Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
Keynote at the European Identity & Cloud Conference 2014
May 13-16, 2014 at Munich, Germany
To the official opening of the European identity and cloud conference 2014, it's number eight right now. So we started several years ago, the conference crew year by year. And I think we have a very interesting trend again this year. So I will talk about a number of topics so that the main theme is privacy needs, security, security needs privacy, and the new ABC of it end of businesses needs both. I will talk about this then during my presentation. So keeping a call Analyst, Analyst, company, provid research, advisory events, a lot of information available here. So I skipped this.
Most of the housekeeping slides will be at, at the end, but this is usually the more important ones. There's wifi available, something around wifi at C. So I haven't looked it up, but you will probably be able to identify it and all the information around Y should be on also in the material you have received. So let's directly start with my, my presentation. I want to start with a short history of it, a pretty rough history of it.
Honestly, the impact on business security and privacy from the 90 eighties onwards. I can't talk that much about the time before, but that's sometimes, sometimes in the early 90 eighties, my it, hopefully this won't a sign that I should come to an end right now, Ladies and gentlemen, please join us now for the keynotes in. Okay. Obviously some people are still hanging around maybe next time we do it before the presentation starts. Okay. Let's let's go back and let let's look back.
So in the, this 80 of 85 period, we had personal computing first. IBM PC back then. Not that far later I've bought my first IBM PCT. I still have it. We thought on rather quickly local area networks we had on the client seem. And so the Internet's slowly becoming something which also was relevant outside of the education and the defense etc space. And didn't take that long. And then we had the new economy software as a service, the bubble, the stock markets, and going down again at some point of time, little after the year, 2000. Yeah. Then the search instance, Google.
And so becoming a standard tool, becoming a standard word. So we are Googling something or so this evolution of the internet becoming witches. And so then the next period, we saw a lot of things. So cloud computing, sort of the next generation of SaaS and some more things, really growing big smartphones, appearing at the market and Facebook and other types of networks appearing here.
So this, rather than right now, we are talking about big data. And the next thing we will see probably is the internet of everything and everyone. And I think it's more than the internet of sings because yeah, it's not only sings, it's sings and people and so on, which will sort of be the main theme of the next years, from what I expect and all these things had some impact on the business. So when we look at personal computing, it brought some agility for departments. They could do some things themselves they never could do before.
So they, they could calculate some things and spreadsheets, et cetera. The local networks started to bring in collaboration using the same documents by various people, client server, the internet brought some agility for it, making things easier to develop.
Again, there was clear impact on the business and logically this evolution there's a, some were more driven by it. So you're offering some were more driven by the demand, new economy stuff brought a lot of new business models for it. And for organizations, there was a lot of discussion. And that back in that time, we've seen with Google, we entered a face, Dr. Earls named the attention economy, where we tried to learn as much as possible about the people and then trying to catch their attention by displaying the right Edwards. Unfortunately, doesn't still doesn't work perfectly well.
So, so once you acquired, let's say a new car, you get a lot of other Edwards for next car, even while you might drive the one for several years from them, but, okay. So, and then all this cloud computing, smartphone, Facebook stuff from a business perspective, it meant, yes, it's changing the business. So we have to deal with mobile users are employees are getting increasingly mobile. They can do more things. We can work differently with our customers using social computing so we can deploy applications faster using cloud computing.
So this computing, dry cloud mobile social became a big theme here. And then the consumer analytics trying to understand more and more ideally, whatever a Google class or however this thing is called so that we can directly display what the person might want to do. Unfortunately, we still don't know it.
So, and then let's look what will happen next. And I think what really will happen next is, and this is one of the big themes is the connected or extended enterprise. And that's what I call the agile businesses that are connected. The ABC agile business connected. And this is really organizations are changing their supply chains there, business process beyond the border of the, beyond the performer pyramid. There's not this pyramid anymore. And this is a big change. On the other hand, the side of the business impact, there was also some security impact.
