Andras Cser

Vice President, Principal Analyst

Author Insights

BLOG

Cisco Acquires Duo, Or How Should You Do Two-Factor Authentication (2FA)?

Andras Cser August 2, 2018

The National Institute of Standards and Technology (NIST) has not been recommending SMS OTP 2FA for a while precisely because of SMS inbox takeovers, MITM attacks, etc. From the license cost perspective, the price of moving away from SMS (to Google Authenticator, for example) is minimal. Google publishes guides on how to do this. From […]

Bank Of America Lowers Security, Removes One-Time Passwords At Payee Add/Change

Andras Cser April 24, 2018

With the latest change to the BofA online banking bill pay service (which added all sorts of unnecessary and distracting icons and ugly fonts), the bank decided to remove the one-time password two-factor authentication (OTP 2FA) requirement to force the customer to perform a one-time password-based step-up authentication before allowing the change. Instead, by default, […]

Palo Alto Networks Acquires Cloud Monitoring And Workload Management Specialist Evident.io

Andras Cser March 14, 2018

Palo Alto Networks (PAN) today announced plans to acquire Evident.io, a predominantly API-based cloud monitoring vendor for $300 million in cash. Evident.io has a large mind share among Forrester’s end user clients and is also regularly mentioned by other cloud workload security management (CWS) vendors as a viable competitor. With PAN expanding Aperture into a […]

McAfee acquires CSG / CASB vendor SkyHigh Networks – two years too late?

Andras Cser November 27, 2017

In the light of large network security vendors (Cisco, Palo Alto, Symantec, Zscaler, etc.) acquiring or building Cloud Security Gateway (CSG, also known as CASB) vendors, it comes as little to no surprise that McAfee also invested in this area. In Forrester’s estimates, SkyHigh annual revenues were around USD $40-45 million/year. Looking at similar deals, Forrester […]

Cisco buys Cloud Security Gateway vendor CloudLock for $293M

Andras Cser June 28, 2016

Given Symantec's recent acquisition of BlueCoat (and with it BlueCoat's earlier acquired Elastica and Perspecsys cloud security gateway (CSG) assets), and IBM's organic buildout of its Cloud Security Enforcer CSG solution, it comes hardly as a surprise that Cisco today announced its intent to acquire CloudLock for US$293M (in Forrester's estimation this purchase price represents […]

Blue Coat Systems Buy Elastica after Perspecsys

Andras Cser November 9, 2015

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects […]

Fingerprint authentication enters online banking at Bank of America - and signals FIDO's first major adoption event

Andras Cser October 8, 2015

Bank of America's website and press release say that you can use your TouchID on iOS to sign into BofA's mobile application on iOS. This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience – no more […]

CyberArk acquires ViewFinity underscores endpoint privilege escalation's importance in privileged identity and access management

Andras Cser October 7, 2015

Today's acquisition of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Privileged Identity / Access Management. Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux based solutions. Balabit, Hitachi-ID, Lieberman, and […]

Microsoft Acquires Cloud Access Security Intelligence vendor Adallom

Andras Cser July 20, 2015

Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only […]

Samsung keyboard bug highlights vulnerability of passwords

Andras Cser June 17, 2015

Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on […]

Market Overview: Cloud Workload Security Management Solutions — Automate Or Die

Andras Cser June 2, 2015

Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option. However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? […]

Market Overview: Cloud Data Protection

Andras Cser February 26, 2015

Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial strength solution) remains a key priority of CIOs, CISOs and architects. In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. […]

Amazon Web Services Announces Cloud Active Directory

Andras Cser October 22, 2014

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessarily technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering […]

IBM Doubles Down Cloud IAM And Acquires Lighthouse Gateway

Andras Cser August 11, 2014

On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighthouse Gateway, is a small cloud provider that appeared in our Cloud IAM Wave and we were impressed by the "slickness" and ease-of-use of its customer […]

Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space

Andras Cser December 2, 2013

Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave. What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its […]

NFC Adoption Becomes Much Simpler: Google Opens Android 4.4 KitKat So That The NFC Can Be Provisioned By Anyone

Andras Cser November 6, 2013

This is big: Google opened up Android 4.4 KitKat to allow access to the NFC chip to Android apps and not just the trusted execution environment on the secure element. What it means: any issuer, developer, 3rd party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that can present […]

Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.

Andras Cser October 29, 2013

We regularly get the question: should we build our web authentication and single sign-on solution? Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says: "Application functions related to authentication and session management are […]

Forrester expects a wave of acquisitions of cloud IAM providers

Andras Cser October 25, 2013

With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how […]

What does the smartwatch mean for IAM? Safer, more versatile authentication, easier mobile payments and less fraud

Andras Cser September 5, 2013

Today we saw the announcement of the Samsung smartwatch, Galaxy Gear. I am certain that this new smartwatch form factor will fill a niche: augmenting the input and output of a (Samsung, initially) mobile phone and device, then, with further miniaturization, taking over more and more of the functionality of the smartphone. Beyond the cool […]

2013Q3 IAM Suites Wave is out today

Andras Cser September 4, 2013

In Forrester's 16-criteria evaluation of comprehensive identity and access management (IAM) suites, we identified the nine most significant vendors in the category — Aveksa, CA Technologies, Courion, Dell, IBM, NetIQ, Oracle, Ping Identity, and SecureAuth — and researched, analyzed, and scored them. This report details our findings about how well each vendor fulfills our criteria […]
