It has been a busy few weeks of news for whistleblowers. Earlier this month, former Merck sales manager H. Dean Steinke was awarded $68 million of the roughly $400 million recovered by states and federal agencies when the company settled a lawsuit he brought against it seven years ago. (This was part of a larger $671 million Merck paid to settle complaints of overcharging government health plans and offering inappropriate incentives to doctors to prescribe its products.)
While a number of whistleblowers have been lauded by the press over the years, Steinke’s $68 million presents the possibility of more tangible incentives to those aspiring to expose corporate crimes. Other recent, related news includes:
- Court extends SOX whistleblower protection. Last week, a US District Court judge in New York found that whistleblower protection under the Sarbanes-Oxley Act applies to employees outside the United States, helping empower virtual armies of international employees that may have something to report.
It’s official, the future of information management and infrastructure is software as a service (SaaS). Today, Dell announced its intent to acquire the powerhouse in email continuity and archiving, MessageOne. This acquisition will give Dell the cornerstone that it needs to build out its own suite of SaaS offerings. Dell clearly didn’t want to be left out of race as it watched Iron Mountain successfully building out its SaaS offerings and watched its competitors and partners complete significant acquisitions in the market including Seagate Services’ acquisition of Evault, EMC’s acquisition of Mozy and IBM’s recent acquisition of Arsenal Digital Solutions. Then there’s Symantec who is building out its Symantec Protection Network.
With Google, IBM, Microsoft, VeriSign, and Yahoo! joining the OpenID Foundation, we may actually feel that something in federated access management is going to change. It is finally not the case of a vendor proposing a new standard – and adding to the cacophony of federation standards – but a set of moves towards a simple technology that today can alleviate password management woes at service providers.
Technology aside, OpenID will greatly help with reducing and removing the legal obstacles in the way of identity federation’s proliferation. When payment-grade, commercial, and trusted identity provider service becomes a reality – VeriSign’s joining the OpenID camp clearly points in that direction – and software-as-a-service companies (like salesforce.com), accept OpenID authentication from these trusted identity providers, then enterprises can truly start thinking about outsourcing password management identity management processes. When required, strong authentication integration with OpenID can rely on VerSign’s VIP or other vendors’ strong authentication acceptance network.
The media yesterday (Wall Street Journal, Associated Press, Economist, etc.) were all over 31-year-old Jérôme Kerviel, the trader at France’s Société Générale who has apparently confessed to fraudulent trades resulting in an estimated loss of roughly $7.2 billion.
In further coverage, we hear that the bank has apologized to share holders, filed legal claims against Kerviel, and promised the public that the incident does not suggest any larger issues with the company’s risk management. The Wall Street Journal however, follows up with a story questioning the effectiveness of regulatory oversight that can let something like this transpire despite Société Générale’s claims that controls were adequately tested and did not fail.
The Foreign Corrupt Practices Act (FCPA) has been seemingly more newsworthy than usual recently (even impacting Hollywood elite), with somewhat conflicting accounts of the US cracking down on bribery both here and abroad, and the rationale for the US to accept some level of bribery for the sake of broader national interests.
The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story.In this case, it was the World Business Council for Sustainable Development’s article calling out Mattel’s “Epiphany at Christmas”.
The revelation: “If it's got your company's name on it, it's your problem.”
With CardSpace and Higgins being in nascant and almost non-existent market adoption mode, you may wonder what authentication features you want to be looking for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will use a computer to log in which has a keylogger or trojan capturing your keystrokes, and with it your username and password.
Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.
Smart cards / USB tokens (very costly, high level of security, great user inconvenience)
Hardware based solution that contains applications, PKI certificates used to authenticate to a site. These cards can include a magstripe for physical access management and RFID proximity sensors.
Great article this morning in the Wall Street Journal about Goldman Sachs’ performance during the credit meltdown. The company has expectations of record income this year, while competitors are faltering left and right.
There are three important issues in this story — and in the sub-prime crisis in general — that all good risk management professionals know, and should keep in mind as often as possible.
Compliance requirements of large enterprise customers are too complex to satisfy with organically grown role management software. As a result, it appears that the role management acquisition storm is starting. With BridgeStream acquired by Oracle and now Vaau by Sun, enterprise role maintenance is finally coming of age and will be part of Sun's Identity Management portfolio. Vauu's large number clients will continue to demand vendor agnostic solutions from RBACx, and although Sun has traditionally been one of the strongest players in the market of multi-OS vendors, it remains to be seen how Sun will handle the multiplatform challenge and keeping RBACx alive non-Sun operating systems. System integrators now have one less choice for picking an independent role magagement vendor. Eurekify, BHOLD, and Omada will likely now to receive acquisition offers from other large IAM suite vendors trying to complete their provisioning role management portfolio.
The consolidation of the IAM market is not a new phenomenon and has been following the following pattern: a large software company with a follower IAM product set acquires a smaller IAM vendor with a proven track record to update the IAM product and services portfolio and to secure increased market presence. The acquisition of Securent by Cisco is fairly different and highlights the following trends: 1) Entitlement Management is needed so much by the market that Cisco – even though it has not traditionally been a player in the IAM space – enters the market first with an Entitlement Management product. It is surprising, as only CA has an EM product today – all other IAM vendors are still trying to build their own as the other serious competitors on the EM market, BEA ALES is not for sale as a startup. 2) Entitlement Management may be moving (along with to IAM) to operations and to the network protocol level. In fact, Cisco intends to incorporate the Secucent EMS product into the policy engine of their SONA architecture. Policy Enforcement Points (PEP) are currently implemented at the application endpoint. With this acquisition, in the future customers can implement hybrid PEPs distributed between the network and the application, thus starting to move non-business policy logic into the infrastructure layer.