Kuppinger Cole + Partner

Kartenbetrug für Banken und Sparkassen alles andere als “Peanuts”

Tue, 16 Mar 2010 23:36:03 +0100

Eines der bestgehütetsten Geheimnisse der Kreditkartenbranche wurde gestern Abend ganz nebenbei auf einer Informationsveranstaltung in München gelüftet. Monika Kummer, Abteilungsleiterin Risikomanagement bei der Bayern Card-Service GmbH (eine Tochter der Bayerischen Landesbank und der Bayerischen Sparkassen) bezifferte auf einem Infroabend für Journalisten den Schaden, den Kartenbetrüger Jahr für Jahr anrichten, auf zwischen 0,2 und 0,3 Prozent vom gesamten Kartenumsatz. Dieser betrug bei BCS 2009 rund 16 Milliarden Euro. Gauner haben also rund 32 Millionen Euro erbeutet – Peanuts., könnte man meinen, jedenfalls aus Sicht der Bankenwelt.

Weit gefehlt! Die Banken verbuchen ja nur einen kleinen Teil des großen Umsatzkuchens als Provision, nämlich etwa 1,2 Prozent. Den Rest der Provisionen (zwischen 3 und 6 Prozent, je nach Kartengesellschaft und Vertragsmodell des Händlers) kassieren so gennannte Acquirer, die direkt mit dem Händler und später mit den Banken abrechnen. Im Klartext heißt das: Mindestens ein Fünftel ihres Provisionsumsatzes verlieren Banken und Sparkassen durch Kartenbetrug! Erdnüsse sehen anders aus.

Als wäre das noch nicht schlimm genug, stehen die Banken unter massivem Druck der Europäischen Union, ihre Bankgebühren bei grenzüberschreitenden Kartenzahlungen, die so genannten “Interchange Fees”, drastisch abzusenken. Bereits im Dezember 2007 hatte die EU-Kommission millionenschwere Gebühren von Mastercard gekippt und den Konzern unter Androhung eines Bußgeldes zur Vorlage eines neuen Gebührenmodells verdonnert. Im März 2008 war Visa an der Reihe: Die Kommission eröffnete gegen sie eine Kartelluntersuchung, an deren Ende ein saftige Bußgeld hätte stehen können.

Im April 2009 senkte schließlich Mastercard ihr Interbankenentgelt bis zur abschließenden Klärung des Streits durch den Europäischen Gerichtshof. Im Gegenzug verzichtete die Kommission einstweilen darauf, ein Verfahren gegen die Kreditkartenfirma zu eröffnen. Es dürfte jedoch klar sein, dass die Banken hier weitere Einbußen werden hinnehmen müssen. Sagen wir ein Prozent? Dann aber legen sie nach Abzug der Betrugsverluste sogar drauf beim Kartengeschäft.

Die Kreditkarte sei in Deutschland “immer noch ein Produkt der Zukunft”, sagte gestern Abend Günther Tittel, Direktor des Sparkassenverbands Bayern. Wenn die Banken und Sparkassen kein Mittel finden, um den Abfluß ihrer Gewinne durch Kartenbetrug zu stoppen, wird es wohl auf Dauer so bleiben.

Allerdings hat die BCS noch ein paar Pfeile im Köcher. So plauderte Monika Kummer aus dem Nähkästchen: Ihre Organisation arbeitet an einem System, das jeden Kartenbesitzer automatisch per SMS benachrichten wird, sobald er eine Zahlung in einer bestimmten Höhe getätigt haben soll. “Wenn es nicht stimmt, kann er sofort Einspruch einlegen”, sagte sie. Außerdem prüft die BCS, ob es möglich sei, Zahlungen aus Risikoländern ganz zu sperren, und zwar auf der Grundlage des índividuellen Zahlungsverhaltens. Der Kunde soll selbst festlegen können, aus welchen Ländern die Kartengesellschaft Zahlungen akzeptieren soll und aus welchen nicht.

Angesichts der drohenden Kostenlawine durch steigenden Kartenbetrug wird klar, warum die Banken und Sparkassen diesem Thema einen so hohen Stellenwert einräumen. Wer macht schon gerne Geschäfte, bei denen er drauflegen muss? Dem Kunden kann es ja egal sein – er ist gegen Betrüger versichert.

04.05.2010: EEMA Public Workshop: Cloud Computing Services

Tue, 16 Mar 2010 11:13:18 +0100

In Kuppinger Cole + Partner

This Cloud Computing introduction and tutorial is invaluable for delegates who wish to learn and increase their knowledgebase. It is aimed at all stakeholders who have an influence on policy and the impact on commercial and business applications and services.
more

Vendor Report: Cyber-Ark

Mon, 15 Mar 2010 00:00:00 +0100

In Kuppinger Cole + Partner

Cyber-Ark hat sich als einer der führenden Anbieter im Bereich von Privileged Access Management (PAM) etabliert und dürfte derzeit die größte funktionale Breite im Markt aufweisen. Darüber hinaus bietet das Unternehmen Lösungen für den sicheren Transfer von Dateien und den Umgang mit sensiblen Dokumenten an. Das Unternehmen wurde 1999 gegründet und ist durch Investoren finanziert worden.

Das Kernprodukt ist die Cyber-Ark Privileged Identity...
more

Versatile authentication – break-through for mass adoption of strong authentication?

