Identity Access Mgt


Solutions in this category determine what each user can do across each of the organisation’s internal systems after they have entered, as well as solutions relating to the overall management, governance and administration of those user identities. Various nuances of identity governance, management, administration and user authentication solutions make up the core of this solution segment, as described further in Table 6.5.


Table 6.5 Identity and Access Management Subdomains Analysis

Key Product/Solution Subdomains

Identity and Access Management (IAM) Solutions can be further broken into several key market sub-domains, with categorisations varying depending on analyst source. Gartner’s present categorisation scheme is leveraged here, whereby IAM is broken up into (1) Identity Governance and Administration (IGA) solutions and (2) User Authentication (UA) solutions, both of which work in close concert in a typical IAM deployment. In broad terms, IGA is concerned with the administration and lifecycle maintainance of a users identity, whereas UA focusses on providing appropriate technical mechanisms for tight enforcement of that administrative policy in real-time. Other defined market sub-segments within IAM (and across IGA and UA), particularly the emerging notion of Identity and Access Management as a Service (IDaaS) which provides IAM services via the cloud across both cloud-based and traditional usage contexts (3).  

Identity Governance and Administration (IGA)

Focus: Solutions provide a set of processes to manage identity and access information across systems. This can include:

(1) Creation, maintainance and deletion of user’s identities

(2) Governance of access requests – including approval, certification, risk scoring and segregation of duties enforcement.

IGA solutions support provisioning of accounts among heterogenuous systems, access requests (either IT administered or via user self-service), and access to critical systems. Other typical IGA capabilities include role management, role and entitlements mining, and identity analytics and reporting. An IGA solution will typically be tightly integrated with one or more user authentication (UA) solutions in the target deployment scenario.  

Key Players (Products): Key leading IGA players in the space in EMC (RSA Aveksa), Sailpoint (IdentityIQ), Oracle (Identity Manager Suite), Courion (Access Assurance Suite), Hitachi (ID Identity Management Suite), Net IQ (Identity Manager, Access Governance Suite), IBM (Security Identity Manager) and Dell (Q1IM) among others.

Key and emerging Europe IGA players include Omada (HQed in Denmark), Atos (France), Beta Systems (Germany), CrossIdeas (Italy), Evidian (France), Bay31 (Switzerland), Brainwave (France) and Efecte (Finland).

User Authentication (UA)

Focus: UAvendorsdeliver on-premises software/hardware that makes real-time decisions for users using an arbitary end-point device to access one or multiple applications, systems or services across multiple possible use cases. Vendors also deliver client-side software or hardware allowing end-users to make real-time authentication decisions. While password methods are still most widely used, many other authentication methods providing higher trust levels have also been developed and adopted by the market. Broad methods include:

(1) Password-based approaches

(2) “Out of band” techniques leveraging SMS, voice, push and email factors among others (3) Hardware and software tokens

(4) Biometrics

(5) Emerging contextual authentication approaches among others.

Like many other PACs segments, cloud and mobile trends in particular are creating new UA challenges and market opportunities, as well as providing new authentication delivery options.

Key Players: A broad fragmented range of UA players exist in the market place - over 200 were identified in most recent Gartner market analysis.Leading players include SafeNet, EMC/RSA, Gemalto, Vasco Data Security, CA Technologies, and Technology Nexus. Symantec, Telesign, HID Global and SecurEnvoy are all viewed as other prominent players in the space.

Identity as a Service (IDaaS)

Focus: Emerging cross-cutting market subsegment within IAM that supports delivery of cloud-based services in a multi-tenant or dedicated/hosted delivery model, that supports IGA brokering, as well as access and intelligence functions to target systems on both customer’s premises and in the cloud. IDaaS originally focused on web-application use cases, supporting SMEs with most of their key applications in the cloud and with a preference for buying rather than building IAM infrastructure. IDaaS vendors typically create one-off connections to SaaS vendors to support authentication, single-sign on (SSO) and account management, with SaaS vendors typically providing enabling API support. They then reuse these APIs for multiple clients, relieving SaaS customers of the need to build their own customer connections, and by extention increased IAM automation.   

Key Players: Leaders in the emerging IDaaS segment include (1) Okta, (2) Ping Identity, (3) Covisint, (4) OneLogin, (5) Centrify, (6) CA Technologies, and (7) Lighthouse Security Groupamong others. Many large mainstream ICT players (Salesforce, Google, Microsoft etc) would also be regarded as IDaaS players in support of their own SaaS offerings, as well as offering IDaaS as part of their PaaS portfolios.

 

Other Sub-Segments

Other emerging IAM subsegments of note include solutions focussed on protecting access to highest-risk infrastructure access points, such as shared accounts and those managed by system administrators. Forrester refers to these as Priviliged Identity Management (PIM) solutions (referred to as PAM, or Privileged Account Management by other sources), with a solution focus on ensuring that authorised administrators can only access such high-risk environments; that irrefutable and tamper proof evidence of access is provided; ensuring access protection at the application/API level; and protection in highly scalable virtualised environments, particularly in the cloud provider context. 

Web Access Management (WAM), Federated Single Sign-On (SSO) and Virtual Private Networks (VPN) would also be regarded as overlapping subsegments within IAM.

