The Forrester Blog For Security & Risk Professionals
This blog is a roll-up of all the posts from analysts who serve Security & Risk Professionals. Individual analyst blogs are listed below. Visit Forrester.com to learn how we make Security & Risk Professionals successful every day.
Moody’s recently launched their Vendor Information Risk (VIR) ratings service. The main objective of this service is to reduce the overall burden of conducting risk assessments for organizations, as well as their service providers. The whole idea being that if Moody’s can do a risk assessment on behalf of multiple subscribers, it can make the assessment process a lot more efficient. The service provider will not have to go through multiple assessments and the subscribers will share the cost, and therefore have a much lower price point.
Many CISOs I talk to are sick of performing third party risk assessments; it takes up valuable time, is expensive, and most importantly, pulls resources away from doing actual security work within the company. On the other hand service providers are also having a hard time keeping up with these assessments. A compliance manager at a large service provider estimated that they responded to over 300 audit requests in 2007, and that number would be around 400 in 2008. Thus, a service like this could potentially save millions of dollars for service providers and subscribers.
On May 12th, 2008 VMware announced that nine storage replication vendors have tested and certified their technology with VMware’s long awaited Site Recovery Manager (SRM) offering. SRM is an important step forward in DR (DR) preparedness because it automates the process of restarting virtual machines (VM) at an alternate data center. Of course, your data and your VM configuration files must be present at the alternate site, hence the necessary integration with replication vendors. SRM not only automates the restart of VMs at an alternate data center, it can automate other aspects of DR. For example, it can shutdown other VMs before it recovers others. You can also integrate scripts for other tasks and insert checkpoints where a manual procedure is required. This is useful if you are using the redundant infrastructure at the alternate data center for other workloads such as application development and testing (a very common scenario). When you recover an application to an alternate site, especially if your redundant infrastructure supports other workloads, you have to think about how you will repurpose between secondary and production workloads. You also have to think about the entire ecosystem, such as network and storage settings, not just simply recovering a VM.
Essentially, VMware wants you to replace manual DR runbook with the automated recovery plans in SRM. It might not completely replace your DR runbook but it can automate enough of it. So much so that DR service providers such as SunGard are productizing new service offerings based on SRM.
The number of pure-play vendors in user account provisioning decreased on April 7, 2008 when Hitachi announced that it acquired M-Tech Information Technology, and changed the name to Hitachi ID. Although Hitachi has been lacking an identity and access management (IAM) pedigree, this move can prove important due to the following reasons: 1) Using IAM for provisioning of physical resources and hardware resources. 2) Extending enterprise role definitions to previously uncharted verticals and cultures. 3) Evangelizing user account provisioning and IAM in Japan and other APAC regions. 4) Hitachi becoming a major player in Japanese SOX (JSOX) implementation.
Needless to say, the above will hinge on Hitachi's ability to retain and grow the existing customer base of M-Tech IT in North America and Europe, and also on Hitachi's ability to compete against EMC's selling of Courion and RSA products. How Hitachi will create an access and adaptive access management (Web and desktop) portfolio to complement its identity management and provisioning portfolio also remains to be seen.
Overarching causes described in the report are not surprising; control failures, an overly aggressive focus on short-term growth, and excessive risk taking are among the high level issues addressed. Also in the report, however, are scores of more detailed explanations of control failures in more than 20 different categories. Specific problems on the list include:
On April 18th, IBM announced its intent to acquire virtual tape library (VTL) and deduplication vendor Diligent Technologies. For IBM, Diligent is a good fit. The company offers both mainframe and open systems virtual tape libraries and they are a pioneer of deduplication. However, IBM already offers a market leading mainframe VTL based on its own intellectual property and an open systems VTL based on FalconStor technology — although the open systems VTL has very limited adoption — so there is also a lot of overlap. Because Diligent is a software solution, IBM can quickly integrate Diligent with any of its storage systems and bring new VTLs to market relatively quickly. It’s very likely that IBM will in fact pursue this route so it can bring an inline deduplicating VTL to market as quickly as possible.
