What do Britney, McCain, Obama, and Clinton have in common?

They have all been the subject of recent news stories which highlight the difference and the challenges between corporate security and privacy. All of the presidential candidates had their passport files improperly accessed by independent contractors who did not have authorization to access their information. Britney Spears' medical files were also inappropriately read during her most recent hospital stay. Heads have rolled at both organizations in response to the improprieties.

I've written research here at Forrester to show how privacy and security are related but different issues. All of these cases show how data privacy requires not just technology, such as access control systems, but also employee training and enforcing consequences for bad behavior. Privacy and security teams need to work together to ensure that they aren't leaving a gaping hole between them where an authorized user or intruder can bypass their systems.


CeBIT 2008: Green Security?

Green IT was the key topic at the 2008 CeBIT, Europe’s biggest IT trade show, held annually in Hanover, Germany (http://www.cebit.de). Great! Green giants like IBM and Microsoft, and also some public entities with junglesque floor representations, were pushing the environmental aspects of IT, mostly in noisy public announcements and glossy press material. A closer look at what exactly was featured on the floor revealed a different truth: underneath the green mantle, most of CeBIT featured high-powered, watt-hungry, fast-paced computing equipment, often assisted by sports cars, stretch limos, etc. when being presented on the floor. So much for Green IT.


IBM Acquires Encentuate

IBM acquired Encentuate for an undisclosed sum. This underscores the validity of Forrester's prediction that the enterprise single sign-on (E-SSO) market in identity and access management (IAM) will grow from E-SSO's $250 million in 2006 to $2 billion in 2014 - a CAGR of 28.5%. What are the likely implications of this acquisition in the E-SSO marketplace?

1. After CA and Novell, now IBM will have a fully integrated IAM suite in which E-SSO will be first an acquired, but later an organically grown, product offering, provided that IBM is successful with integrating not only technologies, but also the Encentuate engineering, support, and sales resources. Past experience with similar acquisitions shows that this often sounds easier than it actually is.

2. Other E-SSO vendors (ActivIdentity and especially Passlogix) will lose some of their market share and will need to ramp up investment in product development to be able to keep their leading edge in product functionality.

Overall, IBM's move signals that E-SSO has become a mature and viable technology which - in conjunction with user account provisioning - will continue to drive the IAM market growth.

Surveillance Best Practices

This week the Office of the Privacy Commissioner of Canada put out guidelines for respecting the privacy of employees, customers, and potential passers-by when using video surveillance. Occasionally, our team here at Forrester is asked about physical security measures which can fall outside our area of expertise. Other times, such as the following best practices, the suggestions are a specific example of the steps one should think through for a privacy impact assessment. In fact, many times when a client has questions about best practices for privacy in business, I will recommend following the guidelines from Canada because they are leaders in the area. If you are using video surveillance, here are their universal recommendations and guidance for doing so in a privacy-respecting manner.



Ping Identity acquires Sxip Access

Ping Identity announced that it acquired Sxip Access for an undisclosed sum. The rationale of the acquisition is to allow Ping Identity's products to meet enterprise-wide challenges, typically SSO. This is important to be able to further extend Ping's market share with software-as-a-service providers. Is it a breakthrough? Hardly. Questions still remain as to how major enterprises can integrate Ping Identity's new extended product line with an existing infrastructure in identity management and provisioning. Forrester increasingly sees broken ladder steps in the progression from the SMB market to the enterprise market for those identity and access management (IAM) vendors that have incomplete IAM product lines. Ping Identity still needs to make substantial investments to build an IAM suite, or forge strategic partnerships with pure-play provisioning and role vendors to successfully compete long-term in the IAM arena of large vendors.

Legislators to the rescue

One of the most substantial trends we expected to see in governance, risk, and compliance in 2008 is the tightening of regulations in response to major risk management failures. Yesterday, we saw a clear example of that, as the US Senate approved a bill that would nearly double the size of the Consumer Product Safety Commission, largely in response to the massive toy recalls that took place last year.

Also this week, the UK’s Medicines and Healthcare Products Regulatory Agency showed signs of cracking down on disclosure of drug trial results after problems persisted with certain anti-depressant drugs in relation to teenage suicide (even though criminal charges will not be filed).

The sub-prime issue may likely be the next major target for legislative changes, although most discussion seems to be focused on consumer protection at this point, not tighter control over lenders.
