Advisory Note: Demystifying the Blockchain - 71555
by Ivan Niccolai
Investigating current and future blockchain use cases as it evolves from a secure distributed ledger to a full compute platform.
Building APIs without programming? New tools from CA make it possible
by Alexei Balaganski
Last week, CA Technologies announced several new products in their API Management portfolio. The announcement was made during their annual CA World event, which took place November 16-20 in Las Vegas. This year, the key topic of the event was the Application Economy, so it is completely unsurprising that API management was a big part of the program. After all, APIs are one of the key technologies that drive the “digital transformation”, helping companies to stay agile and competitive, enable new business models and open up new communication channels with partners and customers.
Whether the companies are leveraging APIs to accelerate their internal application development, expose their business competence to new markets or to adopt new technologies like software-defined computing infrastructures, they are facing a lot of complex challenges and have to rely on third-party solutions to manage their APIs. The API Management market, despite its relatively young age, has matured quickly, and CA Technologies has become one of the leading players there. In fact, just a few months ago KuppingerCole has recognized CA as the overall leader in the Leadership Compass on API Security Management.
However, even a broad range of available solutions for publishing, securing, monitoring or monetizing APIs does not change the fact that before a backend service can be exposed as an API, it has to be implemented – that is, a team of skilled software developers is still required to bring your corporate data or intelligence into the API economy. Although quite a number of approaches exist to make the developer’s job as easy and efficient as possible (sometimes even eliminating the need for a standalone backend, like the AWS Lambda service), business persons are still unable to participate in this process on their own.
Well, apparently, CA is going to change that. The new CA Live API Creator is a solution that’s aiming at eliminating programming from the process of creating data-driven APIs. For a lot of companies, joining the API economy means the need to unlock their existing data stores and make their enterprise data available for consumption through standard APIs. For these use cases, CA offers a complete solution to create REST endpoints that expose data from multiple SQL and NoSQL data sources using a declarative data model and a graphical point-and-click interface. By eliminating the need to write code or SQL statements manually, the company claims tenfold time-to-market improvement and 40 times more concise logic rules. Most importantly, however, business persons no longer need to involve software developers – the process seems to be easy and straightforward enough for them to manage on their own.
CA Live API Creator consists of three components:
- Database Explorer, which provides interactive access to the enterprise data across SQL and NoSQL data sources directly from a browser. With this tool, users can not just browse and search, but also manage this information and even create “back office apps” with graphical forms for editing the data across multiple tables.
- API Creator, the actual tool for creating data-driven APIs using a point-and-click GUI. It provides the means for designing data models, defining logical rules, managing access control and so on, all without the need to write application code or SQL statements. It’s worth stressing that it’s not a GUI-based code generator – the solution is based on an object model, which is directly deployed to the API server.
- The aforementioned API Server is responsible for execution of APIs, event processing and other runtime logic. It connects to the existing data sources and serves client requests to REST-based API endpoints.
Although the product hasn’t been released yet (it will become available in December), and although it should be clearly understood that it’s by nature not a universal solution for all possible API use cases, we can already see a lot of potential. The very idea of eliminating software developers from the API publishing process is pretty groundbreaking, and if CA delivers on their promises to make the tool easy enough for business people, it will become a valuable addition to the company’s already first-class API management portfolio.
AWS Security and Compliance Update
by Mike Small
Security is a common concern of organizations adopting cloud services and so it was interesting to hear from end users at the AWS Summit in London on November 17th how some organizations have addressed these concerns.
Financial services is a highly regulated industry with a strong focus on information security. At the event Allan Brearley, Head of Transformation Services at Tesco Bank, described the challenges they faced exploiting cloud services to innovate and reduce cost, while ensuring security and compliance. The approach that Tesco Bank took, which is the one recommended in KuppingerCole Advisory Note: Selecting your Cloud Provider, is to identify and engage with the key stakeholders. According to Mr Brearley it is important to adopt a culture that satisfies all of the stakeholders’ needs all of the time.
In the UK the government has a cloud first strategy. Government agencies using cloud services must follow the Cloud Security Principles, first issued by the UK Communications-Electronics Security Group (CESG) in 2014. These describe the need to take a risk-based approach to ensure suitability for purpose. Rob Hart of the UK DVSA (Driver & Vehicle Standards Agency), which is responsible for road safety in the UK, described the DVSA’s journey to the adoption of AWS cloud services. Mr Hart explained that the information being migrated to the cloud was classified according to UK government guidelines as “OFFICIAL”. That is equivalent to commercially sensitive or Personally Identifiable Information. The key to success, according to Mr Hart, was to involve the Information Security Architects from the very beginning. This was helped by these architects being in the same office as the DVSA cloud migration team.
AWS has always been very open that the responsibility for security is shared between AWS and the customer. AWS publish their “Shared Responsibility Model” which distinguishes between the aspects of security that AWS are responsible for, and those for which the customer is responsible.
