by Matthias Reinwarth
The news is already getting quieter around the GDPR, the General Data Protection Regulation issued by the European Union. Several weeks ago it was discussed in detail in many articles, and background information was provided by many sources, including lawyers and security experts, but in the meantime other topics have taken its place in the news.
But unlike some other topics, the GDPR won't go away if it is simply ignored. In less than two years from now it will reach legally binding status as formal law, for example in Germany. Probably one of the most striking characteristics of the new regulation, and one that is constantly underestimated, is the scope of its applicability: it applies in all cases where the data controller, the data processor or the data subject is based in the EU. This includes all data processors (e.g. cloud service providers) and data controllers (e.g. retailers, social media, practically any organisation dealing with personally identifiable information) that are located outside the EU, for example in the US. These, however, seem to be gaining the lead over European organisations in taking the right first steps.
So the GDPR will be a major game changer for a lot of customer-facing services. For many organisations, changing the processes, the applications and the infrastructure landscape to comply with the new requirements laid out in the GDPR will be a massive challenge.
The following image focuses on just some of the “highlights” of the European General Data Protection Regulation. Apart from this, each and every organisation should review the current version of the text, which goes far beyond that. It is available on the Internet, e.g. here, and detailed and profound commentary is available e.g. here. My fellow analyst Dr. Karsten Kinast provided a great short wrap-up during his keynote at EIC 2016 in Munich earlier this year.
While two years sounds like a long period of time, the opposite is actually true. The requirements imposed by the GDPR are, at least in part, substantially different from existing national data protection regulations. Every organisation has to identify which steps are required to implement proper measures to comply with these regulations for its own processes and business models. When the time required to implement all the changes identified is taken into account, somewhat less than two years no longer appears to be a generous amount of time.
Unfortunately, industry associations in particular appear unwilling to supply adequate support or advice and often enough end up with commonplace remarks. Instead of providing appropriate guidance, the opposite is often done by repeatedly praising Big Data as the basis for next-generation business models. While this may well be true for some organisations, it can only be true if they comply with the upcoming GDPR in every relevant respect.
Many important decisions will ultimately have to be left to the courts. This might turn out to be a difficult challenge, with only little practical advice available as of now. But doing nothing is not an option at all.
Compliance with legal or regulatory requirements is rarely considered a value in itself, but it is, and very soon will be even more so, a sine qua non when it comes to data protection, customer consent and privacy. On the other hand, assuring a high level of security and consumer privacy ahead of the legal requirements can be a competitive advantage. So if you have not yet started making your organisation and your business ready for the GDPR and its upcoming regulations, today might be a good day to take the first steps.
Identity Relationship Management: Securely Managing Communication and Collaboration with Partners and Customers
As companies' demand for closer communication and collaboration with external partners and customers grows, so does the need for professional Web Access Management and Identity Federation. Suitable solutions enable secure access from and to external systems, including from the cloud. To cover the large number of requirements for secure communication and collaboration in extended and networked enterprises almost completely with IT while remaining agile, standard infrastructures are necessary.
Executive View: EmpowerID Office 365 Manager - 71322
by Alexei Balaganski
EmpowerID Office 365 Manager is an Identity and Access Management solution for Office 365 providing single sign-on, user provisioning and administration, and access governance functions in a single integrated package.
Executive View: ForgeRock Identity Gateway - 71318
by Alexei Balaganski
ForgeRock Identity Gateway is a centralized proxy-based gateway enabling secure access and policy enforcement for web applications, APIs, devices and things.
Managing Risk through Cloud App Authentication and 360° Control
The easy availability of IT services delivered as cloud services together with the revolution in the range of devices that are used to access these services has created challenges for organizations in the areas of security and compliance. Employees and associates can use their personal cloud services to perform their jobs without reference to their employer. Line of business managers can acquire cloud services without performing risk assessment or considering the impact of these on compliance. To compound the problem mobile devices can be used to access these services from outside of the organizational perimeter anytime and anywhere.
Microsoft announces Project Bletchley on Azure Blockchain as a Service (BaaS)
by Ivan Niccolai
KuppingerCole has long noted the importance of blockchain technologies, whilst also noting that the key challenges to the adoption of blockchain technologies remain standardisation, privacy and security, and the dilemma of which types of blockchain technologies to adopt. With regard to these last two points, the main arguments have centred around the use of permissioned vs. unpermissioned blockchains, and around anonymous, pseudonymous or identified blockchains.
Microsoft made some wise decisions in response to these challenges. Initially, by announcing Blockchain as a Service (BaaS) offerings on Azure last November, and subsequently by announcing many new partnerships with various blockchain technology start-ups and consortiums, it gave organisations the opportunity to begin experimenting with various blockchain tools quickly and easily, without the need to decide on a specific technology at this early stage of maturity of blockchain technologies.
Microsoft has now progressed its BaaS offering further with Project Bletchley. Finally, organisations can begin to make use of the concrete benefits of blockchains whilst remaining agnostic as to which specific blockchain is used to deliver these benefits.
In short, Project Bletchley enables the use of blockchain-powered middleware solutions. The first of the two major tools offered by this latest announcement is called “Cryptlets”. This blockchain- and development-language-agnostic tool allows an organisation to leverage the power of time-stamped decentralised ledgers (blockchains) to secure organisational data without compromising the confidentiality of that data. For example, non-repudiation of a transaction between systems which process confidential data can be ensured by referencing some encrypted, time-stamped information stored on an external blockchain, while ensuring that this information remains completely useless to any third party not engaged in the original transaction.
Cryptlets thus enable a whole new category of Project Bletchley middleware tools that can provide additional security, scalability and performance to typical middleware use cases even if the blockchains used to provide these features do not natively allow such types of features. Some key examples of this toolset include identity, encryption and key management features. This new blockchain-powered middleware stack will work with existing Azure services such as Key Vault and Active Directory.
By using this combination of centralised, authoritative systems such as middleware, public key infrastructure and authentication stores along with features of decentralised, algorithmic consensus-based technologies such as blockchains, it becomes possible to overcome the limitations of both types of technologies whilst also providing new hybrid technologies with better security and performance characteristics.
Centralised systems are necessary to most organisations, yet the authoritative management nodes of these systems often become the targets of malicious actors. Once these key root nodes are compromised, it is often very difficult to recover from a successful attack, as it is very difficult to establish the ‘last known good state’ of the sensitive data. By decentralising this information on time-stamped blockchains, it becomes much harder for an attacker to manipulate the information on a compromised authoritative node without detection.
Project Bletchley finally provides some concrete tools for building these hybrid centralised/decentralised secure systems, which until now have mostly only been discussed in theory. What is important again here is that this project is blockchain-technology agnostic. Just as with TCP/IP, the value of blockchains (or of networking, for that matter) does not come from the use of a specific implementation, but from how it supports a given use case.
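The anchoring pattern described above, sketched as an added example that is not Project Bletchley or Microsoft code: the confidential record stays with the transacting parties, and only a salted SHA-256 commitment plus a timestamp is written to an append-only ledger (here a plain Python list standing in for an external blockchain). Whoever later holds the record and the salt can prove it existed unchanged at that time; a bystander reading the ledger sees only a digest. The party names, amounts and the ledger structure are constructed for this illustration.

```python
"""Anchoring a confidential record to a time-stamped ledger without revealing it.

Constructed illustration (not Project Bletchley or Microsoft code): the record
stays with the transacting parties; only a salted SHA-256 commitment plus a
timestamp goes onto an append-only ledger, here a plain Python list standing
in for an external blockchain.
"""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LedgerEntry:
    commitment: str   # hex SHA-256 over (salt || canonical record)
    timestamp: int    # Unix time at which the entry was appended


def canonical(record: dict) -> bytes:
    # Deterministic serialisation so both parties hash identical bytes
    # regardless of the key order they happen to use.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def commit(record: dict, salt: bytes) -> str:
    # A 32-byte random salt stops a bystander from brute-forcing low-entropy
    # records (guessing amounts or counterparties) against the published digest.
    return hashlib.sha256(salt + canonical(record)).hexdigest()


def anchor(ledger: List[LedgerEntry], record: dict, salt: bytes,
           now: Optional[int] = None) -> int:
    """Append the commitment to the ledger and return its position (the proof handle)."""
    ts = int(time.time()) if now is None else now
    ledger.append(LedgerEntry(commit(record, salt), ts))
    return len(ledger) - 1


def verify(ledger: List[LedgerEntry], index: int, record: dict, salt: bytes) -> bool:
    """Anyone holding the record and the salt can check it matches the anchored commitment."""
    if index < 0 or index >= len(ledger):
        return False
    # Constant-time comparison, so the check does not leak how much of the digest matched.
    return hmac.compare_digest(ledger[index].commitment, commit(record, salt))


if __name__ == "__main__":
    ledger: List[LedgerEntry] = []
    # Constructed sample transaction between two fictional parties.
    payment = {"from": "ACME-001", "to": "GLOBEX-042", "amount": 125000, "ccy": "EUR"}
    salt = secrets.token_bytes(32)
    idx = anchor(ledger, payment, salt)
    print(ledger[idx])                                          # digest and timestamp only
    print(verify(ledger, idx, payment, salt))                   # True
    print(verify(ledger, idx, {**payment, "amount": 1}, salt))  # False: record altered
```

The salt matters: without it, a ledger entry for a record with few possible values (a payment amount, a small set of counterparties) could be recovered by hashing every candidate and comparing against the published digest. In a real deployment the salt is stored alongside the confidential record, never on the ledger.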
Blockchain is more than Bitcoin
by Martin Kuppinger
Martin Kuppinger about Blockchain and that it is more than just a part of the Bitcoin cryptocurrency.
No Real Security Without Multi-Factor Authentication Everywhere
Clearly, there is a trend towards approaches for strong, simple, and flexible authentication, beyond passwords. The benefits fall largely under the categories of an improved customer experience, since with Multi-Factor Authentication (MFA) channels, the reduced dependence on passwords allows password policies to be more user friendly.
Executive View: AdNovum Nevis Security Suite - 71094
by Matthias Reinwarth
A solution for managing secure access to corporate resources and protected assets. Strong authentication, a broad spectrum of access management methods, sustainable maintenance processes of identities and authorization data form the basis for secure and auditable user access to applications.
Executive View: Bomgar Privileged Access Management - 71307
by Matthias Reinwarth
Bomgar Privileged Access Management is a comprehensive solution for managing, controlling and monitoring secure privileged access to critical systems. It implements administrative session management and recording while providing collaboration within sessions and integrates with enterprise infrastructure like IAM, SIEM, ITSM and Change Management systems.
Authentication, Access, Assets: The Triple A of Securing Sensitive Systems and Information
In more than two thirds of all cyber breaches, a misused privileged account serves as the entrance gate. Historically, managing privileged access focused on protecting privileged accounts by securing and managing passwords. But today, simply rotating passwords isn’t enough to defend against increasingly sophisticated cyberattacks. When it comes to securing privileged systems and data, organizations need to broaden their focus on controlling Authentication, Access and Assets.
Blockchains and Their Impact on the Finance Industry
by Ivan Niccolai
There is a lot of talk about the impact blockchains will have on the finance industry. The same holds true for FinTechs. However, what will be the real impact? Will we still have the same banking system in five or ten years from now? Or will some groups of banks (the small community banks such as Volksbanken, the large banks such as Deutsche Bank) disappear and be replaced by new players? Or will the banks absorb the FinTechs?
Before approaching this question, a brief overview of the fundamental characteristics of blockchains and their key concepts is useful. A blockchain is a distributed data structure, brought to worldwide attention by the bitcoin cryptocurrency, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. Algorithmic consensus is the key defining feature of a blockchain. While a public blockchain such as bitcoin’s is completely decentralised as well as distributed, the bitcoin blockchain is better defined as a specific type of blockchain: a distributed ledger. Consensus is key, as blockchains replace implicit trust with a consensus algorithm shared by all participating nodes, be they public or “permissioned”. A permissioned blockchain is a restricted-access blockchain where, unlike bitcoin, only authorised nodes may perform or validate transactions on the blockchain.
Consensus is the mechanism by which all the participating nodes reach agreement about the integrity of the existing distributed transaction log and allow new entries to be written to this append-only, linear data structure. The only way that nodes participating in a blockchain can attain consensus is by the use of a published mathematical algorithm. The consensus mechanism is sometimes termed “trustless” (though not all blockchains operate only with completely anonymous or pseudonymous nodes), as the nodes do not need to trust whatever the other nodes state as truth; they only need to share the same consensus algorithm, which is used to verify blockchain integrity and to admit new transactions onto the distributed log once a majority of nodes have performed the same algorithmic checks.
Another key feature is independently verifiable tamper evidence. It is the same trust mechanism used for consensus that allows the other key feature, independently verifiable distributed log integrity. Just as the nodes use the algorithm to achieve consensus, a third party can audit a blockchain and attest to its integrity.
Figure 1: Example of how a Blockchain works (Source: World Economic Forum)
While blockchains are seen by many as having the potential to be a key enabler for a wide range of applications, from the Internet of Things to Life Management Platforms, here the focus will be on key use cases in the Financial sector. With the above core concepts in mind, it is possible to examine some possible blockchain use cases in the financial sector.
Blockchain technology asset registries could be deployed to manage virtually any asset class (e.g. ships, aircraft, automobiles etc.) and provide a complete unalterable audit trail of ownership, maintenance and valuation.
By its nature the Blockchain is an unalterable chronological record of transaction history, delivered in a fully transparent and accessible form.
Many regulatory processes require a document to have gone through certain states before any given state (e.g. AML and KYC processes). Recording these state changes in the Blockchain conclusively demonstrates compliance with these processes without the need for an intermediary. This could be extended to include proof of audit or control, whereby each new version of a document could be shown to have changed according to a defined set of rules. Such rules-based processes could potentially reduce the cost of governing regulatory compliance dramatically.
International Funds Transfer
The current process for cross-border payments, SWIFT, relies on intermediaries (correspondent banks) before reaching the ultimate physical location. The process is slow with expensive customer fees and bank risks due to weaker banking standards in some jurisdictions. Blockchain offers a new approach, with no geographical borders, middlemen or opacity that has plagued legacy cross-border payments with the added benefits of fast processing and no correspondent fees.
Also, as the recent breach of the Bangladeshi Reserve Bank demonstrates, centralised systems for processing electronic payments are a key target for well-funded attacks by cyber criminals. The SWIFT system is geographically distributed, but it depends on trusted, centralised control nodes maintained by all banks participating in the payment network. By compromising a single node, the criminals were able to fraudulently make transfers of almost a billion US dollars. A decentralised system with a trustless consensus mechanism such as a blockchain would instead require 51% of all participating nodes to be compromised before fraudulent transactions could be added to its distributed ledger.
Securities Issuance and Settlement
The Securities Exchange Commission has approved the issue of public securities via Blockchain-based technology. This is often termed post-trade processing, allowing complex security agreements between multiple parties to be agreed to and stored in a distributed ledger, thus reducing administration costs and the risk of a party reneging on a trade.
Blockchain can facilitate the setup and management of insurance contracts using Smart Contracts technology to ensure data accuracy and the correct payment and settlement of premiums, brokerage, commissions and claims. All parties to a contract will have access to identical exposure data, which will resolve existing data quality issues and help to build better models for measuring aggregate exposures and making capital allocation decisions.
While blockchain technology has the potential to have a disruptive effect on the finance sector and to rattle the hitherto comfortable market position of the largest players in this market, such as global banks and insurance companies, some researchers think it is too early to hail the demise of traditional financial services providers. They cite a number of challenges to mainstream blockchain adoption, the greatest of these being regulatory resistance to the use of blockchains. This position is understandable, not necessarily because of any inherent technical limitations, but largely because of a perception of blockchains that has been dominated by the bitcoin cryptocurrency and the difficulty non-technical regulators have in grasping the core concepts behind blockchains. A fundamental paradigm shift in thinking is required when examining algorithmic consensus systems and approaches to ensuring information confidentiality. Blockchains, permissioned or public, can easily make use of hashing and cryptographic algorithms to store confidential data, and the very nature of consensus only works if the consensus algorithm is known by all participating nodes and all third-party auditors.
Another key hurdle is standardisation. Blockchains must be seen as platforms over which applications and ecosystems can be built to leverage their key strengths, and platforms, more than any other technology, require the adoption of standards to provide business benefits. The blockchain landscape today is still very new, and quite far from widespread agreement on the adoption of any of the many standards proposed.
Executive View: Forum Systems Sentry and Identity Federation - 72511
by Matthias Reinwarth
Sentry, Forum Systems' flagship product, implements a wide range of features: support for a wide range of federation use case scenarios is complemented by API Gateway functionality and mature Web Access Management services.
Data Loss Prevention Best Practice
The first step in protecting intellectual property and sensitive information is to classify it. This can be accomplished manually via author classification or automatically via content filtering. Some tools simplify the process and provide greater governance.
Executive View: Balabit Contextual Security Intelligence Platform - 71306
by Alexei Balaganski
Contextual Security Intelligence is a new IT security concept, which states that additional levels of security controls restricting business performance should be avoided and replaced with more efficient monitoring tools. Balabit’s CSI Platform combines Log Management, Privileged Activity Monitoring, and User Behavior Analytics into an integrated real-time security intelligence platform.