Competitive Trends and Innovation Gaps

Despite being a well established market in its own right the IAM marketplace is still broadly viewed as a dynamic and growing one, particularly as notions of extended enterprises and more advanced B2B interactions become more commonplace, driven by rapid adoption of cloud services, new hosting models and diversity in mobile form factors, and diversifying partners and relationships. Hence, legacy IAM approaches are no longer sufficient. Core challenges exist around cross-domain user provisioning, weakened control of authentication and authorisation in these new distributed contexts, and siloed approaches to IAM across different user groups and purposes, the latter driving demand for federated single sign-on solutions. 

 

IGA: market is expected to experience significant yet volatile growth throughout the remainder of this decade, supporting new opportunities for many new entrants providing new IGA product features and delivery methods. Greater integration between previously seperate IAM functions will continue. Gartner estimated a 2013 IGA global market size of $2.2bn – up $400m on 2012 revenues. From there, double sigit IGA growth (10%) is anticipated over the next 5 years.  Service-based IGA revenues (i.e. consulting and system integration) are estimated to account for 2 to 3 times that of direct product revenues. A number of other emerging IGA innovation points exist – for example supporting flexible hybrid IAM/ÌGA deployment models that incorporate both cloud and on-premises delivery;  integration with other product solutions such as SIEM, DLP and similar security intelligence sources; tighter integration with PIM/PAM solutions mentioned above; and support for emerging issues around governing data access at more granular levels for both structured and unstructured data types.

 

 

UA: Despite being highly fragmented with a large number of players, the market is still relatively consolidated and dominated at the top tier, with approximately 10 or so key vendors dominating the majority of the UA market. Much of the market is mature, with some vendors offering key product lines existing over multiple decades. Despite this the market has remained innovative due to several factors, including increasing breadth of potential use cases in line with infrastructure changes (cloud and mobile in particular), as well as continued emergence of new innovative authentication techniques. While technically “strong” authentication is a key purchase decision factor, other overriding concerns include ability to implement proposed UA solution, as well as overall solution usability that meets ever higher business user expectations as IT becomes increasingly consumerised, and increasing emphasis on improving ease of managing authentication the customers of the IAM buyers, particularly buyer segments directly targeting consumer mass markets.

Cloud is increasingly relevant to UA in multiple ways, providing a new delivery option for new cloud offerings, as well as providing another integration target for UA offerings (see IDaaS in this section).  While many players exist in the segment the commercial credibility of a large proportion of them is questioned by key analyst sources. By year-end 2016, it is estimated that about 30% of enterprises will choose cloud-based services as the delivery option for new or refreshed user authentication implementations. Mobile computing is also highly relevant from several dimensions, for example as a new form factor for authentication tokens; as a new endpoint and context to which users must authenticate; and a new potential platform for biometric methods. It is also believed by some key UA market participants that compliance is still the most significant driver for UA purchase above actual threats.

Contextual authentication is another innovation trend, combining multi-source data and analytics to increase UA strength. By year-end 2016, it is predicted that more than 30% of enterprises will use contextual authentication for workforce remote access — up from approximately 5% today.

 

 

IDaaS: Most recent market estimates estimated that the overall global IDaaS market was worth $215m in 2013. Presently it is estimated that IDaaS will be the preferred delivery model for 10% of the overall space at present, increasing to 20% by 2017. The IDaaS market is still at an early stage, with vendors coming from distinctly different backgrounds, and with significant variances among providers with regard to IAM functional depth and support provided for different use cases. Key market drivers in the IDaaS space include the need to enforce proper IAM discipline over SaaS application usage, enhancing  and speeding SaaS ROI vs traditional on-premise software, reducing IAM implementation risks, and reduced IT operational costs around cloud-related IAM implementations.

Existing client concern around IDaaS implementations focuses on data security and protection of enterprise users' passwords, as well as the possibility that IDaaS may introduce single points of failure. Web-centric IDaaS vendors (e.g. Centrify, Okta, OneLogin, Ping Identity and Symplified) are gaining best traction with SMEs without heavy IAM legacy infrastructure, whereas other vendors with deeper functionality and greater support for hybrid scenarios are gaining more traction in larger enterprise sites where larger but more custom implementations are necessary. Complete replacement of existing IAM solutions with IDaaS deployments is still rare, hence the ability of IDaaS vendors to integrate with existing systems is desirable.

 

Key Source Data: : (all downloaded from publically available sources, both online (vendor-based) and via third party libraries)

“Gartner Magic Quadrant for Identity Governance and Administration”, Dec 2013

“Gartner Magic Quadrant for User Authentication”, Dec 2013

“Forrester Wave, Identity and Access Management Suites”, Sept 2013

“Gartner Magic Quadrant for Identity and Access Management as a Service”, June 2014

“Forrester Wave: Privileged Identity Management”, Q1 2014

“Forrester TechRadar: Data Security”, Q2 2014

 

 

Data Content Security

Data and Content Security solutions focus on security at the data level across structured, unstructured and emerging non-relational data types, including access to documents, applications and crucial details therein. Encryption technologies have traditionally been a core solution area within this category, but a broad range of other newer solutions have also emerged (Table 6.4).