Thu, 11 Mar 2010 11:57:54 +0100

In Martin Kuppinger

Versatile authentication is one of the hot topics in IT – more and more vendors start to support it in some way or another. Versatile, a not that common term, means the ability to flexibly switch between different authentication methods. In practice, versatile authentication solutions shall support at least the following features:

Flexible use of different authentication methods.
Simple plug-in of additional authentication methods, e.g. extensibility.
Flexible interfaces for applications OR integration with existing technologies which interface with other apps.
Support for step-up authentication and other more advanced approaches.

Other aspects like fallback methods, management support for handling the token logistics and so on are value-adds, depending on the implementation of the versatile authentication technology.

The business value is easy to describe: Reusing existing strong authentication technologies for more use cases makes things cheaper. Being able to use expensive very strong authentication where required but relying on other, cheaper, and appropriate technologies in other use cases reduces costs. Logistics for reused strong authentication technology is cheaper. All use cases, including external users like customers and suppliers, can be supported.

The interesting question is about where to add versatile authentication. There is an increasing number of approaches where we observe versatile approaches:

Specific platforms for versatile authentication: These tools frequently are provided by vendors of strong authentication technologies to enhance the flexibility of their solutions. Sometimes they are part of the context-/risk-based authentication market.
Enterprise SSO: Given that E-SSO is a point of authentication to many applications, it makes sense to support versatility there – to allow a strong, graded authentication to different applications.
Core OS: The primary authentication is another area. What has been common in Unix/Linux environments for a long time is well supported in Windows environments since Windows Vista as well, replacing the error-prone, inflexible GINA approach. In fact that is versatility built into the OS.
Web Access Management: Another SSO point, counterpart to E-SSO.
Context/Risk based authentication platforms: They usually support as well at least some degree of versatility.

Overall, supporting versatile authentication is more and more a standard feature and the “versatility” of platforms for authentication is, from my point of view, an important point when selecting vendors. Hard-coding strong authentication into applications doesn’t really make sense anymore.

Going one step further and looking at the title of this post: Yes, I think that versatile authentication is the key to mass adoption for strong authentication because it allows for reuse and flexibility. Instead of deciding on one approach, which either is sort of “overkill” for many use cases and leads to high costs or isn’t secure enough for other scenarios, there can be a mix of technologies. And, beyond that, there is a much easier fallback (think about forgotten/lost tokens) and step-up (think about high-value transactions and access to very sensitive information). Customers can be integrated easier with simpler approaches like soft-tokens, using stronger technologies only in specific scenarios. And new approaches like the upcoming German nPA (national electronic ID card) might be integrated easily as just another approach for strong authentication. And especially the upcoming eID cards in many countries are a strong authentication mechanism which will be widely available.

Thus: When thinking about any investment in strong authentication, don’t forget to build this on a versatile approach.

We will discuss the topic at EIC 2010 - and there will be an interesting webinar as well soon.

Product Report: Axiomatics Policy Server and Policy Auditor

Thu, 11 Mar 2010 00:00:00 +0100

In Kuppinger Cole + Partner

This product report covers the Axiomatics Policy Server and the accompanying Policy Auditor. These products fall into the category of Entitlement Management solutions. They use the XML-based XACML standard – Extensible Access Control Markup Language – to define authorisation policies and make access control decisions. Agents are available for the Java and .NET platform that work together with the Policy Server in order to enforce the policies.

Axiomatics has distinguished...
more

15.04.2010: Access Governance: Implement Processes, Reduce Business Risks

Tue, 09 Mar 2010 16:23:02 +0100

In Kuppinger Cole + Partner

As the demand for user access increases, IT security organizations run the risk of not being able to meet the needs of the business for timely and compliant delivery of access. In this webinar, you will learn, how operational efficiencies in access administration can be achieved while enabling sustainable compliance with regulatory requirements.
more

26.03.2010: Managing Cloud Security and Cloud Risk

Tue, 09 Mar 2010 09:13:20 +0100

In Kuppinger Cole + Partner

Martin Kuppinger will discuss in this presentation risk-based approaches to manage cloud security. The issue, from his perspective, isnt that the cloud is inherently insecure. The real issue is to deal in appropriate way with the specifics of the cloud which includes not only security but as well related issues like availability. In this presentation, Martin Kuppinger will talk about aspects like authentication and authorization in cloud environments, cross-cloud governance approaches and...
more

26.03.2010: Identity, Security, Governance for the Cloud Who is Who? A Market Overview

Tue, 09 Mar 2010 09:08:59 +0100

In Kuppinger Cole + Partner

There is an increasing number of offerings around Identity Management, Cloud Security, and Cloud Governance in the market. Some of these are well-known and established, others are new. Martin Kuppinger will provide an overview of the different elements of cloud security (for private, hybrid, and public clouds) and a structuring of that emerging market(s). This presentation provides insight into what is there and what is missing from a KuppingerCole perspective.
more

26.03.2010: Cloud Management Sufficient to Mitigate Security Risks?

Tue, 09 Mar 2010 09:04:04 +0100

In Kuppinger Cole + Partner

There is an increasing number of tools to manage cloud environments. Some are, in fact, more tools to manage virtualized environments, whilst others focus more on service management issues. More and more of these tools promise to support hybrid environments as well. However the question arises whether security is covered sufficiently by these tools. The panel will discuss the state of cloud management with respect to the security requirements.
more

25.03.2010: The Internal Cloud What are the Risks Involved and how to Avoid them?

Tue, 09 Mar 2010 09:00:58 +0100

In Kuppinger Cole + Partner

Many companies are telling that they tend to start with a private cloud instead of going to the public cloud. Besides the question whether hybrid IT environments arent reality today, this panel will discuss the specific security risks of internal clouds, especially around the changes from physical to virtual environments, but as well with respect to more loosely coupled IT environments and their new threats which are in fact not that new, given that we have some experience on loosely...
more

25.03.2010: Cloud Computing Standards - Which ones are Already there and which ones are Missing?

