IBM to Pump $1.5 Billion into Security Products, Services
November 5, 2007 Timothy Prickett Morgan
For years, IBM has been focusing on creating more flexible and virtual computing environments and has sunk billions of dollars in research and development into these areas. If last week’s announcements were any indication, then Big Blue will be focusing rather heavily on security and risk management in 2008.
As part of a broad array of product plans that IBM put together last week in the wake of its acquisition of Watchfire this year (for an undisclosed sum, but the rumor mill has suggested it was around $100 million) and Internet Security Systems in 2006 for $1.3 billion, the company said that it would be spending $1.5 billion in 2008 to roll out new security and risk management products and services and to pay for ongoing research that will ultimately yield more products and services. IBM did not say how much of this spending was incrementally new and how much was already in the plan, as it never does when it says it will invest a billion dollars here or there on some key area in IT.
“For many enterprises, security is broken,” explained Tom Noonan, general manager of the Internet Security Systems unit at IBM. “The nature of evolving threats is such that installing point solutions to ‘keep the bad guys out’ is no longer a viable way to secure a business. We advocate new approaches to reduce complexities, adapt to new business imperatives and enable business value versus just threat protection. The path to a more secure world begins with a risk management strategy that limits the impact of threats, improves business resilience and creates an enterprise free of fear.”
The Watchfire WebXM and AppScan products fill in a gap in IBM’s security and compliance software offerings, and also link the Rational family of application development tools to the Tivoli family of systems management and security products. WebXM is an auditing tool for making sure companies are compliant with myriad government regulations that cover how information and applications are accessed by employees, partners, and customers, while the AppScan suite is a complementary toolset that can find security vulnerabilities in Web-style applications. When IBM bought it last August, ISS had over 11,000 customers, who use its X-Force security intelligence service or who use its intrusion detection and prevention appliances. Since that time, IBM has been integrating its Tivoli systems management and security products with the X-Force service.
IBM bought these two companies and broadened the Tivoli line of systems management tools to cope with compliance and security issues for a good reason. According to AMR Research, companies in North America will spend nearly $30 billion on products related to governance, risk, and compliance. That’s a lot of dough. And that is what the Data Security Service Initiative from IBM aims to chase.
As part of the announcements last week, the ISS unit announced a new feature called Proventia Content Analyzer for its Proventia Network Security System appliances, which can sniff IP packets in real time to look for confidential information on corporate networks. IBM also committed to partnering with other security experts, including Application Security, which does database security; Fidelis Security Systems, which sells extrusion protection (data leaking out, not hackers getting in) products; PGP Corporation, which does data encryption on disks; and Verdasys, which has created a set of security products to monitor and manage access to documents and files on servers and PCs inside a company and by supply chain partners. IBM plans to weave its own products and these products from its partners into a set of services that IBM will peddle to its corporate customers.
As you might expect, the System z mainframe always gets its own top billing among IBM’s platforms when it comes to security, and last week was no exception. There were no new products here–just references to security improvements in z/OS release 1.9 and Tivoli zSecure, which is the result of IBM’s acquisition of a company called Consul and which created a security auditing tool for mainframes.
IBM Research is also being tasked to work with techies at colleges and universities and within IBM’s own Software Group in the area of security risk management, which is involved with security at the business process level, not among a collection of hard and soft devices on a network. Security risk management is all about doing dynamic risk quantification in real time and across different business units and partner chains.