
Mature DevSecOps orgs refine developer security skills training

BOSTON — IT organizations that plan to tackle developer security skills as part of a DevSecOps shift have started to introduce tools and techniques that can help.

Many organizations have moved past early DevSecOps phases such as a ‘seat at the table’ for security experts during application design meetings and locked-down CI/CD and container environments. At DevSecCon 2018 here this week, IT pros revealed they’ve begun in earnest to ‘shift security left’ and teach developers how to write more secure application code from the beginning.

“We’ve been successful with what I’d call SecOps, and now we’re working on DevSec,” said Marnie Wilking, global CISO at Orion Health, a healthcare software company based in Boston, during a Q&A after her DevSecCon presentation. “We’ve just hired an application security expert, and we’re working toward overall information assurance by design.”

Security champions and fast feedback shift developer mindset

Orion Health’s plan to bring an application security expert, or security champion, into its DevOps team reflects a model followed by IT security software companies, such as CA Veracode. The goal of security champions is to bridge the gap and liaise between IT security and developer teams, so that groups spend less time in negotiations.

“The security champions model is similar to having an SRE team for ops, where application security experts play a consultative role for both the security and the application development team,” said Chris Wysopal, CTO at CA Veracode in Burlington, Mass., in a presentation. “They can determine when new application backlog items need threat modeling or secure code review from the security team.”

However, no mature DevSecOps process allows time for consultation before every change to application code. To maintain app delivery velocity, developers must hone their own security skills so they write less vulnerable code without waiting for input from security experts.

The good news is that developer security skills often emerge organically in CI/CD environments, provided IT ops and security pros build vulnerability checks into DevOps pipelines in the early phases of DevSecOps.

Marnie Wilking, global CISO at Orion Health, presents at DevSecCon.

“If you’re seeing builds fail day after day [because of security flaws], and it stops you from doing what you want to get done, you’re going to stop [writing insecure code],” said Julie Chickillo, VP of information security, risk and compliance at Beeline, a company headquartered in Jacksonville, Fla., which sells workforce management and vendor management software.

Beeline built security checks into its CI/CD pipeline that use SonarQube, which blocks application builds if it finds major, critical or limiting application security vulnerabilities in the code, and immediately sends that feedback to developers. Beeline also uses interactive code scanning tools from Contrast Security as part of its DevOps application delivery process.

“It’s all about giving developers constant feedback, and putting information in their hands that helps them make better decisions,” Chickillo said.
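A minimal build gate of the kind Beeline describes, as an added example (it is neither Beeline’s pipeline nor SonarQube’s own code): it assumes the issue JSON shape of SonarQube’s issues search API (severity, type, status, component, line, message), fails the build on open vulnerabilities at or above a severity threshold, and prints a short report for the developer. The sample scanner response is constructed for this example.

```python
"""Security build gate: fail the pipeline on open vulnerabilities above a threshold.

Added example, not Beeline's or SonarQube's code. Assumes issues in the shape of
SonarQube's /api/issues/search response: {"total": N, "issues": [{"key", "rule",
"severity", "type", "status", "component", "line", "message"}, ...]}.
"""
import json
import sys
from dataclasses import dataclass, field

# SonarQube severity ladder, lowest to highest.
SEVERITY_RANK = {"INFO": 0, "MINOR": 1, "MAJOR": 2, "CRITICAL": 3, "BLOCKER": 4}
# Issue statuses that still need developer action; RESOLVED/CLOSED are ignored.
OPEN_STATUSES = {"OPEN", "CONFIRMED", "REOPENED"}

# Constructed sample response (rule keys and messages are placeholders, not real rules).
SAMPLE_RESPONSE = json.dumps({
    "total": 4,
    "issues": [
        {"key": "AX1", "rule": "example:S1", "severity": "BLOCKER", "type": "VULNERABILITY",
         "status": "OPEN", "component": "app:src/auth/login.py", "line": 42,
         "message": "Example finding: secret appears to be hard-coded"},
        {"key": "AX2", "rule": "example:S2", "severity": "MINOR", "type": "VULNERABILITY",
         "status": "OPEN", "component": "app:src/util/rand.py", "line": 7,
         "message": "Example finding: weak randomness"},
        {"key": "AX3", "rule": "example:S3", "severity": "MAJOR", "type": "BUG",
         "status": "CONFIRMED", "component": "app:src/util/io.py", "line": 19,
         "message": "Example finding: resource not closed"},
        {"key": "AX4", "rule": "example:S4", "severity": "CRITICAL", "type": "VULNERABILITY",
         "status": "RESOLVED", "component": "app:src/auth/login.py", "line": 88,
         "message": "Example finding: already fixed in this build"},
    ],
})


@dataclass
class GateResult:
    passed: bool
    blocking: list = field(default_factory=list)  # issues that failed the gate
    report: str = ""                               # developer-facing summary


def parse_issues(payload_text: str) -> list:
    """Parse the JSON body of an issues search response into a list of issues."""
    payload = json.loads(payload_text)
    issues = payload.get("issues")
    if not isinstance(issues, list):
        raise ValueError("response has no 'issues' list")
    return issues


def is_blocking(issue: dict, min_severity: str, gated_types) -> bool:
    """Decide whether one issue should fail the build.

    Unknown severities fail closed: a value the gate does not recognise is
    treated as blocking rather than silently waved through.
    """
    if issue.get("status", "OPEN") not in OPEN_STATUSES:
        return False  # already resolved or closed
    if issue.get("type") not in gated_types:
        return False  # not a gated issue type (e.g. CODE_SMELL)
    rank = SEVERITY_RANK.get(issue.get("severity"))
    if rank is None:
        return True  # fail closed on an unrecognised severity
    return rank >= SEVERITY_RANK[min_severity]


def evaluate(issues, min_severity="MAJOR",
             gated_types=frozenset({"VULNERABILITY"})) -> GateResult:
    """Apply the policy to all issues and build the report developers see."""
    if min_severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold {min_severity!r}")
    blocking = sorted(
        (i for i in issues if is_blocking(i, min_severity, gated_types)),
        key=lambda i: (i.get("component", ""), i.get("line") or 0),
    )
    if not blocking:
        return GateResult(True, [], f"Security gate: passed (threshold {min_severity})")
    lines = [f"Security gate: FAILED ({len(blocking)} blocking issue(s), "
             f"threshold {min_severity})"]
    for i in blocking:
        where = f"{i.get('component', '?')}:{i.get('line', '?')}"
        lines.append(f"  {i.get('severity', '?')} {i.get('type', '?')} {where} "
                     f"[{i.get('rule', '?')}] {i.get('message', '')}")
    return GateResult(False, blocking, "\n".join(lines))


def main() -> int:
    """Gate the constructed sample; exit code 1 fails the CI job."""
    result = evaluate(parse_issues(SAMPLE_RESPONSE))
    print(result.report)
    return 0 if result.passed else 1


if __name__ == "__main__":
    sys.exit(main())
```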

Developer security training tools emerge

Application code scans and continuous integration tests only go so far to make applications secure by design. DevSecOps organizations will also use updated tools to further developer security skills training.


“Sooner or later, companies put security scanning tools in place, then realize they’re not enough, because people don’t understand the output of those tools,” said Mark Felegyhazi, CEO of Avatao.com Innovative Learning Ltd, a startup in Hungary that sells developer security skills training software. Avatao competitors in this emerging field include Secure Code Warrior, which offers gamelike interfaces that train developers in secure application design. Avatao also offers a hands-on gamification approach, but its tools also cover threat modeling, which Secure Code Warrior doesn’t address, Felegyhazi said.

Firms also will look to internal and external training resources to build developer security skills. Beeline has sent developers to off-site security training, and plans to set up a sandbox environment for developers to practice penetration testing on their own code, so they better understand the mindset of attackers and how to head them off, Chickillo said.

Higher education must take a similar hands-on approach to bridge the developer security skills gap for graduates as they enter the workforce, said Gabor Pek, CTO at Avatao, in a DevSecCon presentation about security in computer science curricula.

“Universities don’t have security champion programs,” Pek said. “Most of their instruction is designed for a large number of students in a one-size-fits-all format, with few practical, hands-on exercises.”

In addition to his work with Avatao, Pek helped create a bootcamp for student leaders of capture-the-flag teams that competed at the DEFCON conference in 2015. Capture-the-flag exercises offer a good template for the kinds of hands-on learning universities should embrace, he said, since they are accessible to beginners but also challenge experts.

Using visualizations and analytics in media content

BOSTON — Among countless online newspapers and journals, blogs, videos and social media feeds, the modern digital consumer has a dizzying amount of media sources to choose from.

As content creators vie for consumer attention, some organizations have turned to data visualization and advanced analytics in media to gain an advantage.

Visualizing data analytics in media

Take, for example, Condé Nast, an American-based mass media company whose 19 brands attract around 150 million consumers.

With a diverse portfolio that includes The New Yorker, Wired and Teen Vogue, the media company needs to capture the attention of numerous social groups and niches around the world. Condé Nast has found that interactive charts and graphs appeal to the inquisitiveness of most types of consumers.

Compared with static images, interactive visualizations “introduce a whole new level [to content], and increase time spent” on content by consumers, said Danielle Carrick, a data visualization designer and developer at Condé Nast, during a presentation this week at the 2018 Data Visualization Summit.

Carrick showed examples of colorful, easy-to-read charts and graphs. Large gray and red bars with moveable sliders on the entertainment and culture site Glamour plainly illustrated the disparity between men and women Oscar nominees since 1928.

On Teen Vogue, an in-depth interactive scatterplot of tweets from @realDonaldTrump splashed red dots across the screen. Each visualization, though in itself an example of analytics in media, was different.

“Same type of data, totally different way to look at it,” Carrick said of the visualizations.

Danielle Carrick of Condé Nast speaks at the 2018 Data Visualization Summit in Boston this week.

Static still around

The benefits of consistently changing the way data sets are illustrated are twofold, Carrick said. This varied approach gives consumers new and fresh ways to interact with different data sets, and also enables her and her team to be creative.


Carrick noted that despite the increased use of interactive visuals, static graphs and images are far from being phased out.

Static visuals are still used most often, and are developed separately by each brand rather than by a team working directly under the Condé Nast flag. Understandably, interactive data sets are harder to create, and require input from the local editor, writer and design team working on the content piece.

There’s a lot of communication, Carrick said, and ultimately, it’s up to the brand to decide if it will use the visual.

“They’re not going to publish something they don’t think their readers are interested in,” she said.

Internally, the team employs Qlik software, which has revamped its visualization capabilities recently to better compete with rival self-service BI vendor Tableau, for analytics in media.

And while Carrick admitted that more tracking needs to be done to measure the results of using interactive visuals, they seem to both draw in more consumers and keep them on the webpage longer.

Ad analytics

Visualizations aren’t the only ways organizations are using analytics in media, however.

In a separate presentation at the parallel 2018 Big Data Innovation Summit, Carla Pacione, senior director of data and systems at Comcast Spotlight, talked about how advanced analytics plays a role in the telecommunication conglomerate’s advertising efforts. In particular, Pacione highlighted the importance of digital metrics, which she said “really took the level of advertising to a whole new level.”

Thanks to new and updated technologies in TV and digital metrics, including embedding a pixel in commercials that can capture household and engagement data, organizations like Comcast can better measure metrics today and enable them to gain deeper insights, Pacione said.

Comcast is piloting more advanced “household addressable TV advertising” — the ability to send more targeted and relevant ads to different households watching the same TV program.

While Pacione noted Comcast uses third-party organizations to track purchases and predict future purchases, being better able to measure metrics is what has enabled such advances in analytics for media advertising.

With so many different ways of consuming media, Pacione said it will be important for media partners to work together to share information and advice and ultimately better target consumers.

Already, she said, “we’re starting to see that sharing in the industry because there’s just so much to learn.”

The 2018 Data Visualization Summit and the 2018 Big Data Innovation Summit were held Sept. 11 to 12 at the Renaissance Boston Waterfront Hotel.

HubSpot enterprise edition unveiled

BOSTON — Since its inception, HubSpot has been known as a software company for SMBs, providing low-cost or free versions of marketing automation and CRM software, eventually adding sales and service tools.

Now the inbound marketing automation software vendor is targeting the enterprise market, with new products that the company said are commercially available now.

At its annual user conference, Inbound 2018, HubSpot unveiled a lineup of HubSpot enterprise tools aimed at helping companies that have outgrown the vendor’s initial products stay with HubSpot.

HubSpot had to expand reach

HubSpot “was losing customers, so it needed to expand,” said Predrag Jakovljevic, principal analyst at Technology Evaluation Centers.

Jakovljevic said with the HubSpot enterprise products, the company can target larger companies that need more scalability. He said HubSpot enterprise products can scale up to companies with up to about 2,000 employees.

The launch was not without its glitches. Early Sept. 6, the morning after HubSpot introduced the enterprise platform, an outage occurred. Tweeters quickly exposed it via the #HubSpotDown hashtag. HubSpot got it back online, blaming “configuration code” issues in a company blog.

HubSpot also released a video creation tool and a CMS product.

HubSpot co-founder and CEO Brian Halligan keynotes at Inbound, HubSpot’s annual user conference

The branding could be seen as slightly confusing, as the term “enterprise” is commonly used to refer to the largest of organizations — ones with multiple departments scattered across locations, said Laurie McCabe, an analyst and partner at SMB Group. HubSpot, however, is using enterprise in terms of scaling up an organization’s processes.

“In the tech industry, we’ve taken the word ‘enterprise’ to mean large businesses,” McCabe said. “HubSpot is just continuing to grow with its customers.”

Moving to enterprise

Among the new HubSpot enterprise offerings are Sales Hub Enterprise and Service Hub Enterprise.

Sales Hub Enterprise offers the capability to build out best practices and resources for a sales team — useful for enterprises trying to get large sales teams working in the same direction. Service Hub Enterprise includes features to help teams track against service-level agreements and other service metrics.

The existing Marketing Hub Enterprise received upgrades around analytics and custom bot capabilities. HubSpot now offers three levels of sales, marketing and service products: starter, professional and enterprise.


Users at Inbound 2018 expressed enthusiasm about some of the new features, but also wondered whether HubSpot enterprise products were right for their organization.

“We’re trying to embrace tech and bring an old-fashioned niche market into the modern world,” said Chad Wiertzema, creative marketing manager at ITM TwentyFirst, an independent life insurance firm. “We’ve used [HubSpot Marketing Hub] for about a year now at the professional level, and we’re wondering if it makes sense for us to use the enterprise product.”

Wiertzema said he spoke to a HubSpot rep about the enterprise product and whether ITM TwentyFirst would benefit from it, as the company has grown over the past five years.

“We’re getting close to it,” he said, referring to his company’s growth and whether it is ready for a larger-scale platform from HubSpot.

HubSpot adds video creation

HubSpot said it hopes that its new suite of products will enable its customers to better sell customer experiences, rather than products or services.

“The product used to win,” said Brian Halligan, co-founder and CEO of HubSpot, in a keynote. “Now the customer experience is what wins.”

HubSpot’s CTO and other co-founder, Dharmesh Shah, echoed that sentiment from the conference stage.

“Improving your experience by 10 times is much easier than improving your product by 10 times,” Shah said.

HubSpot also released a video feature available across its suite of products. HubSpot Video — powered by partner Vidyard — will include video hosting, in-video forms and a video creation tool.

HubSpot Video enables marketers to host and manage video files for campaigns, according to the company. Sales reps can create and share personalized videos from the CRM and service teams can help customers more completely with personalized service videos.

“Videos are what customers want,” McCabe said. “And they are sometimes easier to produce than blog posts.”

Video for creating content

Other users spoke positively about the potential for HubSpot Video, with creating content becoming a bigger priority for many companies.

Meanwhile, other features across all three HubSpot enterprise products include Slack integrations, machine learning for predictive lead scoring and Conversations — HubSpot’s communication unifier, previewed a year ago and commercially released in August 2018.

HubSpot also released a stand-alone CMS tool to help with website creation, as well as a Service Hub Starter product, which helps organizations do entry-level service requests like ticketing, help desk services and connecting with customers through live chat.

Pricing for HubSpot products varies depending on whether an organization licenses the starter, professional or enterprise level.

Revenue ops main theme at Ramp by InsightSquared conference

Customers, potential customers and partners of InsightSquared Inc. gathered in Boston for two days for Ramp 2018, the dashboard and reporting software vendor’s second annual conference. The Pipeline podcast was there to take in the conference festivities.

Revenue ops was among the main topics discussed at Ramp, with keynotes and conversations dedicated to the idea of bringing together marketing, sales and service departments to improve ROI and revenue.

To help companies with that objective, InsightSquared also unveiled a new set of marketing analytics tools that may help companies uncover insights within the marketing process, including marketing attribution, demand management, and planning and analysis.

“There’s a natural tension between sales and marketing,” said Matisha Ladiwala, GM of marketing analytics for InsightSquared, on the conference stage. Ladiwala ran through a demo of some of the tools’ capabilities before two InsightSquared customers spoke about using the marketing analytics tools.

One of Ladiwala’s demos showed a dashboard that united data from the sales and marketing departments and determined how quickly sales followed up on leads and how many leads were making it into the funnel. This revenue ops approach is beneficial to companies that have traditionally used a more manual, time-intensive approach to reporting, according to InsightSquared.


One InsightSquared user, Guido Bartolacci, manager of acquisition and strategy at New Breed, an inbound marketing and sales agency, told conference attendees: “Aggregating information from areas was very manual and time-consuming.”

By using InsightSquared’s new marketing analytics tools while in beta, the marketing and sales agency was able to pull together data from multiple sources quickly and with more insight, Bartolacci said.

Beyond discussing the revenue ops-focused conference, this Pipeline podcast also touches on some of the other speakers at Ramp, including Nate Silver, data scientist and founder of the FiveThirtyEight blog, and TrackMaven CEO Allen Gannett, who gave a lively, entertaining keynote on creativity.

InsightSquared unveils marketing analytics tools

BOSTON — InsightSquared unveiled new marketing analytics tools aimed at providing better insight into how marketing is getting leads into play and how those leads translate into sales.

“There’s natural tension between sales and marketing,” said Matisha Ladiwala, general manager of marketing analytics at InsightSquared, based in Boston. Ladiwala spoke to an audience of about 500 — mostly customers — at the data visualization and reporting vendor’s second annual Ramp 2018 conference at the Westin Boston Waterfront hotel.

InsightSquared executives at the conference on Aug. 7 said bringing together marketing, sales and service departments — collectively known as revenue ops — is its main business goal, and the new marketing analytics tools would help unlock those hidden insights.

Measuring marketing revenue

The marketing analytics tools are intended to relieve some of the tension often found between those departments by providing interactive, current dashboards that display how marketing campaigns are doing and when and how many leads entered the sales funnel. The new tools also include more planning and reporting capabilities.

Matisha Ladiwala, GM for marketing analytics at InsightSquared, demos new marketing analytics tools.

“It’s a great way to build trust and credibility with other departments and optimize which marketing campaigns are giving you results,” Ladiwala said. “The dashboards are there to give you the confidence that you’re investing in the right things.”

Most InsightSquared customers at the conference hadn’t yet seen the marketing analytics software in action to gauge how it could affect revenue operations or how well it brings different departments together. But a few customers used the marketing analytics tools in beta, and while speaking onstage at the conference, they said the software helped find key insights that were often somewhat hard to unearth.

The marketing analytics tools are commercially available now, according to InsightSquared.

Automation key to efficiency


“Aggregating that information from those areas was very manual and time-consuming,” said Guido Bartolacci, manager of acquisition and strategy for New Breed, a marketing and sales agency based in Winooski, Vt. “We were taking all this time pulling together information, rather than analyzing it.”

Bartolacci said New Breed was having difficulty bringing together its own information from its disparate sources, including Google Analytics and Salesforce.

By using the marketing analytics tools, New Breed was able to measure the value of marketing processes and help its sales department focus on the right leads, he said.

“What we’ve been able to do with a marketing-generated revenue [report], we can tell how much revenue marketing is creating for the bottom line,” Bartolacci said. “It’s been great for sales and marketing and helps unify our teams to work more efficiently. Marketing exists to drive revenue, but these reports help us understand how and why that happens.”

Dashboards help sales enablement

Another customer, ThriveHive, a digital marketing company based in Quincy, Mass., is using InsightSquared’s marketing analytics software to help connect its disparate marketing and sales tools.

“We have a complicated marketing and sales stack,” said Adam Blake, ThriveHive’s chief marketing officer. “Every week, I’d make my team go through a day of hell by compiling data from all these different platforms and put them in Excel.”

By doing those reports manually, Blake said ThriveHive employees often wouldn’t know if something went wrong with a prospect until it was too late. By switching to live reporting and dashboards with the InsightSquared marketing analytics tools, ThriveHive was able to find more insights in its prospect funnel.

“We now have dashboards showing how quickly sales reps follow up with leads,” Blake said.

Cybersecurity and physical security: Key for ‘smart’ venues

When Boston Red Sox President and CEO Sam Kennedy joined the organization in 2001, the team’s management was facing questions about the then-89-year-old Fenway Park.

There was a campaign to tear down Fenway and build a new baseball stadium elsewhere in the city — a plan that was quickly nixed by Red Sox management in favor of one to preserve, protect and enhance the Boston landmark. One big obstacle they had to consider was how to handle potential threats more dangerous than the New York Yankees.

“Our job is to anticipate threats — probably the biggest threat to the sports industry, in general, would be some type of massive security breach or failure,” Kennedy said. “It’s certainly something that keeps us up at night.”

Kennedy made his remarks during the Johnson Controls Smart Ready Panel last week at Fenway Park, where panelists discussed how venues, buildings and cities are striving to become smarter and more sustainable.

To upgrade the park for the 21st century, the Red Sox organization began a project called Fenway 2.0 that would improve the fan experience via technology upgrades, additional seating and renovations to the area surrounding the park.

Another big part of the Fenway 2.0 project was working closely with city officials to protect fans’ cybersecurity and physical security.

“We have incredible partners at the city of Boston,” Kennedy said. “We work very closely with those guys and the regional intelligence center to make sure we’re doing everything we possibly can … to make sure that Fenway is safe.”

Cybersecurity a ‘smart’ priority

During the panel, Johnson Controls’ vice president of global sustainability and industry initiatives, Clay Nesler, pointed to a company-issued survey that showed cybersecurity capabilities were among the top technologies that respondents predicted would have the most influence on smart building and smart city development over the next five years.

Cities and large venues like Fenway Park certainly deliver many benefits to patrons through advanced technology, but these amenities also create potential risk, Nesler added. Several questions have to be answered, he said, before making upgrades to tech such as Wi-Fi capabilities: “Can systems be easily updated with the latest virus protection? Do you really limit user access in a very controllable way? Is the data encrypted?”


Questions such as these are exactly why thinking ahead is essential to smart facility development, said panelist Elinor Klavens, senior analyst at Sports Innovation Lab, based in Boston.

“This is an open space that possibly could have Amazon drones flying over soon. What does that mean for the security of the people inside of it?” Klavens said. “We see venues really struggling to figure out how to secure themselves on that cyber level.”

Technology is certainly an enabler to get smarter about cybersecurity and physical security capabilities, Nesler said, but it’s still up to humans to interpret data. For example, new tech allows venues to create a 3D heat map of exactly how many people are in a 10-square-foot area to determine how fast they’re moving and find ways to avoid large groups slowing down during normal ingress and egress times. This information can also prove very valuable to prepare for emergency evacuations, Nesler said.

“We need to be clever about what’s really valuable to both the operations side and the fans and really be smart-ready in putting [in] place the systems and infrastructure to support things we haven’t even thought of yet,” Nesler said. 

The data access conundrum

The new technology offered by smart venues poses other concerns, as well, Kennedy said. For example, fans distracted by looking at their smartphones or digital screens could be putting themselves in danger of being hit by a foul ball at a baseball game, and ones watching events through smart glasses bring up potential legal questions regarding the event’s distribution rights. 

This goes back to the importance of communication for a smart venue to be successful, Kennedy said, with building management working together to ensure all of Fenway’s cybersecurity and physical security bases are covered.

“We need to be very, very careful in terms of providing fan safety,” Kennedy said.

And, of course, taking advantage of these technological advances often requires smart venues and cities to analyze a plethora of consumer-generated data. As a result, they must balance tapping into readily available data to improve amenities, cybersecurity and services with privacy concerns, Klavens said.

“Figuring out how to balance what is good for your fans and what is also your public’s appetite for giving up privacy in a public space is another way which we see venues really helping cities improve their understanding about how these new technologies will be deployed,” Klavens said.

How to know if, when and how to pursue blockchain projects

BOSTON — There is no shortage of blockchain platforms out there; the numbers now run in the dozens. As for enumerating potential blockchain projects, it may be easier to list the blockchain use cases companies are currently not exploring. Moreover, although blockchain’s approach to verifying and sharing data is novel, many of the technologies used in blockchain projects have been around for a long time, said Martha Bennett, a CIO analyst at Forrester Research who’s been researching blockchain since 2014.

Even the language around blockchain is settling down. Bennett said she uses the terms blockchain and distributed ledger technology interchangeably.

But the growth and interest in blockchain projects doesn’t mean the technology is mature or that we know where it is headed, Bennett told an audience of IT executives at the Forrester New Tech & Innovation 2018 Forum. Just as in the early days of the internet when few anticipated how radically a network of networks would alter the status quo, today we don’t know how blockchain will play out.

“It is still a little bit of a Wild West. I should clarify that and say, it is the Wild West,” she said. Additionally, no matter how revolutionary distributed ledger technology may prove to be, Bennett said “nothing is being revolutionized today from an enterprise perspective,” because distributed ledger technology is not yet being deployed at scale.

Dirty hands

Indeed, IT leaders have their work cut out for them just figuring out how these nascent distributed ledger platforms perform at enterprise scale, and where they would be of use in the businesses they serve.

“At this stage, you really need to open up the covers and understand what a platform offers and what is in there. You have to get your hands dirty,” she said.

Blockchain projects today are about “thinking really big but starting small,” she said. If what gets accomplished is “inventing a faster horse” — that is, taking an existing process and making it a bit better — the endeavor will help IT leaders learn about how blockchain architectures work. That’s important because it’s hard “to catch up on innovation,” she said. “If you wait until things are settled it may be too late.” 

While CIOs get up to speed, they also need to think about using blockchain to reinvent how their companies function internally and how they do business. “That is the big bang,” she said, but added it may take decades for blockchain to give birth to a new order.

Forrester analyst Martha Bennett presents on blockchain at the Forrester New Tech & Innovation 2018 Forum.

In a 90-minute session that included a talk by the IT director of the Federal Reserve Bank of Boston about how the Fed is approaching blockchain (blogged about here), Bennett ticked through:

  • Forrester’s definition of blockchain and why the wording merited close attention;
  • why blockchain projects remain in pilot phase;
  • a checklist to assess if you have a viable blockchain use case; and
  • situations when blockchain can help.

Here are some of the salient pointers for CIOs:

What is blockchain?

Blockchain, or distributed ledger technology, as defined by Forrester, “is a software architecture that supports collaborative processes around trusted data that is shared across organizational and potentially national boundaries.”

The wording is important. Architecture, because blockchain is a technology principle and not about any one platform. Collaborative, because blockchain is a “team sport, not something you do for yourself,” Bennett said, requiring anywhere between three and 10 partners. (Under three will not provide the diversity of views blockchain projects need, while more than 10 is “like herding cats.”) Blockchain requires data you can “trust to the highest degree,” she said, and it is about sharing. In many cases, CIOs will find they can deliver the service in question “better, faster, cheaper with existing technologies,” she said. “But what you don’t get is that collaborative aspect, extending processes across organizational boundaries.”

What factors hold back enterprise-scale deployment?

Companies are exploring a plethora of blockchain projects, from car sharing and tracking digital assets to securities lending, corporate loans and data integrity. Full deployment can’t happen until experimenters figure out if the software can scale; if it needs to integrate with existing systems and if so, how to do that; what regulatory and compliance requirements must be met; and what business process changes are required both internally and at partner organizations in the blockchain, among other hurdles.

“We are seeing projects transition beyond the POC [proof of concept] and pilot phase, but that is not the same as full-scale rollout,” Bennett said.

How to decide whether to take on a blockchain use case

“If you don’t have a use case, don’t even start,” Bennett said. A company can come to Forrester and ask for examples of good use cases, she said, but ultimately only the company knows its organization and industry well enough to be able to pinpoint how blockchain might make the process better. She suggested asking these questions to help clarify the use case:

  • What problem are you trying to solve with blockchain?
  • Do other ecosystem participants have the same or related issues?
  • What opportunity are you trying to capture?
  • Do you have your ecosystem (which can comprise competitors) on board?

On the last question, Bennett explained that even rich industries like investment banking need to address process efficiency. “Everybody needs to worry about how much it costs to run IT operations,” she said. If competitors have common processes that are costly and cumbersome, why not consider sharing them using blockchain?

How to know when blockchain helps

Here is Bennett’s checklist for identifying when blockchain can be of use:

  • Are there multiple parties that need access to the same data store?
  • Does everybody need assurance that the data is valid and hasn’t been tampered with?
  • What are the conditions of the current system — is it error-prone, incredibly complex, unreliable, filled with friction?
  • Are there good reasons not to have a single, centralized system?

Distributed ledger technology introduces complexity and risk precisely for the reasons listed above. In addition to making the technology scale, adopters are still wrestling with how to balance transparency and privacy, and how to handle exceptions.

Avoid preserving ‘garbage in a more persistent way’

Distributed ledger technology, Bennett stressed, also cannot fix problems with the data. “If your data is bad to start with, it will still be bad. You’re just preserving garbage in a more persistent way,” she said. A lot of blockchain projects target tracking and provenance of goods to take cost out of the supply chain and reduce fraud. Those are “great use cases,” she said. But if the object being tracked has been tampered with — even if you have established an unbreakable link between the physical object and the data on the blockchain — “the representation on the blockchain is a problem because suddenly you are tracking a fake item,” she said. Physical fraud issues need to be fixed for the blockchain to be of value.

The 80/20 rule

The digitization of paper processes has been the “real breakthrough,” but blockchain cannot “turn paper into anything digital,” Bennett said. If processes haven’t been digitized yet, CIOs need to get their enterprises to ask themselves why because that is the starting point.

Finally, CIOs must understand that technology problems notwithstanding, blockchain projects are 80% about the business and 20% about technology. 

“Technology problems have a habit of being addressed and of being resolved,” Bennett said. Business issues — digitizing, dismantling internal silos, redesigning processes — can take far longer.

As AI identity management takes shape, are enterprises ready?

BOSTON — Enterprises may soon find themselves replacing their usernames and passwords with algorithms.

At the Identiverse 2018 conference last month, a chorus of vendors, infosec experts and keynote speakers discussed how machine learning and artificial intelligence are changing the identity and access management (IAM) space. Specifically, IAM professionals promoted the concept of AI identity management, where vulnerable password systems are replaced by systems that rely instead on biometrics and behavioral security to authenticate users. And, as the argument goes, humans won’t be capable of effectively analyzing the growing number of authentication factors, which can include everything from login times and download activity to mouse movements and keystroke patterns. 

Sarah Squire, senior technical architect at Ping Identity, believes that use of machine learning and AI for authentication and identity management will only increase. “There’s so much behavioral data that we’ll need AI to help look at all of the authentication factors,” she told SearchSecurity, adding that such technology is likely more secure than relying solely on traditional password systems.

During his Identiverse keynote, Andrew McAfee, principal research scientist at the Massachusetts Institute of Technology, discussed how technology, and AI in particular, is changing the rules of business and replacing executive “gut decisions” with data intensive predictions and determinations. “As we rewrite the business playbook, we need to keep in mind that machines are now demonstrating excellent judgment over and over and over,” he said.

AI identity management in practice

Some vendors have already deployed AI and machine learning for IAM. For example, cybersecurity startup Elastic Beam, which was acquired by Ping last month, uses AI-driven analysis to monitor API activity and potentially block APIs if malicious activity is detected. Bernard Harguindeguy, founder of Elastic Beam and Ping’s new senior vice president of intelligence, said AI is uniquely suited for API security because there are simply too many APIs, too many connections and too wide an array of activity to monitor for human admins to keep up with.

There are other applications for AI identity management and access control. Andras Cser, vice president and principal analyst for security and risk professionals at Forrester Research, said he sees several ways machine learning and AI are being used in the IAM space. For example, privileged identity management can use algorithms to analyze activity and usage patterns to ensure the individuals using the privileged accounts aren’t malicious actors.

“You’re looking at things like, how has a system administrator been doing X, Y and Z, and why? If this admin has been using these three things and suddenly he’s looking at 15 other things, then why does he need that?” Cser said.

In addition, Cser said machine learning and AI can be used for conditional access and authorization. “Adaptive or risk-based authorization tend to depend on machine learning to a great degree,” he said. “For example, we see that you have access to these 10 resources, but you need to be in your office during normal business hours to access them. Or if you’ve been misusing these resources across these three applications, then it will ratchet back your entitlements at least temporarily and grant you read-only access or require manager approval.”

Algorithms are being used not just for managing identities but creating them as well. During his Identiverse keynote, Jonathan Zittrain, George Bemis professor of international law at Harvard Law School, discussed how companies are using data to create “derived identities” of consumers and users. “Artificial intelligence is playing a role in this in a way that maybe it wasn’t just a few years ago,” he said.

Zittrain said he had a “vague sense of unease” around machine learning being used to target individuals via their derived identities and market suggested products. We don’t know what data is being used, he said, but we know there is a lot of it, and the identities that are created aren’t always accurate. Zittrain joked about how when he was in England a while ago, he was looking at the Lego Creator activity book on Amazon, which was offered up as the “perfect partner” to a book called American Jihad. Other times, he said, the technology creates anxieties when people discover they are too accurate.

“You realize the way these machine learning technologies work is by really being effective at finding correlations where our own instincts would tell us none exist,” Zittrain said. “And yet, they can look over every rock to find one.”

Potential issues with AI identity management

Experts say allowing AI systems to automatically authenticate or block users, applications and APIs with no human oversight comes with some risk, as algorithms are never 100% accurate. Squire says there could be a trial and error period, but added there are ways to mitigate those errors. For example, she suggested AI identity management shouldn’t treat all applications and systems the same and suggested assigning risk levels for each resource or asset that requires authentication.

“It depends on what the user is doing,” Squire said. “If you’re doing something that has a low risk score, then you don’t need to automatically block access to it. But if something has a high risk score, and the authentication factors don’t meet the requirement, then it can automatically block access.”

Squire said she doesn’t expect AI identity management to remove the need for human infosec professionals. In fact, it may require even more. “Using AI is going to allow us to do our jobs in a smarter way,” she said. “We’ll still need humans in the loop to tell the AI to shut up and provide context for the authentication data.”

Cser said the success of AI-driven identity management and access control will depend on a few critical factors. “The quality and reliability of the algorithms are important,” he said. “How is the model governed? There’s always a model governance aspect. There should be some kind of mathematically defensible, formalized governance method to ensure you’re not creating regression.”

Explainability is also important, he said. Vendor technology should have some type of “explanation artifacts” that clarify why access has been granted or rejected, what factors were used, how those factors were weighted and other vital details about the process. If IAM systems or services don’t have those artifacts, then they risk becoming black boxes that human infosec professionals can’t manage or trust.
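As an added example (not from the article or from any vendor named in it), here is a small risk-based authorization evaluator that applies per-resource risk levels as Squire suggests, ratchets entitlements back on misuse as Cser describes, and records the explanation artifact he asks for. Resource names, risk tiers, factor weights and the sample requests are all constructed.

```python
"""Added example, not from the article: a small risk-based authorization policy of the
kind Cser and Squire describe, emitting the "explanation artifacts" Cser asks for."""
from dataclasses import dataclass, field
from datetime import datetime

RESOURCE_RISK = {"wiki": "low", "crm": "medium", "payroll": "high"}  # constructed tiers
FACTOR_WEIGHTS = {"in_office": 0.3, "business_hours": 0.2, "mfa": 0.5}  # constructed weights
REQUIRED_SCORE = {"low": 0.0, "medium": 0.5, "high": 0.8}  # constructed minimum per tier


@dataclass
class Request:
    user: str
    resource: str
    when: datetime
    in_office: bool
    mfa: bool
    misuse_flags: int = 0  # misuse events recently flagged across applications


@dataclass
class Decision:
    effect: str  # allow | read_only | needs_approval | deny
    score: float
    required: float
    factors: dict = field(default_factory=dict)
    reasons: list = field(default_factory=list)  # the explanation artifact


def evaluate(req: Request) -> Decision:
    tier = RESOURCE_RISK.get(req.resource, "high")  # unknown resource: fail closed
    required = REQUIRED_SCORE[tier]
    business_hours = req.when.weekday() < 5 and 9 <= req.when.hour < 18
    factors = {"in_office": req.in_office, "business_hours": business_hours, "mfa": req.mfa}
    score = round(sum(w for f, w in FACTOR_WEIGHTS.items() if factors[f]), 2)
    reasons = [f"{req.resource} is {tier} risk; needs score >= {required}",
               f"present factors {[f for f, v in factors.items() if v]} weigh {score}"]
    d = Decision("allow", score, required, factors, reasons)
    if req.misuse_flags >= 3:
        d.effect = "read_only"  # ratchet entitlements back temporarily
        reasons.append(f"{req.misuse_flags} misuse flags: entitlements reduced")
    elif score < required and tier == "high":
        d.effect = "deny"  # high-risk asset and factors short of requirement: block
        reasons.append("high-risk resource, factors below requirement: blocked")
    elif score < required:
        d.effect = "needs_approval"
        reasons.append("medium-risk resource, factors short: manager approval needed")
    else:
        reasons.append("factors meet requirement: allowed")
    return d


def sample_decisions():
    """Constructed requests (Identiverse week, 2018); returns each Decision by name."""
    tue_10am = datetime(2018, 6, 26, 10, 0)
    tue_11pm = datetime(2018, 6, 26, 23, 0)
    cases = {
        "wiki_no_factors": Request("alice", "wiki", tue_11pm, False, False),
        "payroll_office_no_mfa": Request("alice", "payroll", tue_10am, True, False),
        "payroll_office_mfa": Request("alice", "payroll", tue_10am, True, True),
        "crm_home_night": Request("alice", "crm", tue_11pm, False, False),
        "crm_mfa_misuse": Request("alice", "crm", tue_10am, True, True, misuse_flags=3),
    }
    return {name: evaluate(r) for name, r in cases.items()}
```

Each returned Decision carries its reasons list, which is the kind of artifact a reviewer can audit instead of trusting a black box.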

Regardless of potential risks, experts at Identiverse generally agreed that machine learning and AI are proving their effectiveness and expect an increasing amount of work to be delegated to them. “The optimal, smart division of labor between what we do — minds — and [what] machines do is shifting very, very quickly,” McAfee said during his keynote. “Very often it’s shifting in the direction of the machines. That doesn’t mean that all of us have nothing left to offer, that’s not the case at all. It does mean that we’d better re-examine some of our fundamental assumptions about what we’re better at than the machines because of the judgment and the other capabilities that the machines are demonstrating now.”

IAM engineer roles require training and flexibility

BOSTON — As identity and access management become more critical to security strategies, organizations must be on the lookout for good identity engineers — and there are a few different ways IT can approach this staffing.

Identity and access management (IAM) is increasingly essential as mobile devices add new access points for employees and fresh ways to leak corporate data. But the job market still lacks skilled IAM engineer candidates, so organizations may be better off training existing IT staff or hiring general security engineers and teaching them IAM, experts said here at this week’s Identiverse conference.

“Focus on general IT skills and roles [when you] hire engineers,” said Olaf Grewe, director of access certification services at Deutsche Bank, in a session. “Don’t wait for this elusive candidate that has all of this baked in. Bring them up to where you need to be.”

IAM job market landscape

Job growth in IAM has surged in the past year, with about 1,500 IAM engineer openings currently in the Boston area, 4,800 in the D.C. area and 3,320 in Silicon Valley, according to a presentation by Dave Shields, a senior security architect for IAM at DST Systems, a financial technology company in Kansas City.

“It is finally reaching a state where people see that it’s a viable place to have [a career],” said Shields, who was also recently the managing director of IT and ran IAM at the University of Oklahoma. “There are so many things you can do with it.”

There aren’t enough people already skilled in IAM to fill these roles, however, and those who are may not live nearby. Instead, IT departments can train up existing staff on IAM — but the key is to choose the right people.

“The best engineers you’re going to find are the people who aren’t afraid to break stuff,” Shields said. “Maybe you have a sysadmin who gets into systems and was able to make them do things they were never able to do before. Talk to that person.”

The person should also be flexible, adaptable to change and willing to ask questions others don’t want to hear, he said. Other desirable qualities for an IAM engineer are creativity and an ability to understand the business’ functions and the technology in use.

“Find someone who can look at something and say, ‘I can make that better,'” Shields said. “There are some things that simply cannot be taught.”

IAM and security go hand in hand

Deutsche Bank is currently building up an IAM team that includes existing IT staff and external hires, which the company then trains on IAM skills. That involves four major steps: baseline IAM training, then vendor-specific education, then CISSP, followed by continuous learning over time via conferences, lunch and learns, and updated vendor training.


“We need to make sure people have access to the right resources,” Grewe said. “We want to have people who are continuously developing.”

General security skills are especially important for IAM engineer candidates, experts said. Sarah Squire, a senior technical architect at Ping Identity, started out by learning the important security specs and standards as a way toward training up on identity management.

“It’s a lot of on-the-job training,” Squire said. “We’re starting to realize that we really need a base body of knowledge for the entire field.”

For that reason, Squire along with Ian Glazer, vice president for identity product management at Salesforce, founded IDPro, a community for IAM professionals. Launched at last year’s Identiverse (then Cloud Identity Summit), IDPro is currently forming the body of knowledge that an IAM engineer must know, and plans to offer a certification in the future, Squire said.

“It’s really important that people who come in not only understand IAM but also really understand security,” Grewe said.

It’s also important to determine where within the organization those IAM professionals will live. Is it operations? Development? Security?

“A lot of people just don’t know where that fits,” Shields said. “There is nowhere better for them to be in my opinion than on the IT security team.”

Grewe’s team at Deutsche Bank, for instance, works under the chief security officer, which has a lot of budget to work with, he said. At IBM, the team that handles internal identity management works closely with HR and other groups that are involved in employees’ access rights, said Heather Hinton, vice president and chief information security officer for IBM Hybrid Cloud.

“[Organizations] need to figure out how to be less siloed,” she said.

New types of authentication take root across the enterprise

BOSTON — When IT professionals develop a strategy for user password and authentication management, they must consider the two key metrics of security and usability.

IT professionals are looking for ways to minimize the reliance on passwords as the lone authentication factor, especially because 81% of hacking breaches occur due to stolen or weak passwords, according to Verizon’s 2017 Data Breach Investigations Report. Adding other types of authentication to supplement — or even replace — user passwords can ensure security improves without hurting usability.

“Simply put, the world has a password problem,” said Brett McDowell, executive director of the FIDO Alliance, based in Wakefield, Mass., here in a session at Identiverse.

A future without passwords?

Types of authentication that only require a single verification factor could be much more secure if users adopted complex, harder-to-predict passwords, but this pushes up against the idea of usability. The need for complex passwords, along with the 90- to 180-day password refreshes that are an industry standard in the enterprise, means that reliance on passwords alone can’t meet security and usability standards at the same time.

“If users are being asked to create and remember incredibly complex passwords, IT isn’t doing its job,” said Don D’Souza, a cybersecurity manager at Fannie Mae, based in Washington, D.C.

IT professionals today are turning to two-factor authentication, relying on biometric and cryptographic methods to supplement passwords. The FIDO Alliance, a user authentication trade association, pushes for two-factor authentication that entirely excludes passwords in their current form.


McDowell broke down authentication methods into three categories:

  • something you know, such as a traditional password or a PIN;
  • something you possess, such as a mobile device or a token card; and
  • something you are, which includes biometric authentication methods, such as voice, fingerprint or gesture recognition.

The FIDO Alliance advocates for organizations to shift toward the latter two of these options.

“We want to take user vulnerability out of the picture,” McDowell said.

Taking away password autonomy from the user could improve security in many areas, but none more directly than phishing. Even if a user falls for a phishing email, his authentication is not compromised if two-factor authentication is in place, because the hacker lacks the cryptographic or biometric authentication access factor.

“With user passwords as a single-factor authentication, the only real protection against phishing is testing and training,” D’Souza said.
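As an added example (not from the article, the FIDO Alliance or any vendor named here), the following block shows why a cryptographic second factor bound to the site's origin is not compromised by a phished credential: a response given to a lookalike origin does not verify, and a captured response cannot be replayed. Real FIDO authenticators sign with a per-site asymmetric key; an HMAC over a per-device secret stands in for that signature so the block runs on the standard library, and all names and origins are constructed.

```python
"""Added example, not from the article: a simplified origin-bound challenge-response
second factor in the spirit of the FIDO model the article describes. Real FIDO
authenticators sign with a per-site asymmetric key; an HMAC over a per-device secret
stands in for that signature so this runs on the standard library. Names constructed."""
import hashlib
import hmac
import secrets


class Authenticator:
    """User's device: its secret never leaves it, and it answers only for the origin
    the browser actually reports."""
    def __init__(self):
        self.key = secrets.token_bytes(32)

    def respond(self, origin, challenge):
        return hmac.new(self.key, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class RelyingParty:
    """The real site: keeps the device key from enrolment and issues one-time challenges."""
    def __init__(self, origin):
        self.origin = origin
        self.device_keys = {}
        self.pending = {}

    def enrol(self, user, device):
        self.device_keys[user] = device.key

    def begin_login(self, user):
        self.pending[user] = secrets.token_hex(16)
        return self.pending[user]

    def finish_login(self, user, response):
        challenge = self.pending.pop(user, None)  # each challenge verifies at most once
        if challenge is None:
            return False
        msg = f"{self.origin}|{challenge}".encode()
        expected = hmac.new(self.device_keys[user], msg, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def _enrolled():
    site, device = RelyingParty("https://bank.example"), Authenticator()
    site.enrol("alice", device)
    return site, device


def legitimate_login():
    site, device = _enrolled()
    challenge = site.begin_login("alice")
    return site.finish_login("alice", device.respond(site.origin, challenge))


def response_given_to_lookalike_origin():
    # The user was lured to a lookalike site that forwards the real challenge; the browser
    # reports the lookalike origin to the authenticator, so the response does not verify.
    site, device = _enrolled()
    challenge = site.begin_login("alice")
    return site.finish_login("alice", device.respond("https://bank-example.invalid", challenge))


def replayed_response():
    # A response captured from one login is useless for the next: the challenge is consumed.
    site, device = _enrolled()
    challenge = site.begin_login("alice")
    response = device.respond(site.origin, challenge)
    first = site.finish_login("alice", response)
    site.begin_login("alice")  # fresh attempt, fresh challenge
    return first, site.finish_login("alice", response)
```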

Trickle-down benefits of new types of authentication

Added types of authentication increase the burden on IT when it comes to privileged access management (PAM) and staying up-to-date on user information. But as organizations move away from passwords entirely, IT doesn’t need to worry as much about hackers gaining access to authentication information, because that is only one piece of the puzzle. This also leads to the benefit of cutting down on account access privileges, said Ken Robertson, a principal technologist at GE, based in Boston.

With stronger types of authentication in place, for example, IT can feel more comfortable handing over some simple administrative tasks to users — thereby limiting its own access to user desktops. IT professionals won’t love giving up access privilege, however.

“People typically start a PAM program for password management,” Robertson said. “But limiting IT logon use cases minimizes vulnerabilities.”

Organizations are taking steps toward multifactor authentication that doesn’t include passwords, but the changes can’t happen immediately.

“We will have a lot of two-factor authentication across multiple systems in the next few years, and we’re looking into ways to limit user passwords,” D’Souza said.