Blue Coat Systems Buy Elastica after Perspecsys

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects Blue Coat Systems will assemble their Cloud Security Gateway solution:

* Elastica intellectual property (IP): will be used for a) behavioral profiling, b) predictive analytics and c) anomaly detection in access to cloud applications.

* Perspecsys IP: will be used for a) cloud encryption and b) key management.

Blue Coat Systems has a herculean task on their hands: they have to successfully manage

1) Understanding existing Elastica and Perspecsys product portolios

2) Integrating Elastica and Perspecsys product portfolios into one single CSG offering

3) Integrating the resulting CSG solution with existing Blue Coat Systems solutions,

4) while managing the natural differecens,  post-acquisition attrition of key management and engineering resources from both acquired companies. 

Forrester expects that Blue Coat Systems will be able to the above in 9-12 months successfully.

Fingerprint authentication enters online banking at Bank of America - and signals FIDO's first major adoption event

Bank of America's website and press release says that you can use your TouchID on iOS to sign into BofA's mobile  application on iOS.

This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience - no more fumbling with hard-to-type passwords on small smartphone keyboards. It's important to note that matching the fingerprint to authenticate the user happens in the mobile application on the mobile device. As such it is not a true two factor, strong authentication where the match happens on the server side.

CyberArk acquires ViewFinity underscores endpoint privilege escalation's importance in privileged identity and access management

Today's acquistion of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Priivileged Identity / Access Management.

Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux based solutions. Balabit, Hitachi-ID, Lieberman, and Thycotic do not have any, they usually partner with Avecto, and Bit9.

Today's acquisition will a) further reduce the already small number of eligible/acquirable endpoint privilege escalation vendors and b) create further differentiation between partial and full PIM suite providers.

Microsoft Acquires Cloud Access Security Intelligence vendor Adallom

Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only offer IaaS security (see our Wave at ) but also help with understanding risks around non-sanctioned and sanctioned SaaS applications. Microsoft's success of incorporating Adallom's assets into the Azure portfolio will depend on the following:

1. How well will Azure AD premium work with Adallom?

2. How well will Office 365 work with Adallom?

3. How well  will Azure IaaS work with Adallom?

4. How Adallom will be able to support data protection and encryption?

5. How well Adallom will continue to work vendor agnostically with non-Microsoft IaaS and SaaS envrionments?

We will be publishing a Market Overview on Cloud Access Security Intelligence vendors (including Adallom) in Q3 of 2015. Stay tuned!

Samsung keyboard bug highlights vulnerability of passwords

Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on this topic. Stay tuned.

Market Overview: Cloud Workload Security Management Solutions — Automate Or Die

Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option.

However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? Because S&R must ensure that installation and setup bootstraps with the right security and network configuration. They must control access to workloads as well as management consoles, file and configuration integrity, intrusion and endpoint protection. Manual management is simply not an option, you either automate security hardening for a large number of workloads or "die", i.e. fall victim to a breach.

Enter a new class of solution to offer a solution to this problem: Cloud Workload Security Management Solutions. These offerins  typically install a small agent on endpoints, connect these agents to a central service (available as SaaS or on-premises product) then offer centralized management of all the above cloud workload security aspects.

Our CWS market overview looks at and compares the features and company profiles of the most important vendors in this space.

Market Overview: Cloud Data Protection

Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial strenght solution) remains a key priority of CIOs, CISOs and architects. 

In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. This report details trends and predictions in CDP and also our findings about how each vendor is approaching CDP and to help security and risk (S&R) professionals select the right partner for CDP.

You can find this market overview at


Inline image 1

Amazon Web Services Announces Cloud Active Directory

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering AD integration for a relatively long time), obviously this announcement is relevant because of AWS's broad presence in IaaS. We urge Forrester's clients that plan to use AWS AD service to ask AWS the following questions:

1. What safeguards are there to protect information (user, computer, etc.) in AWS AD?

2. How does AWS integrate in real time with on-premises AD and shared folder infrastructures?

3. What types of true identity management (access governance and provisioning) services does AWS offer to complement this new AD service?


Check AWS's blog entry at for more details.

IBM Doubles Down Cloud IAM And Acquires Lighthouse Gateway

On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighhouse Gateway, is a small cloud provider that appeared in our Cloud IAM Wave and we were impressed by the "slickness" and ease-of-use of its customer interface for administration (policy management) and also for end users (Lighthouse Gateway provides its own front-end to ISIM and ISAM).


Now we recommend that IAM security and risk professionals should ask IBM the following questions about the acquisition:

1) How will IBM offer Lighthouse Gateway? Will it be an add-on to ISIM and ISAM licenses or will it be a standalone offering or both?

2) How will IBM integrate the beautiful user interface of Lighthouse Gateway into ISIM and ISAM on-premises offerings?

3) How will the new IBM IAM access governance ecosystem of ISIM+CrossIdeas be merged with Lighthouse Gateway?

Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space

Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave. 

What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its consumer fingerprint reader already making inroads into authentication) and others (Windows Phone, etc.) will follow suit and offer cloud based IAM and SSO services.