 

Table 6.4 Data and Content Security Subdomains Analysis

Key Product/Solution Subdomains

Key Infrastructure product and solution and solution areas vary in existing market analyst literature. Key market sub-categories (both product and service-oriented) discussed here include (1) Data Governance Tools (DG); (2) Data Discovery and Classification (DDC); (3) Data Loss Prevention (DLP); (4) Encryption-Based Solutions (ES); (5) Cloud Encryption Gateways (CEGs); (6) Enterprise Rights Management (ERM); and (7) Application Security Testing (AST)

Data Governance Tools (DG)

Focus: Data governance tools provide capabilities that support the administrative tasks and processes of data stewardship. These tools support the creation of data policies, manage workflow, and provide monitoring and measurement of policy compliance and data use. Concerns around data security, privacy and compliance are prioritise alongside improving operational excellence and realising value potential in data.

A key concern for players in the space is to move from overly technical solutions towards ones that are also integrated more effectively with business stakeholders and their commercial perspective. Another desired goal is a single solution to govern data across the five areas of data governance — data quality, MDM/reference, metadata management, security, and information life-cycle management — and, more importantly, the ability to tie data compliance to quantifiable business impact. Some increasingly important domains like privacy will require collaboration across the five typical and historical domains.

Leading Players (Products): a diverse set of vendors from multiple perspectives participate in this segment, including (1) data management platform vendors such as IBM, Informatica and SAP; (2) Business Intelligence (BI) vendors such as Information Builders and SAS; (3) data governance specialists such as Collibra and Global IDs; (4) metadata repository vendors such as Adaptive and ASG; and (5) quality governance specialists such as Trillium. IBM (via Infosphere and OpenPages suites), Collibra (Data Governance Center) and Informatica are viewed as having the most progressive strong solutions in a segment that is still viewed as an emerging one.  

 

Data Discovery and Classification (DDC)

Focus: Data discovery and classification tools support scanning of content in corporate networks to identify legacy resources that could contain sensitive information such as credit cards, social security numbers among other types. Discovery and classification tools on the market are each sold as standalone tools or as part of a combined suite. Scanned resources can include endpoints, hosts, database columns and rows, web applications, storage networks, ­file shares, and, in some cases, cloud storage.

Data classification functionality parses structured and unstructured data, looking for sensitive data that matches prede­ned patterns or custom policies established by customers. Classifi­ers generally look for data that can be matched deterministically, such as credit card numbers or social security numbers. Some data classi­ers also use fuzzy logic, syntactic analysis, and other techniques to classify less-structured information. Many data classi­cation tools also support user-driven classi­cation so that users can add, change, or confi­rm classi­fication based on their knowledge and the context of a given activity. They can also apply security labels to information enabling it to be tracked by other tools such as DLP solutions.

Leading Players: players competing in the space include EMC Kazeon, Ground Labs, Guidance Software, IBM, Identify Finder, StoredIQ (now IBM), and Verdasys. Vendors strong on data classification features include AnyDoc Software, Boldon James, janusNet, Mantech International, NextLabs, Titus, Varonis, Verdasys and Watchful Software

Data Loss Prevention (DLP)

Focus: Data loss prevention (DLP) tools detect and prevent unwanted dissemination of, or violations to corporate policies regarding the use, storage, and transmission of sensitive information. DLP tools can inspect information intercepted over multiple channels, including email, HTTP, FTP, fi­le shares, printers, USB/portable media, databases, instant messaging, and endpoint hard disks. Once the content is intercepted and analysed, policy enforcement points at the gateway, server, or endpoint allow the operation to continue, block it, or protect the content as required by policy. Enforcement decisions are made dynamically, based on whether the inspected content violates handling policies. DLP functionality is also commonly bundled as a feature within other solutions, particularly secure email and web gateways. 

Leading Players: include CA Technologies, General Dynamics Fidelis Cybersecurity Solutions, McAfee, RSA, Symantec, Websense and Verasys.

Encryption-Based Solutions (ES)

Encryption-based aproaches are used widely to protect data and content across many different infrastructure elements, with a broad range of available products across various protected areas. Encryption-based products are available both as standalone products or as features within broader solutions, typically within the domain of the particular asset being protected. These include encryption solutions at the email or file-level, or for protecting entire hard drives (full-disk encryption). Products can also apply encryption at the storage area network (SAN) level or to databases at the macro level or for specific fields. Products for encrypting storage backup images are also available, often as an available feature with backup software and hardware.

Tokenisation solutions are a related area, whereby a randomly generated value (the token) is substituted for the content being protected (credit card numbers, bank account numbers, social security numbers etc, and mapping between both is stored ina hardened database. This approach is suitable where it is preferable to use the same syntactic data format to ensure application and database operations are not affected. The approach has become particularly relevant in the PCI-DSS context.

Key players: come from diverse set of backgrounds for different encryption products depending on the asset being protected; for example backup players such as EMC, IBM, HP and Commvault; email security vendors such as Barracuda, Cisco, Intel/McAfee, Proofpoint, Sophos and Symantec among others; file encryption vendors include Absolute Software, Credant (now Dell), Cryptzone; hardware disk vendors such as Credant, Seagate and other major vendors selling enterprise storage arrays; and leading database vendors such as Oracle, IBM, Informatica Microsoft, Safenet and Vormetric among others. Key vendors in the tokenisation space include Akamai, CyberSource, EMC RSA and Merchant Link among others.

Cloud Encryption Gateways (CEGs)

Focus: CEGs are an emerging technology that encrypts sensitive data before it leaves the enterprise network, without compromising the operational usability of the cloud provider (such as Google, Microsoft Offi­ce 365, or salesforce.com). A key selling point for CEGs is that the data is not just encrypted - but the enterprise, and not the cloud provider maintains the keys.

