Kuppinger Cole + Partner

One issue when dealing with GRC (Governance, Risk Management, Compliance) is that there is no single person which is responsible within organizations. And there is a simple reason for that: There are far too many GRCs out there. Vendors provide completely different offerings using the same acronym. That’s not new, but in the case of GRC, there is even more uncertainty raised than usual in the IT industry.

From my perspective, the solutions might be segmented into four layers:

The so called “Enterprise GRC” which should be better named “Business GRC” or something because the other technologies are as well around the “Enterprise” but sometimes more focused on IT. Vendors in that space are, amongst others, companies like OpenPages, Bwise, Mega. The focus is on business risks and business controls, a high level view and frequently mainly on manual controls.
The layer which is best described with the term “Continuous Controls Monitoring”, which is about looking at specific IT systems and issues from a business perspective. Order processes, delivery status, and such things. Typically there is a mix of automated and manual controls, and some systems focus more on specific enterprise applications (billing,…), whilst others focus more on the consistency of the entire process. Vendors here are, amongst others, companies like SAP (Process Control, Risk Control) and Oracle, mainly for their environments, and such ones like Approva.
The layer which I’d call “specific/specialized GRCs”, amongst which IAM-GRC solutions (sometimes called “access governance”) and SIEM solutions are the most popular ones, even while I’d add several service management tools as well as long as they focus on service fulfillment and the service management process itself. These tools provide much more depth on specific controls, typically only a small subset of all IT controls. IAM-GRC for example focuses on roundabout 4 of 210 COBIT controls, the ones around identity and access. However, the level of automation is significantly higher and controls are much more specific. In each of the segments here we have a lot of vendors.
System-level tools around operations management, system-level auditing, integration of system-level logs and that stuff – tools which really do a deep dive into the access controls of file servers and shares and other aspects.

With a big picture like that, it becomes obvious, that we have several elements within a GRC strategy. Business and IT have to work closely together to define what is needed in which area and how these tools interfere and how they have to be integrated. With this view, the need for a single person as responsible one for GRC diminishes. There are at least two, one at the business and one at the IT level. And there are even more for different “operational” tools at the lower levels.

If companies have defined their big pictures, it is easier for them to identify which tools they need to implement it. And it is easier for vendors to identify the persons to speak with.

More important from my analyst perspective is the first aspect: Companies which don’t have a clearly defined strategy on GRC will most likely end up with a mix of tools, non-integrated, not always providing the required features. Thus: A GRC roadmap and a GRC architectural blueprint are mandatory.

More about the system-level aspects might be heared (for the ones who read this soon) at our webinar today. A replay will be available soon.

Even more information about this topic and especially the IAM-GRC aspects (Access Governance) will be available at the Kuppinger Cole Virtual Conference on this topic December 8th to 9th. Registration for that conference is free.

Tim Cole: Show me your terrorists!

Thu, 19 Nov 2009 11:28:17 +0100

In Kuppinger Cole + Partner

I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: We are sacrificing employee privacy on the altar of anti-terrorism.
more

Pass Your Next Compliance Audit With Confidence

Thu, 19 Nov 2009 00:00:00 +0100

In Kuppinger Cole Podcasts

Bottom-Up or Top-Down or both? What is the appropriate approach to automate auditing on access and reporting on directories and identities and also on mail and file access? In This Webinar, Martin Kuppinger (Kuppinger Cole), Jackson Shaw and Reto Bachmann (both Quest Software) will discuss with you these questions and talk about best practices on how to integrate IT- and business views.
Download

Single Sign On for SAP Environments

Wed, 11 Nov 2009 00:00:00 +0100

In Kuppinger Cole Podcasts

The identity management marketplace offers a number of different solutions enabling Active Directory-based single sign-on for SAP, making life for SAP endusers much easier and at the same time offering a good potential to reduce the costs of managing your IT infrastructure. In this webinar, Martin Kuppinger (Kuppinger Cole), will talk about the different concepts of SAP-SSO and why Kerberos is a real option in such an environment. Then, Jackson Shaw and Reto Bachmann (Quest Software) will pre...
Download

Product Report: Quest Single Sign-On solutions for SAP

Mon, 09 Nov 2009 00:00:00 +0100

In Kuppinger Cole + Partner

The two products discussed here, Quest Single Sign-On for SAP GUI and ABAP and Quest Single Sign-On for NetWeaver, are Quest’s offering in the market for Single Sign-On (SSO) between Active Directory-infrastructures and SAP-environments on the basis of Kerberos. Quest also offers a „classic“ SSO solution called Quest Enterprise Single Sign-On as an option for infrastructures which do not run Kerberos.

Authenticating primarily via Active Directory which is standard...
more

Sony VAIO VGN-Z series – finally with VT-support

Sun, 08 Nov 2009 19:02:07 +0100

I recently bought a very expensive high-end Sony VAIO VGN-z31 and was more than surprised and downright angry, when I found out they had disabled the “VT”support of the Intel CPU, making it almost useless when it comes to virtualization with Virtual PC, VMware Workstation, Xen or what ever your favourite Hypervisor was.

With their latest set of updates for their EFI (the new BIOS technology) now finally they gave in to the numerous customer complaints, all coming from power users and professionals, who were upset to just have spent 2.000 -3.000 €/$ on a machine, that was basically leaving them without support for virtualization.

Vaio customers, rejoice! Check the update sources for your machine, and hopefully you will find a matching update. For all others: check out the “reverse engineered” hacks for activating VT…
Happy VMwaring

Sebastian
PS: off to get that SQL Server running…

Why cloud services will sell despite slowdowns in outsourcing and MSS growth

Thu, 05 Nov 2009 11:56:30 +0100

Within the last few months, I’ve read several news about slowdowns in the growth of the outsourcing business and particularly the MSS (Managed Security Services) business, at least compared to the high expectations raised in the years before. Does that mean that the cloud is dead before it really starts? I don’t believe, for several reasons:

There are different numbers regarding the status and grwoth of the MSS and outsourcing market. Some are much positiver than others – and it is no surprise that the negative ones are cited most (even the IT press more and more acts in the yellow press way…).
In days of economic turmoil (and we are still in these days, despite the quick recovery of the bonus mentality in financial institutions), customers tend to first drop external services before they fire employees – that affects MSS.
Outsourcing is sort of a “big beast” which is diffcult to tame. It takes a long preparation, it is inflexible. Overall, it needs to adopt to become more flexibile and easier to use. Cloud Computing with its granularity of services is an approach to address the shortcomings of outsourcing.
A feedback I had from multiple CISOs regarding MSS is that the quality of service and the level of contol frequently is insufficient – thus it is about implementation and delivery of MSS, not the overall concept.

Two reasons why the Cloud (in my understanding of an approach for a flexible use of IT services with the ability to switch between and choose the best provider, internal or external – e.g. much more about service than about external things from the Internet) will be successful shortly explained:

If you think about a matrix like shown below with two axis, Outsourcing is just sort of the specialized approach to the cloud. And from our expectations, the sweet spot for most providers will be around “community clouds”, in the centre of this. That potential for industry clouds, community clouds, and point solutions isn’t unveiled yet. Thus, there is much more in the cloud than is discussed today.
The cloud is not new. It didn’t just appear at the sky but grew over years. SaaS is out there for a while, service management as well. Not even to talk about outsourcing. The cloud is, from my perspective, just the result of an evolution from a tactical, opportunistic use of external services towards an strategic approach on how to best provide IT services (external vs. internal). We’re at sort of the “break-even”, to use an analogy.

Cloud Matrix

By the way: The biggest risk for the cloud is too much marketing. But that was the same with Client Server, the Internet, and many other things. None of them disappeared, but all big changes took years to become reality. The same is true for the cloud.

I appreciate your feedback on that! And see you at EIC 2010 and Cloud 10, both to be held in Munich, May 4th to 7th, 2010.

Commenting Print: Welt Kompakt 4.11.2009

Wed, 04 Nov 2009 15:50:17 +0100

I guess it became unpopular to read printed news in some societies but I really enjoy reading WELT KOMPAKT, a smaller printed formfactor of well-known daily WELT. Today, the more or less entertaining “Internet” section had a lead article called “Safe in the Web 2.0″ or “Sicher im Web 2.0″ by author Peter Zschunke. Eager to learn more about how “the general public” is informed about the dangers that lurk in the web, I read the mid-size article, featuring a James Bond-like shot of what seems to be Security Ops Center. My interest turned into surprise, ending in a sort of rage when I finished the article.
It takes quite some time and effort to make me angry, but I instantly – for the first time in my life – wrote a letter to the author and the editors, and went like this:
Sehr geehrte Damen und Herren, sehr geehrter Herr Zschunke!

Ich habe anfangs mit Interesse, später mit zunehmender Verwunderung das gelesen, was die Welt Kompakt als redaktionellen Beitrag in der Internet Rubrik hat drucken lassen. Für mich klingt diese doch sehr einseitige, leider wenig von journalistischer Qualität sprechende Berichterstattung eher nach Advertorial, denn nach guter Recherche und umfassender Information. Dem Format und dem Umfang sei geschuldet, dass hier nur ein Bruchteil der Problematik von Datensicherheit und Datenschutz im Web 2.0 beleuchtet werden kann – aber dann ernsthaft dem Leser zu vermitteln, die Firma RSA hätte „die Lösung im Schrank“ und könne diese Probleme quasi „wegzaubern“ wenn sich die sozialen Netzwerker denn endlich mal aus dem Sessel bequemen würden? Das halte ich nicht nur für inkorrekt, ich halte es für gefährlich! Zumal „RSA“ nun wirklich nicht das Produkt sondern der Firmenname ist und Sie, wie ich annehme, eigentlich von einer Kombination der enVision Produktlinie mit anderen Werkzeugen sprechen. Zumindest die Nennung einiger vergleichbarer Technologien oder Anbieter wie Novell, ArcSight, CA etc. hätte der Neutralität gut getan… Die Produkte und Lösungen der RSA sind sicher anerkannt und wirkungsvoll – sowohl bei der Analyse von (Fehl-)Verhalten als auch beim Zugriffsschutz und der Verschlüsselung. Aber, um es sinngemäß mit den Worten von Bruce Schneier zu sagen:
„Wer denkt, dass Technologie seine Probleme lösen kann, der hat weder die Technologie noch die Probleme verstanden.“

Das Problem mit der sehr einseitigen Berichterstattung bleibt – es gilt eher am Konzept der sozialen Netzwerke, ihrer Datensammlung und Datenverwaltung zu arbeiten und den Anwender besser aufzuklären. Meiner Meinung nach steht Ihr Artikel der Aufklärung der Anwender eher im Weg, da hier ohne Sinn nach Technologie verlangt wird obwohl der eigene Menschenverstand ein viel besseres Mittel zum Schutz vor Missbrauch wäre. Bei mir hinterlässt dieser Artikel einen sehr faden Beigeschmack.

There is nothing wrong with a good advertorial or product related story, but this was so blatently single-sided, I just could not resist! I would love to discuss this with alll of you – feel free to comment, mail or call me!

The German data protection law starts to bite

Thu, 29 Oct 2009 10:17:50 +0100

The Deutsche Bahn has been sentenced to a penalty of 1,1 Mio Euro for breaches of the German data protection law, e.g. the privacy regulations in Germany. That is the record penalty based on the BDSG (Bundesdatenschutzgesetz), how the law formally is called. The reason for that penalty were abusive analysis of employee data, to identify potential cases of corruption and fraud. Data of bank accounts of suppliers and employees were compared. That became public, there was a lot of public discussion about – the topic was top in the news for several days. And the CEO, Hartmut Mehdorn, was (factually) fired.

However, dealing with corruption and fraud is a must for the management of any corporation. Heinrich von Pierer, the former CEO of Siemens, had to leave the company because he didn’t address corruption and fraud. Hartmut Mehdorn did it – and lost as well. Obviously, there are regulations in conflict. The problem of both was that they had no valid concept of which regulations are relevant, which are in conflict and how to deal with these conflicts. The Bahn analyzed far too much data and didn’t put that approach into a bigger concept, openly discussing it with the works council and so on.

So one lesson which should be learned by everyone with responsibility for compliance regulations (and the BDSG is one of them) is: Analyze the relevant regulations, clearly define the valid approach to deal with, discuss it with the works council as far as employee data is affected, talk with your auditors – in fact have a strategic approach on how to operationalize the regulations.

The second interesting aspect around the “Bahn” case is that the penalty is a record penalty – and only 1.1 million Euro, which is sort of paid out of the petty cash. Thus it hurt some people at the Bahn, loosing their jobs. But it is only a small penalty from the perspective of the large corporation. It seems that the BDSG is sort of a “law that has no teeth” (in German the saying is “toothless tiger”…). But there is good news (from the perspective of enforcing privacy and data protection): The new amendments of the BDSG will change things fundamentally – the tiger will get teeth.