Over the past months AWS has made several important announcements around the security and compliance aspects of their services. There are too many to cover here, so I have chosen three around compliance and three around security. Firstly, the announcements around compliance include:
- ISO/IEC 27018:2014 – AWS has published a certificate of compliance with this ISO standard which provides a code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
- UK CESG Cloud Security Principles. In April 2015 AWS published a whitepaper to assist organisations using AWS for United Kingdom (UK) OFFICIAL classified workloads in alignment with CESG Cloud Security Principles.
- Security by Design – In October 2015 AWS published a whitepaper describing a four-phase approach for security and compliance at scale across multiple industries. This points to the resources available to AWS customers to implement security into the AWS environment, and describes how to validate controls are operating.
Several new security services were also announced at AWS re:Invent in October. The functionality provided by these services is not unique; however, it is tightly integrated with AWS services and infrastructure. Therefore these services provide extra benefits to a customer that is prepared to accept the risk of added lock-in. Three of these include:
- Amazon Inspector – this service, which is in preview, scans applications running on EC2 for a wide range of known vulnerabilities. It includes a knowledge base of rules mapped to common security compliance standards (e.g. PCI DSS) as well as up to date known vulnerabilities.
- AWS WAF Web Application Firewall – this is a Web Application Firewall that can detect suspicious network traffic. It helps to protect web applications from attack by blocking common web exploits like SQL injection and cross-site scripting.
- S2N Open Source implementation of TLS – This is a replacement created by AWS for the commonly used OpenSSL (which contained the “Heartbleed” vulnerability). S2N replaces the 500,000 lines of code in OpenSSL with approximately 6,000 lines of audited code. This code has been contributed to Open Source and is available from the S2N GitHub repository.
AWS has taken serious steps to help customers using its cloud services to do so in a secure manner and to assure that they remain compliant with laws and industry regulations. The customer experiences presented at the event confirm that AWS’s claims around security and compliance are supported in real life. KuppingerCole recommends that customers using AWS services should make full use of the security and compliance functions and services provided by AWS.
Executive View: Knowledge Vault - 71412
by Alexei Balaganski
Knowledge Vault is a cloud-based compliance platform that provides auditing, alerting, reporting and management functions for analyzing user and administrator activities across multiple data sources including Microsoft Office 365, Microsoft Azure Active Directory and popular file sharing services.
The Seven Keys to a Successful Privileged Account Management Strategy
How can IT professionals successfully walk the thin line between protecting their organization's critical data and at the same time enable users and administrators to work productively? First of all, it is absolutely important to control, monitor, and audit privileged access in order to mitigate the risks posed by insider threats, prevent data breaches, and meet compliance requirements.
Building a Cyber Defence Centre: IBM’s rules for success
by Mike Small
According to GCHQ, the number of cyber-attacks threatening UK national security has doubled in the past 12 months. How can organizations protect themselves against this growing threat, especially when statistics show that most data breaches are only discovered some time after the attack took place? One important approach is to create a Cyber Defence Centre to implement and co-ordinate the activities needed to protect against, detect and respond to cyber-attacks.
The Cyber Defence Centre has evolved from the SOC (Security Operations Centre). It supports the processes for enterprise security monitoring, defence, detection and response to cyber-based threats. It exploits Real Time Security Intelligence (RTSI) to detect these threats in real time or in near real time, to enable action to be taken before damage is done. It uses techniques taken from big data and business intelligence to reduce the massive volume of security event data collected by SIEM to a small number of actionable alarms where there is a high confidence that there is a real threat.
A Cyber Defence Centre is not cheap or easy to implement so most organizations need help with this from an organization with real experience in this area. At a recent briefing IBM described how they have evolved a set of best practice rules based on their analysis of over 300 SOCs. These best practices include:
The first and most important of these rules is to understand the business perspective of what is at risk. It has often been the case that the SOC would focus on arcane technical issues rather than the business risk. The key objective of the Cyber Defence Centre is to protect the organization’s business critical assets. It is vital that what is business-critical is defined by the organization’s business leaders rather than the IT security group.
Many SOCs have evolved from NOCs (Network Operation Centres) – however the NOC is not a good model for cyber-defence. The NOC is organized to detect, manage and remediate what are mostly technical failures or natural disasters rather than targeted attacks. Its objective is to improve service uptime and to restore service promptly after a failure. On the other hand, the Cyber Defence Centre has to deal with the evolving tactics, tools and techniques of intelligent attackers. Its objective is to detect these attacks while at the same time protecting the assets and capturing evidence. The Cyber Defence Centre should assume that the organizational network has already been breached. It should include processes to proactively seek attacks in progress rather than passively wait for an alarm to be raised.
