announcement Details You can read the basic details of the announcement on Chuck Mortimore’s blog. Here is a quick summary: What is Salesforce Identity? Salesforce Identity provides Identity and Access Management (IAM) services for Web and mobile...

Advisory Note

Advisory Note: API Economy Ecosystem - 70625

The nascent API Economy is rapidly maturing and is shaping up to be both promising and challenging. Meeting the challenges of The API Economy will be as important for customers as embracing the personal computer was in the 1980s or embracing the mobile and tablet trends are today. Customers are faced with the challenge of understanding the distinction of being both an API consumer and an API Provider. Further it has become imperative that customers begin to put infrastructure in place—hopefully from a trusted API consumer or provider technology vendor—to manage the...

Webcast

BYOD, Social Networking, Cloud - secure and predictable

KuppingerCole Webinar recording

Blog

SAML is Dead! Long Live SAML!

Answers to the unanswered questions from the webinar Introduction Last Friday on Sept. 14, Pamela Dingle—Sr. Technical Architect from Ping Identity Corp.—and I conducted a free webinar about the much ballyhooed demise of SAML. You can view the webinar in its entirety on the KuppingerCole website. To us, the best measurement of interest in any given webinar is the drop off rate. Just how many people drop off during the presentation? We were very pleased in the interest of the topic for the number of attendees and for the fact that no one dropped off from the presentation and Q&A....

Webcast

Preparing Your Enterprise for the Generation Y: BYOD & Mobile Device Management

KuppingerCole Webinar recording

Vendor Report

Vendor Report: Atos DirX - 70621

Atos is one of the largest international providers of IT services, with more than 70,000 employees and a global presence. The company was renamed Atos following the acquisition of the Siemens IT Solutions and Services (SIS) division by Atos Origin. Atos is listed on the Paris stock exchange in the Eurolist segment. This Vendor Report covers one part of the Atos portfolio, the DirX products. These are assigned to the System Integration business area at Atos and, within it, to the Identity, Security and...

Blog

Identity in a Post-PC Era

How 400M iOS devices change everything Most of the planet at least paid a little bit of attention to the announcement of the iPhone 5 on Sept. 12th. The anticipation for the announcement was so high, that sales of the iPhone 4 and iPhone 4s actually dipped some in the last quarter. While I like all of the things Apple has done with the new iPhone — and I have already ordered mine — I found the other information given at the announcement to be astounding. The numbers — presented in the keynote by CEO Tim Cook — were more than just significant. Especially when viewed from the perspective...

Webcast

SAML is Dead. Long Live SAML!

KuppingerCole Webinar recording

Webinar

Oct 24, 2012: Switching Identity Management & Governance Vendors to Meet Emerging Requirements

Given the importance of Identity Management and Governance as a foundation for efficient security and compliance processes, organizations are evaluating the future viability of their existing implementations, but are equally concerned that switching vendors will be a costly, time-consuming process. In this 50-minute webinar, KuppingerCole Principal Analyst Martin Kuppinger and Merritt Maxim from CA Technologies will review the various best practices to follow that can allow any organization to migrate from one identity management vendor to another.

Blog

The misunderstood cloud

With apologies to The Animals – Baby, do you understand me now? Sometimes I feel a little mad But don't you know that no one alive can always be an angel When things go wrong I feel real bad.  I'm just a cloud whose intentions are good Oh Lord, please don't let me be misunderstood When Citrix recently surveyed 1000 people, it found that 51% think bad weather affects cloud computing. 17% have pretended to understand cloud computing while on a date. 40% said the biggest advantage to cloud computing was the ability to work from home, naked. And, of those who profess to have never used cloud...

Blog

RSA Conference 2012 Podcast: Cloud Provider Assurance

Cloud computing provides organisations with an alternative way of obtaining IT services. However many organisations are reluctant to adopt the Cloud because of concerns over information security and loss of control. This presentation covers assurance approaches to managing the Cloud including CSA Controls Matrix, SSAE16/ISAE3401, BITS Shared Assessments and ISO 27001. RSACE2012 Podcast: GRC-301: Cloud Provider Assurance Listen to the podcast now: [audio:http://rsa.edgeboss.net/download/rsa/rsaconference/2012/eu/podcasts/RSAC_08-30-12-GRC-301.mp3] Or download the audio file directly:...

Webinar

Oct 09, 2012: Identifying and Effectively Avoiding Risks: Integrated Approaches and Solutions for IT Governance, Risk Management & Compliance (IT-GRC)

As if traditional infrastructures, with their vulnerabilities and points of attack, did not already pose enough risks, IT consumerization, social media in the enterprise and all the changes that come with them are making uncertainty the norm. Traditional risk management reaches its limits here. In this webinar, KuppingerCole Senior Analyst Prof. Dr. Sachar Paulus gives you an overview of current trends, approaches and solutions in IT-GRC. Mark Fischer of ITConcepts then talks about his practical experience in introducing IT-GRC solutions.

Webinar

Oct 16, 2012: Identity in an API Economy

In an API Economy, everyone and everything has an API. That means 26 billion APIs by the year 2015. What is your organization doing to prepare for this fundamental shift in IT infrastructure? Join KuppingerCole’s Distinguished Analyst Craig Burton and Layer 7 Technologies CTO Scott Morrison in this webinar to understand more about the API Economy and the role of Identity for your organization.

Webinar

Sep 14, 2012: SAML is dead. Long Live SAML!

Is SAML a dead protocol or just a walking Zombie ready to consume all enterprise brains? Or is it yet alive and well both in legacy and the future? Attend this webinar to join the discussion with KuppingerCole’s Distinguished Analyst Craig Burton about the health and well-being of the Federated sign-on protocol of choice -- SAML.

Blog

Open Source IAM – is it right for you?

Open Source projects usually get short shrift from pundits and journalists. Open source Identity projects get even less shrift. (“Shrift”, by the way, has an interesting etymology, at least to those who wonder about where the words we use come from). Commercial vendors have whole staffs of flacks (Public Relations/Media Relations/Analyst Relations specialists) whose sole job is to be sure that I and those like me are aware of everything that’s happening with their products. There are company CEOs, CTOs, sales and marketing execs, product managers and others who spend a good deal of their...

Product Report

Product Report: Beta Systems Software AG - SAM Enterprise Identity Manager - 70273

The SAM Enterprise Identity Manager from Beta Systems Software AG (Beta Systems) belongs to the category of enterprise provisioning systems with integrated Access Governance functionality. Its core functionality is the structured, automated and traceable synchronization of identity information between different access control systems on the basis of defined processes and connectors. As is usual with provisioning solutions, there are also functions for implementing workflows for request and approval procedures,...

Vendor Report

Vendor Report: Beta Systems - 70150

Beta Systems Software AG (Beta Systems) is a Berlin-based vendor of standard software products in the areas of IAM (Identity and Access Management), Access Governance, GRC (Governance, Risk Management, Compliance), Data Center Automation, Data Center Audit, and Document Processing and Audit. The last of these areas includes solutions for processing large volumes of data in data centers and for management and automation in data centers. This report concentrates on the Beta Systems products in the areas of IAM, Access...

Webinar

Sep 27, 2012: Avoiding Risks in the Management of Privileged Identities

Complex organizational structures and legions of different target platforms and systems, combined with a large number of poorly documented legacy systems: managing privileged user accounts and the high information security risks that stem from such accounts demands a great deal of attention, a deep understanding of the compliance requirements placed on your organization and, above all, flexible solutions. In this webinar you will get an overview of the different approaches to Privileged Identity Management and their...

Webinar

Sep 19, 2012: BYOD, Social Networking, Cloud - Secure and Predictable

Integrating mobile devices, whether owned by the employee or by the company, using social media in the enterprise and deploying cloud applications in many different ways: all of this has become everyday practice and confronts IT professionals in organizations with new challenges every day. In this webinar, Martin Kuppinger, Principal Analyst at KuppingerCole, will talk about how enterprise IT can unlock the benefits of these trends without increasing the associated risks to your information security.

Executive View

Snapshot: Quest One Identity Manager Data Governance Edition - 70722

Over the past few years, companies have started investing in Access Governance to better manage access certification, access analytics, and access requests. However that is not sufficient. It is, though, a big step forward for organizations which have not only installed a piece of software but also implemented the required organization, guidelines, and processes...

Webcast

XACML and the Externalization of Authorization: How to do it Right

KuppingerCole Webinar recording

Executive View

Snapshot: SAML Vulnerabilities - 70723

On August 10th, 2012, the University of Bochum (German Ruhr-Universität Bochum) published a research paper titled On breaking SAML: Be whoever you want to be. In that paper the authors provide an analysis of potential security weaknesses in SAML. They analyzed 11 out of 14 major SAML frameworks. Eleven of these frameworks showed XML Signature wrapping (XSW) vulnerabilities. The authors of the research paper claim that attackers thus can take “whatever identity they want”...

Executive View

Snapshot: OAuth 2.0 - 70725

Recently Eran Hammer, one of the – until then – co-authors and editors of the OAuth 2.0 standard which is currently finalized by an IETF (Internet Engineering Task Force) working group, declared that he will withdraw his name from the specification of OAuth 2.0. He posted about this in his blog. In that blog he raised several concerns about OAuth 2.0, ending up in a conclusion that OAuth 2.0 is “more complex, less interoperable, less useful, more incomplete and most importantly, less secure” than OAuth 1.0. However he also states that “OAuth 2.0 at the hand...

Blog

The Honan Hack and the BYOI meme

By now you should have heard about the so-called “epic” hacking of the accounts of Wired journalist Mat Honan. Only those on vacation well out of civilization (i.e., no internet, no phones, no newspapers, no radio, no TV) could honestly say that the details weren’t available to them. Nevertheless, here’s a quick summary of what happened. Honan’s Twitter account was hacked. From this were discovered his Gmail account name and home address. Using the Gmail password recovery system, they discovered Mat’s backup email address was a .me account (.me is owned by Apple). They also discovered his...