Cloud Vendor Report: Amazon

Thu, 29 Oct 2009 00:00:00 +0100

In Kuppinger Cole + Partner

Amazon is widely known as online retailer, having expanded its bookstore business to many other areas over time. Some time ago Amazon has entered the Cloud Computing market. Amazon provides a broad set of services under their label Amazon Web Services (AWS), with the Amazon Elastic Compute Cloud (EC2) as the most popular one.

Amazon’s strategy for providing web services based on their own experience in providing highly scalable and reliable services for relatively low cost...
more

#SAPTechEd – SAP Netweaver & GRC Identity Management

Wed, 28 Oct 2009 17:42:51 +0100

#SAPTechEd – SAP Netweaver & GRC Identity Management
During the last 30 month I was rather critical towards SAP´s approach on how to position and further develop the technology acquired from Norwegian MaXware in 2007. The visit to SAP TechEd 2009 in Vienna showed through several technical presentations and direct interviews with people such as Keith Grayson, that SAP did a really job in not only integrating MaXware into the Netweaver group but also coming up with a sound strategy on how to move forward with whole offering. Besides the fact that Business Objects GRC systems still has some valuable functionality as provisioning tool for complex environments, the capabilities regarding the “Netweaver to SAP application” provisioning can now safely be called “unparalled” in the market. If you have access to the SDN platform, make sure to get your hands on the numerous slides in the SIMxyz track of TechEd. You can learn how to easily implement SAP Netweaver Identity Management, integrate with SAP Business Objects GRC and much more. As pointed out above, the joint deployment of the “standard provisioning engine” and the GRC one does have some benefits, especially if the Compliant User Provisioning (CUP) features are needed due to strong GRC requirements. It has been stressed in the sessions, that such a design needs to be planned very carefully and that cross-competence teams should be in charge of this to get all requirements and stakeholders represented in the final architecture.
Regarding 3rd party system integration, the ongoing standardization plays into SAPs hands, as Keith and I discussed the growing relevance of SPML and SAML 2.0, which, by the way, has now been tested and certified to be working with SAP ID management solutions and might find its way into the core product in the future. More and more provisioning targets become easier to integrate, as the corresponding ISVs now see openness towards IAM solution as a benefit.
To sum the impressions up: Keith and all the others did a great job in “turning around a skeptical analyst”. I am positive, that the current setup and strategy will result in a good position in the ever changing Enterprise Identity Management market for SAP.

#SAPTechEd – GRC cooperation between SAP and Novell

Wed, 28 Oct 2009 17:14:52 +0100

I already pointed out my personal satisfaction about the recently announced cooperation between SAP and Novell in the GRC market. This morning I had the opportunity to discuss the whole approach with Jay Roxe of Novell and Ranga Bodla of the SAP GRC group, operating both out of the US.
Besides my enthusiasm about the materialization of something I suggested to be beneficial (every once in a while, analysts DO show that they are humans, too!), the discussion of business opportunities, market pull and demand for GRC in general were almost identical between the three of us.
First let´s check the market pull: both companies said they received multiple requests by existing customers to provide insight on how to couple the more business-GRC oriented SAP solutions and the more IT-GRC oriented SIEM tool Sentinel of Novell. As open APIs were already available and Novell had their products on the path to SAP certification, taking the next step and analyzing the related business opportunity was only a matter of weeks. The joint approach beyond using and testing the APIs was then tested by a large consulting and system integration company in their labs. Looks like when there is a proven market, everybody is interested in providing a solution.
Second, the demand for End-to-End GRC solutions: as KuppingerCole indicated during last year`s GRC event in Frankfurt, more general and broader oriented solution would be necessary and on offer soon. Only 10 month later, not a single-product but a joint solution IS available! SAP and Novell beat our projections and I guess it will take another 6-9 month before we either see another co-op or even a merger between two niche-players to offer a competing solution or product.
Third, the business opportunity: SAP being the Business Intelligence provider they are, quickly was able to provide Novell with numbers on SAP GRC customers and quite a few hundred of them were identified as possible candidates to be addressed for a joint deployment. Vice versa, existing Novell customers with SAP deployments turned out to be of a significant magnitude, thus both groups form a considerable target. We at KuppingerCole can only second, that both the identified customers and the remaining “white space” in the market would benefit from a joint and integrated deployment – the former generating added value almost instantly – the latter reaping the benefits from the then (expectedly) available best practices generated by the early adopters.
General perspective: KuppingerCole sees their own projections and analysis fulfilled ahead of time! SAP and Novell now have a considerable head-start in the market and thus have potential to counter offerings such from Enterprise GRC vendors such as BWise, OpenPages or Mega due to the breadth and depths of the combined solution.
If you like to receive further insight, which GRC approach now makes sense for you, feel free to contact us and make sure to attend our upcoming related webinars http://www.kuppingercole.com/webinars

08.12.2009: 5 Golden Rules for Efficiently Implementing Access Governance

Tue, 27 Oct 2009 21:55:39 +0100

In Kuppinger Cole + Partner

How to do Access Governance right? Which are the key success factors you have to focus on for as well quick-wins as long-term success? This session explains how to solve the access governance needs best.
more

09.12.2009: How to Start: Recertification or Active Access Controls First?

Tue, 27 Oct 2009 21:51:28 +0100

In Kuppinger Cole + Partner

What is the best approach to do access governance? Should you start with attestation to understand where the problems are? Or should you first have a management infrastructure in place which allows to control access across different systems and use access governance approaches then to improve the state of your information security? Or is recertification sufficient? Kuppinger Cole analysts and different vendors discuss the strengths and weaknesses of different approaches?
more

09.12.2009: How to Efficiently Implement SoD Controls: Which Level Works?

Tue, 27 Oct 2009 21:47:33 +0100

In Kuppinger Cole + Partner

SoD controls (Segregation of Duties) are a cornerstone of access governance. But how to efficiently implement them? Should they be based on roles, on activities, on granular entitlements? There are many different approaches to solve the problem. In this panel, different vendors and Kuppinger Cole analysts will discuss different approaches for SoD controls, with focus on their manageability and the required granularity.
more

09.12.2009: XACML: The Holy Grail of Access Governance?

Tue, 27 Oct 2009 21:38:36 +0100

In Kuppinger Cole + Partner

In this panel, the role XACML will and can play for access governance is discussed. Is XACML the solution? What is missing? How to manage policies and how to analyze these dynamic constructs? And how to avoid vendor lock-in? The strengths, shortcomings and needed improvements are discussed by different vendors and Kuppinger Cole analysts.
more

08.12.2009: Getting the Big Picture: How Access Governance fits into IT Governance and Risk Management

Tue, 27 Oct 2009 21:33:22 +0100

In Kuppinger Cole + Partner

Access Governance is a key element in every strategy for information and system security as well as IT Governance. However, there are many different approaches from system-level access control management tools for ERP systems with some SoD support up to Enterprise GRC solutions which focus on the risk management and governance approaches from a high-level business perspective, sometimes without the interface to IT systems. And access-related controls are only part of that 4 of 210...
more

#SAPTechEd – Google Wave @ work // Enterprise 2.0?

Tue, 27 Oct 2009 14:32:16 +0100

Communication & Collaboration – that is what email is all about – or should be.
The GoogleWave concept mimics the snail-mail and a wiki at the same time, while being a protocol and an application also.
The demo looks like a cooperative instant-message chat, but showing character by character, making an almost f2f chat impression…
Who used OneNote online before, may be used to see the joint changes of multiple participants in one document – but it is amazing to see even uploads of photos and other material into the wave in a blink of a eye.
To see somebody adding a Google-map into the wave and have it adjusted to show the right location IS amazing!

Let us put it like this:
As a digital nomad and “never in the own office” worker, I want this, and I want it NOW!
Now for Enterprise 2.0:
adding a SAP Business Process Design tool Gravity to Wave enables cooperative work on new process designs inside the Wave.
Re-designing processes to adjust changes caused i.e. by Mergers & Acquisitions now becomes easier due to real-time collaboration between subject matter experts. Cool user experience…

#SAPTechEd – Original1 against Product Piracy

Tue, 27 Oct 2009 14:02:12 +0100

Again, sorry for bothering you with non-IAM information, but this is heavily interesting for those looking into Business-GRC.
Jut now, Nokia, SAP and Gieseke+Devrient announced the JointVenture calles Original1, which will offer SaaS solutions for anti-piracy and anti-conterfeiting projects.
Goal is to enable customs officers, supply-chain service providers and possible whole-sale customers to check and verify if a certain batch or delivery is actually original product or counterfeited merchandise.
The solution will leverage technology by all three vendors, comprising SAP ERP back-end information, Nokia mobile device extensions for on-site reading/scanning of products and Gi+De technology to secure the process steps and information. The company will be led by Claudia Alsdorf as CEO and will be located in Frankfurt, Germany. As to specific requirements, the solutions will be technology agnostic and available on devices and systems not offered by the contributing parties.
Target customers will be the brand-owners and vendors of high-value or high-risk products, e.g. luxury goods, pharmaceuticals or the like.

Q & A from the XACML/ABAC Webinar

Tue, 27 Oct 2009 13:05:10 +0100

On the Webinar that Babak and I did on ABAC and XACML three weeks back, there were quite a few questions that popped up! Unfortunately we did not have time to answer all of them during the webinar, so we promised that we would collect them and answer them afterwards.

BTW today there is another webinar on a related topic: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Q: Please, specify the major difference between role mining (role consolidation based on role attributes) and the privilege giving mining approach?

A: (Babak) Role mining is about finding groups of permissions that can be bundled in terms of roles that can then be assigned to users. The idea of privilege-giving attribute mining is to find those attributes that affect permissions and use them to create access rules. Let’s take an example. In a business application, users may have been assigned permissions to Create and Release Purchase Orders, to Maintain Vendor Master data, Release Requisitions, Register Service Entry and Release etc. In a role mining project doing a bottom-up survey of permissions, an analysis of these permissions and how they are grouped into roles will be made. If a role called Purchasing combines all of the above permissions, we would probably identify a Segregation of Duties violation between the rights to Release Purchase Orders and the right to Maintain Vendor Master Data. As a result we would suggest remodeling of the Purchasing role to avoid the conflict. In a top-down approach, Role mining is about identifying a role in business critical processes that will need to be entitled with certain permissions in order to serve its purpose in that process. Role mining projects are typically about top-down and bottom-up combined, which in the end will lead to considerable efforts to map permissions to roles in such a way that everyone is able to do his or her job without acquiring excessive permissions – quite a daunting task.

An Attribute Mining project would very much like the top-down approach in role mining start with business processes to define which RULES for access can be derived. Examples: Attestation of purchase orders exceeding the amount of $xx, can only be made by users who a) belong to the cost center charged and b) have a management level of 10 or higher. From this rule we can derive that the following attributes are privilege-giving: a) user profile’s cost center assignment, b) users management level, c) purchase orders cost center and d) purchase order’s amount. To verify, these attributes would allow a rule to be formalized like this: If user.costcenter = purchaseorder.costcenter and user.managementlevel>=10 and purchase.amount<=$xx then permit else deny.

Q: Tell me more / define better what you mean when you talk about a missing context of the RBACs model?

A: (Babak) What we argue is that RBAC is a static model which makes it difficult to capture the context that may affect an access decision. If we try to capture the context for an access in terms of roles then we will easily get a role explosion. We may for instance need to differentiate permissions depending on time of day – some users have access only during normal business hours whereas others have 7*24 access. This could lead to the creation of two roles, one for normal business hours, one for extended access. Add other context-related conditions such as remote login, authentication strength, line encryption etc. and we end up with the need to capture very many different roles. It is worth noting that normal ERP systems typically need to handle very large numbers of roles (thousands) internally to capture all their user permissions. If a combined role structure from multiple ERP systems must be established with contextual aspects included, role explosion issues simply become unmanageable.

Q: I didn’t quite get the difference between attribute based access control and rule based access control. can you elaborate?

A: (Felix) In a nutshell, the main difference between ABAC and RBAC is that RBAC revolves around the concept of the role. ABAC can use any attributes (including the role) so it is much more flexible.

A: (Babak) Attribute based access control is not in conflict with rule based access control. Rule based access control is about creating rules defining access permissions, but if these rules are based on attributes then we have a type of attribute-based access control.

Q: I understood there exists a better way in comparison to the RBAC model, but a language is not enough at all. You need a product which combines both. Is this the message you want to send out here?

A: (Babak) Well, the purpose of the workshop is to present the concept of ABAC and how it solves some of the common and well-known issues with RBAC. But you are right that we also need products to support this new approach. Axiomatics has a complete product suite to support xacml policy life cycle management 360. Most vendors of business applications and IAM products also have more or less elaborate support for XACML built-in.

Q: Is there a defined migration path from an established RBAC model to an ABAC model?

A: The OASIS XACML committee has released an XACML Profile for Role Based Access Control (RBAC) which can be used as a basis for migration projects. That said, one naturally needs to be aware of the constraints given by the architecture of legacy systems – “converting” an existing RBAC-based business application to an ABAC-based model may require a considerable effort. In some instances it may be more attractive to implement connectors that can provision attribute-based rules from a Policy Administration Point to application specific rule configurations which in turn may be RBAC based.

