Fast Cloud Identity Provisioning

Eve Maler

Back in July, I wrote about a new RESTful API that cloud providers and provisioning vendors are working on for doing identity provisioning and synching: Simple Cloud Identity Management, or SCIM (like the milk). At last week's Internet Identity Workshop -- only five months after this draft spec made its formal debut! -- I had a chance to see the SCIM developers' live interop session in action. The interop saw successful participation by the likes of Cisco, Ping Identity, Sailpoint, salesforce.com, Technology Nexus, and UnboundID, with user accounts being securely created and torn down rapid-fire over the ether.

What's more, in talking with a more traditional on-premises identity vendor later in the week, I discovered that they loved how SCIM was shaping up, and planned to check it out ASAP as a way they could expose their own provisioning functionality.

In this Zero Trust world, with perimeters melting all over the place, I'm seeing signs that this lightweight API trend for IdM functionality is only going to accelerate. What do you think? If you're coming to Forrester Security Forum in a couple of weeks, I hope you'll grab me for a conversation about how this trend impacts your plans.

Categories:

Can You Join The API Economy While Maintaining Top-Notch Security?

Eve Maler

If anything exemplifies the extended enterprise, it's the notion of the "API economy": Unlocking value in your organization's unique data and services by publishing open APIs (application programming interfaces) for access by third parties. As Laura Koetzle notes, business leaders today are prioritizing growth above all -- and fostering a third-party developer ecosystem is becoming a great way to boost revenue. Best Buy, eBay, and USA Today are examples of companies with APIs and external developer communities.

But, but, but...just how secure is an open API? Especially if you, the security professional, can't fully control these external developers' actions? This is where it gets exciting, because security and identity-based access control are enablers of these new business opportunities. After all, an API of this sort is essentially a digital product whose use must be metered.

Many organizations in this position are turning to the OAuth technology to solve a host of security challenges that arise from opening up APIs. I'm excited to be bringing the latest in OAuth business cases, adoption news, and recommendations to my Forrester Security Forum track session on "Securing And Identity-Enabling Monster Mashups." Hope to see you at the Forum November 9-10 in Miami!

(Got a great API security story, or maybe some questions? Don't wait till November; feel free to share in a comment here, or ping me on Twitter using the #FSF11 hashtag.)

Protecting The Extended Enterprise

Laura Koetzle

“To succeed, Security & Risk leaders need to be part of the business strategy.” If I had a nickel for every time I’ve heard someone give some variation on that piece of advice, I’d be rich. As you all know, that’s an easy thing to say but a difficult thing to do. And that’s particularly true now, because our business leaders today are prioritizing growth – they’re entering new markets and releasing new products and services to grow revenue. Your business will unleash the creativity of its entire extended enterprise ecosystem – employees, partners, suppliers, and current customers – to find new ways to win and serve new customers. And your extended enterprise will connect via mobile and social applications and use cloud services. 

Read more

Compliance And Cloud – Responsible Or Accountable?

Andrew Rose

It’s interesting how many threads there are on the Internet that still debate the difference between these two words: “responsible” and “accountable.” Oddly enough, today I stumbled across two definitions, from seemingly respectable sources, that hold diametrically opposite views! To me, the answer is simple – you can delegate responsibility, but accountability remains fixed.

This is a key point in the extended enterprises in which we now function. Firms are now made up of a myriad of offshore and outsourced services, running on systems that are similarly fragmented and distributed across vendors. This complex tangle of people and data represents a huge challenge to the CISO, who remains accountable for the security, and often the compliance, of his employer yet is no longer responsible for their provision.

With a methodical and comprehensive process and a surfeit of resource (please stop laughing at the back!), the CISO does, however, have the ability to follow the data trails and manage risk down in this regard. Unfortunately, with the advent of cloud, things are taking a turn for the worse. Cloud vendors are reluctant to be scrutinized, and the security and compliance demands of the CISO can often go unanswered. If cloud really is to be a mainstay of computing in the future, something has to give – we need to find a balance where compliance and security assurance requirements are met without fatally undermining the cloud model. This is a key topic for 2012 and something we’ll be following with interest.  

As security professionals, we remain accountable for resolving these issues, no matter how much responsibility has been pushed to third parties and cloud vendors. So, how do you minimize the workload involved in managing the third parties that make up your extended enterprise, and how do you gain assurance around cloud vendors?

Read more

Categories:

Are Your Risk Management Efforts Enabling Partnership Opportunities?

Chris McClean

Forrester's Security and Risk Management clients often describe the frustration they feel when they are not included in important initiatives until after decisions have been made. Lately, this situation has been especially pronounced among decisions to enter partnership agreements based on service, performance, and cost considerations... with risk management only brought in later to identify and mitigate potential points of exposure.

At the same time, Forrester's Sourcing and Vendor Management professionals find themselves facing their own challenges when it comes to managing the risk of partner relationships. In a Q3, 2011 suvey of 575 Sourcing and Vendor Management professionals, top concerns related at "X-as-a-service" relationships included the lack of recourse if a vendor fails or goes out of business, the lack of a clear way to assess risk of a third party, and inability to manage how providers are handling data. ( Source: Forrsights Services Survey, Q3 2011)

In order to bridge this gap, Security and Risk Management professionals need to deliver a streamlined way to insert risk identification, analysis, and evaluation steps within their organization's existing vendor management lifecycle. Forrester customers who have taken this approach - for example, by introducing short, 10-15 question surveys to determine whether more detailed vendor risk assessments are warranted - report better oversight of vendor risk and better involvement in the decision making process. In some cases, Security and Risk Management professionals have even reported casting a decisive thumbs-down vote to block a new vendor contract because it represents unacceptable risk.

