IBM does Security rather well

IBM may be
big, and in some people’s eye beautiful, but what are they doing to prove that
their offerings are as safe and secure as any other vendor?

Running a
business the size and maturity of IBM is no simple task. The huge range of
products, technologies and standards embraced by the organisation can be
breathtaking, especially when you take into account that around 33,000 people
work in packaged software development alone.

One problem
that IBM, along with many other vendors with a large range of products, faces is
the constant battle to enforce standards, ranging from a common look and feel
through to the shared use of common components. Of course standards and guides
are propagated through the various development groups but policing the
adherence to these standards can be a nightmare. When one group’s innovation is
another group’s violation of some core component politics always comes into
play.

So how does
this impact IBM’s IT security strategy?

Product security
has rapidly become the one area in which development teams have quickly learnt
that politics should be put aside for the sake of building reliable and secure
products.

At least we
hope so anyway.

It’s clear
that over the past couple of years the tough men and women in IBM corporate
management have been knocking heads together to drive home the security message.
With a 40-odd year legacy and a large base of multi-decade employees, changing
attitudes has no doubt been tough, even when most get the importance of security
in the first place.

So it was off
to meet the brightest and best of IBM’s software development business headed up
by long term IBM’er Steve Mills, and see what they had been up to in reality.

Listening to
the top man speak you soon realise that, of course, IBM gets security and, of
course, it is important. We all know the statistics and the horror stories
emerging across the world as incompetent companies and organisations try and
out-trump each other with ever more catastrophic and embarrassing data loss
events. Of course few have managed to beat the British government and HMRC who
rang the bell at 25 million records but I am sure some are trying.

It must be
said that nothing in IBM’s security strategy is particularly innovative and exciting,
but I don’t mean that in a pejorative way. Instead, what we see being presented
is a reflection of a reality and a quiet determination that IBM will continue
to keep its act together and not allow its hard won reputation to become
tarnished due to sloppy and insecure products. In fact, for many banks and
institutions running z/OS mainframes and the like, excitement is something they definitely
don’t want.

What they do want
is good solid security from a conservative and trusted vendor.

IBM is
actively touting z/OS as the gold standard in operating system security with
facts and figures that would make some PC-based manufacturers and software
developers blush with embarrassment. With an R+D budget around $6bn, a large
proportion of which is IT security related, IBM are bound to be able to tighten
up loose ends and innovate around this tricky subject.

This all said
I wasn’t comfortable with everything Mills had to say.

Arguing that
Lotus Notes and Domino have a “stellar” reputation for security is probably
more to do with their lower market share hence attractiveness to malware
authors rather than innate security, certainly historically. Nevertheless IBM has
been successful in US government sales for Notes, possibly fuelled significantly
by this lack of hacker appeal. You only need look at how the browser Firefox
has increasingly become a target as its market share has increased for a
similar story.

Change is as change does. Security
just grins and bears it
Underpinning
a lot of IBM’s strategic view is data collected in their well respected Global
CEO Survey that runs across 40 countries and touches on 32 industry sectors. Of
those interviewed 19% have over 50,000 employees and 22% have less than 1,000
employees, so it’s not just the big boys being spoken to.

Apparently
80% of CEOs are seeing significant change affecting their business, of which 39%
feel unprepared to deal with such change. This does seem surprising as one of
the oft quoted business school mantras has always been “The only constant in
life is change.”

Of course
those that do embrace change can make significant market gains.

Look at the
shenanigans going on in the banking sector at the moment. The more conservative
banks have been able to take over their wilder competitors for much less outlay
than they could ever have dreamed of. Crikey, even that bulwark of free market capitalism,
the competition laws, have been put on hold to enable these mergers to take
place.

