Enabling Risk Based IT Gov

Live Webcast! Join us for key concepts and challenges with IT governance.

A Breach Prevention Plan

On-Demand. Play now to gain insights and some key steps to prevent payment card…

Best Practices for eGRC

On-Demand. Play now and learn how to implement best practices for eGRC.

The Elements of Privacy Risk

KuppingerCole News

  • Why security increases agility, not inhibits it

    by Martin Kuppinger

    A common complaint against Information Security (be it IT security, OT security, or IoT security) is that security costs money but doesn’t deliver business benefits. Wrong!

    In a short-term perspective, security incurs cost. Thus, quarterly reporting and short-term targets push security into the role of an afterthought. Mid-term and long-term, however, this changes. It is obviously cheaper to call simple APIs for security functions than to hard-code security into every application and maintain that code. Application security infrastructures reduce cost. Even more, they make application development faster and more agile: the security infrastructure can be changed, updated, and enhanced without affecting applications.

    Or, to bring up an example from another recent post:

    But that is only one part of the problem. The lack of Security by Design and Privacy by Design is also becoming an inhibitor for the Digital Transformation. An essential element of the Digital Transformation is the change of business models, including rapid innovation and (ever-changing) partnerships.

    A simple example that illustrates the limitations caused by the lack of security and privacy by design is the black box EDR (Event Data Recorder), which is becoming increasingly common and increasingly mandatory by legislation. Both automotive vendors and insurance companies are interested in “owning” the data held in such devices. While I come to the complexity of dealing with data access demands and requirements of various parties later in this post, it is obviously impossible to easily solve this conflict with technology that e.g. relies only on a single key for accessing that data: whoever holds the key reads everything, and whoever does not reads nothing. Modern concepts for security and privacy would minimize such conflicts by allowing various parties to have defined and controlled access to exactly the information they are entitled to access.

    Cynically said: automotive vendors are rushing to roll out new features to succeed in the Digital Transformation, but by failing to do it right, with Security by Design and Privacy by Design, they are struggling with exactly the same transformation. Neither security nor privacy can be an afterthought for succeeding in the Digital Transformation.

    Another example is the scenario described in the recently published Lloyd’s report “Business Blackout”. This report describes the cost of cyber-attacks against the US power grid. While this is more about the cost of security as an afterthought, there is also an indirect agility aspect: new regulations will require better security – and then security by design drives agility.

    In general, the ability to provide services in these times of ever-changing (and ever-tightening) regulations as well as massive differences in regulations depends on the ability to re-configure your services, instead of re-coding them.

    And maybe even Facebook would have been better advised to spend money on security and privacy by design instead of on lawyers and lobbyists in Europe. Then many more Europeans might use Facebook actively than do today, with more privacy controls they could use to configure Facebook’s behavior.

    The good thing, though, is this: once you have prepared your organization for security by design and privacy by design, it becomes more agile. It is ready for faster development of software or connected things and for more agile transformation of business models. It is a one-time investment, so to speak – with massive long-term, as well as near-term benefits.



  • It really is worse than your nightmares – try Shodan

    by Martin Kuppinger

    Shodan is a computer search engine. They call themselves the “world’s first search engine for Internet-connected devices”, including buildings, refrigerators, power plants, the Internet of Things (IoT), webcams, and whatever else you can imagine. Shodan isn’t new. The search engine has been online for several years now. The only new thing is the change in the URL from www.shodanhq.com to www.shodan.io.

    When talking about the challenges we are facing in the IoT and in Smart Manufacturing, I commonly bring up Shodan as an example of what is visible today in this hyper-connected world. Interestingly, most CIOs and other Information Security Professionals, not to mention the rest of the world, are unaware of the fact that such a website exists.

    Just the fact that there is such a search engine around is scary. It indexes the service banners of Internet-facing devices and lets anyone search them by keyword, port, product, or country. It even allows downloading results and creating reports or using that information in other ways. Running automated attacks based on search results is just one example, even while there clearly are “good” use cases as well.

    What is even scarier, though, are the results a simple query such as

    "default password" country:de

    will show. Just run such a query. It proves that reality is worse than your worst dreams. When I ran it today, it delivered 664 results containing default passwords of a variety of systems. Even while you could argue that some of these are not current anymore, quite a number of these passwords will do their job.

    The important lesson to learn from the fact that there is Shodan (and that there are others around) is to do the best job you can do on security. Understand your potential attackers, know which devices expose themselves on the Internet (and stop the ones that don’t need to from doing so), avoid standard usernames and passwords, change passwords regularly, harden your systems, etc. At least follow the standard best practices for security. And clearly, “security by obscurity” is not the best, not a good, not even an acceptable practice – it never worked and clearly will not in the age of computer search engines.

    Furthermore, when providing connected things or moving towards smart manufacturing, first understand that all these connected things will be visible to the Internet. Thus, they can be attacked. Security must not be an afterthought in IoT and Smart Manufacturing, because the attackers already are waiting for you to connect more things or even entire plants.
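    The lesson above (know which of your devices expose themselves, and get rid of default credentials) can be turned into a routine check. As an added example, not code from the original post or from Shodan, the following Python script triages a Shodan-style JSON-lines banner export for hosts inside your own address ranges whose banners advertise default credentials. The sample export, the address ranges (documentation prefixes) and the credential patterns are constructed for illustration; the field names ip_str, port, product and data are assumed to follow Shodan's banner JSON.

```python
import ipaddress
import json
import re

# Constructed sample in the shape of a Shodan JSON-lines banner export
# (one JSON object per line; field names ip_str/port/product/data follow
# Shodan's banner format). Addresses are documentation ranges, not real hosts.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"ip_str": "203.0.113.10", "port": 23, "product": "Telnetd",
                "data": "Welcome to RouterOS\r\nDefault password: admin\r\nlogin: "}),
    json.dumps({"ip_str": "203.0.113.22", "port": 80, "product": "IPCam httpd",
                "data": "HTTP/1.1 200 OK\r\nServer: IPCam/1.0\r\n\r\n"
                        "<title>Login (admin/admin)</title>"}),
    json.dumps({"ip_str": "203.0.113.40", "port": 443, "product": "nginx",
                "data": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<title>Portal</title>"}),
    json.dumps({"ip_str": "198.51.100.7", "port": 23, "product": "Telnetd",
                "data": "Factory default password is 1234\r\nlogin: "}),
])

# Patterns that indicate a device advertising default or well-known
# credentials in its banner. Extend these for your own fleet.
DEFAULT_CRED_PATTERNS = [re.compile(p, re.I) for p in (
    r"default\s+password",
    r"\badmin\s*/\s*admin\b",
    r"password\s*(?:is|[:=])\s*(?:admin|1234|password)\b",
)]


def parse_export(text):
    """Parse a JSON-lines export into banner dicts, skipping malformed lines."""
    banners = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            banners.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return banners


def default_cred_hit(banner_text):
    """Return the matched banner text for the first hit, or None if clean."""
    for pat in DEFAULT_CRED_PATTERNS:
        m = pat.search(banner_text)
        if m:
            return m.group(0)
    return None


def triage(export_text, own_ranges):
    """Findings for banners inside own_ranges that advertise default creds.

    Each finding is (ip, port, product, matched_text), sorted by ip.
    Banners outside your ranges are someone else's problem and are dropped.
    """
    nets = [ipaddress.ip_network(r) for r in own_ranges]
    findings = []
    for b in parse_export(export_text):
        try:
            ip = ipaddress.ip_address(b.get("ip_str", ""))
        except ValueError:
            continue
        if not any(ip in n for n in nets):
            continue
        hit = default_cred_hit(b.get("data", ""))
        if hit:
            findings.append((str(ip), int(b.get("port", 0)), b.get("product", "?"), hit))
    return sorted(findings)


if __name__ == "__main__":
    for ip, port, product, hit in triage(SAMPLE_EXPORT, ["203.0.113.0/24"]):
        print(f"{ip}:{port} {product}: {hit!r}")
```

    Run against a real export of your own prefixes, this produces the short list of devices to take offline or re-credential first; the clean nginx host in the sample shows that matching is on the banner content, not on mere exposure.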



  • Executive View: Virtustream IaaS – Security and Assurance - 71285

    by Mike Small

    An overview of the Virtustream Infrastructure as a Service together with an assessment of the security and assurance provided in respect of five critical risks faced by a cloud customer.



  • Connected Vehicle: Security First

    by Martin Kuppinger

    The recently discovered remote hack vulnerability of Fiat Chrysler Jeep cars, based on their Uconnect functionality, puts a spotlight on the miserable state of connected vehicle security these days. Another recently published article in a German newspaper not only identified a gap in functionality but also illustrates how German automotive vendors and suppliers in particular implement (or plan to implement) security in their connected vehicles.

    While the U.S. has introduced the Spy Car Act (Security and Privacy in Your Car Act) which is about defining industrywide benchmarks and standards for security and privacy in connected vehicles and forces the industry to collaborate, similar legislation is still lacking in the EU.

    The automotive industry currently is in a rush to roll out new smart and digital features (or whatever they perceive as being smart), emulating many other industries facing the need for joining the Digital Transformation. Unfortunately, security is an afterthought, as recent incidents as well as the current trends within the industry indicate.

    Ironically, the lack of well thought-out security and privacy features is already becoming an inhibitor for the industry. While the cost of sending out USB sticks with a patch is still considerably low (and the approach is impressively insecure), the cost of calling back 1.4 million cars to the garages is significant, even without speaking of the indirect cost of reputation loss or, if something really goes wrong, the liability issues.

    But that is only one part of the problem. The lack of Security by Design and Privacy by Design is also becoming an inhibitor for the Digital Transformation. An essential element of the Digital Transformation is the change of business models, including rapid innovation and (ever-changing) partnerships.

    A simple example that illustrates the limitations caused by the lack of security and privacy by design is the black box EDR (Event Data Recorder), which is becoming increasingly common and increasingly mandatory by legislation. Both automotive vendors and insurance companies are interested in “owning” the data held in such devices. While I come to the complexity of dealing with data access demands and requirements of various parties later in this post, it is obviously impossible to easily solve this conflict with technology that e.g. relies only on a single key for accessing that data: whoever holds the key reads everything, and whoever does not reads nothing. Modern concepts for security and privacy would minimize such conflicts by allowing various parties to have defined and controlled access to exactly the information they are entitled to access.

    Cynically said: automotive vendors are rushing to roll out new features to succeed in the Digital Transformation, but by failing to do it right, with Security by Design and Privacy by Design, they are struggling with exactly the same transformation. Neither security nor privacy can be an afterthought for succeeding in the Digital Transformation.

    From my perspective, there are five essentials the automotive industry must follow to succeed with both the connected vehicle and, more broadly, the Digital Transformation:

    1. Security by Design and Privacy by Design must become essential principles that any developer follows. A well-designed system can be opened up, but a weakly designed system never can be shut down. Simply said: security and privacy by design are not inhibitors, but enablers, because these allow flexible configuration of the vehicles for ever-changing business models and regulations.
    2. Modern hardened implementations of technology are required. Relying on a single key for accessing information of a component in the vehicle or other security concepts dating back decades aren’t adequate anymore for today’s requirements.
    3. Identities and Access Control must become key elements in these new security concepts. Just look at the many things, organizations, and humans around the connected vehicle. There are entertainment systems, engine control, EDR systems, gear control, and many other components. There is the manufacturer, the leasing company, the police in various countries, the insurance company, the garage, the dealer, and many other organizations. There is the driver, the co-driver, the passengers, the owner, etc. Various parties might access some information in certain systems, but might not be entitled to do so in others. Some might only see parts of the EDR data at all times, while others might be entitled to see all of that information after specific incidents. Without a concept of identities, their relations, and a way to manage their access, which is what security and privacy by design require here, there are too many inhibitors for supporting change in business models and regulations. From my perspective, it is worth spending some time looking at the concept of Life Management Platforms in that context. These concepts and standards such as UMA (User Managed Access) are the foundation for better, future-proof security in connected vehicles.
    4. Standards are another obvious element. It is ridiculous to assume that such complex ecosystems with manufacturers, suppliers, governmental agencies, customers, consumers, etc. can be supported with proprietary concepts.
    5. Finally, it is about solving the patch and update issues. Providing updates by USB stick is as inept as calling back the cars to the garages every “patch Tuesday”. There is a need for a secure approach for regular as well as emergency patches and updates, which must become part of the concept. Again, there is a need for standards, given the fact that every car today consists of (connected) components from a number of suppliers.

    Notably, all these points apply to virtually all other areas of IoT (Internet of Things) and Smart Manufacturing. Security must not be an afterthought anymore. The risk for all of us is far too high – and, as mentioned above, done right, security and privacy by design enable rapidly switching to new business models and complying with new regulations, while old school “security” approaches don’t.
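    To make the contrast between point 2 (a single key for a component's data) and point 3 (defined, controlled access per party) concrete, here is an added example in Python; it is not code from the original post, from any vehicle platform, or from the UMA specification. The EDR field names, the parties, the entitlement rules and the sample record are all hypothetical and constructed for illustration; real entitlements would be set by regulation and contracts, and a real implementation would authenticate the party and bind the decision to the vehicle's identity rather than trusting a string.

```python
from dataclasses import dataclass

# Hypothetical EDR field names, chosen for illustration only.
EDR_FIELDS = frozenset({"speed", "brake", "airbag", "gps", "vin", "fault_codes"})

# Constructed sample record, not data from any real vehicle.
SAMPLE_RECORD = {
    "speed": 87, "brake": True, "airbag": True,
    "gps": (52.52, 13.405), "vin": "VIN-EXAMPLE-0000", "fault_codes": ["P0420"],
}


@dataclass(frozen=True)
class Rule:
    party: str
    fields: frozenset
    requires_incident: bool = False   # readable only after a reported incident
    requires_consent: bool = False    # readable only with the owner's consent


# Illustrative entitlements (hypothetical): who may see which EDR fields, and when.
POLICY = (
    Rule("owner", EDR_FIELDS),
    Rule("garage", frozenset({"vin", "fault_codes"})),
    Rule("manufacturer", frozenset({"fault_codes"}), requires_consent=True),
    Rule("insurer", frozenset({"speed", "brake", "airbag"}),
         requires_incident=True, requires_consent=True),
    Rule("police", frozenset({"speed", "brake", "airbag", "gps"}),
         requires_incident=True),
)


@dataclass(frozen=True)
class Context:
    incident_reported: bool = False
    consented_parties: frozenset = frozenset()   # parties the owner has consented to


def single_key_disclose(record, holds_key):
    """The model the post criticises: one key, all or nothing."""
    return dict(record) if holds_key else {}


def allowed_fields(party, ctx):
    """Union of the fields every applicable rule grants this party in this context."""
    granted = set()
    for rule in POLICY:
        if rule.party != party:
            continue
        if rule.requires_incident and not ctx.incident_reported:
            continue
        if rule.requires_consent and party not in ctx.consented_parties:
            continue
        granted |= rule.fields
    return granted


def scoped_disclose(record, party, ctx):
    """Return only the fields this party is entitled to; unknown parties get nothing."""
    fields = allowed_fields(party, ctx)
    return {k: v for k, v in record.items() if k in fields}


if __name__ == "__main__":
    after_crash = Context(incident_reported=True, consented_parties=frozenset({"insurer"}))
    print("single key:", single_key_disclose(SAMPLE_RECORD, holds_key=True))
    print("insurer, no incident:", scoped_disclose(SAMPLE_RECORD, "insurer", Context()))
    print("insurer, after crash:", scoped_disclose(SAMPLE_RECORD, "insurer", after_crash))
    print("police, after crash:", scoped_disclose(SAMPLE_RECORD, "police", after_crash))
```

    The point of the two disclosure functions side by side: with a single key, the conflict between manufacturer and insurer can only be settled by deciding who gets the key, whereas with per-party rules a new regulation or a new partner is a change to POLICY, not to the vehicle's firmware, which is exactly the "re-configure instead of re-code" agility the post argues for.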



  • Oct 20, 2015: Next Generation Cyber Security
    The digital transformation marks the beginning of an age in which practically every aspect of our lives comes into contact with information technology. Cyberattacks and the risks associated with them have become a fixed part of this age. Nevertheless seizing the opportunities of the digital economy, assessing digital risks correctly and reducing them to a sensible level requires new approaches: Next Generation Cyber Security. This dialogue event offers you the opportunity to spend a day with creative thought leaders and jointly develop a defence strategy that supports, rather than restricts, your company's agility.

  • Executive View: Unify Identity Broker V5.0 - 71300

    by Graham Williamson

    In today’s environment, with so many demands on identity information, an advanced identity provider service is required that can integrate disparate technology and bridge mature identity management environments to the new requirements of Cloud services, mobile device management and the Internet of things.



  • Best Practice: European Identity Award 2015: dm-drogerie markt - 71400

    by Dave Kearns

    The European Identity Award 2015 for “Best IAM Project”: a strong example of an IAM solution encompassing not only the employees of the organization and its HQ, but also supporting a decentralized organization as well as the extended enterprise.



  • Leadership Compass: Secure Information Sharing - 72014

    by Graham Williamson

    In approaching the selection of a vendor for a secure information sharing solution it is important to take an information lifecycle approach whereby the processes around data generation, its transformation and classification, as well as data storage and data destruction, are well defined. This requires policy to be established to advise on the proper location of records, the ownership and the value of data, and for retention periods to be determined and documented. The focus needs to be on deriving value from data assets, which means ensuring data quality, improving the communication of data and deleting data when it is no longer required.

    Solutions to the management of access to shared data are diverse. Each of the products featured in this Leadership Compass is different and takes a unique approach to the task of secure information sharing.



  • Executive View: neXus Dynamic Identity Platform - 70861

    by Alexei Balaganski

    neXus Dynamic Identity Platform is a complete identity lifecycle solution that unifies physical and digital access for a broad range of supported identity types, authentication standards, and communication protocols.



  • Sep 24, 2015: New WAN Infrastructures for Secure Cloud Enablement
    The Internet has revolutionized entire industries and business models and, beyond that, fundamentally changed the way we work. Workflows and business activities that grew over decades have been overturned within a very short time. Companies are increasingly opening up to the advantages of cloud applications such as Office 365, Salesforce, etc. However, they often find that the WAN infrastructure has to be upgraded first.

  • Sep 15, 2015: The Customer Experience at the Center: Consumer Focused Identity Management
    Over the past five years, the needs of companies regarding access to critical applications and the security of customer identities have changed significantly. Increasingly networked customers, who engage in new ways across different channels, blur the boundaries of customer interaction. This new customer behaviour now forces marketing departments and business units to work closely with those responsible for IAM: together they must find a suitable solution that supports the company in creating, maintaining and optimizing customer relationships.

  • Amazon enters another market with their API Gateway

    by Alexei Balaganski

    What a surprising coincidence: on the same day we were preparing our Leadership Compass on API Security Management for publication, Amazon announced their own managed service for creating, publishing and securing APIs – Amazon API Gateway. Well, it’s already too late to make changes in our Leadership Compass, but the new service is still worth having a look at, hence this blog post.

    Typically for Amazon, the solution is fully managed and based on AWS cloud infrastructure, meaning that there is no need to set up any physical or virtual machines or configure resources. The solution is tightly integrated with many other AWS services and is built directly into the central AWS console, so you can start creating or publishing APIs in minutes. If you already have existing backend services running on AWS infrastructure, such as EC2 or RDS, you can expose them to the world as APIs literally with a few mouse clicks. Even more compelling is the possibility to use AWS Lambda service to create completely managed “serverless” APIs without any need to worry about resource allocation or scaling.

    In fact, this seems to be the primary focus of the solution. Although it is possible to manage external API endpoints, this is only mentioned in passing in the announcement: the main reason for releasing the service seems to be providing a native API management solution for AWS customers, who until now had to manage their APIs themselves or rely on third-party solutions.

    Again typically for Amazon, the solution they delivered is a lean and no-frills service without all the fancy features of an enterprise API gateway. In return, since it is based on the existing AWS infrastructure and heavily integrates with other well-known services from Amazon, it comes with guaranteed scalability and performance, an extremely low learning curve and, of course, low prices.

    For API traffic management, Amazon CloudFront is used, with a special API caching mechanism added for increased performance. This ensures high scalability and availability for the APIs, as well as a reasonable level of network security such as SSL encryption or DDoS protection. API transformation capabilities, however, are pretty basic: only XML to JSON conversion is supported.

    To authorize access to APIs, the service integrates with AWS Identity and Access Management, as well as with Amazon Cognito, providing the same IAM capabilities that are available to other AWS services. Again, the gateway provides basic support for OAuth and OpenID Connect, but lacks the broad support for authentication methods typical for enterprise-grade solutions.

    Analytics capabilities are provided by Amazon CloudWatch service, meaning that all API statistics are available in the same console as all other AWS services.

    There seems to be no developer portal functionality provided with the service at the moment. Although it is possible to create API keys for third-party developers, there is no self-service for that. In this regard, the service does not seem to be very suitable for public APIs.

    To summarize it, Amazon API Gateway is definitely not a competitor for existing enterprise API gateways like products from CA Technologies, Axway or Forum Systems. However, as a native replacement for third-party managed services (3scale, for example), it has a lot of potential and, with Amazon’s aggressive pricing policies, it may very well threaten their market positions.

    Currently, Amazon API Gateway is available in selected AWS regions, so it’s possible to start testing it today. According to the first reports from developers, there are still some kinks to iron out before the service becomes truly usable, but I’m pretty sure that it will quickly become popular among existing AWS customers and may even be a deciding factor for companies to finally move their backend services to the cloud (Amazon cloud, of course).



  • Leadership Compass: Access Control / Governance for SAP environments - 71104

    by Matthias Reinwarth

    This report provides an overview and analysis of the market for Access Control & Access Governance Solutions for SAP environments. By adding the right Access Control components to their SAP infrastructure, organizations can significantly improve enterprise risk management and corporate compliance with applicable laws and regulations. This report provides you with a compass to help you to find the Governance solution for SAP that best meets your needs.



  • Leadership Compass: API Security Management - 70958

    by Alexei Balaganski

    This report provides an analysis of the market for API Management solutions with a strong focus on security features. Rapidly growing demand for publishing and consuming APIs, which creates new business models and communication channels, has introduced new security challenges. This Leadership Compass helps you find the best solution that addresses your requirements, while maintaining the highest level of security and threat protection.



  • Oct 15, 2015: Universal SSO: Strategies & Standards for Single Sign-on Across Web and Native Applications
    Many organizations have had some form of Web Access Management solution deployed for years. Whether this is pure-play Web Access Management, providing Web Single Sign-On capabilities and coarse-grain Access Management, or more advanced technology including Web Application Firewall functionality, one target is to manage access of employees and business partners to these applications.