Manufacturing

Wednesday, 18.04.2012
08:30-09:00 Leveraging Identity to Manage Enterprise Change and Complexity
Jim Taylor, NetIQ

Jim Taylor, Vice President Identity and Security Management at NetIQ will discuss how identity, identity management and governance serve as the foundation for coping with an ever-changing IT environment, new business models, cloud models and more.

Auditorium
09:00-09:30 Securing Critical Banking Infrastructures in the Age of Cyber Warfare
Dr. Waldemar Grudzien, Association of German Banks

The threat is real and in the news every day: Stolen customer information, system downtime caused by denial-of-service attacks, industry espionage, governments involved in something we eventually might need to call cyber warfare, or just any type of cybercrime motivated by money. All this happens every day and is getting worse.

For the financial industry, just recovering from the worldwide financial crisis, cybercrime is creating a new quality of risk, which has to be addressed. Dr. Waldemar Grudzien will describe those risks and propose mitigation strategies.

Auditorium
09:30-10:00 Information Security Governance in Banks: Delivering Actionable Recommendation to Management
Berthold Kerl, Deutsche Bank AG

  • What are the new threats?
  • Are the old threats already under control?
  • Is 100% protection necessary – is it even possible?
  • What do regulators expect?
  • What to do and at what cost?
  • Who decides on remediating actions and how is this done?
  • How could the decision making process be supported?
  • What is IT’s and what is Business’s role?
  • Identifying the ‘important’ risks and getting rid of them!
Auditorium
10:30-11:30 The Business Value of IT
Increase Value to the Business: The KuppingerCole IT Model
Martin Kuppinger, KuppingerCole

KuppingerCole recently unveiled its view of IT: the KuppingerCole IT Model. This model focuses on fulfilling the business needs: providing the services the business really needs – and ensuring that corporate information is adequately protected. Based on these targets, the model segments IT into three layers and allows mapping virtually anything. It helps increase the agility of IT in terms of quickly fulfilling business service requests. It explains how to build your IT infrastructure as well as the Governance framework. It is the answer to how best to deal with the hybrid environments organizations have today, mixing different cloud environments with the existing on-premise IT. Thus it provides the logical answer for the strategic use of the Cloud. And it provides the cornerstones for building efficient on-premise environments. The model is a lean concept on which you can base your future-proof, business-driven IT.

How IAM can Catalyze the Secure Enterprise
Craig Burton, KuppingerCole
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Mike Neuenschwander, Oracle

IAM (Identity & Access Management) is one of the cornerstones of Information Security. Thinking in identities and putting the security of information and the access to information in the center of attention is the foundation for improving information security. Moving away from device-centric and network-centric security to information-centric security allows you to better understand information risks and the actions required to mitigate these risks and better secure your enterprise. In this panel, leading industry experts, all with an analyst background, and KuppingerCole analysts discuss the role IAM plays for information security and the future of IT Security in general.

Ammersee 1
11:30-12:30 The Future IT Organization
Winds of Change in your IT Organization: Get ready for the Future
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

IT Organizations are on the move. The Cloud requires new skills in procurement, service orchestration and service management. An increasing number of CEOs nowadays aren’t IT veterans anymore but young managers who understand the CIO role as an important career step. And the demand for more Business/IT alignment drives the change of IT organizations as well. In this session, you will learn how to fundamentally restructure your IT, following the KuppingerCole IT Model. This results in an IT organization which is business-driven and focused. This also supports efficiency gains in IT production. It is about an agile organization, ready for the future.

