IBM may be big, and in some people's eyes beautiful, but what are they doing to prove that their offerings are as safe and secure as any other vendor's?
Running a business the size and maturity of IBM is no simple task. The huge range of products, technologies and standards embraced by the organisation can be breathtaking, especially when you take into account that around 33,000 people work in packaged software development alone.
One problem that IBM, along with many other vendors with a large range of products, faces is the constant battle to enforce standards, ranging from a common look and feel through to the shared use of common components. Of course standards and guides are propagated through the various development groups, but policing adherence to those standards can be a nightmare. When one group's innovation is another group's violation of some core component, politics always comes into play.
So how does this impact IBM's IT security strategy?
Product security has rapidly become the one area in which development teams have learnt that politics should be put aside for the sake of building reliable and secure products.
At least we hope so anyway.
It's clear that over the past couple of years the tough men and women in IBM corporate management have been knocking heads together to drive home the security message. With a 40-odd-year legacy and a large base of multi-decade employees, changing attitudes has no doubt been tough, even when most get the importance of security in the first place.
So it was off to meet the brightest and best of IBM's software development business, headed up by long-term IBMer Steve Mills, and see what they had been up to in reality.
Listening to the top man speak you soon realise that, of course, IBM gets security and, of course, it is important. We all know the statistics and the horror stories emerging across the world as incompetent companies and organisations try to out-trump each other with ever more catastrophic and embarrassing data loss events. Of course few have managed to beat the British government and HMRC, who rang the bell at 25 million records, but I am sure some are trying.
It must be said that nothing in IBM's security strategy is particularly innovative and exciting, but I don't mean that in a pejorative way. Instead, what we see being presented is a reflection of a reality and a quiet determination that IBM will continue to keep its act together and not allow its hard won reputation to become tarnished due to sloppy and insecure products. In fact, for many banks and institutions running z/OS mainframes and the like, excitement is something they definitely don't want.
What they do want is good solid security from a conservative and trusted vendor.
IBM is actively touting z/OS as the gold standard in operating system security, with facts and figures that would make some PC-based manufacturers and software developers blush with embarrassment. With an R+D budget of around $6bn, a large proportion of which is IT-security related, IBM are bound to be able to tighten up loose ends and innovate around this tricky subject.
This all said I wasn't comfortable with everything Mills had to say.
Arguing that Lotus Notes and Domino have a "stellar" reputation for security probably has more to do with their lower market share, and hence lower attractiveness to malware authors, than with innate security, certainly historically. Nevertheless IBM has been successful in US government sales for Notes, possibly fuelled significantly by this lack of hacker appeal. You need only look at how the browser Firefox has increasingly become a target as its market share has grown for a similar story.
Change is as change does. Security just grins and bears it
Underpinning a lot of IBM's strategic view is data collected in their well-respected Global CEO Survey, which runs across 40 countries and touches on 32 industry sectors. Of those interviewed, 19% have over 50,000 employees and 22% have fewer than 1,000 employees, so it's not just the big boys being spoken to.
Apparently 80% of CEOs are seeing significant change affecting their business, and 39% of those feel unprepared to deal with such change. This does seem surprising, as one of the oft-quoted business school mantras has always been "The only constant in life is change."
Of course those that do embrace change can make significant market gains.
Look at the shenanigans going on in the banking sector at the moment. The more conservative banks have been able to take over their wilder competitors for much less outlay than they could ever have dreamed of. Crikey, even that bulwark of free market capitalism, the competition laws, have been put on hold to enable these mergers to take place.
According to this CEO survey we are now talking about creating an army of "prosumers", groups of consumers so hopelessly hooked on your product (of whatever description) that their advocacy can drive more sales than any advertising campaign. Couple this with the delightful world of the blogosphere and you can start to build some interesting networks. The report also highlighted the significant move towards corporate social responsibility (CSR) programs. More than a greenwash, these CSR programs are now actively hunted out by the brightest and the best at graduate fairs, as the new generation of workers want to be associated with corporate social responsibility. This new group of users, dubbed by many the Web 2.0 generation, expect their file sharing and social networking to happen at work as much as it does at home.
