Microsoft Acquires Cloud Access Security Intelligence vendor Adallom

Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only offer IaaS security (see our Wave at https://www.forrester.com/The+Forrester+Wave+Public+Cloud+Platform+Service+Providers+Security+Q4+2014/fulltext/-/E-RES113065 ) but also help with understanding risks around non-sanctioned and sanctioned SaaS applications. Microsoft's success of incorporating Adallom's assets into the Azure portfolio will depend on the following:

1. How well will Azure AD premium work with Adallom?

2. How well will Office 365 work with Adallom?

3. How well  will Azure IaaS work with Adallom?

4. How Adallom will be able to support data protection and encryption?

5. How well Adallom will continue to work vendor agnostically with non-Microsoft IaaS and SaaS envrionments?

We will be publishing a Market Overview on Cloud Access Security Intelligence vendors (including Adallom) in Q3 of 2015. Stay tuned!

Samsung keyboard bug highlights vulnerability of passwords

Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on this topic. Stay tuned.

Market Overview: Cloud Workload Security Management Solutions — Automate Or Die

Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option.

However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? Because S&R must ensure that installation and setup bootstraps with the right security and network configuration. They must control access to workloads as well as management consoles, file and configuration integrity, intrusion and endpoint protection. Manual management is simply not an option, you either automate security hardening for a large number of workloads or "die", i.e. fall victim to a breach.

Enter a new class of solution to offer a solution to this problem: Cloud Workload Security Management Solutions. These offerins  typically install a small agent on endpoints, connect these agents to a central service (available as SaaS or on-premises product) then offer centralized management of all the above cloud workload security aspects.

Our CWS market overview looks at and compares the features and company profiles of the most important vendors in this space.

https://www.forrester.com/Market+Overview+Cloud+Workload+Security+Management+Solutions+Automate+Or+Die/fulltext/-/E-RES121266

Market Overview: Cloud Data Protection

Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial strenght solution) remains a key priority of CIOs, CISOs and architects. 

In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. This report details trends and predictions in CDP and also our findings about how each vendor is approaching CDP and to help security and risk (S&R) professionals select the right partner for CDP.

You can find this market overview at https://www.forrester.com/Market+Overview+Cloud+Data+Protection+Solutions/fulltext/-/E-res120911

 

Inline image 1

Amazon Web Services Announces Cloud Active Directory

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering AD integration for a relatively long time), obviously this announcement is relevant because of AWS's broad presence in IaaS. We urge Forrester's clients that plan to use AWS AD service to ask AWS the following questions:

1. What safeguards are there to protect information (user, computer, etc.) in AWS AD?

2. How does AWS integrate in real time with on-premises AD and shared folder infrastructures?

3. What types of true identity management (access governance and provisioning) services does AWS offer to complement this new AD service?

 

Check AWS's blog entry at http://aws.amazon.com/blogs/aws/new-aws-directory-service/ for more details.

IBM Doubles Down Cloud IAM And Acquires Lighthouse Gateway

On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighhouse Gateway, is a small cloud provider that appeared in our Cloud IAM Wave and we were impressed by the "slickness" and ease-of-use of its customer interface for administration (policy management) and also for end users (Lighthouse Gateway provides its own front-end to ISIM and ISAM).

 

Now we recommend that IAM security and risk professionals should ask IBM the following questions about the acquisition:

1) How will IBM offer Lighthouse Gateway? Will it be an add-on to ISIM and ISAM licenses or will it be a standalone offering or both?

2) How will IBM integrate the beautiful user interface of Lighthouse Gateway into ISIM and ISAM on-premises offerings?

3) How will the new IBM IAM access governance ecosystem of ISIM+CrossIdeas be merged with Lighthouse Gateway?

Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space

Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave. 

What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its consumer fingerprint reader already making inroads into authentication) and others (Windows Phone, etc.) will follow suit and offer cloud based IAM and SSO services.

NFC Adoption Becomes Much Simpler: Google Opens Android 4.4 KitKat So That The NFC Can Be Provisioned By Anyone

This is big: Google opened up Android 4.4 KitKat to allow access to the NFC chip to Android apps and not just the trusted execution environment on the secure element.

What it means: any issuer, developer, 3rd party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that can present credit card information to the NFC and allow the user to use the card information for payment. This might mean that traditional trusted service managers (companies that are authorized to provision the secure element on the mobile phone, like Gemalto, FirstData, CorTSM, etc.) may face fierce competition from really anyone who wishes to provision cards to the phone. Mobile network operators can now be easily cut from the payment chain, too.

Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.

We regularly get the question: should we build our web authentication and single sign-on solution?

Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says:

"Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users’ identities."

Implementing your own session and key management, validation, update, periodic rollover, etc. mechanisms in a scalable and fault tolerant way is extremely difficult. We regularly get inquiries from clients who want to replace their own in-house built web single sign-on framework -- mostly because they have been hacked or it's too expensive to operate and update.

This is why we see open source and commercial Web Access Management packages and solutions critically important to protect your web assets. Since they are mostly mature technologies, they protect against not just authentication and session management problems but often against cross site scripting and other older threats as well. If you use a newer product or a pure federation product, make sure that the vendor or supplier can help you answer your questions based on the the OWASP list.

Check out https://www.owasp.org/index.php/Top_10_2013-Top_10 for more details on the OWASP Top 10 for 2013.

 

 

Forrester expects a wave of acquisitions of cloud IAM providers

With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure. 

 

Forrester expects that we will see the following in the next 12-18 months:

1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco etc.) that have not yet built an IAM framework or don't have on-premise IAM products they could turn into a cloud service will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.

2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on premise user directories (AD, LDAP, etc.) are starting to be only used for basic services and there is a great need for cloud based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration.  SalesForce.com OEM agreement with ForgeRock to create SalesForce Identity Connect is the first step in this direction. Identity bridges or connectors which connect on-premise user stores to the cloud provider’s user store will play a critical role and be the hardest first step in this transition.  

Read more