Active Directory Moving To The Cloud?

Andras Cser

We hear a lot about cloud IAM vendors offering metadirectories or user repositories in the cloud. We predict that in 1-2 years we'll see AD being moved from on-premises installations into cloud based services. This has a benefit of simpler provisioning, higher availability, muc, much easier support for federation both into SaaS applications and with business partners. Today the only technical difficulty is latency of access to AD in the cloud from on-premises applications, but we believe this will be resolved by some type of customer premises equipment (much like the reverse of Symplified's Identity Router today).  Moving AD into the cloud will also have a huge impact on reducing the cost of AD management and improving delegated administration by providing easy-to-use web interfaces.

Business Continuity Standards Don’t Matter -- But They Should

Stephanie Balaouras

The current state of business continuity management (BCM) standards? Abysmal. According to a joint Forrester/DRJ study, 69% of respondents said that British Standard (BS) 25999 did not influence or only somewhat influenced BCM at their company. It’s not much better for NFPA 1600, 70% of respondents said that it did not, or only somewhat, influenced BCM at their company. I find this shocking. BS 25999 is one of the most widely recognized standards for BCM worldwide and NFPA 1600 has been popular in the US for years. In addition, the U.S Department of Homeland Security’s Private Sector Preparedness Program (PS‑Prep) recognizes both of these standards for assessing preparedness. If you’re wondering what standards respondents named in the “Other” category, it was mostly the Federal Financial Institutions Examination Council (FFIEC) and NIST. Not surprising but also a little disheartening, it’s clear that unless compelled to do so, most BC professional would not adopt or follow a BCM standard.

 

 

 

 

 

 

 

 

 

 

 

 

Even if you don’t intend to certify to these standards, they should strongly influence your BCM program. Why? It’s because:

  • They provide a foundation and a common vocabulary for BCM best practices and processes. This is important if you need to implement BCM across a geographically dispersed enterprise or you have to work with a multitude of global partners on joint preparedness.
Read more

Communication And Coordination Should Be The Cornerstone Of Your BC Plan

Stephanie Balaouras

In a recent Forrester/DRJ joint survey on BC preparedness, of organizations that have invoked a BC plan in the last five years, 37% said that their BC plans had not adequately addressed communication. In my experience, I’ve found that many organizations:

  • Don’t appreciate the importance of effective communication. Many organizations focus the content of their BC plans and the goals of their BC exercises on the details of recovery procedures but don’t focus on how they will contact and coordinate response teams, employees, partners, first responders and customers. If you can’t communicate, you can’t respond to anything.
  • Rely on manual procedures like call lists or email alone. By themselves, manual procedures are unreliable, they don’t scale for organizations with thousands of employees (or citizens) and they don’t provide any kind of reporting.
  • Underestimate the difficulty of communicating effectively under stress. During the incident is not the time to attempt to craft effective communication messages or look for a secondary mode of communication because your first mode of communication (land lines and email) is no longer available.
Read more

Security Intelligence: Should We Send A Guy With A Gun Or A Wrench?

Andras Cser

We are kicking off research on security and identity intelligence, which is about understanding risk and detecting abnormal behavior.  One thing is clear: companies don't even *know* what kind of security (SIM, data,  identity, email, etc.) information they should be inspecting to detect security threats and where they should start eating the giant elephant of risk. They clearly need intelligent and automated systems to establish what a normal baseline means in user behaviors and events and then alert on any anomalies - and when they see any changes to normal patterns, understand whether they should send a guy with a gun or a guy with a wrench.  In this research (which will also be the topic of my Security Forum keynote speech) we will look at the interdisciplinary areas between enterprise fraud management, risk based authentication, data protection and identity management. I want to hear about your concerns, issues, and early case studies/solutions in this area.

Security & Risk Professionals: Leapfrog Your Global Competition. Rethink Security; Run At The Threat.

Laura Koetzle

One of the highest-stakes parts of my job as the leader of our Security & Risk business is the in-depth business review that I present to Forrester’s executive team twice a year.  And I always start those presentations with a single slide in which I attempt to capture the Security & Risk profession in as few words as possible.  My current formulation is: “We protect our company’s brand – and our Security & Risk program allows our company to pursue new business opportunities safely.”

Our CEO, George F. Colony, sat bolt upright and said, “Wow – I didn’t know that CISOs saw their roles in such business-centric terms!”  To which I replied, “And that’s exactly the problem.  Strong CISOs are generally all action and very little talk – they put the brand and business opportunity at the center of everything they do, but they don’t brag about it.  And thus they don’t get the recognition they deserve.”

