KuppingerCole Webinar recording
Good afternoon, ladies and gentlemen, welcome to our KuppingerCole webinar, "Extended Enterprise: The New Scope of Information Security". My name is Martin Kuppinger. I'm founder and principal analyst at KuppingerCole, and I'm your host and the presenter for today's webinar. Before we start with the content, some information about KuppingerCole and some housekeeping information for the webinar. So KuppingerCole is an analyst company. We are providing enterprise IT research, advisory services, decision support, and networking for IT professionals.
Our three groups of services include research services, our reports, our leadership documents, comparing vendors and various areas of the market, segments of the market; our advisory services, suppose vendors and end organizations where we pro in strategy, vendor selection, roadmaps, and other aspects; and our events, including these webinars, but also some present events. So two upcoming events we have here are our Information Risk and Information Security Summit, which will be held November 27th and 28th in Frankfurt. It's about solid leadership and interactive session performance.
So in this event, we'll have five key topics for information security and information risk management, and we will have more sufficient time for every topic. So there will be a thought-provoking initial presentation by one of the KuppingerCole analysts or a practitioner from the industry. Then we will have time to discuss, and we will end up with some resume where we put together the most important points. And we also will follow up with a KuppingerCole report on that, specifically for the attendees, putting together the most important learnings from this event.
So it's a one-and-a-half-day event and you shouldn't miss it. It's in Frankfurt, end of November this year. And then our leading event, the European Identity and Cloud Conference 2014. This event will be held May 13th to 16th in Munich. It's the leading event around identity management, cloud security, information security center around Europe. We have some 500 5600 attendees.
And again, you shouldn't miss this event. Have a look at our website regarding these events. For the webinar, some guidelines: you are muted centrally, so you don't have to mute or unmute yourself. We control these features. We will record the webinar and the recording will be available tomorrow. And the Q&A session will be at the end. So you can enter the questions at any time using the questions feature in the GoToWebinar control panel, which you will find at the right side of your screen. Usually there's an area of questions and there you can enter questions.
My experience is that it's a good idea to enter these questions once they come to your mind, so that we end up with a good list of questions when we start into the Q&A session. So let's have a look at the agenda, which is fairly simple for today, given, though, that I am the only speaker. So I will talk about the extended enterprise and the new scope of information security. I will talk about what is changing today, what it means for information security, where to start with information security, how to address these challenges in a strategic way.
And this is really the topic of today, starting a little bit with what really leads to this change and this evolution we are facing these days, and then moving forward to what to look at, what are the most important things to do to be able to cover and deal with these changes we are observing. So I want to start with a picture some of you might have seen before. So I'm using it very frequently and several of my colleagues are using it.
Now, some other persons in the market are using this picture. It's the Computing Troika slide. So there are in fact three major changes we are observing. One was the cloud computing stuff. So we have new deployment models, not only on-premise IT anymore, but over the last few years, the cloud really has become a standard model for computing. We have the social computing stuff, which is in fact more than social computing. It means we are dealing with far more groups of people than ever before.
So it's not only to focus on internal users of applications and some externals, but it's about customers, leads, prospects, suspects, whatever we're opening up in that area. And we have the mobile computing stuff. So mobile computing, this is really about different types of devices. And the sense of was a situation where, you know, an external user might use a mobile phone to access a cloud service an organization is running, and it might be the customer and the cloud service to transac external the mobile device.
And there's no touchpoint with the internal network, with the internal IT, anymore. Everything happens out of the, let's say, traditional perimeter. And in fact, this Computing Troika thing means the end of the perimeter in the way we know it. So historically we have this sort of inner traditional scope of information security, and this is really changing. It's breaking up and we have to rethink how we can protect information. Information security, that's not technology security. It's not about how can I make a smartphone secure, but it's not about how can I make a cloud service secure.
This is another main questions. These might be consequences. But the main question is how can I protect information in that changing world. And for what we see as analysts in our advisory business, virtually any company we are talking with, any organization we are talking with, is affected by this change. So during the last one and a half, or maybe two years, a lot of conversations really moved away from, let's say, traditional on-premise identity and access management and information security towards: how can I onboard my business partners? How can I deal with my customers, et cetera?
