
IBM Acts to Transform Risk Management for Businesses


New Services, Products and Research Aim to Manage Risk From the “Enterprise to the Edge”

ARMONK, NY - IBM (NYSE: IBM) today introduced new security services, products and research breakthroughs designed to help businesses more effectively manage operational and information technology risk.

IBM sees information technology security changing as more collaborative business models, sophisticated criminal attacks, and increasingly complex infrastructures emerge. As a result, today’s wide array of security technologies, implemented tactically in silos, is not sufficient to deal with the new reality of risk. IBM’s approach is to strategically manage risk end-to-end across all five domains of information technology security -- Information Security; Threat and Vulnerability; Application Security; Identity and Access Management; and Physical Security.

“For many enterprises, security is broken,” said Tom Noonan, general manager IBM Internet Security Systems. “The nature of evolving threats is such that installing point solutions to ’keep the bad guys out’ is no longer a viable way to secure a business. We advocate new approaches to reduce complexities, adapt to new business imperatives and enable business value versus just threat protection. The path to a more secure world begins with a risk management strategy that limits the impact of threats, improves business resilience and creates an enterprise free of fear.”

Fueled by recent security business acquisitions, the company-wide initiative by IBM arrives as companies around the globe face increased regulatory and private scrutiny. The daily risk of security exposure and the cost to combat it are growing. In North America alone, companies are expected to spend almost $30 billion on governance, risk and compliance this year, estimates AMR Research, Inc.(1)

The first wave of IBM security services and products tackles information security concerns from the enterprise to the edge of companies’ networks. IBM’s Internet Security Systems (ISS) unit, acquired just over a year ago, is helping lead the way, teaming with IBM Research and integrating with IBM’s Software and Systems businesses to deliver the world’s most advanced risk management capabilities.

New Technology, Services and Software for Information Security

IBM ISS today announced new technology for information security designed to address the growing challenges of managing confidential information.

* IBM Proventia Content Analyzer Technology - new data inspection capabilities built into the market-leading Proventia Network Intrusion Prevention System line of products. The technology analyzes data packets as they move across the network, detecting the transmission of many types of confidential information, thereby increasing broad visibility of potential data loss. This embedded functionality utilizes existing IPS infrastructure to provide insight into information flow, enabling an organization to better define, manage, and optimize its data protection solution. The IPS-based content analyzer expands IBM’s coverage across the information lifecycle and provides network traffic analysis that can be leveraged to provide increased visibility into data loss issues. To expand on this capability, IBM will be offering more comprehensive data loss prevention (DLP) services with technology partners, including Fidelis Security Systems and Verdasys, Inc.

To deliver a total data protection solution throughout the information lifecycle, IBM ISS is partnering with leading data security vendors, including Application Security, Inc., Fidelis Security Systems, PGP Corporation, and Verdasys, Inc. By leveraging key technologies from these partners and IBM Tivoli, IBM ISS will offer a comprehensive set of asset-based data security services:

* IBM Data Security Services for Activity Compliance Monitoring and Reporting - new services that help protect companies from insider abuse and enhance audit preparedness by assessing, monitoring, and alerting on malicious and non-compliant database activity and vulnerabilities.
* IBM Data Security Services for Endpoint Data Protection - new services that help clients encrypt and manage data on endpoint devices, such as laptops and PCs.
* IBM Data Security Services for Enterprise Content Protection - new Data Loss Prevention services that monitor and help protect against intentional and inadvertent leakage of critical data.

IBM also today introduced new data security and compliance management solutions to help businesses track, report and investigate non-compliant behavior across the data infrastructure. They include:

* IBM User Compliance Management Software - performs ongoing audits via established work policies and alerts when violations are detected that may affect the availability of revenue-generating applications. This combined IBM Tivoli and Services solution comprehensively covers user provisioning, access control, federation, user activity monitoring and compliance reporting for heterogeneous environments.
* IBM QuickStart Services for Tivoli Compliance Insight Manager - facilitates implementation of IBM’s automated security information and event management software, helping clients better manage compliance and realize rapid time to value. IBM Tivoli provides information on common practices, installation and customized software configuration services, and audit-setting recommendations based on selected reports for each event source type.
* IBM Web Application Security and Compliance Management - web application security and online compliance management software from recently acquired Watchfire. IBM Rational AppScan and IBM Rational Policy Tester identify vulnerabilities to mitigate risks associated with data breaches, helping customers guard against online breaches of security, privacy and compliance, enabling them to reduce costs by automating manual processes.

New Mainframe-Strength Information Security from IBM

The IBM System z mainframe helps protect data by including security mechanisms, such as secure access controls and strong audit capability, encryption solutions using highly available key-store and tamper-resistant key processing, and network security features like built-in intrusion detection services and a network security policy agent. Together, these elements can inhibit identity theft. Updates include:

* IBM Mainframe z/OS - recent operating system updates include features that increase the software’s already substantial security for online commerce as well as the next generation of highly secure business transactions. For example, the z/OS, in conjunction with the Cryptographic Coprocessor hardware device, helps to restrict access to sensitive information -- such as customers’ credit card information, addresses and social security numbers -- by unauthorized users.
* IBM Tivoli zSecure - The IBM Tivoli zSecure suite, leveraging technology from the January 2007 acquisition of Consul, is security administration, compliance and audit software developed specifically for the mainframe computing environment. The software automates security administration and audit processes.

