Ice Dams And Identities: Remove Dams Before They Remove You

Merritt Maxim

This winter in Boston has been a record breaker. Bostonians are tired of the weather, while non-Bostonians are tired of hearing Bostonians complain about the weather. However, this never-ending winter provides a useful analogy for assessing your organization’s identity and access management (IAM) processes.

My analogy is based on two words that strike fear into many Boston-area homeowners: ice dams. Ice dams are ice structures that form on roofs, following heavy snowfall, that can cause leaks.[1]

Ice dams often dissipate naturally, but record snowfalls and persistent cold temps have exacerbated ice dams this winter.

Just as ice dams can cause leaks, “identity dams” can cause data leaks and other internal problems. Identity dams may result from reorganizations or may just be existing business processes, but they should be removed.

The challenge is overcoming complacency. Just as many homeowners hope ice dams will dissipate naturally, organizations delude themselves with “This is how we’ve always done it,” and conclude that therefore removing identity dams is not necessary. For complacent organizations, the worst case is having users become accustomed to complicated manual processes for requesting access to new applications, waiting weeks to get access to new applications, and having multiple passwords.

Organizations and homeowners should follow these three steps to minimize the potential damage caused by ice dams and identity dams:


Infosec On The Go: What Do Your Road Warriors Know About Cybersecurity?

Heidi Shey

Did I pack socks? Check. Toothbrush? Check. Business cards, phone charger, passport? Check, check, and check. Do I know what I need to do and what not to do to protect myself, my devices and the company’s data while I’m on the road and traveling for work? [awkward silence, crickets chirping]

S&R pros, how would employees and executives at your firm answer that last question? It’s an increasingly important one. Items like socks and toothbrushes can be replaced if lost or forgotten; the same can’t be said for your company’s intellectual property and sensitive information. As employees travel around the world for business and traverse through hostile countries (this includes the USA!), they present an additional point of vulnerability for your organization. Devices can be lost, stolen, or physically compromised. Employees can unwittingly connect to hostile networks, be subject to eavesdropping or wandering eyes in public areas. Employees can be targeted because they are an employee of your organization, or simply because they are a foreign business traveler.

So what to do? Rick Holland and I are conducting research now to produce a guide to security while traveling abroad. It’s going to provide guidance for S&R pros to better prepare your executives and employees for travel, including actions to take before, during, and after a trip. We’ll be looking at considerations for things like:

  • OPSEC. How to determine if employees are being targeted, the pros/cons of using burner equipment, the use of privacy screens on laptops, etc.

Android For Work Upends Multiple Markets

Tyler Shields

On February 25, 2015, Google publicly announced its latest functionality and updates to the Android OS, titled "Android for Work" (AFW). Some of the new functionalities include secure work profiles, secure personal information management, and an enterprise app store through "Google Play for Work." These new changes in AFW will impact businesses, the Android ecosystem, and the overall market in a far-reaching way. EMM vendors and enterprise EMM buyers must review these technology changes and understand how they will influence future product direction before making any purchases. It took just a few years for core MDM functionality to commoditize to a $0 price tag. I wonder how long until the advanced security components being folded into Android via AFW are also essentially free?

Read my latest report here to see how this announcement will upend multiple mobile and security markets: "QuickTake: Android For Work Upends Multiple Markets."

Market Overview: Cloud Data Protection

Andras Cser

Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial-strength solution) remains a key priority of CIOs, CISOs and architects.

In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. This report details trends and predictions in CDP, presents our findings on how each vendor is approaching CDP, and helps security and risk (S&R) professionals select the right partner for CDP.

You can find this market overview at https://www.forrester.com/Market+Overview+Cloud+Data+Protection+Solutions/fulltext/-/E-res120911


Analyst Spotlight Podcast With John Kindervag

Stephanie Balaouras

It's February: time for another S&R Analyst Spotlight Podcast! This month, Forrester VP, principal analyst, and Zero-Trust creator, John Kindervag, joins us. Listen in to learn more about John and his research. While you're at it, be sure to check out our First Look newsletter, which contains an interview with John along with links to his most recent and upcoming research. If you are not already signed up for our First Look newsletters, please email srfl@forrester.com. 

New to the podcast and want to hear more? Check out our past interviews with analysts Ed Ferrara, Heidi Shey, Renee Murphy, and Tyler Shields.


