My esteemed colleagues Renee Murphy and Nick Hayes joined me in a fully collaborative, marathon evaluation of 19 of the most relevant GRC platform vendors; we diligently pored through vendor briefings, online demos, customer reference surveys and interviews, access to our own demo environment of each vendor’s product, and as per Forrester policy, multiple rounds of fact checking and review. The sheer amount of data we collected is incredible.
On January 22, 2014, a new mobile security player was born. This is the date that VMware announced its intention to purchase the mobile device management (MDM) firm AirWatch. With a price tag of $1.5 billion, this acquisition confirms that the mobile security market is scorchingly hot. This news comes on the heels of the November acquisition of Fiberlink by IBM. I expect additional mobile security market consolidation to occur throughout the remainder of 2014. This acquisition is a shot across the bow of any other major vendor looking to play in the mobile security market. If you don't step up and spend now, you might just be left holding the bag.
Privacy is on trial in the United States. Legal activist Larry Klayman asked US District Judge Richard J. Leon to require the NSA to stop collecting phone data and immediately delete the data it already has. His argument was that US citizens have a right to privacy and this is a violation of the Fourth Amendment of the Constitution protecting citizens from illegal search and seizure. Monday's ruling that this practice is unconstitutional has privacy activists cheering in the streets, but it will not be a lasting victory.
In the United States, there is not a single privacy law on the books. (You can argue that HIPAA is a privacy law, but nuances exist that can lessen its impact.) What is protected has come from judgments based on the application of the Fourth Amendment regarding search and seizure. US citizens were given "privileges,” thanks to Richard Nixon, which say we have an expectation of privacy when using a phone, which basically means that the government has to get a warrant for a wiretap. (It’s worth noting that in the UK, they don’t get that privilege.)
There is a 14-dog race going on, with a goal to win the wallets of the enterprise for mobile security spend. When lined up in the starting blocks, the racers may all seem to have equal chances, but a few are better poised to cross the finish line first and bask in the glory of the winners' circle. Three of these technologies are the odds-on favorites to lead from start to finish, with the rest of the racers struggling to remain relevant.
Coming off the starting block with the "holeshot" are the mobile device management vendors. With huge engines of revenue, large customer counts, and first-mover advantage, this dog is the odds-on favorite to take the championship trophy. Mobile device management vendors are already expanding their technologies and products into security platforms to diversify their rapidly commoditized product offerings. The move is paying off for the biggest and toughest MDM participants in the race, giving them the early, and potentially insurmountable, lead.
We are about to kickoff a Forrester Wave on Application Security Testing. The focus of this Wave is on both static application security testing (SAST) as well as dynamic application security testing (DAST) offerings. This Wave will cover both tools and SaaS based delivery methods. What does this mean for you?
Vendors: If you feel that your solution applies to this Wave, please contact us and let us know that you'd like to be sent the prequalification survey. We will be limiting the number of vendors participating in this evaluation.
Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave.
What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its consumer fingerprint reader already making inroads into authentication) and others (Windows Phone, etc.) will follow suit and offer cloud based IAM and SSO services.
Does your organization still have a significant number of endpoints still running Windows XP? Don’t worry, you’re not alone: Forrester's Forrsights Hardware Survey, Q3 2013 shows that the average organization still has 20% of their employee endpoints running XP. Considering that most organizations spend 18 to 32 months when migrating to newer versions of Windows, many organizations will likely find themselves scrambling to batten down the hatches before Microsoft’s April 8, 2014 end-of-life deadline.
After this date, Microsoft will stop releasing security patches for the 13-year-old operating system, a terrifying situation for organizations still relying on XP. What can you do as an organization if you still have a substantial XP presence within your environment? You can:
Migrate to Windows 7 or 8 posthaste. Microsoft has come a long way in preventing certain classes of attacks, such as bootkit and rootkit attacks. In fact, Microsoft has told us that Windows XP is 21 times more likely to get infected with malware than Windows 8.1. To help our clients understand the pros and cons of Windows 8.1 security, I recently published a guide on this very topic.
Buy some extra time. For those that can afford it, Microsoft will offer “custom support” in the form of XP security patches past the April 8 deadline. I’ve spoken with a number of organizations that determined that it would be cheaper to pay this premium than to migrate away from XP. Of course, this is just prolonging the inevitable; custom support will not be available forever.
In a recent report titled “Technology Management In The Age Of The Customer,” Forrester defines the Age of the Customer as: "A 20-year business cycle in which the most successful enterprises will reinvent themselves to systematically understand and serve increasingly powerful customers." In this Age of the Customer, empowered consumers using social media can have tremendous influence. Technology gives the lone voice a platform to be heard across the Internet. Technology is the force multiplier for empowered consumers.
Jason Huntley, a UK-based IT consultant, is a perfect example of one of these increasingly powerful customers. He posted a blog titled “LG Smart TVs logging USB filenames and viewing info to LG servers.” In it Jason detailed how his Smart LG TV was spying on him. The TV was not only reporting data about viewing habits, but was also uploading the filenames from the storage devices he attached to the TV. His viewing habits data was collected despite the fact that he had opted out of the “Collection of watching info.” Jason wrote, “This information appears to be sent back unencrypted and in the clear to LG every time you change channel, even if you have gone to the trouble of changing the setting above to switch collection of viewing information off.” He had a false expectation of privacy. See below:
This is big: Google opened up Android 4.4 KitKat to allow access to the NFC chip to Android apps and not just the trusted execution environment on the secure element.
What it means: any issuer, developer, 3rd party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that can present credit card information to the NFC and allow the user to use the card information for payment. This might mean that traditional trusted service managers (companies that are authorized to provision the secure element on the mobile phone, like Gemalto, FirstData, CorTSM, etc.) may face fierce competition from really anyone who wishes to provision cards to the phone. Mobile network operators can now be easily cut from the payment chain, too.
I am about to kick off my next Forrester research on targeted attacks. Here is the short abstract: "The threat landscape has evolved but organizations haven't. Leveraging concepts of Zero Trust, this report will detail strategies for protecting against targeted attacks against your organization. We will focus on the pros and cons of various strategies and provide suggestions for maximizing your investments." If you'd like a preview to the tone of this research please see one of my previous blogs: "Kim Kardashian and APTs."
Vendors: The focus of this research is on overall strategy and NOT on specific vendor capabilities. We look forward to detailed vendor conversations when we do follow on Waves or Market Overviews in the future.
Enterprises: If you would like to provide us feedback on your experience with defending against targeted attacks, we would love to hear from you. If you purchased a magic anti-APT box and it is/isn't living up to your expectations, let us know. We are currently scheduling research interviews. Research interviews are open to more than just Forrester clients. If you aren't a client and would like to participate, we will provide you a complimentary copy of the final research upon completion.