Andras Cser

The National Institute of Standards and Technology (NIST) has not been recommending SMS OTP 2FA for a while precisely because of SMS inbox takeovers, MITM attacks, etc. From the license cost perspective, the price of moving away from SMS (to Google Authenticator, for example) is minimal. Google publishes guides on how to do this. From […]

With the latest change to the BofA online banking bill pay service (which added all sorts of unnecessary and distracting icons and ugly fonts), the bank decided to remove the one-time password two-factor authentication (OTP 2FA) requirement to force the customer to perform a one-time password-based step-up authentication before allowing the change. Instead, by default, […]

Palo Alto Networks (PAN) today announced plans to acquire Evident.io, a predominantly API-based cloud monitoring vendor for $300 million in cash. Evident.io has a large mind share among Forrester’s end user clients and is also regularly mentioned by other cloud workload security management (CWS) vendors as a viable competitor. With PAN expanding Aperture into a […]

In the light of large network security vendors (Cisco, Palo Alto, Symantec, Zscaler, etc.) acquiring or building Cloud Security Gateway (CSG, also known CASB) vendors, it comes as little to no surprise that McAfee also invested in this area. In Forrester’s estimates, SkyHigh annual revenues were around USD $40-45 million/year. Looking at similar deals, Forrester […]

Given Symantec's recent acquisiton of BlueCoat (and with it BlueCoat's earlier acquired Elastica and Perspecsys cloud security gateway (CSG) assets), and IBM's organic buildout of its Cloud Security Enforcer CSG solution it comes hardly as a surprise that Cisco today announced its intent to acquire CloudLock for US$293M (in Forrester's estimation this purchase price represents […]

As we predicted in our Brief: The Emergence of the Cloud Security Gateway, this market is consolidating fast. Blue Coat Systems announced this morning that they are acquiring Elastica. Forrester estimates that the acquisition price was between USD $280M-300M, while Blue Coat Systems has already spent an estimated $180-200M on Perspecsys. Here's how Forrester expects […]

Bank of America's website and press release says that you can use your TouchID on iOS to sign into BofA's mobile  application on iOS. This move is a major milestone in FIDO's and fingerprint biometrics' adoption in the mainstream consumer authentication market. Forrester expects fingerprint authentication will greatly improve the customer experience – no more […]

Today's acquistion of ViewFinity (an endpoint privilege escalation vendor) by CyberArk signals an important taxonomy shift in Priivileged Identity / Access Management. Of major PIM suite vendors, BeyondTrust, CA Technologies and Centrify have their own endpoint privilege escalation solutions for Windows and Linux. Dell and Microfocus have only Linux based solutions. Balabit, Hitachi-ID, Lieberman, and […]

Microsoft is doubling down on its cloud strategy and announced the acquisition of Adallom. Adallom offers transparent, cloud-based monitoring and alerting of cloud application use. It can detect if a user is performing suspicious actions (e.g. downloading the CRM database on a Friday afternoon). This signifies that cloud service provider vendors can no longer only […]

Here's a new exploit on Samsung Galaxy S4, S4 and S6 Swiftkey: remote code execution is possible which can lead to root access to the device, data loss, password sniffing and keylogging, Man-in-the-Middle attacks and compromised passwords. Another reason why we need to think about 'What's beyond passwords?'. We will shortly publish a report on […]

Today, not moving workloads to the cloud is not an option. Leaving these workloads not secured is also not an option. However, managing workloads within and across Infrastructure-as-a-Service cloud service providers, we find that S&R professionals struggle with ensuring that their cloud workloads (guest operating systems and data on those operating systems) are secure. Why? […]

Cloud Data Protection (protecting data in SaaS, IaaS and PaaS workloads with a centralized and industrial strenght solution) remains a key priority of CIOs, CISOs and architects.  In this market overview report, we identified 17 key vendors in the CDP space (see the figure below) that provide data protection in SaaS, IaaS and PaaS environments. […]

As we predicted in May 2012, user directories are moving into the cloud. Cloud workloads require that users who are authorized to access them are stored near the cloud workload and not just on-premises. While this offering announced now by AWS is not necessary technically groundbreaking (Cloud IAM vendors and Microsoft Azure have been offering […]

On the heels of the CrossIdeas acquisition (about which we have recently published a QuickTake), IBM today acquired another IAM cloud provider, Lighthouse Security Group. Its product and service, Lighhouse Gateway, is a small cloud provider that appeared in our Cloud IAM Wave and we were impressed by the "slickness" and ease-of-use of its customer […]

Centrify's new Cloud SSO portal is much like the competition: Okta, OneLogin, Ping, Symplified, SecureAuth, i.e. the ones that we looked at in our Cloud IAM Wave.  What's really interesting about this offering is that Samsung KNOX OEMs the client side mobile application for SSO for its high-end devices. Forrester predicts that Apple (with its […]

This is big: Google opened up Android 4.4 KitKat to allow access to the NFC chip to Android apps and not just the trusted execution environment on the secure element. What it means: any issuer, developer, 3rd party, current 3D Secure vendor, Payment Services Provider, etc. can create a mobile wallet application that can present […]

We regularly get the question: should we build our web authentication and single sign-on solution? Here's why you should not do it: OWASP 2013 lists "Broken Authentication and Session Management" as the No.2 item to pay attention to when you design your web site. OWASP.org says: "Application functions related to authentication and session management are […]

With 1) SalesForce and other large SaaS vendors announcing grandiose plans for cloud IAM, not just for access control but also provisioning and 2) long-standing IAM 'arms suppliers' extending into the cloud (CA CloudMinder, SailPoint) we are already seeing pureplay cloud IAM players (Okta, OneLogin, Ping, etc.) starting to scratch their heads as to how […]

Today we saw the announcement of the Samsung smartwatch, Galaxy Gear.  I am certain that this new smartwatch form factor will fill a niche: augmenting the input and output of a (Samsung, initially) mobile phone and device then with further miniaturization, take over more and more of the functionality of the smartphone. Beyond the cool […]