So when we go back to this sort of history of it and look at it from a security perspective, back in the 1980s, 90, 85, there was not that much in security, not much concern, honestly, very little in 85 90. So then we learned more about, oh, the first viruses, the first concerns popping up. So understanding, okay, there might be something which, which you yeah, causes some trouble. Then on the, the age of where, where client server started and the internet started, we also saw the rise of firewall.
So from an discussion, which started a little earlier, we saw more and more of these things to protect the parameter of the organizations when we open it up a little more network security stuff, but mainly focused on the local part even in the next years. And then when we go, go forward. So the impact in this next period, this was, was really the identity. Management's early days we've seen there in the 2,002,000 fives.
A lot of, yeah, in fact, identity management became a topic. We founded cope and colon 2003. So still in the relative early days, and this was what happened there.
And, and then with all this computing dry stuff, 2005, 2010, we experienced the end of the perimeter. In fact, so we don't have this, oh, this is our internal network. And nothing happens beyond that. We experienced really an end of this and a far more complex situation of handling security right now with the advanced persistence threats and nation state attacks occurring in the next period. Then. So we have seen a lot of new challenges there with opening up the things.
And when we look at the, the next decay internet of everything and everyone, what we definitely need there is to move from system server, network centric, security, towards information centric security in a world where we don't have to parameter anymore, where information is flowing more and more freely. We need to shift the way we do security, looking again at it from the perspective of privacy. So in the 1980s, interestingly, back in 1981, the CCC has been founded.
This is a German cows computer club club, which is sort of a group of people hacked with enthusiastic, etc, which are pretty prominent right now. They were founded back in 1981. So the very early concerns on that, interestingly, even in 1989, a was a topic in the press. There's a speed, which was a trauma political magazine, weekly magazine report on the Lon network of the NSA, which then at that time back, looked at the phone and the fax traffic. And so it's not that new.
What happened later on, we saw the first standards around securing information, PGP MI, and then little later SSL TLS technologies. So with more communication, more business models, the need for securing this for protecting, it popped up. I'm done when Google came and the others, we are had cookies everywhere. So we experience there are companies which try to learn as much as possible about us, even if we don't want this. I would say that the age of 2005 to 2010, wasn't that much the age of the digital natives. It's probably more has been the age of the digital natives.
So I've left sea out here. So people who, who really didn't understand the privacy challenges, the security challenges of all this, then we understood privacy a little bit more, especially after the Snowden revelations last year, I think very obvious. It became a hot topic. Interestingly, when I look back at that, so when the, the information about from Snowden came into the news, I thought, okay, let's wait for three weeks. And now one will talk about it anymore. I was wrong. And I think this really has changed the perception of information security.
I trust told one someone a little ago today. So, so in former times it took me five minutes to explain someone what, what I do right now, it takes maybe two sentences to explain what my business is, because information security is something which is understood by which we all people. And what, what should happen next is that we end up with privacy by side. So building applications in a way that they are privacy by decide. So this is basically the sort of the, the, the history, which, which I observed.
And when we look at this, so more, more in a complete picture ever were, was a lot of evolution. Many of this is related, not everything, but this is basically the big overview on that. And on the other hand, as part, as a consequence of this, we are moving towards a new area of it, where the connected business, the actual business and the connected business become sort of a standard theme in these days. So when we look at business today, they have to be at trial.
And some of you might have been at my key attending my keynote last year, where I, I talked about business, driving, what we are doing in an it, we have changing competitive landscape, economic turmoil, globalization, new business models. These things require organizations to become far at agile. You have to connect with others. And this is exactly where the connected part comes in.
We have to look at modern employees, they're the business partners, the customers, and many it departments currently struggle with the fact that their business come and say, Hey, help us rapidly onboarding our business partners and offboarding and them again, help us integrating our customers, help us to deal with these changes. This is a challenge. Organizations are connected. We have to access cloud services and not on any horizon anymore, but really becoming a reality. We have this internet of everything and everyone, the connected vehicle, the smart metering stuff.
A lot of other things where we have things which have an identity, which we have to integrate in what we are doing. And this is what businesses demand.