Blog

Simplifying XACML – the Axiomatics ALFA plugin for Eclipse IDE

Axiomatics, a leading vendor in the market of Dynamic Authorization Management systems – sometimes called either Entitlement Management or Policy servers – has recently released a new tool called the ALFA plugin for Eclipse IDE. ALFA stands for “Axiomatics Language for Authorization”. With that tool Axiomatics allows developers to author XACML 3.0 policies in the widely used Eclipse environment using a syntax which is close to commonly used programming languages like Java or C#. This is a pretty nice tool which closes a gap around XACML development. Instead of having programmers creating...

Blog

The best product for IdM?

A recent discussion in the LinkedIn group “Identity Management Specialists Group” asked for the personal opinion about what is the best IdM product out there. Besides the fact that it listed only five products to choose from in a survey, this question, from my perspective, is the wrong question. If I just take the question, my answer would simply be: “None”. There is no “best product” in that market. There is only the product best suited to solve the customer’s problem. And by the way: What is IdM? OK, this is an abbreviation for “Identity Management”, which is better understood as Identity...

Blog

What will it mean when Windows operating systems reject encryption keys smaller than 1024 bit soon?

Microsoft will soon release an update to its current operating systems (Windows XP and higher; Windows Server 2003 and higher), which will block the use of cryptographic keys that are less than 1024 bits in length. This announcement was made quite a while ago, but most links go to a rather specialized place, the “Windows PKI blog”. And honestly, who besides some geeks are really reading such a blog? The consequence is that certificates with key lengths of 512 bits will be blocked, leading to error messages. These errors can occur when browsing the web, when trying to enroll certificates,...

Advisory Note

Scenario: The Future of Authentication - 70341

A number of significant trends are causing the authentication (AuthN) and authorization (AuthZ) architectures and technologies to significantly change. Cloud, mobile and Social computing combined (The Computing Troika) are causing an identity explosion that is requiring organizations to embrace and evangelize authenticated access to any resource by anyone from any device. At the same time, organizations are being required to address this more complex and demanding authentication environment with fewer resources and to do so more efficiently. In short, the traditional...

Webcast

Preparing Your Enterprise for the Generation Y: BYOD & Mobile Device Management

KuppingerCole Webinar recording

Blog

Doing BYOD right – it’s all about information security

A recent article in Network World online  had the title “For BYOD Best Practices, Secure Data, Not Devices”. I fully agree with that title. However when reading it I struggled somewhat with the solutions proposed therein, which were mainly about “mobile device virtualization” and MAM (Mobile Application Management) instead of classical MDM (Mobile Device Management). However, neither mobile device virtualization (we might call this MDV) nor MAM really are about securing data. OK, MAM as proposed by companies like Apperian at least also can protect the communication channel and the storage...

Blog

The death (and life) of a protocol

I had a great time at the recent Cloud Identity Summit - a fantastic venue (Vail, CO) with a wonderful lineup of speakers second only to our own European Identity and Cloud Conference (EIC) coming up next May in Munich. (Hurry, the call for speakers is already underway). What I didn’t expect in Vail was a great deal of controversy, but there was. And right at the center of it all was my colleague, KuppingerCole’s Distinguished Analyst Craig Burton. Craig stood up at the podium and announced to the world: “SAML is dead.” This was off the chart because, well, SAML (Security Assertion Markup...

Webcast

Welcome to European Identity & Cloud Conference

Blog

What’s behind Bitdefender’s Clueful App having been removed from Apple’s App Store?

Apple recently removed the app Clueful, provided by the IT security software vendor Bitdefender, from its App Store. That at first glance isn’t momentous news. However, when looked at in a little more detail, it raises some questions. The iOS app Clueful had been available in App Store for about two months. It had been approved by Apple back then. Bitdefender, even while being pretty cautious in what they are telling the public, says: Apple informed Bitdefender’s product development team of the removal – for reasons we are studying – after it was approved under the same rules. This is a...

Webcast

Enterprise Role Management Done Right: Building the Bridge Between Business and IT

KuppingerCole Webinar recording

Webcast

Life Management Platforms & the Future of Social Networking

KuppingerCole Webinar Recording

Blog

The value of information – the reason for information security

If you’ve ever struggled with finding the argument for an investment in information security, here it is: According to a survey recently published by Symantec, 40% of the worth of organizations is derived from the information they own. The link goes to a German site and the extract of that survey specific to Germany but the report is in English. The global version can be found here. There are other interesting numbers: 57% of the German respondents expect a loss of customers and 48% brand damage in case of a leak of information (and breach notification). The global numbers aren’t that...

Webcast

How to Unleash the Power of Life Management Platforms

KuppingerCole Webinar recording

Blog

Leaked passwords – where does it end?

One of these days I’ll be able to stop railing against password problems. Today, however, is not that day. It was just last month that I wrote (“Lessons Learned from the LinkedIn fiasco”) about the problems that LinkedIn had with their recent password breach: No salt for hashed passwords is bad practice; No immediate response to the breach is bad PR; No plan to deal with information leaks through hacking, insider theft, inadvertent exposure and the like violates your users’ trust. I ended by saying “One of the more painless ways of learning is through others’ mistakes (rather than our...

Blog

Privacy is back – the discussion about the new German law on citizen registration

Germany has, in contrast to many other countries, a mandatory citizen registration. One side effect is the national ID card (now an eID). Another is that there are registration offices at every local authority. And there is a law called “Melderechtsrahmengesetz” (MRRG) which rules everything about this registration. A few days ago the German Bundestag passed a revision of this law, and did it during the semi-final of the European Football Championship (Real football, played by feet and with a ball; not American football, played by hand and with an egg) between Germany and Italy. That...

Blog

SCIM and the Microsoft Graph API

Kim Cameron recently blogged about his view on SCIM and the Microsoft Graph API. Kim explains his view as to why SCIM and the Microsoft Graph API, which is related to the WAAS (Windows Azure Active Directory), are complementary. That reminded me of two older posts in my own blog: In 2010 I posted about an idea which Microsoft unveiled at a PDC (Professional Developers Conference) called system.identity. Last year, after SCIM has been announced, I published some of my thoughts about SCIM. Even while I didn’t focus explicitly on relationships in the second post but more on the management...

Advisory Note

Scenario: Understanding Cloud Security - 70321

This research note is one of a series of documents describing KuppingerCole’s basic positions and providing insights into IT Service and Information Security Management. It describes the principal information security risks associated with Cloud computing and how these risks can be managed by effective IT service management using the KuppingerCole model. The Cloud provides an alternative way of providing or procuring IT services and offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and...

Product Report

Product Report: CrossIdeas IDEAS - 70620

CrossIdeas is a European vendor based in Italy specializing in Access Governance, Dynamic Authorization Management, and IAM (Identity and Access Management). Formerly known as Engiweb Security, the company was renamed following a management buy-out and operates today as an independent software vendor in their core market segments. Concerns voiced during the transition about retaining existing Engiweb customers have proven negligible. The markets CrossIdeas deals in, especially Access Governance, continue to support a number of comparatively small...

Webcast

Intelligent Access Management - Staying Ahead of the Auditor

KuppingerCole Webinar recording

Blog

User views on Privilege Management

Last December (“Quo Vadis?”) I advocated using Privilege Management solutions for all users. As Martin Kuppinger defined it in his advisory note last April: “Privilege Management, which in the KuppingerCole nomenclature is called PxM, is the term used for technologies which help to audit and limit elevated rights and what can be done with shared accounts. The x in PxM is used due to the fact that there are many different terms in the market which aren’t used consistently: Privileged Access Management, Privileged Account Management, Privileged Identity Management, Privileged User...

Blog

Dell to acquire Quest Software – really starting their software business now?

Dell today announced that they have a definitive agreement to acquire Quest Software. Quest Software then would form the core of the software division of Dell, which until now was pretty small. There were some business units like Dell Boomi (www.boomi.com), but no real software business. The decision to acquire Quest Software is an interesting move which, from my perspective, makes a lot of sense. Quest’s strengths are in the areas of Identity and Access Management/Governance with their Quest One Identity portfolio and around Systems Management, particularly Windows Management, Performance...

Blog

The sad world of passwords – and why IdPs don’t solve the problem

This week Jackson Shaw commented in his blog on an article written by John Fontana. The discussion is about the future of passwords and how federation and structures with IdPs (Identity Providers) will help us to avoid them. Both have somewhat different opinions. However, in both posts there is the idea of having an IdP, using federation, and getting rid of passwords. My perspective is a little different and I’d like to add two important points (even while I think that Jackson is right with his skepticism regarding a quick replacement of passwords and with highlighting that password...

Webcast

Choosing the Right Cloud

KuppingerCole Webinar recording

Survey

Survey Report: Identity Access Management and Governance in the Financial Industry - 70584

Study on the current status of the implementation of Identity and Access Management and Identity and Access Governance in the financial industry in Germany and Switzerland.

Study commissioned by Beta Systems.
Study conducted by KuppingerCole.

Blog

A CHANGE FOR THE BETTER?

There is an old joke that circulated amongst IT professionals during the 1980s – this joke goes as follows.  A man goes up to an ATM puts his card in the machine and requests some cash.  The machine accepts his card and PIN but doesn’t give out any cash.  He goes into the bank and tells a cashier what has happened.  The cashier replies – “that’s strange because we just had brand new software installed this morning”.  This joke is probably not funny if you bank with RBS in the UK. I normally write about IT security issues so – why is it that this entry is about managing change.  Well -...

Conference

Sep 13, 2012: Digital Economics Forum 2012

“Generation Y” is pushing forcefully into the job market and taking on responsibility in companies. Having grown up with the Internet, practiced in using the latest mobile gadgets and used to a new contact being just a mouse click away, whether colleague, partner, customer or lead, they present CIOs and IT professionals with the greatest challenges since the introduction of the mainframe. How can information security be achieved in a completely deperimeterized environment? How can the motley zoo of private devices, which at the desks already...

