IBM Tivoli Security Management Blog
I'm Jeanette Fetzer, IBM Tivoli security portfolio manager. I'm blogging today because I'm lucky enough to be the track chair for the Security, Risk Management and Compliance track at our upcoming Pulse event in Las Vegas next week. I'm really excited about the agenda this year. We have over 30 of our security customers speaking in the track in a mix of panel and solo sessions. I can tell you that from having reviewed the drafts of the security presentations for the event over the past few weeks, this will be a very interesting event!
Last year, the panel on Identity and Access Management was a big hit, and therefore we're organizing that again this year with different participants. We've added a panel on Information Security that also features select Guardium customers. We also have a panel on how federation facilitates collaboration across organizations and drives business value. Many of our customers are eager to talk about identity services in the cloud - we'll host a panel on this very topic.
We've had several outstanding prep sessions with the panelists for each of these sessions, where the participants were able to share their input with the rest of the panel ahead of the event. The panelists were really dynamic, sharing their tips and tricks with each other.
These panels, as well as the other sessions, will feature good time for audience interaction - so bring your questions!
Overall the agenda is looking fantastic - with sessions on compliance and risk management, virtualization and encryption key management. We'll start the week with an exciting kickoff from Kris Lovejoy, VP of IBM Security Strategy and Greg Adams, Director of Tivoli Security, Risk Management and Compliance Product Management. They'll give you an update on our strategy and offerings. On the showfloor, you can find a wealth of security experts and a wide variety of demos from identity and access management to application security to virtualization security and even security management and compliance on System z.
I'll be there next week, taking it all in - hope to see you too!
Kelly Schupp Tags:  compliance insider-threat risk-management compliance-management security
Today I spoke with Marne Gordon, IBM Security’s Expert on Governance Risk and Compliance Issues. The topic of our discussion was the concept of Compliance Fatigue. This conversation is captured as a podcast at http://ow.ly/psZD, but is documented below. Some useful links have been added.
1. Tell us about Compliance Fatigue.
Customers have told us that as they integrate globally, they have become tired of the increased complexity and cost associated with compliance management activities. Individuals and organizations have simply been overwhelmed with the amount of information security and privacy regulation in the past few years, and the prospect of more to come. When organizations become overwhelmed by compliance, the greatest temptation is to do nothing. But this is a mistake: security exposure, as well as legal exposure and abandonment of ethical and moral obligations to customers, partners, shareholders, etc., are genuine risks.
2. Realistically, what is the biggest threat to information security? To compliance?
There has been a lot of buzz recently regarding state sponsored cyber attacks on US organizations and IP addresses. While this threat is high profile, it is not prevalent. US government officials are less worried about foreign-based cyber attacks than they are about garden variety insider threat. Insider threat has become the #1 source of concern for the information security community because it is often the most difficult type of activity to detect and mitigate. By virtue of their employment status, trusted insiders have access to our most sensitive system resources and data assets. How can an organization realistically defend against the malicious (or even accidental) actions of a trusted insider?
3. How much compliance is "enough"?
Often companies view compliance as a checklist -- a series of action items to be completed and then the project is "done". This is not a realistic view of infosec compliance, and can actually leave the organization with a poor security posture. Just like information security, compliance does not end, and organizations must remain vigilant to maintain a high security/compliance posture. This is where fatigue sets in. Most organizations are subject to multiple regulations -- from the Federal and state governments, and depending upon business model, international requirements. The best approach is to take an enterprise-wide view of information security controls deployment, and to use the information security program to fulfill multiple compliance mandates.
4. How can someone learn more about the topics of security governance, compliance and risk management?
I have a video on YouTube where I address Insider Threat and Compliance. You can view it at http://www.youtube.com/watch?v=-vH3CKgCkqM. Furthermore, my colleague, Calvin Powers, often blogs on these types of topics at https://www-951.ibm.com/blogs/visible/. For a view of IBM’s compliance management offerings, please go to www.ibm.com/security
Join IBM’s security community at X IBM’s security LinkedIn community at http://www.linkedin.com/groups?gid=1846255
There will be more security than ever at IBM Pulse 2011 event in Las Vegas, NV
Not to worry, that doesn't mean there will be guards outside of each session to inspect the contents of your laptop bag; it means that the agenda will be jam-packed with security content!
