Cloud & Service Management blog
Jennifer Dennis 110000CSRM JBDENNIS@US.IBM.COM Tags:  planet ibm integrated software security smarter cloud storage illustrated wright steven tivoli computing service asset+management enterprise it explanation management 2 Comments 7,832 Visits
What is IBM Tivoli Software? We know you want the short version. Steven Wright of Tivoli Software breaks it all down for us in less than 7 minutes on a white grease board. Check it out while you have your morning coffee, afternoon tea, or while you get your miles in on the treadmill or trail with your smart phone. Then visit ibm.com/software/tivoli for more details on how IBM Tivoli Software can help you run a smarter business.
Kimberlee Kemble 120000GMAV KEMBLE@US.IBM.COM Tags:  service-management security integrated-service-manage... x-force 1 Comment 2,917 Visits
It almost goes without saying, but, hey, I'll say it anyway...Security is top of mind for everyone these days, no matter your industry, no matter the size of your organization - and even on a personal level, too. You certainly don't have to be a security manager to be concerned about security, particularly internet security.
Case in point: Which of the following internet vulnerabilities is keeping you up at night these days?
5. Remote access
Perhaps a more precise answer would be "All of the above plus a few more."
So, how can you stay ahead of these types of threats - understanding what the most critical and recurrent vulnerabilities are and what you can do to prevent them? One excellent source of emerging information is the IBM X-Force Research and Development team. For more than a dozen years, these security specialists have tracked well over 40,000 different vulnerabilities, from Trojan horses to malware to Web spoofing, and documented them in the world's largest and most comprehensive threat database.
The IBM X-Force researches and monitors the latest internet threat trends, develops security content for IBM customers, and helps advise customers and the general public on how to respond to emerging and critical threats. Twice a year, the team releases a detailed report discussing the latest security complexities. These reports are far more than just abstract information. They are actionable intelligence, designed to lead to more comprehensive security and a better business outcome. Take a look at the latest report.
For more information about how the IBM X-Force research can help your organization (and perhaps even keep you from losing sleep worrying about security threats), check out this Service Management in Action article.
Signing off for this week,
Your friendly roving Integrated Service Management reporter
Kimberlee Kemble 120000GMAV KEMBLE@US.IBM.COM Tags:  ibm-security ibm ibm-security-solutions security 1,997 Visits
IBM Wins SC Magazine's Best Identity Management Application Award! You can read more about this exciting news in Bryan Casey's IBM Software blog post.
IBM was at RSA Conference 2011 - "Where The World Talks Security " - in San Francisco this past week, and what a week it was! (BTW, this was the 20th anniversary for the event...congratulations, RSA!)
Your friendly roving Integrated Service Management reporter
Noah Kuttler 110000SVNJ email@example.com Tags:  security service-management integrated-service-manage... 1,855 Visits
Last Tuesday, we debuted new releases to the IBM Tivoli Access Management family with an announcement letter (210-159).
I suggested that we take the products down to the local Sears for a "family picture." We'd go for a tropical theme (to commemorate the ending of Lost) and maybe even let IBM Tivoli Unified Single Sign-On hold the teddy bear.
I was outvoted. I won't say by how much. But I was outvoted.
Instead, we did something a heck of a lot better. It's something that I retweeted last week.
As customers are driving new business initiatives, IBM can provide the secure access they need. Typical access requirements we're hearing from our customers are:
All of this is provided in detail on the Enhanced Security website, where there is more information on these initiatives. If you like what you read, contact your IBM sales representative or business partner.
And, no. See above, I do not have wallet-sized pictures of the Tivoli Security Policy Manager...maybe next time...
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM Tags:  financial services security ibm finance 1 Comment 4,501 Visits
Today's post comes from Perry Swenson, Market Manager, IBM Security Solutions.
IT departments at financial services firms are under tremendous pressure to ensure servers, desktops, mobile devices and other endpoints are secure and compliant. At the same time, they’re continually looking for ways to save time and resources in areas like software licensing, patch management, asset inventory and security configuration. IBM Tivoli Endpoint Manager, built on BigFix technology, is helping these firms better understand and manage the status of their endpoints, regardless of where they’re located.