“Whether your security initiative is part of compliance adherence or business continuity, one important step is to ensure that data integrity mechanisms are in place,” said Debbie Wheeler, Chief Information Security Officer at Fifth Third Bank. “We’re proud to leverage IBM’s 40 years of mainframe encryption technology to drive stronger customer confidence. Fifth Third Bank has formed an internal team focused on proper and effective use of cryptographic controls. That team is working closely with IBM to ensure that our emerging needs are understood, as well as developing strategic partnerships between IBM and other vendors to maximize the value of our existing and future investments.”

IBM’s risk management approach differs from that of vendors who sell piece parts rather than full solutions. IBM arms clients with the complete spectrum of products and services that address security compliance requirements. To that end, IBM ISS today announced the industry’s first end-to-end solution to help address PCI Compliance. (See release at

PCI Compliance End-to-End

The new program from IBM provides clients with the products and services required to achieve compliance with all 12 requirements of the Payment Card Industry Data Security Standard (PCI DSS). Unlike competitive offerings, the comprehensive program is designed to take companies through the entire PCI compliance process, from assessment to compliance to certification. Leveraging IBM services and technology provided primarily by IBM ISS, Tivoli, Rational and IBM Systems and Technology Group, IBM can help clients meet PCI requirements for safeguarding customer payment card data.

Hughes Network Systems, the world’s leading provider of broadband satellite networks and services, selected IBM to take its HughesNet® broadband network service through the PCI compliance process.

“As a leading managed services provider to major enterprises, Hughes strives to provide a wide range of services and applications to our customers,” said Mike Cook, senior vice president, Hughes Network Systems. “PCI DSS compliance is critical to our customers’ operations, and it is imperative that the network services we provide meet those requirements. IBM’s comprehensive program took us successfully through the entire process, from assessment through to certification.”

IBM Research Project - Security Risk Management

A key component in IBM’s strategy to arm CIOs and CISOs with new risk management tools is a collaborative initiative among IBM Research, IBM Software Group, and academia called Security Risk Management (SRM).

Increasingly, Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) are focusing on securing critical business processes, not just the underlying IT assets, and translating operational metrics into business measurements. CIOs and CISOs are now using this capability to manage IT security as an operational risk.

SRM aligns security controls with critical business processes and their risk management objectives. IT executives can manage and allocate risk across all security domains to optimize business results. SRM performs critical assessments, compares business-level risks across the enterprise, quantifies the risk managed and the cost of each IT control, as well as automating control testing, to allow the firms to make significant cost savings.

SRM capabilities include:

* Dynamic risk quantification: critical assessments, e.g. Business Value at Risk, can be performed in a more precise, automated and objective manner.
* Peer group risk comparison: the CISO can compare business-level risks among different groups within the enterprise over time. If a line of business’ risk is drifting away from its peers, management can act much earlier than by relying solely on IT operational metrics.
* Business control optimization: SRM quantifies both the risk managed and the cost of each IT control, as well as automates control testing, to achieve significant cost savings for a better-governed enterprise.
* Security portfolio optimization: sophisticated attackers don’t target technology per se, they target weaknesses in business process. SRM provides an effective way for CISOs to assess these weaknesses and optimize their security investments in terms of managing real risks to the business.
* Event risk calculation: external events can be assessed in terms of real impact to the business, and elevated appropriately so that CIO/CISOs can deal with issues as a business executive to their peers, not as part of the “IT police.”

With risk management becoming an important measure for audits and appraisals, Security Risk Management provides strong evidence of effective IT security operational risk management. The closed-loop process improvement model, from business alignment and risk quantification, helps companies optimize business results over time.

Driving Risk Management Open Standards

As a major contributor to collaborative, industry open standards, IBM took a leadership role in driving the recent acceptance of Web Services Policy 1.5 as a recommendation by W3C, the international consortium for Web standards. The Web Services Policy Framework provides an open standard for organizations to manage the policies for computer systems and users in a Web services-based system.

Implementations of the Web Services Policy Framework include different policy domains. Web Services SecurityPolicy defines security policies that fit into this framework, and policy implementations that support these standards help automate the process of managing secure user provisioning and access to systems, speeding the process with a policy and helping to reduce risk of errors if otherwise handled manually and without a defined policy.

“Customers deploying Web services-based solutions with advanced quality of service characteristics, such as security, want to avoid the need for manual exchange of configuration information,” said Anthony Nadalin, chief security architect, IBM Tivoli. “The Web Services Policy specifications facilitate interaction between producers and consumers of Web services within context of a ’Quality-of-Service’ policy. IBM offers support for these important standards in IBM WebSphere and Tivoli products, and helps our customers manage business policy to improve the overall capabilities of risk management.”

Security for Small and Medium Sized Business Around the Globe

IBM is collaborating with innovative business partners around the globe to deliver the most advanced security solutions to small and mid-market (SMB) clients. In Germany, channel distributor Azlan has broadened its existing relationship with IBM to include the ISS portfolio of security services.

“The IBM ISS portfolio offers unique cross-selling opportunities for small and mid-market businesses. We appreciate the commitment from IBM to the channel and SMB,” said Marc Muller, Managing Director of Azlan. “Together with our value add resellers (VAR) in Germany, we will follow our successful strategy in the SMB market, investing in sales, marketing and technical enablement resources at our site and in the VAR community to meet client needs in consolidation, data protection and security integration in new and existing business opportunities.”