Read more

What’s Holding CISOs Back?

Stephanie Balaouras

According to our survey data dating back to 2008, despite year after year of high profile security breaches from Heartland Payment Systems to Wikileaks to Sony, security budgets have only increased by single digits. This is hardly enough to keep up with the increasing sophistication of attacks, the avalanche of breach notification laws and the changing business and IT environment.

The changing business and IT environment is perhaps the greatest concern. With a massive explosion of mobile devices and other endpoint form factors and an ever expanding ecosystem of customers, partners, clouds, service providers and supply chains, you increasingly have less and less direct control over your data, your applications and end-user identities. We refer to this expanding ecosystem as the “extended enterprise.” An extended enterprise is one for which, a business function is rarely, if ever, a self-contained workflow within the infrastructure boundaries of the company. We believe that the extended enterprise is such a major shift for CISOs and security professionals that we dedicated our upcoming Security Forum to it as well as a significant stream of research.

Read more

IBM To Acquire Algorithmics... GRC And Financial Risk Management Get A Little Closer

Chris McClean

Today IBM announced plans to acquire the Fitch Group’s Algorithmics, a heavy-hitter in financial risk management software and services market, for $387 million.

 Here are my initial thoughts about today’s announcement:

  • IBM is making a (relatively safe) bet that operational and financial risk functions will continue to comes together. Regulatory pressures from Basel III, Dodd-Frank, and Solvency II, as well as the competitive realities of the global market, are pushing for banks and insurance companies to have more comprehensive oversight of exposure across all domains of risk. In fact, analytics should be a top priority of any compliance program. It will be some time before IBM (or any other vendor) can deliver a single platform to manage operational, credit, market, liquidity, etc. in one place; however, the addition of Algo’s subject matter expertise and even basic integration of data for a single source of reporting offers customers attractive benefits.
  • IBM still faces heavy competition in financial services for both operational risk with its OpenPages product and financial risk with its new Algo offerings... however. there are very few significant competitors that have strength in both. IBM’s announcement today was a strong move against these other few, most notably Oracle and SAS.
Read more

Is CyberLiability Insurance Becoming A More Feasible Risk Management Strategy?

Andrew Rose

The cyberinsurance market today represents only a tiny segment of the overall insurance industry, and a recent Forrester paper on the topic identified that only a very small percentage of organizations that have purchased business insurance have also purchased cyberinsurance. Many insurance companies, however, are now estimating a period of significant growth in this area, and recent conversations suggest that more companies are either interested in this coverage or have recently purchased such policies.

I'm interested to know where your organization sits on this topic. If you have a minute, please respond to our short poll on the topic

You can find the poll in the right column of this page, below the “About the Analyst” or “About this Blog” section.

------------------------------------------------------------------------------------------------------

7/22 UPDATE - An interesting story which seems to suggest that Sony may be trying to leverage cover from existing 'traditional' insurance policies to cover for recent cyber-losses, much to the annoyance of the insurer... http://www.theregister.co.uk/2011/07/22/sony_breach_insurance/

In the unlikely event that Sony do manage to get the insurer to pay, that would be an interesting development for the future of cyberliability insurance...

In Cloud-Friendly Web Services Security, "There Is No Enterprise." Wait. What?

Eve Maler

“There is no enterprise — the work we do is a collection of people that dynamically changes through a mix of organization control.” That’s what I heard from one venerable old construction company while working on my new research report, Protecting Enterprise APIs With A Light Touch. I wanted to investigate how enterprises are using and securing lightweight RESTful web services, and in particular to figure out the problems for which OAuth is well suited. (You might recall my request for feedback in a prior post.)

 What I found was that forward-thinking enterprises of many types – not just hip-happenin’ Web 2.0 companies – are pushing service security and access management to the limit in environments that can truly be called “Zero Trust,” to use John Kindervag’s excellent formulation. This particular firm dynamically manipulates authorizations to control access to a variety of innovative lightweight APIs on which the whole company is being run, not actually distinguishing between “internal” and “external” users. They’ve kind of turned themselves inside-out.

Read more

InfoSec In The Supply Chain

Andrew Rose

The importance of data security throughout the supply chain is something we have all considered, but Greg Schaffer, acting deputy undersecretary of the Homeland Security Department of the National Protection and Programs directorate at the Department of Homeland Security, recently acknowledged finding instances where vulnerabilities and backdoors have been deliberately placed into hardware and software. This is not a risk that hasn’t been previously pondered as, in 1995, we watched Sandra Bullock star in ‘The Net," and address this very issue. However the startling realism of Mr. Schaffer’s admission means that it can no longer be categorized as a "hollywood hacking" or a future risk.

The potential impact of such backdoors here is terrifying and it is easy to imagine crucial response systems being remotely disabled at critical points in the name of financial or political advantage.

If we are dedicated to the security of our data, we must consider how to transform our due diligence process for any new product or service. How much trust can we put in any technology solution where many of the components originate from lowest cost providers situated in territories recognized to have an interest in overseas corporate secrets? We stand a chance of finding a keylogger when it’s inserted as malware, but if it’s built into the chipset on your laptop, that’s an entirely different challenge… Do we, as a security community, react to this and change our behavior now? Or do we wait until the risk becomes more apparent and widely documented? Even then, how do we counter this threat without blowing our whole annual budget on penetration testing for every tiny component and sub-routine? Where is the pragmatic line here?

Read more