IBM Tivoli Security Solutions for the Cloud - GlenGooding · IBM: The only security vendorin the market with 10 end-to-end coverage of the security foundation Critical Security Processes

Business Unit Designation or other informationBusiness Unit Designation or other information

Everyday Security:Simple Solutions to Complex Security Problems

Sean Bergin

WW Sales Director Tivoli SecurityWW Sales Director, Tivoli Security

2Welcome to the smart planet… and a smarter infrastructure

Globalization and Globally Available

RResources

Access to streams ofBillions of mobile devices Access to streams of information in the Real Time

Billions of mobile devices accessing the Web

Dynamic Infrastructure

N F f C ll b ti

InfrastructureImprove Service:Reduce Cost: M Ri k

IBM Insight Forum 09®

Make change work for you

New Forms of Collaboration Manage Risk:

3Managing risks introduced by new opportunitiesopportunities

Emerging technologyVirtualization and cloud computing increase infrastructure complexity.

Web 2 0 and SOA style composite applications introduce new challenges with the

Data and information explosionData volumes are doubling every 18 months.*

Web 2.0 and SOA style composite applications introduce new challenges with the applications being a vulnerable point for breaches and attack.

Storage, security, and discovery around information context is becoming increasingly important.

Wireless worldMobile platforms are developing as new means of identification

Supply chainThe chain is only as strong as the weakest link… partners need to shoulder

Mobile platforms are developing as new means of identification.

Security technology is many years behind the security used to protect PCs.

y g ptheir fair share of the load for compliance and the responsibility for failure.

Clients expect privacyAn assumption or expectation now exists to integrate security into the infrastructure processes and applications to maintain privacyinfrastructure, processes and applications to maintain privacy.

Compliance fatigueOrganizations are trying to maintain a balance between investing in both the security and compliance postures



security and compliance postures.*Source: Pyramid Research, October 2007

4High-level cloud security concerns

Loss of Control Data SecurityLoss of ControlMany companies and governments are uncomfortable with the idea

of their information located on systems they do not control.

yMigrating workloads to a shared

network and compute infrastructure increases the potential for unauthorized

Providers must offer a high degree of security transparency to help

put customers at ease.Reliability

Hi h il bilit ill b k

exposure. Authentication and access technologies become

increasingly important.

High availability will be a key concern. IT departments will worry about aloss of service should outages

occur. Mission critical applications may not run in the cloud without

ComplianceComplying with SOX, HIPAA and other regulations may

hibit th f l d f

may not run in the cloud without strong availability guarantees. Security

ManagementProviders must supply easyprohibit the use of clouds for

some applications. Comprehensive auditing capabilities are essential.

Providers must supply easy, visual controls to manage

firewall and security settings for applications and runtime environments in the cloud.


Make change work for you 4

5Not all risks are created equal

Frequency ofFrequency ofOccurrences

Per Year Virus

W

Data Corruption

Data Leakage

1,000

100frequent Worms

Disk Failure

System Availability FailuresApplication Outage

N t k P blLack of governance

10

1

1/10

Network Problem

Terrorism/Civil UnrestFailure to meet

Compliance Mandates

Failure to meet Industry standards

/ 0

1/100

1/1,000

infr

equent

Pandemic

Natural DisasterWorkplace inaccessibility

Regional Power Failures

1/10,000

1/100,000 $1 $10 $100 $1,000 $10k $100k $1M $10M $100M

i

Consequences (Single Occurrence Loss) in Dollars per Occurrence

PandemicBuilding Fire



Consequences (Single Occurrence Loss) in Dollars per Occurrencelow high

6How would you rate Security as a business priority?business priority?

Select the most appropriate answer

1. Our primary business focus is Control: access to data, applications & environments

2. Our business focus extends to Visibility: monitoring incidents and events

3. Our focus extends to include Compliance: audit and prove performanceperformance

4. Security Management is a key business directive and is given e treme foc s from both an IT and an o erall b sinessextreme focus from both an IT and an overall business perspective



7Not all risk is created equally, neither are all security solutionsare all security solutions…

Find a balance between effective securityFind a balance between effective security and cost

The axiom… never spend $100 dollars on a fence to protect a $10 horse

Cost

Complexityessure

a fence to protect a $10 horseStudies show the Pareto Principle (the 80-20 rule) applies to IT security*

87% of breaches were consideredEffectiveness

Complexity

Pr

87% of breaches were considered avoidable through reasonable controls

Small set of security controls provide a disproportionately high amount of coverage

Agility

disproportionately high amount of coverageCritical controls address risk at every layer of the enterpriseO i ti th t it t l

Time

Organizations that use security controls have significantly higher performance* *Sources: W.H. Baker, C.D. Hylender, J.A.

