KuppingerCole
KuppingerCole News

  • Lean, Intelligent IAM Processes for the ABC - Agile, Business, Connected
    The constantly accelerating pace of change in today's businesses and their requirements influence all types of organizations, their business and operational processes and the underlying IT. Keeping up to speed with agile, innovative businesses and their requirements increases the demand for intelligent IAM processes.



  • Jun 02, 2015: Ground Control to Major CRO: Is Identity Governance a risky experience?
    In today’s fast changing world the digitalization of businesses is essential to keep pace. The new ABC – Agile Businesses Connected – is the new paradigm organizations must follow. They must connect to their customers, partners and associates. They must become agile to respond to the changing needs of the market. They must understand, manage, and mitigate the risks in this connected world. One important aspect of this is the governance of the ever-increasing number of identities – customers, things, together with their access.

  • Executive View: Avencis SSOX - 71065

    by Alexei Balaganski

    Avencis SSOX is an Enterprise Single Sign-On solution with a focus on flexible strong authentication and mobile device support. Combined with Avencis’ own IAM platform, it provides a foundation for a long-term Identity and Access Management strategy for any organization.



  • Enabling Cloud Governance
    While many organisations have good governance over their on-premise identity and access management environment, with authentication monitoring and attestation reporting, this too often gets relegated to the “too-hard” basket when it comes time to migrate to Cloud services.



  • External IAM & Your CRM - A Winning Combination
    Identity and Access Management (IAM) projects have the notorious reputation of being complex, time-consuming and expensive. Fresh thinking and new approaches are now changing how IAM solutions are being deployed so that you can enable revenue generating services faster than ever. One of these advances is the ability to integrate your IAM solution with your CRM – leveraging your customer and partner data as a powerful component of your IAM strategy. To learn more about the technology and the business benefits, we invite you to join our upcoming webinar.



  • Executive View: Dell One Identity Cloud Access Manager - 71250

    by Martin Kuppinger

    Dell One Identity Cloud Access Manager is an on-premise solution for Identity Federation and Web Access Management, enabling both business users to seamlessly access cloud services and external users to connect to internal, web-based applications.



  • Executive View: AirWatch and Bring Your Own Device (BYOD) - 71259

    by Alexei Balaganski

    AirWatch enterprise mobility management platform provides an integrated combination of technology, support and certification services to address every organization’s unique requirements for implementing a viable Bring Your Own Device strategy.



  • Risk-based Realtime Security Intelligence: Prime Time for the Next Generation of IAM Solutions

    in European Identity and Cloud Conference

    The days of old-school IAM (Identity and Access Management) and IAG (Identity and Access Governance) are numbered. Strong innovations are paving the way for Risk-based Realtime Security Intelligence. Join Martin Kuppinger for his groundbreaking talk at EIC 2015.



  • Redesigning access controls for IAM deployments?

    by Martin Kuppinger

    A few weeks ago I read an article in Network World, entitled “A common theme in identity and access management failure: lack of Active Directory optimization”. Essentially, it is about the fact that Microsoft Active Directory (AD) commonly needs some redesign when starting an IAM (Identity and Access Management) project. Maybe yes, and maybe no.

    In fact, it is common that immature, chaotic, or even “too mature” (e.g. many years of administrative work leaving their traces with no one cleaning up) access control approaches in target systems impose a challenge when connecting them to an IAM (and Governance) system. However, there are two points to consider:

    1. This is not restricted to AD, it applies to any target system.
    2. It must not be allowed to lead to failures in your IAM deployment.

    I have frequently seen this issue with SAP environments, unless they already have undergone a restructuring, e.g. when implementing SAP Access Control (formerly SAP GRC Access Control). In fact, the more complex the target system and the older it is, the more likely it is that the structure of access controls, be they roles or groups or whatever, is anything but perfect.

    There is no doubt that redesign of the security model is a must in such situations. The question is just about “when” this should happen (as Jonathan Sander, the author of the article mentioned above, also states). In fact, if we waited for all these security models to be redesigned, we would probably never see an IAM program succeed. Some of these redesign projects take years – and some (think about mainframe environments) will probably never take place. Redesigning the security model of an AD or an SAP environment is a quite complex project by itself, despite all the tools supporting this.

    Thus, organizations typically will have to decide about the order of projects. Should they push their IAM initiative or do the groundwork first? There is no single correct answer to that question. Frequently, IAM projects are so much under pressure that they have to run first.

    However, this must not end in the nightmare of a failing project. The main success factor for dealing with these situations is having a well thought-out interface between the target systems and the IAM infrastructure for exposing entitlements from the target systems to IAM. At the IAM level, there must be a concept of roles (or at least a well thought-out concept for grouping entitlements). And there must be a clear definition of what is exposed from target systems to the IAM system. That is quite easy for well-structured target systems, where, for instance, only global groups from AD or business roles from SAP might become exposed, becoming the smallest unit of entitlements within IAM. These might appear as “system roles” or “system-level roles” (or whatever term you choose) in IAM.

    Without that ideal security model in the target systems, there might not be that single level of entitlements that will become exposed to the IAM environment (and I’m talking about requests, not about the detailed analysis as part of Entitlement & Access Governance which might include lower levels of entitlements in the target systems). There are two ways to solve that issue:

    1. Define these entitlements, i.e. global groups, SAP business roles, etc., first as an additional element in the target system, map them to IAM, and then start the redesign of the underlying infrastructure later on.
    2. Or accept the current structure and invest more in mapping system roles (or whatever term you use) to the higher levels of entitlements, such as IT-functional roles and business roles (not to be confused with SAP business roles), in your IAM environment.

