IBM gets serious about risk

IBM has introduced new security services, products and research breakthroughs designed to help businesses more effectively manage operational and IT risk. 

IBM sees IT security changing as more collaborative business models, sophisticated attackers, and complex infrastructures emerge. As a result, today’s wide array of security technologies, implemented tactically in silos, is not sufficient to deal with the new reality of risk. IBM’s approach is to strategically manage risk end-to-end across all five domains of information technology security: information security; threat and vulnerability; application security; identity and access management; and physical security.
“Security is broken. The nature of evolving threats is such that installing point solutions to ‘keep the bad guys out’ is no longer a viable way to secure a business,” says Johannes Rheeder, IBM Global Technology Services’ Security Lead. “We need new approaches to reduce complexities, adapt to new business imperatives and enable business value versus just threat protection. The path to a more secure world begins with a risk management strategy that limits the impact of threats, improves business resilience and creates an enterprise free of fear.”
Fueled by recent security business acquisitions, the companywide initiative by IBM arrives as companies around the globe face increased regulatory and private scrutiny. The daily risk of security exposure and the cost to combat it are growing.
The first wave of IBM security services and products tackles information security concerns from the enterprise to the edge. IBM’s Internet Security Systems (ISS) unit, acquired just over a year ago, is helping lead the way, teaming with IBM research and integrating with IBM’s software and systems businesses to deliver the world’s most advanced risk management capabilities.
IBM ISS announced new technology designed to address the growing challenges of managing confidential information. This includes IBM Proventia content analyser technology; IBM data security services for activity compliance monitoring and reporting; IBM data security services for endpoint data protection; IBM data security services for enterprise content protection; IBM user compliance management software; IBM QuickStart services for Tivoli compliance insight manager; and IBM online application security and compliance management.
The IBM system z mainframe helps protect data by including security mechanisms, such as secure access controls and strong audit capability, encryption solutions using a highly available key-store and tamper-resistant key processing, and network security features like built-in intrusion detection services and a network security policy agent. Together, these elements can inhibit identity theft. It includes updates to IBM mainframe z/OS and IBM Tivoli zSecure.
IBM’s risk management approach differs from that of vendors who sell piece parts rather than full solutions. IBM arms clients with the complete spectrum of products and services that address security compliance requirements. To that end, IBM ISS announced the industry’s first end-to-end solution to help address PCI compliance.
The new programme from IBM provides clients with the products and services required to achieve compliance with all 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unlike competitive offerings, the comprehensive programme is designed to take companies through the entire PCI compliance process, from assessment to compliance to certification.
Leveraging IBM services and technology provided primarily by IBM ISS, Tivoli, Watchfire and IBM systems, IBM can help clients meet PCI requirements for safeguarding customer payment card data.
Increasingly, chief information officers (CIOs) and chief information security officers (CISOs) are focusing on securing critical business processes, not just the underlying IT assets, and translating operational metrics into business measurements. CIOs and CISOs are now using this new capability to manage IT security as an operational risk.
A key component in IBM’s strategy to arm CIOs and CISOs with risk management tools is a collaborative initiative among IBM research, IBM software group, and academia called Security Risk Management (SRM).
SRM aligns security controls with critical business processes and their risk management objectives. IT executives can manage and allocate risk across all security domains to optimise business results. SRM performs critical assessments, compares business-level risks across the enterprise, quantifies the risk managed and the cost of each IT control, and automates control testing, allowing firms to make significant cost savings.
Specific capabilities include: dynamic risk quantification; peer group risk comparison; business control optimisation; security portfolio optimisation; and event risk calculation.
With risk management becoming an important measure for audits and appraisals, security risk management provides strong evidence of effective IT security operational risk management. The closed-loop process improvement model, from business alignment and risk quantification, helps the firm optimise business results over time.
As a major contributor to collaborative, industry open standards, IBM took a leadership role in driving the recent acceptance of Web Services Policy 1.5 as a recommendation by W3C, the international consortium for Web standards. The Web Services Policy Framework provides a significant open standard for organisations to manage the policies for computer systems and users in a Web services-based system.
Implementations of the WS-Policy framework include different policy domains. WS-SecurityPolicy defines security policies that fit into this framework. Policy implementations that support these standards help automate the management of secure user provisioning and access to systems, speeding the process and helping to reduce the risk of errors that arises when it is handled manually and without a defined policy.
“Customers deploying Web services-based solutions with advanced quality of service characteristics, such as security, want to avoid the need for manual exchange of configuration information,” says Anthony Nadalin, chief security architect at IBM Tivoli. “The WS-Policy specifications facilitate interaction between producers and consumers of Web services within context of a ‘Quality-of-Service’ policy. IBM offers support for these important standards in IBM WebSphere and Tivoli products, and helps our customers manage business policy to improve the overall capabilities of risk management.”
In the small and medium-sized business (SMB) marketplace, IBM is collaborating with business partners around the globe to deliver advanced security solutions.