IBM Corp. believes that before companies should even consider participating in e-business initiatives, they should put their own enterprise security measures in order.
In support of that IBM has introduced what it considers to be a complete, end-to-end enterprise-based security offering. Labelled the IBM Integrated Security Solutions, the secure e-business product is slated to be released this spring.
It consists of IBM SecureWay FirstSecure, which enables customers to integrate security for Web-based systems with legacy-based systems for the first time, as well as Tivoli Availability and Tivoli Administration products that provide centralized, consistent ways to manage a secure network. Included in the SecureWay FirstSecure announcement are updated versions of the IBM eNetwork Firewall(Version 3.3) and IBM Vault Registry products (Version 2.2).
According to Ted Julian, analyst at Cambridge, Mass.-based Forrester Research, this release is a significant move for Big Blue.
“This announcement is as much a statement of intent as it is anything,” he said. “It is in and of itself significant progress because [IBM has] struggled for years as a company to try to unify its security strategy.”
He said, historically, IBM has been bogged down with the fact that the company has so many different business units involved in security and it is difficult to get them all to march in the same direction to present a cohesive security solution to the customer.
“And it’s really with the assignment of Jeff Jaffe (general manager for SecureWay at IBM), and underneath him not only the marketing but also product responsibilities getting unified, that has sort of enabled them to make the announcement that they made,” he said.
Moving from the personnel side of IBM’s security strategy to the technical one, IBM says that the key component of the Integrated Security Strategy is FirstSecure’s use of a Policy Director. The policy director is a centralized, LDAP directory-based system integrating various policy schemes for a company’s security technologies — including firewalls, digital certificate servers, anti-virus and intrusion detection, as well as the software that enforces those policies.
“It’s what brings the system together, it’s what the other components integrate around,” said Bob Madey, director of security solutions, network computing software division for IBM in Raleigh, N.C.
Madey said the whole solution sets out to solve a number of problems, including the fact that security is too complex in this environment. According to Madey, it costs too much to purchase and manage products, and policy can’t be implemented given the way different security pieces are now set up.
“What FirstSecure is designed to do is alleviate that by allowing the components to work together,” he said. “It’s really the integration between the components that is key.”
Bill Malik, vice-president and research director at Stamford, Conn.-based Gartner Group Inc., called the Policy Director a sort of “big brother.”
“The idea is that this engine takes a look at news from, say, the intrusion detection piece and correlates it with things happening at, say, the firewall. And then it comes up with a decision like, ‘Whoa, we better shut off this port,’ or what have you,” he said.
“It’s a nice piece of aggregating work, frankly.”
IBM is partnering with several security vendors to fill out the security features, including Content Technologies, DASCOM, Equifax, Finjan, Intel, Security Dynamics and Symantec. DASCOM did most of the policy management work.
The first version of IBM Integrated Security Solutions is just a starting point for IBM’s new integration-focused e-business security direction, according to IBM’s Madey.
“We expect to deliver policy definition to the line of business, so they can actually say in their own words, ‘I’d like this user to have access to this application at this time,'” he said.
“We expect it to evolve to the point where application programmers can incorporate security components from FirstSecure seamlessly into their applications.
“So a lot of further integration work and a lot of further development has yet to be done,” he said.
Both Gartner’s Malik and Forrester’s Julian agreed that IBM is basically on the right track and has a good, clear message with this initiative. Malik gave the announcement a “thumbs up,” and Julian said: “They gave us some information on what their key areas of focus are and I think those areas play to IBM’s strengths, and are things that, frankly, the industry needs IBM to do because there aren’t that many companies that can.”
He said many enterprises want a complete security solution from one vendor and wouldn’t necessarily trust a start-up, for instance, with this type of thing.
“I’m going to want to bet on someone I can believe in, that’s going to be in it for the long haul,” he said. “And that’s why this is the right area for IBM to emphasize.”
The package of products (www.ibm.com/security/html/prod_secpol.html), as well as some of the separate components, will be available some time in March, according to IBM. Pricing has yet to be announced.
IBM Canada in Markham, Ont., is at 1-800-426-2255 or on the Internet at www.ibm.com.