Blog

Security out of the Blue

If you were asked to think of an IT security firm perhaps IBM would not be top of the list.  However IBM has a significant set of products in this market and it manages the security of its customers’ outsourced and cloud systems, as well as that of its very large internal IT operations.  Following the acquisition of Q1 Labs late last year IBM is reorganizing to bring together all the security products under one division.  Well large companies are forever re-organizing so why does this change matter?  In short this is important because it reflects the increasing level of cyber risk and the...

Blog

IBM CastIron – delivering on the promise of the Open API Economy

Some days ago I had a very interesting briefing with IBM on their CastIron products. I had been in touch with CastIron way before they became part of IBM, because CastIron was one of the most interesting start-ups around “Cloud Integration”, i.e. the ability to integrate different cloud services and on-premise applications using the exposed APIs. Since then a lot has happened. The number of available APIs exploded, as my colleague Craig Burton has described in his report on the Open API Economy. More and more vendors are entering the space and are picking up the term Open API Economy. The...

Blog

Making Good on the Promise of IdMaaS

As a follow up to Microsoft’s announcement of IdMaaS, the company announced the — to be soon delivered — developer preview for Windows Azure Active Directory (WAAD). As John Shewchuk puts it: The developer preview, which will be available soon, builds on capabilities that Windows Azure Active Directory is already providing to customers. These include support for integration with consumer-oriented Internet identity providers such as Google and Facebook, and the ability to support Active Directory in deployments that span the cloud and enterprise through synchronization technology. Together,...

Blog

Lessons Learned from the LinkedIn fiasco

By now you should all be familiar with the “hack-in” on June 6 which led to the taking of over 6.5 million hashed user passwords. My colleague, Craig Burton, has addressed what should happen next, but I’d like to examine some issues which might appear tangential to the leak but should still be of concern. First, according to LinkedIn Product Director Vicente Silveira: “Based on our investigation, all member passwords that we believe to be at risk have been disabled.” How does LinkedIn know what my password is? Sure, they could search through all accounts, comparing the hashed value stolen...

Webinar

Jul 03, 2012: Intelligent Access Management – Staying Ahead of the Auditor

It has never been more important than today to know exactly who is authorized to do what and who has done what. This webinar is about the intelligent management of access rights: to reduce risks, to ensure compliance and to give users themselves the ability to organize their access rights.

Blog

LinkedIn Password Disaster

I first thought about ignoring this topic for my blog. However, there have been so many press releases, blogs, and other comments on it which have been just wrong or absurd that I finally decided on posting a little about it. First of all, the LinkedIn Password Disaster reinforces the old rule that you shouldn’t reuse passwords (at least not too much). Second, it is another proof of the fact that the security skills of developers are on average far too low. There are not enough developers with strong security skills, but many developers with a lack of good skills in security which are...

Blog

Active Directory in the Cloud – the new Microsoft WAAD offering

Over the course of the last few days, there have been many posts being published in different blogs, including the ones of Craig Burton, Nishant Kaushik of Identropy, KuppingerCole’s Dave Kearns and for sure Kim Cameron and John Shewchuk. I won’t dive into the discussion taking place between Craig, Nishant, Kim and others but clearly have to say that I’m fully with Craig on that it is about “Freedom of choice” and that this is fundamentally different from the “Freedom to choose your captor”. My main points later down will focus on the blog of John. However, when looking at the initial...

Blog

THE DIMINISHING NETWORK PERIMETER

I just returned from NISC - the National Information Security Conference - held this year in Cumbernauld in Scotland. The theme of this event was “the diminishing network perimeter”. With the advent of smart phones, tablets, Kindles and BYOD, the boundaries between the work and home environment have dissolved so how do you maintain the security of your corporate network? How does this impact on the corporate network, and how much can you put into the cloud? There were many interesting sessions around this theme and, as well as giving a talk on the Deadly Sins of Cloud computing, I sat on a...

Webinar

Sep 18, 2012: Preparing your Enterprise for the Generation Y: BYOD & Mobile Device Management

A plethora of mobile devices are invading the enterprise at incredible speed, raising issues in areas like access control, policy enforcement, security of confidential data on users’ devices, and many others. Practices of “bring your own device,” (BYOD) and “company owned, personally enabled,” (COPE) are trying to describe methods of mitigating the risks involved. In this training, KuppingerCole Principal Analyst Martin Kuppinger will help IT professionals to find their best way through the myriad of recommendations and solutions related to this issue, and implement the right corporate...

Training

Aug 14, 2012: XACML and the Externalization of Authorization: How to do it Right

This training will give an overview of XACML and the concepts behind it, from the way policies are expressed to the different components like PEPs, PDPs, or PAPs. It also will look at the shortcomings XACML currently has and how to best deal with them. It will look at different approaches in which XACML currently is used, showing the breadth and potential limitations of XACML. And it will discuss where it is better not to use XACML itself but to “translate” things.

Webinar

Aug 07, 2012: Preparing your Enterprise for the Generation Y: BYOD & Mobile Device Management

A plethora of mobile devices are invading the enterprise at incredible speed, raising issues in areas like access control, policy enforcement, security of confidential data on users’ devices, and many others. Practices of “bring your own device,” (BYOD) and “company owned, personally enabled,” (COPE) are trying to describe methods of mitigating the risks involved. In this training, KuppingerCole Principal Analyst Martin Kuppinger will help IT professionals to find their best way through the myriad of recommendations and solutions related to this issue, and implement the right corporate...

Webinar

Jul 17, 2012: Life Management Platforms & the Future of Social Networking

Social networking is still in its infancy; the rather suboptimal performance of the Facebook share price may be one indication of this. Social networking as we know it today is based, in the vast majority of business models, on users largely giving up privacy and control over their personal data. With cases of data misuse and identity theft piling up, this sacrifice seems more inappropriate with every day. Life Management Platforms bring social networking and privacy together and create the basis for new...

Webinar

Jul 17, 2012: How to Unleash the Power of Life Management Platforms

Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. In this webinar, KuppingerCole Founder and Principal Analyst Martin Kuppinger will describe why Life Management will be a key trend and how it will influence your enterprise.

Training

Jun 27, 2012: Choosing the Right Cloud

The rise of cloud computing has changed the rules for optimising your IT strategy. However, within cloud computing there are many choices. Making the right choices can save time and money; making the wrong choices can increase risks. This training will look at how to choose the right cloud for your business need.

Blog

Freedom of Choice != Your Choice of Captor

Earlier this week I posted a first-look analysis of Microsoft’s Cloud-based Identity Metasystem (IDMaaS). In that analysis I stated: Microsoft is not only doing something innovative — but profoundly innovative. On June 7, Nishant Kaushik (Chief Architect at Identropy) wrote on his blog (How Do Governance Controls fit into IDMaaS?): I’ll be honest, I’m having a little trouble seeing what is so innovative about WAAD itself. How is the fact that becoming an Office 365 customer automatically gives you an AD in the cloud that you can build/attach other Azure applications to that different from...

Blog

Managing risk, not preventing loss

I spent a week in Boston recently, attending Courion’s Converge conference. This was the 10th annual customer (existing and future customers) meeting the now venerable Identity Management company has produced and as always it provided a great way to see what the implementers - the enterprise IT and security folks - were doing, thinking and planning. The first thing I noticed was the company’s new catchphrase, “See risk in a whole new way,” which alluded to their newest product, Access Insight which they dub as an “Access Intelligence Engine.” There were also two major takeaways (among...

Blog

LinkedIn Hacked—More Reason for IdM in the Cloud

On June 6, 2012 LinkedIn was hacked and user accounts — names and passwords — were compromised. Follow LinkedIn’s advice on addressing the matter. There are just two things I want to say about this. 1. Service Providers should build hardened systems up-front Any service provider that has a security architecture that stores names and passwords on a server somewhere has an unacceptable system design. There is simply NO excuse for letting this happen — EVER. LinkedIn management is acting like hashing and salting passwords is some new thing that they are all over as a result of the...

Blog

What I would like to see First from IDMaaS

Intro Kim Cameron and John Shewchuk jointly rolled out Microsoft’s vision of Identity Management (IDMaaS) as a Service and then Microsoft’s implementation of that vision as Windows Azure Active Directory (WAAD). I posted first impressions. Kim Cameron responded. This morning over coffee I was gesturing through Zite — the iPhone and iPad personal publishing review app. There was my blog post in the headlines. I realize that Zite personalizes the headlines so probably no one else saw that, but that seemed pretty cool. Anyway, it got me to thinking what kind of things I would like to have...

Blog

Microsoft is Finally Being Relevant

Surprise surprise. For the last few years it looked as if the battling business units and power struggles within Microsoft had all but rendered the company incapable of doing anything innovative or relevant. But clearly something has happened to change this lack of leadership and apparent stumbling in the dark. Microsoft is not only doing something innovative — but profoundly innovative. In a dual post by Microsoft’s John Shewchuk and Kim Cameron, the announcement was made about what Kim Cameron alluded to at the KuppingerCole EIC in April — Identity Management as a Service (IDMaaS). This...

Blog

Choosing the Right Cloud

Adopting Cloud computing can save money, but it is important to choose the right Cloud solution for your business need. KuppingerCole have produced a Scenario Report – Understanding Cloud Computing to help you make the right choice. The Cloud provides an alternative way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost.  It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized. The Cloud is not one thing; it covers a wide spectrum of types of service and...

Training

Jul 10, 2012: Enterprise Role Management Done Right: How to Successfully Implement Role Management – if you need it

Enterprise Role Management is still a key topic when it comes to efficiently managing large groups of users. The art of clearly defining projects for role discovery and implementation, architecture model development and lifecycle maintenance with regard to scope and resources is your most important takeaway from this training.

Blog

Back to the (digital) future

My colleague Martin Kuppinger recently published “Intention and Attention – how Life Management Platforms can improve Marketing”, which discussed the role of Life Management Platforms (see Advisory Note: Life Management Platforms: Control and Privacy for Personal Data) within the “Intention Economy” (the subject of Doc Searls’ new book). In chatting with Martin about this we also brought up our other colleague, Craig Burton’s ideas on the Open API Economy. This all reminded me of a presentation I’d done back in the fall of 2000 for a barnstorming tour on behalf of Business Layers, the...

