Zero Trust Identity: Go From "Identity-As-A-Service" To "IAM-As-An-API"

Eve Maler

I just love the theme of our upcoming Forrester Security Forum (Las Vegas in May, and Paris in June -- check out Laura Koetzle's definitive blog post). Leapfrog Your Global Competition. Rethink Security; Run At The Threat. There's never been a better time to take a deep breath and rethink how security can contribute to business savvy and agility. The "Zero Trust Identity" report I'd telegraphed in my previous post on API access control is now out, and it's consonant with this theme. I found that if enterprises want to be nimble and secure in getting value out of mobile, cloud, and consumerization trends, they're going to have to get over some bad "unextended enterprise" habits, such as tight coupling to authentication functions.

Read more

Communication And Coordination Should Be The Cornerstone Of Your BC Plan

Stephanie Balaouras

In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I’ve found that many organizations:

  • Don’t appreciate the importance of effective communication. Many organizations focus the content of their BC plans and the goals of their BC exercises on the details of recovery procedures but don’t focus on how they will contact and coordinate response teams, employees, partners, first responders and customers. If you can’t communicate, you can’t respond to anything.
  • Rely on manual procedures like call lists or email alone. By themselves, manual procedures are unreliable, they don’t scale for organizations with thousands of employees (or citizens) and they don’t provide any kind of reporting.
  • Underestimate the difficulty of communicating effectively under stress. During the incident is not the time to attempt to craft effective communication messages or look for a secondary mode of communication because your first mode of communication (land lines and email) is no longer available.
Read more

Calculating Breach Costs: An Accounting Problem For Risk Management Strategy

Edward Ferrara

Guest post from Researcher Heidi Shey.

Calculating the cost of a data breach should be a part of every organization’s information security risk management strategy. It’s not an easy task by any means, but making efforts to do so upfront — as opposed to after a breach, when calculating cost is the last thing on the to-do list! — for your organization can help to assess risk and justify security investments. But where does one begin, and what should be considered in cost estimates? There are the usual suspects, or direct costs, relating to discovery, response, notification, and damage control such as:

  • In-house time and labor (IT, legal, PR, incident response, call center, etc.)
  • New technologies or services implemented as a result of the breach to change or repair systems
  • External consultants or services for incident response
  • Credit monitoring services for customers
  • Regulatory fines
  • Legal fees or settlements
  • Cyber insurance
Read more

Nine Managed Security Services Providers (MSSPs) Compete In The North American Market

Edward Ferrara

After months of diligent vendor evaluations, last week we officially published The Forrester Wave: Managed Security Services: North America, Q1 2012. This report features our detailed analysis on nine of the top managed security services providers (MSSPs) offering a robust set of security services to their North American clients.

Through this process, we uncovered a market that we believe is currently ripe for a major disruption: market demand for managed security services (MSS) remains extremely strong, customer satisfaction is higher than we’ve seen in the past, and current MSSPs tend to compete on delivery, customer service, and cost.

This isn’t to say MSSPs all currently offer the same services with the same level of quality – not by a long shot. Selecting the right provider still means that you must understand your needs and the areas you feel they can enhance your security program the most. Each MSSP we evaluated has solid overall security capabilities, but has unique strengths in certain security areas and uses different deployment methods to bring its offerings to bear.

At the same time, however, we hear more decisions today come down to cost and execution, and as this becomes more commonplace, we begin to prepare ourselves for a shift in the market. In fact, we believe we’ll see significant changes over the next couple of years for three primary reasons:

Read more

Security Intelligence: Should We Send A Guy With A Gun Or A Wrench?

Andras Cser

We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior. One thing is clear: companies don't even *know* what kind of security (SIM, data, identity, email, etc.) information they should be inspecting to detect security threats and where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies - and when they see any changes to normal patterns, understand whether they should send a guy with a gun or a guy with a wrench. In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.

Security & Risk Professionals: Leapfrog Your Global Competition. Rethink Security; Run At The Threat.