And I think this is because they are business challenges, which are tightly associated to this. So when we look at today's business challenges, there are various challenges. So there are the prominent challenges of globalization.
So most organizations are becoming more global, acting more in a global competition. We have a permanently changing competitive landscape. We have the need for growth, for increase of earning services, and more of the challenges to hunt for talent, a big issue in many areas. And we have occasional challenges such as economic turmoil or changing regulations. And that means that organizations have to change the way they act. They have to become more agile.
This is one of the really important things: they have to be able to, far more quickly than ever before, change their business processes, enhance the business processes. And one of the important key elements in this is the extended enterprise. You also might name it connected enterprise, or you might name it open enterprise. I don't care. This extended or open enterprise is really about: we are enhancing our supply chains, more tightly integration with our suppliers.
It's about using, and that's more driven by the financial aspect, more cloud services, becoming more agile in the way we procure IT services and we supply this to the business. It's about the customers, where we also extend, where we also enhance our collaboration and communication with customers, et cetera. Many of these things, these success factors for businesses, in fact are tightly related to this entire extended enterprise and the need to open up our IT in various ways, in fact, to support and to accept computing stuff.
And so when we look at some of these business drivers such as the extended enterprise and so on, on the end information security drivers, it's very clear that despite of growing this, despite of opening up our enterprise, despite of creating new business processes, onboarding business partners, customers, et cetera, we still need to be compliant. We have to care for breach notifications. And the more people we have, the more we have to care about breach notifications. So the more people are accessing our applications.
It gets even worse when these applications run somewhere externally, where we don't have that much control. It might be better, because the cloud provider might be far more mature in the way he does it. But still it's something which makes the problem more complex. We have to protect our information value. A lot of organizations really depend on protecting their intellectual properties. So I think one of the changes we also see is that business right now cares more for information security and we have to deliver.
So we have to deliver. You might ask, why does this entire thing become relevant right now? Why is this happening now? I think if you go back, we had 85, some 20, 25, 30 years ago, we had some other things. So if I look at the B2B stuff around the late nineties, early two thousands, and this new economy, we started with this B2B market based stuff, et cetera. But over the last, maybe one and a half, two years or something like that, or maybe a little more, this really became a topic for virtually any organization. So what is the reason for that?
I think it's just that several things are facing an exponential growth. So the number of outward-facing processes we have to deal with is growing exponentially. The number of users we have to deal with, driven by consumerization, by social computing, et cetera, is growing exponentially. The number of external IT services we use to support the agility, et cetera, is growing exponentially. And we are today at a point where we can't deal with traditional approaches anymore with this exponential growth.
So at some point there's just a threshold where we can't rely on old traditional technologies, on siloed, inward-facing IT. We have to change the way we deal with it. And this is really the point of sort of an economy of scale thing where we need to change the way we do information security together with these things such as what I call the identity explosion.
So the fact that we might have some 20 to thousand or 30,000 employees, but we might have four or 5 million customers, for instance, a far bigger number of identities to deal with, a far bigger number of identities to give access to. We have to keep this under control. And so over time, really, we see this emerging need of need to share.
So from our centralized infrastructures for internal use, from the PCs where we started networking, shared a little bit more, the internet which came up, the increasing business partner integration with the new economy, and right now the tighter integration of customers. So it's really about this. And again, it's really about this end of the perimeters, a perimeters thing. So it's from the mainframe in the four 90 eighties to the first PCs, the internet which came into play, the first B2B marketplaces.
And so on. Right now, we are in a very complex connected world with external services, internal services, external users, internal users, mobile, non-mobile, whatever, and all these things work together. But at the end of the day, we still have to protect our corporate information in an adequate way. And this is really the challenge behind this extended enterprise stuff: enable businesses to be agile, to be open, to connect with others while not losing control about information, because information is at the core of organizations' value.