The Future of Identity & Access Management: Embrace, Extend - and don't Replace?
Niels von der Hude, Beta Systems Software
Hassan Maad, Evidian
Mike Neuenschwander, Oracle
Alberto Ocello, CrossIdeas
Darran Rolls, SailPoint
Jonathan Sander, Quest Software
Jim Taylor, NetIQ

Most organizations have made quite some investment in IAM and Access Governance. But they need much more. They need to integrate, they need to extend what they have done, and they need to leverage developments like geographically dispersed infrastructures, mobile computing and cloud. Thus good solutions should add value to what these organizations have instead of putting most effort into redoing things which cost a lot of money. In this panel, we will discuss strategies for IAM and Access Governance which focus on adding value, enhancing what customers have and filling the gaps they might have, without ending in vendor clashes.

Ammersee 1
14:00-15:00 Cloud Information Security
The Cornerstones of Information Security in the Cloud
Craig Burton, KuppingerCole

Information Security in the Cloud - that's in fact moving towards a location-independent and provider-independent approach for information security. In the days of on-premise only IT (plus maybe an outsourcer), the focus could be on securing the network and the device. In these days where IT services are a mix of on-premise, private and public cloud services - i.e. in days where things become hybrid - we can't rely on network or system security. We don't really know where our data remains and where services are run. The cloud sprawl, with chains of providers like your SaaS provider relying for example on Amazon Web Services, leads to a situation where we have to re-think the approach in Information Security.

The most important cornerstone is to move from system, network, device security towards information-centric security, which we might name "real Information Security". Another one is understanding Information Security as an initiative which isn't focused on technologies first of all, but on understanding risks, contracts and other aspects. Another important cornerstone is, without any doubt, the identity. We have to deal with more identities and with persons using different identities. Identity and Access Management is a key element in Information Security in, for, and with the Cloud.

There are many other aspects. In this session, we will provide our view on the future of Information Security - an approach that works seamlessly for the hybrid world of today and tomorrow, from classical on-premise IT to the public Clouds.

Extending your Identity & Access Management into the Cloud
Gerry Gebel, Axiomatics Americas
Bruce Macdonald, Hitachi ID Systems
Dr. Barbara Mandl, Daimler AG
Prabath Siriwardena, WSO2
Jim Taylor, NetIQ

Identity management across multiple SaaS (Software-as-a-Service) applications as well as on-premise systems is a challenge to most enterprises. The challenges of Identity Management in the cloud go beyond how we do authentication, authorization and auditing right. Cross-domain authentication, provisioning, interoperability, multi-tenancy, delegation and security are a few challenges to name. The best way to preserve interoperability is to adhere to open standards. Lots of proprietary standards came a long way, but when they felt a larger audience and interactions with other systems were needed, they became open standards. SAML2 Web SSO, OpenID and OAuth are some popular open standards, widely used across many cloud providers for authenticating users while facilitating identity portability. WS-Trust and WS-Federation used to cater to the same aspect while dealing with systems. XACML is another open standard, which is considered to be the de-facto standard for authorization. It facilitates fine-grained authorization in a policy-driven manner. Provisioning is also an important aspect in a cloud identity management system. SPML failed to become the de-facto standard for provisioning due to its heavyweight nature and its bias towards SOAP. The latest emerging standard for provisioning is SCIM, which is still in progress at the specification level, but looks promising.

Alpsee
15:00-16:00 Privileged Access
PCI-DSS, SOX, Basel: How to Manage Privileged Access and Pass the Audit
Sharon Farber, CA Technologies
Fulup Ar Foll, KuppingerCole
Jochen Koehler, Cyber-Ark

Privileged accounts like root, sysadmin or Oracle system, are necessary to run and manage databases, middleware and operating systems. These accounts are the most powerful within an organisation as they allow access to any type of business and in most cases ‘critical’ information. So if somebody wanted to severely damage your business, attacks targeting these privileged accounts would be the way to do it.

This leads us to the question: Would you at least find out if a privileged account is being misused? In other words: Do you actually know who is using such accounts and whether this usage is necessary and allowed? If this is a question you are asking yourself from time to time - the auditor would dive much deeper and also ask, ‘Exactly what was done during a certain session?’ Considering that, according to the Ponemon Institute 2012 Cybercrime Survey, 62% of respondents reported malicious insider breaches, we can assume that the auditor's questions are reasonable and it would be good to have an answer.