Demand for such technologies is supported by the need to comply with emerging data protection legislation around cross-border data transfers, as well as corporate privacy concerns around the use and risk posture of third-party cloud providers, particularly in light of recent surveillance scandals such as NSA and PRISM.  

Key Players: AlephCloud, CipherCloud, nCrypted Cloud, PerspecSys, Porticor, Skyhigh Networks, Vaultive and Voltage Security.

Enterprise Rights Management (ERM)

Focus: Enterprise rights management (ERM) tools provide persistent protection for valuable business documents, enhancing traditional information control capabilities. ERM helps enterprises control  usage, circulation, and compartmentalisation of sensitive content via encryption and supporting technology. Knowledge intensive industries such as aerospace, electronics, manufacturing, and pharma among others use ERM to protect valuable industrial secrets. Law ­rms, intelligence services, fi­nancial services companies, and mergers and acquisitions (M&A) teams also choose ERM to help them compartmentalise information on a need-to-know basis.

Key Players: include Adobe, NextLabs, EMC, and Microsoft.

Application Security Testing (AST)

Focus: Key to overall data and content security is ensuring that the applications processing and managing such data/content are secure in themselves. While much of application security is a process-driven endeavour, products exist to assist the security testing approach across different application categories.

Application security testing (AST) products and services are designed to analyse and test applications for security vulnerabilities using static AST (SAST), dynamic AST (DAST) and interactive AST (IAST) technologies. SAST technology analyses application source, byte or binary code for security vulnerabilities at the programming and/or testing software life cycle (SLC) phases. DAST technology analyses applications in their running state (in real or "almost" real life) during operation or testing phases. It simulates attacks against a web application, analyses application reactions and, thus, determines whether it is vulnerable. IAST technology combines the strengths of SAST and DAST - typically implemented as an agent within the test runtime environment (for example, Java Virtual Machine [JVM] or .NET CLR) that observes possible attacks and is capable of demonstrating a sequence of instructions that leads to an exploit. AST technology can be delivered as a tool or a cloud service, and has been introduced for analysis of Web applications and some legacy applications. AST has also evolved to analyse mobile applications.

Key players: Industry leaders HP and IBM both provide leading products in this space across a number of technologies; Veracode is an established thought leader and provider of solutions (DynamicMP and Dynamic DS); WhiteHat is viewed as a leading player in providing application security testing as a service.  Other key innovating firms in the space include Checkmarx, Trustwave, Acunetix, Appthority, Quotium, and Contrast Security.

Other Sub-Segments

Many other solution areas beyond the categories profiled above also encompass some element of data/content security and privacy support; examples include  archiving solutions (EMC, Global Relay, HP, IBM, Mimecast etc), database monitoring and auditing (Trustwave, Fortinet, IBM, Imperva etc), enterprise key management (IBM, RSA, Venafi, Voltage Security), network analysis and visiblity (Lumeta, Cisco/Sourcefire, Arbor Networks, FlowTraq, Lancope, Riverbed), secure file sharing (Accelion, AirWatch, Box, Brainloop, Citrix ShareFile), and security information management (EMC/RSA, IBM, HP, LogRhythm).

Competitive Trends and Innovation Gaps

 

DG: Data Governance has shifted in recent years, moving from a technology management endeavor to a business imperative where realising the value potential of data is the core priority. Hence vendors are offering new tools and capabilities to support the business-oriented program of data governance rather than merely automating data governance tasks. Business stakeholders have also traditionally had difficulty in conveying to technology management how they want to collect, aggregate, and use data more freely and in self-service. Unifying key areas of data governance — data quality, MDM/reference, metadata management, security, and information life-cycle management has also been a challenge area. In the PACs context, domains like privacy will especially require collaboration across the five typical and historical domains.

Vendors competing in the DG marketplace still provide full data governance management coverage and collaboration. Desired next-generation data governance requires improvements such as:

(1) Broader coverage beyond just data quality or metadata.

(2) More flexible collaboration than predefined workflows.

(3) Providing value to business users with specific capabilities like business-oriented dashboards.

Even though data governance initiatives ultimately lead to operational efficiency and tangible business outcomes in the long run, buyers often cite difficulties in sustaining initiatives beyond one-off projects, and by extension difficulties in showing ROI value, particularly in the short term.

 

 

DDC: While data discovery and classification tools have been available for years, adoption has never taken off unless driven by compliance and despite some of the adjacent benefi­ts to storage optimisation and capacity management. Nevertheless,  data classification is the foundation for all of data security, and it is especially important for the success of other data security solutions, such as DLP. Similar to other PACs domains, DDC tools are increasingly consolidating with each other as well as with other adjacent market areas, particularly DLP solutions which are expected to subsume much of their functionality over the medium term. Practical technical challenges also exist in the domain, particularly in scanning diverse assets to identify sensitive data from petabytes of content, which has many scaling and operational challenges.  Also, ability to effectively classify data by data type varies heavily – for example basic technology such as credit card recognition is mature, but it less complete for other sensitive data types (like words in context).