Blog

Smart Data: The better Big Data – using the Open API Economy concepts to better deal with your data

IT vendors these days are making a lot of noise about “Big Data”. That comes as no surprise, since Big Data allows selling masses of expensive hardware, software, and services. But does it really make that much sense for the customer? The sales pitch for Big Data is that companies can better do business based on that approach. They can do better marketing based on analyzing more data about their customers. They might provide better security services on analyzing more data. They might need it to deal with machine-generated data in the connected vehicle. However: better marketing is not...

Blog

Is API Growth in a Stall?

Intro Last year when we published the API Economy document, we showed the growth rate of APIs over time. Examining the numbers from the same source — the ProgrammableWeb — in 2012 it appears as if the hockey stick growth of over 100% each year is starting to slow down. What is really happening? The numbers Figure 1 shows the original numbers we published in the Open API Economy report. It shows a compound annual growth rate of roughly 100% each year starting in 2005. The source of the numbers is the ProgrammableWeb. Figure 1: 100% Annual Growth Rate. Source: The ProgrammableWeb Figure 2...

Blog

The Future of IT Organizations – why IT needs a marketing department

Some weeks ago we published a report called “The Future of IT Organizations“. This report talks about how to restructure IT Organizations, following the basic structure we propose for IT in the KuppingerCole IT Paradigm. That paradigm is first described in the KuppingerCole Scenario “Understanding IT Service and Security Management”. From our perspective, IT organizations have to change fundamentally in order to redefine the way we do IT to better deal with challenges like Cloud Computing. When looking at the future of IT, there is one area which I find particularly interesting. Some of...

Webcast

EIC 2012 Session: Database Firewalls - Advancing Security for Enterprise Data

Martin Kuppinger, KuppingerCole
Dr. Steve Moyle, Oracle
Sebastian Rohr, KuppingerCole

April 19, 2012 16:30

Webcast

EIC 2012 Session: Exchanging Metadata through Different Federations on a Global Scale

Nicole Harris, Head of Identity Management, JISC Advance

April 19, 2012 15:40

Webcast

EIC 2012 Session: Federation or Synchronization – the Future of the Cloud

Andrew Nash, Google
Darran Rolls, SailPoint
Travis Spencer, Ping Identity

April 19, 2012 15:20

Webcast

EIC 2012 Session: What Federation is About – in Theory and in Practice

Dave Kearns, KuppingerCole

April 19, 2012 15:00

Webcast

EIC 2012 Session: Security for Virtualized Environments, Privileged Users and PCI Compliance

Guy Balzam, CA Technologies
Stephan Bohnengel, VMware
Giovanni Ciminari, Telecom Italia

April 19, 2012 14:30

Webcast

EIC 2012 Session: From Virtualization to the Cloud and Beyond

Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

April 19, 2012 14:00

Blog

Intention and Attention – how Life Management Platforms can improve Marketing

Life Management Platforms will be among the biggest things in IT within the next ten years. They are different from “Personal Data Stores” in the sense of adding what we call “apps” to the data stores and being able to work with different personal data stores. So they allow working securely with personal data by using such apps, which consume but do not unveil that data – in contrast to a data store which just could provide or allow access to personal data. They thus are more active and will allow every one of us to deal with his personal data while enforcing privacy and security. Regarding...

Blog

IIW and VRM Report

At the first of the month I attended IIW 14 in Mountain View. I also attended the VRM workshop on the 30th. The VRM workshop was hosted by Ericsson. The IIW was held at the Computer History Museum. Before I summarize what happened at those events, I want to give a little background on IIW. IIW IIW uses a format referred to as an “unconference.” The main purpose of an unconference is to avoid the traditional design of a conference. A way I have heard it described is the format developed by Harrison Owen. Legend has it that Owen noticed that during a conference, most of the real activity and...

Webcast

EIC 2012 Session: The Kuppingercole IT Model and the API Economy

Craig Burton, KuppingerCole
Kim Cameron, Microsoft
Martin Kuppinger, KuppingerCole
Fulup Ar Foll, KuppingerCole
Dr. Steven Willmott, 3Scale

April 19, 2012 11:30

Webcast

EIC 2012 Session: VRM and the Intention Economy - Now What?

Craig Burton, KuppingerCole
Scott David, K&L Gates LLP
Marcel van Galen, Qiy
Drummond Reed, Connect.Me
Doc Searls, Berkman Center for Internet and Society
Phil Windley, Kynetx

April 19, 2012 10:30

Webcast

EIC 2012 Session: IT Strategies and Information Security in Banks - The Regulator´s View

Dr. Markus Held, Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin)
April 18, 2012 11:30

Blog

Entitlement Management – has it really been an academic exercise?

Recently I read a blog post from my appreciated and well known analyst colleague Kevin Kampman at Gartner Group talking about entitlement management. That post had some points which made me wonder. I’ll pick some of the quotes: “One of access control’s biggest challenges is that it has often been an academic exercise. Maybe we can move the discussion forward by thinking about what is needed, not just what is possible.”  “For any object, a set of conditions should be met to provide access such as time, attribute, role, etc. it seems we need a more flexible way to characterize all of the...

Webcast

EIC 2012 Session: Access Governance Case Study - Friends Life Realizes Quick Time To Value

Julia Bernal, Group Business Security & Data Protection Manager, Friends Life
April 18, 2012 17:30

Webcast

EIC 2012 Session: Identity & Access Management as a Key Element for a Value focused Security Strategy

Ralf Knöringer, Atos IT Solutions and Services GmbH
Hassan Maad, Evidian
Shirief Nosseir, CA Technologies
Christian Patrascu, Oracle
Peter Weierich, iC Consult GmbH

April 18, 2012 17:00

Webcast

EIC 2012 Session: How to successfully get business to participate in IAM and Access Governance

Dr. Martin Kuhlmann, Omada
Edwin van der Wal, Everett

April 18, 2012 15:30

Webcast

EIC 2012 Session: Delivering Actionable Recommendations to Senior Management based on a Structured Risk Identification and Evaluation Process

Dr. Waldemar Grudzien, Association of German Banks
Berthold Kerl, Deutsche Bank AG
Prof. Dr. Sachar Paulus, KuppingerCole

April 18, 2012 15:00

Webcast

EIC 2012 Session: Munich Re’s Identity & Access Management - Experience Report and Best Practices

Wolfgang Zwerch, MunichRe
April 18, 2012 14:30

Webcast

EIC 2012 Session: IAM Governance in the New Commerzbank

Dirk Venzke, Director, Commerzbank AG
April 18, 2012 14:00

Webcast

EIC 2012 Session: How to Address Regulatory Needs Fast and Lean

Dr. Waldemar Grudzien, Association of German Banks
Dirk Venzke, Commerzbank AG
Dr. Horst Walther, Kuppinger Cole
Wolfgang Zwerch, MunichRe

April 18, 2012 12:00

Webcast

EIC 2012 Session: Facing the Online Threats against Retail and Banking Customers - What are the Future Perspectives?

Prof. Dr. Sachar Paulus, Senior Analyst, KuppingerCole
April 18, 2012 11:00

Webcast

EIC 2012 Session: Cyber Crime, Cloud, Social Media... - IS Threats for Banks are Constantly Increasing. What Should We Be Doing?

Berthold Kerl, Deutsche Bank AG
April 18, 2012 10:30

Blog

Preventing, or surviving, data leaks

Just last week it was reported in The Guardian that “Computer hackers have managed to breach some of the top secret systems within the [UK] Ministry of Defence.” If the department charged with protecting the country can’t protect its own secrets then what chance does your organization have? This is just the latest (at the time I’m writing this) in a seemingly ever escalating number of security breaches, data thefts and data losses. So much so, in fact, that Data Loss Prevention (DLP – also called Data Leak Prevention) is the fastest growing segment of the Security, Identity and Access...

Press Release

Analyst firm KuppingerCole provides support for the migration of “Legacy Identity Provisioning”

Düsseldorf, May 9th, 2012 - With the report Migration Options and Guidelines for Oracle Waveset, the analyst company KuppingerCole supplements the report Migration Options for your Legacy Provisioning, which was published a few days ago. The report Migration Options for your Legacy Provisioning provides an overview of the most important recommendations for action for companies facing the challenge of replacing their existing identity provisioning solutions.

Advisory Note

Advisory Note: Dealing with privacy risks in mobile environments - 70224

The ongoing trend of IT consumerization and deperimeterization has a profound effect on modern society. Mobile devices are becoming increasingly sophisticated and their numbers are growing exponentially. Social networking has made sharing information all too easy and controlling its spread nearly impossible. Growing adoption of cloud-based services, while having obvious advantages, means that more and more sensitive information is now stored and managed by third parties, and users are no longer in direct control over it. Combined with the inconsistency and largely reactive nature of...

Blog

Dynamic Authorization Management Best Practices

Due to a last minute speaker change I had to prepare a short presentation on „Dynamic Authorization Management – Best Practices from our Advisory“ for EIC 2012. When we found a replacement for the speaker, I didn’t give that presentation. However I will do a webinar on that soon and I want to provide some of the content here, as sort of an appetizer. Dynamic Authorization Management is about dynamically deciding to approve or not authorization requests provided by services (like applications) based on policies and attributes (roles, application used, context, whatever,…). It includes...

Advisory Note

Business Report: Key Risk/Performance Indicators IAM and GRC - 70204

The concept of Key Performance Indicators is well established at the corporate level, using scorecards as a tool for providing a quick overview on the progress of organizations towards their goals. Key Risk Indicators add risk metrics to that view, relating the progress of indicators to changes in risks. The report provides selected Key Risk Indicators (KRI) for the area of IAM and GRC. These indicators are easy to measure and provide a quick overview of the risk status and its changes for organizations. The indicators can be combined into a risk scorecard which then can be continuously...

Blog

Bring Your Own Identity? Yes. And No.

