IBM Expects Customers to Build Security Best Practices Through SaaS
September 2, 2008 Dan Burger
Never let them see you sweat. That’s easier said than done if you’re in charge of corporate security. You’re watching those X64 boxes like a cat watching for a mouse. What about the System i? No worries, right? It’s not even top 10 on your security priorities list. It’s been that way for years, but that doesn’t make it the right way. The bright lights of regulatory compliance can make things hot for you, and suddenly that looks like sweat on your forehead. Tsk-tsk.
If you ask Kris Lovejoy, IBM’s director of corporate security strategy, she’ll tell you the emphasis on IT security in many organizations is directly related to compliance requirements. She’ll quickly follow that up by noting that it’s driving a lot of IT managers nuts.
A lot of the insanity results from the implementation of best practices. For System i shops, this means making use of the features that come with the box. Out on the server farm, it’s a different story–bolt-on rather than built-in solutions are the norm and have led to shopping carts full of disparate devices and programs that create integration problems.
“When it comes to the System i, the good news is that in one box you get probably the best value for your dollar from a security perspective,” Lovejoy says. “A lot of the capabilities that you would otherwise have to buy from a third-party if you were using another type of system are integrated into the System i. Most [i-based] organizations are concerned with determining the optimum level of security. What level needs to be established and what kinds of user profiles should be created and how to configure it.”
In a medium to large enterprise that’s using one or several System i servers, there’s likely to be an expert on the IT staff that knows what’s required to lock down the box. In a small to mid-size business, on-staff security expertise is a lot less likely. Yet that smaller organization still needs a best practices security policy and the tools to implement it. Lovejoy says those companies are already turning to outsourcing. “They are consuming applications in the software as a service model,” she says, “and the SaaS provider is going to be responsible for that security configuration. The provider can afford to have that subject matter expert and then that expertise is part of the value-add proposition.”
As often happens, much of the “new” technology and highly touted capabilities in the distributed computing world has been available in the System i and its predecessors for years. Things like the use of account management, data security management, resource management, user profiles, and group profiles have always been available in the System i. Just because those features were built in doesn’t, however, mean there was an operator or administrator that knew how to make use of them. Evidence of this can be found in the annual State of System i Security report produced by System i security vendor PowerTech.
Commenting on the “what’s old is new” aspects of security technology, IBM’s Lovejoy refers to it as “the back to the future effect” or “the reverse big bang theory.”
“We started with very centralized environments and we devolved our architectures to a distributed world,” she explains. “We’re now seeing a reversion. It is starting with server consolidation. Although we’ve painted that concept to be ‘green,’ it really means that it has become too expensive to run all these data centers. Energy costs are skyrocketing. The more servers that are added to an environment, the more floor space and cooling features are needed. And therefore, more hardware and software licenses are needed.”
As chairman of the security architectural board within IBM, Lovejoy hears a lot of customer feedback. She says customers want to cut costs, reduce the number of data centers, and then go to a shared model. These shared (virtualized) environments are going to become very elastic. It means organizations will be able to dynamically shift workloads from one data center to another. A ready example that she puts on the table is that when a company has a data center in China, it will switch workloads there during off hours to take advantage of cheaper energy costs.
“In order to take advantage,” she says, “organizations are asking us for help building the environment that IBM had conceptually architected for them twenty years ago.”
Consider that an IBM-sponsored testimonial for reducing or eliminating server sprawl, on the grounds that consolidation goes a long way toward relieving security headaches.
“When it comes to distributed environments, the architecture requires a hypervisor to manage all those virtual images, and now you need a lot of attention to be spent in terms of what needs to happen to isolate the code. It’s not an object oriented approach like the System i, where things can be kept isolated,” Lovejoy says. “We believe once the market figures out what we have figured out on the System i a long time ago, the security problem will be easier to deal with. Once you isolate the data and the resources, you have a centralized environment rather than a distributed environment. It makes the security issues easier to deal with.”
From an organizational perspective, Lovejoy says IBM customers (including the small to mid-size System i customers) are beginning to integrate security operations with IT operations. The security organization within a company is becoming much less hands-on and is taking on a much more consultative role. “In the future,” she predicts, “we imagine security becomes an organization that defines and enforces policy. There would be an iSeries expert responsible for defining iSeries policy–what security levels need to be established, what user profiles or data security requirements need to be established, how single sign-on will be used, how those systems will be configured, and who will be responsible for assuring that the configurations will be implemented by the operations folks and that they are routinely checked from the compliance perspective.”
Returning to the topic of SaaS and its value to the smaller companies that don’t have the staff expertise, Lovejoy warns that service level agreements will need to include security coverage over and above operations.
“There are some basic tenets that have to be covered. Assure that the provider is using user profiles, has a policy in place for user account and password management, has a policy for data access or resource management, has a network access control policy in place, has a policy for auditing and system security values in place. Those are the basics, the fundamentals,” she says.
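The routine compliance check Lovejoy describes above (configurations defined by policy, implemented by operations, and checked against that policy) and the provider fundamentals she lists here (password management, auditing, system security values) can be turned into a repeatable baseline comparison. The script below is an added example, not code from the article or from IBM. It assumes a constructed "NAME VALUE" export of IBM i system values (real output of DSPSYSVAL is formatted differently), and the baseline thresholds it applies are illustrative choices for the example, not IBM's published guidance; the system value names themselves (QSECURITY, QPWDMINLEN, QPWDEXPITV, QMAXSIGN, QAUDCTL, QAUDLVL, QINACTITV) are real.

```python
"""Baseline check of IBM i security-related system values.

Added example: compares an exported set of system values against a written
baseline and reports every deviation, which is the routine check a security
policy owner would hand to operations or demand of a SaaS provider.
The export format is constructed for this example; the thresholds in
BASELINE are illustrative, not IBM guidance.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed export: one "system-value current-value" pair per line.
# Multi-value system values (QAUDLVL) list their values on one line.
SAMPLE_EXPORT = """\
QSECURITY   30
QPWDMINLEN  8
QPWDEXPITV  *NOMAX
QMAXSIGN    3
QAUDCTL     *NONE
QAUDLVL     *NONE
QINACTITV   15
"""


def parse_export(text: str) -> Dict[str, List[str]]:
    """Parse the constructed export into {name: [values]}, upper-cased."""
    values: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue  # skip blank or malformed lines rather than fail
        values[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return values


@dataclass
class Rule:
    name: str                            # system value to check
    check: Callable[[List[str]], bool]   # True when compliant
    expectation: str                     # requirement in plain words


def at_least(minimum: int) -> Callable[[List[str]], bool]:
    """Numeric floor; a non-numeric value such as *NOMAX is non-compliant."""
    return lambda vals: vals[0].isdigit() and int(vals[0]) >= minimum


def at_most(maximum: int) -> Callable[[List[str]], bool]:
    """Numeric ceiling; *NOMAX (no limit at all) is non-compliant."""
    return lambda vals: vals[0].isdigit() and int(vals[0]) <= maximum


def contains_all(*required: str) -> Callable[[List[str]], bool]:
    """Every required special value must be present in the list."""
    return lambda vals: set(required) <= set(vals)


# Illustrative baseline (example thresholds, not IBM's recommendations).
BASELINE = [
    Rule("QSECURITY", at_least(40), "security level 40 or higher"),
    Rule("QPWDMINLEN", at_least(8), "minimum password length of 8"),
    Rule("QPWDEXPITV", at_most(90), "passwords expire within 90 days"),
    Rule("QMAXSIGN", at_most(5), "at most 5 failed sign-on attempts"),
    Rule("QAUDCTL", contains_all("*AUDLVL"), "auditing enabled via *AUDLVL"),
    Rule("QAUDLVL", contains_all("*AUTFAIL", "*SECURITY"),
         "audit authority failures and security changes"),
    Rule("QINACTITV", at_most(30), "inactive jobs time out within 30 minutes"),
]


def evaluate(values: Dict[str, List[str]], rules: List[Rule]) -> List[str]:
    """Return one finding per missing or non-compliant system value."""
    findings = []
    for rule in rules:
        current = values.get(rule.name)
        if current is None:
            findings.append(f"{rule.name}: not present in export "
                            f"(expected {rule.expectation})")
        elif not rule.check(current):
            findings.append(f"{rule.name}: is {' '.join(current)}, "
                            f"expected {rule.expectation}")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_export(SAMPLE_EXPORT), BASELINE):
        print("FAIL", finding)
```

Against the constructed export the check flags QSECURITY, QPWDEXPITV, QAUDCTL and QAUDLVL and accepts the rest; a value absent from the export is reported rather than silently passed, so a provider cannot satisfy the baseline by omitting it.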
Will companies be willing to outsource security without fear? That’s yet to be determined, but two years ago IBM bought Internet Security Systems (ISS) to provide managed services to its customers because security was becoming such a pain. ISS provides services such as vulnerability scanning, antivirus, managed firewall services, managed content control, managed spam, and patching. Beyond those tasks are projects with wide scope such as managed application vulnerability assessments and information and event management.
Application security is a favorite security topic for IBM because problems are frequently associated with breaches at the application layer. There are tools that scan Web applications to prove they are quality-checked for security. This has become a bigger issue since it’s become popular to outsource application development. Built-in application security has missed the boat, and basic functions that support auditing, for instance, have been overlooked. With regulatory auditors peering over your shoulder, it’s necessary to identify who touched an application and when they touched it. IBM believes there will be more emphasis on encryption and on preventing data leaks for data that is stored on premises, too.
Simplifying the security environment is key. Companies keep saying they want IT solutions that are less complex. Bolt-on security solutions have not helped in this regard. Cases where too many devices have been added reveal a lack of integration and a disregard for standardization that comes back to haunt companies after this has gone on for a number of years.
As a result of those mistakes, companies are now focused on foundational controls, which are about standardization and improving efficiency. Examples in the data protection area would be change and configuration management, identity and access management, and threat and vulnerability management.
Lovejoy says companies are recognizing they need to do something from a financial and legal liability perspective, as well as from a customer perspective. They are looking for cost effective ways to manage security.