And we, as the it, people, as the information sector, security people, as the identity management people, we have to provide answers. We have to support this, this new ABC, this agile business connected. These are the, this is really the thing, which is driving from my perspective, what we are doing here in information security. On the other hand, I think it's, maybe I'm too scared, but I don't think I'm too scared. Unfortunately, what miscarriage is that I'm, I'm not, not too scared. So to speak. I think we, we will experience a disaster. Not that far ahead, something will go wrong.
It might be hacking the connected vehicles on broad scale. I I'm really reluctant having my vehicles being controlled by someone else, running out of water on power attacks on the critical infrastructure, mass blackmail bypass, using big data. Someone has collected about millions of people. So whatever will happen, something will happen manage robot, but something will happen. It will happen. At least if you do not change the way we handle security and privacy.
And when I look at what currently is happening around the internet of everything and everyone, a lot of this is not happening with privacy and with security in mind. And that's what really scares me.
So, and I think there's a logic, privacy needs security. So we have the laws and regulations, and maybe we should come back to the privacy of correspondence, posts and telecommunications. When I go back some years, we had a situation where things were better regulated than they are today. So where's the, the SC my emails are obviously less secure. And the snail mail form days has been what we need there for is drafted identification and strong authentication. So we need to know with whom we are working and what we need is end to end encryption.
So we need security, which is really end to end in the context of people. So privacy need security. If we want to get back to a more sort of privacy, a fine world, we need security. We need trusted identification, strong authentication, and to end encryption on the other hand, security needs privacy as well. If you look at social networks, they're coming, starting point for advanced persistence threats. So you start with some, collecting some information from a social network to identify people.
You might send an email with some malware attachment, whatever in an organization, and then things go forward. This is in fact how the RSA secure idea attack started from what they've they've told in their Bronx identities. Have. The other thing is the person really the one you think it is, or is it really the service you think it is? So when we think about a more connected world, that's not about, only about change an email or authenticating a user, but where you have to services talking with other services or someone, a service talking with our car, whatever, how do we ensure that it works?
So we need to manage these aspects here as well. And I want to, to spend some time right now, looking at some of the, the evolutions I see in this broader market. So the digital future, from my perspective must be security, privacy enabled, and nevertheless convenient. So if it's not convenient, no one will accept security. Even in these days, not I think the, the acceptance of, oh, I have to authenticate a little bit better than before, might be bigger than ever before. But again, but it's still a situation.
If you, if it's not convenient enough, it's not enough. So here's my digital future password.
Bingo there application security infrastructures is a topic information-centric security, domain, independent security, security, secure information, sharing, layered security, and the firewall and antivirus or ware what's next, the realtime security intelligence, software defined environments, computing infrastructures, however you call it secure internet of everything and everyone, future of authentication, authorization, cloud IM future of email security and privacy life management platforms, and why this is all about identity and access.
This is what I will talk about in the remaining 20 minutes. Quick, quickly looking at all of these topics. So application security infrastructures, it's not that new. When we go back some five or seven, six or seven years, there was a, a very small, short type around this term of application security infrastructures. The idea behind us is saying we don't hard code security into applications anymore. We externalize security from replication. We rely on standards. We rely on services and we manage it more centrally.
So externalizing these four A's administration authentication authorization audit. The first two ones are relatively easy. We have well established standards held up Sam, whatever the other tools are a little bit more challenging, especially when we want to go to come to fine train authorization. There's exact as a standard other standards for audit. They're still not the established standard here, but overall, we are moving to a bigger number of standards to do that where we can say we rely on security services. We don't hard code security anymore.
We have more lightweight APIs based on rest chasing trade WT and tr C for security. So we are moving ahead on what we definitely must consider is how can we build a set of security services, security infrastructure, which provides our security services and the standardized and mature way, instead of doing security as point solutions, security as hard coding, we have to move away from doing that. Look at a topic of application security infrastructures. It will come back. I think it's one of the important evolution we are facing them for the ones who know my presentations.