Tue, 09 Mar 2010 08:52:39 +0100

In Kuppinger Cole + Partner

There are many standards out there for the cloud. SAML (Security Assertion Markup Language) for federation, SPML (Service Provisioning Markup Language), and many others. But there are as well many standards missing, either directly related to security or in some relation to security like service management standards, given that SLAs (Service Level Agreements) and service descriptions are a key for measuring service fulfillment and thus managing risk and security issues. Obvious shortcomings...
more

25.03.2010: Cloud Computing is it Really a Risk?

Tue, 09 Mar 2010 08:47:01 +0100

In Kuppinger Cole + Partner

Cloud Computing frequently is discussed mainly as a security risk. However, there is as well the view that the cloud is or might be more secure than on-premise IT solutions. Martin Kuppinger will look at risks of cloud computing, the status and outline the points which you should look at when considering a move to the cloud or moving additional services to the cloud. In contrast to most other information on that topic available today, the presentation will also look at solutions for these...
more

The business of business is trust

Tue, 09 Mar 2010 08:25:38 +0100

In Tim Cole

Who’s pulling the cart on data protection? At least in Germany, that has traditionally been government’s role, and that has made the German regulatory environment one of the fiercest in the world for foreign enterprises and organizations. U.S. companies in particular are often reluctant to engage in the German market for fear of running afoul of the strict laws, but the same actually goes for the EU as a whole. Witness Amazon Web Services decision to build two separate clouds, one (based in Dublin) for Europe and another for the rest of the world.

So it may come as a surprise to hear a voice raised in Germany demanding a whole new deal on data protection. Sven Gábor Jánszky is the founder of 2B Ahead, a think tank based in Halle, a backwoods town in the wilds of former East Germany. Presumably that gives him enough time to think deeply about serious issues such as Digital Identity.

His solution may sound simple – let business take care of it – but it isn’t. And especially coming from someone in the typically paternalistic Old Europe, it’s downright seditious.

And what is even more surprising was that ARD, the largest German TV station, gave Mr. Jánszky a spot on its prime time “Tagesthemen” news show to voice his opinion. “We need to reinvent data protection”, he told an audience of millions of German watchers, “and business, especially the IT business, needs to take the lead.”

How often do identity gurus in the U.S. get to air their views on “60 minutes”?

Anyway, Jánszky thinks that the concept of the state protecting people’s privacy is so 20th century. “They want to share their personal information”, he believes, and it’s the job of business to help them do it in a controlled fashion. He thinks it’s high time the industry takes the lead in creating a system that will allow everyone to distribute personal information freely, but retain a final say in where it goes and how it’s used. For starters, he says, companies should provide users full disclosure on what data about them they have stored. This would be a first step towards establishing a trust relationship, and that is something any company should be interested in. Trust leads to loyalty, and that means return customers and more moola in the till.

The role of government, Jánszky says, is simple: Stop trying to build walls around the consumer and instead focus on passing laws that enable companies to use personal information, provided they do so in a responsible way and with the full content and oversight of the consumer.

This may not sound exactly new to some within the identity community. But then, has anybody been on national TV lately to espouse their views? The Germans may be behind (or ahead, depending on your point of view) in terms of draconian privacy laws, but at least they have a public discussion going. Wonder where it will finally lead…

Sebastian Rohr: Can authentication be both strong and flexible?

Mon, 08 Mar 2010 08:49:41 +0100

In Kuppinger Cole + Partner

Whether you want to place a bid at eBay, check your bank balance online or your credit rating at Schufa or Experian, or access your corporate SAP account: Instead of asking you to please enter your user name and password, chances are the system nowadays will demand some other method of authentication like a token or a smartcard, or it may offer to scan your finger or iris.
more

Market Overview Strong Authentication

Mon, 08 Mar 2010 00:00:00 +0100

In Kuppinger Cole + Partner

For companies and their employees as well as for online-services and their customers respectively, authentication with username and password are no longer considered bearable. The multitude of user accounts and the increasing complexity that passwords are expected to have, simply brought this mode of authentication to a point where users and administrators are no longer able to cope with it. Be it the increased level of security, a.k.a. authenticity, required by the service provider, or...
more

Back to the basics – you still need “core IAM”

Wed, 03 Mar 2010 13:18:38 +0100

In Martin Kuppinger

In these days the industry talks a lot about IT GRC, Risk Management, Access Governance, Identity for the Cloud, and so on. However, we should keep in mind that the vast majority of organizations still have to do a lot of homework around basic Identity and Access Management. And, even more: That’s the foundation for many of the other things like Access Governance, because it’s not only about auditing but as well about managing (and, honestly, it’s much more about managing and enforcing preventive controls than of auditing in a reactive way, isn’t it?).

Thus, you shouldn’t ignore Identity Provisioning, Virtual Directory Services (still one of the most valuable technologies in IAM and one of the best hidden secrets at the same time), or Enterprise SSO. You will find a lot of Podcasts of Webinar recordings at our website. Thus, I won’t analyze everything around that but focus on some few points why we still should consider the core IAM market as relevant:

Provisioning tools have matured over the past years – and they support many of the “new” features like access certification frequently. Thus you can do a lot of things relying only on these “basic” tools instead of adding too much on top of them. Not all, but a lot. That has to be carefully analyzed but in several cases, one tool definitely is the better solution than multiple tools. That’s like in real life: There are advantages for the multi-tool, there are advantages for the specialized tools.
If you look at the market, than there are relatively few really big organizations. Most of them have some IAM. But, correctly, most of them have more than one IAM approach and implementation. Thus, they have integration issues which is an important market, with many architectural options to solve this. And, beyond that, in these large organizations you frequently can observe a tendendy to implement some point solutions in some areas – for example an additional provisioning tool for some specific systems. Given that, there is still a lot of work to do and a lot of potential, for example in providing the provisioning tool which integrates other provisioning tools.
The medium-sized businesses frequently don’t have much provisioning and other IAM solutions in place. Thus, there is a huge market opportunity, as well for on-premise as cloud-based solutions.
Some implementations might be worth a review with respect to today’s requirements and solutions. There is always room for updates and even replacements.

