IBM Doubles Down Cloud IAM And Acquires Lighthouse Gateway

On the heels of the CrossIdeas acquisition (about which we recently published a QuickTake), IBM today acquired another cloud IAM provider, Lighthouse Security Group. Its product and service, Lighthouse Gateway, comes from a small cloud provider that appeared in our Cloud IAM Wave, where we were impressed by the slickness and ease of use of its interface both for administrators (policy management) and for end users (Lighthouse Gateway provides its own front end to ISIM and ISAM).

We recommend that IAM security and risk professionals ask IBM the following questions about the acquisition:

1) How will IBM offer Lighthouse Gateway? Will it be an add-on to ISIM and ISAM licenses or will it be a standalone offering or both?

2) How will IBM integrate the beautiful user interface of Lighthouse Gateway into ISIM and ISAM on-premises offerings?

3) How will the new IBM IAM access governance ecosystem of ISIM+CrossIdeas be merged with Lighthouse Gateway?

Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space

Centrify's new Cloud SSO portal is much like the competition (Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the vendors we looked at in our Cloud IAM Wave).

What's really interesting about this offering is that Samsung KNOX OEMs the client-side mobile application for SSO on its high-end devices. Forrester predicts that Apple (whose consumer fingerprint reader is already making inroads into authentication) and others (Windows Phone, etc.) will follow suit and offer cloud-based IAM and SSO services.

NFC Adoption Becomes Much Simpler: Google Opens Android 4.4 KitKat So That The NFC Can Be Provisioned By Anyone

This is big: Google opened up Android 4.4 KitKat so that Android apps can access the NFC chip directly, not just the trusted execution environment on the secure element.

What it means: any issuer, developer, third party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that presents credit card information to the NFC chip and lets the user pay with it. Traditional trusted service managers (companies authorized to provision the secure element on the mobile phone, such as Gemalto, FirstData, CorTSM, etc.) may therefore face fierce competition from anyone who wishes to provision cards to the phone. Mobile network operators can now be easily cut out of the payment chain, too.

Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.

We regularly get the question: should we build our own web authentication and single sign-on solution?

Here's why you should not do it: the OWASP Top 10 for 2013 lists "Broken Authentication and Session Management" as the No. 2 item to pay attention to when you design your web site. OWASP.org says:

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities."

Implementing your own session and key management, validation, update, periodic rollover, etc. mechanisms in a scalable and fault-tolerant way is extremely difficult. We regularly get inquiries from clients who want to replace their in-house-built web single sign-on framework, mostly because they have been hacked or because it is too expensive to operate and update.

This is why we see open source and commercial Web Access Management packages and solutions as critically important for protecting your web assets. Since they are mostly mature technologies, they protect not just against authentication and session management problems but often against cross-site scripting and other older threats as well. If you use a newer product or a pure federation product, make sure that the vendor or supplier can help you answer your questions based on the OWASP list.
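To make concrete what "session management, validation, update, periodic rollover" actually involves, here is an added example (not code from the post or from any vendor it names) of a minimal server-side session store with the controls OWASP A2 is about: unguessable IDs from the OS CSPRNG, idle and absolute expiry, rotation of the ID at login and on privilege change, and explicit invalidation. The class and function names, the timeouts, and the sample user are constructed for illustration.

```python
"""Added example (not from the post): a minimal server-side session manager
illustrating the controls OWASP A2 covers. Names, timeouts and the sample
user are constructed for illustration."""
import hashlib
import hmac
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before a session is dropped
ABSOLUTE_TIMEOUT = 8 * 3600  # hard cap on lifetime, however active the session is
TOKEN_BYTES = 32             # 256 bits of entropy per session ID


class SessionStore:
    """Session table keyed by HMAC(server_key, session_id).

    The cookie carries the raw ID; the store keeps only its HMAC, so a dump of
    the store does not yield cookies that could be replayed.
    """

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key
        self._clock = clock      # injectable for tests; defaults to wall clock
        self._sessions = {}      # HMAC(id) -> {"user", "created", "last_seen"}

    def _index(self, session_id: str) -> bytes:
        # Looking up the HMAC output rather than the raw ID also means the
        # dict lookup's timing reveals nothing about the secret the client sent.
        return hmac.new(self._key, session_id.encode(), hashlib.sha256).digest()

    def create(self, user: str) -> str:
        # IDs come from the OS CSPRNG, never from time, user IDs or counters.
        session_id = secrets.token_urlsafe(TOKEN_BYTES)
        now = self._clock()
        self._sessions[self._index(session_id)] = {
            "user": user, "created": now, "last_seen": now,
        }
        return session_id

    def validate(self, session_id: str):
        """Return the owning user if the session is live, else None.

        Expired sessions are removed on the spot so they cannot be revived.
        """
        idx = self._index(session_id)
        rec = self._sessions.get(idx)
        if rec is None:
            return None
        now = self._clock()
        if (now - rec["last_seen"] > IDLE_TIMEOUT
                or now - rec["created"] > ABSOLUTE_TIMEOUT):
            del self._sessions[idx]
            return None
        rec["last_seen"] = now
        return rec["user"]

    def rotate(self, session_id: str):
        """Replace the ID of a live session; the old ID stops working.

        Call at login (defeats session fixation) and on privilege change.
        """
        if self.validate(session_id) is None:
            return None
        rec = self._sessions.pop(self._index(session_id))
        new_id = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[self._index(new_id)] = rec
        return new_id

    def destroy(self, session_id: str) -> bool:
        """Explicit logout: True if a session was actually removed."""
        return self._sessions.pop(self._index(session_id), None) is not None


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping."""

    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk a constructed session through login, rotation and idle expiry."""
    clock = FakeClock()
    store = SessionStore(secrets.token_bytes(32), clock)
    sid = store.create("alice")              # constructed sample user
    results = {"fresh_ok": store.validate(sid) == "alice"}
    new_sid = store.rotate(sid)              # e.g. right after the password check
    results["old_id_dead"] = store.validate(sid) is None
    results["new_id_ok"] = store.validate(new_sid) == "alice"
    clock.advance(IDLE_TIMEOUT + 1)
    results["idle_expired"] = store.validate(new_sid) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Even this toy leaves out what a production system must add on top: a shared, replicated store so that expiry and revocation hold across every node, secure cookie attributes, binding the session to the authentication event, and audit logging. That gap between a correct-looking class and a fault-tolerant, scalable service is the point of the paragraph above.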

Check out https://www.owasp.org/index.php/Top_10_2013-Top_10 for more details on the OWASP Top 10 for 2013.

Forrester expects a wave of acquisitions of cloud IAM providers

With 1) Salesforce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also for provisioning, and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint), we are already seeing pure-play cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure.

Forrester expects that we will see the following in the next 12-18 months:

1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco, etc.) that have not yet built an IAM framework, or don't have on-premises IAM products they could turn into a cloud service, will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.

2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on-premises user directories (AD, LDAP, etc.) are starting to be used only for basic services, and there is a great need for cloud-based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration. Salesforce.com's OEM agreement with ForgeRock to create Salesforce Identity Connect is the first step in this direction. Identity bridges or connectors, which connect on-premises user stores to the cloud provider's user store, will play a critical role and will be the hardest first step in this transition.

What does the smartwatch mean for IAM? Safer, more versatile authentication, easier mobile payments and less fraud

Today we saw the announcement of the Samsung smartwatch, Galaxy Gear. 

I am certain that this new smartwatch form factor will fill a niche: first augmenting the input and output of a mobile phone or device (Samsung's, initially), and then, with further miniaturization, taking over more and more of the smartphone's functionality.

Beyond the cool factor, there are immense and also immediate security benefits to be gained from a smartwatch:

  • You can use the smartwatch as an "invisible" token. If the watch is on your wrist, an application running on the smartphone, mobile device or even a PC will sense the proximity of the smartwatch and thus authenticate you and let you in. Without the smartwatch nearby, you won't be able to (easily) log into the mobile application. This is very similar to Entrust's mobile phone token paired over Bluetooth with a PC, except now the smartphone is the PC and the token is the smartwatch. Further, it's a lot harder to steal your watch than it is to steal your mobile phone. The watch can also use motion, gait, etc. as extra factors for authentication beyond just "being there." Putting a fingerprint reader on a smartwatch may also be an easy way to authenticate users.
  • Voiceprint authentication to the watch and through the watch. This is where voice control and voiceprint authentication will come of age. Since the smartwatch lacks any usable input interface other than voice control, using your voiceprint to authenticate 1) to the smartwatch and its applications and 2) through the smartwatch to the smartphone or mobile device will be the easiest option. We expect that the above use case will give a whole new boost to the voiceprint biometrics market.

2013Q3 IAM Suites Wave is out today

In Forrester's 16-criteria evaluation of comprehensive identity and access management (IAM) suites, we identified the nine most significant vendors in the category — Aveksa, CA Technologies, Courion, Dell, IBM, NetIQ, Oracle, Ping Identity, and SecureAuth — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other, to help security and risk (S&R) professionals select the right partner for their enterprise, business-to-business, and consumer-facing IAM deployments. Get the document at http://www.forrester.com/The+Forrester+Wave+Identity+And+Access+Management+Suites+Q3+2013/fulltext/-/E-RES99281

RSA acquires Aveksa and finally joins the full-functionality IAM suites vendor party

On July 1, 2013, RSA acquired Aveksa for an undisclosed sum. The Aveksa access governance solution, which includes access request management and approval, attestation, role mining and management, user account provisioning, identity administration and auditing, will augment RSA's existing product lines for access control (RSA Access Manager, RSA Authentication Manager, RSA Federated Identity Manager, RSA Adaptive Federation, RSA Adaptive Directory, etc.). Short term, Aveksa will operate under its old management and will keep its OEM relationship with OneLogin for single sign-on into SaaS applications. Forrester expects that RSA will integrate its access management, VMware Horizon, and fraud management (SilverTail) product lines into a modern, full-functionality IAM portfolio using risk and identity intelligence concepts, one which will initially probably suffer from the growing pains that Dell's Quest IAM acquisition and Oracle's stack suffered from immediately after their IAM acquisitions. Forrester expects that, long term, RSA will also revitalize and consolidate its access management portfolio, solidify its presence in the cloud IAM space (IAM as a SaaS offering), and offer the stack as a fully hosted option, similar to CA's CloudMinder.

What it means: After years of consolidation and vendors bailing out of the space (HP, BMC, etc.), we will have one more vendor to choose from in the complete, full-functionality IAM suites market. This will create greater competition and more innovation -- something we and our clients are particularly happy about.

Want to win an iPad and get hardcore data on access recertification? Take the UBC-Forrester Access Recertification survey!

Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?

Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of the survey results.
Here's what we offer for your participation:

XACML is dead

Conversations with vendors and IT end users at Forrester's Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead or will be transformed into access control (see Quest APS, a legacy entitlement management platform based on BiTKOO, which Dell will probably morph into a web SSO platform).

Here are the reasons why we predict XACML is dead:

Lack of broad adoption. The standard is still not widely adopted among large enterprises, which have written their own authorization engines.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage.

The PDP does a lot of complex things that it does not inform the PEP about. If the PEP returns a 'no, you can't do that' decision in the application, you'd want to know why. Our customers tell us that this can prove very difficult: the PEP may not be able to find out, from the complex PDP evaluation process, why an authorization was denied.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEP in a cloud environment where there is only a WAN link between the PDP and the PEP is not an option.
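The third point above is an architectural one and is easiest to see in code. The following is an added example, not code from the post and not an XACML implementation: a toy PEP/PDP exchange with deny-overrides rule combining, in which several rule evaluations collapse into a single "Deny" that tells the application nothing, and a variant in which the PDP attaches advice naming the rule that decided. The rule names, attributes and sample request are constructed for a hypothetical records system.

```python
"""Added example (not from the post and not an XACML implementation): a toy
PEP/PDP exchange showing why a bare Deny tells the application nothing, and
how attaching advice naming the deciding rule fixes that. Rule names,
attributes and the sample request are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List


@dataclass
class Rule:
    rule_id: str
    effect: str                          # "Permit" or "Deny"
    target: Callable[[dict], bool]       # does this rule apply to the request?


@dataclass
class Decision:
    decision: str                        # Permit / Deny / NotApplicable
    advice: List[str] = field(default_factory=list)


class PDP:
    """Policy Decision Point: evaluates rules with deny-overrides combining."""

    def __init__(self, rules: List[Rule], explain: bool = False):
        self.rules = rules
        self.explain = explain           # attach advice naming the deciding rule(s)

    def evaluate(self, request: dict) -> Decision:
        applicable = [r for r in self.rules if r.target(request)]
        if not applicable:
            return Decision("NotApplicable")
        denies = [r for r in applicable if r.effect == "Deny"]
        if denies:
            # Deny-overrides: one matching Deny beats any number of Permits, and
            # without advice the caller never learns which rule fired.
            advice = [f"denied by rule {r.rule_id}" for r in denies] if self.explain else []
            return Decision("Deny", advice)
        return Decision("Permit")


class PEP:
    """Policy Enforcement Point: sits in the application, asks the PDP, enforces."""

    def __init__(self, pdp: PDP):
        self.pdp = pdp

    def enforce(self, subject: dict, action: str, resource: dict, environment: dict):
        request = {"subject": subject, "action": action,
                   "resource": resource, "environment": environment}
        decision = self.pdp.evaluate(request)
        if decision.decision == "Permit":
            return True, ""
        # Anything other than Permit is enforced as a refusal. The reason string
        # is only informative if the PDP chose to send advice.
        reason = "; ".join(decision.advice) or "access denied (PDP gave no reason)"
        return False, reason


# Constructed policy for a hypothetical records system.
RULES = [
    Rule("clinician-may-read", "Permit",
         lambda r: r["subject"].get("role") == "clinician" and r["action"] == "read"),
    Rule("staff-may-export", "Permit",
         lambda r: r["subject"].get("employment") == "staff" and r["action"] == "export"),
    Rule("contractors-no-phi", "Deny",
         lambda r: (r["subject"].get("employment") == "contractor"
                    and r["resource"].get("classification") == "PHI")),
    Rule("no-export-after-hours", "Deny",
         lambda r: (r["action"] == "export"
                    and not (9 <= r["environment"].get("hour", 0) < 17))),
]


def decide(explain: bool, subject: dict, action: str, resource: dict, hour: int):
    """Run one request through a PEP backed by a silent or an explaining PDP."""
    pep = PEP(PDP(RULES, explain=explain))
    return pep.enforce(subject, action, resource, {"hour": hour})


def demo():
    """Same request, silent PDP versus explaining PDP."""
    contractor = {"role": "clinician", "employment": "contractor"}
    phi = {"classification": "PHI"}
    return (decide(False, contractor, "read", phi, 10),
            decide(True, contractor, "read", phi, 10))


if __name__ == "__main__":
    for ok, why in demo():
        print("permit" if ok else f"deny: {why}")
```

In the silent configuration the contractor's read is denied and the application can only say "no", even though a Permit rule also matched. XACML 3.0 does define Obligations and Advice elements that a PDP can return alongside the decision, which is the mechanism the explaining variant imitates; whether a given product populates them, and whether the PEP surfaces them, is exactly what the customers quoted above found hard to rely on.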