They probably all have been waiting for this slide. I think I have it in every presentation. It's my computing drag slide. It's about information security, centric security as well. So this computing drag, these are these three overarching trends. We have cloud computing, so different deployment models, social computings, different of populations, different ways to log in cetera. We have the mobile computing stuff. So more device types, cetera.
And this really has changed our, our scope of information security from the traditional scope of our inner parameter, our desktop systems, our employees, et cetera, towards the world where we have to deal with customers with mobile devices, more types of devices, etcetera, etcetera. And at the center of all. This is one thing it's information it's about the main question is how can we protect information? All of these things at the end are centered around the question of how to deal with information, how to protect information.
Interestingly, the term is information security, not technology security. Most of the things we are currently doing are technology security. So we protect the network. We protect the server. We should protect the information, information. Security should be about the I in it, not the T in it. The business does not care about the T the business cares about the, I, they care about I information, how to deal with information, how the worker's information, etcetera. And I think it's very important to change this, this focus.
And interestingly, regardless if we look at mobile computing, mobile security, or cloud security or whatever, the, at the end, it's, how can we protect our information? That's the basic question. If you solve the problem of protecting information, we have at least some part of the answer to cloud security, to mobile security, et cetera. If you start with mobile security, we are looking at one small part of it. We look at this only thing, this mobile computing, how can we make a little piece of this more secure? This is what we really are, are doing.
And does it make more sense to invest in the strategic center of this information security, or does it more sense to look at some point solution? I think the answer is obvious. Oops does not go ahead. Okay. And that leads us to the need for secure information sharing. So which technologies will allow us to protect information always at rest and move and use. So this is, I think the challenge we have, we are good in protecting information that resides on a server. But what about information you send around and information usually is moving around at some point of time.
So there's technology out there, rights management, for instance, where you encrypt the document where you attach the access controls to do document and the applications. And first the access controls when they decrypted that's where, which really makes things work. These technologies are not really new there. The approaches are out for, I think, more than 10 years, but right now, these things are getting more mature. It's one thing and there's more demand. So we have both, we have evolution of technology and we have growth in demand.
I see a lot of organizations really thinking about how can I protect my blueprints? How can I protect the data export from SAP? How can I protect whatever else this in fact is about a domain, independent security right now, our security is typically very domain dependent. We have a network security domain, and we look at this and how to protect our parameter, which doesn't exist anymore. That way. At least we had it before we look at how to protect our file service, how to protect whatever we look at domains, domain, independent security is about what is secure servers.
Yes, but not only networks. Yes, but not only systems.
Yes, but not only clouds, not so easy. So I think the point is, again, what is really at the center of attention, it's information. Information is the new parameter. And as I've said, we call it information security for a good reason. The main independent security is securing your information at rest in motion and use.
Nowadays, we are at a point where we can start doing this. We had, I think, a long way to go, but I think it's worse to look at this. And then I think trust last week, someone from Symantec announced that anti malware is that I think it's very common these days to claim the death of something.
So my, my colleague, former colleague, Greg bur once claimed that Analyst death, that I think it's a well living zombie these days. I think exactly. Also us said being that right now, it's anti Melver. I don't think they are that no, even while I'm not a big believer in that this solves all of our challenges, but that doesn't mean that these things are that because we still need a layered security. So even when we think start thinking from the information, if even if we go information centric, we need to have a layered protection.
I think the challenge for a company like Symantec is that the markets are changing. So things are becoming a commodity, et cetera. I think that is the reason why they think this might be that there's not that much business anymore, but it's a part of a larger story. And if you define it larger story, right, it works. And we also need it because threat landscapes are changing. So we have to look at it, but in a different view than we maybe did before. So it's not a single file or another single landing in malware or whatever, which, which finally protects us.
It's about the right combination of things. It's about understanding what happens at various points at the network parameter at the end point, cetera. And if you want to look at advanced ATX, we also need advanced security. If you want to be resistant against this, we have to do it, but we have to put it into context into a combination of things, not saying, okay, deploy an X generational firewall, and I'm done.
