With Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation, we may actually feel that something in federated access management is going to change. It is finally not the case of a vendor proposing a new standard – and adding to the cacophony of federation standards – but a set of moves towards a simple technology that today can alleviate password management woes at service providers.
Technology aside, OpenID will greatly help with reducing and removing the legal obstacles in the way of identity federation’s proliferation. When payment-grade, commercial, and trusted identity provider service becomes a reality – VeriSign’s joining the OpenID camp clearly points in that direction – and software-as-a-service companies (like salesforce.com), accept OpenID authentication from these trusted identity providers, then enterprises can truly start thinking about outsourcing password management identity management processes. When required, strong authentication integration with OpenID can rely on VerSign’s VIP or other vendors’ strong authentication acceptance network.
The media yesterday (Wall Street Journal, Associated Press, Economist, etc.) were all over 31-year-old Jérôme Kerviel, the trader at France’s Société Générale who has apparently confessed to fraudulent trades resulting in an estimated loss of roughly $7.2 billion.
In further coverage, we hear that the bank has apologized to share holders, filed legal claims against Kerviel, and promised the public that the incident does not suggest any larger issues with the company’s risk management. The Wall Street Journal however, follows up with a story questioning the effectiveness of regulatory oversight that can let something like this transpire despite Société Générale’s claims that controls were adequately tested and did not fail.
The Foreign Corrupt Practices Act (FCPA) has been seemingly more newsworthy than usual recently (even impacting Hollywood elite), with somewhat conflicting accounts of the US cracking down on bribery both here and abroad, and the rationale for the US to accept some level of bribery for the sake of broader national interests.
The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story.In this case, it was the World Business Council for Sustainable Development’s article calling out Mattel’s “Epiphany at Christmas”.
The revelation: “If it's got your company's name on it, it's your problem.”
With CardSpace and Higgins being in nascant and almost non-existent market adoption mode, you may wonder what authentication features you want to be looking for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will use a computer to log in which has a keylogger or trojan capturing your keystrokes, and with it your username and password.
Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.
Smart cards / USB tokens (very costly, high level of security, great user inconvenience)
Hardware based solution that contains applications, PKI certificates used to authenticate to a site. These cards can include a magstripe for physical access management and RFID proximity sensors.
Great article this morning in the Wall Street Journal about Goldman Sachs’ performance during the credit meltdown. The company has expectations of record income this year, while competitors are faltering left and right.
There are three important issues in this story — and in the sub-prime crisis in general — that all good risk management professionals know, and should keep in mind as often as possible.
Compliance requirements of large enterprise customers are too complex to satisfy with organically grown role management software. As a result, it appears that the role management acquisition storm is starting. With BridgeStream acquired by Oracle and now Vaau by Sun, enterprise role maintenance is finally coming of age and will be part of Sun's Identity Management portfolio. Vauu's large number clients will continue to demand vendor agnostic solutions from RBACx, and although Sun has traditionally been one of the strongest players in the market of multi-OS vendors, it remains to be seen how Sun will handle the multiplatform challenge and keeping RBACx alive non-Sun operating systems. System integrators now have one less choice for picking an independent role magagement vendor. Eurekify, BHOLD, and Omada will likely now to receive acquisition offers from other large IAM suite vendors trying to complete their provisioning role management portfolio.
The consolidation of the IAM market is not a new phenomenon and has been following the following pattern: a large software company with a follower IAM product set acquires a smaller IAM vendor with a proven track record to update the IAM product and services portfolio and to secure increased market presence. The acquisition of Securent by Cisco is fairly different and highlights the following trends: 1) Entitlement Management is needed so much by the market that Cisco – even though it has not traditionally been a player in the IAM space – enters the market first with an Entitlement Management product. It is surprising, as only CA has an EM product today – all other IAM vendors are still trying to build their own as the other serious competitors on the EM market, BEA ALES is not for sale as a startup. 2) Entitlement Management may be moving (along with to IAM) to operations and to the network protocol level. In fact, Cisco intends to incorporate the Secucent EMS product into the policy engine of their SONA architecture. Policy Enforcement Points (PEP) are currently implemented at the application endpoint. With this acquisition, in the future customers can implement hybrid PEPs distributed between the network and the application, thus starting to move non-business policy logic into the infrastructure layer.
Backup is a struggle for both enterprises and small and medium businesses. It’s a complex ecosystem of backup software, networks, servers, disk arrays, and tape systems. Most companies report they are having difficulty completing backups in the time available and when backups fail or complete with errors, it’s often very difficult to discover the root cause. Couple those troubles with the fact that the amount of data that you need backed up is growing conservatively at 30% to 50% per year. Aside from these challenges, most companies are also interested in keeping backups longer for version history and companies are interested in the ability to perform much faster restores if they could.
Given the headaches associated with backup, many small and medium business and even some enterprises are choosing to outsource their backups all together to a service provider. There are already numerous players in the marketplace from Evault (which is resold by a number of different service providers) to Iron Mountain, to your telecommunication provider, and to emerging entrants such as Berkeley Data Systems and its Mozy service offering. This opportunity is so huge that even Symantec (which acquired Veritas) launched a beta of its own online backup service called the Symantec Protection Network. EMC’s acquisition of Berkeley Data Systems is just further proof that the online backup market is a huge opportunity.
I’m not usually one for ‘this-could-happen-to-you’ stories, but I’m still having trouble getting over last month’s story about grocery giant Tesco having to turn over 11 million emails to the UK’s Competition Commission for their investigation into possible anti-competitive practices against its suppliers.