Recently I read a blog post by Nick Crown, Director of Product Marketing at UnboundID. He talked about “Bring Your Own Identity” which he thinks is more groundbreaking and disruptive than BYOD (Bring Your Own Device). I would say yes, there is a value in BYOI, but: - this is definitely not as groundbreaking and disruptive as BYOD - this is only a small piece in a much larger puzzle and it definitely will not end with a two-tiered identity infrastructure as proposed in Nick Crown’s blog post - there’s definitely no need to introduce yet another marketing...

Advisory Note

Advisory Note: Migration Options and Guidelines for Oracle Waveset - 70610

This document extends the Advisory Note #70,607 “Migration Options for your Legacy Provisioning” and focuses on Oracle's Waveset Identity Provisioning system which is also historically known as Sun Identity Management/Manager or, in short, SIM, which before the acquisition of Waveset by Sun was named Waveset Lighthouse. The product will usually be called Waveset IDM (Identity Management) throughout this report, using Sun Identity Management or Waveset Lighthouse only when it is relevant to differentiate between historical releases. Identity provisioning systems are systems...

Blog

The digital divide in Identity Management

My dear friend Mia Harbitz of the Interamerican Development Bank (www.iadb.org) has recently linked me to what I felt to be one of the most important papers on “Identity Management” since I work in this field. The paper does not analyze the pros and cons of doing bottom-up or top-down role design, nor does it dive into the depths of Access Governance and streamlining reconciliation efforts in your organization. It investigates what any of you claim (and probably experienced yourself) to be a birth-right: your own personal identity! We all know the fuss around Google+ and the headache it...

Webcast

EIC 2012 Keynote: Interview - What are the Privacy and Information Security Challenges 2012 and Beyond?

Roy Adar, Vice President of Product Management, Cyber-Ark
Dr. Nigel Cameron, CEO, Center for Policy on Emerging Technologies
Martin Kuppinger, KuppingerCole
Shirief Nosseir, Marketing Manager, CA Technologies
Jim Taylor, VP Identity and Security Management, NetIQ
April 17, 2012 15:40

Webcast

EIC 2012 Keynote: Conflicting Visions of Cloud Identity

Kim Cameron, Creator of the Laws of Identity and Microsoft Identity Architect, Microsoft
April 17, 2012 15:20

Webcast

EIC 2012 Keynote: eID new challenges with Digital Agenda and Cloud Computing

Prof. Dr. Reinhard Posch, CIO for the Austrian Federal Government, Republic of Austria
April 17, 2012 15:00

Webcast

EIC 2012 Keynote: "Che cosa sono le nuvole?” (What are the clouds?)

Dr. Emilio Mordini, CEO, Centre for Science, Society and Citizenship CSSC
April 17, 2012 14:40

Webcast

EIC 2012 Opening Keynote

Dr. Nigel Cameron, CEO, Center for Policy on Emerging Technologies
Martin Kuppinger, KuppingerCole
April 17, 14:00

Webcast

EIC 2012 Closing Keynote

Dave Kearns, Senior Analyst, KuppingerCole
Prof. Dr. Sachar Paulus, Senior Analyst, KuppingerCole
April 19, 2012 17:30

Webcast

EIC 2012 Keynote: Trust and Complexity in Digital Space

Dr. Jacques Bus, Secretary General, Digital Enlightenment Forum
April 19, 2012 9:30

Webcast

EIC 2012 Keynote: The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet

Prof. Dr. Kai Rannenberg, T-Mobile Chair of Mobile Business & Multilateral Security, Goethe University in Frankfurt
April 19, 2012 9:00

Webcast

EIC 2012 Keynote: How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile

Ralf Knöringer, Manager Business Unit IAM, Atos IT Solutions and Services GmbH
April 19, 2012 8:30

Webcast

EIC 2012 Keynote: How to build a Secure and Open Cloud

Stephan Bohnengel, Sr. Specialist Systems Engineer Security, VMware
April 18, 2012 18:40

Webcast

EIC 2012 Keynote: Top Challenges and Threats Security Managers Should Watch Out For

Prof. Dr. Eberhard von Faber, Security Strategy and Executive Consulting, T-Systems
April 18, 2012 18:20

Webcast

EIC 2012 Keynote: How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API

André Durand, Founder & CEO, Ping Identity
April 18, 2012 18:00

Webcast

EIC 2012 Keynote: Information Security Governance in Banks: Delivering Actionable Recommendation to Management

Berthold Kerl, Managing Director, Head of Information & Technology Risk Governance, Deutsche Bank AG
April 18, 2012 9:30

Webcast

EIC 2012 Keynote: Securing Critical Banking Infrastructures in the Age of Cyber Warfare

Dr. Waldemar Grudzien, Director, Department Retail Banking and Banking Technology, Association of German Banks
April 18, 2012 9:00

Webcast

EIC 2012 Keynote: Leveraging Identity to Manage Enterprise Change and Complexity

Jim Taylor, VP Identity and Security Management, NetIQ
April 18, 2012 8:30

Webcast

EIC 2012 Keynote: Identity Management & Cloud Security - There’s a Workflow for That

Patrick Parker, Founder and CEO, The Dot Net Factory
April 17, 2012 19:10

Webcast

EIC 2012 Keynote: Scaling Identity, Access, and Audit Controls to Internet Proportions

Mike Neuenschwander, Sr. Director, Oracle
April 17, 2012 18:50

Webcast

EIC 2012 Keynote: Free Customers: The New Platform

Doc Searls, Berkman Fellow, Berkman Center for Internet and Society at Harvard University
April 17, 2012 18:30

Webcast

EIC 2012 Keynote: What About Bring your own Device?

Dr. Barbara Mandl, Senior Manager, Daimler AG
April 17, 2012 18:10

Webcast

EIC 2012 Keynote: How do Today’s Technology Challenges make Real IAM Possible?

Jonathan Sander, Director of IAM Business Development, Quest Software
April 17, 2012 17:50

Webcast

EIC 2012 Keynote: What Standards Have Done and Will Do for Cloud Identity

Dr. Laurent Liscia, Executive Director, OASIS
April 17, 2012 17:30

Webcast

EIC 2012 Keynote: Externalized Authorization - What is it Good for?

Peter Weierich, Senior Strategy Consultant, iC Consult GmbH
April 17, 2012 17:10

Webcast

EIC 2012 Keynote: Cloud, Consumerization & Identity: Time to Transform the Security Model

Shirief Nosseir, Marketing Manager, CA Technologies
April 17, 2012 16:50

Webcast

EIC 2012 Keynote: Ripped from the Headlines – The ‘Privileged’ Connection – Solved!

Roy Adar, Vice President of Product Management, Cyber-Ark
April 17, 2012 16:30

Blog

CLOUD COMPUTING DEADLY SINS

Adopting Cloud computing can save money, but you need to avoid the seven deadly sins. The Cloud provides an increasingly popular way of procuring IT services that offers many benefits including increased flexibility as well as reduced cost. It extends the spectrum of IT service delivery models beyond managed and hosted services to a form that is packaged and commoditized. However - many organizations are sleepwalking into the Cloud. Moving to the Cloud may outsource the provision of the IT service, but it does not outsource the customer’s responsibilities. There are issues that may be...

Product Report

Product Report: Virtual Forge CodeProfiler - 70585

The analysis of the security of program code is one of the most significant business areas in the field of secure software development. For all common programming languages there are quite mature products, and the most important innovators have been acquired by the large software vendors. However, there is a little-noticed area of software development that is nonetheless quite important for companies: the so-called customizing of SAP applications. Customizing typically means that the SAP standard offering is extended with new application components...

Webcast

Quantifying Access Risk: How to Sell the Access Governance Project to your CFO

KuppingerCole Webinar recording

Webcast

European Identity Award 2012 Ceremony

The European Identity Awards 2012 honoring outstanding projects and initiatives in Identity Management, GRC (Governance, Risk Management and Compliance) and Cloud Security were presented yesterday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2012 in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole, end-user companies and vendors during the last 12 months.

Advisory Note

Advisory Note: Making critical infrastructures in finance industry fit for the age of cyber attacks - 70405

When looking at the topic of this research note, there are two major aspects to look at. One is about “critical infrastructures”; the other is about “the age of cyber attacks”. We’re looking at critical infrastructures in finance industry. However, this is at least to some degree also about finance industry as a critical infrastructure. The finance industry in its role as one of the backbones of the economy and of entire states is a critical infrastructure. If critical infrastructure within the finance industry becomes attacked, this imposes a massive risk on...

Blog

The Identity Explosion – one reason to re-engineer not only our IAM

During my Opening Keynote at this year’s EIC (European Identity & Cloud Conference, www.id-conf.com), when talking about the Top Trends in IAM, Mobile Security, GRC, and Cloud Computing I used the term “Identity Explosion” to describe the trend that organizations will continue (or start) to re-define their IAM infrastructures in order to make them future-proof. I talked more about that in my presentation on “Re-engineering IAM to better serve your business’ needs” later during the conference. Interestingly, I heard the term “Identity Explosion” being used several times in other sessions...

Congress

May 14 - 17, 2013: European Identity & Cloud Conference 2013

With its world class list of speakers, a unique mix of best practices presentations, panel discussions, thought leadership statements and analyst views, EIC has become an absolute must-attend event for enterprise IT leaders from all over Europe.

Press Release

Analyst group KuppingerCole publishes new reports

Düsseldorf, April 24th, 2012 – As part of the sixth European Identity & Cloud Conference 2012 (EIC), the leading event in Europe on these topics, the analyst group KuppingerCole has published a series of new reports. These include reports on the European Identity Awards presented at the conference this year, in which the award-winning projects are introduced. In addition, there are three further new reports dealing with IT security in the finance industry, with market developments, and with the most important...

