Andras Cser
VP, Principal Analyst

Author Insights
Blog
Okta Acquires Identity Orchestration And CIAM Vendor Auth0 For $6.5B
Forrester analysts take a detailed look at what's driving the unprecedented premium being paid in this acquisition.
Blog
Look Beyond Compliance When Choosing An Anti-Money Laundering Solution
When looking for an AML services provider, there are three primary factors organizations need to keep in mind.
Blog
Cisco Acquires Duo, Or How Should You Do Two-Factor Authentication (2FA)?
The National Institute of Standards and Technology (NIST) has not been recommending SMS OTP 2FA for a while precisely because of SMS inbox takeovers, MITM attacks, etc. From the license cost perspective, the price of moving away from SMS (to Google Authenticator, for example) is minimal. Google publishes guides on how to do this. From […]
Blog
Bank Of America Lowers Security, Removes One-Time Passwords At Payee Add/Change
With the latest change to the BofA online banking bill pay service (which added all sorts of unnecessary and distracting icons and ugly fonts), the bank decided to remove the one-time password two-factor authentication (OTP 2FA) requirement to force the customer to perform a one-time password-based step-up authentication before allowing the change. Instead, by default, […]
Blog
Palo Alto Networks Acquires Cloud Monitoring And Workload Management Specialist Evident.io
Palo Alto Networks (PAN) today announced plans to acquire Evident.io, a predominantly API-based cloud monitoring vendor for $300 million in cash. Evident.io has a large mind share among Forrester’s end user clients and is also regularly mentioned by other cloud workload security management (CWS) vendors as a viable competitor. With PAN expanding Aperture into a […]
Blog
McAfee acquires CSG / CASB vendor SkyHigh Networks – two years too late?
In the light of large network security vendors (Cisco, Palo Alto, Symantec, Zscaler, etc.) acquiring or building Cloud Security Gateway (CSG, also known as CASB) vendors, it comes as little to no surprise that McAfee also invested in this area. In Forrester’s estimates, SkyHigh annual revenues were around USD $40-45 million/year. Looking at similar deals, Forrester […]
Blog
Cisco buys Cloud Security Gateway vendor CloudLock for $293M
Given Symantec's recent acquisition of BlueCoat (and with it BlueCoat's earlier acquired Elastica and Perspecsys cloud security gateway (CSG) assets), and IBM's organic buildout of its Cloud Security Enforcer CSG solution, it comes hardly as a surprise that Cisco today announced its intent to acquire CloudLock for US$293M (in Forrester's estimation this purchase price represents […]
Blog
Blue Coat Systems Buy Elastica after Perspecsys
As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects […]
Blog
Fingerprint authentication enters online banking at Bank of America – and signals FIDO’s first major adoption event
Bank of America's website and press release say that you can use your TouchID on iOS to sign into BofA's mobile application on iOS. This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience – no more […]
Blog
CyberArk acquires ViewFinity underscores endpoint privilege escalation’s importance in privileged identity and access management
Today's acquisition of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Privileged Identity / Access Management. Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux based solutions. Balabit, Hitachi-ID, Lieberman, and […]
Blog
Microsoft Acquires Cloud Access Security Intelligence vendor Adallom
Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only […]
Blog
Samsung keyboard bug highlights vulnerability of passwords
Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on […]
Blog
Market Overview: Cloud Workload Security Management Solutions — Automate Or Die
Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option. However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? […]
Blog
Market Overview: Cloud Data Protection
Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial-strength solution) remains a key priority of CIOs, CISOs and architects. In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. […]
Blog
Amazon Web Services Announces Cloud Active Directory
As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessarily technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering […]
Blog
IBM Doubles Down Cloud IAM And Acquires Lighthouse Gateway
On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighthouse Gateway, is a small cloud provider that appeared in our Cloud IAM Wave and we were impressed by the "slickness" and ease-of-use of its customer […]
Blog
Centrify Cloud SSO marks the beginning of mobile device manufacturers getting into the IAM space
Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave. What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its […]
Blog
NFC Adoption Becomes Much Simpler: Google Opens Android 4.4 KitKat So That The NFC Can Be Provisioned By Anyone
This is big: Google opened up Android 4.4 KitKat to allow access to the NFC chip to Android apps and not just the trusted execution environment on the secure element. What it means: any issuer, developer, 3rd party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that can present […]
Blog
Why You Should NOT Build Your Own Authentication Framework And Solution In-House. See OWASP A2.
We regularly get the question: should we build our web authentication and single sign-on solution? Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says: "Application functions related to authentication and session management are […]
Blog
Forrester expects a wave of acquisitions of cloud IAM providers
With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how […]