Authentication market segment and future

Electronic authentication (e-authentication) is the process of establishing confidence in user identities electronically presented to an information system.

Gartner estimates the authentication provider market at 2 billion dollars, growing at an average of 30% year on year, with about 150 vendors.

Authentication technology companies can be segmented into four types:

  1. Client-side software or hardware, such as PC middleware, smart cards and biometric capture devices (sensors).
  2. Software, hardware or a service, such as access management or Web fraud detection (WFD), that makes a real-time access decision and may interact with discrete user authentication software, hardware or services (for example, to provide "step-up" authentication).
  3. Credential management software, hardware or services, such as password management tools, card management (CM) tools and public-key infrastructure (PKI) certification authority (CA) and registration authority (RA) tools (including OCSP responders).
  4. Software, hardware or services in other markets, such as Web access management (WAM) or VPN, that embed native support for one or many authentication methods.

Specialist vendors provide SDKs, while commodity vendors provide one-time password (OTP) tokens (hardware or software) and out-of-band (OOB) authentication methods.

The industry is shifting from traditional hardware tokens to phone-based authentication methods, or to supporting knowledge-based authentication (KBA) methods or X.509 tokens (such as smart cards). NIST defines three types of authentication methods:

Agile project management for security project

Agile project management incorporates principles of Lean techniques, Kanban and Six Sigma into the software development life cycle. Lean comes into the picture because, instead of a huge inventory of requirements stacking up in the product/project backlog, the inventory is kept as small (as lean) as possible. Security features or requirements are more costly if not caught early in the life cycle or product development life cycle. The paper discusses lean management of security requirements, along with the application of a security testing methodology and of security patterns and anti-patterns to increase reuse and reduce time and cost.

Separation of Duties is not the answer to the problem; it is only the corrective part. Where is the preventive part?

What separation of duty does is pin responsibility on one person in the chain of command who can be held responsible for a failure. But that is only the corrective part of the problem. What about the preventive part? For the preventive part there should be one person in the security team who can work across technologies, from the OS layer to the network layer to the application layer, and also at the data-mining level: doing statistical analysis of logs, or of huge logs on Hadoop clusters of servers, and creating BI reports to know the expected damage. It does not mean one person has to do everything; it only means he can take control of the situation. He is the conductor of the symphony.

Also, analyse the logs of most incidents to make relevant judgements based on the gathered data, and make analytics on that data a possibility. As technology changes, requirement gathering techniques also show faults in not being able to identify gaps: gaps which exist and come up at each step of the SDLC, which can be identified using Six Sigma methodology and tested using techniques like tests of hypothesis. There is the integration architect, who can integrate any two different systems or technologies or create a road map for it. But there need to be people who understand everything the technology could offer, to tell and go across the big picture. It is like everyone grappling with the blind men and the elephant problem, where each blind person (a specialist in one skill) holding the elephant's tail (the part of the problem from their domain) assumes the tail is the whole elephant, while the one holding the ear says the ear is the elephant. A person who sees the whole picture, with hands-on experience in development, networking, storage, data warehousing, business intelligence, ERP, EAI and languages like Java, can say what the elephant really is (what the problem is), how to solve it, and where to fix what.

A person with a higher-level overview but no experience cannot make the judgement, as his hands are not dirty with the other skill sets, which are out of his range since he never worked on them. He has theoretical knowledge but has not got his hands dirty implementing the technology, and hence cannot contribute even in discussions of a cross-functional team. Usually enterprise architects are expected to work from the first phase of the project to the last, and to provide the interface between the different technology specializations for developers, and between the general functional requirements of users, the domain requirements of functional specialists, the implementation details and project management. What should we normally call this? We should call them Business Architect Managers, as this role cuts across all three areas: business analyst and technical architect (in some companies both roles are combined and called Business Architect), and here we add domain, user expectations and project management. So Business Architect Managers can work across these teams, funnel the requirements and also go deep into the domain. Such people will be in huge demand in future.

IAM is most important in cloud security

IAM is the most important thing in cloud security. Cloud computing has three paradigms: SaaS, PaaS and IaaS. But to give any user entry to the cloud, first authentication has to happen and then authorization.

Identity and access management (in short, IAM) tools give the cloud the ability to validate users. There are many vendors on IAM lists. Authentication stops non-repudiation.

The main task in security is to ensure confidentiality, integrity and availability. Authentication validates confidentiality, while integrity and confidentiality are preserved by authorization, because this is where an attacker may come in, whether into BI or any other application.

While IAM plays a very important role for SaaS and PaaS, in the same way IaaS takes its user-specific details from IAM. It plays a vital role in securing access to software as well as to the platform and infrastructure.
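The two ideas this page keeps returning to, "authentication first, then authorization" for cloud access, and the software OTP tokens and step-up authentication mentioned in the market overview, are easiest to see as one concrete flow. The following is an added example, not code from the original posts or from any vendor named on the page. The user store, roles, actions and secrets are constructed demo values; the one-time code is a time-based OTP computed per RFC 6238 (HMAC-SHA1 over the 30-second time counter), so the verifier can be checked against the RFC's published test vectors.

```python
"""Authenticate, then authorize, then step up with an OTP for sensitive actions (added example)."""
import hashlib
import hmac
import os
import struct
import time

SALT_BYTES = 16
PBKDF2_ROUNDS = 100_000
TOTP_STEP = 30       # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256 with a random salt; returns (salt, digest)."""
    salt = salt or os.urandom(SALT_BYTES)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store: hypothetical user, demo password and demo OTP seed (not real credentials).
_ALICE_SALT, _ALICE_HASH = hash_password("correct horse battery staple")
USERS = {
    "alice": {
        "salt": _ALICE_SALT,
        "pw_hash": _ALICE_HASH,
        "roles": {"analyst"},
        "totp_secret": b"constructed-demo-seed-for-alice",
    },
}

# Role-based permissions (hypothetical); STEP_UP_ACTIONS additionally demand a fresh OTP.
PERMISSIONS = {
    "view_report": {"analyst", "admin"},
    "export_report": {"analyst", "admin"},
    "delete_user": {"admin"},
}
STEP_UP_ACTIONS = {"export_report", "delete_user"}


def authenticate(username: str, password: str) -> bool:
    """Step 1: prove who the caller is. Constant-time compare; unknown users still pay the KDF cost."""
    user = USERS.get(username)
    if user is None:
        hash_password(password, b"\x00" * SALT_BYTES)   # equalize timing for unknown users
        return False
    _, candidate = hash_password(password, user["salt"])
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp(secret: bytes, at: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, dynamic truncation) over the time counter at // step."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift."""
    return any(
        hmac.compare_digest(totp(secret, at + drift * TOTP_STEP), code)
        for drift in range(-window, window + 1)
    )


def authorize(username: str, action: str, otp_code: str = None, at: int = None) -> tuple:
    """Step 2: decide what an already-authenticated user may do; step up for sensitive actions."""
    user = USERS[username]
    if not user["roles"] & PERMISSIONS.get(action, set()):
        return False, "denied: role lacks permission"
    if action in STEP_UP_ACTIONS:
        at = int(time.time()) if at is None else at
        if otp_code is None or not verify_totp(user["totp_secret"], otp_code, at):
            return False, "step-up required: valid OTP needed"
    return True, "allowed"


def access(username: str, password: str, action: str, otp_code: str = None, at: int = None) -> tuple:
    """Full flow in the order the page describes: authentication first, only then authorization."""
    if not authenticate(username, password):
        return False, "denied: authentication failed"
    return authorize(username, action, otp_code, at)


if __name__ == "__main__":
    now = int(time.time())
    print(access("alice", "correct horse battery staple", "view_report"))
    print(access("alice", "correct horse battery staple", "export_report", at=now))
    code = totp(USERS["alice"]["totp_secret"], now)   # what alice's software token would display
    print(access("alice", "correct horse battery staple", "export_report", otp_code=code, at=now))
```

The point of separating `authenticate` from `authorize` is that a failed authentication never reaches the permission table, and a valid login still does not grant a sensitive action until the second factor is presented. The `totp` function can be checked against the RFC 6238 test vectors (secret `12345678901234567890`, time 59 gives the code ending in 287082).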