Q: How do you manage attribute based access to multiple resource? Traditionally, privilege attributes are bundled into roles and are assigned to users. If you have many attributes that control access to resources, doesn’t that increase administrative burden?

A: No, as we said in the presentation it will most likely be much less number of attributes needed to define access permissions than the number of roles. This is because we will define access rules based on the attributes rather than representing different set of permissions in terms of roles.

Q: Sounds like this method will have significant application impact – can you respond to this concern?

A: Yes, we believe that many applications will in the future implement the XACML request-response protocol. Already today, most large vendors of Identity & Access Management products or applications that handle business critical data have some sort of “XACML story”.

Q: Does ABAC related to Claim Based Authentication? Are they like corresponding concepts?

A: (Babak) Yes, one way to see claims is as provisioning of attributes to the access control system, so these are definitely complementary technologies.

A: (Felix) Authentication and authorisation are two different concepts, but of course they are related: authentication tells us who the user is, and then authorisation tells us whether the user is allowed to do something. The concept of Claim-based authentication is based on the fact that a “Claim” will already deliver attributes to an application. What happens then? These attributes could be made available to the authorisation engine.

Q: Are there any good resources and real world examples to get started with ABAC?

A: (Babak) Well a good place to start with is the XACML TC page. Axiomatics has also a very informative website (www.axiomatics.com) with all introductory information regarding ABAC and XACML.

A: (Felix) We also have recently released a XACML Technology report that is available from our web site.

Q: RBAC seems after implementation quite static in maintenance ABAC seems intensive in maintenance, since attribute values vary over time (daily, hourly etc) would it not make maintenance costs more expensive and more complex?

A: (Babak) Well this is really the other way around. The idea is not to change the time attribute manually but to fetch the data from the right attribute source which is perhaps a clock.

A: (Felix) To add to Babak’s point there: ABAC will make use of information that already exists in an enterprise. The initial maintenance cost would be to deliver those attributes to the policy decision engine. And for that, good technology such as virtual directories already exist.

#sapteched: too much twittering.. ;-) – but not enough on IAM & GRC

Tue, 27 Oct 2009 12:14:32 +0100

Did you find yourself adding hash-tags in emails or “old-fashioned” blog posts recently?
Well, I think we are all tweeting quite a lot (except for me, I do not spend to much time on it) and organizing tweets that way is a good thing, for sure…

In between two Netweaver security tracks I just wanted to give you an update on the cool show, SAP put together once again! I already met so many friends and colleagues and usual suspects, I almost felt like visiting EIC in Munich.
Novell made some great announcements recently and – to no surprise for me – their now combined SAP/Novell offering for end-to-end GRC does add a lot of value for customers of both companies.
Just a few weeks ago, doing an invited talk at the SAP Partner Port in Waldorf with Loren Heilig, Managing Director of IBSolutions, I claimed that SAP does have a big advantage when it comes to Business GRC, while they really lack the depth needed to control everything down to the system-level, aka “more technically”. As a complimentary solution vendor, I showed some Novell slides, and the reactions were pretty … ambigious.
While the customer audience seemed to like the idea, the vendor representatives seemed a bit uncomfortable. Today, I find my self to be proven by reality – my own little “analyst crystal ball” only had a “warning period” of roughly 4 month, though. Maybe I should get to London and place some bets, before making my next presentations…
SAP and Novell: congratulations! You now offer the most complete GRC approach in the market today (at least from my humble perspective!)

08.12.2009: The Three Elements of Access Governance: Recertification/Attestation Access Control Privileged Access Management

Tue, 27 Oct 2009 11:56:14 +0100

In Kuppinger Cole + Partner

Access Governance is commonly associated with recertification or attestation as approaches for a recurring review of existing access controls by the responsible managers in IT and business. But knowing the problems isnt sufficient enforcing changes and implementing continuous processes for access controls is a key element. And, beyond that, many approaches mainly focus on standard access and not on the security sensitive privileged accounts. This session explains the elements for a...
more

The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Tue, 27 Oct 2009 00:00:00 +0100

In Kuppinger Cole Podcasts

SOA is far from dead but many organizations suffer from a severe SOA disease caused by too many enthusiastic deployments of isolated and siloed services. In this webinar, Martin Kuppinger will provide you with insights on SOA Governance, followed by Axiomatics and Intel showcasing their joint SOA security solution.
Download

Windows 7 and SmartCard removal behaviour… no system lock?

Sun, 25 Oct 2009 12:43:01 +0100

Ok, this should be a blog about insights to the general Identity & Access Management and Governance, Risk Management & Compliance Markets. Sorry to bother you guys with technology details (like the one about Win7 and 3G(UMTS) on netbooks, every once in a while, but I think one blog is enough to maintain and publish stuff to ;- )
So, who ever started using Win 7 in a secure environment may have come across the issue that smartcard log-in works like a breeze in these days, but you may be as puzzled as I was, when I pulled the card from the reader and the system did NOT lock itself…
Well, as my friend Walter Hofer of IDpendant was kind enough to investigate the issue (and let me know right after he found out):
Even with a corresponding GPO in the AD set, Win 7 will refuse to lock the computer after the smartcard has been removed from the reader as Microsoft chose to create a new system service called Smartcard Removal Policy – and it is set to MANUAL. Unless you look that service up in the “Services” menu and change its start behaviour to “Auto”, you will not get the expected results—
Just to get you a faster solution if this should occur to you, too!
Keep up the safe&secure computinge experience!

Vienna Calling

Sun, 25 Oct 2009 12:31:54 +0100

Well, unlike Falco in his famous hit single, this time it is SAP, who´s calling the worlds´ERP elite to Austrias capital next week – and I am happy enough to participate in this one-in-a-thousand events that really stand out. My very high expectations regarding the expertise I am planning to meet is only paralleled by the curiousity if (and if yes, who) there is gonna be a star like Zucchero performing as part of the event
Ok, back to the real issues, because there is lot of work to be done while I am at the event. First of all, I will try to get as much in-depth technology insight as possible and my agenda is bustling with activity around Netweaver Identity Management and SAP security. Especially the second, more general topic has some relevance as I am looking into the SAP and 3rd party audit and compliance solutions available today. Besides SAP´s own offering in the GRC arena, I am about to dive deeper into CheckAud of ibs Schreiber, a tool I came across in several Master´s thesis I have been advisor for. Next is “mesaforte” of Swiss Wikima4 AG and last not least the SAST System Audit and Security Toolkit, of Akquinet, especially since they now co-operate with my valued friends at Virtual Forge (some of my former Fraunhofer SIT colleagues are the founders).
Do you have expertise in one of those? Are you at TechEd in Vienna? Make sure to meet me over a cup of coffee or a Stiegl Bräu beer!
Looking forward to meet you in Vienna!

Ein Passwort für alles - Enterprise Single Sign-on

Fri, 23 Oct 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Es gibt kaum einen Anwender, der nicht schon einmal sein Passwort vergessen hat und das Helpdesk mit einem Passwort Reset beschäftigen musste. Die Arbeit des Helpdesk nimmt exponentiell zu, wenn die Anwender sich mehrere unterschiedliche Passwörter für unterschiedliche Anwendungen merken müssen, die auch noch mit unterschiedlichen Intervallen geändert werden müssen. Projekte, die sich der Vereinfachung der Authentifizierungsprozesse annehmen, sind deshalb im Unternehmen sehr sichtbar, und ei...
Download

Social networks could be secure!

Thu, 22 Oct 2009 09:28:31 +0200

Yesterday, I read an article at a German news web-site about the recent security leaks found in the social network SchülerVZ. The article claims that social networks like SchülerVZ and Facebook (both are mentioned) don’t have any chance to avoid crawlers accesing personal data which should be presented only to friends. Ridiculous!!!

Sorry, that is definitely nonsense!

It is very simple. You have some data which is visible only to some specific persons. You have an authorization policy, which might be expressed in the form of ACLs or XACML or whatever. Some application (the regular frontend, a crawler, an administrative application,…) tries to access data. You have done an authentication. You do the authorization by comparing the authentication information to the authorization information. You decide on whether access is allowed or not. That is done in millions of applications day-by-day. And that shouldn’t work with social network sites? I don’t see any real reason why!

For sure there are two reasons why at least some social networks don’t do that in this way:

Bad software architecture: Security has to be done by design, from the very beginning. Otherwise it is hard to implement it. Unfortunately, many developers don’t design security in their products but add it at the end, as something painful they have to do at the minimum level.
Performance considerations: For sure security will affect performance. For any access, you will have to do security checks. You will even have to provide stronger authentication features. But it can be done. Providers will probably require some more hardware to keep the performance level of their social networks. But security has its price.

But to be honest: These aren’t valid reasons. Either you are able to deploy a social network in a secure way and fulfill the data protection laws. Or you should shut the entire thing down. Given that it is possible to secure social networks, the operators should be fully responsible for any security breach.

By the way: Even the databases themselves can be fully secured. That depends a little on the database chosen and the additional technologies in place, like Oracle’s Database Security products (to mention one of the more advanced solutions). OK, that will again cost you some performance and some money. But again it is about “security first”. If the providers of social networks can’t afford the cost of security, their business model just doesn’t work.

XACML – why it is so important

Thu, 22 Oct 2009 09:14:22 +0200

XACML (eXtensible Access Control Markup Language) gains an increasing attention as one of the core standards in the field of information security and thus IT security. Whilst standards like SAML (Security Assertion Markup Language) address the problem of authentication, XACML is about authorization – the more complex threat. XACML allows the definition and exchange of authorization policies in a heterogeneous environment. Whether it is about cloud security and controlling the authorization policies of cloud services or about SOA security for internal applications: XACML supports the authorization management in such use cases.

However, there is no such thing as a free lunch: XACML not only tools like XML/SOA Security Gateways which support that standard or cloud services with XACML support. There are two other important aspects:

XACML in fact means a shift from a more static security approach like with ACLs (Access Control Lists) towards a dynamic approach, based on policies which are applied at runtime. These dynamic security concepts are more difficult to understand, to recertify, to audit and analyze in their real-world implications. Thus, the use of XACML requires not only the right tools but well-thought concepts for policy creation and management.
XACML is just a foundation to express policies. Within a use case, policy concepts have to be defined. Over time, there should be higher level standards or defined use cases building on XACML and focusing on a standardization of the content of these policies.

Anyway, XACML is very useful. One of the most interesting areas for XACML is SOA Security. Currently, many SOA-based applications still lack a valid concept for authorization. Authorization still frequently is built into these applications. XACML can provide the policies to externalize the authorization management and thus add flexibility to SOA-based applications.

Overall, it is – from my perspective – definitely worth to spend some time exploiting the potentials for XACML to improve the security of systems and applications. There are many areas where XACML can be used successfully today. However, like with any emerging technology, there will be a lot of improvements in the managing and consuming applications (and, hopefully, around the standards ore use cases building on XACML) over the next few years. Thus the step to XACML has to be considered carefully. The good thing is: It is about standards, thus the risk of lock-in isn’t that big.

We will talk more on depth in an upcoming webinar. Register for free!

Show me your terrorists!

Wed, 21 Oct 2009 14:37:59 +0200

In Tim Cole

How many terrorists work for your company? Dunno? Well, see you in jail, pal!

I just came back from a meeting of the German chapter of IAPP, the International Association of Privacy Professionals, and the words of the chairman, Dr. Jyn Schultze-Melling, a lawyer with the firm Nörr, Stiefenhofer & Lutz, still ring in my ears: “We are sacrificing employee privacy on the altar of anti-terrorism.”

It turns out that firms are required by law to check their employees names against lists of terrorism suspects published by the United Nations and the European Union. In Germany, §34 of AWG, the Foreign Trade Law, forbids companies aiding or abetting persons or organizations that endanger national security or the “peaceful coexistence of peoples” in any way – like for instance paying them a salary. Failure to comply with this law carries heavy fines; up to 5 years in jail for the CEO, for instance.

On the other hand, European data privacy laws prohibit routine scanning of personal data without due cause. So if nobody has done anything suspicious lately, running their names past the UN or EU lists is probably illegal in many countries.

Of course, tell that to the families after some nut explodes a vest of dynamite in your company canteen and slaughters a few of your employees.

So yes, companies have to screen their own people, but when exactly? On hiring? What if the employee has a change of heart two or three years later and signs up for the Muslim Brotherhood? Does that mean you have to scan periodically, maybe once or twice a year? And if you live in a country like Germany where the works committee has a big say in these matters, how do you ever hope to convince them?

According to Schultze-Melling, there are loads of even more mundane problems to consider. For instance, Osama Bin Laden would hardly use his real name when joining your company, and probably not even one of the score or so aka’s he is also listed under in the UN list, but would chose an entirely new name instead. How about different spellings? After all, for an Arab speaker, Ahmed Gamdi, Ahmad Al Gamdi, Ahmet Gamdi, and Ahmed Al-gamdi could very well be one and the same guy. There are more than 32 spelling for Lybia’s Colonel Gaddafi (or Qadhafi, Kadafi, Gadhafi, Qaddafi, etc.). Are you legally required to check them all?

