We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior. One thing is clear: companies don't even *know* what kind of security (SIM, data, identity, email, etc.) information they should be inspecting to detect security threats and where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies - and when they see any changes to normal patterns, understand whether they should send a guy with a gun or a guy with a wrench. In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.
Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ'sIDM stack as a basis for their hosted offering solution.
With only 4 stack players in Identity and Access Management, it is always welcoming news to see a new company joining the space. Quest Software is on a shopping spree: it acquired e-DMZ (privileged identity management), Völcker Informatik AG (provisioning), Symlabs (virtual directories), and now BiTKOO (XACML entitlement management). Forrester expects that in reaction to its main competitor NetIQ taking over Novell’s IAM portfolio, Quest will expand significantly into the non-Windows, heterogeneous IAM space. Forrester further expects that Symantec and to some degree Intel will follow suit, as both of these companies announced cloud-based IAM offerings.
Many IT end-user companies deployed hard tokens at a time when intermediate-risk choices were thinner on the ground, and some of these companies would have benefited from a more granular approach anyway. In general, we are seeing companies moving towards risk-based authentication augmented by mobile soft tokens (sometimes called from a mobile application through an API). These software-only solutions are easier and cheaper to deploy, particularly if the target population is on smartphones, and a lot easier to patch in case of an attack. Interestingly, risk-based authentication is now asked about not only in the B2C context (which was a norm about a year ago), but also in the B2E context as well. Right now, end-user companies are thinking about:
How they can ditch hardware tokens altogether; and
How can they can move risk-based authentication, and increasingly authorization (fraud management), into the cloud.
As we speak to companies worldwide, many express their frustration with the cost and complexity of physical tokens. Our staple response is: "Oh yes, these solutions are hard to integrate and operate, but they provide the extra level of security required in an enterprise environment." However, today’s RSA SecureID breach goes against our typical advice and demonstrates that even the most hardened solution is vulnerable to insider threats – as it appears that the information leaked by (or social-engineered out of?) an RSA insider caused the security hole.
This situation draws attention to two basic themes that we are consistently hearing about:
Monitor your employees' activities and behavior patterns; and
Use lighter-weight authentication such as adaptive and risk-based authentication.
Both topics are areas we plan to discuss in greater depth this year. Please stay tuned for more reports from us on these topics!
IBM's Watson (natural language processing, deduction, AI, inference and statistical modeling all served by a massively parallel POWER7 array of computers with a total of 2880 processors with 15TB RAM) beat the greatest Jeopardy players in three rounds over the past 3 days — and the matches weren't even close. Watson has shocked us, and now it's time to think: What's in it for the security professional?
The connection is easy to see. The complexity, amount of unstructured background information, and the real-time need to make decisions.
Forrester predicts that the same levels of Watson's sophistication will appear in pattern recognition in fraud management and data protection. If Watson can answer a Jeopardy riddle in real time, it will certainly be able to find patterns of data loss, clustering security incidents, and events, and find root causes of them. Mitigation and/or removal of those root causes will be easy, compared to identifying them . . .
Quest is making aggressive moves to extend into the heterogeneous, non-Microsoft-centric land of identity and access management. After acquiring Voelcker Informatik for provisioning, Quest just announced the acquisition of e-DMZ, an enterprise-class, high-performance PIM appliance vendor. Novell (now Attachmate) acquired host access control specialist Fortefi, Oracle bought Passlogix (vGO-SAM), CA extended Access Control, and IBM integrated Encentuate's eSSO solution with ITIM as a service offering to manage privileged access. The remaining major PIM players like Cyber-Ark, Lieberman, and BeyondTrust will now face added client RFP scrutiny and price pressures from the competition. Forrester expects that new IAM entrants like Symantec/VeriSign, NetIQ (to compete with arch-rival Quest), or MSSPs will look at acquiring the remaining above vendors.
Mobile authentication is nothing new. SiteMinder, a prominent web access management tool, has been able to handle mobile browsers and sessions for at least 7-8 years. Some users complained of WAP and its limitations, but most could access information and log in to websites with minimal issues.
WAP is gone and it is now replaced by a multitude of devices: tablets, PDAs, smartphones, etc. With the proliferation of Splinternet, we are witnessing not only a boom of content, but also the need to limit access to sensitive applications and data not only from the device but also on the device. Authentication, authorization, and data protection challenges multiply as companies embrace the post-PC tablets, etc.
What do we see people asking about? From the enterprise security perspective, the biggest challenges seems to be protecting the data on the device, performing a remote wipe on a lost or stolen piece of equipment, and making sure corporate information is separated clearly from any private data. Writing mobile applications or designing mobile-capable and still rich, interactive web pages is no easy task either. Companies also wonder about how to deliver and (de)provision applications quickly and securely.
What do we see companies do? Sandboxing corporate data and mandating the use of remotely wipeable devices is the first step. Storing certificates and using transaction signature mobile authenticators to defend against stolen or compromised text messages with one-time passwords is a logical follow-on.
In a rather unsurprising move, Oracle acquired its longtime OEM partner of eSSO solutions, Passlogix. The sale has closed after a relatively long courtship – the eSSO market has been consolidating for a long time: Novell’s OEM agreement with ActivIdentity, IBM’s acquisition of Encentuate all signal IAM stack consolidation. Beyond the obvious — 1) eSSO integration with Oracle Access Manager and Oracle Adaptive Access Manager to integrate with web single sign on, 2) a multitude of second factor and adaptive authentication mechanisms using v-GO User Access Manager, and 3) using v-GO SSO’s screenscraping technology to create Oracle Identity Manager connectors to arcane, no-CLI systems — large tasks remain for Oracle: a) providing access management for mobile devices and b) getting to be a credible player in Privileged User Management (where Passlogix’s v-GO Shared Accounts Manager is a second-tier player).
How Authentication-as-a-Service becomes a part of leading IAM stacks and why virtualization is no longer a viable technology without identity and access management.
CA’s acquisition of Arcot signals that partnering with an adaptive authentication vendor is no longer enough to offer a comprehensive access management strategy: you’d also have to have an adaptive authentication product to allow your customers to retire costly physical tokens. But this is not the primary reason CA picked up Arcot. It is Arcot’s thriving hosted authentication and fraud management services that were the most lucrative assets to CA. Adaptive authentication is part of any organization’s fraud management strategy — however, CA’s inexperience here leaves a few questions to be answered. Will CA keep and grow Arcot’s fraud prevention service? If so, how will it integrate fraud management with IAM? The requirement for integration is clearly highlighted by Forrester’s conversations with its FinServ and other verticals’ customers.