We'll have over 30 security sessions at the event where security leaders from organizations like your own (maybe even you!) will share experiences using IBM products and services to address today's security challenges. The event will also feature IBM security leaders sharing best practices for managing security and compliance given the current threat landscape. This is an opportunity to mingle with security professionals from a variety of industries as well as the IBM security strategy, . You'll also have an opportunity to see demos and take hands-on labs.
How are you addressing today's security challenges with IBM security solutions? Do you have some experiences and best practices you'd like to share? We invite you to submit a proposal to speak at this exciting event. There are many different types of speaking opportunities. You may present alone, jointly with an IBM rep or , or as part of a client panel.
Check out the Pulse website for more information on the event, the benefits of speaking at the event and information on how to submit a session proposal.
Elaine Tully ETULLY@US.IBM.COM Tags:  annual xforce trend risk and report x-force 2009
The 2009 X-Force Trend and Risk Report is now available. This latest report from IBM X-Force reveals three main threats that demonstrate how, in 2009, attackers seeking to steal money or personal data increasingly targeted their victims via the Internet.
Download the full report here (registration required): http://www.servicemanagementcenter.com/main/pages/IBMRBMS/SMRC/ShowCollateral.aspx?oid=74711
Graphics from the report are available separately here (registration required): http://www.servicemanagementcenter.com/main/pages/IBMRBMS/SMRC/ShowCollateral.aspx?oid=74712
You can also read a great synopsis of the highlights of the report on the IBM X-Force blog, Frequency X: http://blogs.iss.net/archive/2009trendhighlights.html
The IBM X-Force Trend and Risk Report is produced twice per year: once at mid-year and once at year-end.
Elaine Tully ETULLY@US.IBM.COM Tags:  security technical awards blog social best frequency x x-force
Frequency X, the IBM X-Force blog, is a finalist for the 2010 Social Security Blogger Awards, in the "Best Technical Security Blog" category.
If you are a member of the security bloggers network, or SBN, you can vote for your favorite security blog at http://www.zoomerang.com/Survey/?p=WEB22A8BWJVVAE. But hurry - as of now, there's less than one week of voting left. Polls close on Monday, March 1.
If you are lucky enough to be going to RSA Conference this year, be sure to stop by the IBM booth to meet the X-Force in person. They will be doing a number of presentations - including live hacking demonstrations - throughout the conference. Don't miss it.
Chris Bauserman Tags:  security-management network-security insider-threat identity-management india ips compliance-management access-management security compliance managed-security-services data-privacy china iss tivoli
A small team from Tivoli development, product management, and sales enablement descended upon China and India recently to meet with customers, business partners, and the local IBM security teams. Aside from some seriously good food and some serious jetlag, what else did the Tivoli team get out of this trip? Read on my friends…
China: original architects of “perimeter defense”
We had the good fortune of working in a stop at the Great Wall of China on our travel day between stops in Beijing and Shanghai. Don’t think for one moment that this piece of the itinerary was a touristy boondoggle. Oh no. Our visit to the famous 5,000 mile long collection of walls, trenches, and other natural barriers was all business.
In security parlance, the Great Wall represents the ultimate in perimeter defense. Originally constructed over 2,000 years ago in the Qin Dynasty and improved through the 1600s during the Ming Dynasty to its present form today, the Great Wall performed well to keep the “bad guys out” – whomever the “bad guys” of the century happened to be.
While that is an impressive track record for any security professional, the Tivoli Security team decided to investigate a bit deeper. It turns out that the particular stretch of Wall that we visited was rather unique – and ripe with foreshadowing. We toured the Mutianyu section of the Great Wall, about 70km northeast of Beijing. What is unique about this stretch of the wall is that it was designed to fight off enemies on both the outer and inner sides of the wall.
This concept of finally looking at insider threat proved to be quite prophetic, but was too little, too late for the Ming Dynasty. A disgruntled insider, General Wu Sangui, opened the gates in 1644 from the inside at Shanhaiguan to the advancing enemy. Of course, this led to the fall of the government and certainly led to the loss of jobs for their security professionals.
