Gartner Blog Network

Mark Diodati
Research VP
6 years at Gartner
21 years IT industry

Mark Diodati is a Research Vice President with Gartner's IT Professionals research and advisory service. His focus topics include mobility, authentication, cloud idenitity, federation, directory services, provisioning, identity services, Active Directory interoperability, Web access management…Read Full Bio

Déjà Vu – The Sykipot Attack on Smart Cards

by Mark Diodati  |  January 15, 2012

Kelly Jackson Higgins at Dark Reading provides an excellent summary of the Sykipot malware variant attack on smart cards. The malware opens the smart card and uses it for private key signing functions. Signing functions are the backbone of public key technology—they enable users to authenticate to mutually authenticated SSL and Microsoft Windows sessions, for example. […]

Read more »

How Soon is Now: NFC Smartphones and Physical Access Control Systems

by Mark Diodati  |  October 31, 2011

You may have read about a recent pilot at Arizona State University, where 30+ students used their smartphones augmented with NFC (near field communication) to access facilities at the college. Instead of building access cards, the students used their smartphones. The pilot has fueled an already intense industry interest regarding the use of NFC and […]

Read more »

Of Identities, Clouds, and Bridges

by Mark Diodati  |  October 20, 2011

In response to the large number of client inquiries about identity management and the cloud, Gartner has recently published a research document that discusses identity management as a service (IDaaS)—turnkey identity management services that exist in the cloud. In the document (Market Profile: Identity Management as a Service (IDaaS) [subscription required]), I discuss over 20 vendors […]

Read more »

Quest Acquires Symlabs

by Mark Diodati  |  June 6, 2011

Quest is actively building out its identity management product portfolio.  Some notable acquisitions: Vintela (Active Directory Bridge – 2005) Völcker Informatik AG (provisioning/access governance – late 2010) e-DMZ Security—privileged account management – early 2011) Today, Quest announced the acquisition of Symlabs, a vendor with virtual directory and federation products. In its early days, virtual directories […]

Read more »

The Seed and The Damage Done: RSA SecurID

by Mark Diodati  |  June 2, 2011

The fallout from the March attack on RSA has arrived. Per the news agencies—and the excellent blog post by Bob Cringely—several large defense contractors (Lockheed Martin, L-3, and potentially Northrop Grumman) were attacked using the information stolen in the March attack. The tokens associated with the stolen information should now be considered compromised. Recent events […]

Read more »

SCIM and the Future of Standards-Based Provisioning

by Mark Diodati  |  May 6, 2011

Here at Gartner/Burton Group, we have been closely tracking identity standards—including Service Provisioning Markup Language (SPML)—since 2003. The standard has some serious flaws, which we have articulated in our research documents and blog posts. In the summer of 2010, the participants at the Gartner Catalyst Conference Standards-Based Provisioning Special Interest Group issued a consensus statement […]

Read more »

Perspectives on OTP Authentication and Migration

by Mark Diodati  |  April 1, 2011

At last measurement, authentication dialogues were 25% of the total number of dialogues in our Identity and Privacy Strategies service. A common dialogue request goes something like this: “We have a one-time password (OTP) authentication solution. We want to evaluate another vendor’s lower cost OTP solution, or a smart card solution for physical and logical […]

Read more »

RSA SecurID: What If?

by Mark Diodati  |  March 22, 2011

While we wait for more information from RSA about the recent attack on its SecurID tokens, I’d like to revisit a potential attack vector that I discussed in my first blog entry on the topic (March 18). The OTP device’s seed and the serial number are present during the manufacturing process. What if the OTP […]

Read more »

SecurID Redux

by Mark Diodati  |  March 21, 2011

After writing about the recent SecurID attack on Friday, I began thinking about the utility of the SecurID symmetric keys (AKA “seeds”) in the hands of the attacker. Specifically, what would the attacker need in order to leverage these seeds to access protected resources? I must emphasize that RSA has (at this point) not stated […]

Read more »

Just What Happened to SecurID?

by Mark Diodati  |  March 18, 2011

As I write this, RSA has announced it experienced an attack on its RSA SecurID one-time password (OTP) products. You can see Art Coviello’s letter to RSA’s customers here. The letter is very light on the nature of the attacks and what was stolen. In the interest of full disclosure, I worked at RSA for […]

Read more »