The reason why there is somewhat fewer attention of the marketing departments of vendors on that segment (at list when looking at some vendors which have not only provisioning) is simple: Provisioning is hard to sell. E-SSO is easier to sell. Access Governance might be even easier than that. Thus, looking at the low-hanging fruits instead of focusing on products with a long sales-cycle and a lot of competition, appears to be logical from a sales perspective. However, that leaves a large portion of the market blank and it doesn’t fill the pipeline sufficiently for a time where the low-hanging fruits might have been picked.

It’s not up to me to judge about vendor marketing and sales strategies. But it is interesting to observe what is happening in the market. And that might be one reason for the relative success of several of the smaller vendors in many markets (by the way: some large vendors are very active in the “classical” segments – innovative, focused,…).

From a customer perspective, the buzz and fuzz around the new topics might divert the focus from the things which have to be done as a foundation, on which other things can be built. Thus customers always should keep in mind that they can’t be successful without doing their homework. And that includes to provide a solid foundation for provisioning – with an adequate architecture for the customer’s requirements. I’ll blog about these architectures soon but you might as well look here - I’ve touched the topic in this webinar.

Don’t miss the European Identity Conference 2010 and its Best Practice presentations to learn more about this. See you in Munich, May 4th to 7th.

Why IPv6 might benefit from European and German privacy regulations

Wed, 03 Mar 2010 11:24:58 +0100

In Martin Kuppinger

Yesterday, the German Federal Constitutional Court declared the German law on “Vorratsdatenspeicherung” for illegal. That wasn’t a real surprise, given that this is overall well aligned to other decisions of the Federal Constitutional Court. Two interesting annotations: There where some 35.000 suitors against this law. And the German Minister of Justice, Sabine Leutheusser-Schnarrenberger, was amongst them. She started the law suit when being in opposition – right now she had the interesting situation that there was a lawsuit by her against Germany, represented by her – so she would have been a winner in that case anyway.

The law on “Vorratsdatenspeicherung” (a nice term, isn’t it, as long as the name of the Minister of Justice) is about the collection of data at ISPs and other types of service providers – about connection logs in internet and telephony services. They had to be kept for six months to allow investigations. The law has been formulated based on an EU guideline, but exceeded the minimum requirements of that guideline. The fact that this law has been declared illegal might affect as well the EU guidelines because they are critizised not only in Germany but in other countries as well, it probably will affect other instances of massive and undifferentiated data collection of the German state.

The Federal Constitutional Court doesn’t forbid the collection of information. However, the current law didn’t fulfill the requirements of data security, didn’t comply with some other laws (like the protection of preachers, doctors,… and their confidentiality requirements), and didn’t restrict the use of the information sufficiently. Interestingly, the Federal Constitutional Court also decided that the information has to be deleted immediately (or at least as fast as possible), thus the decision goes beyond other decisions which allowed the government to first improve the law, without changing the status quo.

After the decision of the Federal Constitutional Court had been unveiled the discussions about the next steps started immediately – and that’s where IPv6 comes into play. Within its decision, the Federal Constitutional Court declared that connection data of churches, some governmental organizations, and other specified parties must not be stored. That led to the argument of the lobbyists of the “internet economy” (e.g. ISPs and so on) that this can’t be implemented. Given that IP addresses are usually assigned dynamically it wouldn’t be feasible to exclude some groups. But, honestly, that isn’t true. It is true as long as you rely on IPv4 and dynamic IP addresses (and given that they are limited, we have to). But it isn’t true with IPv6. With other words: When relying on IPv6, you can comply with the decision of the German High Court. Given that the technology supporting IPv6 is out in most areas – client operating systems, servers,… – at least in most cases, the answer is simple: Finally switch to IPv6 as the standard protocol and you’re done. Overall, we’ve been waiting way to long for IPv6 becoming the primary protocol and IPv4 being used only for backwards compatibility. This decision, with its impact on the entire European legislations in that field, thus might become a push towards IPv6.

24.03.2010: Beyond Simple Attestation How to Really Keep Your Access Under Control

Wed, 03 Mar 2010 08:36:56 +0100

In Kuppinger Cole + Partner

Attestation should not be a point solution, but an element within a larger information security architecture. In this Webinar, we will talk about where access certification is today and what is changing and what has to change. We will describe maturity levels with respect to access certification and will focus on the relationship to risk management and to overall IT governance.
more

Felix Gaehtgens: Microsoft releases its privacy-enabling U-Prove technology

Tue, 02 Mar 2010 15:31:44 +0100

In Kuppinger Cole + Partner

Microsoft has just announced the availability of U-Prove - an innovative privacy-enabling technology that it acquired almost exactly two years ago. This is a significant announcement, because of two reasons: first of all, the technology is in our opinion a gigantic enabler for many applications that have been held back because of privacy concerns, and second because Microsoft is releasing the technology to the world under its "Open Specifications Promise", allowing anybody to use and...
more