Major banks and government institutions we visited in present day China have clearly followed suit with their predecessors and focused first on perimeter defense. Fortunately, we are seeing a renewed concern and focus inside these organizations to address insider threat and risk management. It is still a burgeoning area of investment for most firms, but the promising aspect is that the organizations we talked to were most interested in attacking the insider threat because true security risk management was the right thing to do and essential to protect valuable data – and not strictly as a “box to be checked” on an audit.
India: seeking wisdom, prosperity, good fortune…and security.
Our timing to visit Mumbai was very fortunate as we arrived during the annual Hindu festival of Ganesha Chaturthi. I admit that I did not know anything about this festival before traveling to India, but I am very glad the timing worked out to experience it. There are two important things I have learned about Ganesha Chaturthi: 1) worshipers of Ganesha seek wisdom, prosperity, and good fortune; and 2) visitors flying home during the festival should add extra hours to their travel time to the airport because of the processions in the streets. More on that later.
Security wisdom was something we did find in abundance in India. Not only does Tivoli security have major development labs in Pune and Bangalore, but the clients and business partners we met with had a sophisticated view of the types of security threats they were facing and evolving compliance landscapes domestically and abroad. This led to excellent discussions on perimeter defense, intrusion prevention, as well as identity and access management, insider threat and compliance reporting.
The Indian economy is booming and you could see signs everywhere of the country’s increasing prosperity. Organizations we met with clearly recognized the need to proactively handle insider and outsider threats and increasingly have the resources to do so. While there was wide agreement on the scope of security threats, the economics of how to handle those threats still seemed in flux.
Some organizations, like a large bank, saw custom development through a local services firm as the best way to meet its user provisioning and compliance auditing needs. They believed that they could deploy those security controls for a single important system more quickly and cheaply than with a leading commercial software solution. The problem with this approach became apparent when I asked them what happened when they wanted to add one more or 10 more or 20 more systems. Then the total cost of ownership advantages of partnering with a security leader like IBM, and taking advantage of the best practices of clients around the world, became obvious.
Other clients we talked with, like a large telco, expressed a strong desire to leverage IBM’s expertise in managing entire security functions and billing for this service as an operating expense (OPEX) vs. capital outlay (CAPEX). In this case, the client had already purchased intrusion prevention and perimeter defense technologies from IBM and had in-house skills to manage it, but was looking for IBM to deploy and operate new solutions for insider threats and compliance.
Now we come to good fortune. Our team was very fortunate to have such welcoming hosts, interesting clients, and fantastic food at all our stops in India and China. It was truly exciting to see security professionals in those countries embrace security and compliance challenges head on, in partnership with IBM.
I also had the good (?), or at least unintentional, fortune of making this trip my first round-the-world flight. Heading from my home in Austin, the original intent was to fly West to China, then India, and return home through Delhi via the North Pole. One potential snag in this return home that I did avoid was traffic associated with Ganesha Chaturthi in Delhi. My hosts warned me it would take 3 hours or more (vs. the typical 45 minutes) to reach the airport – and I needed all of that extra time to make my flight from Mumbai. Long story short, I didn’t make my connection in Delhi and ended up flying through Brussels (directly over Kabul too!) on my way home. After 48 hours (and many connections later) from the time I left my last client I was finally home, sweet home! At least that detour gave me the chance to enjoy a fine mug of Hoegaarden on the way home and rack up my first round-the-world flight for security.
Jeanette Fetzer Tags:  security management vulnerability
Last week, IBM announced our intent to acquire BigFix. I wanted to point this out in case any of you missed this while on vacation or working furiously to get ready to go on vacation. This is exciting news! BigFix is a leading provider of security configuration and vulnerability management, systems lifecycle management, endpoint protection and power management. These capabilities will strongly complement IBM's service management portfolio to simplify IT operations and security, to deliver a single integrated architecture for endpoint management.
As business models spread out and the workforce is increasingly global and mobile, it is a large task to stay ahead of threats, ensuring that configurations are set to reduce vulnerabilities and that security patches are deployed in a timely fashion. This can be labor intensive or prone to incomplete coverage. Endpoints are where your employees and team members are getting the job done - recording transactions, designing products, helping customers, working on plans. This is where your enterprise value begins, with the generation of and collaboration with information on these systems spread around your enterprise and even the world. These systems are not contained in one area and can be out of reach from physical contact with the IT organization. But they come and go from your network daily. A poorly protected endpoint can have a vulnerability exploited that can not only impact the system itself, but potentially serve as an entrypoint for malware to enter the enterprise network.