Advisory Note

Advisory Note: IT Initiatives 2012-2013: A 6*3 Matrix - 70609

Which initiatives should be at the very top of the agenda of CIOs in 2012/2013? This Advisory Note provides, based on KuppingerCole's continuous research, suggestions for answering this question. For each of six subject areas, the report proposes three initiatives that promise particular benefit for the continuous further development of IT and that represent a response to current and coming trends. The goal is an IT that is fit for the future, but at the same time is guided by what is feasible, what makes sense, and the...

Blog

EIC 2012 - My Pickings

We’ve just concluded the sixth EIC, the European Identity and Cloud Conference. It was my fifth, but I continue to learn something new each time. Before I get into what I learned this year, a brief note to mention that EIC 2013 will return to Unterschleissheim (just outside Munich) from May 14-17. Begin to book now, it’s sure to be even bigger and better than ever. I’ve been going to technology conferences, both big and small, for 25 years and it never ceases to amaze me that there’s always something new to learn – either a new technology, or a new way to look at technology. While it’s...

Blog

EIC 2012 – some take-aways

EIC 2012, the European Identity and Cloud Conference, is history now. We had a week fully packed with a lot of great keynotes, sessions, panels, and workshops. For me, it definitely was the year in which the EIC was most influential to my own thinking. The reason for that was simply that we had a lot of very good panels and other types of sessions related to some research we published around EIC or are currently working on. The three key topics were: The KuppingerCole IT Paradigm which we have described as a model for developing IT infrastructures and organization in a way that it is fit...

Advisory Note

Trend Report: Top Trends 2012-2013 - 70516

As in the past years, KuppingerCole has worked out the Top Trends in IT in general, Cloud Computing, GRC (Governance, Risk Management and Compliance), IAM (Identity and Access Management) and Mobile Computing. The most important trends are, from our perspective, an increasing level of compromise of digital certificates, the proliferation of “Bring your own Device” (BYOD), and the need for better encryption among other preventive measures to ensure Data Loss Prevention (DLP) and secure device management.

Press Release

European Identity Award 2012

Duesseldorf, April 19th, 2012 - The European Identity Awards 2012 honoring outstanding projects and initiatives in Identity Management, GRC (Governance, Risk Management and Compliance) and Cloud Security were presented yesterday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2012 (www.id-conf.com) in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole, end-user companies and vendors during the last 12 months. Award winners have all distinguished...

Blog

European Identity Award 2012

The European Identity Awards 2012 honoring outstanding projects and initiatives in Identity Management, GRC (Governance, Risk Management and Compliance) and Cloud Security were presented yesterday by the analyst group KuppingerCole at their annual event, the European Identity Conference 2012 in Munich. Winners were chosen from a shortlist of exemplary projects and initiatives compiled by the analysts at KuppingerCole, end-user companies and vendors during the last 12 months. Award winners have all distinguished themselves through exceptional efforts in Identity and Access Management (IAM),...

Executive View

Advisory Note: European Identity Award 2012: OpenID Connect - 70706

Best New Standard 2012 in Category „Best Innovation/New Standard in Information Security”: Providing the Consumerization of SAML. Driving the adoption of federation and making this much simpler.

Advisory Note

Advisory Note: IT-Initiatives 2012-2013: a 6*3-Matrix Report - 70612

Which initiatives should be top on the agenda of CIOs in 2012/2013? This Advisory note suggests answers to this question, based on the ongoing research of KuppingerCole. The report proposes three initiatives within six areas, which promise specific benefits for the future development of IT. They represent responses to current and future trends. The goal is an IT, which is fit for the future, but at the same time based on what is feasible, and is oriented at the meaningful and the observable changes of the requirements. The report concisely describes each of the areas for action naming...

Press Release

European Identity Award 2012

Düsseldorf, April 18th, 2012 - The European Identity & Cloud Award 2012, which honors the best projects and initiatives around Identity & Access Management, GRC (Governance, Risk Management and Compliance) and Cloud Security, was presented by the analyst group KuppingerCole as part of the European Identity & Cloud Conference (EIC) currently taking place in Munich. The jury selected the winners from proposals submitted by the analysts of the KuppingerCole group, by end-user companies and by vendors in the course of the...

Advisory Note

Best Practice: European Identity Award 2012: Swisscom - 70705

Special Award 2012 for „Mobile Security”: Swisscom MobileID – secure and easy authentication using the mobile phone with minimal impact on hardware based on ETSI Mobile Signature Standard.

Advisory Note

Best Practice: European Identity Award 2012: Sanofi S.A. - 70704

Best Project 2012 in the Category „Best Cloud Security Project”: Implementing Federation quickly to support business requirements. Federation becoming a business enabling technology.

Building the foundation for future business cases. Enabling secure access to Cloud applications.

Advisory Note

Best Practice: European Identity Award 2012: Europol - 70703

Best Project 2012 in Category „Best Access Governance and Intelligence Project”: Strategic IAM project adding centralized auditing across all IAM modules.

Ready for further expansion of auditing in an IAM ecosystem in a highly security-sensitive environment, including external collaboration.

Real-time monitoring beyond simple audit logs.

Advisory Note

Best Practice: European Identity Award 2012: Siemens AG - 70701

Best Project 2012 in Category „Best Identity and Access Management Project”: Enabling the hybrid Cloud in an audit-proof way.

Based on a flexible, scalable, standards-based architecture. Supporting complex, dynamic approval workflows in a very large scale environment.

Press Release

Analyst group KuppingerCole publishes new research for EIC 2012

Düsseldorf, April 13, 2012 - Ahead of the European Identity & Cloud Conference 2012 (EIC), which begins next Tuesday in Munich and is the leading European event in this field, the analyst group KuppingerCole has published several new reports. They are available for download now at http://www.kuppingercole.com/reports.

Advisory Note

Advisory Note: Migration Options for your Legacy Provisioning - 70607

Migrating an existing provisioning system always becomes a red-hot topic once a vendor is acquired by another vendor. In these situations - like the acquisition of Sun Microsystems by Oracle, of Novell by NetIQ, of Völcker by Quest Software and all the other acquisitions we’ve seen in the past - customers are anxious regarding the future roadmap and the impact on their own infrastructures. However, when looking at reality, there are far more situations in which organizations think about changing their provisioning system. The question then is: What to do? Where to migrate...

Advisory Note

Advisory Note: IAM and GRC Market – the Evolution in 2012/2013 - 70580

IAM (Identity and Access Management) and GRC (Governance, Risk Management, and Compliance) are two of the most important IT market segments these days. They are driven by various factors. One is increasing regulatory pressure. Companies need to manage their risks, including access risks to their corporate information. That has put IAM and GRC on top of the IT agenda. However, IAM and GRC are also enabling technologies to help enterprises better deal with major trends in overall IT. Social computing, mobile computing, and cloud computing all are about dealing with more groups of users,...

Advisory Note

Advisory Note: Life Management Platforms: Control and Privacy for Personal Data - 70608

Life Management Platforms will change the way individuals deal with sensitive information like their health data, insurance data, and many other types of information – information that today frequently is paper-based or, when it comes to personal opinions, only in the mind of the individuals. They will enable new approaches for privacy- and security-aware sharing of that information, without the risk of losing control of that information. A key concept is “informed pull” which allows consuming information from other parties, neither violating the interest of the...

Advisory Note

Advisory Note: Rating Methodology for Products and Vendors - 70555

KuppingerCole as an analyst company regularly does evaluations of products and vendors. The results are, amongst other types of publications and services, published in the KuppingerCole Product Reports and KuppingerCole Vendor Reports.

KuppingerCole uses a star rating to provide a quick overview on our perception of the products or vendors. The categories of this rating and the reasons for deciding for a specific number of stars are explained later in this document.

Advisory Note

Advisory Note: Privilege Management - 70177

Privilege Management - which, in the KuppingerCole nomenclature, is called PxM - is the term used for technologies which help to audit and limit elevated rights and what can be done with shared accounts. During the last few years, PxM has become increasingly popular. Some vendors have enhanced their offerings significantly, while acquisitions have also led to vendors with broader offerings. The reason for that growth is the increasing demand in the market. PxM is leaving its status as a niche market behind and becoming a mandatory element of every Information Security and IAM (Identity and Access...

Advisory Note

Scenario: The Future of IT Organizations - 70350

When looking at today’s IT, it is driven by some major evolutions. Everything which is done in IT has to take these evolutions into account. One is Social Computing. The second evolution is Mobile Computing. The third evolution is Cloud Computing. All these trends affect IT fundamentally. The consumerization and deperimeterization of IT are logical consequences. Information technology (IT) is available to virtually everyone and virtually everywhere. When looking at the Future of IT Organizations, Cloud Computing has the biggest impact. With the rise of Cloud Computing, IT managers...

Advisory Note

Scenario: Understanding Cloud Computing - 70157

This research note is one of a series of documents describing KuppingerCole’s basic positions and providing insights into IT Service and Information Security Management. It describes the varieties of Cloud services and delivery models, the principal risks associated with Cloud computing and how the Cloud fits within the IT service delivery options for an organization. It relates the Cloud back to the basic building blocks of IT service delivery which together form the basis for effective organization of IT departments. The Cloud provides an alternative way of providing or procuring...

Blog

EIC 2012 – what I will talk about

Next week, EIC 2012 (European Identity and Cloud Conference) will take place in Munich. The conference will again grow significantly, and we will have a mass of interesting sessions there, ranging from keynote sessions to panels, best practices, and several workshops and roundtables. You definitely shouldn’t miss that conference. I want to give a sneak peek at what I will talk about this year. The Opening Keynote on Tuesday, April 17th, 2012 will be about trends in IAM, GRC, Cloud Computing, and Mobile Security. I also will provide a quick view of the KuppingerCole IT Paradigm, which is...

Blog

User-centric Identity – the Ethernet of identity protocols?

Back in the mid 1990’s, Fiber Distributed Data Interface (FDDI) was touted as the networking protocol of the future. It could handle traffic of 100 megabits per second (mbps) and was considered far more reliable than Ethernet (which was only 10 mbps, anyway) as it was a deterministic protocol based on the Token Bus architecture (similar to Token Ring). Standard Ethernet protocol was considered to be unable to provide more than 10 mbps bandwidth and – due to its “collision detection” technology – was also considered unreliable. Yet here we are today with most networks tied together by 100...