As ist that wasn’t bad enough, you can try telling it the cops who come to arrest your boss because one of your employees gave to the local chapter of the Holy Land Foundation which funds Hamas or the National Development Front in India that finances Al-Qaeda. The UN and the EU, not to mention the US Department, publish lists of organizations they consider to be affiliates or fund raisers for international terrorists. Unfortunately, hardly any new employee mentions this in his hiring questionnaire, so what should you do? Periodically ask all your people whether they have joined a terrorist organization lately? Maybe hand them the list and ask them to make appropriate check marks. And what if they refuse — do you fire them? Anyway, answering in the affirmative could constitute an act of self-incrimination, so requiring it would itself be illegal in most civilized countries.

Until now, most HR departments have dealt with these questions in the handiest possible way – by ignoring them. Out of about 20 companies represented at the IAPP meeting, among them a few on the Fortune 100 list, only two raised their hands when I asked who has ever conducted a scan for terrorist suspects within their organizations.

My feeling is that this illustrates the legislative confusion surrounding identity and privacy on the governmental level, but it also points out some tough questions that need to be answered by identity pros before we can hope to achieve anything like a balanced approach to the legitimate concerns of citizens, employees and consumers about how authorities and employers handle their personal data on the one hand, and the requirements of businesses, bureaucracies and, yes, terrorism fighters on the other.

Martin Kuppinger: How to fight GRC Anarchy

Mon, 19 Oct 2009 14:51:22 +0200

In Kuppinger Cole + Partner

GRC (Governance, Risk Management, Compliance) has become a leading issue not only for IT professionals, but for senior management as well. However, it isnt always clear whos in charge. Responsibility for GRC is set to become a major issue in the coming months..
more

27.10.2009: The Critical Role of XACML in SOA Governance and Perimeter Web Service Security

Fri, 16 Oct 2009 12:16:19 +0200

In Kuppinger Cole + Partner

SOA is far from dead but many organizations suffer from a severe SOA disease caused by too many enthusiastic deployments of isolated and siloed services. In this webinar, Martin Kuppinger will provide you with insights on SOA Governance, followed by Axiomatics and Intel showcasing their joint SOA security solution.
more

19.11.2009: Pass Your Next Compliance Audit With Confidence

Fri, 16 Oct 2009 11:02:42 +0200

In Kuppinger Cole + Partner

Bottom-Up or Top-Down or both? What is the appropriate approach to automate auditing on access and reporting on directories and identities and also on mail and file access? In This Webinar, Martin Kuppinger (Kuppinger Cole), Jackson Shaw and Reto Bachmann (both Quest Software) will discuss with you these questions and talk about best practices on how to integrate IT- and business views.
more

11.11.2009: Single Sign-on for SAP Environments

Thu, 15 Oct 2009 15:18:03 +0200

In Kuppinger Cole + Partner

The identity management marketplace offers a number of different solutions enabling Active Directory-based single sign-on for SAP, making life for SAP endusers much easier and at the same time offering a good potential to reduce the costs of managing your IT infrastructure. In this webinar, Martin Kuppinger (Kuppinger Cole), will talk about the different concepts of SAP-SSO and why Kerberos is a real option in such an environment. Then, Jackson Shaw and Reto Bachmann (Quest Software) will...
more

Another approach to IRM

Wed, 14 Oct 2009 07:53:50 +0200

Last week I had a discussion with Seclore, a software company based in Mumbai, India. They are focusing on the area of Information Rights Management (IRM), one of my favourite research areas. I’m interested in this topic mainly for two reasons:

Information Rights Management is one of the IT topics with the closest relation to the core business topic of Information Security/Protection (including Intellectual Property Rights, IPRs).
Information Rights Management is the approach which allows the ongoing protection of information at rest, in move and in use – compared to many other approaches which cover only one of these phases.

Most solutions in that market are based on plug-ins into existing applications which enforce the IRM policies. The policies are managed centrally, information (documents) are protected by encryption.

Seclore’s approach is different in that they not mandatorily rely on such plug-ins but mainly act “below” the application. The client component (which is required to access protected, e.g. encrypted, documents) tries to analyze the activities off the application like access to the file system. One impact of that approach is that a document might be opened with different applications supporting the specific document format.

Even while I personally believe that implementing IRM functionality within the applications (the more common approach of vendors like Microsoft, Adobe and Oracle) allows a tighter control about the actions of a user and application on a document, the Seclore approach has some appeal. It is lightweight and works well today with different applications and in different environments, beyond the enterprise. As long as there is no common standard for the interactions of applications (the policy enforcement points) and the IRM backend systems across different vendors, this is a workaround. And once there is such a standard, Seclore is very likely to support it. Thus, not only looking at the big vendors but as well at Seclore makes sense in these early days of Information Rights Management.

The Role of Entitlement Management in Governance, Risk and Compliance Management

Wed, 14 Oct 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Modern IT infrastructures empower their users and thereby introduce new risks. The effectiveness and efficiency of control frameworks and GRC programs are therefore becoming an increasingly important focus area for IT and business managers alike. Yet, GRC initiatives tend to be reactive, striving to optimize monitoring, surveillance and auditing capabilities and the GRC overhead keeps growing. Instead we need risk-intelligence built into our IT-infrastructures. This is what Entitlement Manage...
Download

Sicherheit mit automatisiertem Provisioning

Mon, 12 Oct 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Nicht nur in grossen Unternehmen ist die Benutzerverwaltung durch ständige Änderungen und Ergänzungen eine ressourcenzehrende Herausforderung. Auch wenn die Prozesse für die Provisionierung von Benutzerkonten in den unterschiedlichen Anwendungen sauber definiert sind - manuelles Arbeiten birgt enorme Sicherheitsrisiken beispielsweise in Form verwaister Benutzerkonten. In diesem Webinar sprechen wir über die Möglichkeiten, diese Sicherheitsrisiken durch automatisiertes Provisioning zu minimieren.
Download

Integration for the cloud

Wed, 07 Oct 2009 09:35:01 +0200

On Monday I’ve met with Matthieu Hug from RunMyProcess in Paris, an interesting start-up company in the “cloud”. Their focus is pretty easy: Integrate the cloud – with what you have internally and with other cloud services. At CeBIT 2008 I’ve done a presentation about “SaaS” and related topics (we didn’t use the term “cloud” at that point of time). One of the three major issues I’ve discussed as threats in that area (and would mention nowadays as cloud threats) is integration. How do you integrate external cloud services with other external services or internal applications? Some of these services provide a set of web service interfaces. But even then, integration is a tough work.

RunMyProcess now provides an external “cloud” service to do that integration. They provide pre-configured web services of a series of (external) cloud service providers, including Salesforce.com, SAP BusinessByDesign, and GoogleApps. And they allow to define processes which include one or more of these products. That allows to build integration between such services and existing internal applications. It as well allows to enhance cloud based services like GoogleApps. Matthieu told me that some of his customers are adding workflows to GoogleApps to replace Lotus Notes (even while I’d recommend the customer to consider LotusLive as an option in that case…). And there are some companies starting to create added-value services by integrating and enhancing cloud services, creating sort of “industry clouds” or “community clouds”.

I like the approach of providing an integration platform in that way. It doesn’t solve every problem (and more complex platforms built on top of classical application servers might provide some more functionality) but it is an answer to one of the biggest threats in the cloud. Thus it is definitely worth to have a look at that solution. And it is just another example of the amount of creativity unveiled by the cloud evolution.

If you want to learn more about the cloud, you definitely should attend Cloud 09, Dec 2nd-4th, Munich. And you should always have a look at the Kuppinger Cole webinars. We do webinars on cloud topics frequently – and there are many recordings of cloud webinars available.

Product Report: Quest Single Sign-On solutions for SAP

Wed, 07 Oct 2009 00:00:00 +0200

In Kuppinger Cole + Partner

Mit den beiden Produkten Quest Single Sign-On for SAP GUI and ABAP und Quest Single Sign-On for NetWeaver bietet Quest eine marktführende Lösung für das Single Sign-On zwischen Active Directory-Infrastrukturen und SAP-Umgebungen auf Basis von Kerberos an. Als Option für Infrastrukturen, in denen man keine Kerberos-basierende Lösung einsetzen möchte, gibt es zudem noch Quest Enterprise Single Sign-On, eine klassische Enterprise Single Sign-On-Lösung.

Der...
more

Sebastian Rohr: Identity Management: Challenge Outsourcing

Tue, 06 Oct 2009 18:55:05 +0200

In Kuppinger Cole + Partner

Outsourcing and offshoring are a fact of life in many companies, but for some, when it comes to managing user identities and access rights or enforcing rules on governance, risk management and compliance, these are still very early days indeed.
more

Overview Report: A GRC Reference Architecture

Mon, 05 Oct 2009 00:00:00 +0200

In Kuppinger Cole + Partner

Governance, Risk & Compliance - these three terms, in short "GRC" are pretty widely used in these days. Unfortunately, there is great confusion in how this term is used. The reason for this confusion is with high probability the fact that it allows to sell pretty easily all kind of technology under the umbrella of "Risk" and "Compliance" solutions. But there are very precise areas that GRC should cover, and other that it shouldn't, for example...
more

Martin Kuppinger: GRC a heavily segmented market

Thu, 01 Oct 2009 13:25:20 +0200

In Kuppinger Cole + Partner

GRC Governance, Risk Management, Compliance. A typical buzzword, but well established right now. However, the problem of all emerging markets associated with a buzzword arises here as well: There are many different vendors with different types of offerings, all claiming to solve the GRC problem. But: The GRC problem has many facets and is (beyond we have to manage risk, we have to be compliant) largely undefined. Well publish a report these days on a GRC reference architecture followed...
more

GRC – a heavily segmented market

Thu, 01 Oct 2009 12:00:29 +0200

GRC – Governance, Risk Management, Compliance. A typical buzzword, but well established right now. However, the problem of all emerging markets associated with a buzzword arises here as well: There are many different vendors with different types of offerings, all claiming to solve the GRC problem. But: The GRC problem has many facets and is (beyond “we have to manage risk, we have to be compliant”) largely undefined. We’ll publish a report these days on a GRC reference architecture followed by, probably in early November, a market segmentation report, placing vendors in one or more appropriate segments. Like every valid and successful emerging market, GRC will move from a large set of different solutions towards a market with some well defined segments of vendors.

There are the so called “Enterprise GRC” vendors like Mega, OpenPages, or Bwise. But even between these there are significant differences. There are vendors working more at the level of CCM (Continuous Controls Monitoring), including companies like Approva. There are IAM-GRC vendors like Aveksa, BHOLD, Engiweb, Sailpoint, and several others. There are IAM solutions with added GRC capabilities – in the meanthime most of them. There is GRC support in BSM (Business Service Management) applications. And, and, and… I don’t want to unveil to much from the upcoming reports which you will find at our website but like to focus on another aspect:

Which GRC approach to choose?

First of all, I believe that we have to use the potential of GRC for better interfacing Business and IT. There are business controls, there are IT controls. These have to be mapped. Thus, we should end with solutions which support as well the business as the IT requirements. That will never ever be a single solution, but a combination of some. High level controls and dashboards, CCM approaches and more specific solutions for different groups of IT controls. It should as well be an approach which isn’t only “detective” or, more correct, “reactive” but finds the balance between proactive/preventive and reactive/detective.

The big picture is relatively easy to describe, like we have done in our reference architecture.

The way towards that is much more difficult. There are many influencing factors like the industry and size of the organization, the current organizational structure (especially around the responsibility for GRC issues), the process maturity of the organization, the maturity of IT management approaches, and so on. Thus there can be different (and more than one) starting points. But in any case, there should be a well agreed (but coarsely described) “big picture”, as the guideline for building a GRC roadmap.

I personally believe that three factors are most important:

Providing quick wins
Providing a business view which, from the beginning, starts in integrating with IT – only manual controls are’t sufficient, it is always about the appropriate mix of manual and automated controls
Closing the loop – don’t focus only on the reactive part (like with pure “access certification”) but start acting on the results, for example by integrating provisioning to fix the detected problems

These are some of the most important criteria to choose solutions in the GRC space.

Have a look at our event website for upcoming events and webinars around GRC.

And, for sure, don’t hesitate to ask for our advice on building your GRC “big picture”.

Beyond Role Based Access Control - the ABAC approach

Wed, 30 Sep 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

In this webinar we discuss the original ideas behind RBAC and why large RBAC projects often lead to role explosion problems and therefore fail in their initial ambitions. We also introduce the concept of Attribute Based Access Control (ABAC) which overcomes some of the well-known problems with RBAC and enables a fine-grained and contextual (adaptive) access control. ABAC meets the requirements of modern IT-infrastructures where dynamically changing needs must be captured and dealt with i...
Download

Technology Report: XACML Extensible Access Control Markup Language

Tue, 29 Sep 2009 00:00:00 +0200

In Kuppinger Cole + Partner

This report explains XACML, an evolving standard in the field of access control. Access control in IT is of vital importance. Companies use access control technology to protect sensitive systems and information, and to keep assets safe.