Laura Koetzle

One of the highest-stakes parts of my job as the leader of our Security & Risk business is the in-depth business review that I present to Forrester’s executive team twice a year.  And I always start those presentations with a single slide in which I attempt to capture the Security & Risk profession in as few words as possible.  My current formulation is: “We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely.”

Our CEO, George F. Colony, sat bolt upright and said, “Wow – I didn’t know that CISOs saw their roles in such business-centric terms!”  To which I replied, “And that’s exactly the problem.  Strong CISOs are generally all action and very little talk – they put the brand and business opportunity at the center of everything they do, but they don’t brag about it.  And thus they don’t get the recognition they deserve.”

And my team and I are on a mission to help you change that.  Because we know that a strong security & risk program can be a competitive differentiator.  We can help our businesses win on the global stage by enabling our firms to accept more (and different!) risks than others can afford.  Rethinking your security assumptions and your security infrastructure means that you will have the skills, processes, and tools your business needs to seize new opportunities.  So now you just have to get the word out that you can help.

Read more

Don’t Forbid Employees From Using The Escalator, Give Them Reasons To Use The Stairs

Chris McClean

Guest post from Researcher Nick Hayes.

If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? This may change things, right? A couple of years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which they could change people’s behavior for the better by introducing an element of fun. In one example, they found that by adding a unique element to the stairs – transforming it into an interactive piano – they were able to increase staircase use by 66%. You can watch the short video here.

You can apply this same principle to your training and awareness programs -- find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Chris and I have been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors in the space the same question: “How are you influencing and promoting positive behavior?”

You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there’s no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.

Read more

Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

Andras Cser

Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ's IDM stack as a basis for their hosted offering solution.

Read more

The Psychology Of Bad News

Andrew Rose

Last night I stumbled across a documentary on BBC2 (content only available to UK residents – sorry!) about the human brain. One section talked about how the brain perceived risk issues – obviously an interesting topic for security folk!

A test subject was placed into a brain scanner and asked to estimate the likelihood of 80 different negative events occurring to him in the future – from developing cancer, to his house being burgled, to breaking a leg etc.  Once he had stated his opinion, the real likelihood was then displayed to him.

At the end of the 80 events, the process resets and the subject is presented with the same events and asked to, once again, state his perceived likelihood, although this time with some knowledge of the actual answers.

The results are surprising.

Where his initial response had been too pessimistic, the test subject adjusted his perception to align with the actual likelihood. However, where he had initially been too optimistic, his opinion remained largely unchanged by the facts! It was apparent that the brain proactively maintained a ‘rose-tinted’ view of the risks, accommodating a more optimistic view but shunning anything more negative.

The scientists argued that the brain did this for two main reasons:

1 – To minimise stress and anxiety, for the resultant health benefits; and

2 – Because an optimistic outlook helps drive success, support ambition and keep humanity striving for a better future.

Read more

A New Venn Of Access Control For The API Economy

Eve Maler

Cloud providers and many federated IAM practitioners are excited about OAuth, a new(ish) security technology on the scene. I’ve written about OAuth in Protecting Enterprise APIs With A Light Touch. The cheat-sheet list I keep of major OAuth product support announcements already includes items from Apigee, Covisint, Google, IBM, Layer 7, Microsoft, Ping Identity, and salesforce.com. (Did I miss yours? Let me know.)

OAuth specializes in securing API/web service access by a uniquely identified client app on behalf of a uniquely identified user. It has flows for letting the user explicitly consent to (authorize) this connection, but generally relies on authorizing the actions of the calling application itself through simple authentication. So does the auth part of the name stand for authentication, authorization, or what? Let’s go with “all of the above.”

However, OAuth is merely plumbing of a sort similar to the WS-Security standard (or, for that matter, HTTP Basic Authentication). It doesn’t solve every auth* problem known to humankind, not by a long shot. What other IAM solutions are popping up in the API-economy universe? Two standards communities are building solutions on top of OAuth to round out the picture:

Read more