On April 10, 2008, IBM announced its intent to acquire FilesX, a small startup that offers server-based replication and continuous data protection technology. The acquisition will become part of the Tivoli Storage Manager (TSM) family of products.
This acquisition will help IBM Tivoli fill a gap in their current portfolio of offerings for data protection. The vendor currently offers Tivoli Storage Manager (TSM), which is one of the leading enterprise-class backup software applications, and Tivoli Continuous Data Protection for Files, a product mostly used to protect PCs. In addition to traditional backup to tape or disk, TSM can also manage Microsoft Virtual Snapshots (VSS) and its own IBM storage-based snapshot technology in support of instant restore or snapshot assisted backup. But the company didn’t really have an offering for customers who wanted something that was better than backup but not as expensive as storage-based replication, this is where FilesX comes in. With FilesX, IBM can now address the recovery requirements of small enterprises that can’t afford storage-based replication. They can also meet the recovery requirements of large enterprises that want to protect more servers within their company with a more affordable replication offering as well as servers at the remote office.
IBM acquired Encentuate for an undisclosed sum. This underscores the validity of Forrester's prediction that the enterprise single sign-on (E-SSO) market in identity and access management (IAM) will grow from E-SSO's $250 million in 2006 to $2 billion in 2014 - a CAGR of 28.5%. What are the likely implications of this acquisition in the E-SSO marketplace?
1. After CA and Novell, now IBM will have a fully integrated IAM suite in which E-SSO will be first acquired, but later an organically grown product offering - provided that IBM is successful with integrating not only technologies, but the Encentuate engineering, support, and sales resources. Past experience with similar acquisitions show that this often sounds easier than it actually is.
2. Other E-SSO vendors (ActivIdentity and especially Passlogix) will lose some of their market share and will need to ramp up investment in product development to be able to keep their leading edge in product functionality.
Overall, IBM's move signals that E-SSO has become a mature and viable technology which - in conjunction with user account provisioning - will continue to drive the IAM market growth.
Ping Identity announced that it acquired Sxip Access for an undisclosed sum. The rationale of the acquisition is to allow Ping Identity's products to meet enterprise-wide, typically SSO challenges. This is important to be able to further extend Ping's market share with software-as-a-service providers. Is it a breakthrough? Hardly. Questions still remain as to how major enterprises can integrate Ping Identity's new extended product line with an existing infrastructure in identity management and provisioning. Forrester increasingly sees broken ladder steps in the progression from the SMB market to the enterprise market for those identity and access management (IAM) vendors that have incomplete IAM product lines. Ping Identity still needs to make substantial investments to build an IAM suite, or forge strategic partnerships with pure-play provisioning and role vendors to successfully compete long-term in the IAM arena of large vendors.
One of the most substantial trends we expected to see in governance, risk, and compliance in 2008 is the tightening of regulations in response to major risk management failures. Yesterday, we saw a clear example of that, as the US Senate approved a bill that would nearly double the size of the Consumer Product Safety Commission, largely in response to the massive toy recalls that took place last year.
Also this week, the UK’s Medicines and Healthcare Products Regulatory Agency showed signs of cracking down on disclosure of drug trial results after problems persisted with certain anti-depressant drugs in relation to teenage suicide (even though criminal charges will not be filed).
The sub-prime issue may likely be the next major target for legislative changes, although most discussion seems to be focused on consumer protection at this point, not tighter control over lenders.
This article in GSN caught my attention on the proposed IT budget numbers released by OMB (Office of Management and Budgets). The 10% spending on cyber-security may seem surprising to some, especially when compared to an average 8% of IT spend in the commercial sector across North America and Europe. As many of us have seen stagnation in our security budgets, the US government has increased its cyber-security budget by a whopping 73% since 2004. The media has picked up on things such as DOT (Department of Transportation) more than doubling its budget while DHS (Department of Homeland Security) had less than a 5% increase, they don’t have their priorities right or that we should fund federal agencies based on how well they do on FISMA. These numbers may seem a little out of whack, but here is why I think the US government is headed in the right direction.