At the same time, compliance with external regulations and internal policies is very important and access control technology is key. We can think about access control doing two things:

1. Identifying the users (who are you)
2. Allowing...
more

Beyond RBAC

Mon, 28 Sep 2009 13:01:13 +0200

Please join me tomorrow for a free Webinar on the topic “Beyond Role Based Access Control – the ABAC Approach“.

Many – if not most – organisations are not getting as much value as they thought from RBAC (role based access control). In fact, many RBAC projects start with high expectations, but quickly get bogged down due to many issues and problems. Eventually it turns out that the initial expectations were too ambitious. But why? Is RBAC making promises that are difficult to keep?

Many in the industry (Babak and myself included) think that this is due to the fact that the real world just happens to be too complex to model efficiently with RBAC. This means that organisations must be realistic about what they can achieve with RBAC, and mitigate some of its shortcomings. But isn’t there a better way? There certainly is, and that’s what we’ll be speaking about tomorrow. There’s nothing wrong about roles per se, but we need to add more context to them. Then finally, we can reap the full benefits of agile access management, reach and even surpass the value that was expected from troubled RBAC projects.

I am delighted to speak again on a Webinar with Babak Sadighi, CEO and one of the founders of Axiomatics. Babak and his colleagues are an extremely smart bunch of people who are very passionate about access control. They have researched the topic for many years. I’ve interviewed Babak at the last European Identity Conference, which you can see here. So if you’re interested in access and role management, please join us tomorrow, I promise that you will not be disappointed

VeriSign VIP – back again?

Thu, 24 Sep 2009 09:42:11 +0200

It has been pretty quíet around the VIP (VeriSign Identity Protection) solution. I have played around with that solution some two years ago, when support for eBay and PayPal had been added. But after that I didn’t see much of VIP (and didn’t hear much of VeriSign, honestly). Until these days, when TriCipher and VeriSign announced a strong authentication solution for Google Apps. They call it “triple-sec” given that three different factors are used – the two provided by TriCipher and an out-of-band authentication based on VeriSign VIP Access for Mobile.

VeriSign VIP Accessfor Mobile is in fact an OTP (one time password) generator which runs on mobile phones. Overall, a strong authentication can be achieved that way for TriCipher’s MyOneLogin service which is the tool used. MyOneLogin is a cloud-based SSO solution for other (external) cloud or SaaS services which uses SAML to provide authentication information to Google Apps Premier.

The VIP support is offered for free for Google Apps Premier customers – as long as they use the strong authentication only for Google Apps Premier. If they’s like to extend this to other apps, it’s not free anymore. Anyhow, this is at least an interesting solution for companies who rely on these cloud services and require an relatively easy strong authentication solution. For sure you’d have to accept that you need your mobile phone in addition but the alternative would be to rely on some soft-token approach or to carry another token or device to support strong authentication.

Besides the fact, that the “for free” doesn’t last long in practice, given that most customers probably will secure other apps as well, the biggest question from my perspective is whether a cloud-SSO for cloud only (more or less) is the solution of choice. Customers which further rely heavily on internal (and non-web) applications might benefit more from a traditional E-SSO approach supporting internal as well as external applications of any type. However, integration of these tools with applications like Google Apps typically relies on traditional exchange of username/password in the background instead of the more advanced SAML approach provided for example by MyOneLogin. With other words: There are other options, but at least the TriCipher/VeriSign offering is an interesting approach worth to have a look at.

To learn more about what’s going on in the “cloud”: Attend the Kuppinger Cole Cloud 09 conference, December 2nd-4th, Munich.

Business Report: Identity & Security in the Cloud

Wed, 23 Sep 2009 00:00:00 +0200

In Kuppinger Cole + Partner

Cloud Computing ist seit etwa zwei Jahren das Modewort schlechthin in der IT-Branche. Historisch geht Cloud Computing auf verschiedene Ansätze zur externen Bereitstellung von Anwendungen oder Speicherplatz, um die Unternehmens-IT zu entlasten oder sogar ganz zu ersetzen. ASP („Application Service Providing“) wurde bereits in den 90ern mit dem Aufkommen des Internet intensiv diskutiert, entsprechende Angebote scheiterten aber in der Regel an unzureichenden Bandbreiten,...
more

Identity Services and the Cloud

Tue, 22 Sep 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

The reason companies are considering cloud computing is to avoid the expense involved in building or acquiring the infrastructure, and to some extent managing it. However, without paying attention to the security and governance implications, those cost savings will actually evaporate when they either try to retrofit their existing business policies and controls into the cloud environment, or when they have to deal with the fallout from a breach or issue. In This webinar, Nishant Kaushik (Orac...
Download

Sicherheitsrichtlinien zuverlässig durchsetzen

Mon, 21 Sep 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Auf dem Papier ist es in der Regel gar nicht so schwierig, durch entsprechende Richtlinien einen zufriedenstellenden Grad an Sicherheit zu erreichen. Jedoch zehren in der Praxis fehlende Ressourcen, enge Budgets und nicht zuletzt die immer komplexer werdende Infrastruktur an einer effizienten Um- und Durchsetzung dieser Richtlinien. In diesem Webinar beschreiben wir Ihnen in Zusammenarbeit mit Novell, welche Ansätze für eine automatisierte Überwachung der Sicherheit von IT-Systemen am Markt e...
Download

Cloud Business Models – a threat for vendors

Fri, 18 Sep 2009 10:41:03 +0200

During the last months I had a number of conversations with vendors about the licensing and business models for their cloud offerings. And frequently the conclusion was that the models aren’t really adequate for the cloud. Some might work today and for some period of time, but they are not likely to be successful on the longer term.

One ob the obvious shortcomings are accounting periods which are too long and thus don’t provide the required flexibility which is a key advantage of cloud services. Contracts which run at least 12 months or accounting periods which look at the peak use within a calendar month are not what we need for the cloud. Over time, customers will expect the ability to switch their provider quickly and to pay-per-use. For sure there are services where customers aren’t that likely to move ever or on short-term (salesforce.com, SAP BusinessByDesign). But I’ve seen that model as well at the platform and infrastructure level.

But pay-per-use models can be critical as well. If there are either too many elements in or elements which can’t be predicted, these models don’t provide the advantage of reliable cost models which are as well a key advantage that cloud services can and should provide. That is the same like with ISPs in the past – there will be a logical move to flatrate models. Noone likes to become bankrupt because he is too successful.

The reason for these sometimes inadequate business models are obvious:

Many vendors in the cloud are experienced with classical, license-based business models and have no experience and sometimes little understanding of new cloud business models. They are insecure and have to learn.
Customers currently frequently accept these business models – but that will change.

However it is very interesting to observe the change in these business models over time. In the cloud, business models are always under stress test. The impact of actions of other vendors is strong. For example, Microsoft in fact has defined an maximum price tag for hosted Exchange services with their own offering. Providers which want to earn more will have to very clearly show the added value to their customers.

That will not automatically lead to a situation in which the cheapest provider wins. But for sure cloud service providers will have to react on what others are doing. Thus, flexible business models and an efficient production of cloud services are mandatory. Vendors who are not able to pick up the pace of these changes in business models are likely to disappear from the market.

Minimizing Business Risks through Enterprise SSO

Fri, 18 Sep 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Receiving approval for project budgets has been difficult in these days, especially if there isn´t a very visible and almost immediate return on investment. Simplifying the way how users login to the applications they need for their daily business is an area, where plenty of low hanging fruits provide such immediate RoI i.e. through the reduction of password reset helpdesk calls. In this webinar, Joe Skocich from IBM and Martin Kuppinger talk about commonly overlooked considerations when eval...
Download

13.10.2009: The Role of Entitlement Management in Governance, Risk and Compliance Management

Fri, 28 Aug 2009 09:43:40 +0200

In Kuppinger Cole + Partner

Modern IT infrastructures empower their users and thereby introduce new risks. The effectiveness and efficiency of control frameworks and GRC programs are therefore becoming an increasingly important focus area for IT and business managers alike. Yet, GRC initiatives tend to be reactive, striving to optimize monitoring, surveillance and auditing capabilities and the GRC overhead keeps growing. Instead we need risk-intelligence built into our IT-infrastructures. This is what Entitlement...
more

29.09.2009: Beyond Role Based Access Control - the ABAC Approach

Fri, 28 Aug 2009 09:34:04 +0200

In Kuppinger Cole + Partner

In this webinar we discuss the original ideas behind RBAC and why large RBAC projects often lead to role explosion problems and therefore fail in their initial ambitions. We also introduce the concept of Attribute Based Access Control (ABAC) which overcomes some of the well-known problems with RBAC and enables a fine-grained and contextual (adaptive) access control. ABAC meets the requirements of modern IT-infrastructures where dynamically changing needs must be captured and dealt with...
more

17.09.2009: Minimizing Business Risks through Enterprise Single Sign-on

Wed, 26 Aug 2009 11:25:10 +0200

In Kuppinger Cole + Partner

Receiving approval for project budgets has been difficult in these days, especially if there isn´t a very visible and almost immediate return on investment. Simplifying the way how users login to the applications they need for their daily business is an area, where plenty of low hanging fruits provide such immediate RoI i.e. through the reduction of password reset helpdesk calls. In this webinar, Joe Skocich from IBM and Martin Kuppinger talk about commonly overlooked considerations when...
more

Vereinfachung der Berechtigungsanalyse und -Verwaltung

Thu, 20 Aug 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

In diesem Webinar geht Martin Kuppinger zunächst auf die Notwendigkeit ein, konsistente Autorisierungsstrategien zu entwickeln, die bei minimiertem administrativen Aufwand einen durchgängigen Schutz von Informationen bieten indem man sich auf das Wesentliche konzentriert und sich nicht in Punktlösungen verzettelt. Reto Bachmann von Quest Software wird daran anschliessend anhand von Praxisbeispielen beschreiben, wie sich das Berechtigungsmanagement unter Einsatz des Quest Access Managers ein...
Download

Social OX – changing the way we work with social networks

Tue, 18 Aug 2009 09:00:36 +0200

Open-Xchange, a provider of open source messaging and groupware, has announced its concept of Social OX, OX standing for Open Xchange and the concept of a “personal information hub”. The idea is to provide an approach where someone can maintain its “contacts” centrally and exchange that information with social networks like LinkedIn, Plaxo, Xing, FaceBook, MySpace, and others. The idea is to consolidate, manage, and re-use personal and social network data.

The concept supports publishing data to others and consuming shared data. In effect, that information will become exchangeable, in contrast to today’s lock-in approach in most social networks. Data can be tagged and so on, allowing to use different data for different contexts. That even will allow companies to integrate (respecting the data protection/privacy laws) available contact aggregated from individual contacts of employees, as one of many use cases.

Currently, HTTP and XML are the underlying concepts, allowing an easy adoption. But Open-Xchange considers approaches like information cards as well for the future. The focus is on a common semantics and standardized interfaces to exchange that information. And Open-Xchange claims that several large social network providers are starting to support that concept.

Social OX is an interesting threat for providers of social networks, given that it opens them up. But will it also affect their business models? Currently, the lock-in is a part of the concepts. With approaches like Social OX (and the approach for exchanging social network information might be used by other vendors as well) that lock-in disappears, allowing to use platforms like Open-Xchange to read the data out and publish it to another social network. That will allow a faster and more easy switch between social networks.

However, it is unlikely that leading social networks will disappear. They benefit from the number of users and they especially benefit from their other services around the personal information which could be exchanged using Social OX. However, it will become easier for new social networks (and other system relying on that information) to enter the market. Today, the value of new social network approaches is frequently low because there are too few users. That will become easier, even with the need of others to subscribe and import their data as well.

Social OX has the potential to influence the way we work with social network data and personal information, with Open-Xchange (and maybe other vendors) acting as personal information hub. It might as well allow new business models (think about personalization). And it might lead to a world with more successful social networks than today, due to a lower market entry for newcomers. But as long as the market leaders focus on the added values for the network members and have a valid business model (which isn’t necessarily true for all of them today), Social OX will not lead to their replacement. However, they will have to learn to exist without the lock-in of social network information of their customers.

Zugriffsmanagement richtig gemacht

Mon, 17 Aug 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

In diesem kostenlosen Webinar gehen wir darauf ein, wie eine ideale Basis für ein konsistentes Access Management geschaffen werden kann und wie man dieses schrittweise weiterentwickelt.
Download

Identity – Last Man Standing?

