Defining The Mobile Security Market

Tyler Shields
Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of technology descriptions being used by sales and marketing of the vendor offerings. What we considered “Mobile Device Management” yesterday has taken on shades of containerization and virtualization today.
Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and products that the enterprise requires to secure their mobile environment?
 
In an attempt to help the enterprise S&R professional understand the overlapping descriptions of mobile security products, I am working on new research that will help organize and quantify the market. Understanding the detailed state of each of the technology offerings in the market, and their potential impact on a five- to 10-year horizon, will help enterprises make more-educated purchasing decisions.
 
To begin the process of covering all of the technologies being offered today, I’ve divided the solutions in the space by technology type. Not only am I analyzing technologies that are available now, but I’m also researching any additional products, services, and vendors in the mobile security space that have innovative new concepts that they are bringing to bear. These new-age offerings will help shape the future of mobile security, and we need to get ahead of the concepts now if we wish to have a better understanding of the impact of the innovation.
 
 
Read more

RSA acquires Aveksa and finally joins the full-functionality IAM suites vendor party

Andras Cser

 

On July 1, 2013, RSA acquired Aveksa for an undisclosed sum. The Aveksa access governance solution, which includes access request management and approval, attestation, role mining and management, user account provisioning, identity administration and auditing will augment RSA's existing product lines for access control (RSA Access Manager, RSA Authentication Manager, RSA Federated Identity Manager, RSA Adaptive Federation, RSA Adaptive Directory, etc.). Short term, Aveksa will operate under its old management and will keep its OEM relationship with OneLogin for single sign-on into SaaS applications. Forrester expects that RSA will integrate its access management, VMware Horizon, and fraud management (SilverTail) product lines into a modern and full functionality IAM portfolio using risk and identity intelligence concepts -- and which will initially probably suffer from the growing pains that Dell's Quest IAM acquisition and Oracle's stack suffered from immediately after their IAM acquisitions. Forrester expects that long term, RSA also will revitalize and consolidate its access management portfolio, solidify its presence in the cloud IAM space (IAM as a SaaS offering), and offer the stack as a fully hosted option, similar to CA's CloudMinder.

What it means: After years of consolidation and vendors bailing out of the space (HP, BMC, etc.), we will have one more vendor to choose from in the complete, full-functionality IAM suites market. This will create greater competition and more innovation -- something we and our clients are particularly happy about.

Counter-Strike?

Rick Holland

On Monday the Wall Street Journal ran a story on hacking back titled, “Support Grows to Let Cybertheft Victims Hack Back.”  The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012.  Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback. 

The article explains, “… companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information." I hate to be the bearer of bad news, but for most organizations, once the data has left your environment the chances of you retrieving it are very slim. Your data has left the building and it isn’t going to “re-spawn.”  If you couldn’t prevent exfiltration of this data in the first place, what would make you think that you could prevent the subsequent exploitation of it?  

As I said back in January in my “Five Steps To Build An Effective Threat Intelligence Capability” report, “If you have a mature security program, you can consider counterintelligence operations, but leave the hacking back to governments and militaries.” 

There are many suggested strategies for dealing with the threat landscape. Hacking back should not be one. 

Read more

Want to win an iPad and get hardcore data on access recertification? Take the UBC-Forrester Access Recertification survey!

Andras Cser
Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?
 
Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of survey results. 
Here's what we offer for your participation:
 
Read more

XACML is dead

Andras Cser

Conversations with vendors and IT end users at Forrester's Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead or will be transformed into access control (see Quest APS, a legacy entititlement management platform based on BiTKOO, which will probably be morphed by Dell into a web SSO platform).

Here are the reasons why we predict XACML is dead:

Lack of broad adoption. The standard is still not widely adopted with large enterprises who have written their authorization engines.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage. 

PDP does a lot of complex things that it does not inform the PEP about. If you get a 'no, you can't do that' decision in the application from the PEP, you'd want to know why. Our customers tell us that this can prove to be very difficult. The PEP may not be able to find out from the complex PDP evaluation process why an authorization was denied.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEPs in a cloud environment where you only have a WAN link between a PDP and a PEP is not an option. 

Read more

Forrester’s 2013 Update To The Data Privacy Heat Map Shows Increasing Global Momentum Towards Data Protection Standards

Christopher Sherman

As data flows between countries with disparate data protection laws, firms need to ensure the safety of their customer and employee data through regulatory compliance and due diligence. However, multinational organizations often find global data privacy laws exceedingly challenging. To help our clients address these challenges, Forrester developed a research and planning tool called the Data Privacy Heat Map (try the demo version here). Originally published in 2010, the tool leverages in-depth analyses of the privacy-related laws and cultures of 54 countries around the world, helping our clients better strategize their own global privacy and data protection approaches.

Regulation in the data privacy arena is far from static. In the year since we last updated the heat map, we have seen many changes to how countries around the world view and enforce data privacy. Forrester has tracked and rated each of these 54 countries across seven different metrics directly within the tool. Among them, seven countries had their ratings change over the past year. Some of the most significant changes corporations are concerned with involve:

  • New national omnibus data privacy laws spanning private and/or public industry. Data privacy regulation, when looked at globally, forms a spectrum of maturity beginning with spotty industry or situation-specific laws all the way to omnibus frameworks. As you might expect, responsible corporations prefer to engage in business practices where the data privacy laws are clearly-defined and transparent. For instance, countries such as Brazil and China are in the process of moving towards potential omnibus laws which will replace a multitude of sectoral and situation-based laws. Other countries, such as Colombia and Singapore, have recently passed far-reaching omnibus laws, also replacing a patchwork of prior sectoral laws.
Read more

Adding social network, geolocation, IAM logs, text analytics and link analytics Big Data to the arsenal of Fraud Management

Andras Cser

A common theme during this week's SAS and FICO user conferences was how to use Big Data to make fraud decisions faster, more accurately and without impacting the customers in any negative way.