    Both approaches work and, from my experience, if you understand the challenge and put your focus on the interface, you will quickly be able to identify the best way to handle the challenge of executing your IAM program while still having to redesign the security model of target systems later on. In both cases, you will need a good understanding of the IAM-level security model (roles etc.) and you need to enforce this model rigidly – no exceptions here.



  • Executive View: Imprivata OneSign - 70915

    by Alexei Balaganski

    Imprivata OneSign® is an integrated authentication and access management solution with a strong focus on the healthcare sector. It provides fast and secure access to workstations, virtual desktops and applications by combining strong authentication with Enterprise Single Sign-On (E-SSO).



  • Executive View: BeyondTrust PowerBroker Auditor Suite - 70891

    by Alexei Balaganski

    The BeyondTrust PowerBroker Auditor Suite is a set of auditing tools for Windows environments. Together, these tools provide unified real-time visibility and an audit trail for access and changes to file systems, SQL Server, Exchange and Active Directory.



  • Executive View: Imprivata OneSign - 70915

    by Alexei Balaganski

    Imprivata OneSign® is an integrated authentication and access management solution with a clear focus on healthcare. It provides fast and secure access to workstations, virtual desktops and applications by combining the advantages of strong authentication with Enterprise Single Sign-On.



  • Make your Enterprise Applications Ready for Customers and Mobile Users
    Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting lightweight RESTful APIs to expose their existing enterprise services and corporate data to external consumers. Unfortunately, many organizations tend to underestimate potential security challenges of opening up their APIs without a proper security strategy and infrastructure in place.



  • Monitor Your Cloud Administrators and Managed Service Operators – Avoid Privilege Abuse and Fraud
    Both the use of cloud services and the outsourcing of services to MSPs (Managed Service Providers) are on the rise. Managing cloud services, or opening on-premise, hybrid, and external services for management by external operators, requires the ability to control access to these services, particularly privileged operator and administrator access. Who can manage your cloud services, particularly the ones that offer just one shared administrative account? And who controls the access of external operators to your services?



  • The New Meaning of “Hacking your TV”

    by Alexei Balaganski

    After a long list of high-profile security breaches that culminated in the widely publicized Sony Pictures Entertainment hack last November, everyone has gradually become used to this type of news. If anything, they only confirm what security experts have known for years: the struggle between hackers and corporate security teams is fundamentally asymmetrical. Regardless of its size and budget, no company is safe from such attacks, simply because a security team has to cover all possible attack vectors, while a hacker needs just a single overlooked one.

    Another important factor is the ongoing trend in the IT industry of rapidly growing interconnectivity and gradual erosion of network perimeters caused by adoption of cloud and mobile services, with trends such as “Industry 4.0”, i.e. connected manufacturing, and IoT with billions of connected devices adding to this erosion. All this makes protecting sensitive corporate data increasingly difficult and this is why the focus of information security is now shifting from protecting the perimeter towards real-time security intelligence and early detection of insider threats within corporate networks. Firewalls still play a useful role in enterprise security infrastructures, but, to put it bluntly, the perimeter is dead.

    With that in mind, the latest news regarding a hack of the French television network TV5Monde last Wednesday looks even more remarkable. Apparently, not only were their web site and social media accounts taken over by hackers calling themselves “Cybercaliphate” and claiming allegiance to the Islamic State, they also managed to disrupt their TV broadcasting equipment for several hours. Political implications of the hack aside, the first thing in the article linked above that attracted my attention was the statement of the network’s director Yves Bigot: “At the moment, we’re trying to analyse what happened: how this very powerful cyber-attack could happen when we have extremely powerful and certified firewalls.”

    Now, we all know that analyzing and attributing a cyber-attack is a very difficult and time-consuming process, so it’s still too early to judge whether the attack was indeed carried out by a group of uneducated jihadists from a war-torn Middle-Eastern region or was the job of a hired professional team, but one thing that’s immediately clear is that it has nothing to do with firewalls. The technical details of the attack are still quite sparse, but according to this French-language publication, the hackers utilized a piece of malware written in Visual Basic to carry out their attack. In fact, it’s a variation of a known malware that is detected by many antivirus products, and its most probable delivery vectors could be an unpatched Java vulnerability or even an infected email message. Surely the hackers needed quite a long time to prepare their attack, but they are obviously not highly skilled technical specialists and were not even good enough at hiding their tracks.

    In fact, it would be completely safe to say that the only people to blame for the catastrophic results of the hack are TV5Monde’s own employees. After deploying their “extremely powerful firewalls” they seemingly didn’t pay much attention to protecting their networks from insider threats. According to this report, they went so far as to put sticky notes with passwords on walls and expose them on live TV!

    We can also assume with certain confidence that their other security practices were equally lax. For example, the fact that all their social media accounts were compromised simultaneously probably indicates that the same credentials were used for all of them (or at least that the segregation of duties principle isn’t a part of their security strategy). And, of course, complete disruption of their TV service is a clear indication that their broadcasting infrastructure simply wasn’t properly isolated from their corporate network.

    We will, of course, be waiting for additional details and new developments to be published, but it is already clear that the Sony hack apparently wasn’t as educational for TV5Monde as security experts had probably hoped. Well, some people just need to learn from their own mistakes. You, however, don't have to.

    The first thing every organization’s security team has to realize is that the days of perimeter security are over. The number of possible attack vectors on corporate infrastructure and data has increased dramatically, and the most critical ones (like compromised privileged accounts) actually operate from within the network. Combined with much stricter compliance regulations, this means that not having a solid information security strategy can have dramatic financial and legal consequences.

    For a quick overview of the top 10 security mistakes with potentially grave consequences, I recommend having a look at KuppingerCole’s appropriately titled Leadership Brief: 10 Security Mistakes That Every CISO Must Avoid, published just a few days ago. And of course, you’ll find much more information on our website in the form of research documents, blog posts and webinar recordings.