Defining The Mobile Security Market

Tyler Shields

Understanding the terms and technologies in the mobile security market can be a daunting and difficult task. The mobile ecosystem is changing at a very rapid pace, causing vendors to pivot their product direction to meet the needs of the enterprise. These changes in direction are creating a merging and twisting of the technology descriptions used by the sales and marketing arms of the vendors. What we considered "Mobile Device Management" yesterday has taken on shades of containerization and virtualization today. Mobile antivirus used to be a standalone vision but has rapidly become a piece of the mobile endpoint security market. Where do we draw the lines, and how do we clearly define the market and the products that the enterprise requires to secure its mobile environment?
In an attempt to help the enterprise S&R professional understand the overlapping descriptions of mobile security products, I am working on new research that will help organize and quantify the market. Understanding the detailed state of each of the technology offerings in the market, and their potential impact on a five- to 10-year horizon, will help enterprises make more-educated purchasing decisions.

To help enterprise S&R professionals make sense of the overlapping descriptions of mobile security products, I am working on new research that will organize and quantify the market. Understanding the detailed state of each technology offering in the market, and its potential impact on a five- to 10-year horizon, will help enterprises make more educated purchasing decisions.

To begin the process of covering all of the technologies being offered today, I've divided the solutions in the space by technology type. Not only am I analyzing technologies that are available now, but I'm also researching any additional products, services, and vendors in the mobile security space that are bringing innovative new concepts to bear. These new-age offerings will help shape the future of mobile security, and we need to get ahead of the concepts now if we wish to better understand the impact of the innovation.

RSA acquires Aveksa and finally joins the full-functionality IAM suites vendor party

Andras Cser

On July 1, 2013, RSA acquired Aveksa for an undisclosed sum. The Aveksa access governance solution, which includes access request management and approval, attestation, role mining and management, user account provisioning, identity administration, and auditing, will augment RSA's existing product lines for access control (RSA Access Manager, RSA Authentication Manager, RSA Federated Identity Manager, RSA Adaptive Federation, RSA Adaptive Directory, etc.). Short term, Aveksa will operate under its old management and will keep its OEM relationship with OneLogin for single sign-on into SaaS applications. Forrester expects that RSA will integrate its access management, VMware Horizon, and fraud management (SilverTail) product lines into a modern, full-functionality IAM portfolio built on risk and identity intelligence concepts -- one that will initially probably suffer from the growing pains that Dell's Quest IAM acquisition and Oracle's stack suffered from immediately after their IAM acquisitions. Forrester expects that, long term, RSA will also revitalize and consolidate its access management portfolio, solidify its presence in the cloud IAM space (IAM as a SaaS offering), and offer the stack as a fully hosted option, similar to CA's CloudMinder.

What it means: After years of consolidation and vendors bailing out of the space (HP, BMC, etc.), we will have one more vendor to choose from in the complete, full-functionality IAM suites market. This will create greater competition and more innovation -- something we and our clients are particularly happy about.

Small And Mid-Size Business Have Security Issues Too

Edward Ferrara

I think that small and mid-size businesses are the most underserved in the information security market today. These companies have not paid the necessary attention to information security, and the data indicates they will pay a steep price for not doing more.

Robert Plant, writing for the Harvard Business Review on June 4, 2013, spoke very plainly and clearly on the need for a CSO in companies today. In his blog post, Mr. Plant writes:

“First off, if the company doesn't have a CSO and the chief executive thinks the "S" has something to do with sustainability, just fire him. If it does have a CSO and the CEO chooses to eliminate that position, do the same thing, because it's the wrong answer. While you're firing him, inform the CEO that data security is the number one critical need for U.S. corporations today, and that the CSO is kind of like the chairman of the Joint Chiefs of Staff. You wouldn't get rid of the chairman of the joint chiefs in wartime.”[1]

While Mr. Plant is speaking of large corporations, the reality is that the CEOs of smaller firms should have the same concerns as those of large companies when it comes to information security. It may not seem like it, but we are at war — an economic war — and the prize is the intellectual property held by companies large and small. The number of cyber attacks is on the rise, and the level of effort being applied by both nation states and cyber criminals is huge. All of us in the security field have heard this before. However, it has been a real challenge for the industry to get information security the role it deserves as a critical component of enterprise risk.