Tue, 11 Aug 2009 15:55:41 +0200

In Tim Cole

Somehow the Hofbraeukeller in Munich, one of my favorite city’s nicest beer garden restaurants, seems to lend itself particularly well to long, meandering discussions of identity management. It’s the place the U.S. participants at the European Identity Conference regularly gather for their pre-conference pigs’ feet feast, and since it’s conveniently located around the corner from where I live, I often use it as a meeting place for visitors from all over the world. I mean, if you’re in Bavaria, by all means go to a Bavarian place for lunch instead of one of the ubiquitous sushi stalls.

I thought my latest guest, Tom Stewart, CFO of MultiFactor Authentication out of Irvine, CA, would be thrilled, but it turns out he spent two years working for Intel in Munich, so he’s been there and done that. Which is okay, because it gave us more time to get down to basics about his company’s strategy and products.

Tom is in the business of making security tokens obsolete. I know you’re going to hate this if you just gave a pile to RSA or Verisign, but MultiFactor believes that hardware-based strong authentication is poised to go the way of the dodo.

Of course, software tokens have been around for quite awhile, but they are often considered to be weaker than hardware tokens, or else they require some fancy PKI architecture to make them safe enough for serious corporate use.

Well, think again, Tom says. His “SecureAuth” system sits inside the firewall and handles full bidirectional X.509 authentication for apps and other systems without any tokens or PKI infrastructure and, more importantly, at a fraction of the cost. The system used to connect the client with your company network is proprietary, but it uses SAML or any other system you want to use to connect to outside applications or SaaS providers. Just how they do it and whether it really works the way they say it does is beside the point here, but readers are invited to visit their website at www.multifa.com for a free online demo and as much nerdy prose as you can stomach. (Tom is a marketing guy, but he is apparently surrounded by a team of true, dyed-in-the-wool techies.)

Personally, my attention perked up when Tom began to describe the way SecureAuth acts as a kind of gatekeeper for Active Directory (in 90 percent of cases, he says) or any other directory service you happen to be running.

This seems especially exciting to me when you consider it in terms of Cloud Computing, where we are seeing a rash of new cloud-based identity services. Bob Blakley of Burton described what he calls the “ability to build a virtual identity provider using a multitude of different services”. At the Catalyst Conference in San Diego a few weeks ago, he expressed his surprise that, unlike what everyone was expecting, providing identity services for the Cloud wasn’t turning out to be “this big monolithic thing”. Instead, the market is building a set of small specialty firms that handle identity tasks and offer discrete billable units that companies can put together. Ping, for instance, integrates PingConnect with Google Apps so a user’s Google ID can be used for single sign-on across some 60 online services.

Sourcing your identity management may appear to make good business sense, but does it really? After all, companies are sourcing just about everything else related to their IT. But Tom believes, and I agree, that identity management is the last thing you want to see going out the door. “As long as you control the directory, you control everything”, he maintains. Letting external service providers make changes or allowing them to make copies of your directory, which some do, is simply asking for big trouble.

My feeling, and it’s nothing more than that, is that companies will be very cautious in moving towards the cloud, choosing a step-by-step approach rather than taking the sudden plunge. As much as small and medium-sized enterprises would love to say goodbye to their IT and concentrate on their core business, they should draw the line at their directory, be it active or otherwise.

In fact, you could probably make a case for keeping only your directory and sourcing everything else, but then what is the poor CIO to do? Anyway, directory services might actually prove to be the Last Man Standing as corporate IT gradually disappears into Cloud-cuckoo-land.

Is PAM (or PIM or PUM) moving into Provisioning?

Tue, 11 Aug 2009 13:13:17 +0200

These days I have been talking with Siemens on enhancements for their DirX Identity product, a provisioning tool (and, by the way, a pretty good one). Amongst the new features is some support for Privileged Account Management (PAM). That’s interesting. I’ve blogged some time ago about the possibility of provisioning vendors starting to acquire PAM vendors and adding these capabilities to their provisioning products.

Siemens didn’t acquire but implemented some own technology. They mainly focus on providing one-time passwords for the use of privileged accounts and re-setting these passwords after use. This is combined with strong authentication, using smartcards. In fact it is sort of a mix between product (resetting passwords and all that stuff) and project (adding strong authentication using other products). But finally they became a pioneer in integrating PAM with provisioning.

There is no doubt that the leading PAM suites like the ones provided by Cyber-Ark or Lieberman Software provide a much broader feature set. However, integrating that with provisioning tools, identity lifecycles, and existing (self) service interfaces is a valid approach. I expect other vendors to follow, adding PAM support as well. However, the specialists will provide a more sophisticated solution at least for a pretty long period of time (unless they become acquired…).

But what Siemens has done proves my thesis on PAM moving into provisioning, servicing the specific requirements of customers. And it proves that PAM is moving from a niche topic towards a mainstream technology in the broader IAM market.

Regarding the term PAM (or PIM or PUM): I prefer Privileged Account Management because it is about accounts which are associated to a person and their digital identity. The user is sometimes associated with an account, sometimes more understood as a construct in between, e.g. a user-ID with some accounts associated and sometimes the situation that some person with one digital identity could have multiple user-IDs. For what is managed, PAM seems to be the most appropriate term, from my point of view.

Licensing for the cloud – the Skype case

Mon, 03 Aug 2009 14:53:35 +0200

These days, there were several articles in different media stating that eBay might discard its Skype service. The reason is that they haven’t acquired the underlying P2P core technology. This is still owned by Joltid. And Joltid plans to terminate that license agreement. One doesn’t need to be a prophet to guess that the real reason behind that situation is about money…

However, eBay definitely is in a difficult situation. They might find a deal with Joltid. They might discard the Skype service with its 16 million users – which probably won’t be that lucky about. They might develop an own P2P technology. Or they might replace the P2P technology. Given the limited time eBay has to solve the problem they the most likely options are that eBay either will find a new agreement with Joltid or will have to acquire another P2P technology. There are several P2P providers out there, some supporting phone capabilities, like Collanos Phone. There are Open Source projects like Gizmo. Thus there are some options. It will require some intense technical due diligence for eBay to choose the technology which allows to continue the Skype service with somewhat equal features and not too much of disruption for existing users. But there are solutions out there.

It will be interesting to observe which option eBay chooses. Given that I’m a Skype user, I’m really interested in. I’m as well interested from a perspective of an analyst for the Cloud Computing market, because the situation eBay is in shows the inherent complexity of Cloud Computing with many different relying parties. Think about a situation where, just as an example, a database isn’t provided any more by the cloud computing platform it has been run on before, because the company providing the platform has terminated the agreement with the database vendor. That would be somewhat the same story. Thus, think about these dependencies and look at the potential problems…

Microsoft: minimum disclosure about minimum disclosure

Mon, 03 Aug 2009 07:00:47 +0200

A good year ago, Microsoft acquired an innovative company called U-Prove. That company, founded by visionary Stephan Brandt, had come up with a privacy-enabling technology that effectively allows users to safely transmit the minimum required information about themselves when required to – and for those receiving the information, a proof that the information is valid. For example: if a country issued a digital identification card, and a service provider would need to check whether the holder over 18 years of age, the technology would allow to do just that – instead of having to transmit a full data set, including the age of birth. The technology works through a complex set of encryption and signing rules and is a win-win for both users who need to provide information as well as those taking it (also called “relying parties in geek speak”). With the acquisition of U-Prove, Microsoft now owns all of the rights to the technology – and more importantly, the associated patents with it. Stephan Brandt is now part of Microsoft’s identity team, filled with top-notch brilliant minds such as Dick Hardt, Ariel Gordon, Mark Wahl, Kim Cameron and numerous others.

Privacy advocates should (and are) happy about this technology because it effectively allows consumers to protect their information, instead of forcing them to give up unnecessary information to transact business. How many times have we needed to give up personal information for some type of service without any real need for this information? For example, if you’re not shipping anything to me… what’s the point of providing my home or address? If you are legally required to verify that I’m over 18 (or 21), why would you really need to know my credit card details and my home address? If you need to know that I am a customer of one of your partner banks, why would you also need to know my bank account number? Minimum disclosure makes transactions possible with exactly the right fit of personal details being exchanged. For those enterprises taking the data, this is also a very positive thing. Instead of having to “coax” unnecessary information out of potential customers, they can instead make a clear case of what information they do require for fulfilling the transaction, and will ultimately find consumers more willing to do business with them.

So all of this is really great. And what’s even better, Microsoft’s chief identity architect, Kim Cameron has promised not to “hoard” this technology for Microsoft’s own products, but to actually contribute it to society in order to make the Internet a better place. But more than one year down the line, Microsoft has not made a single statement about what will happen to U-Prove: minimum disclosure about its minimum disclose technology (pun intended!). In a post that I made a year ago, I tried making the point that this technology is so incredibly important for the future of the Internet, that Microsoft should announce its plans what do with the technology (and the patents associated for it).

Kim’s response was that Microsoft had no intentions of “hoarding” the technology for its own purposes. He highlighted however that it would take time to do this – time for Microsoft’s lawyers, executives and technologists to irk out the details of doing this.

Well – it’s been a year, and the only “minimum disclosure” that we can see is Microsoft’s unwillingness to talk about it. The debate is heating up around the world about different governments’ proposals for electronic passports and ID cards. Combined with the growing dangers of identity theft and continued news about spectacular leaks and thefts of personal information, this would really make our days. Unless you’re a spammer or identity thief of course.

So it’s about time Microsoft started making some statements to reassure all of us what is going to happen with the U-Prove technology, and – more importantly – with the patents. Microsoft has been reinventing itself and making a continuous effort to turn from the “bad guys of identity” a decade (in the old Hailstorm days with Microsoft Passport) into the “good guys” of identity with its open approach to identity and privacy protection and standardisation. At Kuppinger Cole we have loudly applauded the Identity Metasystem and Infocards as a ground-breaking innovation that we believe will transform the way we use the Internet in the years to come. Now is the time to really start off the transformative wave of innovation that comes when we finally address the dire need for privacy protection. Microsoft has the key in its hands, or rather, locked in a drawer. C’mon guys, when will that drawer finally be opened?

Finally: an open XACML API!

Fri, 31 Jul 2009 19:15:45 +0200

Whilst at the Burton Group’s Catalyst 2009 conference, I ran into Prateek Mishra from Oracle who told me somewhere between the lines of our conversation that a new XACML API that has just been posted to the OASIS XACML TC. It was a “soft launch” that was announced at the Kantara meetings on Monday at Burton Catalyst (which very unfortunately, I missed). When Prateek mentioned it to me, it stopped me dead in my tracks, because I find it really significant news – a very important step towards flexible access control policy based on XACML. Before I get in the details, let me step back a bit and explain what this is, why I find this so significant and why it got me so excited.

XACML, the eXtensible Access Control Modeling Language is an XML-based standard for authorization and access control. It is based on the Attribute Based Access Control (ABAC) model that is hailed as the next generation of access control models. According to many, ABAC will ultimately replace RBAC (Role Based Access Control). Instead of only using a role as the determining factor whether to grant access or not, many attributes can be used. Of course roles can be used in ABAC as well – since ABAC can use multiple attributes to make access control decisions, the “Role” can be one of those attributes – so ABAC can emulate RBAC perfectly while adding many additional advantages. This means that it is possible to add context to the access control decisions and adds for a finer granularity, tighter controls and more flexibility for the business.

Here’s an example: I might be authorised to make bank transfers from an application. In RBAC, this would usually mean that I would have a role enabled for my account, for example “Make_Transfers”. Simple, right? Well, perhaps not so. As the need for control gets tighter, I may be authorised only to make transfers up to a value of 2000 EUR without any approval. Anything else above that requires the approval of at least two of the financial supervisors. So how would you do this with RBAC? Not really so easy. And with ABAC? Piece of cake. With RBAC, the bank transfer application would have to have some hardwired piece of logic implementing the “max 2000 EUR without approval”. With ABAC, the policy could just express that if I have the role “Make_Transfers” and “transfer_amount <= 2000” the operation is approved. ALso approved is an operation if I have the role “Make_Transfers” and “transfer_amount <= 2000” and “valid_approvals >= 2”. Everything else is denied.

So let me get back to the XACML API. There has been adoption by XACML, and I could even see it for myself here at Burton Catalyst 2009 just by meeting the sheer number of vendors that are actively supporting it and using it it for policy enforcement and access control. What has really been missing however was a ready-to-use API that would allow developers to make an access control request in their application and get a decision. Now we finally have an API that allows developers to do just that. I’ve spent over an hour yesterday hunched over my brand-new netbook with Prateek and Pat Patterson, poring over the API and can only say: thumbs up!

So what can this API be used for? Is it easy enough for developers to jump on and enable their applications for externalised access control? Well, not really. XACML is a very powerful and expressive policy modeling language, and also defines a request/response protocol. This creates a certain level of complexity. Whilst of course it is possible for application developers to use this API in their applications, I think that higher-level authorisation APIs are still needed that make it “dead easy” for developers to externalise access control. For matters of comparison, I was very impressed at how easy it is to .NET developers to harness the Geneva Framework (which is now called WIF or Windows Identity Foundation). Microsoft has made it truly “dead easy” for developers to make their applications ready for externalised authentication and claims – with just a few lines of “plumbing code”. Externalising authorisation must be made just as simple. The XACML API is a great start to provide a foundation that can be used to connect simpler APIs and existing access control frameworks to XACML.