In the below video of Nate Howe, VP of Risk Management at Western Federal Credit Union talks about how Tivoli Endpoint Manager provides real-time patching for operating systems and third party applications and utilities. With over $1.4 billion in assets and 32 branches in 10 states serving more than 120,000 members nationwide, Western Federal Credit Union is one of the leading credit unions in the United States. Nate explains that they now have a single view into all aspects of the systems and security for their 400 employees, 100 servers and 2 data centers, including a better inventory of installed software. And, they can do more with fewer people, which enables them to focus less on infrastructure and more on business applications and enabling business automation.
Another customer that’s realizing benefits from Tivoli Endpoint Manager is SunTrust Banks, Inc. Based in Atlanta, SunTrust enjoys leading market positions in some of the highest growth markets in the United States and also serves clients in selected markets nationally. SunTrust has a highly distributed environment with nearly 1,800 branch locations and no local IT resources at most of those locations. Using Tivoli Endpoint Manager, SunTrust now maintains a 98.5 percent patch and update compliance rate. They’ve also decreased update and patch cycle times from 2-3 weeks to 2-3 days while increasing productivity through automation. Read the SunTrust case study here.
By enabling improved endpoint visibility and new levels of automation, Tivoli Endpoint Manager is a powerful solution to help financial services firms enhance their security and compliance.
If you’d like to learn more about Tivoli Endpoint Manager, please visit ibm.com/tivoli/endpoint
Noah Kuttler 110000SVNJ firstname.lastname@example.org Tags:  pulse ibm-security trailer pulse-2011 ibm-security-solutions ibm-pulse security 1,851 Visits
We're still counting down to Pulse with a few more trailers for the Expo Center demos.
Today, we feature something pretty neat on Application Security Solutions. (YouTube link)
Kathleen Holm 2700009BHX KHOLM@US.IBM.COM Tags:  #ibminnovate security security-by-design service-management 1,671 Visits
IBM just introduced new software and services to help build security into the design of new applications instead of adding it later as an afterthought.
New technologies like cloud computing and virtualization are making organizations more efficient and competitive. These new technologies are also adding increased complexity and risk forcing businesses to find new ways to deal with compliance, risk management and data protection.
The new security software and services announced by
These new offerings help organizations ensure their infrastructure organizations lower cost, reduce risk, and ensure their infrastructures are secure by design. For more information about these new security offerings from
Tiffany Winman 12000065XB email@example.com Tags:  availiability process service service-providers governance asset management ibm soa green security itil eam performance it financial service-management 2,807 Visits
Welcome to the IBM Service Management blog. A variety of authors who represent different parts of IBM will discuss a range of Service Management topics such as service availability and performance, green IT, IT asset and financial management, IT governance, service delivery and process, storage management, SOA management, enterprise asset management, and service assurance for service providers.
We'll discuss industry trends and happenings, analyst
perspectives, new product and solution announcements, support and services
offerings, upcoming events, helpful resources, and heroes in the broader IBM
Service Management network. This blog provides multi-directional communication
with the public, and we encourage and look forward to your feedback, thoughts,
and questions. For extended sharing, check out our new IBM Service Management community.
I'm Tiffany Winman, the IBM Service Management community and social media program manager, and my blog topics tend to focus on communities, people, companies, heroes, and stories in the broader Service Management and Tivoli "ecosystem" and the use of innovative social technologies to facilitate online social networking and collaboration. When I'm not blogging on group blogs such as Service Management, Tivoli, Pulse, and Web 2.0 Goes to Work, you can join me in riveting conversation ;) on my individual blog.
Let us know if you have any questions or we can assist in any way.
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM Tags:  security federated government ibm identity 2,460 Visits
Today's post comes from Vidhi Desai, Market Manager, IBM Security Solutions.
Today’s business environment calls for information sharing at an unprecedented scale. Sensitive information is shared between organizations, end consumers and even business partners. The biggest challenge that organizations face in doing so, is how to ensure that sensitive information is securely shared with different parties and that the right people are accessing the data. With the adoption of cloud and Software as a service deployment models, ensuring secure access is even more critical and challenging.