18.03.2010: Making Security Stronger Yet Easier to Use

Tue, 02 Mar 2010 00:32:42 +0100

In Kuppinger Cole + Partner

While companies are moving toward growth in 2010, IT budgets are still under intense scrutiny. IT departments are being asked to keep their networks and applications secure while still allowing end users to not be weighed down by policies and time consuming procedures with often a reduction in funds. In this webinar we will discuss about frequently unseen and very significant saving potentials through connecting enterprise-SSO and strong authentication with your existing infrastructure.
more

What business has to learn so that IT can align

Fri, 26 Feb 2010 12:17:15 +0100

In Martin Kuppinger

We’re talking a lot about the need for IT to align with business. But it’s not about a one way road. There is no doubt that IT has to think much more “business”. Risk focus (here and here), performance management, the understanding of IT as Information Technology instead of Information Technology, the path towards an ERP for IT,… I think that many CIOs and CISOs are well aware of this and many of them are working towards that goal.

However, if I look at the business side, it appears to me that IT still is somewhat ignored when it is about alignment. Two examples out of many from my practice:

When talking about GRC initiatives at the IT level, customers frequently complain about risk management initiatives with focus on organizational risks where they are not even able to start a discussion about integration. However, any IT risk is just a risk because its associated with organizational and (sometimes) strategic risk. Thus, you can’t ignore the IT risk perspective from an “Enterprise” GRC perspective (which, by the way, is sort of an arrogant term, ignoring exactly the fact I’m discussing here – “Business GRC” would be much more appropriate). You can’t run a business without IT. It’s part of the operations. And IT risks might have severe impact on your overall business performance – look at fraud in financial institutions, data theft, and so on.
When talking with the Business GRC vendors – look at the upper layer here – some of them (not all!!!) show an attitude of “we’re doing the relevant business GRC instead of the irrelevant IT things” and claim that they don’t need to provide integration or to support the IT part of the business.

However, given that IT is an important part of every business (the German Bafin – the government agency responsible of auditing and controlling the financial institutions – explicitly claims that IT is a core part of banking business and has to be understood that way), that means ignoring risks. And, even more, it means ignoring that there are elements in risk management which are provided by IT. You need automated controls besides the manual controls. And all the Business GRC tools are IT tools, by the way.

The problem from my perspective is that as well some vendors as many responsibles in the organizations don’t want to play with the IT guys. However, they could not only do a much better job by better executing their controls but they as well could do their job correctly, by really adressing the whole breadth of (operational and strategic) risks.

That’s just one example where business has to learn to better align with IT – and it’s not the only one. Look at the description of business services. For sure there has to be a translation into IT services at some point of time. But before you can do that, you have to have something which can be translated. And frequently, the problem isn’t the translation but what has to be translated. If the original text isn’t sufficient, the translation result never will be. Everyone dealing with software development probably has made this experience: Many issues in software development are caused by an insufficient descriptions of the requirements.

I think that it is time that not only IT understands that it exists only because it provides value to the business but that businesses rely on IT and thus have to align with IT. And that Business/IT alignment is definitely not only something where IT has to learn a lot. Businesses have to do as well – to understand the operational impact of IT (and IT risks), to describe their service requirements, to accept that the operational risk associated with an IT risk has to be balanced with the opportunities of a business service. Just think about all the insecure applications we have in organizations just because a department required them and IT security concerns have been ignored. That has not only been because IT wasn’t able to translate the IT risk into an operational risk – it has been as well because business didn’t understand IT.

Thus, both have to learn. And sometimes it appears to me that business has to learn even more than IT. Not only the people within organizations, but as well the consultants at the different levels. So if your consultant for risk management hasn’t yet covered the operational impact of IT risks and how to deal with that, you should ask him why – and if he doesn’t provide a valide answer, you should re-think the engagement…

Tim Cole: Barcelona Deja-vu

Thu, 25 Feb 2010 09:16:48 +0100

In Kuppinger Cole + Partner

Its the phone industrys dirty little secret: As humble handys (as Germans quaintly persist in calling mobile handsets) morph themselves into miniature editions of full-fledged computers, the danger of its being attacked by hackers or compromised by malware is growing, cancer-like and unseen. And while many people were discussing security issues this at this years GSMA Mobile World Expo in Barcelona, they did so mostly in a whisper.
more

Ever had trouble securely sharing data with business partners?

Wed, 24 Feb 2010 19:23:10 +0100

In Sebastian Rohr

Coming from a network security background, for me “IPSec 3DES VPNs” seemed to be the solution for secure data transfer between business partners for quite a long time. Over the years, with more experience, I naturally found out that this was not the solution for all use-cases and scenarios these crazy folks called “customers” came up with. Nonetheless, when SSL-VPNs became en-vogue I hesitated to join the choir of supporters. While I fully understand and support the idea of a more flexible, more application or user-centric approach due to the gain in usability, I still love my “old VPN client” when connecting to the company resources.

During the last 13 month two projects kept me busy, that changed my personal perception of what one may need to be happy regarding secure access to resources and secure file transfer. One of those is largely related to “Cloud Computing” as such, and using//processing company data which is not stored inside my brick + mortar, perimeter secured, firewall protected company server but somewhere in the “internet”. Making sure only the right person with the right credential accesses this data makes me want to use strong authentication, but few of the Cloud service providers do offer such an additional layer of protection.