In fact I would wager that most in this generation do more Web 2.0 'stuff' at work than at home, as quite simply they have access to huge bandwidth and storage capacity thanks to their corporate IT.
IT security must now keep up with this change in the marketplace and be seen as an enabler rather than as a barrier.
We IT security people are the poor suckers expected to facilitate access to the latest Web 2.0 fad whilst making sure the corporate crown jewels don't go flouncing out of the door along with the latest downloadable music files.
To address this issue CSOs and CISOs must be able to sit comfortably at the top corporate table and make an impact on the organisation. For this to happen the IT security community needs to step up to the mark and operate at a business level instead of confounding fellow executives with techy mumbo jumbo. Good IT security people need to be treasured and developed to fulfil this hugely complex role.
The biggest challenge of the Web 2.0 generation will always be the insider threat (you know—my competent-and-malicious vs. incompetent-and-non-malicious duo). As one of the IBMers pointed out, we can't get people to stop smoking even though that saves lives, so what hope is there of convincing people to look after IT security?
Apparently IBM X-Force (a kind of skunk works R+D function in pressed white shirts and blue suits) wanted to test how careless some users really are. They sent out an email with a link that, when clicked, brought up a pop-up asking "Do you want your PC infected?"
Thousands of users said yes, so their PCs were "infected", no doubt in a polite and easily remedied IBM fashion, but it sure does prove the point: a user who will click through a prompt that plainly announces the consequence will click through anything.
Clearly IT security needs to up its game. But what other security areas are seen by IBM as a challenge?
Securing the virtual environment
The trend to virtualisation seems to be growing each day.
More and more organisations see the benefits of consolidating their servers, many of which run at about 5% capacity. Making better use of a smaller number of boxes hits the all-important hot button of saving money, as well as being environmentally friendly. What a perfect solution, say many.
From an IT security viewpoint virtualisation can be a real headache. Of course virtualisation is nothing new, and IBM mastered decent virtualisation before the PC was even thought of. The downside is that placing multiple instances on one piece of hardware puts them all in a single failure domain, and that is an instant security problem. Denial of service attack? Simple: take out the server's power supply and you have knocked out every instance in one go.
That said, virtualisation, done properly, is a sensible option for many. According to IBM, the US military in Afghanistan much prefers the virtualisation approach, as it cuts down on the number of physical servers they need to shift about in pretty horrible conditions.
Safer retail stores with IBM
IBM have identified the retail sector as one of the most vulnerable to security problems. Of course there have been many stories of lost data from stores and retail head offices, probably because various disclosure laws now force retailers to 'fess up when data goes missing. With regulations such as PCI DSS gaining traction there seems to be a great opportunity for a vendor such as IBM to step into the breach and offer a secure retail solution.
IBM SecureStore is designed to offer retailers an integrated protection platform and help address the cost of compliance. According to IBM it helps with securing everything from assets through to networks, transactions and, of course, raw data. Believe me, this is an issue: Wal-Mart alone believe they have something around 50,000 network devices, based on the last time someone looked. The trouble is that such audits can be fraught with errors and undiscovered endpoints, and you cannot protect a device you don't know you have.
All in all it will be interesting to see the uptake amongst the retail community of IBM SecureStore.
IBM - in summary
Of course IBM gets IT security. It is clear to me that IBM has managed to reinvent itself over the past few years into a good, solid and reliable vendor capable of delivering systems and innovations in a quiet, methodical way with little fanfare or razzmatazz. This contrasts hugely with the many 'style over substance' vendors that occupy the same markets as IBM.
I for one will always opt for solid and safe, even if it may be boring, and I'll continue to follow IBM IT security with interest.