And if you look at numbers, there are various statistics out, but organizations suspect at least 50% of their corporate value is based on the value of information. So this entire thing is about corporate value, about protecting the business value. So what do we need to do? And I think this is the next point. We need to think strategic. We need to address the problem from stretch. Think about what does it mean?
And when we look at the three changes we have here, this more users, more devices and more deployment models, then all of them are about extending, opening up our organization, our IT, towards new models. So all of them have something in common. And when we look at this, it's not about saying, how can I protect my mobile device, my cloud, and how can I deal with what or a Facebook login. It's about: how can I protect information in that context?
Because we have to protect information, regardless of whether an employee accesses a cloud service, or a business partner accesses an internal application with service automobile device, or whether an employee using his mobile device accesses the cloud service, or whatever. All these cases are very, very tightly related. And so what we should avoid is starting with point solutions.
So saying, okay, there's a need for business partner onboarding. So we create something, we create a business partner portal. I've seen such concepts. I have seen such concepts where the word security didn't appear on any of the 50 pages. The concept had horrible a nightmare. But even if there's security, and it means, okay, we build a security solution for onboarding business partners. Two months later, we start building a solution for protecting access of the employees to cloud services. Then we add something for, oh, mobile access of our employees.
And we build a lot of solutions, all of them uncoordinated. What does this mean? We are wasting money. We are in this tactical curve. So we spend a lot of money, then nothing happens. Then the next problem appears, we spend money again.
And again, in most cases, this looks far worse than in this picture, because the strategic curve will be far lower than the tactical curve. So clearly, addressing this problem in a well-structured, well solved sort of way means yes, we spend some more money at the beginning, maybe because we have to invest in a concept, but done right, it helps us to understand, okay, what can we do based on our standard solutions of today and how can we move forward? So what can we do with other types?
What else do we need to cover as much as we can with a stringent, consistent approach? And the only way to do it strategic means that we focus on the core of the problem. The core of the problem is: how do I protect access to the information regardless of the identities, regardless of the devices.
So from my perspective, in our KuppingerCole perspective, sort of the new ABC, the Agile Business: Connected. Businesses have to be agile and they have to connect. We have to support it. You might name it open enterprise or connected enterprise or extended enterprise, as I've said, I don't care, but it's about agility. It's about connected. And it's about doing what I've talked about before. There's a demand on the business side.
Demand is: we need to use large services, access business partner systems, collaborate in industry networks, enable the mobile workforce, onboard business partners, interact with customers, whatever. We have this demand. And we have to understand what is the supply. And the most important things in that supply are, first of all, around identity and access management technologies: federation, using cloud directories, the more advanced cloud directories with integrated federation, which are popping up right now. Look at what Microsoft is doing, Salesforce.com has announced as we, et cetera, et cetera. We need to look at cloud computing and cloud security, versatile authentication, and risk- and context-based access management as key technologies. Yes, there might be mobile device management, mobile security, as one of the elements. There might be some other things, but the key things in that really are around: how can I protect access of all these various persons with their identities and the various systems with their identities to my corporate information, regardless of various results.
This supply allows us to leverage the business value: agility, compliance, innovation, collaboration, communication. And this becomes even more complex. I did a webinar around APIs and the business value of APIs just some two or three weeks ago. And we not only have to look at the user accessing the systems. We also have to look at applications using APIs, accessing, being orchestrated, accessing other information. So it's not only about a person to system, but also a system to system interaction.
And this is also very much within this access to information. We have to be ready for that as well. This is part of it, and it's a part of the entire story. But going back to these key aspects, I want to touch the authentication stuff first. So one of the things we clearly need to have is flexibility in authentication. We need to be versatile. We need to be dynamic. We need to change the way we are doing it. So traditionally it's about sort of a black and white decision we have. So someone authenticates, that, none single, okay, this is a good person. Yes, let him access where he's granted access to. Wrong. It doesn't work anymore.
So we probably won't let the same person do the same thing regardless of whether he used a strong one-time password hardware token authentication, or whether he used the Facebook login. So the strength of authentication comes into play. But also the question of which device is he using? Where is he?