The other project was based on very Information Society 1.0 processes – the need to secure and protect the personal subscriber information of periodicals and daily newspapers that are exchanged between the publisher and the logistic service provider who manages the delivery of above mentioned print products – even if the subscriber is on vacation in Spain or recently moved to new address. These transfers are conducted between separate systems, distributed all over Europe. As most of these application systems are build individually, no real data standard is established. As the number of parties involved is high and participants change frequently, classic VPNs are out of question (and possibly “too expensive”). Thus, the need to protect data transfer (yes, it is based on FTP!!!) is obvious. Well, have you ever tried to create a solution that acts both as a server AND a client and supports FTP, sFTP, FTPS and other cryptic siblings of the FTP protocol? No? Well, you should not!

The “cure”?
Being a big fan of hardware, a.k.a. token-based, strong authentication mechanisms, vendors of non-hardware based mechanisms usually have a hard time convincing me that it is worthwhile paying attention to their product briefings. MultiFactors´ Garret Grajek was one of those CTOs whom I was giving a hard time until I finally arranged an appointment for a briefing. What can I say? The approach to using soft-certificates as second factor for authentication and the combination with out-of-band (a.k.a. SMS based) messaging during registration of a computer/session did impress me – because it was so simple and straight-forward! Especially for me, who uses multiple devices in parallel to access e.g. my mail, registering my personal computer at home or my clients´ laptop in the customer network to access Outlook Web Access this really did the trick. Ok, the downside is, I still need to log-in with my AD credentials – but this is something I criticized with Entrusts´ GRID authentication scheme, also (which I love, because it is such a low prized alternative to OTP tokens). Back to my project experience with outsourcing and “Cloud Services”, MultiFactor now has launched a nice extension which makes this approach available for use with services such as SalesForce.com and GoogleApps by leveraging federation technology. Now, I have to admit, this is something one can hardly achieve by using their own smartcard or token based authentication technology – especially not if one frequently changes the machine used. I guess if this approach can be tied into an Authentication Strategy and could possibly be supported by one of the Versatile Authentication Platform solutions, I could be a full supporter of these ominous “soft-tokens”.

Still, this does not help directly with my friends´ subscriber data, that needs to be updated daily. Fortunately, last Friday I had a briefing with nuBridges, a vendor of data protection tools that target both data at rest and data in motion. For the data at rest part, tokenization, scrambling and obfuscation of data – especially sensitive information such as credit card information – can be altered and stored in such ways that unique identification is still possible but leaked data would essentially be worthless. I won´t go into too much detail on this, but my experience with outsourcing and out-tasking applications that also handle payment transactions tells that there is some need for this. I was by far more interested in their secure data transfer solution, called nuBridges Exchange. Again, without going into too much technical detail, this solution provides a nice standard-of-the-shelf product to securely handle multiple parties exchanging large quantities of files in a secure way. Besides support for all varieties of secure data file transfer protocols, the most important fact is the streaming capability of the solution. The files in transfer are not stored on the receiving end of the transfer connection but rather streamed onwards to a protected internal storage system. As the receiving server sits in-between two firewalls and the “inbound streaming” transmission through the internal firewall is initiated by the control server inside the secured area, no open ports need to be put into the internal firewall system. As time for a first briefing usually is insufficient to go into much detail, I was unable to investigate the architecture and implementation further, but both management interface, report dashboard and the availability of a self-service portal for the business partners made a rather good overall impression. I am looking forward to further investigate these solutions and for sure will take a closer look at their Exchange Network service, also – especially as protecting credit card data at the point-of-sales and between PoS and central merchant systems seems to be attracting the attention of auditors lately.

What do you think about protecting data transfer and authentication/authorization strategies in a Cloud-environment? Let me know!

Gerry Gebel joins Axiomatics

Fri, 19 Feb 2010 17:40:43 +0100

In Felix Gaehtgens

My friend Gerry Gebel, long time Burton Group analyst is joining Axiomatics to ramp up the company’s US presence. I received an email from him that started by saying “I thought I would give you a nice surprise on a Saturday morning”… and indeed what a surprise that was!

I can definitely understand Gerry’s choice for Axiomatics. The company is new, up and coming, full of very smart people and way ahead of everyone else in the area of authorisation/access management. Axiomatics comes at the top places in my own personal “favourite innovative companies” list, together with Unbound ID, the latter continuing to amaze me by their determination (and skill!) to redefine directory services from the ground up and “do it properly”. Both Axiomatics and Unbound ID will in the near future surely conquer the Identity Management world as we know it! OK joke aside

Speaking of Axiomatics, the timing (for me, personally) was actually quite interesting, as I have just finished a report on the company’s “Policy Server” and “Policy Auditor”. This is due to come up on our site within the next week. The report focuses on strengths and weaknesses of the products, the contexts in which it is most useful, the areas in which it is way ahead of its competitors and where it still needs to catch up.

I’ve also had the pleasure of doing a few Webinars (here and here) with Axiomatics and also interviewed Babak at last year’s EIC. So congratulations both to Gerry and to Axiomatics, a great team has gotten another great addition!

Martin Kuppinger: GRC and IT Security - where is the link?

Thu, 18 Feb 2010 15:51:11 +0100

In Kuppinger Cole + Partner

GRC became one of the really hot topics in business and IT, especially in larger organizations, over the course of the last few years. However, there is a lot of confusion about the terms associated with GRC. In many organizations, few people have a clear view of what GRC involves and requires, and few organizations have an organizational structure for GRC with clearly defined responsibilities. Of these organizations, many have limited their GRC initiatives either to some aspects like...
more

04.05.2010: Kantara Initiative Public Workshop: Making the World Safe for User-Managed Access

Thu, 18 Feb 2010 10:08:01 +0100

In Kuppinger Cole + Partner

This workshop will review User Managed Access (UMA) benefits, use cases, progress to date, and next steps. It is co-located with the European Identity Conference. Registration for the workshop is free.
more

Approaches to secure your data in databases

Wed, 17 Feb 2010 11:46:47 +0100

In Martin Kuppinger

Last week I had an interesting briefing with IBM regarding their Guardium acquisition. With that acquisition of a company specialized on database security, IBM becomes the second large vendor investing in that area, following Oracle who has Database Security products in its portfolio for some years now. The IBM/Guardium deal fits pretty well in the current time, when looking at the increasing problem of information theft. Besides IBM and Guardium there are some smaller vendors in that market which I will cover in another post near-time.