Consider a scenario where a government agency needs to share information with different agencies, local governments, citizens or even with other business entities (eg. Revenue agency that needs to share information with citizens and other entities like a tax preparation service). If one of the entities is operating in a public cloud environment, its becomes critical for government to ensure that right person is accessing the right data without sacrificing privacy, security or scalability (party requesting information really is the government revenue agency or tax preparer they claim to be).
Over the past couple years, we have seen how the US government has taken steps to ensure secure sharing of data between agencies with regulations such as FISMA, which was introduced in 2002, bringing attention to the critical nature of cyber security and its impact on national security.
Identity is at the core of any information sharing transaction. Hence whenever an individual attempts to access secure online sites or web portals, their identity has to be verified to ensure they are authorized to view that data. Additionally from the end user or citizen’s perspective, they should be able to set up their identity once and then log in to multiple systems without having to log in multiple times.
Federated identity management is the solution which enables multiple applications to share user credentials based on trust. This is especially critical in supporting cloud deployments for secure information sharing across private, public and hybrid clouds. With federated SSO, users can log on to the sites of multiple businesses and organizations by using the same user id and password, hence gaining a seamless and secure entry to multiple applications.
Tivoli Federated identity manager from IBM is an access management solution that provides web and federated single sign on to end users across multiple applications resulting in improved user experience. Tivoli Federated Identity Manager enables central management of access, enhanced user productivity and facilitates trust by delivering single sign on across separately managed infrastructure domains, both within an organization and across organizations.
Learn how Agesic protects citizen information with IBM Security Solutions: http://www.ibm.com/software/success/cssdb.nsf/CS/LWIS-8CM8SV?OpenDocument&Site=tivoli&cty=en_us
Today's post comes from Veronica Shelley, Market Manager, IBM Security.
With IBM's October 12th SmartCloud launch, perhaps you're considering cloud computing for your organization. After all, the benefits of cloud computing are well known. Cloud computing is flexible, scalable, and cost-effective, and it's a proven delivery platform for providing business or consumer IT services over the Internet. Cloud computing can help you cut costs and IT complexity, provide new services to customers, and streamline business processes. Cloud computing is gaining in popularity and may be the wave of the future. Yet, many organizations hesitate to get started due to security concerns and confusion over how to get started.
Perceived risk versus actual risk
Cloud computing may seem new, but the fact is companies have been outsourcing services and technology for years. Providers already deliver hosted technology offerings that are located off-site with client access via the Internet. This is a common scenario for services such as remote storage or hosted email and other software as a service (SaaS) solutions. And just because companies may give up some control to the provider when they move to a cloud-based environment (just as they give up some control in any outsourced arrangement), it doesn't mean they have to compromise on security. By asking the right questions and adequate preparation, companies can build a "trust and verify" relationship with the cloud provider they are working with.
Questions to ask to ensure cloud security
It's important to remember that the same factors apply to ensuring security whether it is cloud-based or within a traditional IT infrastructure. The key difference in the cloud model is that it includes external elements, and those elements will be managed by the cloud service provider. This means companies need to understand the environment beyond their own data center and consider how it impacts the organization from a security standpoint. To help ensure security and peace of mind, as well as a good working relationship with the cloud provider, the client company should always identify and prioritize cloud-specific security risks beforehand. Often, companies will find they have the same amount of control, if not more, with a cloud service. There are specific tactics an organization can use to enhance cloud security. For identity and access management issues, companies need to control passwords, support privileged users and enable role-based access to these cloud services. With data protection, a key concern is knowing whether or not a company's hosted data is secure, especially if data from rival companies is also being stored on the provider's cloud service. Companies should also ensure the cloud provider is deploying antivirus software on all supported systems that could be exposed to attacks, and ensuring that selected programs can identify and protect against malicious software or processes. From an auditing and monitoring perspective, companies need to determine how the cloud provider is testing and monitoring the infrastructure to meet legal and regulatory requirements.
Reaping the benefits of cloud
Organizations interested in reaping the benefits of cloud can best begin by understanding the security ramifications of a cloud deployment to their business, keeping in mind they can start small by deploying cloud in low-risk workload areas like email services. This easing-in process gives organizations valuable time to become familiar with cloud on a scale that's simpler to grasp and doesn't put them at increased security risk. And as familiarity of cloud and trust in the provider grows over time, companies can expand their use of cloud computing into other areas of business. By following this gradual path, companies can start enjoying the benefits of cloud in a way that's safe and secure.