Big Data is basically about 3Vs: Volume, Velocity and Variety of data to gain veracity and value in fraud management. Volume and Velocity are nothing new: fraud management products have long been capable of analyzing terabytes of data in billions of transactions - in real time.

What's really new for Fraud Management about Big Data is Variety. Using all types of new information to make better decisions with lower false positive rates. The new data sources that are increasingly used in Fraud Management are:

  • Social network data. Has this user been writing about committing fraud on Facebook? After seeing how dumb some criminals can be, this data source is pretty important.
  • Geolocation of a mobile devices. The fraud management system should warn ahead of time if a user has been in the same location as the ATM when he/she used her ATM card to empty her bank account)
  • Identity and Access Management systems logs. The fraud management system should warn ahead of time if the authentication system in front of my customer facing system see any evidence of the user logging in from a risky geography or from a new device before the user emptied their bank online by making unauthorized transfers to a mule account)
  • Textual and unstructured data. The fraud management system should warn ahead of time if, for example, a medical provider or insurance adjustor is always using the same combination of terms of "suture removal" or "rear hit accident" in suspicious contexts or just in an excessively repeated way)
Read more

AP’s Twitter Hack: This Isn’t About Twitter’s Security Protocols, It’s About Yours

Nick Hayes

Let’s put it this way: social media and security don’t work together very well today. Marketing professionals who see social media as a vital communication channel view security as a nuisance, whereas Security pros view services like Facebook and Twitter as trivial pastimes that expose the business to enormous risk. The problem is, when it comes to social media, these two facets of the organization need to come to terms with each other – and this was clearly on display Tuesday when the Dow Jones briefly plummeted over 100 points due to false Tweets from AP’s hacked Twitter accounts that indicated President Obama had been injured by explosions at the White House.

This recent breach signifies two things: 1) the potentially damaging impact of social media is real and growing, and 2) companies today aren’t doing enough to mitigate the risks.

As social media becomes a legitimate source of news and information, the implications for inaccurate or inappropriate behavior continue to grow. Damaging or disparaging comments on Twitter (whether intended or not), can have a real impact on your business and the way customers view your company and brand. Companies need to do more to protect their organization from social media risk because:

Read more

Why the Samsung Galaxy S4 is important to watch for Fraud Management professionals?

Andras Cser

Well, we just saw Samsung launch its latest ubergizmo with tons of interesting features, like pause video playback at the blink of the eye. However, there is an important hardware feature of the Samsung Galaxy S4 to note here: finally a Near Field Communications (NFC) chip is embedded in the device (something that Apple left out of the iPhone 5), making it useful for mobile payments, building access control, and lots of other security uses. Issuers, payment services providers and trusted services managers have long been dreaming of mobile phones with NFC chips: not having to send plastic credit cards with EMV chips (or magstripes in the US) but being able to personalize the credit card right on the phone reduces card management costs, improves end user  satisfaction. There is nothing new here. But here's where NFC finally in a mainstream mobile phone can revolutionize fraud management:

1) GPS verification. So if you use it to make a card present transaction by touching your phone NFC credit card to a PayPass or other proximity based credit card reader, the payment authorization platform can immediately know where you are, correlate it with the riskiness of the location (country) and use your location to build a risk score. 

2) More factors and better capabilities for payment authentication. Instead or in addition to asking for a PIN code for transaction authentication, the payment processor can contact your registered phone and - based on risk - can ask for a PIN code signature, or secondary authentication like facial recognition or biometric retina vein recognition to authorize a higher value transaction.

3) Linking the NFC chip to an eWallet. This will be easier than ever before. If the NFC chip is initialized to be a credit card, the eWallet application can check for the presence of it and maybe even use it in a card present transaction. 

 

Collaborate With Your Non-Security Peers To See How Objectives Intersect (Hint: Mobile Context For Mobile Authentication)

Heidi Shey

“Enterprise rights management? What does that even mean?! You’re using security speak!” exclaimed my colleague TJ Keitt.

TJ sits on a research team serving CIOs, and covers collaboration software. We were having a discussion around collaboration software and data security considerations for collaboration. “Security speak” got in the way. It wasn’t the first time, and it will likely not be the last, but it is a good reminder to remember to communicate clearly using non security speak – and not just to fellow S&R pros, but to the rest of the business (in this case – the CIO) – to talk about what we really mean. That’s how collaboration starts.

Collaboration is also not just about S&R pros engaging the rest of the business to bring them into the security-minded fold, but to also listen and be aware of what’s bubbling up in other parts of the organization as it can have implications for security too. One of the more interesting examples that I see today come from the marketing side of the business, specifically those involved with strategies for customer experience and digital marketing. Mobile is huge (no surprise, right?), and is transforming how companies interact with customers. The future of mobile is all about context: 1) situation, 2) preferences, and 3) attitudes.

Read more