Forrester's 26-criteria evaluation of managed security service providers (MSSPs) published today! The report focuses on the 13 most significant vendors in the North American market — AT&T, CenturyLink, CSC, Dell SecureWorks, HP, IBM, Leidos, SilverSky, Solutionary/NTT, Symantec, Trustwave, Verizon, and Wipro. This report details how well each vendor met our criteria and where they stand in relation to each other. This report will help you refine your selection criteria and choose the right partner for your outsourced security needs.
Cloud adoption has historically been hampered by security concerns. All of Forrester's research shows this to be the number one impediemtn to adoption. Forrester just finished evaluating four cloud platform providers on the depth and breadth of their security controls. This Forrester Wave™ evaluates four of the leading public clouds along 15 key security criteria evaluations to answer this question. The participating cloud services providers were: AWS, CenturyLink Cloud, IBM SoftLayer, and Microsoft Azure. This report details our findings about how well each vendor fulfills our criteria and where they stand in relation to each other, to help S&R professionals select the right public cloud partner with the best options for security controls and overall security capabilities.
For the past few months, we've been using our newsletter and podcast to highlight one of our analysts on Forrester's Security & Risk Team. This month, we decided to interview an S&R consultant. Todd Barnum is our consulting director, a two-time CISO, and a leading expert in information security governance, design, and operations! Click below to hear our consultant spotlight on Todd. If you're not signed up for our newsletters, I highly encourage you to do so; please email firstname.lastname@example.org for additional details.
To download the MP3 version of the podcast, please click here.
If you’re a security and risk leader, it’s either the best of times or the worst of times. Today, it feels as if not a week goes by without yet another revelation of a large scale cyberattack targeting a trusted corporate brand. Suddenly, business executives who used to avoid you want to be your best friend and are looking at security as an integral piece of the business technology agenda. Why the sudden corporate conviviality? Well, now when there is a major customer breach, it’s not just your job that’s on the line, it’s their job on the line as well - and potentially up to a $1 billion in corporate profits. This means that protecting customers’ data and preserving their privacy can no longer be limited to the CISO or chief privacy officer. In fact, if your company execs are smart, they’ll make it one of their top business and corporate social responsibilities in 2015 - and if they’re not, look for a new job, because you don’t want to be working there.
This is why we predict that in 2015 there will be:
We are in a golden age of data breaches - just this week, the United States Post Office was the latest casualty - and consumer attitudes about data security and privacy are evolving accordingly. If your data security and privacy programs exist just to ensure you meet compliance, you’re going to be in trouble. Data (and the resulting insights) is power. Data can also be the downfall for an organization when improperly handled or lost.
In 2015, Forrester predicts that privacy will be a competitive differentiator. There is a maze of conflicting global privacy laws to address and business partner requirements to meet in today’s data economy. There’s also a fine line between cool and creepy, and often it’s blurred. Companies, such as Apple, are sensitive to this and adjusting their strategies and messaging accordingly. Meanwhile, customers — both consumers and businesses — vote with their wallets.
We have even seen law enforcement documents on threat actors. In August, Mr. Su Bin, a Chinese national, was indicted for the theft of Boeing’s trade secrets. The criminal complaint regarding Su Bin’s activities became public in June and offers a fascinating perspective into espionage as a service.
EY has released its Global Information Security Survey 2014. The survey, published every year, focuses on the issues facing information security pros for the coming year. Many of the trends identified in the report are trends that Forrester has seen evolve in the past two years. At the same time, these trends are accelerating. I am one analyst that is reluctant to paint information security with the fear, uncertainty, doubt (FUD) brush, but after reading the EY report I am not sure that FUD is inaccurate. We live in challenging times and the EY report validates this assertion. For example the research shows:
Attack power on the part of adversaries continues to grow. The capabilities and attack power of the adversary are on the rise. Criminal syndicates, hacktivists, and state-sponsored attackers top EY's respondents' list of top attack sources. This is not surprising based on the level of political instability in the world and the financial gains cybercrime can provide criminal groups derived from cybercrime.
Organizations are in battle with outdated weapons and strategies. Business today is using a set of outdated strategies and technologies to combat adversarial groups that are well financed and supported using some of the best offensive technologies available. These groups are well trained in the use of social engineering and technical cyberattack craft.
Organizations continue to see a dissolution of the perimeter. Mobility, outsourcing, cloud computing, and third-party consulting agreements continue to poke holes in companies' perimeters. All of these issues point to the need of a more flexible defense that uses a variety of smart detection and protection methods.
Yesterday, Proofpoint announced it will acquire social risk and compliance (SRC) vendor Nexgate for approximately $35 million.
The Acquisition Signals The SRC Market Is Maturing
This acquisition points to a budding and rapidly evolving SRC market. With the proliferation of social media, organizations face a slew of emerging regulatory challenges, brand threats, and security vulnerabilities – just look at recent incidents with Cole Haan, Zarbee’s, US Airways, British Gas, among countless others, even including our own US military. While once a niche market helping financial services firms meet FINRA obligations, SRC solutions now offer more than just compliance support, helping organizations better manage today’s wide gamut of social risks with social threat detection, account protection, and risk monitoring.
Proofpoint Has To Prove The Sum Is Greater Than Its Parts
Last week Salesforce.com (SFDC) hosted its annual Dreamforce Conference in San Francisco, and for the first time, the cloud giant’s products could soon have some major implications in the governance, risk, and compliance (GRC) market.
Amidst the chaos of keynotes, partner sessions, guest speakers like Hilary Clinton, wil.i.am, Al Gore, and our very own George Colony, two of SFDC’s major announcements demonstrated how its new offerings and future strategy will position the company to compete in the very big business intelligence market:
As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering AD integration for a relatively long time), obviously this announcement is relevant because of AWS's broad presence in IaaS. We urge Forrester's clients that plan to use AWS AD service to ask AWS the following questions:
1. What safeguards are there to protect information (user, computer, etc.) in AWS AD?
2. How does AWS integrate in real time with on-premises AD and shared folder infrastructures?
3. What types of true identity management (access governance and provisioning) services does AWS offer to complement this new AD service?
Check AWS's blog entry at http://aws.amazon.com/blogs/aws/new-aws-directory-service/ for more details.