The IBM Cloud Virtual Briefing Center offers a rich set of assets to help you get started on your own cloud computing implementation. Go here to learn more https://events.unisfair.com/index.jsp?seid=25543&id=26378&eid=556
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM Tags:  virtualization pci security compliance 2,800 Visits
Today's post comes from Vikash Abraham, Market Manager, IBM Security.
Virtualization has proven its business worth as a technology, however there is still limited understanding about how to secure it. To many, the question still remains - why do virtual environments need separate security when we have already secured the physical environment i.e. physical servers and the network in a data center. To answer this, it is essential to understand that the virtual environment creates a totally new layer above the physical server, which in turn, acts like a mini data center with all the complexities of multiple virtual machines, hypervisors, virtual networks and virtual appliances. The biggest risk that comes with a virtualized environment is the lack of visibility into it. Thus even if the environment is being attacked it isn’t necessary that the administrators are aware of it. Hackers are also excited with the hope of unveiling a set of new vulnerabilities that this environment could come with.
Having realized this risk of vulnerability and possible loss of millions-worth of data, the PCI Security Standard Council has come up with compliance guidelines for virtual environments. In June 2011, PCI group released ‘PCI DSS Virtualization Guidelines’ that broadly describes aspects that need to be considered while securing a virtual cardholder data environment. The guidelines consider the new entities that pop up with virtualization, such as Hypervisors, Virtual Machines, Virtual Appliances, Virtual Switches or Routers, Virtual Applications & Desktops and provide the virtualization considerations across the 12 PCI DSS requirements.
It is clear that a new approach to security is required, with concepts like ‘secure by design’ making further sense in this multilayered environment. Also, a specialized security solution would be needed to provide visibility, control and proactive protection. The solution needs to protect all entities of the virtual environment and monitor data that is being shared between these entities. While securing virtual environments, the physical components of the data center should not be ignored. These physical components should continue to be secured as it would have been prior to virtualization. The PCI guideline points out that to ensure total security, the entire infrastructure hierarchy needs to be secured. This means that even if only one Virtual Machine (VM) is carrying cardholder data, both the hypervisor and the physical server need to be secured. Since the VM sits on the hypervisor and the physical server, a compromise to either of them can lead to the VM getting compromised.
Also with the increasing buzz around Cloud computing and Cloud-based service offerings, there would be further security requirements and considerations that need to be implemented to create a secure Cloud based cardholder data environment. However, if Cloud is considered as the next level of virtualization, the additional security required would be on top of the current virtualization considerations.
An enterprise would one day need to move on to the virtualized environment, considering the pressure to carry out continuous optimization and increase utilization. This would also mean that the ever growing cardholder data would need to move into this environment. The current deterrents that hinder this move are the lack of understanding of the environment and its security requirements to achieve a PCI compliant datacenter. However, sooner or later, the compelling business advantage of virtualization would push a CIO to take that leap.
For more information, visit, us on the web at: http://www.ibm.com/software/tivoli/products/virtual-server-protection/
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM Tags:  application ibm security mainframe 2,737 Visits
Today's post comes from Anne Lescher, Product Marketing Manager, IBM Security.
Many enterprises run their mission critical application workloads on their mainframe systems. They would like to centralize their application security controls, security policy enforcement, data protection, auditing reporting and compliance management for a consolidated view of security. They are looking for smarter security intelligence that will help them leverage the mainframe as their enterprise security hub. IBM Security zSecure suite V1.13 consists of multiple individual components designed to help you administer your mainframe security server, monitor for threats, enforce policy compliance, audit usage and configurations, and assist in compliance management and audit reporting.
• IBM Security zSecure Admin, Visual, and CICS Toolkit provide administrative, provisioning, and management components that can significantly reduce administration time, effort, and costs, and help improve productivity and response time, as well as help reduce training time for new administrators.
• IBM Security zSecure Audit, Alert, and Command Verifier provide security policy enforcement, audit, monitoring and compliance management components. These offerings help ease the burden of compliance audits, can improve security and incident handling, and can increase overall operational effectiveness.