In this panel discussion, we will look into the reliability of currently available solutions and talk about the different approaches to reach compliance with PCI-DSS, SOX, Basel and comparable regulations.

Ammersee 1
17:00-18:00 One IT, One IAM
Why you should not believe in Cloud-only Solutions
Craig Burton, KuppingerCole
Martin Kuppinger, KuppingerCole

Years ago, when the cloud became popular, KuppingerCole published a Cloud Roadmap with a simple target: One IT, not a separation of Cloud IT and On-Premise IT. However, there are still many offerings which are cloud-only, even while it is obvious that the reality for most organizations will remain hybrid. That’s true for many areas of IT, including IAM. There are also offerings for that. But is there really a value in solutions which only support the cloud? When do you need them, if at all? Which integration should cloud-based IAM solutions provide? And what might your future look like, if you focus on the One IT/One IAM approach but still have to rely on cloud-based solutions, for example for an easier integration of external users like your customers and for using different types of SaaS? That’s what you’ll learn in that session.

Cloud Identity Services - Models and Challenges
Martin Kuppinger, KuppingerCole
Andy Thurai, Intel

As the software-as-a-service (SaaS) market explodes, more and more organizations struggle to gain control over their users’ identities in the cloud. Some are also exploring outsourcing their identity and access management (IAM) functions to the cloud.

There are three architectural models for implementing cloud identity services:

  • In the cloud – identity and access management as an on-demand service
  • To the cloud – IAM from an on-premise platform
  • Hybrid – a model that includes elements of both on-demand and on-premise solutions.

In this session, we will discuss the key architectural, platform, integration, security, scalability and reliability issues which organizations seeking to adopt cloud-based identity need to consider, including the increasingly significant role that Cloud Identity Broker/Cloud Security Broker technology is playing. The discussion will also assess current and evolving technology and industry standards available for managing SaaS account provisioning/de-provisioning, single sign-on, strong authentication, and other identity operations.

Objective:

When you finish this session, you will have a framework for analyzing the state of today’s technology options and selecting the most appropriate architectural platform to meet your business’s identity requirements in the cloud.

Alpsee
18:00-18:20 How Mobility Clouds the Future and SOA / Web 2.0 gives way to the Cloud API
André Durand, Ping Identity

Cloud computing and the increasingly mobile workforce are causing enterprises to rethink established IT security norms in new, revolutionary ways. Companies are seeing that latent data and internal resources can be exposed as new cloud APIs that scale as demand increases. This use of the cloud allows organizations to address the need for mobility and Internet-scale consumption. This sea change to services-driven architecture is resulting in novel ways that data and processes are accessed and monetized, one that cannot be ignored or avoided. Cloud APIs are a disruptive technology that will transform how IT delivers value and are a natural follow-on to SOA, Web 2.0, and early uses of cloud computing. Understanding the central role that identity plays in forming the new perimeter around these APIs is critical.

In his keynote, André Durand, CEO of Ping Identity, will provide insights and examples of how innovative customers of his are leading the way in this Cloud API revolution.

Auditorium
18:20-18:40 Top Challenges and Threats Security Managers Should Watch Out For
Prof. Dr. Eberhard von Faber, T-Systems
Auditorium
18:40-19:00 How to build a Secure and Open Cloud
Stephan Bohnengel, VMware

See how to build a complete cloud, starting small and secure in your own datacenter and how you can leverage new security approaches to build even a hybrid cloud without compromising compliance and IT-control.

Auditorium

Thursday, 19.04.2012
08:30-09:00 How Identity Management and Access Governance as a Service make your Cloud Work and your Business more Agile
Ralf Knöringer, Atos IT Solutions and Services GmbH

Identity and access management has evolved from the needs of large organizations and international operating enterprises. Automated user and entitlement management enabled the IT organizations to reduce costs and increase efficiency.

