CA Acquires Arcot, VMWare Buys TriCipher

Andras Cser

How  Authentication-as-a-Service becomes a part of leading IAM stacks and why virtualization is no longer a viable technology without identity and access management.

CA’s acquisition of Arcot signals that partnering with an adaptive authentication vendor is no longer enough to offer a comprehensive access management strategy: you’d also have to have an adaptive authentication product to allow your customers to retire costly physical tokens. But this is not the primary reason  CA picked up Arcot. It is Arcot’s thriving hosted authentication and fraud management services that were the most lucrative assets to CA. Adaptive authentication is part of any organization’s fraud management strategy — however, CA’s inexperience here leaves a few questions to be answered. Will CA keep and grow Arcot’s fraud prevention service? If so, how will it integrate fraud management with IAM? The requirement for integration is clearly highlighted by Forrester’s conversations with its FinServ and other verticals’ customers.

Read more

Go Long On Glue Manufacturers

John Kindervag

FLASH TRAFFIC: This just in!

The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as this malware appears to be able to “upload” itself onto a military network. We ARE nearing August 29th

Fascinating. Blame the flash drive. Expect the USB bashing to start again soon. SysAdmins all over will be buying up the world’s supply of epoxy and shoving those nasty USB ports full of that goop. Go long on glue manufacturers.

According to Deputy Defense Secretary William J. Lynn III, "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." This must be one awesome piece of code – sentient, silent, and “poised.”

Read more

Categories:

Think You Know About All The Big US Government Regulations Coming Up? All 191 Of Them?

Chris McClean

There has been an interesting PR battle in Washington over the last few weeks about the number of massive regulations still on the administration's agenda. House Minority Leader John Boehner wrote a memo to President Obama citing a list of 191 proposed rules expected to have a more than $100 million impact on the economy (each!) and asking for clarification on the number of these pending rules that would surpass the $1 billion mark. The acting head of the Office of Management and Budget responded, saying that the number of "economically significant bills" passed last year actually represented a downward trend, and the current number on the agenda is more like 13.

For those of you wanting a little more clarification, you can search through the OMB's Unified Agenda and Regulatory Plan by economic significance, key terms, entities affected, and other criteria. Making sense of all of these proposed rules will take time, but it will help you get an idea of issues that your organization may have to face in the near future.

Coincidentally, my latest report, The Regulatory Intelligence Battlefield Heats Up, went live yesterday. In this paper, I offer an overview of different available resources to keep up with new and changing regulations as well as relevant legal guidance.

Read more

Preview Of PCI DSS 1.3 – Oops 2.0 – Released

John Kindervag

The PCI Security Standards Council released the summary of changes for the new version of PCI — 2.0.  Merchants, you can quit holding your breath as this document is a yawner — as we’ve long suspected it would be.  In fact, to call it 2.0 is a real stretch as it seems to be filled — as promised by earlier briefings with the PCI SSC — merely with additional guidance and clarifications. Jeff, over at the PCI Guru, has a great review of the summary doc so I won’t try to duplicate his detailed analysis. The most helpful part of the doc is an acknowledgement that more guidance on virtualization — the one function per server stuff — will finally be addressed.

Suffice it to say, it doesn’t look good for all those DLP vendors looking for Santa Compliance to leave them a little gift under the tree this year. I’ve been hearing hopeful rumors (that I assume start within the bowels of DLP vendor marketing departments) that PCI would require DLP in the next version.  Looks like it’s going to be a three year wait to see if Santa will finally stop by their house.

Remember that this is a summary of changes so there’s not that much meat yet. The actual standard will be pre-released early next month with the final standard coming out after the European Community Meeting in October.

The Forrester Information Security Maturity Model

Chris McClean

After an in-depth survey of IT security and risk professionals, as well as our ongoing work with leaders in this field, Forrester recognized the need for a detailed, practical way to measure the maturity of security organizations. You asked, and we responded. I'm happy to announce today we published the Forrester Information Security Maturity Model, detailing 123 components that comprise a successful security organization, grouped in 25 functions, and 4 high level domains. In addition to the People, Process, and Technology functions you may be familiar with, we added Oversight, a domain that addresses the strategy and decision making needed to coordinate functions in the other three domains.

Our Maturity Model report explains the research and methodology behind this new framework, which is designed to help security and risk professionals articulate the breadth of security’s role in the organization, identify and fix gaps in their programs, and demonstrate improvement over time.

What makes the Forrester Information Security Maturity Model work?

Read more

Building The High-Performance Security Organization

Stephanie Balaouras

I just completed my second quarter as the Research Director of Forrester’s Security and Risk team. Since no one has removed me from my position, I assume I’m doing an OK job. Q2 was another highly productive quarter for the team. We published 20 reports, ran a security track at Forrester’s IT Forum in Las Vegas and Lisbon, and fielded more than 506 client inquiries.