IBM Guardium, in contrast to the Oracle approach, is not tied to a specific database management system but works as an external solution. There are obviously pros and cons for both approaches. Performance, administration, flexibility regarding the defined policies and other aspects differ significantly. Thus, before choosing solutions, a detailed analysis of these approaches should be performed (and KuppingerCole will provide a market overview for database security around April which might be a good starting point for such an analysis).

The entry of IBM in that market shows an increasing maturity and relevance of this particular IT market segment. And it raises the question of which role database security can play within IT security. From my perspective, it is an interesting area which is mandatory to protect sensitive information. Information in databases is at risk, and cases like BKK or the stolen data from Swiss banks offered to the German government prove that. However, this is just one element within an IT security strategy focusing on authorized access to data. Securing the database with the wrong policies or with giving away privileged accounts to untrustworthy parties won’t help much. Thus, database security projects never ever should be driven by the database guys but must be understood as an element within IT security blueprints. Only a consistent approach to security will really reduce the security risks and thus the related operational risks.

Even more I think that database security always will be somewhat limited in its scope. Once data is outside the database, it doesn’t protect the data anymore. On the long run we might have to fundamentally rethink the concepts of today’s databases and make them “security-aware”. What do I mean by that? Data within databases should be inherently protected. Think about applying concepts we find today in Information Rights Management (IRM) at the document-level at a much more granular level to data within databases, ensuring that any record (or part of a record) can only be accessed according to defined policies. Such an approach would have massive impact on the existing technology. How to index? How to deal with encrypted information? How to define these policies? However, if you look at database security from a very fundamental point-of-view, it becomes obvious that applying database security to existing databases won’t fully solve the problem because it is only about “data at rest”.

Nevertheless I think that any organization has to think about implementing database security in the meantime, until we have better solutions sometimes in the far future – I’d expect fundamental changes to database technology to take at least 10-15 years to become ready for mass adoption. It might take even a little longer. To cite John Maynard Keynes, the famous economist who focused on theories with a short-term view when being critized for not looking at long-term evolutions: “On the long term we are all dead”. Given that, short-term we should evaluate and implement existing database security approaches, rethink the authentication and authorization approaches within databases (using the GRANT statement a little bit more detailed…) and integrate this with our overall IT security and governance approaches (and especially IAM). In the meantime, the vendors have to think about how to do the next fundamental step to make DBMS inherently security-aware.

What you could do with stolen data – a squib

Wed, 17 Feb 2010 11:21:08 +0100

In Martin Kuppinger

Last week, the German health insurance company BKK had to unveil a severe information leak. The company has become blackmailed because someone had stolen masses of sensitive patient records. Besides the fact, that the way that this happened shows an astonishing carelessness when dealing with IT security and privacy at the BKK and raises many questions (see below), there are some interesting new options for the German government to work with this data.

You could for example take such patient records and combine them with the recently acquired stolen data from Switzerland about potential tax fraud. If you take for example people who recently showed insomnia or started bed-wetting, that should be fully sufficient for an initial suspicion by the attorneys. And that is just the tip of the iceberg. There are so many other interesting opportunities of combining patient records with other types of information… Thus the thief probably should have approached the German government instead of the BKK. They are always willing to buy stolen things and to make use of that, like they have proven recently.

Some words about the BKK case itself: The BKK had outsourced some tasks to a call center. There hasn’t been an auditing about the privacy, IT security, or data protection approaches of that outsourcer. In fact, it appears that there have been other outsourcers and freelancers involved. Besides this, there was an IT company involved which did the support for the outsourced call center. The employees of that IT company had some privileged accounts with access to massive amounts of sensitive patient records.

Overall, there has obviously been a lack of understanding of IT security and privacy issues I seldomly have seen before, at least not in the healthcare and finance industry. No valid concept for differentiated access controls, no privileged access management, no data leakage prevention, nothing. Incredible – but true.

Identity Management is key to Smart Grid Security

Wed, 17 Feb 2010 11:15:31 +0100

In Joerg Resch

In 10-12 years from now, the whole Utilities and energy market will look dramatically different. Decentralization of energy production with consumers converting to prosumers pumping solar energy into the grid and offering their electric car batteries as storage facilities, spot markets for the masses offering electricity on demand with a fully transparent price fixing (energy in a defined region at a defined time can be cheaper, if the sun is shining or the wind is blowing strong), and smart meters in each home being able to automatically contract such energy from spot markets and then tell the washing machine to start working as soon as electricity price falls under a defined line. And – if we think a bit further and apply Google-like business models to the energy market, we can get an idea of the incredible size this market will develop into.

These are just a few examples, which might give you an idea on how the “post fossile energy market” will work. The drivers leading the way into this new age are clear: energy production from oil and gas will become more and more expensive, because pollution is not for free and the resources will not last forever. And the transparency gain from making the grid smarter will make electricity cheaper than it is now.