BigFix provides real-time visibility and control of endpoints across a large number of computing platforms. This acquisition is intended to close later this year. Adding this to IBM's already strong service management portfolio will help clients improve the management of both their IT and operational assets. Enterprises can look to IBM for these solutions to help improve service delivery and overall business performance while helping to save time, labor and expense.
Read more about the acquisition here: http://www-03.ibm.com/press/us/en/pressrelease/32026.wss
Kelly Schupp Tags:  risk compliance encryption security cloud-security virtualization identity-management single management sign-on pulse application-security data-security cloud key-management
Today I spoke with Jeanette Fetzer, who is leading the security, risk and compliance management track at Pulse 2010. The topic of our discussion was the Call for Papers that is taking place now for Pulse 2010. Jeanette is looking for customers, partners and analysts to submit proposals. See below what will catch Jeanette's eye when submitting abstracts.
What are hot topics in the area of Security, Risk and Compliance Management right now? Which topics would you really like to see presented at Pulse?
Security, Risk and Compliance Management is a broad topic area that covers managing people and identities, securing applications and information as well as the infrastructure. We plan to have a variety of topics on the Pulse agenda that spread across this spectrum. Some hot topics we know customers want to exchange ideas on include Privileged Identity Management, Role Management, Application Security, Data Security, Virtualization and Cloud security, Encryption and key management and datacenter security. Last year, we witnessed some really valuable exchanges in the sessions where presenters shared how technologies like Federation or Single Sign On helped reduce costs in their businesses or extend their business models cost effectively.
Who are good candidates for submitting abstracts? And why?
We are interested in abstracts from customers, partners and analysts who are familiar with today's security challenges and how IBM's security solutions help to address those challenges. We'd like speakers who can share real world experience from selecting the IBM solution to implementing it with their fellow attendees.
What are you looking for in a good proposal?
A good proposal should have a strong title that is indicative of the content of the session. The abstract should offer in 150 words or less some insight into the security and enterprise challenges you faced and how you solved them with IBM security solutions. Please try to steer clear of using lots of acronyms. You may wish to highlight your industry or the size of your deployment or some exciting statistics about your implementation like number of users, employees or customers served, managed systems, geographic locations involved in your deployment or cost savings anticipated or realized. Attendees are interested in best practice and "lessons learned" discussions as well as some sharing of architecture ideas.
What are the benefits of submitting an abstract for Pulse?
Your paper may be published in the Pulse 2010 proceedings and you will have the opportunity to present as part of the formal agenda. All accepted client speaker submissions will receive a full conference pass* ($2195 value) and admission to our on-site VIP client lounge. For more information on submitting abstracts for Pulse, visit http://ow.ly/r4ej
The Global Tivoli User Community is hosting an "Ask the Expert Online Jam session" today. The event is running 8am - 8pm EST on June 15.
Security experts for Tivoli Identity Manager and Tivoli Access Manager will be on hand to answer your questions on our security products.
Danyel Otteson, the IBM Global Tivoli User Community Manager has a great blog post that provides more details on the event.
Here's how it works in brief:
You can register and log in to the event through this link: https://secure.tivoli-ug.org/register?source=ATE063
Access Management has been around for a while, and to some might not be as exciting as talking about role management. However, as most of us security people know, it is an essential foundational element to the initiatives that our organizations undertake to securely drive productivity and growth.
We recently released three solution briefs that highlight how Access Management is an integral part of data security, cloud and SOA deployments as well as portal and web security. These are great reads and pass arounds for highlighting the value of this technology in your organization. You can find materials on these use cases and more here.
These solution briefs align with the latest releases of the products in this IBM product family. Just this week, we announced updated releases of IBM Tivoli Access Manager for e-business, IBM Tivoli Federated Identity Manager and IBM Tivoli Security Policy Manager. They all have been enhanced to support the use cases above.
Are you using IBM products for any of these initiatives? I'd be interested in hearing your experiences.