 

DLP: Given the high levels of feature roll-up appearing across different data and content silos, it is expected that DLP suite and DLP functionality vendors will subsume many data classification capabilities in the coming years. In turn, DLP functionality now exists in some form or another in many other silos, such as email security gateways, web security gateways, and even mobile and endpoint security solutions. While there has been much hype around DLP, clients have reported much failed implementation of solutions, as well as experiencing deployments often took longer than expected and required more resources than they had anticipated and budgeted for. In addition, while a DLP product might easily find some categories (e.g. a social security number), difficulties in identifying and protecting others (e.g. intellectual property) were common. In addition, DLP products can be ineffective in stopping leaks across every unique channel in the organisation (e.g., email, web, network, and endpoint). Hence, while DLP implementation can require much upfront work to be successful and can be especially effective when used in conjunction with other tools such as data classi­fiers. However, when successfully deployed across channels, such as email, HTTP, and endpoints, and appropriately tuned, they are still rated as a valuable approach to preventing data leaks.

 

ES: Broadly speaking, it is presently viewed as a golden age for deployment of encryption techniques across many infrastructure and data/content categories, driven by growing concerns regarding data theft, privacy and government surveillance among others. Yet within encryption solution categories, market outcomes are varying. Strong growth in use of database and file encryption solutions exists, as well as email encryption in highly regulated industries. Demand for backup encryption solutions is still expected to remain critical because the enterprise, not the cloud provider, remains liable for the security of the data. In addition, some regulated industries will continue to opt for on-premises and/or private cloud deployments of IT services, which will require backup encryption. On the other hand there are fewer and fewer standalone fi­le-level encryption solutions, with such functionality most often delivered via an endpoint security suite or as part of a broader endpoint encryption solution that combines full disk encryption with ­file-level encryption, with this trend to continue in the next few years. Encrypting data-at-rest in a storage area network (SAN) is important, but it turns out that tech management professionals prefer to use other solutions. For encrypting backup data to disk or tape, tech management pros prefer to use the native encryption capabilities available in backup software or hardware (disk libraries and tape libraries). And when it comes to proving the security of data stored on decommissioned drives, using self-encrypting drives with an enterprise storage array is often deemed a much simpler approach.  

 

CEGs: As enterprises become aware of extensive NSA government surveillance of major technology and telecommunication service providers, it has led to increased significant interest in the ability to encrypt data with their own solutions and hold onto their own keys, rather than relying on a cloud or other provider’s native encryption solution. Cloud encryption gateway techniques also benefit from a value proposition and benefits that are easy to convey to core business decision makers. While this solution is very new and questions remain whether these solutions can preserve functionality across a broad array of cloud providers, strong growth within this subsegment is anticipated, particularly as enterprises want to take advantage of the business and ­nancial bene­ts of moving to the cloud, and cloud encryption can remove some of the biggest impediments to adoption, such as signi­cant concerns about security (threats of cyberattack, malicious insiders, lack of data separation in multitenancy environments), privacy (concerns regarding government surveillance), and regulatory compliance (concerns regarding privacy and data residency). The ability to use desired cloud services while also shielding the enterprise from costs and other liabilities of breaches and regulatory noncompliance is enormous. However from a competitiveness standpoint it is likely that during this time frame more vendors will enter the space and the cloud providers themselves will attempt to offer their own cloud encryption solutions.

 

ERM: ERM technologies are viewed as sitting uncomfortably between security and information management domains, and enterprise uptake has been poor relative to other data security areas. Most existing niche deployments are department-specific, not enterprise-wide, in industries such as aerospace, electronics, manufacturing, and intelligence services that need to compartmentalise information on a need-to-know basis. Applying protection to the data itself is a core capability of data-centric security; however, the appeal of standalone ERM tools  that don’t integrate with classification, DLP, or other data security tools is limited.

 

AST: While dynamic and static application testing tools initially competed with each other in marketing literature at earlier stages of market maturity, a more holistic application security approach involving holistic use of both kinds of toolset in tandem has prevailed. Vendors have evolved these technologies over time, addressing such client needs as user-friendly interfaces, integration with nonsecurity systems (such as application development and testing), integration between security technologies (for example, SAST and DAST), analytics and reporting, and compliance and governance. They have also been building integration capabilities with protection technologies, specifically with Web Application Firewalls (WAFs) or Mobile Device Management (MDM) solutions for mobile platforms. Also to make adoption even easier and broader, many vendors now offer cloud-based security as a service. As a result, these technologies have reached the point where cost and risk of adoption are well-balanced. Emerging innovation areas include focus on Runtime Application Self-Protection (RASP), an emerging technology that "instruments" the application runtime environment, extending the functionality by additional functionality — namely, security detection and protection. Thus, becoming an integral part of an application runtime environment (for example, JVM), RASP monitors the execution of an application by the application runtime environment, gets controls when specified security conditions are met, and takes the necessary protection measures. Most application security vendors have begun to deliver their capabilities as a service, and offer these alongside their application security products. Some vendors have exclusively focused on security as a service and do not offer products at all.