The Cyber Defence Centre must adopt a systematized and industrialized operating model. An approach that depends upon individual skills is neither predictable nor scalable. The rules and processes should be designed using the same practices as for software, with proper versioning and change control. The response to a class of problem needs to be worked out together with the rules on how to detect it; when the problem occurs is not a good time to figure out what to do. Measurement is critical – you can only manage what you can measure, and measurement allows you to demonstrate the changing levels of threats and the effectiveness of the cyber defence.
Finally, as explained by Martin Kuppinger in his blog post “Your future Security Operations Center (SOC): Not only run by yourself”, it is not necessary or even practical to operate all of the cyber defence activities yourself. Enabling this sharing of activities needs a clear model of how the Cyber Defence Centre will be operated. This should cover the organization and the processes as well as the technologies employed. This is essential to decide what to retain internally and to define what is outsourced in an effective manner. Once again, an organization will benefit from help to define and build this operational model.
At the current state of the art for Cyber Defence, Managed Services are an essential component. This is because of the rapid evolution of threats, which makes it almost impossible for a single organization to keep up to date, and because of the complexity of the analysis that is required to identify and distinguish these threats. This up-to-date knowledge needs to be delivered as part of the Cyber Defence Centre solution.
KuppingerCole Advisory Note: Real Time Security Intelligence provides an in-depth look at this subject.
Controlling Access through Centralized Authorization
Access to applications has, for the most part, been managed effectively through authentication and identity management. This combination of ease of use and security has driven the explosive growth of consumer and enterprise applications. However, the proliferation of connected devices and smartphones brings a new set of challenges beyond these traditional controls, requiring the use of authorization as a fundamental component of a complete access and security strategy.
Leadership Brief: Privileged Account Management Considerations - 72016
by Mike Small
Strong management of the use of the privileged accounts needed to manage IT infrastructure and applications is essential to protect against mistakes and misuse, as well as cyber-crime.
Jan 12, 2016: Dell Identity Manager 7.0: Why things have changed
IAM (Identity & Access Management) is a central discipline of Information Security. But it rarely starts on a green field – commonly there are already some IAM components in place, such as directories, Single Sign-On etc. There might also be, e.g., IT service management tools in the company. Thus, IAM must integrate well into the existing landscape. Depending on their current infrastructure and requirements, organizations therefore might want to start at different points with IAM. Successful implementations demand a holistic, unified view.
Microsoft to acquire Secure Islands – a significant investment in Secure Information Sharing
by Martin Kuppinger
Microsoft and Secure Islands today announced that Microsoft is to acquire Secure Islands. Secure Islands is a provider of automated classification for documents and further technologies for protecting information. The company already has tight integration into Microsoft’s Azure Rights Management Services (RMS), a leading-edge solution for Secure Information Sharing.
After completing the acquisition, Microsoft plans full integration of Secure Islands’ technology into Azure RMS, which will further enhance the capabilities of the Microsoft product, in particular by enabling interception of data transfers from various sources on-premises and in the cloud, and by automated and, if required, manual classification.
Today’s announcement confirms Microsoft's focus and investment into the Secure Information Sharing market, with protecting information at the information source (e.g. document) itself being one of the essential elements of any Information Security strategy. Protecting what really needs to be protected – the information – obviously (and if done right) is the best strategy for Information Security, in contrast to indirect approaches such as server security or network security.
By integrating Secure Islands' capabilities directly into Microsoft Azure RMS, Microsoft now can deliver an even more comprehensive solution to its customers. Furthermore, Microsoft continues working with its Azure RMS partner ecosystem in providing additional capabilities to its customers.
Executive View: MobilityLab WorksPad - 71402
by Alexei Balaganski
WorksPad is an integrated enterprise mobile workplace solution combining secure access to corporate file resources and e-mail with innovative collaboration functions.
KuppingerCole Analysts' View on Real Time Security Intelligence & Future SOC
Organizations depend upon the IT systems and the information that they provide to operate and grow. However, the information that they contain and the infrastructure upon which they depend is under attack. Statistics show that most data breaches are detected by agents outside of the organization rather than internal security tools. Real Time Security Intelligence (RTSI) seeks to remedy this.
Nov 30, 2015: Australasian Next Generation Cyber Security
Digital Disruption & Transformation in Industry and Government
A Joint event with the Australian Information Industries Association (AIIA)
November 30, 2015 at the RACV Club Melbourne, Australia
Executive View: NextLabs Rights Management Platform - 71272
by Martin Kuppinger
Comprehensive Rights Management solution including information classification, based on a well thought-out policy management model supporting XACML as a standard, with outstanding support for PLM environments and engineering data.
Forget Firewalls - Enterprise Data is your New Perimeter
One of the biggest challenges modern enterprises are facing is the evolution toward connected businesses. To survive in this fiercely competitive environment, businesses strive to be as agile as possible, to continuously adopt new business models and to open up new communication channels with their partners and customers. Thanks to rapidly growing adoption of cloud and mobile computing, enterprises are becoming more and more interconnected, and the notion of a security perimeter has almost ceased to exist.