IBM software chief Steve Mills receives a monthly report on employees and contractors who have left IBM, and the actions taken to close off their access to sensitive information as soon as they walk out the door. Ideally, the very second a person’s affiliation with IBM ends, that person’s active identity within the business and all passwords will be wiped out, removing any access to intellectual property.
“I look at this every month,” Mills said Wednesday at an IBM-hosted security event. “There are some months where someone will leave and the loss of their access will flop over to the next day.”
IBM considers that an “escape” in its system, and analyzes what caused the escape and what actions are being taken to prevent it from happening again. It’s a huge priority because, Mills said, IBM has to protect the intellectual property related to its software, and data thefts are perhaps most likely to occur at the time an employee or contractor leaves the business.
“This is a very complex and challenging problem,” he said. “It requires thinking about it in a very holistic way.”
Mills spoke in a keynote address to analysts, press and partners, and then expanded upon his views during an interview with Network World. Mills, the senior vice president and group executive for IBM’s software business since July 2000, has overseen the acquisition of more than 50 software companies, and manages about 50,000 employees and business totaling 40% of IBM’s profits.
Electronic identity and the ability to immediately de-authorize people as they move out of your business is paramount, both for employees and contractors, Mills said. But controlling access during their time of employment requires effort too.
IBM protects its software code with strict controls by granting most workers only partial access to code libraries, based upon their need to know. For example, only a small number of people would need to see all of the code related to a popular software product like WebSphere, Mills notes.
“We have fairly tight access controls for our code libraries to begin with,” he said. “Only a limited number of people can get at the entire code itself.”
Mills said IBM works with clients who have had angry ex-employees or contractors cause damage to electronic systems, but he said IBM has controlled its own intellectual property “extremely well” over the years. “Not unlike other companies, we’ve certainly had some suspicious activity where we’ve had to go back in and investigate that, no, people were not doing anything we didn’t authorize,” he said.
IBM’s expertise in identity management carries over to its product offerings, including Tivoli Identity Manager and Access Control. For example, if an employee is leaving the business on a Friday at 5 p.m., Identity Manager allows the employer to specify the de-authorization time in advance so the passwords will stop working right then, Mills said.
“When his identity is gone all of his access and authorities will be removed,” Mills said.
IBM also has worked on giving customers a single point of entry for various authentication schemes, including those existing on other vendors’ systems.
“A lot of our focus is on federation,” Mills said. Customers “have many different applications from different vendors. They’ve chosen different forms of authentication schemes, they may have nested or embedded identity function in those applications. How can we layer on top of that in a way that can give them a common point of integration and consistency, and not cause them to rip out the systems and applications they’ve already bought?”
That single point of access is available through IBM’s Identity Manager and Access Control products. IBM also added new single sign-on technology to Tivoli earlier this when it acquired the vendor Encentuate, Mills noted.
“What that acquisition did is widen our capability to deal with single sign-on across a broader range of single sign-on scenarios,” Mills said. “Customers were saying they wanted more flexibility, ease of setup and administration.”
IBM used its security event to discuss how it’s trying to embed security features across all of its software products. Rather than selling only stand-alone security tools, the idea is to build antivirus, firewall, identity management and other types of tools into products like Lotus Notes, WebSphere and Enterprise Content Management.
“The ingredient of security is essential to all the technologies we deliver,” Mills said. “Thousands of IBM programmers are working on a lot of [security] features across our portfolio.”
But that doesn’t mean we’ll reach a point any time soon when stand-alone security products are obsolete, said Val Rahmani, general manager of IBM’s Internet Security Systems division. “Not in the short term. In the long term, who knows,” she said.
With server virtualization gaining increasing importance in IT, IBM is focusing on the security of virtualization, last week offering a glimpse at a Virtual Intrusion Prevention System appliance that will operate in VMware’s virtual machine environment and be available early next year.
Security related to virtualization of x86 machines isn’t as mature as that of mainframe virtualization security, Mills said. “IBM’s virtual machine product on the mainframe is well known for its security and ability to uniquely isolate each one of those virtual machine instances,” Mills said.
Developers who work on securing virtualized x86 servers are still trying to find the best ways to isolate applications and memory, he said.
“It’s important to never say never,” Mills said. “The challenge is given enough time, enough resources, and the lack of any triggering that would lead someone to believe that someone’s trying to do something bad, [hackers] can eventually figure out how to break into anything.”