Today, legal and regulatory compliance dominates the deployment of identity and access management solutions. The level of control therefore follows the risk exposure and the transparent risk taking of the business owners. Identity and access governance with comprehensive analysis and reporting functionalities ensure transparency of rights, roles and entitlements.

Customers demand modular and service-oriented offerings managing identity and access for on-premise environments and cloud infrastructures.

Enterprise customers and service providers benefit from perimeter-less security services like cloud SSO and entitlement services for mixed environments (on-premise, private, public and hybrid cloud). This keynote will look at existing and future scenarios.

Auditorium
09:00-09:30 The Future of Attribute-based Credentials and Partial Identities for a more Privacy Friendly Internet
Prof. Dr. Kai Rannenberg, Goethe University in Frankfurt

Internet applications are becoming more and more personal, which raises major privacy problems. One example is the quest for more and more identification for the use of Internet resources such as social networks or participation platforms. Anonymous access can address the privacy issues, but in many applications some reputation management is needed. The question is then who can assure which claims, properties or attributes, and which information is given to the relying party to enable the assurance.

Classical trustworthy credentials normally do not respect privacy. They often reveal the identity of the holder even though the respective application often needs much less information, for instance only confirmation that the holder is a teenager or is eligible for social benefits. In contrast to that, Attribute-based Credentials allow a holder to reveal just the minimal information required by the application, without giving away a full identity. These credentials thus facilitate the implementation of a trustworthy and at the same time privacy-preserving digital society.

However, the main existing implementations of ABCs, U-Prove and Idemix, are not really compatible, which makes interoperation and interchangeability difficult. Consequently, concerns about lock-in can hinder the uptake of ABC technologies.

This presentation will give an introduction to ABC4Trust (https://abc4trust.eu), a European Union funded Integrated Project to achieve the federation and interchangeability of ABC technologies. Its objectives are:

(1) a common, unified architecture for ABC systems to allow comparing their respective features and combining them on common platforms

(2) open reference implementations of selected ABC systems and

(3) actual production pilots allowing provably accredited members of restricted communities to provide anonymous feedback on their community or its members.

The first pilot application at a Swedish school will involve pseudonymous community access and social networking for school students (pupils). The second pilot application at Patras University (Greece) will involve polling, especially anonymous collection of feedback from authorized students about the courses they took and the respective lecturers.

Auditorium
09:30-10:00 Trust and Complexity in Digital Space
Dr. Jacques Bus, Digital Enlightenment Forum

The concepts of trust and security are deeply embedded in our society and are therefore strongly affected by the societal transformation caused by the digitization. Societal and technical change is strongly influenced by the growing complexity of society related to the emergence of easy worldwide communication, the Web and mass data collection. In this paper I discuss security and trust as fundamental drivers for self-organizing communities in our society. I highlight the concepts of trustworthy technology and trust in the societal context, as well as the difference between accepting technology and trusting technology. An important observation is that a complex system cannot be fully understood through reductionism. The discussion leads to some cautious conclusions on future actions.

Auditorium
10:30-11:30 Intention Economy
VRM and the Intention Economy: Now What?
Craig Burton, KuppingerCole
Scott David, K&L Gates LLP
Marcel van Galen, Qiy Foundation
Drummond Reed, Connect.Me
Doc Searls, Berkman Center for Internet and Society at Harvard University
Phil Windley, Kynetx

Doc Searls' vision of VRM just rings true. The common reaction is "Of course that's how things ought to work!" Now with his new book out—The Intention Economy: When Customers Take Charge—the vision is even stronger and clearer.

How do we build the intention economy? What infrastructure will undergird it? How will our understanding of identity, privacy, and rights change to support it? 

This session will explore the infrastructure for the intention economy and the role of identity in that infrastructure.