And my team and I are on a mission to help you change that.  Because we know that a strong security & risk program can be a competitive differentiator.  We can help our businesses win on the global stage by enabling our firms to accept more (and different!) risks than others can afford.  Rethinking your security assumptions and your security infrastructure means that you will have the skills, processes, and tools your business needs to seize new opportunities.  So now you just have to get the word out that you can help.

Read more

Don’t Forbid Employees From Using The Escalator, Give Them Reasons To Use The Stairs

Chris McClean

Guest post from Researcher Nick Hayes.

If you had to go up one level in a train station, would you take the stairs or use the escalator? Most people would choose the escalator. But what if the staircase played musical notes like an interactive piano? This may change things, right? A couple of years ago, Volkswagen began sponsoring an initiative called The Fun Theory that tested the degree to which they could change people’s behavior for the better by introducing an element of fun. In one example, they found that by adding a unique element to the stairs – transforming it into an interactive piano – they were able to increase staircase use by 66%. You can watch the short video here.

You can apply this same principle to your training and awareness programs -- find your own piano staircase, and use it to begin guiding people to choose the right thing on their own. Chris and I have been working on a report that stresses the importance of organizational culture in the development of risk and compliance programs. Throughout the research process, we asked risk and compliance professionals and vendors in the space the same question: “How are you influencing and promoting positive behavior?”

You can create new technical controls and policies, and you can require employees to sign attestations all day, but these efforts have minimal value (or worse) when there’s no positive reinforcement. When compliance and risk management are considered obligatory tasks, rather than meaningful efforts that the company values, it diminishes the perceived importance of ethical behavior.

Read more

Blending Cloud IAM Delivery Flavors: Convergence Of In-House And IAM Suite Offerings

Andras Cser

Today we see two basic flavors of cloud IAM. One archetype is the model offered by Covisint, VMware Horizon, Symplified, Okta, OneLogin, etc.: these vendors provide relatively tight integration, but less capable identity services based on their respective firm's own intellectual property. Because of the above, these offerings clearly have a short implementation time. The other camp of vendors believes in providing hosted services of "legacy" IAM products: CA Technologies coming out with CloudMinder, Lighthouse adding their own IP to IBM TIM/TAM, Simeio Solutions blending OpenAM and Oracle's identity stack with their own secret sauce, and Verizon Business using NetIQ's IDM stack as a basis for their hosted offering solution.

Read more

How To Survive And Thrive At #SXSW If You’re Not From Texas

John Kindervag

I’ll be in Austin, TX this weekend to participate in South-by-Southwest Interactive. My panel “Big Data Smackdown on Cybersecurity” will be held Sunday, March 11 from 12:30PM - 1:30PM at the Austin Hilton Downtown. Hope to see you there.

Now, I wasn’t born in Texas, but I got here as soon as I could. I’ve lived in Dallas, TX for 30 years so I consider myself an adopted native-Texan. I’ll be at South-by-Southwest Interactive this weekend, so I thought I’d share some tips for all my current and future friends. For those of you from out-of-state – known as furriners – I hope you’ll find this advice helpful.

You’re coming to a foreign country.

Read more

An Unexpected RSA Encounter

Rick Holland

Last Friday, after a long week of RSA conference events and meetings, I eagerly looked forward to slipping on my headphones and enjoying the relative silence of my flight back to Dallas. As I approached my seat, I saw I was sitting next to a United States Air Force (USAF) officer. I looked at his rank and saw two stars on his uniform, making him a major general. I had a sudden sense of nostalgia and I instinctively wanted to salute him. I resisted the urge, introduced myself, and thanked him for his service.

Over the next two hours I had the most unexpected and fascinating conversation of my RSA week. It turned out that my fellow traveler is the commanding officer of the Air Force Research Laboratory (AFRL). According to the website, the AFRL is “the Air Force’s only organization wholly dedicated to leading the discovery, development, and integration of war fighting technologies for our air, space, and cyberspace forces.” We discussed a variety of open source topics, including electromagnetic pulse weapons, cyberweapons, Stuxnet, unmanned aerial vehicles, USAF renewable energy initiatives, as well as national policy.

Read more

Lies, Damn Lies, Security Metrics, And Baseball

John Kindervag

The legendary British Prime Minister Benjamin Disraeli is said to have noted that “There are lies, damn lies, and statistics.” Much of the technology world is focused on statistics and metrics. You’ve often heard it said, “If I can’t measure it, it doesn’t exist.” Known as the McNamara fallacy — named after the business tycoon turned Vietnam-era Secretary of Defense — this famous idea failed miserably as a strategy. While it sounds good to the CEO’s ears, there is a corollary bubbling up below him that implicitly states that “If my boss wants to measure something that doesn’t exist, then I’ll invent it!”

Read more