Webcast

Identity & Access Management in the Cloud: Real or a Mirage?

KuppingerCole Webinar recording

Product Report

Product Report: Virtual Forge CodeProfiler - 70583

Code security analysis has become one of the most important business segments servicing the secure development of software. Products are pretty mature for every mainstream programming language, and large IT companies have acquired the major technology innovators in that segment. There is, though, an area of software development that receives little attention, although being quite important for businesses: the so-called customizing of SAP applications. Customization in SAP applications typically means that new application pieces will be added to the SAP standard offering. In many cases...

Blog

Security > 140 Conversation with Craig Burton

I had a conversation with Gunnar Peterson recently. Here is the transcript of the exchange. It is short but worth looking at. Today's Security > 140 Conversation is with Craig Burton, a Distinguished Analyst at KuppingerCole. In his recent work, Craig explores the API Economy and how participating in the API economy reconfigures organizations' priorities. Gunnar always asks insightful questions. I really enjoy his presentations each year at the Cloud Identity Summit. Not sure if I will be speaking this year or not.

Advisory Note

Technology Report: Access Governance Architectures - 70219

Access Governance is about the governance and management of access controls in IT systems and thus about mitigating access-related risks. These risks include the stealing of information, fraud through changing information, and the subverting of IT systems, for example in banking to facilitate illegal actions, to name just a few. The large number of prominent incidents within the last few years proves the need to address these issues – in any industry. There are an increasing number of tools for Access Governance. On one hand, a number of start-ups have entered the market with...

Blog

Cloud Identity and Synchronization

I saw a marketing brochure the other day that claimed “Today’s average enterprise utilizes 16 different directories,” touting their synchronization engine for provisioning and de-provisioning. The vendor’s take seemed to be that 16 was a huge number, but I merely chuckled to myself. Fifteen years ago, while barnstorming the US for a provisioning vendor I would frequently ask the audience how many identity stores they’d identified in their organization. I still remember one memorable response: “we’ve found 116, but we’ve only just started looking.” Ten years ago, soon after the Liberty...

Product Report

Product Report: Oracle Database Firewall - 70339

Oracle Database Firewall is part of Oracle’s defense in depth approach to security, providing a first line of defense for databases by analyzing database traffic before it reaches the database. Oracle Database Firewall expands Oracle’s solutions for heterogeneous databases, supporting Oracle Database, SQL Server, IBM DB2 LUW, and Sybase ASE. MySQL support was introduced in the most recent release. Unlike most other products in that area, Oracle Database Firewall accurately analyzes database activity traffic over the network with very little latency and thus is able to intercept...

Webcast

Conducting an Orchestra - The New Role of IAM

KuppingerCole Webinar recording

Blog

Why the US Cyber Chief is wrong: It’s not a tide of Cyber Criminality – there will be no ebb tide

Today I read an article about US investments in cyber security, with the US Department of Defense (DoD) budget requesting 3.4 billion US$ by itself. The US Cyber Chief, Army General Keith Alexander, commander of U.S. Cyber Command and director of the NSA (National Security Agency) is quoted as saying “Nation-state actors in cyberspace are riding a tide of criminality.” I believe he is wrong in one very important point: It is not about a tide, it is about a continuous rise. So it would have been better had he chosen the comparison to the (potential) long-term rise of the sea-level caused by...

Webcast

Returning (or finally bringing?) Identity and Access Management (IAM) to the User

KuppingerCole Webinar recording

Blog

Encryption is only as good as the protection of its keys

This morning I received a press release pointing to a blog of John Grimm, who works at Thales e-Security. Thales e-Security is the part of the Thales Group, which specializes in encryption. They offer, amongst several other technologies, HSM (Hardware Security Modules) and Enterprise Key Management solutions. The blog commented on the recent discovery of the Mediyes Trojan by Kaspersky Lab. Kaspersky is one of the leading vendors in the Anti-Virus/Anti-Malware segment. The touchpoint between them in the case of Mediyes is that the Trojan uses a digital signature based on a stolen private...

Blog

15% of CIOs ban private devices – the Don Quixote approach on BYOD

I read news this morning quoting a survey by Coleman Parkes, a UK-based research company, saying that 15% of CIOs ban private devices to mitigate the BYOD risks. I personally don’t believe in that approach because it is just too likely to fail. It is like Don Quixote tilting at windmills, I’d say. On first glance, banning private devices might seem the best choice. Using only devices you’ve provided yourself, evaluated and tested, well configured, seems to be the best approach when it comes to mitigating information security risks. But does this approach really work? Let’s focus on five...

Blog

TPM – why is this technology so rarely used?

During the last few weeks I have received a large number of press releases issued by Wave Systems. Reading the headlines, my impression was that this is just another vendor oversimplifying security. Headlines like “Change the status quo of security: Just switch on” caused that impression, given that behind these headlines you usually find a tool vendor with limited capabilities and big claims who tries to sell a little piece of software as the holy grail of IT security. So I thought about using these examples as a starting point for bashing a little on that type of vendor. However, after...

Webcast

Access Risks - from SAP to the Outer Space: an Identity & Access Governance Journey

KuppingerCole Webinar recording

Blog

Identity – Of, By, In and For the Cloud

There’s Identity, and there’s the Cloud. While we still can’t quite agree as to what is Identity and what are Cloud Services we also can’t wait until we decide those issues to properly connect the two. Apps can reside either in the datacenter or in the cloud. They could also reside on our local device (PC, tablet, smartphone, etc.) but we’ll simplify today’s discussion (and leave mobile identity and apps to another day) by concentrating on these two platforms. Identity services can reside in either place also. Often, in fact, they’ll reside in both places. More on that in a moment....

Blog

Microsoft vs. Google: The battle of the business models

This year’s CeBIT, the world’s largest IT fair, has the topic of “Managing Trust”. For some reason, the “Deutsche Messe”, the company behind CeBIT, decided to have Eric Schmidt as one of the speakers at the official opening ceremony anyhow. Right after the speech of Schmidt, Microsoft sent out a press release “Ralph Haupter comments on CeBIT opening”. Ralph Haupter is the General Manager of Microsoft Germany. The summary of this press release is simple: According to Microsoft, Eric Schmidt just missed the topic. He didn’t talk about managing trust but about some opportunities of the digital...

Blog

Non-working P3P privacy policies in browsers - whom to blame?

Another recent discussion was about Microsoft blaming Google and Facebook for circumventing IE privacy policies. There were many articles about that issue, two of them you’ll find here: http://www.networkworld.com/news/2012/022012-microsoft-says-google-circumvents-ie-256358.html?hpg1=bn http://www.networkworld.com/news/2012/022212-microsoft-browser-privacy-256444.html?source=NWWNLE_nlt_microsoft_2012-02-23 There are two aspects from what I understand. First of all, Facebook doesn’t care for privacy and Google at least not much. Facebook clearly states that it doesn’t have a P3P privacy...

Blog

Google’s Privacy Policy – the market will decide

There has been a lot of noise around Google changing its privacy policies. My esteemed colleague Dave Kearns said that they just consolidated them. I’ll stay with “changed”, due to the effect of this: Google now can do much more with the user’s data – if the user logs into any Google service. So my point is that discussions about changing or consolidating is splitting hairs. In fact they have changed the way they deal with privacy. Google claims to have done this because their customers want it. I doubt that. Customers want Single Sign-On. But does anybody really believe that customers...

Webinar

Apr 26, 2012: Quantifying Access Risk: How to Sell the Access Governance Project to your CFO

How can Access Risk be measured and made visual? How can it be used to prioritize processes such as Access Certification or Role Modeling? This webinar aims to explain new methodologies for Access Risk scoring to prioritize corrective actions and to justify to your CFO why investment in an Identity & Access Governance project is good value for money.

Webcast

Access Governance done right: investment protection and targeted further development

KuppingerCole Webinar recording

Blog

Google as Bogeyman

Is Google the new Microsoft? That is, is Google now the company that "people love to hate," so that - no matter what they do - there's sure to be criticism of them? Ten years or so ago Google was seen as the "white knight" that would vanquish the Microsoft dragon as a worthy successor to Apple in that role. Now, though, it appears that Apple has risen from the ashes and is the valiant warrior that the Google "dark lord" is trying to usurp. Here in the western hemisphere, the gathering of personal data in order to present ads to you which reflect your interests is considered by many to be a...

Webinar

Mar 22, 2012: Conducting an Orchestra – The New Role of IAM

With the loss of control over many resources through current trends like BYOD (bring your own devices) and usage of cloud services, enterprise IT is going through a radical change. In this webinar, you will learn about the new role of Identity & Access Management as an information security cornerstone.

Webcast

Best Practice Driven Identity & Access Management

KuppingerCole Webinar Recording

Blog

Apple iOS (and Android): Data Leakage by Design

Recently an old story hit the news again: Apple iOS allows apps free access to the address book, without any user consent. However that isn’t really new. The story was told back in 2010. Privacy awareness and concerns, however, have massively gained momentum since then, so it is a different situation now. Apple CEO Tim Cook has been asked by two congressmen to provide answers by Feb 29th (even while it is a German link, the lower half with the letter of the congressmen is in English). See also this link. What has happened: Apple iOS allows apps to access the address book information. Some...

Webinar

Mar 29, 2012: Identity & Access Management in the Cloud: Real or a Mirage?

Traditional IAM solutions have not kept pace with cloud innovation. Therefore, new approaches to identity and access management are gaining ground. Should you move your IAM infrastructure to the cloud? What is the role of related standards? These and more questions will be addressed in this webinar.

Webcast

Security analysis and security management - fast, automated, intelligent

KuppingerCole Webinar recording

Blog

Data Protection and the Cloud

Nowhere is the uncertainty surrounding data protection currently greater than with regard to cloud services. Microsoft is on the right track with its extensive implementation of the EU standard contract clauses, writes Martin Kuppinger. At the end of last year, Microsoft brought its Office 365 contracts into line with EU data protection and privacy regulations. But the real question when such an announcement is made is always: what’s really behind it? In this case, Microsoft can arguably be considered a pioneer. Microsoft has taken a step that many other providers should emulate. An...