No, I'm not. I have to understand what it is. And I have to start information centric. That should be my main viewpoint. There's some interesting evolution there. We have various threats around it, which is called, which we call real-time security intelligence. It's still, still in its early stages, I would say, but I see various vendors moving forward in that space.
So, so what, what is it about we had cm? And so if I had to say something, is that, then I would say, cm is that, which also would not be fully true. But if I have to declare something that then I would start here, cm security information and event management struggles with the fact that it's a tool, not a solution.
So, and it's from an analytical perspective, most are too limited to cover everything, but it still has its place as a pre-processor for new types of solutions, as a part of an broader solution, even while it never will develop to the promise that has been made at the beginning. So you have information from various to cm, privilege management activity, monitoring locks, etcetera.
You bring this together with real time threat information and you add managed services because the main challenge in security, a analytics is people who understands the complex relationships, the complex patterns, etcetera. You only cancel it with managed services apart for configuration, for analytics. So this is where really realtime security intelligence comes into play. And then you can provide information to your it GRC. You can think about controlling your software, defined computing infrastructure, provide information to your service desk with the remaining incidents.
But it's a new type of analytics where it's not only rules. It brings in big data analytics, realtime information, pattern based, anomaly, beha, anomaly detection, etcetera. And there are some interesting things going on from various vendors. I think IBM is here. Some others in the are in the market as well. Definitely worse to have a look at what's what is happening here? And this directly relates to this topic. I've touched before the Ste S D C I part.
So the software defined, whatever you can find different names, software defined environments, computing infrastructures, clearly it's more than software defined, networking and network functional virtualization. This is just a small part. And if you start making a strategy for SDM, you definitely make, make a mistake. There is SDM is not strategic for itself. It's strategic as part of the bigger story full stop.
So it's really about the entire infrastructure, your virtualization, infrastructure, storage, firewalls routers, whatever the entire infrastructure, making it more flexible based on standard APIs, centrally managed and applying one set of policies, a consistent governance on that. So you have one set of policies to manage the entire infrastructure. You don't have to network people creating their policy, which is not in sync was policy. The virtualization people have created and not in sync was policy that storage people have created deal.
That means you have to re rethink your organization and get rid of some of the silos you might have in there. And it provides agility for your business. So I think about a vision of you have an incident detected and you reconfigure your software, defined it environment, because it's the only way to reduce your, to mitigate your risk on the fly. I think it's not that far away. And it's a interesting potential. We're observing here.
This, this is really some of my vision. Imagine a world where new Strat information ly medically changes to protection. Yeah. Then security of D I O E E. Everything has its identity. So if you look at a connected vehicle, there are many things in that vehicle. It's not only one. There are many things and they all have their identity. You have to understand their identity. They have APIs, they communicate, they can communicate, you need access controls per identity. You have to understand which part of this is allowed to communicate with which other part.
So some information might go to the police, but only under specific circumstances. You're so the leasing car company might not get access to all of the information while the driver might not get access to some other part of the information, the garage might access some others. So it's about access controls about in fact, privacy settings for these things. And we have to understand this entire story will only be successful. And we only will avoid a disaster.
If you understand that things have entities and that we need to manage these identities and their access and the privacy for these identities. We see that a lot of things are also changing in the authentication authorization space. So when looking at the future for authentication or authorization, this will be versatile. So we will have different types of authentication mechanisms supported, step up, cetera, it'll be dynamic.
So this is part of the application security infrastructure stuff we rely on services at is this user allowed to do that right now in his context, based on his authentication, using that mobile device, doing that thing and risk based having policies in place. So we will have to move away from black, white decisions in that area towards far high crane Farran decisions. This is mandatory for this computing dry car where we have not the inner perimeter anymore, where we have farmer complex environment. So where does this entities come from? Yeah. Good question.
Honestly, I don't have the perfect answer on that. Maybe an Andrew has, there will be bring your own device and bring your own identity. I thought strong authentication devices, driving a lot of things. So there's a for instance, vital Alliance workshop on Friday. A lot of other talks around that, but who will be in the middle? I'm not a hundred percent sure. I think we will see a lot of changes in that space with cloud providers, et cetera, with new things, but all these things finally are important for this new ABC.