 

 

Key Source Data: : (all downloaded from publically available sources, both online (vendor-based) and via third party libraries)

“Forrester Wave: Data Governance Tools”, Q2 2014

“Forrester TechRadar: Data Security”, Q2 2014

“Gartner Magic Quadrant for Application Security Testing”, July 2014

“Forrester Wave: Email Content Security”, Q4 2012

 

Return to Supply SIde 

 

Context: Post incident forensics examination tools implement techniques that enable an investigator to develop an insight of past events, and prove or disprove allegations relating to the use of computers to perform criminal acts. Such support is often built on top of audit and monitoring tools deployed on a given infrastructure. Two key strands of forensics tools that can collectively support an incident response investigation include (1) computer (system) forensics tools supporting functionality such as evidence acquisition, analysis of file systems, event logs, retrieval of contents of interest, deleted items, application/browsing history etc; (2) network forensics tools include applications for data packet capturing, network server log analysis (time of connection, originator’s address etc), deep packet inspection etc. Some forensics tools can also be equipped to deal with live acquisition in real time (often dealing with memory contents acquisition), whereas others are more oriented towards static post-event analysis. Ability to securely preserve evidence in a tamperproof format is also essential.

Challenges – Technology Gaps: Several domain challenges exist, particularly the juxtaposition between investigation practices vs. privacy, and the related increased use of encryption as a barrier to supporting forensic efforts, recent widening of encryption use in Apple iOS 8 being one example [ARS14]. Also, the development of tools that adhere to relevant privacy laws; also issues around dealing with growing volumes of evidence, via techniques such as predictive coding for certain evidence categories, and the ability to elastically step up evidence gathering in line with escalated events; issues around managing cross-jurisdictional and cross-lingual investigation gathering are also providing strong research avenues of enquiry, particularly in supporting LEAs in developing new procedures for cross border evidence management and sharing.

 

References:

[ARS14] "Apple expands data encryption under iOS 8, making handover to cops moot", arstechnica.com, Sept 18th 2014.

Return to SOTA

PACS Governance

“Governance” solutions focus on supporting holistic security and privacy protection, supporting management and enforcement of the overall security processes across different PACs problem sub-categories. Governance solutions act as an overarching co-ordinator of the overall cyber security infrastructures and systems of relevance, with strong emphasis on enabling combination of broader PACs service offerings with narrower PACs product offerings (Table 6.2).

 

Key Product/Solution Subdomains

Key Governance product and solution and solution areas vary in existing market analyst literature.  Key market sub-categories (both product and service-oriented) discussed here include:

(1) Governance Risk and Compliance (GRC) Solutions

(2) Managed Security Services (MSS)

(3) Security Information and Event Management (SIEM)

(4) Security Consulting and Integration Services (SCI)

(5) Business Continuity Management Solutions (BCM)

Governance, Risk and Compliance (GRC) Solutions

Focus: Organisations reach a size where coordinated control over governance, risk management and compliance (GRC) activities is required to operate effectively. Each of these three disciplines creates information of value to the other two. Each of the three GRC disciplines also touch and impact the same technologies, people, processes and information in any organisation. Hence GRC solutions support streamlining and reduced duplication of effort and reporting across siloed GRC initiatives. Typical solutions include:

(1) A relational database for storing GRC data and its organisational context.

(2) Workflow support for facilitating GRC process management and execution.

(3) Content management capabilities to store critical documents.

(4) Reporting and risk analysis capabilities to drive understanding and decision making.

Historically, silo solutions dealing with risk in each organisational division existed (e.g. IT, finance, health and safety), however many vendors are increasingly targeting broad solutions in order to capture deals with largest clients. This has resulted in a complex marketplace of diverse competitors in the GRC space. Support for PACs-specific GRC issues may exist within broadest enterprise level GRC tools, within IT GRC solutions, or within PACs specific solutions in the market, often built around ISO 2700x or similar PACs standards frameworks.

Leading Players (Products): Leading solutions in space include:

(1) MetricStream (MetricStream GRC)

(2) EMC/RSA (RSA Archer)

(3) Bwise (Nasdaq OMX)

(4) Rsam (Rsam GRC Platform)

(5) Enablon (Enablon Risk Management Suite)

(6) IBM (IBM Openpages) among many other competitors

Niche PACs-specific GRC solutions include Neupart (SecureAware ISMS), Onformonics (PCI-DSS focussed) and IT Governance Ltd (VS-Risk). 

Managed Security Services (MSS)

Focus:Many PACs technologies traditionally installed and managed internally by end-users are now provided and managed directly by third parties on a pay as you use basis across Infrastructure, Systems, Content and Governance solution types in PACs. Such providers are viewed as being crucial to allowing organisations to reduce capital spending on security technology and in allowing them to increase bandwidth for handling security issues within corporate IT teams.

Typical services provided include: APT detection and remediation, distributed denial of service (DdoS), email filtering, emergency response services, endpoint AV, endpoint patch management, firewall management, host and network IDS/IPS management, IAM services, log management and monitoring, server patch management, SIEM managed services, threat intelligence, vulnerability testing, web application firewall, and web application monitoring.

Key characteristics of leading MSSP providers include significant breadth of security technology skills, effective cost structures, strong customer services, experienced and trained staff, and strong operational flexibility depending on client needs.

Leading Players: See section 5.1 for summary of key leading and emerging players.

Security Information and Event Management (SIEM)

Focus: Security information and event management (SIEM) market is defined by the customer's need to analyse security event data in real time for internal and external threat management, and to collect, store, analyse and report on log data for incident response, forensics and regulatory compliance. While larger enterprises and government organisations will typically staff and maintain their own SOC, small and mid-sized players are increasingly looking to MSSPs to provide SIEM-based support.