Application Security Technologies List

Tyler Shields

Roughly a year and a half ago I began a process of measuring the importance of technologies in the mobile security space. I'm currently beginning that same process for the application security market. Many technologies exist that provide business value to enterprises for the security of their applications, but which ones are better at delivering on the business value that the enterprise really wants? Have any of these technologies outlived their usefulness, falling to innovation and new ideas? Which technologies should the enterprise prioritize spending their limited security budget on? I hope to answer these questions and more!

I've identified nine distinct application security technologies that make up the application security market. (Link to additional details!) I'm sure there are technologies that I've missed and arguments to be made to remove something. As always, my research is significantly improved with your help!

If you are interested in participating in this research or have feedback on the technology list, respond via this web form, in the comments below, or via email / tweet to tshields@forrester.com (@txs).


Security Of Your Data Doesn't Matter To Smart Device Vendors At CES Tech West . . .

Tyler Shields

The CES Tech West Expo has a number of specific areas of coverage including fitness and health, wearables, connected home, family safety, and some young innovative companies located in the startup area of the section. I spent a few hours interviewing and discussing the Internet of Things (IoT) with as many vendors as I could find. I had many good laughs and shed a few tears during the process. To describe the process, the general communication would go something like this:

Me: "Can you point me at the most technical person you have at your booth? I'd like to talk about how you secure your devices and the sensitive / personal data that it accesses and collects."

Smartest tech person at the booth: "Oh! We are secure; we [insert security-specific line here]."

Me: "Never mind . . ." (dejected look on my face).


Just When We Thought Santa Forgot To Put CISOs On His “Nice List,” Along Comes The Sony Breach

Stephanie Balaouras

Security pros got the Target breach for Christmas last year. The breach hit the retailer during its busiest time of the year and cost them millions in lost business. For security pros desperate for more budget and business prioritization, you couldn’t have asked for a more perfect present - it’s as if Santa himself came down the chimney and placed a beautifully wrapped gift box topped with a bow right under your own tree. This year it looked as if all we were getting was a lump of coal - but then Sony swooped in to save us like a Grinch realizing the true meaning of Christmas.

The Sony Pictures Entertainment (SPE) breach is still unfolding, but what we know so far is that a hacktivist group calling themselves the Guardians of Peace (GoP) attacked Sony in retribution for the production of a movie, “The Interview,” which uses the planned assassination of North Korea’s leader as comedic fodder. The hacktivists supposedly stole 100 TBs of data that they are gleefully leaking bit by bit (imagine Jingle Bells as the soundtrack). The attack itself affected the availability of SPE’s IT infrastructure, forcing the company to halt production on several movies.

Are Corporations Getting More Responsible? Risk Management And Customer Obsession Are Pushing Them To

Chris McClean

Casual spectators of business behavior can't help being jaded; every day they see news stories about corporate fraud, security breaches, delayed safety recalls, and other sorts of general malfeasance. But what they don't see is the renewed time and investment companies around the world are putting toward implementing and reporting on responsible behavior (this less sensational side of the story gets far less coverage).

This week, Nick Hayes and I published an exciting new report, Meet Customers' Demands For Corporate Responsibility, which looks at the corporate responsibility reporting habits of the world's largest companies. While it's easy to think that the business community is as dirty as ever, we actually found a substantial increase over the past 6 years in what these companies included in their CSR and sustainability reports.


Happy Birthday Angry Birds! Thanks For The (In)Security!

Tyler Shields

Image Source: http://www.jbgnews.com/2014/09/angry-birds-developer-rovio-entertainment-struggling/430304.html

We’ve all done it. We've spent hours flinging birds at pigs, only to be frustrated with that one little piggy that got away. We can all thank the phenomenon “Angry Birds” for this wonderful experience. Today marks the fifth birthday of the release of the original Angry Birds. Since its release, the highly successful mobile game creator Rovio has gone on to sell hundreds of millions of dollars of mobile apps, licenses, and merchandise, amassing $216M in revenue in 2013 alone. Who knew that a simple change in game mechanics could gain such a cult foothold with the public? From a business perspective, the team at appfigures did a great write-up on the history of the franchise, along with its successes and failures in the eyes of the public. If you’re interested in the business life cycle of apps in the public app store, I highly recommend you go read their research: Angry Birds Turns Five: What We Can Learn From The Franchise’s Success.