Which location is he on? Is this device secure, whatever. There are a lot of factors there. So the context of the user, additional attributes we might have around the user, from public identity providers, from other types of identity providers, the credentials or strength of it, this is really what decides on what we do with authentication and authorization. This must be based on policies, so that we then can access the service providers, whether they are on premise or in the cloud. So we need to understand it's not about static anymore. It's about dynamic.
It's about changing the way we do that, working in the context, and ideally not only during authentication, but also during authorization. This is more a long-term journey, clearly, because it means over time we will have to change the authorization models of applications towards the dynamic approach, which does not rely on "authenticated: yes, no", but on what has been the context, depending on the context, and deciding based on policies what someone is allowed to do. The second element within this is versatility. So I see a lot of organizations currently asking for, hey, my marketing department came in and said, oh, we need to support a Facebook login right now.
Then the IT people might say, okay, first of all, I don't know why. The second thing is we might have a customer who might do a financial transaction which is worth several thousand euros. So we can't rely on a Facebook login for that. We just won't do this. So understanding the risk stuff. And this means we need to be able to work with various types of authentications. And when we look at all the discussions around bring your own identity, so approaches where people can use one of the identities they commonly use, then it becomes an even bigger challenge here.
So it's about supporting passwords, tokens, biometrics, certificates, whatever, various types of authentication, but also understanding that every authentication will allow access to everything. Again, it's about understanding the risk of the information, taking the context and using policies to decide about what is allowed or not. The areas where we mainly find that type of versatility today are the finance industry, banking and eCommerce. So it's about also supporting step-up authentication, et cetera.
So there is technology out there, and I am a strong believer that this is a key technology for every enterprise to gain the flexibility in dealing with various types of mobile devices. So we have different authentications. One might be the fingerprint stuff from an iPhone, for instance, where we say, okay, if it's the fingerprint, we trust it more. It's not a fingerprint when it's a standard PIN stuff. One example. So it helps for that. It helps for Facebook, et cetera. It helps for the social computing stuff. So this goes into every one of these areas we are facing, and this is through the next step. And then it's about making risk-based decisions about authentication and authorization. So understanding the context, the credentials, et cetera, understanding the information risk, using policies, and then deciding on what is allowed for whom. This is really the fundamental thing around this. And that means this is one of the key aspects. It's not the only thing, clearly.
I mean, I don't think that this does solve everything, but this is a key of information security for the extended enterprise: understanding how I can use various types of authentications, deal with various identities, manage various services, and then based on the context and all the other information make not only black and white decisions, but understand what is allowed under which circumstances and in which context. This is really the thing we have to look at. There are more things to do. So when we look at cloud computing, clearly we need cloud assurance.
We had various webinars around cloud assurance, around our standard approaches on cloud providers, Turing cloud service provider assurance. There are various reports out on our website around this topic. So there's a lot of material from our side in this area. You might have a look at the podcast around this. So this is one of the areas, really. It is also about the mobile security stuff. So when we look at mobile security, securing mobile access, we can look at this as a layered security approach.
So the most common solution currently is looking at the outer circle of it, which means things like mobile device management, et cetera. The problem is mobile device management. We also did various webinars around mobile device management. We have a report out on mobile device management and all that stuff. Looking at mobile device management, it means we try to protect a specific system. We always might end up with systems that we can protect. And it's a permanent challenge to make these systems secure.
And we don't address the problem from the core, and the core is the information. The same is true with network security. So if I use a mobile device and access a cloud service, network security might not help. It's about understanding authentication, so risk- and context-based authentication and authorization. It's about protecting information. So look at all the things which are happening in information rights management these days, a lot of things going on.
So encrypting information, ensuring that it can be used only in a specific way. And that's what it's really about. Information risk. So information risk that occur, we need to protect information. We need to manage access to this information. And then the other things might come in in addition. But if we don't solve the key problems in the middle of the circle, then we will fail. And this is really the key message. And the good news is, if you look at the inner part of the circle, that not only helps with mobile security, it also helps with cloud challenges.
