IBM Wins Kudos for Work in Security
March 15, 2010 Alex Woodie
IBM is doing its best to foster a new company saying: “Nobody gets fired for buying IBM security.” After being named the best security company by a leading security magazine, Big Blue confirmed why it’s among the leading security research, consulting, and product development organizations when it unveiled a slew of new SIEM and network security tools, completed another security-related acquisition, and announced the formation of the IBM Institute for Advanced Security. Not bad for a week’s work.
The IT security-focused SC Magazine (www.scmagazine.com) named IBM the “best security company” of the year for 2010 two weeks ago at the RSA conference in San Francisco. Al Zollar, head of IBM’s Tivoli division (and former general manager of the iSeries business), accepted the award on behalf of the company.
The magazine noted several reasons why IBM deserved the award. These included 50 years of work in the IT security business; its very secure databases, applications, operating systems, storage, and servers (including i/OS and z/OS servers, widely viewed as the most secure in the industry); and its “comprehensive” security solutions and services offerings, which run the gamut and include: compliance, identity and access management, networks, threat prevention, systems security, e-mail, encryption, virtualization, and cloud security.
To put it simply, IBM is a huge presence in the security business. Through its software and services, IBM manages more than 7 billion security events each day. Its X-Force branch employs more than 15,000 researchers, who probe IT systems for new security vulnerabilities, and keep the database of 48,000 known problems up-to-date. IBM currently holds more than 3,000 patents in the security business. More than 4,000 customers around the world outsource their security to IBM.
In other words, IBM does it all in security. “Through an end-to-end approach to security across people and identity, data, applications, infrastructure, compliance and the physical infrastructure, IBM’s security capabilities are among the top in the industry,” the magazine writes. “With multiple leadership awards in market presence and technology innovation, IBM is able to offer more than 120 security products and the experience of over 15,000 researchers, developers, and SMEs [small and medium-sized enterprises] focused on security initiatives.”
With that said, IBM didn’t take home any of the individual awards SC Magazine handed out for top products, including “best anti-malware solution” (won by McAfee), “best encryption solution” (won by PGP Corp.), “best enterprise firewall” (won by Check Point Software Technologies), “best IPsec/SSL solution” (won by Barracuda Networks), “best SIM/SIEM solution” (won by ArcSight), or a dozen other categories.
But then IBM did something that reminded us why it’s one of the safest bets in the security business: It went out and bought another security company that shows promise in its particular niche. In this case, it was National Interest Security Company (NISC), which IBM had announced its intention to acquire in January. The company, which is based in the Washington D.C. suburb of Fairfax, Virginia, does a lot of work providing security consulting services to the federal government, in addition to other branches of government and companies in the defense, healthcare, energy, logistics, and security industries. (That’s right: NISC provides security for the security companies.) NISC had 1,000 employees, and will operate as a subsidiary of IBM’s Global Business Services unit.
NISC was IBM’s eighth security-related acquisition since the $1.3 billion acquisition in October 2006 of Internet Security Systems (ISS), the Georgia developer of network security tools that also netted IBM the ISS X-Force security research group. The list of buys (and planned buys) includes:
Many of these products have been integrated into the Tivoli division, the systems management and security software brand that itself is a former IBM acquisition.
IBM built on some of these acquisitions with a slew of new products announced at the RSA show. These include a new Web application security service called Secure Web Gateway Service 2.0; a new service that allows IBM security to update Check Point firewall products; a new release of IBM’s SIEM offering; a spam filter development tool called the Security Content Analysis SDK; a source code analysis tool for detecting security vulnerabilities, called AppScan Source Edition; a new client-agnostic e-mail encryption tool for Lotus Notes called Lotus Protector for Mail Encryption; a new security offering that looks for abuse of privileged user profiles, called Security Privileged Identity Management and Compliance Solution; and z/OS version 1.12, which IBM says offers more security capabilities.
IBM also announced the creation of its Institute for Advanced Security, a new group that will focus on bolstering cybersecurity around the world. The group has lofty goals, including getting organizations to build security into their applications from the beginning, instead of applying after-the-fact “bolt on” enhancements to close security gaps.
The group will “engage with government clients and other constituents to help them comprehensively understand how to develop and integrate effective security protections into the fabric of their critical systems and services,” says Charles Palmer, the Institute for Advanced Security director, and also the chief technologist of cybersecurity and privacy for IBM Research.
With all the progress in IBM security offerings, one statement stands out. In an announcement, the company said: “Central to IBM’s approach to addressing clients’ security challenges is a shift in focus from securing assets to securing critical services.”
This is a curious statement, as it generally goes against a growing consensus in the IT security business that organizations need to focus more on securing data, instead of concentrating efforts on network or infrastructure security. Security experts are even talking about a paradigm shift to protect the average organization’s single most important asset–its data.
Perhaps IBM was hoping to put more emphasis on selling more security services? In any event, it will be interesting to see if the “best security” company in the world adopts the emerging consensus that more focus needs to be on securing the data itself, rather than the computers, applications, and networks in which it lives.