With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how to deal with the pressure.
Forrester expects that we will see the following in the next 12-18 months:
1) Wave of acquisitions of cloud IAM providers. Those IAM vendors (SAP, Oracle, NetIQ, Quest, McAfee, RSA and even Symantec and Cisco etc.) that have not yet built an IAM framework or don't have on-premise IAM products they could turn into a cloud service will probably want to get into the game sooner rather than later. This will start a wave of acquisitions of cloud IAM providers. Now is the time to acquire and to get acquired in the cloud IAM space.
2) Moving of user stores into the cloud. We predicted this in 2012, but it's becoming a reality now. It is increasingly clear that on premise user directories (AD, LDAP, etc.) are starting to be only used for basic services and there is a great need for cloud based directories to support an increasing number of SaaS applications. Cloud IAM vendors we talk to (UnboundID and Okta) have announced plans to help customers with this migration. SalesForce.com OEM agreement with ForgeRock to create SalesForce Identity Connect is the first step in this direction. Identity bridges or connectors which connect on-premise user stores to the cloud provider’s user store will play a critical role and be the hardest first step in this transition.
We are about to kickoff our next Forrester Wave on web content security. The inclusion criteria for vendor prequalification will be sent out within the next two weeks. We will be focusing on both traditional web gateways as well as the hybrid and SaaS delivery models. What does this mean for you?
Vendors: If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey. We will be limiting the number of vendors participating in this evaluation.
Enterprises: If you would like to provide us feedback on your experience with web content security solutions and vendors, we would love to hear from you. We plan to leverage your feedback for evaluation criteria as well as score weighting.
Please contact Kelley Mak (kmak at forrester.com) if you are interested in participating. We expect this Wave will publish in the Spring of 2014. (Fine print: This is a publication estimate and this date is subject to change.)
I attend numerous security and IT conferences each year, most of which simply blur together into a vendor cacophony about the perils of social, cloud, and mobile device adoption or the ever present danger from devious cybercriminals and nefarious state-sponsored agents. The uniform repetition of this narrative from every vendor in the industry reminds me of the drowning din of thousands of cicadas awakening from hibernation. McAfee Focus had a different feel. And overall, compared to other conferences, it was a worthwhile trip, and not just because Chris McClean and I won at craps, but because while McAfee did pay homage to the technical security pros in the audience with the requisite discussion of the changing threat landscape and accompanying hacking demo, there was a palpable difference in their narrative, particularly in CEO Mike DeCesare’s keynote. Here are a few notable highlights from the conference:
Technology is essential in any managed security operations center. Technology has come a long way to create an active defense of the enterprise. There are vendors that offer solutions for log management, web application defense, firewall, incident event correlation, and many others. In order to understand the size of the security technology market, Forrester and the MSP Alliance are partnering in a survey to look at the managed security functions and the technology MSSPs use to deliver their services. If you are an MSSP or an end user of these technologies, you can complete this survey at:
Peter Kujawa CEO of Locknet, Steve Tallent from Fortinet, and I were speaking at the recent MSPWorld Conference in San Jose, California about the cloud revolution. Steve was interested in the conversation because Fortinet is now offering virtualized versions of their Fortigate UTM solution. Peter was interested because his business is built on taking the pain away that platform management entails. Obviously security intersects both of these worlds.
We discussed the changes cloud computing was making to the MSP/MSSP markets and the differences between the SMB and enterprise businesses and what motivates them to consider the cloud IaaS, SaaS, and PaaS model.
Peter talked about one of his clients – a smaller client – that managed their business from a small server stashed in the closet of their offices. Peter’s company offered to replace the box with a cloud-based system that took over patching, updates, and maintenance for the system for a simple monthly fee. The client would access their applications via the Internet. The risk to this business was huge for so many reasons. The customer leapt at the chance to get rid of the box.
In another case, I was speaking with a large client and we talked about the motivation for the cloud. Inasmuch as maintenance and support are an issue, the larger issues for large companies are the IT assets on the balance sheet. This company liked cloud because of their need to “clean up” the balance sheet. There were too many IT assets loading down the balance sheet – distorting the company's return on assets.
Outside of Tempe is a place called Sahuarita, Arizona. Sahuarita is the home of Air Force Silo #571-7 where a Titan missile, that was part of the US missile defense system and had a nine-megaton warhead that was at the ready for 25 years, should the United States need to retaliate against a Soviet nuclear attack. This missile could create a fireball two miles wide, contaminate everything within 900 square miles, hit its target in 35 minutes, and nothing in the current US nuclear arsenal comes close to its power. What kept it secure for 25 years? You guessed it...four phones, two doors, a scrap of paper, and a lighter.
