In April, IBM used two events to roll out important software elements of its Dynamic Infrastructure strategy. On the 20th, IBM chose the RSA Conference in San Francisco, the world’s largest security event, to highlight its progress with integrating products from existing brand families like Tivoli and Rational – with special focus on the Internet Security Systems (ISS) line and its X-Force R&D team, a preemptively focused organization whose work underpins much of the security innovation taking place.
A week later, IBM hosted a summit for hundreds of executives and a few industry analysts to roll out a series of products and initiatives, principally from the hardware side of the firm, but again featuring software from several company brands and IBM Research efforts. Common to both events was the increasing focus on end-to-end, suite-based deliverables with substantial services offerings from IBM’s own Global Business Services team as well as training, certification and support efforts for partners. IBM’s aggressive acquisition strategy was also much in evidence, as the integration, extension and rebranding of acquired products from 2007 and 2008 was showcased frequently.
Security Takes Center Stage in San Francisco
IBM made a very large set of announcements at the RSA Conference, and it was no surprise that change – accelerating and unpredictable – was a key focus. With billions of mobile devices, exploding social networks, the need for global market connections and enormous streams of real-time data, IBM’s customers require both a dynamic infrastructure and the ability to “bake security into” their applications from design to deployment and beyond. “We have to treat it not as a cost but as a competitiveness-enhancing investment,” said Kristin Lovejoy, Director of Corporate Security Strategy, who joined IBM when Consul, where she was CTO, was acquired in 2007.
IBM’s customers want to stay ahead of the game with emerging technologies, especially network-based ones, but these new opportunities also contain huge challenges. Even typical numbers of defects in new software become much more of a threat when they represent potential security vulnerabilities. Mobile devices drive more participation – and increased value-bearing transactional and supply chain traffic – that needs securing and authentication. Finally, emerging industry standards in these value chains are a challenge to keep up with; CFOs, who typically have compliance responsibility, cannot keep up with all the required changes, and thus IBM is being asked to deliver expertise as well as technology. IBM used last year’s RSA event to introduce the security framework it is building upon and this year the company built on the model with a series of new announcements.
The framework represents IBM’s vision of an interconnected approach to tying together people, policies and technology investments into a coherent, structured approach – it guides a go-to-market definition for IBM services, a model and roadmap for its engineers to develop and integrate within, and a framework for customers to define and measure their execution against. Common policy, event handling and reporting processes are the most visible manifestations of delivery within this vision, and also represent IBM’s most significant internal challenge as it acquires technologies and binds them into this framework. Here as elsewhere, the company continues to battle to keep up with its own ambition, and simultaneously explicate a simple, clear message that illuminates its offerings in sufficient detail to be credible. Brands and sub-brands vie for attention, and IBM has much still to do if it hopes to clearly and successfully articulate the integrated power of its many brands.
Tivoli, Rational, ISS, Proventia, Optim – Sure, We’ve Got Brands
Tivoli was the point of the spear at this year’s RSA event, leading with identity-focused offerings that are increasingly and directly tied to its compliance portfolio. Bringing together policy and identification technologies with activity monitoring provides a more holistic management capability, which has been lacking because of the fragmentation in prior, overly complex sets of nonintegrated offerings. In addition, IBM’s legacy System z mainframe systems like RACF are now more integrated into the Tivoli offerings as well.
Bringing security information into the development environment is also a focus, as Tivoli Directory Integrator provides access for Eclipse development tools to identity information in database, middleware and web services components. For the many clients who prefer specific strong third-party authentication solutions, IBM is making it easier for those firms to work with last year’s acquisition, Encentuate, now rebadged as Tivoli Access Manager for Enterprise Single Sign-On (ESSO). At the conference, IBM announced out-of-the-box support for such players as Upek, Charismathics, Digital Persona and RFIDeas, with more to come.
Turning to the data layer, Tivoli’s ability to tie back to identity and access management was a theme of IBM’s messaging. Data is commonly exposed in many places within enterprises: in database and file system stores on disk (and tape); in application “containers” associated with new application architectures; and in various stages of export to web sites, social media channels and other SOA-driven methods. The Optim brand was much in evidence here as well; its focus on the non-production environment, often a weak point in information architectures, got attention via coverage of privacy and de-identification techniques that aid compliance. Effective testing requires real data, and research has shown that many companies lack strong policies and tools for effective test data set management. More needs to be done here to tie these tools back to the central repositories of policy and access management.
IBM has also championed the management of encryption keys, which are spread across organizations in multiple places, often without unified, coordinated policies. The company announced here that its Tivoli Key Lifecycle Manager now has a z/OS version to complement the distributed platforms product announced last year. This is an increasingly important issue, and IBM’s advocacy is another sign of its thought leadership in its client base and the community at large.
On the application and process front, security from the developer’s perspective is growing as a key focus of IBM’s Rational brand, particularly as it leverages the July 2007 acquisition of Watchfire. With over half of the reported vulnerabilities in 2008 being associated with web-based applications, IBM’s focus and willingness to integrate these products into its software development portfolio should be welcomed by customers looking to reduce their number of trusted technology partners. Binding in ISS web protection capabilities and the Optim information products gives IBM a strong and compelling end-to-end story.
Increasing cross-unit partnerships also pervade and enhance other IBM security solutions, driving the addition of proactive malware scanning in Rational AppScan with the ISS X-Force team, and integration with the ISS Site Protector platform for automated reporting and monitoring. In addition, the company’s Proventia line now supports compliance with the PCI DSS 6.6 standard for protecting web-based applications in real time.
At systems endpoints, management integration, high-speed network support and security for virtualized environments were at the top of the page. Proventia linkage into Tivoli Security Information and Event Management Reporting was announced, and linkage into ESSO is planned for the future as well. Preserving existing investments while increasingly deploying high-speed networks is a big requirement for enterprise customers, and IBM delivered by providing add-on 10G connectivity that won’t require removing existing devices, while also providing content analysis options. Virtualized environments get their own version of the Proventia Network Security Platform as well.
Bottom Line: Strong Progress, Confusing Brands
IBM’s progress in security is clear. As it has done in other software domains, the company is flexing its strong integration culture as it merges acquired products into its fabric, extends them to new platforms and establishes synergies that improve customer value. Continuing development of the vision present in the IBM Security Framework can only improve the picture, and the company’s focus on identifying and meeting threats before they emerge will likely sustain or enlarge its reputation as a trusted partner. Still, much needs to be done to clean up the branding and make the synergies more visible by packaging connected products into easily understood and consumed suites. There is no doubt IBM needs to make some tough choices and decisions, but clarity is important – both to customers and to the IBM sales teams who help clients choose the best solutions for their problems.