The drivers are getting stronger every day. Therefore, we will soon see many large scale smart grid initiatives, and we will see questions rising such as who has control over the information collected by the smart meter in my home. Is it my energy provider? How would Kim Cameron´s 7 laws of Identity work in a smart grid? How would a “grid perimeter” look like which keeps information on the usage of whatever electric devices within my 4 walls? By now, we all know what cybercrimes are and how they can affect each of us. But what are the risks of “smart grid hacking”? How might we be affected by “grid crimes”?

I think, these are questions which should be discussed interdisciplinary. If anybody would like to contribute to such a discussion, which I am trying to include into this year´s EIC 2010 agenda, please propose!

EIC 2010 Keynote: The Irreversible Collision of Technology and Business Risk – from Drew Bartkiewicz

Sat, 13 Feb 2010 18:45:06 +0100

In Joerg Resch

Drew Bartkiewicz, Vice President at The Hartford E&O, Cyber and New Media Liability, just joined the EIC 2010 speaker lineup and will give a keynote on “Unseen Liability - The Irreversible Collision of Technology and Business Risk“. Drew also just has written a book with the same title, which will be published in May.

Sachar Paulus: "Cloud-readiness" What it means for software developers

Sat, 13 Feb 2010 10:13:22 +0100

In Kuppinger Cole + Partner

Everybodys up in the air about clouds, but few seem to really know where theyre heading. Most existing applications arent ready for the cloud quite yet, especially since the realization seems to be sinking in that building security into the cloud is no trivial pursuit.
more

EIC 2010 Agenda Preview

Fri, 12 Feb 2010 13:16:46 +0100

In European Identity Conference Blog

Joerg Resch is writing that the first draft of the agenda for the European Identity Conference 2010 is online:

Some very exciting and controversal strategic views, like for example Munich Re CIO Dr. Rainer Janßen talking about “what business has to learn, so that IT can align”, lots of “real” cloud security topics, many fantastic best practices, and, for the first time this year, combined with a German speaking track (which can be booked separately), dedicated for medium sized companies and public organizations. Stay tuned, I’ll be adding content to the agenda every day.

EIC 2010 Agenda Preview

If you want to have a look before the agenda is officially published, here is the link.

Once again a great speaker lineup – EIC 2010 Agenda Preview

Fri, 12 Feb 2010 12:57:32 +0100

In Joerg Resch

Once again, we are very lucky at Kuppinger Cole, that so many excellent experts from all over the world forward their speaker proposals for the European Identity Conference (EIC), which this year will take place on 4th to 7th May, again in Munich (we will move to a new venue next year!). The agenda is still in draft mode and many things yet have to be added or modified, but if you want to have a first look, even before it is officially published, here is the link: http://www.id-conf.com/events/eic2010/agenda.

Some very exciting and controversal strategic views, like for example Munich Re CIO Dr. Rainer Janßen talking about “what business has to learn, so that IT can align”, lots of “real” cloud security topics, many phantastic best practices, and, for the first time this year, combined with a German speaking track (which can be booked separately), dedicated for medium sized companies and public organizations. Stay tuned, I´ll be adding content to the agenda every day.

Upcoming webcast on desktop virtualization

Wed, 10 Feb 2010 13:27:53 +0100

In European Identity Conference Blog

Martin Kuppinger will be on BrightTalk on February 23 with a webcast on desktop virtualization:

Desktop Virtualization – how will it look in the future?

Desktop Virtualization is a hot topic – no doubt about that. But some of the lessons learned include that backends might become rather complex, whilst flexibility is low. Even while the future is about client-side virtualization, there is no doubt that customers have to be careful when setting their vision, planning their strategy, and executing on this. How to manage these environments? What has client(-side) virtualization to provide beyond the basic image?

Click the link above to register for the webcast.

Simplifying or over-simplifying authentication?

Wed, 10 Feb 2010 11:41:50 +0100

In Martin Kuppinger

My colleague Jörg Resch recently blogged a lot about approaches for “lightweight” authentication and the risks associated with them. There are many companies out there with new or claimed-to-be-new approaches on more or less strong and more or less valid authentication. Whether that’s the approach of isec, of GrIDsure, of Yubikey or one of the many other vendors out there, I doubt that there is the holy grail of authentication amongst. Some of them are definitely interesting, some of them not. Many of them are interesting as one element in an authentication strategy – like GrIDsure, which is OEMed by other vendors as part of their solutions. There is no doubt that many of these solutions can provide value in specific use cases – Multifactor Corp. provides something for and from the cloud, Yubikey is lightweight, GrIDsure as well. There are other approaches where I doubt that they really provide the required usability. I’m not a friend of approaches where you have to recognize pictures or faces, but they appear to have their market as well.

However, what’s really important around all these approaches for strong authentication are two other aspects:

How do they integrate and work together?
Are they adequate to protect the transactions and interactions within a specific use case?

My point is: It is not about choosing the authentication mechanism but it is about choosing the best mix of few mechanisms, depending on your use cases. That requires an authentication (and authorization) strategy. That requires platforms for versatile authentication like the ones offered by vendors like ActivIdentity, Entrust, Oracle, and others. That requires a clear understanding of the risk and thus the security requirements of different use cases. Than it is about choosing the appropriate mechanism or a mix of them, to use step-up authentication if required and so on.

The biggest risk is that authentication is either not usable or to simple. That might happen when relying on a single mechanism. By mixing several ones, things become muh easier.

To learn more about that, you definitely should visit the European Identity Conference in Munich, May 4th to 7th. And there will be a market overview on the strong authentication market by KuppingerCole within the next few days – have a look at www.kuppingercole.com/reports.

From E-SSO to a Holistic Authentication- and Authorization Strategy