Kudos for Cisco and Oracle for having contributed this. Great work, guys!

About trademarks in the IAM business

Thu, 30 Jul 2009 12:41:26 +0200

These days I have learned that Fischer International Identity has trademarked to pretty generic terms:

Identity as a Service (TM)
IaaS (TM)

I wondered (and still wonder) about that. Fischer declared that they have invented that type of business (”a services-based architecture built from the ground-up for the express purpose of cost-effectively delivering identity management capabilities via the Software as a Service (SaaS) model”), built on a SOA architecture, supporting multi-tenancy, being able to work across firewalls. Honestly: Yes, they are an innovator in that space.

Unfortunately, that isn’t the only technology to which the terms mentioned above are applied. There are many different identity services. External identity providers for OpenID, strong authentication services, SSO for the cloud,… – to all these services the terms IaaS (TM) and Identity as a Service (TM) are frequently applied. And if you look at Application Security Infrastructures, then it is as well about providing identity services.

Thus, I agree with Fischer that they are sort of a pioneer in providing “provisioning as a service” (which would be PaaS) but I don’t agree with their view on that they have invented they entire market space for which these terms are used today. Anyhow, it is a little like Daimler having trademarks on “car”, “Automobil”, and other related terms, isn’t it!?

On the other side: Maybe I shouldn’t bash on Fischer for trademarking (why not try to get them?), but the ones on the governmental side which have agreed to trademark these very common terms. What will be next? SaaS (TM)? Cloud Computing (TM)? I really can’t understand that such common terms are trademarked (and I will use some related but somewhat different terms in the future). However, anyone who uses these terms has to attribute ownership of the mark to Fischer International Identity, like they have stated. Let’s look how they deal with the trademarks in practice. And be careful when using these terms.

To comply with the trademarking stuff: Identity as a Service (TM) and IaaS (TM) are trademarks owned by Fischer Internation Identity.

The blessings of 3G with Win 7

Fri, 24 Jul 2009 17:30:27 +0200

Asa tech savvy person and all-time traveller I recently acquired a mobile network data flat of one of the local German and international providers – the one with pink logo. For every contract/subscription you sign, you usually get some perks, extra stuff, a mobile handset or – in my case – one of those netbooks. The Acer Aspire One 531 I was sent does feature an integrated 3G modem by OPTION Wireless ad comes with Windows XP Hometo my demise. Failing in preparing a proper backup (Acer gives you a backup software to burn media – but a netbook does not have an optical drive, and maping the DVD burner in my home Vista machine is not acceptable use of the software – and thus deactivated) I killed XP home anyway and installed Win 7 fresh of a 8 GB USB flash (see here for a geek howto, or here for the DAU help with prepping the USB stick). All worked well – even a complete Office 2007 and Visio2007 found its way on the device – no driver problems, except… for the 3G!

I spent way too much time to figure this out, so here are the resources needed:
Driver handling & tweaking plus driver links
http://www.itgrl.de/2009/03/31/aspire-one-3g-treiber-fur-umts-modem/
Driver Links Acer
http://global-download.acer.com/GDFiles/Driver/3G/3G_Option_5.0.12.0_XPx86_A.zip?acerid=633776034442008284&Step1=Netbook&Step2=Aspire One&Step3=AO531h&OS=X01&LC=de&SC=EMEA_8
Driver Links Option (IMEI required!)
http://www.option.com/en/support/software-download/product-list/

After trying desperately to use the T-Mobile web´n´walk software for a while (even the EMBEDDED Version taken from the mysterious FTP server in Czech Republic) did always UNINSTALL the Option drivers leaving my netbook without connectivity.
Using the ACER Software DOES the trick though, but yu have to tweak it:
the Acer 3G Connection wil fail to connect (it finds the device, SIM is entered, network is acquired) but the it get stucks while “connecting” aka “Verbinden…”.
Again, calling the friendly mobile provider support, we quickly analyzed that we are only one step away. Simple solution:
create a new modem connection with *99# as the number to be dialed and all works well suddenly!

Now, back to real work… message me if you have a working setup with w´n´w software on Win 7 and internal Option MOx40 cards… or actual stand alone drivers for Win 7 that are NOT deleted when installing w´n´w

Externalizing Identity to the Cloud

Thu, 23 Jul 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Externalizing Identities from applications into a service oriented layer within the enterprise IT architecture has been discussed a lot within the last years, mainly in the light of reducing application development costs and to devolve all those identity silos captured in enterprise applications. With cloud computing and *aaS picking up momentum, the externalization of identity management into such a service layer finally seems to be rewarded with enough attention to move far up on many CIO´s...
Download

Many test cases for German eID card

Wed, 22 Jul 2009 14:20:31 +0200

Some days ago the German government announced a list of 30 companies with test cases for the upcoming eID card, which will be available starting November, 2010. The good news is that the BMI (Federal Ministry of the Interior) has managed to get a good number of test scenarios outside of eGovernment. The identification of flight passengers at airports, hotel check-in, online shops, and some use cases for age verification are on the list of published test cases.

For sure there are as well many eGovernment applications amongst these 30+ scenarios but the real important thing is that there are obviously many partners outside the eGovernment which are interested to use the eID card for identification (or age verification) purposes within their specific business use cases. If they succeed, there will be a lot more partners once the eID card is officially issued - and the more companies will use the eID card, the more momentum will be there for “buying” the eID card and switching to it from the current conventional ID card. That is about “buying” because the eID card is mandatory when renewing the current eID card (which is valid 10 years from the date of issuance). That fee will be accepted more likely when the card can be used for many use cases.

Overall it appears that the German government is doing a good job in creating some interest in and momentum behind the eID card. And doing a broad test with many partners more than one year before the card is distributed widely is definitely important – there will be many lessons learned. Anyhow, the biggest threat for the eID card still will be the acceptance. Test cases are one thing – the other aspects are usability (make the eID card as easy to use as possible, even from home) and trust. There will be a lot of discussions around the eID card, and educating users about the security and privacy (which is pretty good in the eID card concept) is extremly important for the success of the German eID card. But there will be a lot of FUD (fear, uncertainty, doubt) raised around this issues, like “the fingerprints aren’t fully secure”. Yes, in fact, there is some slight chance of abuse – but what the eID card provides is a big step forward for most of the users. Thus, we should look at it more positive and understand it as an important improvement for security in the Internet – with some shortcomings (national, time-to-market,…).

It will be definitely interesting to observe the different test cases and the lessons learned there. Despite all doubts, the German eID card has a good chance of becoming a successful project.

Virtual Directory Innovations

Tue, 21 Jul 2009 17:45:01 +0200

As someone actively covering directory services and virtual directories, several innovations have caught my attention. The players within the virtual directory space are (in alphabetical order) Optimal IDM, Oracle, SAP, Radiant Logic, Red Hat, and Symlabs. When it comes to product development and innovation within the last year, you can split those vendors right down the middle. – Optimal IDM, Radiant Logic and Symlabs have been actively developing their product and churning out new features in new versions. The others have not been adding any features, but instead spent time changing logos, product names, default file locations and otherwise integrating the virtual directory products into the respective Oracle/RedHat/SAP identity management ecosystems. In fact, in some of the latter cases I ask myself whether it is likely to expect any virtual directory product innovations anymore.

So what’s new? Where’s the innovation happening?

Optimal IDM: New connectors have been added for Microsoft SQL Server 2008, eDirectory. A special version for Microsoft Sharepoint integration has also been released, as well as “automated compliance features” that monitor for changes that violate definable rules and alert administrators.

Radiant Logic: Its flagship product, formerly Radiant VDS (Virtual Directory Server) has been split up into to new products: The VDS Proxy Edition and the VDS Context Edition. The former is a classical virtual directory product that falls into the same category than Oracle VDS and the Symlabs Virtual Directory products. The latter is a mix of meta-directory and virtual directory features. Radiant Logic has rewritten major parts of the virtual directory core to make it more efficient in order to overcome performance problems that used to be a weak point in the product.

Symlabs: A full virtual tree functionality has been added. This makes the product easier to configure. In the past, a virtual tree had to be constructed by manually configuring plugins to filter and route requests. This had made configuration more difficult compared to other virtual directory products. This used to be a weak point in their products, like the performance used to be a negative point in Radiant Logic’s virtual directory server. Symlabs has also added a complete web-based remote administration interface that can be used instead of, or side-by-side with the local Java configuration interface.

What else is new? The latest piece of news comes from Symlabs who have released a competitive benchmark paper that contains the results of a comprehensive benchmark of the virtual directory servers from Oracle, Radiant Logic and Symlabs. The numbers speak for themselves. Of course, comparative tests by vendors must always be taken with a grain of salt. In the report, Symlabs encourages companies to do their own benchmarks to verify the results in the Symlabs study. However, the numbers are credible and document what has already been known for some time. The Symlabs product comes out as the fastest virtual directory. This is unsurprising, due to a very efficient internal design and a small footprint that this translates to a level of efficiency that surpasses other virtual directory servers.

At second place in the competitive benchmark comes Radiant Logic’s VDS Proxy Edition server, which is also interesting. Until end of last year, Radiant Logic’s virtual directory product was at the tail end of all performance benchmarks, beaten by both Oracle and Symlabs by – at least – a scale of magnitude. Radiant Logic has done some hard work last year to catch up, and it shows by surpassing the Oracle product in the benchmarks and coming in second place.

The virtual directory segment continues to be innovative. This is good for customers that are increasingly adopting virtual directories as simple point solutions to solve integration issues between applications and directory servers. However, innovation does not happen everywhere. It has been very quiet around Red Hat’s, SAP’s and Oracle’s virtual directory products for a long time – up to now, little has happened with those products. Optimal IDM, Radiant Logic and Symlabs have done some serious enhancements to their products and compete head-on in the virtual directory arena. Remember the old stereotype that smaller companies tend to be much more innovative than the larger ones?

Lesser of two evils?

Wed, 15 Jul 2009 12:05:33 +0200

In Tim Cole

More than 250.000 people have watched “ethical hacker” Chris Paget cruising the streets of San Francisco gathering RFID data from the new U.S. PASS cards and “enhanced” chipped drivers licenses. All it took him about $250 for a scanner and an antenna, as well as a piece of software he downloaded from the Internet. The new “e-passports” are now mandatory for U.S. citizens entering the United States from Canada, Mexico, Bermuda and the Caribbean, though conventional passports will be accepted as long as they are valid. Paget was able to read and clone the information of the chips within minutes. While only tag numbers were intercepted, not the personal data on the chip, this is enough to identify and track individuals, which brings us a step closer to my favorite nightmare scenario: As I leave the airport in, say, Tunis or Cairo on my way to a nice sunny vacation I am picked up and followed by jihadists bent on killing any American capitalist swine they can find.

This may not be news to most of us, but what struck me was a comment by Gigi Zenk, a spokeswoman for the Washington state Department of Licensing, quoted in today’s edition of the “International Herald Tribune”, who believes that “Americans aren’t that concerned about RFID” in a time when “tracking an individual is much easier through a cellphone.”

Is this simply a brainless bureaucrat talking twaddle, or is she being cynical? Then again, maybe she has a point: If people did care a lot about “little brother”, as the global surveillance web is now being referred to, wouldn’t they do something about it? Like switch off their mobiles?There have been rpeorts of German tax dodgers being caught because they said they were at home when in fact their phones were in the offices of a bank in Zurich.

In Germany, supposedly a country obsessed with privacy concerns and boasting the strictest data protection laws on the planet, a law calling for issuing RFID-enabled passports passed with hardly a murmur, and they are now gearing up to issue each and every one of their 80-some million citizens a mandatory personal ID card that will also carry a chip.

Maybe cynicism does help. How about this: If everybody is naked, nobody will be bothered by nakedness. Just blend in with the crowd. Implant an RFID chip in every forehead. There’s safety in numbers, after all. Or then again, maybe not…

New design

Tue, 30 Jun 2009 22:26:03 +0200

We would like to present a “design refresh” of our web sites: www.kuppingercole.com, blogs.kuppingercole.com, and www.id-conf.com.

We hope that a common header style will increase recognition and ease navigation between the sites.

You are welcome to visit anytime, there is always something new waiting for you

The flowering of the identity store

Sat, 27 Jun 2009 09:22:34 +0200

In Tim Cole

The Personal Data Eco-System (diagram by Iain Henderson and Drummond Reed)

Another reason I really love Twitter: It takes you places you might never have found on your own. Take a recent post by xmlgrrl, a.k.a. Eve Maler of Sun Microsystems, a terse pointer to a posting by Iain Henderson of Mydex on rightsideup.net entitled “The Personal Data Eco-System” which provides by far the best theoretical overview that I, at least, have seen on the true nature and function of personal data.