Call Record Privacy Is Not Just A US Issue

Andrew Rose

As individuals gain better access to the technology that enables their participation in the information age, privacy has to be considered and regulation applied to raise standards to those that are acceptable across that society. It was interesting, therefore, to note the cultural recoil that occurred in response to the NSA's recently discovered, and rather widespread, call record collection (not to mention other 'PRISM'-related data!). It's clear that this has crossed a boundary of acceptability.

This isn't, however, just a US problem. A news story recently broke in India highlighting that local law enforcement agencies had, over the past six months, compelled mobile phone companies to hand over call detail records for almost 100,000 subscribers. The requisitions originated from different sources and levels within the police force, and their targets included many senior police officers and bureaucrats.

Unlike the NSA scrutiny, which, although potentially unreasonable, at least appears legal, the vast majority of these data requests did not have the formal documentation required to uphold or justify the demand, yet they were fulfilled. This was revealed by Gujarat's State Director General of Police, Amitabh Pathak, and came hot on the heels of a similar story originating from New Delhi, where the mobile phone records of a senior political leader, Arun Jaitley, were also acquired by a very junior law enforcement officer.

Counter-Strike?

Rick Holland

On Monday the Wall Street Journal ran a story on hacking back titled "Support Grows to Let Cybertheft Victims Hack Back." The article describes a growing desire to permit the private sector to retaliate against attackers. Being proactive is one thing, but the notion of enterprises retaliating against attackers is ludicrous. I honestly cannot understand why this topic is still in the public discourse. I thought debating this was so 2012. Legality is an issue, but so is the ability of companies to successfully conduct these types of operations without blowback.

The article explains, "… companies that experience cybertheft ought to be able to retrieve their electronic files or prevent the exploitation of their stolen information." I hate to be the bearer of bad news, but for most organizations, once the data has left your environment the chances of retrieving it are very slim. Your data has left the building, and it isn't going to "re-spawn." If you couldn't prevent exfiltration of this data in the first place, what would make you think that you could prevent its subsequent exploitation?

As I said back in January in my "Five Steps To Build An Effective Threat Intelligence Capability" report, "If you have a mature security program, you can consider counterintelligence operations, but leave the hacking back to governments and militaries."

There are many suggested strategies for dealing with the threat landscape. Hacking back should not be one of them.

The Demise Of The Player/Manager CISO

Andrew Rose

The role of the CISO is changing.

For years we have talked about the requirement to make the top security and risk (S&R) role increasingly business-facing, and this is now turning into a reality. Surprisingly, however, we see an increasing number of non-IT security folk stepping up to take the CISO role, often ahead of experienced IT professionals.

These "next-gen" CISOs are commonly savvy business professionals, experienced at implementing change and evolving processes, and adept at dealing with strategies, resource plans, and board-level discussions. Their placement into these S&R roles often comes as an unwelcome surprise to those who have been working within the IT security teams; however, we have to recognise that this new breed is simply filling a gap. Unfortunately, although we have talked about the professionalization of the role and the need for greater business engagement, many S&R professionals are still not ready for the leap, and this opens up an opportunity for others to steal their way in.

Make no mistake: this is a significant change in the traditional S&R professional career path.