Press Release

Save the date - European Identity and Cloud Conference 2012

Düsseldorf, February 13, 2012 - The English-language European Identity and Cloud Conference (EIC) 2012 takes place in Munich from April 17 to 20, 2012. With more than 550 participants from over 20 countries and an exhibition area in which all major vendors in Identity & Access Management, Cloud Computing and GRC are represented, the European Identity and Cloud Conference has, over the past 6 years, established itself as one of the world's most important events for modern and future-proof information security...

Blog

IAM legacies – bad for your business

It’s been almost 15 years since Business Layers and Oblix ushered in the new age of Identity and Access Management Systems (IAM systems) with what I called at the time the “killer app” for Directory Services – electronic provisioning. Even more incredible is that it’s almost 20 years since I wrote a workflow-based provisioning application (I even called it “employee provisioning”) based on Microsoft’s messaging application programming interface (MAPI). It actually was quite primitive in terms of 21st century provisioning tools in that it relied on automated email messages to inform people...

Webcast

Bridging the Cloud Sign-on Gap

KuppingerCole Webinar recording

Blog

Isn’t it better that we talk about last-generation firewalls instead of next-generation firewalls?

One of the buzzwords that became quite popular during the last few years is “next-generation firewall”. Some startup vendors position themselves in that market segment and established firewall vendors are trying to catch up. But when looking at what next generation firewalls are, I doubt that this term really applies, for two reasons: One is the question of which role firewalls will play in the future. There is no doubt that we will need some sort of firewalls as part of a multi-layered security concept. However, the firewall as the leading security device at the perimeter isn’t the...

Webinar

Mar 21, 2012: Returning (or finally bringing?) Identity and Access Management (IAM) to the User

IAM needs the involvement of end users and their business line managers, because that is where access-related risks can be handled best. Join us in this webinar to discuss how you can leverage acceptance of your IAM solution.

Press Release

Fulup Ar Foll joined the KuppingerCole analyst team

Duesseldorf, February 6th, 2012 - Fulup Ar Foll just joined KuppingerCole as a Senior Analyst. Besides his very strong background in large scale and high performance identity and access management, as well as information security architecture, Fulup's research focus is related to consumer and citizen identity, mobile security and to the evaluation and assessment of technology standards. “We are glad to have Fulup on board. Fulup is one of the most experienced and well-known professionals in the industry and adds to the brain pool of KuppingerCole”,...

Webcast

Back to the ROOTs

KuppingerCole Webinar recording

Product Report

Product Report: Blackbird Management Suite - 70402

The Blackbird Management Suite is well architected and is designed to include high levels of integration with the existing support modules for Active Directory and the Windows Server File System. The administrative interface for Active Directory makes use of the Windows Snap-in architecture for 3rd party products with the Microsoft Management Console (MMC). The File System management is done through an extended explorer thus maintaining the familiarity with the traditional Windows Explorer. All this tight compliance with the Windows environment does a resplendent job of minimizing the...

Blog

LinkedIn – the next bad guy

Last Friday, I received two identical emails from LinkedIn contacts informing me about changes in the privacy conditions of LinkedIn. Without user consent, LinkedIn is now allowed to use names and pictures of the users in advertisements. Users can revoke the permission in a simple way (see below). However, what LinkedIn has done raises the question whether the providers of today’s social networks never will learn their privacy lessons. LinkedIn once again has shown the fundamental misunderstanding of social network providers, that all data therein is their data. However, it is the data of...

Blog

Evil, or just different

Well that didn’t take long. Less than a week after I predicted that “2012 could be a very good year for privacy,” Google announced a new privacy policy, one which would apply across almost all of its services. Far from being seen as a good thing, though, the initial reaction was a large outpouring of grief by the privacy community. Even the general media portrayed the move in a dark light. The Washington Post, for example, was quick to point out that “A user signing up for Gmail, for instance, might never have imagined that the content of his or her messages could affect the experience on...

Webinar

Mar 13, 2012: Access Risks - from SAP to the Outer Space: an Identity & Access Governance Journey

Access Governance applies across the entire application landscape, but has the largest impact on SAP, where key business processes are managed. As SAP poses unique Access Security needs, it tends to be left in isolation. This webinar will explain how to address SAP-specific needs without losing the benefits of an enterprise-wide Identity & Access Governance implementation.

Webinar

Feb 28, 2012: Access Governance done right: investment protection and targeted further development

Access Governance is the term for solutions that make it possible to better steer and control access rights. This includes regular re-certification, and thus review, of access entitlements, as well as analytical functions for the status of access entitlements and role management functions. The solutions must also support the management of access entitlements, with simple functions for end users to request entitlements, and therefore good integration with existing provisioning systems. Only with a complete cycle...

Webcast

Privacy by Design

KuppingerCole Webinar recording

Blog

Personal Data Vault – putting YOUR data in YOUR hands

I still remember the fun that was had when Dick Hardt first made his cool presentations on User Centric Identity Management and regaining control of who would have access to what attribute of your multiple personas, be it online, at home or at work. We all know that his company sxip identity failed because it did not gain enough momentum to monetize on the idea. Still, concepts such as the (also “failed”, much to my demise) Information Cards by Microsoft or the OpenID approach share some aspects of the sxipper product – putting you in control of your data. The current hype around the new EU...

Blog

Stopping a Clapper Over WikiLeaks

The U.S. government announced plans to put in place within the next five years measures designed to make it impossible to pass on sensitive information to the likes of WikiLeaks. They hope to accomplish this by “tagging” information so it can be tracked in case someone shares it with outsiders. The idea of creating “information-rich information” is obviously the right way to go in addressing privacy and security concerns in the Digital Age. It is possible, technically at least, to attach rules to individual pieces of information, such as who is allowed to do what with it and what happens...

Webinar

Feb 21, 2012: Best Practice Driven Identity & Access Management

Mobile devices and apps, cloud based services, social networks, personal life management platforms - or, in short, let your customer in. Managing identities behind these trends creates the need for a new look at IAM. In this webinar, Dave Kearns will discuss with industry experts the most important qualities a new generation of effective IAM solutions has to provide.

Press Release

Privacy by Design: KuppingerCole webinar with Dr. Ann Cavoukian, Michelle Dennedy and Dave Kearns on January 26, 2012 at 5 p.m.

Top experts on privacy: data protection, information security and privacy are achievable. Düsseldorf, January 24, 2012 - Protecting data and privacy in the digital part of our lives, with all its online activities, has become a dominant topic of “Consumer Identity”. In 2012 the discussion about protecting one's own information will become even more intense. KuppingerCole expects that, in this area of IT, which is about the identities of customers and consumers and which all of our private...

Blog

Ignoring it doesn’t mean that there aren’t massive cyberthreats

The hot topic in IT (and beyond, for many organizations) in 2012 will be Security, including all its facets such as Identity and Access Management, SIEM (Security Information and Event Management), Anti-Virus and IDS/IPS (Intrusion Detection/Prevention Systems), and all the other components. That will also give the GRC market (Governance, Risk Management, Compliance) another strong push, because GRC tools are increasingly used to define and manage security controls in a consistent way. GRC is becoming the business interface to security management, translating the complex information for the...

Webinar

Feb 16, 2012: Security analysis and security management - fast, automated, intelligent.

Even though the term "cyberwar" is often used far too carelessly (people die only in real war), the threat posed by online crime has become immense. Security Information and Event Management (SIEM) gives you effective means against it and helps you to no longer be limited to purely reactive action. In this webinar we talk with you about new approaches in this area.

Blog

2012 - Another one like the other ones

Happy New Year! At least, I sincerely hope the new year will be a happy one. But – at least in the Identity and Access marketplace – I fear it will be more of the same with banner headlines touting security breaches, insider scams and worse. Without further ado, here’s what my crystal ball sees coming down the pike in 2012. Phishing ramps up, especially spear-phishing Phishing is the hacker’s “art” of getting authentication and/or identity information through social engineering methods. Typically this is done via email (for example, telling you to click a link to keep your bank account...

Executive View

Snapshot: ClusterSeven Enterprise Spreadsheet Manager - 70852

ClusterSeven Enterprise Spreadsheet Manager (ESM) is a so-called “End User Computing Governance and Data Intelligence” solution. End User Computing is characterized by business computing activities performed by End Users, typically executed in spreadsheet applications such as MS Excel, but also desktop applications such as MS Access or other VBA based applications and files such as .CSV (comma separated variable).

Webinar

Jan 26, 2012: Privacy by Design

2011 was, once again, a bad year for privacy as data breaches releasing usernames, passwords, credit card details and even medical records continued to make news right through the end of the year. Time has proven that no amount of imposed regulation can protect privacy in the face of a determined hacker. What’s needed is what’s called Privacy by Design. Join us in this webinar, where Senior Analyst Dave Kearns will discuss with Ontario's Information and Privacy Commissioner Dr. Ann Cavoukian, who originally developed the privacy by design concept, and with McAfee Chief Privacy Officer...

Webinar

Feb 02, 2012: Back to the ROOTs

In this webinar, Martin Kuppinger first explains the current trends in the market for PxM (Privileged Access, Account, Identity, User Management) and the question of where and how PxM solutions should be connected with the rest of one's Identity and Access Management infrastructure. Following that, Jochen Koehler of Cyber-Ark presents practical approaches to managing privileged identities.

Blog

In retrospect of 2011

Well, the time between the years (usually today referring to the days after Christmas until New Year's Eve - but did you know these were historically the twelve days between December 24th and January 6th which served to align lunar and solar calendar years? But I am getting too much off-topic...) is used to reflect about the year passed. There are a few things and events that absolutely impressed me in 2011, which I like to talk about a little! First, there was the spring event European Identity Conference (EIC - www.id-conf.com) which had a great impact from my personal point of view. I...