The text is an abstract of a session Ian and his pal Drummond Reed of Concordance, who is also a trustee of identitycommons, held at a recent West Coast VRM Workshop and which is also intended as an introduction to the Kantara workgroup where they hope to explore these scenarios more deeply. The focus of the piece is on what Iain and Drummond describe as “Personal Data Stores”, a slightly confusing term for a kind of data warehouse in which to store all the personal data available about me (or you) so that it can be used for anything from paying a credit card bill to scheduling a doctor’s appointment or even planning a home move.

But where it gets really exciting is when the two start to discuss what kind of data there is about me (or you) , what the relationship is between the different kinds of data and how they interact. Basically, they divide all personal data into five categories:

My Data (information about me that I, and only I, own and control)
Your Data (information about me that someone else – e.g. an organization or the government – owns and controls)
Our Data (information about me that is accessible to both me and them, e.g. buyer and seller)
Their Data (information about me that is owned and sold by third parties such as a credit card company)
Everybody’s Data (information about me that is in the public domain, e.g. my postal address or an electoral roll)

Iain and Reed have created the absolutely fascinating flower-like Venn diagram pictured above explaining how and where these separate sorts of data intersect to create what they describe as a “Basic Identifier Set” in the middle. This for them is the “core personal identity data and they believe it will enable a working “personal identity eco-system” for providing services and ensuring transactions sometime in the future, with the individual functioning as the “un-knowing point of integration” of data about themselves.

They describe in detail the various dynamic flows of data between the different categories, such as from My Data to Your Data where individuals provide information about themselves under certain conditions (think the “tick boxes” on web forms indicating whether I want to receive your newsletter if I buy your product) or from Your Data to Their Data as an organization shares information about me with another organization, something which can happen legally (as in identity federation) or illegally (then it’s called identity theft).

I find the Henderson/Reed Diagram an extremely illuminating intellectual achievement since it illustrates the huge complexity involved in addressing issues of identity, both digital and analog. I’m not so sure whether I agree with Iain’s conclusion and forecast that over time (”in 10 years”) some 80% of customer management processes will be driven from a “My Data” perspective. He argues that the rush for user-generated content, as well as economic reasons, will cause organizations to move to a user-controlled model of identity management.

Well, I’ve been around long enough to know you can multiply a given prognosis involving a ten-year timeframe by a factor of between two and ten and still wind up way out in left field. But I do think they are right in assuming that there is a business case for moving towards user-controlled identity. Whether it will be, as they suggest, that allowing a vendor to mine my Personal Data Store for my consumer habits, and especially my buying intentions, will be incentive enough, or whether the prevalent model will be a simple upfront deal – give me your personal information and I will give you a rebate or cash in hand – I don’t know, but until we find out it might be a good idea to contenplate the wonderfully symmetric flower petals of the identity eco-system diagram and ponder it’s implications.

Get the Big Picture - Managing Access beyond SAP for Cross-Enterprise Identity Governance

Thu, 25 Jun 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

In this free webinar, youll learn how an integrated identity governance approach can more effectively improve your risk posture with enterprise-wide policy enforcement, access certifications and role management across all relevant systems. By having a single view into user access rights, you will greatly improve your visibility into risky or non-compliant areas and automate your processes for managing these risks.
Download

Parallels wants to bring SaaS to the masses

Thu, 18 Jun 2009 13:05:38 +0200

In Tim Cole

Just got back from my favorite neighborhood watering hole in Munich, the Cafe Wienerplatz, where I met with Soeren von Varchmin, who recently moved in next door after spending a few years in Seattle.

Soeren is VP SaaS at Parallels, a company that describes itself as “worldwide leader in virtualization and automation software that optimizes computing for consumers, businesses and providers”. His job is to bring together Internet Providers and Services Providers (ISVs) by providing a common plattform to provision, manage and integrate applications and services over the Internet. His vision is to create a large-scale cloud computing ecosystem where software vendors and cloud operators together deliver a wide variety of services to businesses and consumers.

To achieve this goal, Parallels has written what they call the “Application Packaging Standard” (APS) which they describe as a new application packaging format designed to help implement a Software-as-a-Service (SaaS) business model. I guess you could call is “SaaS 2.0″ (or maybe “ASP x.0″), because it enables almost all industry hosting providers – Parallels’ traditional customer base – to team up with almost any application provider to offer their apps as a rental web service.

Once packaged in the APS format – basically just an XML feed – by a software vendor, an application can be easily “plugged” into an infrastructure of any hosting provider that implemented the standard “socket” for the APS applications.

Soeren thinks this is a real win-win situation, since it gives hosting providers a new, higher-value business model while providing a new distribution channel for ISVs. Parallels is touting their standard as an open plattform, and rumor has it that they will be founding a non-profit organization to push the specification in the public domain., so check out their website at www.apsstandard.org for updates.

The reason I was interested in APS is that it contains full-fledged IdM capabilities, from Single Sign-on through provisioning, payment & billing, and since recently even license management, too. Since everybody is heading for the Cloud these days, I thought it would be intersting to know if APS might be a quick fix to the IdM problem in web-based applications. Soeren seems to think so. And technically, he may be right. But of course, to make ASP a “real” standard he’ll have to generate a lot more interest in the IdM community.

Right now, Parallels is big in the provider and hosting market. Their boast is that, out of about 200 million domains in the world, between 30 and 40 million are powered by their software. Or putting it another way, just aboiut every major Internet Provider in the business is a customer of theirs. But simple hosting and plumbing isn’t all that sexy anymore, and big cloud operators like Amazon, Google, 1&1 or Strato are on the lookout for extra sources of income. By hitching them up with ISVs and SaaS vendors like Salesforce et al. they could conceivably tap into some pretty substantial new revenue streams, especially SMEs who find it appealing to rent IT infrastructure and applications instead of buying.

I asked Soeren if APS could also work as a platform for providing identity as a service, and he liked the idea. After all, if the platform can handle SSO and payment in a safe and scalable fashion, why not use it as a kind of universal identity provider for the Cloud instead of building IdM capability directly into the app?

On the other hand, Parallels still has its work cut out for it convincing the thousands and thousands of ISVs out there to plug their existing solutions – whether already SaaS-enabled or legacy – into APS.

Yeah, it makes sense businesswise, but anyone who has every tried to push a standard knows just how innovation-resistant people in the IT industry can be. But with Soeren living right around the corner now, I’ll be able to check back every time we run across each other at Cafe Wienerplatz, so stay tuned.

Messbare Vorteile für Sicherheit und Kosten durch Single Sign-On mit starker Authentifizierung

Wed, 17 Jun 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

In diesem Webinar wird auf den quantitativen und qualitativen Nutzen von Enterprise Single Sign-On-Projekten in Verbindung mit starker Authentifizierung eingegangen.
Download

Hooray, LDAPcon 2009 is coming up!

Tue, 16 Jun 2009 20:47:41 +0200

I was delighted when I saw that LDAPcon is happening again this year. I went to the first event in Cologne, Germany 2007, and was very impressed. When you have the “creme de la creme” from the LDAP community talking about their favourite topic, you’re guaranteed an interesting and exhiliarating time – assuming that LDAP and directories are your thing.

I still remember last time how Howard Chu gave us a musical demonstration of how a well-performing directory should perform – on the violin! I don’t think anybody forgot that. We also got a very good overview of the different open source projects around directories, and about how to make good use of some of the LDAP extensions.

This time, we’ll also have two action-packed days, and the call for papers is open. I encourage everybody to share their best practises, vision and thought and make this an unforgettable event as well. I’ll be submitting for sure

LDAPcon takes place in Portland and starts on September 20, a day before LinuxCon. The second day will be shared with LinuxCon, it seems. Might as well stay for LinuxCon as well! This is a good event not just for directory vendors and project maintainers, but especially also for those who deploy and run LDAP directories in challenging environments, and those who develop software that talks to LDAP servers. Kudos to the Symas guys for helping organise it (and they are just helping to organise it – it’s not at all an OpenLDAP conference, if that what you’re thinking). I’m definitely looking forward to it!

BTW I just saw that Ludo wrote about it as well, and even posted some photos from the 2007 event.

UnboundID launches frontal attack on Sun – good idea??

Thu, 11 Jun 2009 16:59:11 +0200

I recently received a press release from UnboundID announcing the availability of a new “synchronization server”. This software keeps two LDAP servers in sync (as the name suggests) – bidirectionally. In theory very useful, and it’s free too. But there’s a small trick: the synchronization server supports both Sun’s DSEE (Directory Server Enterprise Edition) and the new Unbound ID Directory Server. In the release, Unbound ID makes no secret of what this software should be used for: to migrate away from Sun’s directory toward Unbound ID’s competing solution.

UnboundID is a start-up based out of Austin, TX. It was founded by several ex-Sun employees, including Neil Wilson, author of the “slamd” load generation engine, and formerly one of the key people behind Sun’s OpenDS. I have already raved about their new LDAP SDK for Java, in my opinion the finest and most complete LDAP development kit for any language ever written.

The company is going after the very lucrative Telco and large service provider market, and launched a frontal attack on Sun Microsystems, who is the market leader in that space. UnboundID is offering a 30-40% reduction in yearly maintenance costs if customers switch from DSEE to their solution. Of course there is the usual fine print, and this offer is limited to medium-sized directories with less than two million entries. Why should Sun customers switch from DSEE to UnboundID Directory? According to UnboundID, their server is faster, has less footprint and is supported on a wider platform range.

It is not really obvious to me however why Telcos and large service providers would want to switch. For one, DSEE has been the de-facto market leader for massive-scale directory services, and customer satisfaction is high (not just if you believe the marketing – I’ve personally heard the same from Telcos using the product). A directory server running in a Telco is an absolutely super-critical component, and ripping it out and replacing it is akin to heart surgery. DSEE is very mature after having been around for many years and the kinks have been ironed out in many very large deployments a long time ago already (in fact, I was in one of those deployments in 2002 – that was fun). UnboundID would obviously need to make a very good case and give organisations a high level of assurance for them to switch over. The Telco sector is much more innovative than others, and tends to be on the bleeding edge of technology – but even so, there is a reluctance to switch from a very mature product that “just works” to a brand-new product.

That’s why UnboundID offers the “synchronization server” in order to try to entice organisations to run both directory servers next to each other for a longer period – to evaluate and eventually become comfortable enough with the UnboundID server to make the switch. It seems that the “synchronization server” has been written specifically for this purpose.

Which, personally speaking, I think is a bit of a pity, but hopefully UnboundID will realise the immense value that this synchronisation server could have once they’ve gotten over their frontal attack on Sun. A generic synchronization server that would keep multiple directories from multiple vendors synchronised is a fantastic value proposition, and I’m sure many organisations would jump at it. Especially when it comes from such brilliant minds like Neil Wilson’s who is known for his awesome LDAP stuff.

Interview with Marina Walser, Novell

Tue, 19 May 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Tim Cole interviews Marina Walser at the European Identity Conference 2009
Download

EIC Impressions

Tue, 19 May 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

A few short interviews from the European Identity Conference 2009
Download

Interview with Kim Cameron, Microsoft

Tue, 19 May 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Tim Cole interviews Kim Cameron at the European Identity Conference 2009
Download

Interview with Fulup Ar Foll, Sun Microsystems

Tue, 19 May 2009 00:00:00 +0200

In Kuppinger Cole Podcasts

Tim Cole interviews Fulup Ar Foll at the European Identity Conference 2009
Download

EIC impressions

Mon, 18 May 2009 23:17:18 +0200

A few more short interviews from the conference

Interview with Kim Cameron

Mon, 18 May 2009 17:34:55 +0200

Interview with Kim Cameron, Microsoft

The Lost Chapters of EIC

Sun, 17 May 2009 05:43:02 +0200

Today we’ve been finally able to get our hands on a tape we almost believed to be lost forever. But thanks to our video technicians we can now present you a few more interviews from the EIC 2009.

Interview with Marina Walser, Novell EMEA

Interview with Fulup Ar Foll, Sun Microsystems (yes, another one!)

Stay tuned for more.

Keynote by Kim Cameron, Microsoft

Fri, 15 May 2009 02:10:47 +0200

The Road to Claims: From Vision to Reality
Kim Cameron, Microsoft

Keynote by Marina Walser, Novell

Thu, 14 May 2009 19:30:25 +0200

SAP-GRC-IdM – What is the Problem?
Marina Walser, Novell EMEA

Keynote by John Aisien, Oracle

Wed, 13 May 2009 21:53:08 +0200

Enterprise IT-enabled Cost Avoidance & Reduction: The Role of Identity & Access Management
John Aisien, Oracle Corporation

Keynote by Eve Maler, Sun Microsystems

Wed, 13 May 2009 16:02:47 +0200

We’re planning to upload selected EIC 2009 keynotes to YouTube and here is the first one.

The Care and Feeding of Online Relationships
Eve Maler, Sun Microsystems

EIC 2009 presentations and keynotes

Tue, 12 May 2009 16:08:46 +0200