Photo Credit: Renee Murphy
Technology has grown by leaps and bounds since the cold war. When these siloes went into service, a crew supplied by the Air Force manned them. These men and women were responsible for ensuring the security and availability of the missile. Because there was no voice recognition, retinal scanning, biometric readers, and hard or soft tokens, the controls that were in place were almost entirely physical controls. All of the technology that we think of as keeping our data and data centers secure hadn’t been developed yet. It is important to note that there was never a breach. Ever.
It might be an occupational hazard, but I can relate almost anything to security and risk management, and my visit to the Titan Missile Museum at AF Silo #571-7 was no exception. The lesson I took from my visit: there's room for manual controls in security and risk management.
Emergency management professionals say, “The plan is useless, but the planning is priceless.” There is a lesson in there for risk managers and it’s about the value of scenario modeling.
The Federal Emergency Management Administration (FEMA) conducted a study to determine the likelihood and impact of a hurricane hitting New Orleans. FEMA assembled the paramedics, fire department, emergency room doctors, parish officials, and other responders in a hotel in New Orleans for "Hurricane Pam". Their goal was to plan for the worst-case scenario. The group was given the following scenario:
A slow moving, category-3 hurricane would directly hit New Orleans.
The storm surge would cause the levees to top, but not break.
The National Weather Service showed how the storm would form, what track it would take and what parishes would be effected.
Ok, so NASA failed an audit. Don’t we all? I think it is important to understand the government’s cloud computing adoption timeline before passing judgment on NASA for failing to meet its cloud computing requirements. And, as someone who has read NASA’s risk management program (and the 600 pages of supporting documentation), I can say that this wasn’t a failure of risk management policy or procedure effectiveness. Clearly, this was a failure of third-party risk management’s monitoring and review of cloud services.
The Cloud Is Nebulous
Back in 2009, NASA pioneered cloud technology with a shipping container-based public cloud technology project named Nebula -- after the stellar cloud formation. (I love nerd humor, don’t you?)
Photo Source: NASA
During 2009, NASA, to determine if current cloud provider service offerings had matured enough to support the Nebula environment, did a study. The study proved that commercial cloud services had, in fact, become cheaper and more reliable than Nebula. NASA, as a result of the study, moved more than 140 applications to the public sector cloud environment.
In October of 2010, Congress had committee hearings on cybersecurity and the risk associated with cloud adoption. But remember, NASA had already moved its noncritical data (like www.nasa.gov or the daily video feeds from the international space station, that are edited together and packaged as content for the NASA website) to the public cloud in 2009. Before anyone ever considered the rules for such an adoption of these services.
Before joining Forrester, I ran my own consulting firm. No matter how ridiculous the problem or how complicated the solution, when a client would ask if I could help, I would say yes. Some people might say I was helpful, but I was in an overconfidence trap. There was always this voice in the back of my mind that would say, “How hard could it be?” Think of the havoc that kind of trap can have on a risk management program. If any part of the risk program is qualitative, and you are an overconfident person, your risk assessments will be skewed. If you are in an overconfidence trap, force yourself to estimate the extremes and imagine the scenarios where those extremes can happen. This will help you understand when you are being overconfident and allow you to find the happy medium.
Have you ever padded the budget of a project “just to be safe”? I hate to tell you this, but you are in the prudence trap. By padding the project budget, you are anticipating an unknown. Many other managers in your company may be using the same “strategy.” But the next time you do a project like this, you will pad the budget again, because the inherent uncertainty is still there. The easiest way to keep your risk management program out of the prudence trap is to never adjust your risk assessments to be “on the safe side,” There is nothing safe about using a psychological trap to predict risk.
There are many ways to skin a cat. The same can be said of innovation. When I mention innovation in conversation, people generally think about a process of making a product bigger, faster, better, or stronger. However, product improvement is just one type of innovation. Innovation can target the process around creating a product, resulting in lower costs such as the "lean manufacturing" innovations from the automobile company Toyota. Innovation can target improvements in the design of marketing materials, creating a more emotionally appealing advertising campaign and resulting in higher revenue. Marketing innovation has been used by numerous firms over the years to reinvigorate their concepts and company. Samsung designed their Bordeaux television line after being inspired by a wine glass. They have been on the top of the television market ever since. Innovation can even mean cultural innovation in which the culture of the company changes and innovates to come in line with a newly updated corporate vision increasing employee loyalty, retention, and overall happiness. Innovation has many faces.