It helps with onboarding new types of users, et cetera, et cetera. One important thing to understand is, to do this correctly, we also will have to change, to review at least, the way our IT is structured. We've just published an updated version of this. We have a product which is called The Future of IT Organization. So really looking at how IT organizations from our perspective might need to change. And this is based on our S future IT paradigm, which structures IT, and the quintessence of this for today's webinar is a very simple point.
We have to understand that, or to look at every type of IT service as a service in a consistent way. So regardless of whether it's on-prem or cloud or whatever type of on-prem and cloud service it is, we have to look at this consistently.
So at our, the level of service and information management, we should look at, we are using the service. We don't care where it comes from.
In fact, we apply our service management, our information management. Clearly there will be other compensatory controls depending on where the service comes from. But if we don't manage it consistently, it will be hard to really enforce information security in the changing landscape. I just can recommend: have a look at this new report, The Future of IT Organizations. So going back to my initial slide, when we look at this challenge, one thing is very clear. The extended enterprise is really a reality today. It's what is the big challenge for the business.
The business has to change. It has to open up. It has to connect. It has to become more agile, and there are several other things. So if you look at all the internet of things or internet of everything and everyone stuff, it's an even bigger challenge here. So the business has to open up, it has to manage this, and it still has to ensure that information is protected well. And that's why I say we need to start in the middle, in the middle where information resides. We have to protect information and we should protect information. It helps us for the cloud.
We understand what a risk of information is. We understand, we talk about encryption. We understand, we talk about consistent approaches for access of information, regardless of where it resides, internally or external. A lot of this stuff is here.
Yes, we might need some other specific things for the cloud, but the essential challenge is in the middle: how to protect information consistently. The same is true for social computing. It's about how can we onboard every type of identity and access fit? How can we open up this stuff? And the same is true for mobile computing. If we protect our information, if we have adequate approaches for access, depending on the context, so which mobile devices used, our strongest authentication, et cetera, et cetera, then we have made a big step forward.
When we look at mobile device management, we just tackle a little bit on the lower left edge of this graphic. So we don't cover everything. When we start in the middle, we address a far bigger picture. So when looking at the extended enterprise, this is really the new scope of information security. And I'm absolutely convinced that we have to move forward to an information-centric approach on information security, moving away from a network-centric, moving away from a device-centric approach towards putting information in the middle.
This is the way I see what is happening, and what we need to do there is we need to do it strategic. So not by point solutions, not by strategic approaches. Moving forward on that clearly not only needs technology. It needs the organization, the process, the concept, the strategy, the tuition things, where we can assist you, for sure. So there's a product we call extend, which supports you in defining your strategy, roadmap, your way towards the extended enterprise. Just ask my colleagues when you're interested in this. So I'm done with my part of the presentation.
So I hope it could provide you with some valuable insight into our thinking around the extended enterprise and the new scope of information security. Feel free to get in touch with us if you need more information, if you want to dive deeper into this Analyst. And right now it's time for Q&A. So if you have any questions, it's time to enter these questions, using the questions area in the GoToWebinar control panel, so that I can pick your questions and answer them.
I, again, want to highlight that we have two upcoming events. The Information Risk and Security Summit will, as one of the key topics, dive very deep into this topic of the extended enterprise and what it means for information security. So it's a great opportunity to go into discussions, not only with the analysts, but with peers. So it really will be a very much peer-to-peer driven type of event, focused on the business users, the end users, and discussing between these and the analysts to move forward. And then, as I've said, there's the European Identity Conference.
There will be also a lot of news, a lot of new ideas around these topics. Have a look at our research as well. So we have a lot of research here, various types of research. Have a look at our website. There's the select access program, which allows you to access up to five of the reports for free. For sure, we have also our program for full research access, which you should not miss. So if there are no questions at that point of time, it's time for me to thank you for attending this KuppingerCole webinar. We will have a lot of upcoming events, a lot of upcoming webinars.
If you want to learn about a future of information security today, come back to us. Thank you. Bye.