New Security zSecure suite V1.13 capabilities offer enhancements for DB2, CICS, and IMS application security auditing that:
• Automates security analysis of CICS and IMS transactions and programs
• Provides automated determination of which System Authorization Facility (SAF) classes are being used by each active IBM DB2, IBM CICS, or IBM IMS subsystem
• Enhances Access Monitor and allows you to improve data consolidation
• Allows annotating userid displays with data from external human resource files such as department and employee number
• Adds globalization enhancements to support international language support and auditing
• Allows addition of your own sensitivity classification, audit concern, and priority to data set names and general resources
• Supports currency with z/OS V1R13, ACF2 R14 and R15, CICS V4R2, and Top Secret R12, R14, and R15
• Extends integration with Communications Server and provides various interface improvements
For more information on the functions available in the new version of IBM Security zSecure suite V1.13 visit our announcement letter and our zSecure product website.
Bryan Casey 270003BSJV BFCASEY@US.IBM.COM Tags:  z security key sklm mainframe encryption 3,890 Visits
Today's post comes from Anne Lescher, Product Marketing Manager, IBM Security Solutions.
As the mainframe continues to extend support for consolidated workloads on System z, enterprises should strongly consider utilizing the mainframe as their enterprise data and security hub. Mainframes are uniquely able to protect information with a rich collection of encryption capabilities that includes self-encrypting tape and disk storage for data at rest, in addition to robust access controls, file level encryption, database encryption, and communication encryption protocols. Now with the mainframe’s ability to support virtual workloads, organizations can create cloud environments with protected data available for shared innovative collaborative ventures.
Encryption is the ultimate solution for protecting sensitive data. But many practitioners are reluctant to utilize encryption due to concerns of performance overhead, disruption to their operations and changes required in their applications, and encryption key management complexity. But the biggest fear of all is losing all access to encrypted data if the encryption key is ever lost or forgotten.
In most cases, organizations have less and less choice over when and how to encrypt information as more and more industries and governments enact legislation and standards that mandate the use of encryption.
So a superior encryption key lifecycle management solution is essential in order to implement the best end-to-end security which protects enterprise mission critical data and sensitive personal information. This solution should include standards based key management and help:
IBM Security Key Lifecycle Manager for z/OS allows enterprises to fully exploit the security strengths of their mainframes to act as both an enterprise data hub and an enterprise security hub for the consolidated workloads that run on the newest System z platforms.
For more information, you can visit us online here.
Today's post comes from Veronica Shelley, Product Marketing Manager, IBM Security Solutions.
**Updated 11/29 New Podcast Available on Secure Cloud Desktops**
Today’s post is brought to you by Veronica Shelley, Product Marketing Manager, IBM Security Solutions.
A typical user can have multiple log-in and password combinations, often with different requirements and update intervals. With so many log-ins to keep track of, users either forget or resort to unsafe practices (i.e. writing them down) to help remember their passwords. Yet, there are times when your user community simply can’t remember their log-in information. How many calls to the Help Desk, how many hours of lost user productivity, can be attributed to workers who can’t log into a particular application or database because they forgot their password? Precious time is wasted finding, remembering, and resetting passwords, so this can become a major productivity issue for organizations of all sizes.
As the number of enterprise applications and access points continue to increase IBM Tivoli Access Manager for Enterprise Singe Sign-On (TAM ESSO) delivers a balance between easy access and strong security. This industry leading access management solution supports a wide variety of authentication factors (including smart cards, badges, tokens, and biometrics), meeting the needs of different user groups and industries. TAM ESSO provides single sign-on capabilities, meaning users have to remember just one password to automatically log into all their applications and data sources. No more time consuming and expensive help desk calls, no more frustrated users, no more lost hours of productivity. Users benefit from fast access to all of their applications, while organizations benefit from the increase in productivity, security and compliance with security regulations.
TAM ESSO just became more affordable, with a limited time 50% off promotion. Now through December 31, 2011, you can save 50% on new TAM ESSO license purchases. For more information on this offer, visit our promotion web page.
Don’t miss out on the chance to save 50% on the award winning TAM ESSO solution. Take advantage of this unique offering today!