Keeping up with global regulations

Chris McClean

The Foreign Corrupt Practices Act (FCPA) has been seemingly more newsworthy than usual recently (even impacting Hollywood elite), with somewhat conflicting accounts of the US cracking down on bribery both here and abroad, and the rationale for the US to accept some level of bribery for the sake of broader national interests.

Read more

Risky by association

Chris McClean

The holiday season gave media and industry one more opportunity to discuss Mattel’s massive product recalls this year, and admittedly, I still find myself interested in the story. In this case, it was the World Business Council for Sustainable Development’s article calling out Mattel’s “Epiphany at Christmas”. 

The revelation: “If it's got your company's name on it, it's your problem.”

Read more

New Year's Resolutions for choosing online retailers

Andras Cser

With CardSpace and Higgins being in nascant and almost non-existent market adoption mode, you may wonder what authentication features you want to be looking for when shopping online. Usernames and passwords are a thing of the past: you can safely assume that you will use a computer to log in which has a keylogger or trojan capturing your keystrokes, and with it your username and password.

Savvy customers are increasingly turning towards online retailers and financial institutions which provide at least some form of multi-factor authentication to protect against password theft. The following list gives a compass to consumers and vendors to navigate the misty waters of online transactions.

Smart cards / USB tokens (very costly, high level of security, great user inconvenience)

Hardware based solution that contains applications, PKI certificates used to authenticate to a site. These cards can include a magstripe for physical access management and RFID proximity sensors.

Read more

Categories:

Risk Management Lessons from the ‘Mortgage Meltdown’

Chris McClean

Great article this morning in the Wall Street Journal about Goldman Sachs’ performance during the credit meltdown. The company has expectations of record income this year, while competitors are faltering left and right.

There are three important issues in this story — and in the sub-prime crisis in general — that all good risk management professionals know, and should keep in mind as often as possible.

Read more

Sun acquires Vauu

Andras Cser

Compliance requirements of large enterprise customers are too complex to satisfy with organically grown role management software. As a result, it appears that the role management acquisition storm is starting. With BridgeStream acquired by Oracle and now Vaau by Sun, enterprise role maintenance is finally coming of age and will be part of Sun's Identity Management portfolio. Vauu's large number clients will continue to demand vendor agnostic solutions from RBACx, and although Sun has traditionally been one of the strongest players in the market of multi-OS vendors, it remains to be seen how Sun will handle the multiplatform challenge and keeping RBACx alive non-Sun operating systems. System integrators now have one less choice for picking an independent role magagement vendor. Eurekify, BHOLD, and Omada will likely now to receive acquisition offers from other large IAM suite vendors trying to complete their provisioning role management portfolio.

Cisco Acquires Securent - moving policy decisions to the network layer

Andras Cser

The consolidation of the IAM market is not a new phenomenon and has been following the following pattern: a large software company with a follower IAM product set acquires a smaller IAM vendor with a proven track record to update the IAM product and services portfolio and to secure increased market presence. The acquisition of Securent by Cisco is fairly different and highlights the following trends: 1) Entitlement Management is needed so much by the market that Cisco – even though it has not traditionally been a player in the IAM space – enters the market first with an Entitlement Management product. It is surprising, as only CA has an EM product today – all other IAM vendors are still trying to build their own as the other serious competitors on the EM market, BEA ALES is not for sale as a startup.  2) Entitlement Management may be moving (along with to IAM) to operations and to the network protocol level. In fact, Cisco intends to incorporate the Secucent EMS product into the policy engine of their SONA architecture. Policy Enforcement Points (PEP) are currently implemented at the application endpoint. With this acquisition, in the future customers can implement hybrid PEPs distributed between the network and the application, thus starting to move non-business policy logic into the infrastructure layer.

Read more

EMC Buys MozyPro As It Enters The Market For Online Infrastructure Services

Stephanie Balaouras

Backup is a struggle for both enterprises and small and medium businesses. It’s a complex ecosystem of backup software, networks, servers, disk arrays, and tape systems. Most companies report they are having difficulty completing backups in the time available and when backups fail or complete with errors, it’s often very difficult to discover the root cause. Couple those troubles with the fact that the amount of data that you need backed up is growing conservatively at 30% to 50% per year. Aside from these challenges, most companies are also interested in keeping backups longer for version history and companies are interested in the ability to perform much faster restores if they could.

Given the headaches associated with backup, many small and medium business and even some enterprises are choosing to outsource their backups all together to a service provider. There are already numerous players in the marketplace from Evault (which is resold by a number of different service providers) to Iron Mountain, to your telecommunication provider, and to emerging entrants such as Berkeley Data Systems and its Mozy service offering. This opportunity is so huge that even Symantec (which acquired Veritas) launched a beta of its own online backup service called the Symantec Protection Network. EMC’s acquisition of Berkeley Data Systems is just further proof that the online backup market is a huge opportunity.

Read more

Play fair... or they'll come after your secrets

Chris McClean

I’m not usually one for ‘this-could-happen-to-you’ stories, but I’m still having trouble getting over last month’s story about grocery giant Tesco having to turn over 11 million emails to the UK’s Competition Commission for their investigation into possible anti-competitive practices against its suppliers.

Read more

Role Management and eSSO vendors - a call for action

Andras Cser

Part of a successful Identity Management (IdM) project is a successful role discovery and mapping phase. Many organizations -- after having mapped and optimized their business processes -- turn to role design and management solutions (VAUU RBACx, BHOLD, Oracle's BridgeStream, and others). While these solutions give a great initial insight into the existing role structure, they are not the only source of role interrelationship information. Role design can build

on

many other sources: demographics mined from helpdesk tickets from users requesting access, job descriptions, quality management systems (it certain cases this is wishful thinking...), and increasingly from Enterprise or Desktop eSSO solutions (PassLogix, ActivIdentity, CA). eSSO solutions store multiple login credentials for users to multiple applications. As such, extracting account linkage, mapping and correlating user IDs between user repositories based

on

access information built by end-users is much more reliable than any artificial role mining logic, usually based

on

Read more

CIOs Entitlement Management Worries

Andras Cser

While I was looking through current offerings in Entitlement Management (EM), I was struck with the questions that will likely be the next logical thoughts in the CIO’s mind after they are sold on the obvious ROI of an EM solution.

Read more