So if you want to move there at the end, a lot of these things are about the same and especially a lot of the requirements businesses bringing in are about the same access to cloud applications, access to business partners on and off boarding of business partners, customer interaction, mobile user access, API access. All this is about the same set of technologies. This is about moving forward to a system which allows us to handle this sort of outer space relationships in whichever way we do. So don't start with point solutions on any of these challenges.
If one of these challenges pops up in your organization, think about a strategy. The future of IM will be hybrid with cloud components with on premise components. It will be fully on premise over time, nor will it be fully in the cloud. We have a lot of legacy applications. We need to manage external users, external access. I strongly believe that the future will be hybrid. We will see a lot of evolution, hopefully around email security and privacy. That's something where you should listen to a lot of levels.
And later on, clearly it's about end to end encryption, not only SSL between your client and the email provider, it's about reli identification and strong authentication. So we need to move forward in the space. And it's about user control of privacy. So the user consent is a very important concept here. One of the concepts and we have round table on around this live management platforms.
One of the concepts we have here, we introduced it two years ago are what we call live management platforms, where it becomes really clear there as the business behind privacy, you can make businesses think about selecting the insurance company of choice. That's something where the insurance company can get rid of the brokers. So savings on that side, and you don't have to tell people you don't trust too much about you. There are many other use cases. Don't have the time to go into detail, but this is the thing. And all these things in fact are in some way about who or what.
If you look at the services, the things is granted access to what, who can access the information who can access privacy, who is allowed to do what in a dynamic authorization, what are the things allowed to do? It's about identity and access. This is the key scene around all those things. What we need is privacy by the design and security by design. It's time to make that paradigm shift security has an afterthought, never works. And I think we have a long experience in this masses of standards, mass of it solutions, which were invented without security.
And then it takes a while until security comes into play web services, okay. We started with web service and then said, oh, we need security. Always the same mistake. It's far better to build it in. And we need also to bring in privacy, the paradigms are here for both. And the technologies are here as well. We can do it. There's no reason not to do it. Let's stop the endless story of it. Failing in security and privacy. We are at a point where we need to do it to support the new ABC. And we are at a point where we can do it. Otherwise the new ABC will turn out being dyslexia.
And that's what I want to invite. And this is driven last slide by business need and demand. So this is really business needs. Security business needs, privacy protection of intellectual properties, etcetera, et cetera. All these things are business demands. And this is what really drives date. It's not the admin need, which drives it. It's really the other way around. So it's about agile businesses connected, which we need to enable, and we need to do it because without information security, without add the access, businesses will fail in their, in what they need to do today.
Some housekeeping information. We have several meeting points on the first floor this year, Deloitte Truva IBM, ourselves and Microsoft. So there's stages to the first floor. Have a look up there. Wifi have talked about it. There are some beer garden trucks between probably 10:00 AM on 2:00 PM would be more appropriate. So excuse to type for here on both Wednesday and Thursday. So don't pop up during the night. There will be over there. So 10:00 AM to 2:00 PM. Interesting, because you can get in more, more detail, better contact with the vendors tomorrow evening.
We have our awards ceremony, Eddie auditorium for our European identity cloud award. Don't miss it. There's a B dinner afterwards and there's the EIC raffle with some sports Mayo ping drew on IQ and some interesting prizes to win a very cool bike. A cool watch.
Oh, no smart watch, but a cool watch. Maybe it's contradictory wireless high sound system on monster on your headphones. How cool I'm too old for this headphones. If I look at a color, okay. How to try and whistle the booth. Talk with their experts, collect a sticker, complete place, a completed card into the raffle box. I will talk about it again before and after break. So yeah. And one important thing. We have an additional keynote at 7:00 PM. Don't miss it. So I am best practices, meat and potatoes best practice with after here, constant. So this is missing in the agenda.
So we have one more, but I'm sure you all will attend all the keynotes so you will hear it anyway. That's it. We wish you an interesting thought provoking and informative or wish you informative days at ESC 2013. Thank you.