SIEM technology aggregates event data produced by security devices, network infrastructures, systems and applications. The primary data source is log data, but SIEM technology can also process other forms of data, such as network flows and packet capture. Event data is combined with contextual information about users, assets, threats and vulnerabilities. Data is normalised so that events, data and contextual information from disparate sources can be correlated and analysed for specific purposes, such as network security event monitoring, user activity monitoring and compliance reporting. SIEM technology provides realtime security monitoring, historical analysis and other support for forensics, incident investigation and compliance reporting. Forensics support within SIEM tools is typically oriented around drill-down support for investigation compound events and individual event logs, as well as support for network forensics and deep packet inspection – similar to standalone tools such as those provided by EnCase, Solera (now Bluecoat) and other specialist data and network forensics vendors. 

Many of the leading edge solutions in the space have been acquired by key influencing ICT companies from pure-play PACs vendors, allowing them bolster their overall security portfolios.

Leading Players (Products): Leading players in the space include:

(1) IBM (QRadar SIEM)

(2) HP (ArcSight)

(3) McAfee (Enteprise Security Manager)

(4) LogRhythm

(5) EMC/RSA (RSA Security Analytics)

(6) NetIQ (Sentinel)

Splunk has also developed its horizontal IT log management solution significantly to support SIEM-type use cases over the past 12-18 months. Blackstratus, Accelops and AlienVault also offer innovative features in their SIEM offerings.  S21sec and Tango are other niche players with focus in Europe and Latin America in particular.

 

Security Consulting and Integration Services (SCI)

Focus: Provide end-to-end PACs service and solution support to enterprises that are increasingly struggling to acquire necessary security skills and breadth of expertise in-house. A broad number of large and small players provide such PACs consultancy and integration support, both wider ICT and pure-play PACs organisations, assisting the internal CISO and security management function in strategic and tactical initiatives. Strategic support includes aligning business and information security objectives, developing security budgets, supporting buy-in and participation among key business individuals for PACs initiatives, and evaluating and managing third party relationships. Tactical support can include periodic security auditing and testing, implementing new security processes around changing trends (e.g. BYOD), providing third-party assurance around use of cloud services, insuring appropriate integration of security and privacy concerns in rollout of new software and hardware/infrastructure rollout, and ensuring compliant and privacy-preserving use of social media in the corporate context.

This holistic support forms the basis for executing on PACs strategy and planning initiatives, with such players providing product and service rollout themselves or via third party partnerships, providing in-house integration or managed service support.

Leading Players: key players are mainly the large and well-known ICT companies and global consultancies. See section 5.1 for further summary of key global and European players.

Business Continuity Management Solutions (BCM)

Focus: Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organisation and the impacts to business operations if those threats are realised. Provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities (Source: ISO 22301:2012). As with other security disciplines, BCM procedures can apply to ICT systems specifically (within which PACs-specific concerns will apply), as well as to the wider business context which will typically also include non-technical concerns.

A wide range of market solutions provide platform support for the BCM function within enterprise, with the market in existence for over 20 years. Early solutions were driven by templates generated from word processors, but have now evolved towards highly interactive decision support tools. Key needs include support for reusable recovery plans of all types, and workflow support for plan development and execution. Integration with other BCM solution types is also an increasingly prominent feature (e.g. emergency and mass notification services, crisis and incident management, IT asset management, change and configuration managment databases among others). Common functionality includes:

(1) Support for BCM risk assessment and Business Impact Analysis (BIA).

(2) Business process and IT dependency mapping.

(3) Resource inventory recording.

(4) Plan development and management.

(5) Support for analytics and BCM metrics development to support operations and mitigation planning.

Key Players (Products): Key pure-play leaders in the space include RecoveryPlanner (RPX Suite), and Strategic BCP (ResilienceOne).Other leaders in this space also appear prominently in the Enterprise/IT GRC segment - including MetricStream, EMC/RSA and Modulo.     

 

Others

Other overlapping areas developing in line with increased technology and infrastructure convergence is that around mobile device management (MDM), often called Enterprise Mobility Management (EMM) - and bring-your-own-device (BYOD). These areas also have significant security and privacy considerations. Key MDM/EMM players include AirWatch, MobileIron, Citrix, Good Technology and IBM.

Key players: Entering the BYOD space include established telco operators such as AT&T, Verizon, Vodafone and Orange, large ICT players such as HP and IBM, and niche specialists such as DMI, Vox Mobile, Tango, Cass and Amtel.

Competitive Trends and Innovation Gaps

Strong market growth is evident across many of the governance market subsegments highlighted here, with opportunities existing for incremental innovation based on some of the key ICT macro trends already discussed (big data, cloud and mobile in particular).

 

 

GRC: GRC platform buyers certainly see increased business value in such solutions, but despite being a relatively mature market, there are still perceived shortcomings in solution usability, reliability and aligning available technical functionality with their needs. This makes the overall supporting consultancy and service proposition of GRC vendors highly important aside from the core technology solution – supported by a large breadth of feature capabilities. Much of these market challenges however are due to the highly diverse nature of GRC needs across many business and IT domains of which PACs GRC elements are just one target example. This is reflected in the GRC approach of many larger organisations, where many deploy more than one GRC solution across their organisation to handle such diversity. In the IT/PACs GRC space, Agiliance, IBM, Modulo and Protiviti score highly on analyst ratings.

