A Good Day for US Cloud Service Providers. And for Their Customers.
by Martin Kuppinger
Back in 2014, a US court decision ordered Microsoft to turn over a customer’s emails stored in Ireland to a US government agency. The order had been temporarily suspended from taking effect to allow Microsoft time to appeal to the 2nd US Circuit Court of Appeals.
I wrote a post on that issue back then and described the pending decision as a Sword of Damocles hanging over all of the US Cloud Service Providers (CSPs). While that decision raised massive awareness in the press back then, the news that hit my desk a few days ago didn’t get much attention: in the so-called “search warrant case”, the 2nd US Circuit Court of Appeals ruled in favor of Microsoft, overturning the earlier ruling of the lower court.
The blog post Brad Smith, President and Chief Legal Officer at Microsoft, published is very well worth reading, particularly the part about the support Microsoft has experienced from other parties and the section that points out that legislation needs to be updated to reflect the world that exists today. The latter is currently on its way in the EU, with the upcoming EU GDPR, which becomes effective in 2018.
From the perspective of US CSPs and their customers, the court decision is definitely good news. Despite the fact that it is “only” a court decision, which can still be appealed or superseded by new legislation, and updated legislation is still missing, it mitigates some of the risk that EU customers in particular, but also, e.g., APAC customers, perceived when relying on US CSPs. This helps US CSPs with their business, by removing barriers to rapid cloud adoption. It helps customers, because the risk of data held in non-US data centers being requested by US governmental agencies is reduced significantly. So it is no longer a Sword of Damocles hanging over them. Maybe it is still a knife, so to speak, but the risk is far lower now.
What I definitely find interesting to observe is the rather low attention the good news received. But that’s not too surprising. Bad news always sells better than good news.
The decision, from my perspective, can have a significant impact on further speeding up the shift of customers from on-premises solutions to the cloud. Most are on their way anyway, and each risk that is mitigated eases customers’ decisions. The next challenge to solve for US CSPs (and all other CSPs that do any business with the EU) will be to comply with the EU GDPR. But there at least we have the legislation and do not rise or fall with court decisions.
Executive View: IBM QRadar Security Intelligence Platform - 72515
by Alexei Balaganski
IBM QRadar Security Intelligence Platform provides a unified architecture that combines security information and event management (SIEM), real-time detection of advanced threats, attacks and breaches, forensic analysis and incident response, as well as automated regulatory compliance.
Executive View: Sophos Protection for Amazon Web Services - 71680
by Mike Small
Sophos UTM is a suite of integrated security applications that provides the same layered protection for applications and data hosted in the AWS cloud as for on-premises deployments. This report provides a review of the functionality provided by this set of products and an assessment of its strengths and challenges.
Blockchains go mainstream – IBM and Crédit Mutuel Arkéa blockchain implementation for KYC
by Martin Kuppinger
IBM and the French bank Crédit Mutuel Arkéa recently announced the completion of a blockchain project that helps the bank verify customer identities and remain compliant with KYC (Know Your Customer) requirements.
In contrast to the common, transaction-focused use cases for blockchain implementations, the focus in this case is on having a tamper-resistant, time-stamped ledger that supports the bank in identifying its 3.6 million customers. Banks, particularly those with many branch offices, typically run a variety of systems for managing customer identities.
With the blockchain implementation based on IBM technology and the open-source Hyperledger project, the bank has built a solution that federates information from various existing banking systems and delivers a (logically) centralized ledger that supports its consistency, traceability, and privacy requirements.
Blockchains are by nature well suited for such use cases, given that they create a tamper-resistant, time-stamped, and distributed ledger. In this implementation, a permissioned ledger is used, given that it is a bank-internal project that does not have to deal with the specific requirements of anonymous users and public use cases such as the Bitcoin blockchain. Note that in a permissioned ledger the tamper-resistance rests on the validating nodes being operated by parties that do not collude, rather than on an open consensus mechanism such as proof of work; this is acceptable for a bank-internal deployment, but it has to be reflected in the choice of who operates the nodes.
The ledger holds information about, e.g., all relevant identifying documents customers have signed with the bank. Thus, customers do not need to re-sign when using other services or visiting different branch offices. In addition, the bank gets a single, consistent view of the customer, which is relevant from both a compliance and a customer service perspective.
The project has been implemented in a rather short time. From my perspective, it is a great example of the breadth of use cases blockchains can serve. Blockchains will increasingly become a standard infrastructure element, as relational databases are today, and this particular project demonstrates that well. Crédit Mutuel Arkéa has further plans for expanding the capabilities, e.g. by providing verification services to third parties.
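To make the “tamper-resistant, time-stamped ledger” concrete, here is an added example of the core mechanism in Python. It is not IBM’s, Hyperledger’s or the bank’s code; the record fields, the use of SHA-256 as the link hash, the JSON canonicalisation and the single in-memory chain standing in for the nodes of a permissioned network are all assumptions made for illustration. Only a hash of each signed document is written to the ledger, the document itself stays in the branch system, which is how such a design keeps personal data off the shared ledger.

```python
"""Hash-chained, time-stamped KYC ledger (illustrative example, not the project's code)."""
import hashlib
import json
import time
from dataclasses import asdict, dataclass
from typing import List, Optional, Set, Tuple


def _canonical(obj) -> bytes:
    # Deterministic serialisation: every node must hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


@dataclass
class Entry:
    index: int
    timestamp: float
    customer_id: str
    document: str        # assumed label, e.g. "identity-card-scan"
    document_hash: str   # SHA-256 of the signed document kept off-ledger
    branch: str
    prev_hash: str       # link to the previous entry; this is what makes it a chain
    hash: str = ""

    def compute_hash(self) -> str:
        body = asdict(self)
        body.pop("hash")
        return hashlib.sha256(_canonical(body)).hexdigest()


class KycLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, customer_id: str, document: str, document_bytes: bytes,
               branch: str, ts: Optional[float] = None) -> Entry:
        """Append a record of a document the customer signed at a branch."""
        prev = self.entries[-1].hash if self.entries else self.GENESIS
        entry = Entry(
            index=len(self.entries),
            timestamp=ts if ts is not None else time.time(),
            customer_id=customer_id,
            document=document,
            document_hash=hashlib.sha256(document_bytes).hexdigest(),
            branch=branch,
            prev_hash=prev,
        )
        entry.hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Re-walk the chain. Returns (ok, index of the first bad entry or None).

        Detects a modified field (hash mismatch), a re-hashed entry whose
        successor still points at the old hash (link mismatch), and a
        timestamp that runs backwards (time-stamping violated).
        """
        prev_hash, prev_ts = self.GENESIS, float("-inf")
        for e in self.entries:
            if e.prev_hash != prev_hash or e.hash != e.compute_hash() or e.timestamp < prev_ts:
                return False, e.index
            prev_hash, prev_ts = e.hash, e.timestamp
        return True, None

    def documents_for(self, customer_id: str) -> Set[str]:
        """What has this customer already signed, across all branches?"""
        return {e.document for e in self.entries if e.customer_id == customer_id}


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    ledger = KycLedger()
    ledger.append("C-1", "identity-card-scan", b"scan bytes", "branch-A", ts=1000.0)
    ledger.append("C-1", "account-terms-v3", b"terms bytes", "branch-B", ts=1001.0)
    print(ledger.verify(), ledger.documents_for("C-1"))
    ledger.entries[0].branch = "branch-Z"  # an after-the-fact edit
    print(ledger.verify())
```

In the real deployment every validating node holds a copy and re-runs the equivalent of `verify()` on each new block; the hash chain makes any later alteration detectable, while the consensus model and the distribution of nodes across non-colluding operators are what stop a single party from rewriting and re-hashing the whole chain.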
I strongly recommend analyzing the potential of blockchains for your business. There are many interesting use cases in virtually every industry. Blockchains will not solve everything, and it takes a thorough understanding of blockchain technology to identify the right blockchain type with the appropriate consensus model, depending on the use cases and specific requirements. But clearly, there are far more use cases for blockchains than just cryptocurrency and smart contracts. Start analyzing the business potential of blockchains now. There is plenty of KuppingerCole research available, with a number of new reports to be published within the next few days, and you can also rely on KuppingerCole advisory services when starting to look at blockchains.
Advisory Note: Blockchains and Risk - 71608
by Mike Small
A blockchain is a data structure, originally used by bitcoin, that maintains a growing list of transaction records in a way that is extremely resistant to tampering. This technology is seen by many as the basis for creating distributed ledgers for a wide range of applications. This report considers the risks associated with the use of this technology and recommends an approach to managing these risks.
Advisory Note: The Disruptive Potential of Blockchains in IoT Security - 71612
by Ivan Niccolai
Blockchains can offer many solutions to the security concerns currently limiting the growth of the Internet of Things (IoT). Blockchains, combined with other decentralised, peer-to-peer technologies, can improve IoT security by enabling authenticity and integrity assurance of connected things, scalable management of connected devices, and secure information transmission.
Advisory Note: Blockchains and Cybersecurity - 71603
by Ivan Niccolai
From trusted third parties to algorithmic consensus: new cybersecurity opportunities and challenges with blockchains. Blockchains can provide distributed and decentralised improvements to the merely distributed critical systems the internet depends on today, but we cannot yet completely replace trusted third parties and human judgement with algorithms.
Executive View: SailPoint IdentityIQ - 71319
by Christian Himmer
SailPoint IdentityIQ is one of the leading products in the emerging market for Identity and Access Governance. The governance-based approach centralizes visibility and compliance, and minimizes risk by applying controls across all IAM services geared towards business users. SailPoint continues to expand its library of connectors and its integration with Mobile Device Management tools and cloud environments.
Executive View: IBM Privileged Identity Manager - 71557
by Ivan Niccolai
IBM’s Security Privileged Identity Manager is an across-the-board Privilege Management solution which protects, automates and audits the use of privileged identities and resources across the extended enterprise, including cloud environments. It stands out from competitors for its fine-grained database privilege management capabilities and well-designed administrator endpoint monitoring.
Oct 18, 2016: The Future of Data-Centric Security
Business boundaries are dissolving as the ability to share information improves. For example, in agile and collaborative working environments, information has to be shared efficiently and securely between various internal and external business partners, mainly via cloud services and with mobile devices. This requires extensive access to what is often critical content, stored in well-protected databases. Sharing then presents a challenge: How can sensitive data be masked from people who are not permitted to see it and deliver it securely to those who are? And how can this be done dynamically, by removing access if necessary in real-time if user authorization rapidly changes?
GDPR and the post-Brexit UK
by Matthias Reinwarth
The Brexit leave vote will have a substantial influence on the economy inside and outside of the UK. But the impact will be even greater on UK-based, and also on EU-based and even non-EU-based, organisations, potentially posing a major threat to various aspects of their business. Especially from the perspective of data protection, security and privacy, the future of data protection legislation within the UK will be of great interest.
When asked for his professional view as a lawyer, our fellow analyst Dr. Karsten Kinast replied with the following statement:
"On the 23rd June, UK carried out a referendum to vote about UK´s EU membership. About 52% of the participants voted for leaving the EU. The process of withdrawal from the EU will have to be done according to Art. 50 of the Treaty on the European Union and will take about two years until the process is completed.
The withdrawal of the UK´s membership will also have an impact on data protection rules. First of all, the GDPR will enter into force on the 25th May 2018, so that by this time, the UK will still be in process to leave the EU. This means that UK businesses will have to prepare and be compliant with the GDPR.
Additionally, if UK businesses trade in the EU, a similar framework to that of the GDPR will be required in order to carry out data transfers within the EU member states. The British DPA, ICO, published a statement regarding the existing data protection framework in the UK. According to ICO, 'if the UK wants to trade with the Single Market on equal terms we would have to prove adequacy – in other words UK data protection standards would have to be equivalent to the EU's General Data Protection Regulation framework starting in 2018'.
Currently, the GDPR is the reference in terms of data protection and organizations will have to prepare to be compliant and, even if the GDPR is not applicable to UK, a similar framework should be in place by the time the GDPR enters into force."
So it is appropriate to distinguish between the phase before the UK actually leaves the EU and the time afterwards. In the former phase, starting right now, EU legislation will still apply, so in the short term organisations are probably well advised to follow all the steps required to be compliant with the GDPR as planned anyway. With the currently surfacing reluctance of the British government to actually initiate the Art. 50 process according to the Lisbon treaty, by delaying the leave notification until October, this first phase might even take longer than initially expected. And we will most likely see the UK still being subject to the GDPR as it comes into effect in May 2018, before the actual exit.
For the phase after the actual exiting process the situation is yet unclear. What does that mean for organisations doing business in and with the UK as soon as GDPR is in full effect?
- In case they are UK-based and are only acting locally we expect them to be subject to just the data protection regulations as defined in Britain after the exit process. But any business with the EU will make them subject to the GDPR.
- In case they are based in the EU they are subject to the GDPR anyway. In that case they have to be compliant with the rigid regulations as laid out in the EU data protection regulation.
- In case they are based outside of the EU but are doing business with the EU as well, they are again subject to the GDPR.
- We expect the number of companies outside the EU doing business only with a post-Brexit UK (i.e. not with the EU at all) to be limited or minimal. Those would have to comply with the data protection regulations as defined in Britain after the exit process.
Reliable facts for the post-Brexit era are not yet available. Nevertheless, CEOs and CIOs of commercial organisations have to make well-informed decisions and need to be fully prepared for the results of those decisions. An adequate approach in our opinion can only be a risk-based approach: organisations have to assess the risks they are facing in case of not being compliant with the GDPR within their individual markets, and they have to identify which mitigating measures are required to reduce or eliminate that risk. If there is any advice possible at this early stage, it still remains the same as given in my previous blog post: organisations have to understand the GDPR as the common denominator for data protection, security and privacy within the EU and outside the EU for the future, starting right now and effective by May 2018 at the latest. Just as Karsten concluded in the quote cited above: to facilitate trading in the common market, the UK will have to provide a framework similar to the GDPR and acceptable to the EU.
So any organisation that has already embarked on its journey of implementing processes and technologies to maintain compliance with all requirements as defined by the GDPR should strategically continue doing so, to maintain an appropriate level of compliance by May 2018, no matter whether inside or outside the UK. Organisations that have not yet started preparing for an improved level of security, data protection and privacy (and there are still quite a lot, in the UK as well, as recent surveys have concluded) should consider starting to do so today, with the fulfilment of the requirements of the GDPR, adapted to the individual business model, as their main goal.
We expect stable compliance to the regulations as set forth in the GDPR as a key challenge and an essential requirement for any organisation in the future, no matter whether in the EU, in the UK or outside of Europe. Being a player in a global economy and even more so in the EU single market mandates compliance to the GDPR.
Sep 22, 2016: Identity and Access Management Crash Course
Identity & Access Management (IAM) is one of the core disciplines in IT and as such it is getting more and more important. Reaching far beyond its traditional scope of managing employees' access to information stored inside the perimeter, IAM nowadays has to integrate cloud access on the one hand, and has to include the customer on the other, instead of just managing employee access.
Executive View: Auth0 Authentication Service - 71325
by Graham Williamson
A perennial problem for programmers is the need to authenticate users. In some cases, there is no infrastructure to support access control and in many cases there is no single identity repository of user data to be used as an authentication source. In a federated environment there are multiple identity providers to accommodate and problems are compounded when members of the public are accessing applications with varying levels of assurance. Auth0 is a service that can help.
Managing the customer journey
by Matthias Reinwarth
Every one of us, whether a security professional or not, is also a part-time online customer or a subscriber of digital services. Providing personal information to a service organisation, to a social media platform or a retailer is a deliberate act. This will be even more the case with the upcoming GDPR being in full effect soon. Ideally the disclosure of potentially sensitive information should always lead to a win-win-situation with both directly involved parties, the customer and the provider of services benefiting from information provided by the end user.
So organisations need to make sure that customer information is managed with the utmost diligence, to the benefit of both the customer and the organisation. That means that the customer identity has to be put at the centre of all processes. And organisations need to understand that there are more sources available within (and outside of) the organisation where information about a single customer is available, providing social, behavioural, interest, transactional and much more data, including historical data. Combining and consolidating this data into a single unified customer profile while maintaining scalability, security and compliance is most probably one of the essential challenges organisations will have to solve in the future.
Customers interacting with a service provider or any other internet-facing organisation typically start with a registration process, either from scratch by creating a new account or by reusing and complementing existing third-party account information, e.g. from social logins. From that moment on they are interacting with the system and thus implicitly provide a constant flow of information through their behaviour. But Customer Identity and Access Management strategically goes far beyond that. Information about a single specific customer might already be available in the enterprise CRM system, providing in-depth insight into former interactions, e.g. with the helpdesk. Previous purchases or subscriptions will be documented in their respective systems, and more information might be available in the enterprise IAM system (especially when the organisation needs to understand that a customer is also an employee) or the corporate ERP system.
These types of information are valuable when it comes to understanding the customer identity as a whole. The actual task of retrieving and leveraging this information should not be underestimated: in many organisations these different systems are run by different teams and different parts of the organisation, and this often leads to so-called information silos. Getting to a unified customer profile necessarily requires breaking down the barriers between those organisational and technical silos. Cross-organisational and cross-functional teams are typically required to consolidate the information already available within a single enterprise. Aligning different sources of information and different semantics, resulting from different business purposes, to get to a meaningful pool of consumer profiles requires expertise from various teams.
After having done their “homework” (by exploiting their already existing knowledge about each customer identity), many organisations are also looking into integrating information available from third parties, which means data sources outside of the organisation. Potential sources are manifold: they range from social media (Facebook, Twitter, Google+ and many others, including regional and special-interest social media services) and the reuse of profile data (including likes, recommendations, comments) to sources of commercial marketing data, and from existing Open Data sources to credit rating organisations.
When it comes to comparing effort and benefit, it becomes obvious that greedily collecting each and every piece of information available cannot be effective. Identifying the right set of information for the right business purpose is one of the major challenges. Having the right information available for the end user, to improve their user experience, and for the organisation, to support decision-making processes, has to be the key objective. Nevertheless, the definition of an adequate set of “right” information is a moving target that needs to be adjusted during the lifetime of a customer identity and the underlying CIAM system.
However, it must be ensured that the reuse of all the above-mentioned information is only possible when the owner of this data, i.e. the customer, has agreed to this processing of the information for additional purposes. User consent is key when it comes to recombining and analysing existing information.
Know and Serve Your Customer: Why KYC is not enough
by Martin Kuppinger
Today’s connected businesses need to communicate, collaborate and interact with their customers in a way that’s more flexible than ever before. Knowing and, based on that knowledge, optimally serving the customer is key to success in the Digital transformation.
Customer-facing IAM needed
With the accelerating digital transformation, we delve deeper into the subject of customer identity management than ever before. Several external drivers change economic partnerships, such as a different competitive landscape, ever-changing regulation and, at the same time, an increasing number of cyber-attacks. There are also internal drivers such as the need for more agile, innovative and flexible organizations. Both internal and external drivers are encompassed in overarching core topics like smart manufacturing, the Internet of Things (IoT) and Know Your Customer (KYC). To be successful in the digital transformation we need to change the way we interact with our customers. For this we need to deploy a range of key enabling technologies, from identity relationship management, security and privacy and big data right up to blockchains and distributed ledgers.
In order to gain a competitive advantage, we also have to improve our customer relationships and the way we handle data. We need to be able to deal with customers and their identities better than ever before. In the cloud era, advantages can no longer be gained simply through better IT and lower costs: the cloud delivers equal services to everyone at an affordable price.
What’s needed is a customer-facing IAM (Identity & Access Management). While companies were traditionally only looking at employees and some external business partners in their IAM deployments, with a focus on administrative efficiency and compliance, in recent times federation and the management of partners became more and more important as a B2B element. Now, finally, the customers play a role as well. And they should, obviously, given that the customer is where the money comes from. There are also, e.g., e-commerce processes that have to be supported. In the future, we need to take all of these into focus. How can we, for instance, serve the customer better and more safely in the cloud? How can we deal with the customer amid ever-changing business partnerships and in new business models?
Besides cloud services and the access to them, we also need to manage mobile devices such as computers, tablets, smartphones and wearables, as well as logins to social networks and, last but definitely not least, IoT and operational technology (OT) in manufacturing environments. We also need ways to protect the ownership of customer data. This requires the further development and perfection of identity relationship management (IRM) as one important element. In a sense this is the advancement of IAM in the digital context. How can I still steer and control access in this much more complex world?
Holistic look at identity
Identity Relationship Management (IRM) means having a single identity model across different identities, from employees, customers and partners to services, things and devices. It needs to be scalable internet-wide, not only at an enterprise dimension. Most companies have many more customers than employees, and customers often use a number of different devices. This means different orders of magnitude and thus different performance and scalability requirements. The people responsible for CRM (Customer Relationship Management) need to see their system in the context of IAM, since it is the biggest identity store in most companies and provides the whole customer history. This is actually a point I already wrote about ten years ago. Other IAM sources are, for instance, ERP, Finance (credit history) and Governance. We need to add and understand context information, social logins and access paths. What is really happening there? What does the customer look like and how can he get access? Is he at the same time an employee of the company? Are there any conflicts arising out of this, e.g. when employees manage their own customer data sets?
Instead of information silos, a cross-system approach for IAM is necessary, along with an improved customer experience, faster time to market and context-sensitive, adaptive security measures. If someone wants to get access via a relatively weak social login, a different risk evaluation is needed than if she or he authenticates via a registered account or an ID card. We need to understand the respective risk and context and adapt our evaluations accordingly. The more information we have, the more precise each risk evaluation will be.
Daily breaches show that passwords are not enough anymore, especially not the same password across various services. However, access has to remain user-friendly to be accepted by customers. One useful additional security feature could be, for example, adaptive push authentication and notification. A new KuppingerCole Webinar provides more information about this method (in German).
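The adaptive evaluation described above, weighing the strength of the login method against the risk of the context and asking for a step-up such as push authentication only when the action requires it, is shown here as an added example in Python. It is not KuppingerCole’s or any vendor’s code; the assurance scores per method, the risk weights per context signal, the per-action thresholds and the rule that anonymising networks and impossible travel are never rescued by a step-up are assumptions chosen for illustration, not values taken from the text.

```python
"""Adaptive, context-aware access evaluation (illustrative example, not a product's logic)."""
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed assurance contributed by each authentication method (higher = stronger).
METHOD_ASSURANCE = {
    "social_login": 1,             # the "relatively weak social login"
    "password": 2,
    "registered_account_otp": 3,   # registered account with a one-time code
    "push": 3,                     # push authentication to an enrolled device
    "eid_card": 4,                 # government ID card based login
}

# Assumed risk weight of each context signal observed at login time.
CONTEXT_RISK = {
    "new_device": 1,
    "unusual_geo": 2,
    "tor_or_anonymising_proxy": 3,
    "impossible_travel": 3,
}

# Assumed minimum assurance an action needs.
REQUIRED_ASSURANCE = {
    "view_catalogue": 1,
    "view_profile": 2,
    "change_payment_details": 4,
}

# Signals for which no step-up should rescue the session.
HARD_DENY_SIGNALS = {"tor_or_anonymising_proxy", "impossible_travel"}

# Step-up methods offered, most user-friendly first.
STEP_UP_ORDER = ("push", "eid_card")


@dataclass
class LoginContext:
    method: str
    signals: List[str] = field(default_factory=list)


@dataclass
class Decision:
    outcome: str                     # "allow", "step_up" or "deny"
    effective_assurance: int
    required: int
    step_up_with: Optional[str] = None
    reason: str = ""


def evaluate(action: str, ctx: LoginContext) -> Decision:
    """Decide whether the current session may perform `action`."""
    if ctx.method not in METHOD_ASSURANCE or action not in REQUIRED_ASSURANCE:
        raise ValueError("unknown authentication method or action")
    unknown = [s for s in ctx.signals if s not in CONTEXT_RISK]
    if unknown:
        raise ValueError("unknown context signals: %s" % unknown)

    # Context risk lowers the assurance the login method would otherwise give.
    risk = sum(CONTEXT_RISK[s] for s in ctx.signals)
    effective = METHOD_ASSURANCE[ctx.method] - risk
    required = REQUIRED_ASSURANCE[action]

    if effective >= required:
        return Decision("allow", effective, required, reason="assurance meets requirement")

    if HARD_DENY_SIGNALS & set(ctx.signals):
        return Decision("deny", effective, required,
                        reason="high-risk signal present; step-up not offered")

    # Offer the weakest additional factor that closes the gap; a second factor adds
    # to the assurance already achieved, and the method already used is not re-offered.
    for method in STEP_UP_ORDER:
        if method != ctx.method and effective + METHOD_ASSURANCE[method] >= required:
            return Decision("step_up", effective, required, step_up_with=method,
                            reason="additional factor required for this action")

    return Decision("deny", effective, required, reason="no available step-up closes the gap")


if __name__ == "__main__":
    # Constructed sample sessions, not real traffic.
    print(evaluate("view_catalogue", LoginContext("social_login")))
    print(evaluate("view_profile", LoginContext("social_login")))
    print(evaluate("change_payment_details", LoginContext("password", ["new_device"])))
    print(evaluate("change_payment_details", LoginContext("social_login", ["new_device", "unusual_geo"])))
    print(evaluate("view_profile", LoginContext("registered_account_otp", ["tor_or_anonymising_proxy"])))
```

The design point is that the same social login is fine for browsing, triggers a push step-up for viewing the profile, and is simply denied for changing payment details from a new device in an unusual location: the friction scales with the risk of the action and the context, rather than being imposed on every login.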
KYC goes beyond CIAM
How can you know and optimally serve your customer during the whole lifecycle? Important elements here are customer self-service and the integration of customer data. KYC (Know Your Customer) goes even further than CIAM (Customer Identity & Access Management). It encompasses Customer Tracking & Marketing Automation as well as Analytics (Big Data) and Privacy & Information Protection. The customer needs to give his consent about what is being done with his data and for which reason it might be used, and he must be able to withdraw this consent at any time. This brings the concept of Life Management Platforms closer to reality than ever before.
KYC can best be seen as the intersection between CRM (and Marketing automation), IAM and Privacy, i.e. the marketing view of the customer, the technical or identity view of the customer and the (not only) legal perspective. Active interaction plays an important role here as well as governance. The question is: Who in the company may do what in which form with the customer? Drivers of this development are compliance topics such as anti-money laundering (AML). Technologies such as IRM are really helpful in this context to understand how different identities are connected to each other.
The term KYC is also not really accurate, since it is not only about knowing the customer, but also about optimally serving him. Thus I’d prefer the term KSYC, Know & Serve Your Customer, an appropriate evolutionary step for CRM. If enterprises in addition finally start looking at their employees as a special kind of customer, one who is granted access to more applications than others, it will improve enterprise IAM as well, bring different business divisions smoothly under one roof and help get rid of unnecessary discussions about special applications for the management of consumer identities.