Deloitte Acquires Vigilant - Harbinger of a Push By Consultancies Into The MSSP World

Edward Ferrara

This week Deloitte announced the acquisition of Vigilant. This is important news for several reasons. With over 14,000 consultants who specialize in information security, Deloitte is the largest and broadest security consultancy globally. Deloitte provides customized security solutions across a broad range of vertical industries, including financial services, aerospace, defense, retail, manufacturing, technology, communications, energy, and pharmaceuticals. The company's offerings include[i]:

  • Application security — secure coding practices, code review
  • Business continuity/disaster recovery planning
  • Consumerization — iOS, Android, Endpoint Security
  • Regulatory compliance certification, assessment, and audit services (excluding penetration and vulnerability testing)
  • Information security certification, compliance assessment, and audit services (excludes vulnerability and penetration testing, includes SOC 2, and ISO 27001 certification)
  • Data loss prevention
  • Fraud investigation
  • Governance — strategy, design, and implementation
  • Identity and access management
  • Computer emergency response team (CERT) services
  • Information security architecture — strategy, design, and implementation
  • Network security — strategy, design, and implementation
  • Penetration testing (includes cloud, infrastructure, mobile, SCADA, social engineering, and/or wireless)
  • Physical security — strategy, design, and implementation
  • Privacy — strategy, design, and implementation
  • Risk identification and management
  • Security awareness — strategy, design, and implementation
  • Security organization management — strategy, design, and implementation

Want to win an iPad and get hardcore data on access recertification? Take the UBC-Forrester Access Recertification survey!

Andras Cser

Want to know more about Access Certification and Attestation? Would you like to win an iPad and get a courtesy copy of a Forrester report on the findings of a survey on the topic?

Forrester is collaborating with the University of British Columbia (UBC) on an Identity and Access Management survey. The main topic of the survey is Access Certification and Attestation, also known as Access Governance. It takes only 15 minutes to complete the survey. In August 2013, Forrester, in collaboration with UBC, will publish the highlights of the survey results.

Here's what we offer for your participation:

Cloud Security - Expect Accelerated Deployments Due To Strong Moves By Providers To Improve Security

Edward Ferrara

Forrester research has consistently identified security as a major impediment to broad-scale cloud implementation: regardless of the model (SaaS, PaaS, or IaaS), the adoption rate has been slowed by security concerns. Cloud providers recognize that this is an impediment to selling cloud services and, in response, are strengthening their security controls. In Forrester's Forrsights® research program we interview over 2,000 security decision-makers on a variety of security issues and topics. Cloud security tops the list of concerns regarding cloud deployments.

The appetite on the buy-side for secure IT cloud infrastructures is very real. Our research shows very strong interest in the deployment of private cloud platforms because of the elasticity, reduced cost, and shorter cycle times required to deploy solutions in these environments.

This week Amazon Web Services (AWS) announced that AWS GovCloud (U.S.) and all U.S. AWS Regions have received an Agency Authority to Operate (ATO) from the U.S. Department of Health and Human Services (HHS) under the Federal Risk and Authorization Management Program (FedRAMP) requirements.

Obtaining FISMA Moderate certification indicates AWS' focus on providing strong security controls for its cloud offerings. Forrester assumes that AWS commercial clients could benefit from this as well, as the security processes behind the certification propagate to other areas of AWS' cloud business.

XACML is dead

Andras Cser

Conversations with vendors and IT end users at Forrester's Security lead us to predict that XACML (the lingua franca for centralized entitlement management and authorization policy evaluation and enforcement) is largely dead or will be transformed into access control (see Quest APS, a legacy entitlement management platform based on BiTKOO, which will probably be morphed by Dell into a web SSO platform).

Here are the reasons why we predict XACML is dead:

Lack of broad adoption. The standard is still not widely adopted by large enterprises, most of which have written their own authorization engines.

Inability to serve the federated, extended enterprise. XACML was designed to meet the authorization needs of the monolithic enterprise, where all users are managed centrally in AD. This is clearly not the case today: companies increasingly have to deal with users whose identities they do not manage.

The PDP does a lot of complex things that it does not inform the PEP about. If the application receives a "no, you can't do that" decision from the PEP, you'd want to know why. Our customers tell us that this can prove very difficult: the PEP may not be able to find out from the complex PDP evaluation process why an authorization was denied.

Not suitable for cloud and distributed deployment. While some PEPs can bundle the PDP for faster performance, using a PEP in a cloud environment where there is only a WAN link between the PDP and the PEP is not an option.