Leadership Brief: Prevent, Detect, Respond: the Changing Face of IAM - 71305
by Mike Small
As well as providing the means to control and manage legitimate access, Identity and Access Management is now in the critical line of defense against cyber threats.
Leadership Brief: How to Justify your IAM Investments - 71410
by Mike Small
IAM is an essential enabler for the agile business connected. Justifying investments in IAM needs to emphasize the business benefits like better agility, not just the IT process improvements.
Vulnerability Assessment 2.0: Improving Accuracy and Reducing Costs with Behavior Analysis
Vulnerability scanners and management tools have been an important part of every information security specialist’s arsenal for decades. Nowadays, with the continued erosion of corporate perimeters and overwhelming increase in advanced targeted attacks exploiting known and unknown vulnerabilities, they are more important than ever before. Learn more about the emerging new generation of vulnerability assessment tools, which focus on clear and concise actionable reports instead of raw detection logs, providing considerable time and cost savings for your security team.
Advisory Note: Eight Fundamentals for Digital Risk Mitigation in the Age of Transformation - 71302
by Martin Kuppinger
Digital Transformation is on its way. Unstoppable, inevitable, with increasing speed. Organizations have to react, in particular for avoiding unpredictable risks. Digital Risk Mitigation is a key success factor in the digital transformation of businesses.
Executive View: Using Certification for Cloud Provider Selection - 71308
by Mike Small
An overview of how to use certification to assist in selecting a cloud service provider.
Best Practice: European Identity Award 2015: Nantes University Hospital - 71402
by Dave Kearns
The European Identity Award 2015 for “Best IAM Project”: a strong example of an IAM solution encompassing not only the employees of the organization and its HQ, but also supporting a decentralized organization as well as the extended enterprise.
Oct 22, 2015: One IT, One Identity: Mastering the Security Challenge in the Age of Digital Transformation
A few years ago, KuppingerCole's Analysts came up with the term "identity explosion", meaning the exponential growth of identities organizations have to deal with caused by Cloud Computing, Mobile Computing, Social Computing, Big Data, the Internet of Things and more. The digital transformation of business is now raising the impact of this explosion - which means that we have to transform our understanding of identities and access.
Executive View: BalaBit syslog-ng - 71201
by Martin Kuppinger
The Balabit syslog-ng product family provides technologies that allow collecting, processing, and analyzing log events from a variety of different sources, going well beyond the standard syslog component. The products are relevant both as a complement to and as a replacement for standard SIEM solutions.
Leadership Compass: Access Control/Governance for SAP Environments - 71104
by Matthias Reinwarth
This report provides an overview and analysis of the market for access control and access governance solutions for SAP environments. Organizations can significantly improve their risk management and their corporate compliance with applicable laws and regulations by integrating the right access control components into their SAP infrastructure. This report offers a guide to help you find a governance solution for SAP that fits your needs.
Windows 10: new anti-malware features and challenges
by Alexei Balaganski
Offering Windows 10 as a free upgrade was definitely a smart marketing decision for Microsoft. Everyone is talking about the new Windows and everyone is eager to try it. Many of my friends and colleagues have already installed it, so I didn’t hesitate long myself and upgraded my desktop and laptop at the first opportunity.
Overall, the upgrade experience has been quite smooth. I’m still not sure whether I find all visual changes in Windows 10 positive, but hey, nothing beats free beer! I also realize that much more has been changed “under the hood”, including numerous security features Microsoft has promised to deliver in their new operating system. Some of those features (like built-in Information Rights Management functions or support for FIDO Alliance specifications for strong authentication) many consumers will probably not notice for a long time if ever, so that’s a topic for another blog post. There are several things, however, which everyone will face immediately after upgrading, and not everyone will be happy with the way they are.
The most prominent consumer-facing security change in Windows 10 is probably Microsoft’s new browser – Microsoft Edge. Developed as a replacement for aging Internet Explorer, it contains several new productivity features, but also eliminates quite a few legacy technologies (like ActiveX, browser toolbars or VBScript), which were a constant source of multiple vulnerabilities. Just by switching to Edge from Internet Explorer, users are automatically protected from several major malware vectors. It does, however, include built-in PDF and Flash plugins, so it’s potentially still vulnerable to the two biggest known web security risks. It is possible to disable Flash Player under “Advanced settings” in the Edge app, which I would definitely recommend. Unfortunately, after upgrading, Windows changes your default browser to Edge, so make sure you change it back to your favorite one, like Chrome or Firefox.
Another major change that in theory should greatly improve Windows security is the new Update service. In Windows 10, users can no longer choose which updates to download – everything is installed automatically. Although this will greatly reduce the window of opportunity for an attacker to exploit a known vulnerability, an unfortunate side effect of this is that sometimes your computer will be rebooted automatically when you’re away from it. To prevent this, you must choose “Notify to schedule restart” under advanced update options – this way you’ll at least be able to choose a more appropriate time for a reboot. Another potential problem is traffic charges: if you’re connecting to the Internet over a mobile hotspot, updates can quickly eat away your monthly traffic limit. To prevent this, you should mark that connection as “metered” under “Advanced options” in the network settings.
Windows Defender, which is the built-in antivirus program already included in earlier Windows versions, has been updated in a similar way: in Windows 10, users can no longer disable it with standard controls. After 15 minutes of inactivity, antivirus protection will be re-enabled automatically. Naturally, this greatly improves anti-malware protection for users not having a third party antivirus program installed, but quite a few users are unhappy with this kind of “totalitarianism”, so the Internet is full of recipes on how to block the program completely. Needless to say, this is not recommended for most users, and the only proper way of disabling Windows Defender is installing a third party product that provides better anti-malware protection. A popular site, AV Comparatives, maintains a list of security products compatible with Windows 10.
Since most anti-malware products utilize various low level OS interfaces to operate securely, they are known to be affected the most by the Windows upgrade procedure. Some will be silently uninstalled during the upgrade, others will simply stop working. Sometimes, an active antivirus may even block the upgrade process or cause cryptic error messages. It is therefore important to uninstall anti-malware products before the upgrade and reinstall them afterwards (provided, of course, that they are known to be compatible with the new Windows, otherwise now would be a great time to update or switch your antivirus). This will ensure that the upgrade will be smooth and won’t leave your computer unprotected.
Executive View: Zscaler Internet Security Platform - 71010
by Alexei Balaganski
Zscaler is a unified Security-as-a-Service platform integrating various security services like web and mobile security, next generation firewall, data leakage prevention, advanced threat protection and bandwidth management in an entirely cloud-based solution without any on-premise hardware.
Windows 10: Finally - Stronger Authentication
by Matthias Reinwarth
Windows 10 comes with the promise of changing computing from the ground up. While this might be marketing speak in many aspects, it might be true for one central aspect of daily computing life: secure user authentication for the operating system, but also for websites and services.
Microsoft goes beyond the traditional username and password paradigm and moves towards strong authentication mechanisms. While traditionally this was only possible with having costly additional hardware, infrastructure and processes available, e.g. smartcards, Microsoft does it differently now.
So, although the comparison might be difficult for some readers: improving security by implementing all necessary mechanisms within the underlying system is quite similar to what Apple did when they introduced secure fingerprint authentication with the recent models of the iPhone and the iPad, beginning with the iPhone 5S (in comparison to ridiculously inadequate implementations within several Android phones as made public just recently).
The mechanism called "Windows Hello" supports various authentication scenarios. So with Windows 10 being an operating system designed to run across a variety of devices, Microsoft is going for multifactor authentication beyond passwords for authentication purposes for mobile phones, for tablets, mobile computers, the traditional desktop and more flavors of devices. One factor can be a device itself and can be enrolled (by associating an asymmetric key pair) to be part of a user authentication process.
The account settings dialog offers new and additional mechanisms for identifying valid users: User authentication with user name and password can be augmented by alternative authentication scenarios using PINs or gestures.
While passwords are typically used globally across all devices, PINs and gestures are specific to a single device and cannot be used in any other scenario.
Picture authentication records three gestures executed with any pointing device (e.g. stylus, finger, mouse) on any desired image (preferably cats, as this is the internet). Reproducing them appropriately logs you into the specific Windows 10 system without the need of typing in a password.
Actually, the combination of your device (something you have) plus PIN or gesture (something you know) can be considered as two-factor authentication for access to your data, e.g. in the OneDrive cloud service.
Other factors deployed for authentication include biometrics like the fingerprint scan, whenever a fingerprint sensor is available or a retina scan when a capable camera is available. Finally, "Windows Hello" adds facial recognition to the login process, although this might be scary for several users to have a camera scanning the room (which of course is nothing new for Xbox users deploying Kinect having their living room scanned all day) while the login screen is active. The requirement for deploying cameras that are able to detect whether it is a real person in 3-D or just the picture avoids simple cheating scenarios.
Once authenticated, a user can access a variety of resources by deploying the Microsoft Passport mechanism, which deploys asymmetric keys for accessing services and websites securely. A user successfully authenticated towards Microsoft Passport through Microsoft Hello will be able to access information securely by applications acting upon his behalf deploying the necessary APIs. This brings asymmetric key cryptography to different types of end-users, ranging from business users to home users and mobile phone users alike. Depending on the deployment scenario, the user data is then stored within the corporate Microsoft Active Directory infrastructure of the individual organisation, within Microsoft Azure Active Directory for cloud deployments, or, for the home user, within the associated Microsoft Live account, e.g. at Outlook.com.
While Microsoft has been contributing to the standardisation of the FIDO (Fast IDentity Online) protocols for quite some time now, Windows 10 finally claims to come with support for the current versions of the final protocol specifications. This will allow Windows 10 users to connect securely and reliably to Internet sites providing services based on the FIDO standards, especially to prevent man-in-the-middle attacks and phishing scenarios. Until now, FIDO standard implementations have relied on support from, e.g., browser providers like Firefox or Chrome. Support for the FIDO standards built into the Windows 10 operating system might give the standards an enormous boost and allow for a win-win situation for security and the OS.
Windows 10 is now in its early weeks of deployment in the field. It will be interesting to see whether the new authentication mechanisms will be broadly understood as a real game changer for securing identity information and providing stronger authentication. Any appropriately secure way of getting rid of password authentication is a chance to improve overall user security and to protect identity data and every connected transaction. So each and every Windows 10 user should be encouraged to deploy the new authentication mechanisms ranging from biometrics to PINs and gestures and to the deployment of the FIDO standards through the Microsoft Passport framework. Why not at least once use Windows and be a forerunner in security and privacy?
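The post above describes enrolling a device by associating an asymmetric key pair and says FIDO-style authentication resists phishing and man-in-the-middle scenarios. The following is an added example, not code from the post, Microsoft or the FIDO Alliance: a simplified Node.js model (not the FIDO wire format or the Passport API) showing how signing the challenge together with the origin lets the service reject relayed, rewritten and replayed responses. All origins and function names are constructed for illustration.

```javascript
// Added illustration: simplified model of device-bound key authentication.
// Not the FIDO wire format and not the Microsoft Passport API.
const crypto = require('node:crypto');

// Enrollment: the device generates a key pair. The private key stays on the
// device; the service stores only the public key for this user.
function enrollDevice() {
  return crypto.generateKeyPairSync('ed25519');
}

// Device side: after the local PIN/gesture/biometric check (not modelled),
// sign the service's challenge together with the origin the client is
// actually connected to.
function signAssertion(privateKey, challenge, origin) {
  const clientData = Buffer.from(
    JSON.stringify({ challenge: challenge.toString('base64'), origin }));
  return { clientData, signature: crypto.sign(null, clientData, privateKey) };
}

// Service side: verify the signature first, then the fields it covers.
function verifyAssertion(publicKey, expectedChallenge, expectedOrigin, a) {
  if (!crypto.verify(null, a.clientData, publicKey, a.signature)) {
    return 'bad-signature';
  }
  const data = JSON.parse(a.clientData.toString('utf8'));
  if (data.origin !== expectedOrigin) return 'wrong-origin';
  if (data.challenge !== expectedChallenge.toString('base64')) {
    return 'stale-challenge';
  }
  return 'ok';
}

function demo() {
  const SITE = 'https://login.example';            // constructed origin
  const LOOKALIKE = 'https://login.example.test';  // constructed origin
  const device = enrollDevice();
  const c1 = crypto.randomBytes(32);  // challenge for the first login
  const c2 = crypto.randomBytes(32);  // challenge for a later login
  const good = signAssertion(device.privateKey, c1, SITE);
  // The user was lured to a look-alike origin that forwards c2.
  const relayed = signAssertion(device.privateKey, c2, LOOKALIKE);
  // The relay swaps in the genuine origin; the signature no longer matches.
  const rewritten = {
    signature: relayed.signature,
    clientData: Buffer.from(
      JSON.stringify({ challenge: c2.toString('base64'), origin: SITE })),
  };
  return {
    genuine: verifyAssertion(device.publicKey, c1, SITE, good),
    lookalike: verifyAssertion(device.publicKey, c2, SITE, relayed),
    rewritten: verifyAssertion(device.publicKey, c2, SITE, rewritten),
    replayed: verifyAssertion(device.publicKey, c2, SITE, good),
  };
}

console.log(demo());
```

Unlike a password, nothing the user can be tricked into typing on the look-alike site is reusable against the genuine one, because the signed data names the origin and a one-time challenge.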
Oct 13, 2015: Cyber Security in 2015 – 2016
KuppingerCole (Asia Pacific) is pleased to announce a special Chief Security Officer and Security Analyst afternoon seminar immediately prior to the Australasian Information Security Annual conference (AISA) welcoming drinks. The numbers are strictly limited and a discount rate applies to AISA Members attending the AISA Conference.
Sep 29, 2015: The CISO Imperative: Taking Control of SAP Cyber Attacks
It is impossible to overestimate the importance of SAP system security for modern enterprises. SAP solutions are widely used in all industries to store sensitive information and run critical business processes: from Enterprise Resource Planning and Human Resources systems to Business Intelligence to Customer Relationship and Supply Chain Management. Constant availability and protection of SAP systems is critical for over 250,000 enterprises around the world, as is their continued visibility and auditability to ensure compliance.
Windows 10: How to Ensure a Secure and Private Experience
by Mike Small
Together with many others I received an offer from Microsoft to upgrade my Windows 7 desktop and Windows 8.1 laptop to Windows 10. Here is my initial reaction to successfully performing this upgrade with a specific focus on the areas of privacy and security.
As always when considering security, the first and most important step is to understand what your requirements are. In my case – I have several computers and I mainly use these with Microsoft Office, to use the internet for research and to store personal photos. My main requirements are for consistency and synchronization across these systems together with security and reliability. The critical dimensions that I considered are privacy, confidentiality, integrity and availability. Let’s start with availability:
- Make sure you back up your files before you start the upgrade! My files were preserved without problems but it is better to be safe than sorry. It is also a good idea to understand how you could roll back if there is a catastrophic failure during the upgrade. One really big improvement over Windows 8 is the ability to restore files from a Windows 7 backup.
- Check that your computer is compatible with the upgrade. The Microsoft upgrade tool checks your computer for compatibility and some manufacturers provide information on which systems they have tested. The Dell support site informed me that my new laptop was tested but my old desktop wasn’t. However both upgraded without problems, but I did need to re-install some software – for my HP printer.
- Consider whether you want new features as soon as they are available (with the risk that they may cause problems). The default setting for updates is for these to be automatically installed. You can change this through the advanced setting menu by checking the box to defer upgrades. You will still receive security fixes but new features will be delayed.
- Windows 10 has a number of recovery options – you can roll back to your previous OS for up to 30 days after the upgrade as well as performing a complete reset.
- Windows 10 automatically includes Windows Defender for protection – make sure this is activated. If you prefer another anti-malware product you will need to install this yourself.
- If you already use OneDrive then you will notice some changes. Previous versions of the OneDrive App supported a placeholder function that allowed File Explorer to display files that were held online but not sync’d onto your PC. This is no longer available; any directories that are not sync’d are not visible through file explorer. I experienced sync problems with files that were previously held online only. I was able to resolve this using the OneDrive Setting menu – first uncheck the folder(s) and save the settings. The folders and files are then erased on your device (scary!). Then repeat the process but this time check the folders for sync in the menu. When you save these settings the files in the folders are re-synced from the cloud.
- The user accounts are copied from your previous OS – if these were all local accounts then they remain so. If you have a Microsoft account then you can link this with one of these local accounts. Doing this allows you to use a PIN instead of a password to log in.
- If you are using Office 365 you will already have a Microsoft Account, you can also set up a free account which provides some free OneDrive space. However if you use the Microsoft account it is a good idea to understand and manage your privacy settings.
- The files in OneDrive are all held in the Microsoft cloud and you need to accept the risk that this poses bearing in mind that most breaches result from weak user credentials.
- If you are using BitLocker to encrypt your files then the encryption key will also be held on your OneDrive unless you opt out.
- You should review the privacy setting from the Express setup and decide what to change.
A future blog will provide more detailed advice on what these mean and how best to set things up. My short advice is to go through these settings carefully and choose which Apps you are happy to allow to access the various functions. In particular I would disable the App Connector since this gives access to unknown apps. I would also not allow Apps to access my name, picture and other info – but then I’m just paranoid.
- You also need to consider the privacy setting for the new Edge browser. These are to be found under “Advanced Settings”. Consider whether you really need Flash enabled since this has been a frequent target for attacks. Also consider enabling the “Do not Track Requests Button”.
- If you decide to use Cortana – this may involve setting region, language and downloading language pack – make sure you check out the privacy agreement:
My personal experience with this upgrade has been very positive. The upgrades went smoothly and the performance, especially the boot up time for my old Desktop, is much faster than with Windows 7. The settings are now much more understandable and accessible but you need to take the time to review the defaults to achieve your objectives for privacy and confidentiality. KuppingerCole plan a series of future blogs that will give more detailed guidance on how to do this.