In April, I discussed the need to focus on the maturity of the security organization itself. I remain convinced that this is the most important priority for security and risk professionals. If we don’t change, we’ll always find ourselves reacting to the next IT shift or business innovation, never predicting or preparing for it ahead of time. It reminds me of the Greek myth of Sisyphus. Sisyphus was a crafty king who earned the wrath of the gods. For punishment, the gods forced him to roll a huge boulder up a steep hill, only to watch it roll back down just before he reached the top — requiring him to begin again. Gods tend to be an unforgiving lot, so Sisyphus has to repeat this process for the rest of eternity.

If my protestations don’t convince you, perhaps some data will. The following are the top five Forrester reports read by security and risk professionals in Q2:

Read more

Tips For Using Spreadsheets For Business Intelligence, Compliance, And Risk Management

Chris McClean

My colleague Boris Evelson, who covers business intelligence for Forrester and serves business process professionals, recently wrote a great post about the use of spreadsheets for business intelligence. He explains that while many BI vendors initially sought to replace spreadsheets in the corporate environment, it's now clear that they are not going anywhere any time soon.

Sound familiar? While many governance, risk, and compliance professionals and GRC vendors continue to work toward helping customers consolidate data and move away from spreadsheets, they are still basically ubiquitous. In fact, several of the top GRC vendors are now working to improve the way their tools interface with Excel... Not just for exporting reports, but for data input and analysis as well.

I recommend reading Boris' post, where he details three best practices regarding the use of spreadsheets for BI:

  1. Create spreadsheet governance policies.
  2. Monitor and enforce compliance with those policies.
  3. Give preference to vendors that work well with spreadsheets.

Creating clear policies for what information will and will not be managed on spreadsheets is critical here, and extremely important for the GRC universe. Unless you have specially-built controls, spreadsheets do not give you the level of security, access control, change control, or audit trail you should have for data related to compliance or risk management. Knowing Office tools are going to be handling substantial amounts of important information for the foreseeable future, so it's worthwhile to review and update your policies and make sure they are being appropriately enforced.

The Supreme Court Ruling Will Have Little Impact On SOX . . . Sorry

Chris McClean

Despite some speculation that today's Supreme Court ruling might overturn large portions of the Sarbanes-Oxley Act (if not all of it), the final opinion will likely have no significant impact on financial controls, auditing, or reporting requirements.

The Court found that the method by which Public Company Accounting Oversight Board (PCAOB) members are appointed does not grant the Executive branch sufficient oversight because of the restrictions on when members can be removed from their position. According to Chief Justice Roberts' opinion, "The consequence is that the Board may continue as before, but its members may be removed at will by the (Securities and Exchange) Commission." And for those arguing that SOX doesn't have a severability clause that maintains the act's legality even when a portion of it is overruled, Roberts clarifies that "the unconstitutional tenure provisions are severable from the remainder of the statute."

Read more

Enterprise Role Management - New Podcast!

Andras Cser

Last Monday, Stephanie Balaouras and I recorded a podcast on a recent hot topic amongst Forrester clients — Enterprise Role Management (ERM). For the most part, people understand fundamental provisioning so I wanted to take this time to go through ERM in a little more detail.

Over the past few months, I have been asked many questions about taking ERM to the next level — about how to expand and automate identity management infrastructure. Before determining whether this is the right step for your company, however, it's important to understand the two most important benefits from doing so and also recognize the prerequisites.

Among others, two benefits of ERM are security and compliance. Achieving a more mature role management system will increase your organization’s security around information sharing, and it will enable understanding of the segregation of duties. Before achieving this level of security and compliance,  it’s important to simplify your identity repository and create a clear-cut set of records. This allows for a recertification phase when managers can take the time to revoke or grant access to existing accounts. Once you have created a clean, up-to-date role management database, your organization is ready to look forward to taking ERM to the next level.

After speaking with many clients on this topic, I have garnered a solid list of best practices that everyone should be aware of before attempting to strengthen any ERM system. These practices include data points around user population and recertification timelines, whether or not a hierarchical approach should be adopted to organize roles, and the value of tools such as Web single sign-on and security incident and event monitoring as they relate to role management.

Read more

Risk Professionals' Window Of Opportunity

Chris McClean

In my ongoing work with risk management professionals, I've been encouraged to see how quickly the role is growing in influence and responsibility in today's business environment (even though the drivers for that elevation are often disastrous). Along those lines, I read a great article this morning in StrategicRISK, discussing the window of opportunity for risk experts, aptly entitled Keep Your Eyes on the Prize.

The article quotes the Institute of Risk Management's deputy chairman, Alex Hindson, who says that top executives and boards of directors are looking for risk management guidance, and if risk experts in their organizations can't step up to fill that role in their "window of opportunity," it will be filled instead by auditors, finance professionals, or external consultants.

In my recent engagements with Forrester's clients in risk management, I've certainly seen a lot of interest and participation from other functions in the business - most notably audit and IT. And just last week, my colleague Craig Symons published a report explaining key issues in risk management for the CIO.

Read more