 

 

MSS:  Gartner estimated that the 2013 global market for security outsourcing was $12 billion, with a forecast compound annual growth rate of 15.4% through 2017.TheMSSPmarket place is best segmented by scale of provider organisations and scope of services provided. The largest enterprise carriers typically offer multiple security operations centers (SOCs) in multiple geographies, employ from 100 to more than 1,500 engineers, and have revenues between $70 million and $400 million. Mid-sized players range from 20 to 100 engineers, one or two SOCs, and revenues between $25 million and $70 million, with smaller niche players ranging from a small staff of security analysts numbering no more than 10 and revenues of less than $25 million.Many emerging MSSPs are reporting strong year-on-year revenue growth (between 20-40% per annum). Larger players tend to provide a greater degree of proprietary technology in support of their services, whereas smaller players rely largely on third party partnerships and reseller deals. There can also be great variation in the buyer uptake of different service solutions within the MSSP providers portfolio – typically ranging from anywhere between 2% and 80%.

Newer MSSP service trends include more advanced capabilities around threat intelligence around the most advanced attacks, and distinct service offerings to acquire, retain and analyse large volumes of customer data - so called "security big data" — from IT infrastructure and other sources. 

 

 

SIEM: Despite being a mature and competitive market,  demand for SIEM technology has remained strong throughout 2014 with key analyst firms indicating a double-digit growth increase in related inquiry calls from end user clients, and most vendors reporting increases in customers and revenue. The SIEM market is now dominated by relatively few large vendors - HP, IBM, McAfee, EMC (RSA) and Splunk - that command about 60% of market revenue. This has led to increasing stress on smaller vendors, with many consolidating with larger players or exiting the market entirely. During 2013, the SIEM market grew from $1.34 billion to approximately $1.5 billion, achieving a growth rate of about 16%. Demand for SIEM technology in Europe and the Asia/Pacific region is still strong, driven by a combination of threat management and compliance requirements. Growth rates in Asia and Latin America are higher than those in the U.S. and Europe at present. SIEM buyer emphases in recent years are increasingly focused on security use cases, even though compliance continues to be an important driver. The primary focus continues to be targeted attack and breach detection. While vendors can meet the basic log management, compliance and event monitoring requirements of a typical customer, unmet needs still exist around targeted attack and breach detection. Organisations are failing at early breach detection, with more than 9 in 10 breaches are reported still undetected by the breached organisation. Many SIEM vendors have large existing customer bases, and there is an increasing focus on the expansion of SIEM technology deployments within existing accounts.

 

SCI: Key global leaders in the security consulting space are reporting strong revenue growth (15%+ year on year), with the largest having as many as 14,000 clients globally. They are also in the middle of impressive expansion and training programs to offer new services and provide the necessary skills and bandwidth CISOs need to meet these new challenges. Firms are quickly maturing their security consulting offerings, building up staff resources, and expanding into the wider global marketplace. 

 

 

BCM: Most recent market size estimates (FY 2012) estimated a global market of $130m, with strong adoption uptake since then (one Gartner source estimated a 51% uptake increase between 2012 and 2013, indicating that organisations are realising the importance of the use of these products to help standardize and manage recovery plan development, as well as management of the BCM program itself. Typical site sale is estimated around the $50K mark but can vary from this greatly depending on buyer needs. 

 

Key Source Data: (all downloaded from publically available sources, both online (vendor-based) and via third party libraries):

 

“Forrester Wave: Governance, Risk and Compliance Platforms”, Q1, 2014

“Forrester Wave: Emerging Managed Security Service Providers”, Q1, 2013

“Gartner Magic Quadrant for Global MSSPs”, July 2014

“Gartner Magic Quadrant for Security Information and Event Management”, June 2014

“Forrester Wave: Information Security Consulting Services”, Q1 2013

“Gartner Magic Quadrant for Business Continuity Management Planning Software”, August 2013

 

Return to Supply Side

Cryptology

Context: as one of the more mature scientific sub-areas within PACs, cryptographic algorithms are an essential tool to protect data, both at rest and in transit. Algorithms can be dimensionalised in several ways, for example in separating algorithms that ensure confidentiality of data, versus those that establish the data’s authenticity and integrity; algorithms can also be distinguished by symmetric approaches where senders and receivers share the same key, versus asymmetric methods where one key is made public and the other remains private (more commonly known as public key algorithms). Cryptographic hash functions support generation of a short string that determines if potentially much larger file is authentic; and can also be used for other functions such as password protection.

Challenge – Technical Gaps: Several ENISA reports have provided detailed technical assessments of available cryptography algorithms [ENISA13], identifying several weaknesses in legacy approaches that are still used. However much progress has been made in developing more complex algorithms leveraging simpler predecessors as a base. Key innovation improvements in the area are being driven by demands from next generation computing such as IoT, for example development of ultra-lightweight cryptography providing low power consumption, low latency and high-speeds, as well as mitigating concerns that future developments in quantum computing would render existing cryptographic algorithms ineffective, regardless of key lengths employed.

References:

[ENISA13] Recommended cryptographic measures - Securing personal data, ENISA report, https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/recommended-cryptographic-measures-securing-personal-data

Return to SOTA

 

Getting Started

Which type of company are you? Choose one of the options below and get a head-start.

Framework Overview

Navigate through the different parts of the Framework

leeg

Joomla! Debug Console

Session

Profile Information

Memory Usage

Database Queries