KuppingerCole Analysts' View on Adaptive Authentication & Authorization
To understand what this newsletter is about, it’s important that we agree on what we mean by the term “adaptive authentication”. It isn’t a difficult concept, but it’s best if we’re all on the same page, so to speak.
Executive View: akquinet SAST GRC Suite - 70979
by Matthias Reinwarth
Today’s SAP security requirements go far beyond traditional Access Governance needs regarding users, their access and roles. akquinet offers a full-featured product suite for GRC and security for SAP environments. The provided modules cover a wide range of aspects in this sensitive area of SAP security and GRC.
Welcome to the European Identity & Cloud Conference 2016
The European Identity & Cloud Conference 2016, taking place May 10 – 13, 2016 at the Dolce Ballhaus Forum Unterschleissheim, Munich/Germany, is Europe’s leading event for Identity and Access Management (IAM), Governance, Risk Management and Compliance (GRC), as well as Cloud Security. For the 10th time KuppingerCole brings together exhibitors and more than 600 participants including most of Europe’s and the world’s leading vendors, end users, thought leaders, visionaries and analysts.
Beyond Datacenter Micro-Segmentation – start thinking about Business Process Micro-Segmentation!
by Martin Kuppinger
Sometime last autumn I started researching the field of Micro-Segmentation, particularly as a consequence of attending a Unisys analyst event and, subsequently, VMworld Europe. Unisys talked a lot about their Stealth product, while at VMworld there was much talk about the VMware NSX product and its capabilities, including security by Micro-Segmentation.
The basic idea of Datacenter Micro-Segmentation, the most common form of Micro-Segmentation, is to split the network into small (micro) segments for particular workloads, built on virtual networks with additional capabilities such as integrated firewalls, access control enforcement, etc.
With Micro-Segmentation there may even be multiple segments for a single workload, such as its web tier, application tier, and database tier. Security is strengthened further by applying different access and firewall policies to each segment, so that, for example, the web tier can reach the application tier but never the database directly. In virtualized environments such segments can be created and managed easily, far more easily than in physical environments with a multitude of disparate elements from switches to firewalls.
Obviously, by having small, well-protected segments with well-defined interfaces to other segments, security can be increased significantly. However, it is not only about datacenters.
The applications and services running in the datacenter are accessed by users, through fat-client applications or web interfaces; in addition, we see a massive uptake in the use of APIs, both by client-side apps and by backend applications consuming and processing data from other backend services. There is also a variety of cases where data is stored or processed locally, starting with documents downloaded from backend systems.
Clearly, not everything can be protected perfectly. Data accessed through a browser is out of control once it is at the client, unless the client itself becomes part of the secure environment.
Still, there are more options, particularly for organizations with good control over everything within the perimeter and at least some control over the devices. Ideally, everything becomes protected across the entire business process, from the backend systems to the clients. Within that segmentation, other segments can exist, such as micro-segments at the backend. Such “Business Process Micro-Segmentation” does not stand in contrast to Datacenter Micro-Segmentation but extends the concept.
From my perspective, moving beyond Datacenter Micro-Segmentation to Business Process Micro-Segmentation requires two major extensions. One is encryption. Network virtualization limits the need for encryption within the datacenter (though never consider your datacenter 100% safe), but the client resides outside the datacenter. The minimal approach is protecting the transport by means such as TLS. More advanced encryption is available in solutions such as Unisys Stealth.
The other area for extension is policy management. When looking at the entire business process —and not only the datacenter part — protecting the clients by integrating areas like endpoint security into the policy becomes mandatory.
Neither Business Process Micro-Segmentation nor Datacenter Micro-Segmentation will solve all of our Information Security challenges. Both are only building blocks within a comprehensive Information Security strategy. In my opinion, thinking beyond Datacenter Micro-Segmentation towards Business Process Micro-Segmentation is also a good example of the fact that there is not a “holy grail” for Information Security. Once organizations start sharing information with external parties beyond their perimeter, other technologies such as Information Rights Management – where documents are encrypted and distributed along with the access controls that are subsequently enforced by client-side applications – come into play.
While there is value in Datacenter Micro-Segmentation, it is clearly only a piece of a larger concept – in particular because the traditional perimeter no longer exists, which also makes it more difficult to define the segments within the datacenter. Once workloads are flexibly distributed between various datacenters in the Cloud and on-premises, pure Datacenter Micro-Segmentation reaches its limits anyway.
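As an added illustration of the tier-by-tier segmentation described above and of the point that segments must survive workloads moving between datacenters, the following model (not code from the article, from VMware NSX or from Unisys Stealth) evaluates default-deny rules between the web, application and database tiers of one business process. Rules match on workload labels rather than addresses, so a relocated workload keeps its policy; the “location” label and all workloads are constructed sample data, and the flat policy is included only to show how much further a compromised web server reaches without segmentation.

```python
"""Label-based east-west policy for micro-segments (added illustration).

Not code from the article, VMware NSX or Unisys Stealth: a minimal model of
default-deny rules between the web, application and database tiers of one
business process. Rules match on workload labels, never on addresses, so a
workload keeps its policy when it moves between datacenters (hypothetical
'location' label; all workloads below are constructed sample data).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    tier: str       # "web", "app" or "db"
    process: str    # business process the workload belongs to, e.g. "payments"
    location: str   # where it currently runs; deliberately ignored by the policy


@dataclass(frozen=True)
class Rule:
    src_tier: str   # "*" matches any tier
    dst_tier: str
    port: int
    same_process_only: bool = True


# Micro-segmented policy: only the adjacent tier on the expected port.
SEGMENTED = [
    Rule("web", "app", 8443),
    Rule("app", "db", 5432),
]

# Flat network for comparison: every tier may talk to every other tier.
FLAT = [
    Rule("*", "*", 8443, same_process_only=False),
    Rule("*", "*", 5432, same_process_only=False),
]

# Constructed sample inventory: one payments process plus an unrelated HR app.
WORKLOADS = [
    Workload("web-1", "web", "payments", "dc-munich"),
    Workload("app-1", "app", "payments", "dc-munich"),
    Workload("db-1", "db", "payments", "dc-munich"),
    Workload("app-2", "app", "hr", "aws-eu-central-1"),
]


def _tier_match(pattern, tier):
    return pattern == "*" or pattern == tier


def allowed(policy, src, dst, port):
    """Default deny: a flow passes only when some rule explicitly matches it."""
    for rule in policy:
        if rule.port != port:
            continue
        if not (_tier_match(rule.src_tier, src.tier)
                and _tier_match(rule.dst_tier, dst.tier)):
            continue
        if rule.same_process_only and src.process != dst.process:
            continue
        return True
    return False


def lateral_reach(policy, workloads, start):
    """Names of workloads a compromised 'start' could reach on any policy port."""
    ports = {rule.port for rule in policy}
    return sorted(
        w.name for w in workloads
        if w is not start and any(allowed(policy, start, w, p) for p in ports)
    )


if __name__ == "__main__":
    web = WORKLOADS[0]
    print("segmented:", lateral_reach(SEGMENTED, WORKLOADS, web))  # ['app-1']
    print("flat:     ", lateral_reach(FLAT, WORKLOADS, web))       # ['app-1', 'app-2', 'db-1']
```

Because the rules never mention an address or a location, moving app-1 from the Munich datacenter to a cloud region changes nothing about what it may talk to; a policy written in terms of IP ranges would have to be rewritten for every such move.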
Executive View: Gurucul Predictive Risk Analytics - 71511
by Mike Small
Gurucul Predictive Risk Analytics provides an interesting approach that combines access governance, risk management and the detection of cyber threats. Unlike other solutions that focus on network traffic or technical vulnerabilities, this solution focuses on identity, access and user activity to detect and prioritize risk.
Leadership Compass: Privilege Management - 71100
by Martin Kuppinger
How can access to critical systems and business information be controlled while at the same time enabling secure and streamlined business operations? This report provides a guide that helps you find the Privilege Management product best suited to your needs.
Identity management at the center of digital transformation
The first wave of hype around the Internet of Things (IoT) has in many places left privacy and data ownership unaddressed. IoT implementations must take into account the relationship between users, user data, things and services. Only then can they succeed. Users want to decide with whom they share their data. A highly scalable identity and access management is a prerequisite for this. In particular, the mechanisms that control access to data or devices must follow uniform protocols (authorization protocols); otherwise the solutions of different vendors will not be compatible.
Advisory Note: Blockchain Impact on the Financial Industry - 71601
by Bruce Hughes
The Financial industry is estimated to spend over US$1bn on Blockchain projects over the next two years. This report provides an overview of impact Blockchain is having within the Financial Sector, the benefits that can be achieved, the challenges and the changes to expect from this emerging technology.
Mar 15, 2016: Whitelisting and beyond
It is not servers and the cloud but the workstations of company employees that make up the great mass of enterprise IT. Every workstation is therefore a target for potential attackers and must be durably protected against a multitude of internal and external attacks and misuse. Firewalls and virus scanners are accepted and widely implemented security measures today. Protecting the classic desktop, but also server systems, against the execution of unwanted software by users and administrators alike remains a continuous challenge.
Executive View: Intermedia AppID® Enterprise - 71522
by Mike Small
Intermedia AppID® Enterprise is a cloud based identity management platform for web applications. This provides a solution to many of the security and compliance needs of the agile connected business. As well as adding value to the cloud and hosting services provided by Intermedia it is also of interest to organizations that use web applications from other providers.
Executive View: Nexis contROLE - 71502
by Matthias Reinwarth
Nexis contROLE offers efficient and convenient Role Lifecycle Management combined with Role Analytics, either as a standalone solution or as an add-on to existing Identity and Access Management infrastructures.
Mar 08, 2016: How to manage your Azure AD and Office 365: Get a grip on your environment even in the Cloud
In the first part of this webinar, Martin Kuppinger, Founder and Principal Analyst at KuppingerCole, will talk about general benefits of next-generation auditing, alerting, reporting and management solutions for analyzing user and administrator activities across various sources of unstructured data, thus building a potential foundation for a long-term unified compliance and auditing strategy.
In the second part, Charles McDonald, Vice President of Technology at Knowledge Vault, talks about the idea and development of a scalable, open architecture, completely cloud-based compliance platform for nearly all popular cloud services, resulting in a feature-rich, modular one-stop solution with quick interactive search possibilities, preconfigured reports and practically unlimited retention periods.
AWS IoT Suite
by Alexei Balaganski
After an “extended holiday season” (which for me included spending a vacation in Siberia and then desperately trying to get back into shape) it’s finally time to resume blogging. And the topic for today is the cloud platform for IoT services from AWS, which went out of beta in December. Ok, I know it’s been a month already, but better late than never, right?
As already mentioned earlier, the very definition of the Internet of Things is far too broad, and people tend to lump many different types of devices under the term. So, if your idea of the Internet of Things means controlling your thermostat or your car from your mobile phone, the new service from AWS is probably not what you need. If, however, your IoT includes thousands or even millions of sensors generating massive amounts of data that need to be collected, processed by complex rules and finally stored somewhere, then look no further, especially if you already have your backend services in the AWS cloud.
In fact, with AWS being the largest cloud provider, it’s safe to assume that its backend services have already been used for quite a few IoT projects. Until now, however, such projects had to rely on third-party middleware for connecting their “things” to AWS services. Now the company has closed the gap by offering its own managed platform for interacting with IoT devices and processing the data collected from them. Typically for AWS, the solution follows a no-frills, no-nonsense approach, offering native integrations with existing AWS services, a rich set of SDKs and development tools, and aggressive pricing. In addition, they are bringing in a number of hardware vendors with starter kits that help to quickly build a prototype for a new IoT project. And, of course, with the amount of computing resources at hand, they can safely claim to be able to manage billions of devices and trillions of messages.
The main components of the new platform are the following:
The Device Gateway supports low-latency, bi-directional communication between IoT devices and cloud backends. AWS supports both standard HTTP and the much more resource-efficient MQTT messaging protocol, both secured by TLS. Devices authenticate with X.509 client certificates over mutual TLS, while applications can use the familiar AWS IAM credentials; authorization is expressed through fine-grained policies that scope each principal to the client IDs and topics it may use, with a number of simplified APIs available.
The Device Registry keeps track of all devices currently or potentially connected to the AWS IoT infrastructure. It provides various management functions like support and maintenance or firmware distribution. Besides that, the registry maintains Device Shadows – virtual representations of IoT devices, which may be only intermittently connected to the Internet. This functionality allows cloud and mobile apps to access all devices using a universal API, masking all the underlying communication and connectivity issues.
The Rules Engine enables continuous processing of data sent by IoT devices. It supports a large number of rules for filtering and routing the data to AWS services like Lambda, DynamoDB or S3 for processing, analytics and storage. It can also apply various transformations on the fly, including math, string, crypto and other operations or even call external API endpoints.
A number of SDKs are provided including a C SDK for embedded systems, a node.js SDK for Linux, an Arduino library and mobile SDKs for iOS and Android. Combined with a number of “official” hardware kits available to play with, this ensures that developers can quickly start working on an IoT project of almost any kind.
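To make the Device Gateway’s authorization model concrete, here is an added example (not AWS’s own code or documentation) of a per-device AWS IoT policy in the policy document format AWS IoT uses, together with a check that flags policies allowing one device to act for all of them. It assumes the format (Version 2012-10-17; iot:Connect, iot:Publish, iot:Subscribe and iot:Receive actions; client/, topic/ and topicfilter/ ARNs) and that a device’s MQTT client ID equals its thing name in the Device Registry; REGION, ACCOUNT, the telemetry topic layout and BROAD_POLICY are constructed placeholders.

```python
"""Per-device least-privilege AWS IoT policy and a wildcard check (added example).

Not AWS's own code or documentation. It assumes the AWS IoT policy document
format (Version 2012-10-17; iot:Connect, iot:Publish, iot:Subscribe and
iot:Receive actions; client/, topic/ and topicfilter/ ARNs) and that a device's
MQTT client ID equals its thing name in the Device Registry. REGION, ACCOUNT and
the topic layout are constructed placeholders.
"""
import json

REGION = "eu-central-1"     # assumed region
ACCOUNT = "123456789012"    # constructed placeholder account id


def arn(kind, path):
    """Build an AWS IoT resource ARN; kind is 'client', 'topic' or 'topicfilter'."""
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:{kind}/{path}"


def device_policy(thing):
    """Policy for one thing: connect as itself, publish its telemetry, use its own shadow.

    No wildcards, so a stolen device credential cannot impersonate other
    devices or subscribe to their topics.
    """
    shadow = f"$aws/things/{thing}/shadow"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "iot:Connect",
             "Resource": arn("client", thing)},
            {"Effect": "Allow", "Action": "iot:Publish",
             "Resource": [arn("topic", f"devices/{thing}/telemetry"),
                          arn("topic", f"{shadow}/update")]},
            {"Effect": "Allow", "Action": "iot:Subscribe",
             "Resource": arn("topicfilter", f"{shadow}/update/delta")},
            {"Effect": "Allow", "Action": "iot:Receive",
             "Resource": arn("topic", f"{shadow}/update/delta")},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _resource_path(resource):
    """'arn:aws:iot:REGION:ACCOUNT:kind/path' -> 'kind/path'; a bare '*' stays as is."""
    parts = resource.split(":", 5)
    return parts[5] if len(parts) == 6 else resource


def findings(policy):
    """Return the Allow statements whose action or resource is broader than one device.

    '*' is the policy wildcard; '#' and '+' are MQTT topic wildcards, which in a
    topicfilter ARN grant subscription to many devices' topics at once.
    """
    out = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            if action in ("*", "iot:*"):
                out.append(f"statement {i}: wildcard action {action}")
        for resource in _as_list(st.get("Resource", [])):
            if any(ch in _resource_path(resource) for ch in "*#+"):
                out.append(f"statement {i}: wildcard resource {resource}")
    return out


# Constructed counter-example: the kind of policy that ships in quick prototypes.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

if __name__ == "__main__":
    print(json.dumps(device_policy("sensor-0042"), indent=2))
    print(findings(device_policy("sensor-0042")))   # []
    print(findings(BROAD_POLICY))                   # two findings
```

The generated document is what you would attach to the device’s certificate; running findings() over every policy before it is attached is a cheap guard against the “iot:* on *” shortcut that lets any single compromised sensor publish and subscribe on behalf of the whole fleet.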
Of course, Amazon isn’t the first cloud provider to offer an IoT solution: Microsoft announced its Azure IoT Suite earlier in 2015, and IBM has its own Internet of Things Foundation program. However, each vendor takes a distinct approach to the various IoT integration issues. The new solution from AWS, with its strong focus on existing standard protocols and unique features like device shadows, not only looks compelling to existing AWS customers but will certainly kickstart quite a few new large-scale IoT projects. On the Amazon cloud, of course.
Executive View: IBM Cloud Security Enforcer - 71290
by Mike Small
IBM Cloud Security Enforcer is a cloud-delivered solution that provides cloud application visibility, identity and access management, and threat prevention.
Executive View: Centrify for Big Data - 71531
by Mike Small
Centrify Server Suite integrates Hadoop and NoSQL clusters into Microsoft Active Directory for user authentication, authorization and auditing.