Best Practices for eGRC

Live Webcast: Join us as we identify the best practices for eGRC program implementation.

Securing Payments in 2015

On-Demand: Play now and learn how to implement EMV, end-to-end encryption (E2EE) and tokenization.

KuppingerCole News

  • Telcos & Innovation: A Contradiction?
    In European Identity and Cloud Conference

    Chema Alonso from Telefonica (Eleven Paths) will talk about Telefonica's innovative identity strategy, and then discuss it with his peers at Deutsche Telekom, Swisscom and Orange.

  • Executive View: IBM SoftLayer – Security and Assurance - 71281

    IBM SoftLayer provides infrastructure services direct to customers and is also the foundation for many of IBM’s cloud services such as BlueMix. The SoftLayer platform is able to provide “bare metal” access to computing resources resulting in high performance. This report provides an overview of the security and assurance aspects of these services.

  • Advisory Note: Top Cyber Threats - 71032

    Cyber threats are leaving large and well established businesses exposed to significant business risks, such as damage to brand and reputation, and large financial fines. This document discusses the most critical threats and the tactical countermeasures that can help organisations understand and counter these threats.  

  • Digital Risk Track Co-Moderation: Dr. Scott David LL.M, KuppingerCole Fellow Analyst
    In European Identity and Cloud Conference

    Together with Dr. Karsten Kinast LL.M, Scott David will moderate the Digital Risk Track at EIC 2015.

  • Digital Risk Track Co-Moderation: Dr. Karsten Kinast LL.M, KuppingerCole Fellow Analyst
    In European Identity and Cloud Conference

    Together with Dr. Scott David LL.M, Dr. Karsten Kinast LL.M will moderate the Digital Risk Track at EIC 2015.

  • Executive View: Rackspace Managed Cloud Hosting – Security and Assurance - 71283

    This report provides an overview of Rackspace Managed Cloud Hosting services together with an assessment of the security and assurance provided in respect of five critical risks faced by a cloud customer. 

  • Executive View: Prot-On - 71268

    The Prot-On solution for Secure Information Sharing provides an important means of protecting unstructured data files locally, when shared with partners and when stored in the cloud.

  • Leadership Compass: Infrastructure as a Service - 70959

    This report provides an overview and analysis of the market for Infrastructure as a Service (IaaS). IaaS provides basic computing resources that the customer can use over a network to run software and to store data. This report provides you with a compass to help you to find the IaaS service that best meets your needs.

  • Executive View: Imprivata OneSign - 70915
    Imprivata OneSign® is an integrated authentication and access management solution with a strong focus on the healthcare industry. It provides fast and secure access to workstations, virtual desktops and applications by combining strong authentication with enterprise single sign-on.

  • Apr 21, 2015: KuppingerCole Executive Luncheon & Afternoon Seminar: A "Krash" course on Identity & Access Management
    This Executive Luncheon & Afternoon seminar will provide an overall view of Identity & Access Management and Identity & Access Governance (IAM/IAG) and their various subtopics, to allow you to define your own "big picture" for your future IAM infrastructure.

  • Apr 21, 2015: KuppingerCole Executive Breakfast: How to embrace new technology – because your competitors are
    Companies today must manage their migration to the Cloud. Too many organisations find that they are already using Cloud services before they have planned their movement from “on-premise” applications to hosted services.

  • Really! Stop Your Employees Using Smart Phones!

    Why not just switch off every electrical device and live in a cave?

    I am on the record on several occasions as coming out in support of the UK government's cyber initiatives, including the Ten Steps to Cyber Security (Ten Steps) and their more recent Cyber Essentials. So, I was a bit surprised when a business owner asked if he should backtrack on his recent "smart phone for all" bonus for his employees. When I asked him why, he mentioned an article he had just read in the Telegraph, titled "Spooks tell business: Consider stripping staff of smart phones to avoid cyber attacks".

    Clichés, oh clichés.

    The same article then adds the typical "your staff are the weakest link" cliché. Oh, let's not forget the bit about being blackmailed by spies! What better way to draw attention to an article than an attention-grabbing headline, even when it is not quite accurate and somewhat misleading? What is even more displeasing is the way the article tries to impress the reader by implying that this information has been "seen", instead of mentioning that the Ten Steps is publicly available and accessible to every business. In fact, what the article refers to is but an updated and revised version of the UK Government's advice that was first issued in 2012. So ditching the phone stops cyber attacks, right? Put simply: No.

    Why, you may ask?

    • Most people are not going to ditch their smart phones. I know I will not.
    • In fact, most now carry multiple smart devices, including a tablet, a phone and, more recently, smart wearables like watches.
    • Any organisation that has a forward-thinking, revenue-generating strategy will already have adopted a mobile-first strategy.
    • Just a few days ago the much loved and sometimes loathed Uber was named the most valuable transport company in the world, even though it does not own any vehicles of its own. Could it be because it has a mobile-first strategy?
    • Cyber attackers will simply find some other way to attack a business. They could even consider reverting to the good old ways of targeting your laptops and desktop computers!

    To be fair to the government, they appear to have taken a sensible and, I would argue, risk-based approach. Here is an excerpt of what they say: "Consider the balance between system usability and security." Yes, there is the bit about external drives like USB sticks, which have been the cause of many a hack and many sleepless nights for security teams. I discuss the approach to this headache further down.

    Next: humans, you guessed it, will be humans!

    It is getting very tiring, borderline exhausting, having to hear that staff, who happen to be mostly humans for now, are to blame for all cyber security woes. This needs to stop. Stop declaring the human as the primary problem. Yes, you and I, us humans that is, are part of the problem, but being flippant about it is not the way to solve this problem.

    Again, the government have taken a balanced approach and do not bang on with "it's your staff's fault" pronouncements. At least that is how I have read it. Here is what one paragraph from the Ten Steps document set says: "Without exception, all users should be trained on the secure use of their mobile device for the locations they will be working in." To me that sounds more like: "You businesses out there, spend some money and educate and train all your users." I concur.

    Yes, Mobile is Insecure, but…

    Mobile working is insecure. But any device, including your new TV and your old laptop, is insecure as long as it is switched on! Mobile working has several benefits that both employees and organisations recognise. So accept the facts and have a plan to prevent, detect and respond.

    The Ten Steps document contains some good advice that I would encourage all to read and understand. In the meantime, I strongly recommend that every business owner:

    • Stop blaming the employee for all your cyber security problems.
    • Support the employee with the necessary technology to ensure that 'mistakes' cannot happen easily.
    • Yes, there is sufficient technology available today that can help prevent and detect cyber attacks.
    • Some technologies to consider are automatic VPN connectors, micro-virtualisation technologies and encryption technologies. Please engage KC for more information on how we can help you.
    • What the government is actually saying is: be pragmatic, understand the risks, and educate the users.
    • Last, but not least, accept the facts, review the threats specific to your company, understand the risk and have a plan to prevent, detect and respond.

    Finally! Cut the Government a Break! Seriously.

    To be fair to the government, it is quite hard producing a document that fits every organisation's risk profile; the analogy of "one size fits all" comes to mind. In my own customer dealings I have had more senior board members and business owners ask me about cyber security as a result of the UK government's efforts to make cyber security a board issue. Finally, please take a risk-based approach and spend some time understanding the threats and those attackers that would want to target your company. Cyber or not, this is common-sense threat and risk management. There is no point spending on technology and preparing for spies monitoring your employees if you are, for example, producing regular cleaning products. In such a company it would make more sense if effort and time were spent on preventing insiders leaking financial or human resource data. That is what I recommend, and that is actually what the government is trying to say.

    You can read about the UK Government's Ten Steps to Cyber Security here.

  • Just say it! User Experience Trumps Security!

    I was about to file The Register's mobile security article in my "just another article on mobiles and security" pile when I noticed what I believe to be a half-witted quote.

    So, in context: The Register published an article titled "Banks defend integrity of passcode-less TouchID login". The banks and the quotes in question are from the Royal Bank of Scotland (RBS) and NatWest.

    What is the half-witted quote, then?

    I will address the first two statements for this blog piece.

    "We do everything we can to make banking secure for our customers and we've tested this to make sure it was safe before launch. Other banking institutions across the world are also using this technology with their customers."

    Where is the proof that the above statement is true? The banks could have chosen to obtain the BSI Kitemark for Secure Digital Transactions. Barclays appears to be the only bank that has some of its products approved by the BSI (you can check this on the BSI site).

    "API spoofing and access to data held in the secure keychain is only possible on a jail-broken iPhone. We strongly advise customers against tampering with the security of their phone."

    Really! Blaming it on jail-broken iPhones and users. Most non-technical customers would not, in my opinion, know if their iPhone is jail-broken or not. In addition, the banks appear to acknowledge that there is a problem by admitting that jail-broken phones are susceptible. So why not configure their app to check for and block installations on jail-broken iPhones? Such a check is a client-side heuristic that a determined attacker on a jail-broken device can defeat, so it raises the bar rather than closing the hole, but it at least shows that the case was considered.
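    What the two quoted statements leave open, as an added example written for this post and not code from RBS, NatWest or their outsourcer: a heuristic jail-break check and, more importantly, a session token stored in the keychain behind an access-control object, so that the Secure Enclave, not the app, gates it with the currently enrolled fingerprint set. The service and account names are hypothetical, the token is assumed to come from the bank's own login flow, and the jail-break indicators are assumptions about common artefacts; every one of them can be hidden by a hooking framework on a jail-broken device, which is why the keychain binding carries the real weight.

```swift
import Foundation
import Security
import LocalAuthentication

// Heuristic jail-break indicators (assumed common artefacts, not exhaustive).
// None is conclusive and all can be hidden by a tweak on a jail-broken device,
// so a server must never trust a "not jail-broken" verdict from the client.
func isLikelyJailbroken() -> Bool {
    #if targetEnvironment(simulator)
    return false
    #else
    let suspiciousPaths = [
        "/Applications/Cydia.app",
        "/Library/MobileSubstrate/MobileSubstrate.dylib",
        "/bin/bash",
        "/usr/sbin/sshd",
        "/etc/apt",
        "/private/var/lib/apt/",
    ]
    for path in suspiciousPaths where FileManager.default.fileExists(atPath: path) {
        return true
    }
    // A sandboxed app must not be able to write outside its own container.
    let probe = "/private/jailbreak_probe_\(UUID().uuidString)"
    if (try? "probe".write(toFile: probe, atomically: true, encoding: .utf8)) != nil {
        try? FileManager.default.removeItem(atPath: probe)
        return true
    }
    return false
    #endif
}

enum KeychainError: Error {
    case accessControl(CFError?)
    case status(OSStatus)
}

let serviceName = "com.example.bank.session"   // hypothetical identifier
let accountName = "session-token"              // hypothetical identifier

/// Store a server-issued session token so it can only be read after the
/// Secure Enclave has verified a finger from the *currently enrolled* set.
/// Enrolling a new finger invalidates the item, the item never leaves this
/// device or its backups, and it cannot exist at all without a device passcode.
func storeTokenBoundToBiometrics(_ token: Data) throws {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly,
        .biometryCurrentSet,          // .touchIDCurrentSet on iOS 9 and 10
        &cfError) else {
        throw KeychainError.accessControl(cfError?.takeRetainedValue())
    }
    // Replace any previous copy so SecItemAdd does not fail with errSecDuplicateItem.
    let deleteQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: accountName,
    ]
    _ = SecItemDelete(deleteQuery as CFDictionary)

    let addQuery: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: accountName,
        kSecAttrAccessControl as String: access,
        kSecValueData as String: token,
    ]
    let status = SecItemAdd(addQuery as CFDictionary, nil)
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

/// Read the token back. The system shows the Touch ID prompt itself and the
/// wrapping key stays in the Secure Enclave, so the app never handles it.
func readTokenWithBiometrics(reason: String) throws -> Data? {
    let context = LAContext()
    context.localizedReason = reason
    let query: [String: Any] = [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: serviceName,
        kSecAttrAccount as String: accountName,
        kSecReturnData as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
        kSecUseAuthenticationContext as String: context,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    switch status {
    case errSecSuccess:
        return result as? Data
    case errSecItemNotFound:
        return nil   // never stored, or invalidated because the finger set changed
    case errSecUserCanceled, errSecAuthFailed:
        return nil   // user backed out or the biometric check failed
    default:
        throw KeychainError.status(status)
    }
}
```

    The "passcode-less" login in the article is passcode-less only at the app layer: kSecAttrAccessibleWhenPasscodeSetThisDeviceOnly refuses to store the item on a device with no passcode, and Touch ID cannot be enrolled without one anyway. .biometryCurrentSet is what stops the obvious abuse, a thief enrolling their own finger on an unlocked phone; after the enrolment change the read returns errSecItemNotFound rather than the token, and the user has to log in with their full credentials again.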

    Also, maybe the banks and their outsourcer should have read the recent Mobile Threat Assessment report from FireEye, which discusses the increasing ease with which hackers can bypass Apple's strict review process and invoke risky private APIs. This on non-jail-broken iPhones! (The report is titled "OUT OF POCKET: A Comprehensive Mobile Threat Assessment of 7 Million iOS and Android Apps".)

    Be Nice to the Banks... Come on. Surely they know what they are doing, right?

    Let's give the banks the benefit of the doubt for a minute. They value their customers, right? During their countless requirements workshops, user experience would have been at the forefront of all their requirements. Right?

    "What would our users want?" may have been one of their primary questions during their multiple brainstorming sessions. Surely security would have come up during these discussions, right?

    So, what about security?

    Now, I know banks, like most organisations, have to balance security against cost. Banks have a risk appetite and tolerance and must make trade-offs when it comes to security versus usability. The 4-digit PIN is a great example. I get that view and in many cases agree with that approach.

    I am guessing there must have been some trade-off with this Touch ID-based app too. They must have assumed that there will be those who will hack and abuse the system for monetary gain. However, I am guessing, with their compute and brain power, they would have calculated the likelihood and the financial impact to be negligible, and the risk acceptable and within their appetite.

    So why not come out with one of the first Touch ID-only banking apps?

    On the other hand, it could just be that no one actually thought about security! Maybe because they wrongly assumed that Apple products are super secure, or they simply forgot about it altogether.

    What is truly disappointing is that the banks had an opportunity to get both user experience and security right without necessarily sacrificing either. Sadly, it seems, security was again an afterthought.

  • 1-day Workshop on Access Governance at EIC 2015
    In European Identity and Cloud Conference

    EIC 2015 Workshop-Friday: Roles, Recertification, Access Governance: The Lean Approach - moderated by KuppingerCole Senior Analyst Matthias Reinwarth.

  • The Future of Secure Collaboration - Best Practices at EIC 2015
    In European Identity and Cloud Conference

    Marek Pietrzyk, Business Project Manager at UBS, will present a case study on Digital Rights Management.