Kelly Schupp
White paper - IBM end-to-end security for smart grids
Here is the URL for this bookmark: http://ow.ly/zin4
Kelly Schupp Tags:  ibm-security single-sign-on access-management security
IBM's Enterprise Single Sign-on Solution reviewed by Chris Ahart, blogger and security expert.
Here is the URL for this bookmark: http://ow.ly/zyl0
Kelly Schupp Tags:  compliance-management ism-jams security tivoli compliance insider-threat identity ibm management iss
On October 13th, speakers Jeff Crume, IBM Distinguished Engineer and IT Security Architect, IBM World Wide Tivoli Tiger Team and Jim Goddard, Business Development Executive, IBM Internet Security Systems addressed issues around Mitigating insider threats through proactive identity management.
We've excerpted the following questions and answers from the live Q&A segment of this Jam.
1. What if I need authentication that is stronger than the userids/passwords?
Both Tivoli Access Manager for e-business and Tivoli Access Manager for Enterprise Single Sign-On support second factor authentication mechanisms such as smart cards, one time password tokens and biometrics.
2. How does the security logging work to ensure collection and analysis is done in a forensically sound manner?
One of the most important aspects of log analysis is to ensure that any analysis does not occur on the original log file. Tivoli Compliance Insight Manager does that by archiving the original log file thereby not contaminating the event source. This is something often overlooked with custom code.
3. If a user's SSO password is compromised, are all his applications now accessible via that account and password?
It is likely that users are already using one password for all their accounts in order to minimize the complexity of password management, so this risk already exists. However, another option to minimize the risk is to use a second factor to strengthen authentication.
4. What are some of the ways to recertify access?
Tivoli Identity Manager comes with pre-built workflows to perform a recertification of all users for a given service. You can configure the actions to take such as deactivate or mark only if a user or manager does not recertify the account.
5. What kind of PII (personally identifiable information) is stored within the Identity Access Management (IAM) solution?
Whether information is considered PII must be judged at a local level based on regulations and policy. However, some elements the personnel feed will include might be name, country and address. It is a best practice to not include sensitive information in the feed such as social security numbers.
6. What about authentication of a user who logs in from multiple systems at multiple locations?
In some cases this behavior may be desirable but if this is not the case, Tivoli Access Manager for e-business has a Session Management Service which can be configured to restrict simultaneous logins.
7. Does TIM work with Domino Servers?
Yes. Tivoli Identity Manager also supports provisioning email accounts on Microsoft Exchange as well as many other IBM and non-IBM applications, databases, operating systems, etc.
8. Is there a Best Practices Guide available for customers to use as a roadmap for planning a security deployment?
IBM Redbooks are an excellent source of practical information on best practices for configuring, customizing and implementing Tivoli security solutions. The full set of documents can be found at www.redbooks.ibm.com or an informal listing of Tivoli security-related content can be found at extranet.lotus.com/crume.
You can access the replay, podcast and PDF slides by registering here: http://ow.ly/vrjx
About ISM Jams
IBM Service Management Jams are weekly webcasts that address the hottest service management topics on a variety of levels from technological thought leadership to product tips and tricks. Jams air Tuesdays at noon EST, are available on-demand within 24 hours and are accessible for one year. ISM Jams are led by Wendy Whalen, ISM Jams Program Manager, Tivoli.
"It's the eye of the tiger, it's the thrill of the fight" EMA sees a promising future for the IBM Security Tiger Team
Lauren Mullins Tags:  data-security cloud cloud-security security single pulse virtualization compliance-management sign-on risk-management application-security compliance encryption risk key-management insider-threat management identity-management
IBM is rising up to the challenge to meet customer needs of purchasing integrated security solutions with its recently announced IBM Security Tiger Team. Last year IBM announced its security framework in order to unify its security message to the market. Now, IBM has made a bold move by creating a cross IBM Security Tiger Team, run by Kent Blossom, Vice President IBM Security Solutions. The Tiger Team will sell the entire set of IBM security capabilities spanning software, hardware and services, represented in the IBM Security Framework. The team will assess risk and compliance issues facing their client's business and develop the IBM solution to move a client into a secure environment. EMA says, "For IBM, this is an important step toward revealing the company as the large and powerful security vendor it truly is."
You can access the EMA article here (it will require registration): http://ow.ly/umqk