According to
this CEO survey we are now talking about creating an army of “prosumers”,
groups of consumers so hopelessly hooked on your product (of whatever
description) that their advocacy can drive more sales than any advertising
campaign. Couple this with the delightful world of the blogsphere and you can
start to build some interesting networks. The report also highlighted the
significant move towards corporate social responsibility (CSR) programs. More
than a greenwash, these CSR programs are now actively hunted out by the
brightest and the best on the graduate fair programs as the new generation of
workers want to be associated with corporate social responsibility. This new
group of users, dubbed by many as the Web 2.0 generation, expect their file
sharing and social networking to happen at work as much as it does at home.

In fact I
would wager that most in this generation do more Web 2.0 ‘stuff’ at work than
at home as quite simply they have access to huge bandwidths and storage
capacities thanks to their corporate IT.

Now IT
security must keep up with this change in the market place and be seen as an
enabler, rather than as a barrier.

We IT
security people are the poor suckers that are expected to facilitate access to
the latest Web 2.0 fad whilst making sure corporate smarts don’t go flouncing
out of the door along with the latest downloadable music files.

To address
this issue CSOs and CISOS must be able to sit comfortably at the top corporate
table and make an impact on the organisation. For this to happen the IT security
community needs to step up to the mark and be able to operate at a business
level instead of confounding fellow executives with techy mumbo jumbo. Good IT
security people need to be treasured and developed to fulfil this hugely
complex role.

The biggest
challenge of the Web 2.0 generation will always be the inside threat (you know—my competent/malicious vs. incompetent and non-malicious duo). As one of the
IBMers pointed out we can’t get people to stop smoking and this saves lives so
what hope to convince people to look after IT security?

Apparently
IBM X-Force (a kind of skunk works R+D function in pressed white shirts and
blue suits) wanted to test how dumb some users really are. They sent out an
email that when clicked brought up a pop up that said “Do you want your PC
infected?”

Thousands of
users said yes so their PCs were “infected”, no doubt in a polite and easily
remedied IBM fashion, but it sure does prove the point.

Clearly IT
security needs to up its game. But what other security areas are seen by IBM as
a challenge?

Securing the virtual environment
The trend to
virtualisation seems to be growing each day.

More and more
organisations see the benefits of consolidating their servers, many of which
run at about 5% capacity. Making better use of a lower number of boxes hits the
all important hot button of saving money as well as being environmentally
friendly. What a perfect solution say many.

From an IT
security viewpoint virtualisation can be a real headache. Of course
virtualisation is nothing new and IBM mastered decent virtualisation before the
PC was even thought of. The downside is the placing of multiple instances on
one piece of hardware and the instant security problem that gives us. Denial of
service attack? Simple, take out the server power supply and you have knocked
out the instances in one go.

That said, virtualisation,
done properly, is a sensible option for many. According to IBM the US military in Afghanistan
much prefer the virtualisation approach as it cuts down on the number of
physical servers they need to shift about in pretty horrible conditions.

Safer retail stores with IBM
IBM have
identified that the retail sector is one of the most vulnerable to security
problems. Of course there have been many stories of lost data from stores and
retail head offices, probably due to various disclosure laws forcing retailers
to ‘fess up when data goes missing. With regulations such as PCI DSS now
gaining traction there seems to be a great opportunity for a vendor such as IBM
to step into the breach and offer a secure retail solution.

IBM
SecureStore is designed to offer retailers an integrated protection platform
and help address the cost of compliance. According to IBM it helps with
securing everything from assets through to networks, transactions and of course
raw data. Believe me this is an issue—Wal-Mart alone believe they have something
around 50,000 network devices based on the last time someone looked. The
trouble is such audits can be fraught with errors and undiscovered endpoints.

All in all it
will be interesting to see the uptake amongst the retail community of IBM
SecureStore.

IBM – in summary
Of course IBM
gets IT security. It is clear to me that IBM has managed to reinvent itself
over the past few years into a good, solid and reliable vendor capable of
delivering systems and innovations in a quiet, methodical way with little
fanfare or razzmatazz. This contrasts hugely with many ‘style over substance’
vendors that occupy many of the same markets as IBM.

I for one
will always opt for solid and safe, even if it may be boring, and I’ll continue to follow IBM IT security with
interest.

IBMSecuritySummit08