Auditorium
14:00-15:00 Security Intelligence
Best Practices for Lean, Efficient and Focused Information Security Projects
Dr. Horst Walther, KuppingerCole

From our Advisory Services, KuppingerCole has a long and comprehensive experience in how to do Information Security Projects in a lean, efficient, and focused way. This session will provide you advice on how to mitigate your project risks, how to solve the IT/Business alignment challenge in such projects, and how to ensure that you end up with the solution you need – and not the solution your auditor’s preferred consultants or the technology vendor have in mind. There is a lot of room for improving your projects to better meet your targets while keeping the projects lean.

Identity and Security Intelligence
Kim Cameron, Microsoft
Matthew Gardiner, RSA
Robert Griffin, RSA, the Security Division of EMC
Edwin van der Wal, Everett

Security is now as much a question of visibility as it is of controls. Enterprises need to be able to see what’s happening throughout their physical and virtual environments, including both in house and in the cloud. This session discusses the role of identity management in security intelligence, including the kinds of information that enterprises need to collect, the kind of analysis that needs to be performed and the ways that the resulting security intelligence can be applied in making effective security decisions.

  • Most things we look at in IAM systems like Identity Provisioning are focused on creating logs and historical reports, but not on analyzing real-time activities
  • Most things we do for example in SIEM (Security Information and Event Management) or (even worse) at the firewall level (despite some advances in “next generation firewalls”
  • Integrating IAM with DLP, SIEM, Firewalls thus is a must – security intelligence without taking identity into account is security stupidity
  • When moving forward with new concepts like claims-based authentication and the underlying authorization another aspect comes into play – how do you monitor and analyze what is happening here? Things become even more complex and providing Governance and Intelligence here from the very beginning appears to be important
  • In addition there will be some discussion about how to deal with “dynamic authorization management” environments from that perspective – when looking at XACML or claims-based concepts, we don’t rely on static access control lists but on policies and decisions made based on attributes/claims provided at real-time, which is a new aspect. That is probably a little outside of the key topic, nevertheless it makes sense
  • Besides this there is the notion of Access Intelligence now which some vendors interpret just as using Business Intelligence technologies on identity-related log data (beyond reports) while others include real-time information from DLP or SIEM or whatever. You might discuss whether there is a need for that; whether this is really new (I’d say it is something which is just part of Access Governance); and what it should cover
Ammersee 1
15:00-16:00 Access & Entitlements
Best Practice: Telecom Italia
Giovanni Ciminari, Telecom Italia

In order to comply with internal and external regulatory requirements, Telecom Italia had built a "Traceability & Secure Logging Framework."

During this session we will cover this framework as a basis for a ‘best practice’ approach on how to implement a good Identity and Access solution.

Access & Entitlements - More than just Role Management
Gerry Gebel, Axiomatics Americas
Martin Kuppinger, KuppingerCole
Marco Venuti, CrossIdeas

Access Management is a hot topic. It is about controlling who has access to what or, in other terms, who is entitled. Entitlements are what we need to manage. A common approach to that is Role Management. Role Management is established and there is a lot of experience with it. However, this experience led to two important learnings:
1) You need more than roles - you need to understand competencies, context, and the business processes.
2) Role Management approaches are typically too coarse-grained for complete access management down to the system level. The result is that the high-level management is done by roles. The lowest level of this role model (which typically is 2- or 3-tiered) is then mapped to the highest level within the different systems: SAP roles, Active Directory groups or whatever else.
A better Access Management, really and fully managing the entitlements, needs to go beyond roles and beyond a static assignment of entitlements. It is about moving forward to a Dynamic Authorization Management that integrates with what you have. That is a longer journey, but you should start now. The session will provide best practices, experiences and advice on how to move forward to real entitlement management.

Ammersee 1
17:30-18:00 Closing Keynote
Dave Kearns, KuppingerCole
Prof. Dr. Sachar Paulus, KuppingerCole
Auditorium

© 2013 KuppingerCole