Mark Diodati

A member of the Gartner Blog Network

Entries Categorized as 'Uncategorized'


RSA SecurID, Crypto, and Satan’s Computer

by Mark Diodati  |  June 27, 2012  |  Comments Off

You may have read about two recent vulnerabilities associated with RSA authentication products. Last month, a researcher specified how to copy a SecurID software token from one computer to another, which can enable an impersonation attack (Ars Technica). This week, researchers described a way to decrypt data encrypted with a SecurID smart card (again, Ars [...]

Category: Authentication IAM Mobility Uncategorized

Dialoguing about SCIM

by Mark Diodati  |  February 23, 2012  |  1 Comment

Gartner’s Identity and Privacy Service (IdPS) has closely tracked provisioning standards since 2003. I published our first research document on Service Provisioning Markup Language (SPML v2) in early 2006. Additionally, I published a realistic assessment of developing an SPML service in early 2010. A few months later, I worked with industry leaders to publish a [...]

Category: Uncategorized

Déjà Vu – The Sykipot Attack on Smart Cards

by Mark Diodati  |  January 15, 2012  |  2 Comments

Kelly Jackson Higgins at Dark Reading provides an excellent summary of the Sykipot malware variant attack on smart cards. The malware opens the smart card and uses it for private key signing functions. Signing functions are the backbone of public key technology—they enable users to authenticate to mutually authenticated SSL and Microsoft Windows sessions, for example. [...]

Category: Uncategorized

How Soon is Now: NFC Smartphones and Physical Access Control Systems

by Mark Diodati  |  October 31, 2011  |  1 Comment

You may have read about a recent pilot at Arizona State University, where 30+ students used their smartphones augmented with NFC (near field communication) to access facilities at the college. Instead of building access cards, the students used their smartphones. The pilot has fueled an already intense industry interest regarding the use of NFC and [...]

Category: Uncategorized

Of Identities, Clouds, and Bridges

by Mark Diodati  |  October 20, 2011  |  Comments Off

In response to the large number of client inquiries about identity management and the cloud, Gartner has recently published a research document that discusses identity management as a service (IDaaS)—turnkey identity management services that exist in the cloud. In the document (Market Profile: Identity Management as a Service (IDaaS) [subscription required]), I discuss over 20 vendors [...]

Category: Uncategorized

Quest Acquires Symlabs

by Mark Diodati  |  June 6, 2011  |  Comments Off

Quest is actively building out its identity management product portfolio. Some notable acquisitions: Vintela (Active Directory Bridge – 2005); Völcker Informatik AG (provisioning/access governance – late 2010); e-DMZ Security (privileged account management – early 2011). Today, Quest announced the acquisition of Symlabs, a vendor with virtual directory and federation products. In its early days, virtual directories [...]

Category: Cloud IAM Uncategorized

The Seed and The Damage Done: RSA SecurID

by Mark Diodati  |  June 2, 2011  |  Comments Off

The fallout from the March attack on RSA has arrived. Per the news agencies—and the excellent blog post by Bob Cringely—several large defense contractors (Lockheed Martin, L-3, and potentially Northrop Grumman) were attacked using the information stolen in the March attack. The tokens associated with the stolen information should now be considered compromised. Recent events [...]

Category: Uncategorized

SCIM and the Future of Standards-Based Provisioning

by Mark Diodati  |  May 6, 2011  |  1 Comment

Here at Gartner/Burton Group, we have been closely tracking identity standards—including Service Provisioning Markup Language (SPML)—since 2003. The standard has some serious flaws, which we have articulated in our research documents and blog posts. In the summer of 2010, the participants at the Gartner Catalyst Conference Standards-Based Provisioning Special Interest Group issued a consensus statement [...]

Category: Uncategorized

Perspectives on OTP Authentication and Migration

by Mark Diodati  |  April 1, 2011  |  Comments Off

At last measurement, authentication dialogues were 25% of the total number of dialogues in our Identity and Privacy Strategies service. A common dialogue request goes something like this: “We have a one-time password (OTP) authentication solution. We want to evaluate another vendor’s lower cost OTP solution, or a smart card solution for physical and logical [...]

Category: Uncategorized

RSA SecurID: What If?

by Mark Diodati  |  March 22, 2011  |  2 Comments

While we wait for more information from RSA about the recent attack on its SecurID tokens, I’d like to revisit a potential attack vector that I discussed in my first blog entry on the topic (March 18). The OTP device’s seed and the serial number are present during the manufacturing process. What if the OTP [...]

Category: Uncategorized