Valentine, 2008 Data Breach Investigations Report, Verizon Business, June 2008ITPI: IT Process Institute, EMA December 2008



2008

8IBM provides the business answers you need in uncertain timeswith solutions for all IT domains

Improving service managingImproving service managing

with solutions for all IT domains

Improving service, managing risk and reducing cost of

Security without compromise

Improving service, managing risk and reducing cost of

Security without compromise



9How would you rate Security as an IT priority?


1. Our Security focus is primarily on Identity & Access Management

2. Our Security focus extends into Application Security

3. Our Security focus extends into securing information without negatively impacting service quality

4. We have an extensive Security program incorporated into our IT and business governance



10IBM: The only security vendor in the market withend-to-end coverage of the security foundation

Critical Security Processes

end to end coverage of the security foundation

IBM Solutions

Manage Identities, Access and Entitlement: Process for assuring access to enterprise resources has been given to the right people, at the right time, for the right purpose

Protect Data and Information: Capability that allows for granular protection of unstructured & structured data data leak prevention and acceptable use policy monitoringunstructured & structured data, data leak prevention and acceptable use policy monitoring

Implement GRC Information and Event Management: Log management capabilities designed to automate the process of auditing, monitoring and reporting on security and compliance posture across the enterprise

Assure Software and System Integrity: Process for assuring efficiency and integrity of the software development & release lifecycle.

Address Threats and Vulnerabilities: Process and capabilities designed to protect enterprise infrastructure from new and emerging threats

g y p y

Manage Assets: Process for maintaining visibility and control over service and operational assets, and their impact on the business

Manage Change and Configuration: Process for assuring routine, emergency and

Manage Problems and Incidents: Managed security operations center (SOC) or in-house Service Desk solutions designed to assure incidents are escalated and addressed in a timely manner Forensics teams ready to respond to an emergency

out-of-band changes are made efficiently, and in such a manner as to prevent operational outages



addressed in a timely manner. Forensics teams ready to respond to an emergency

11New Tivoli Security Solutions solve real customer challenges

Id tit d Provide efficient andIdentity and Access A

Provide efficient and compliant access for right people to right resources at right Assurance gtime

Data and Protect integrity and Data and Application Security

confidentiality of business data and transactions from b t di k

Leading Energy Utility

Security browser to disk

Security Secure and audit critical businessy

Management for z/OS

critical business services with your most trusted and resilient platform



resilient platform

12

Issues Select IBM Security OfferingsIssues Select IBM Security Offerings

Audit Readiness Workshops and Assessments: Security Health check, Security Workshop, Security Risk Assessment, Compliance Assessments

Increasing number of industry and regulatory requirements

Reputational and financial risks of non-compliance

Risk & Compliance Management

Controls Effectiveness Assessments: Penetration Testing, Regulation-specific Assessments

Controls and Governance Services: IBM ISS Governance Services for compliance and regulatory services, Information Security

compliance

Cost of preparing for audits and assessments

Difficulty determining and documenting effectiveness of controls

Internal policy violationsManagement

“How can I improve my security and

li i k

egu ato y se v ces, o at o Secu tyFramework

Compliance Management and Reporting: Tivoli Compliance Insight Manager, Tivoli zSecure Audit, IBM Compliance Warehouse, IBM Records Manager

Internal policy violations

Audit findings

compliance risk posture? How do I

prepare for security audits without a

significant effort and also address any

Demonstrable policy enforcement aligned to regulations, standards, laws, agreements

Decreases reputational risk and penalties and fines for non-compliance

Enables cost effective audit and assessment preparation by automating reporting and d i ff

Values

yfindings or

deficiencies?”

documentation efforts

Provides visibility into controls effectiveness and policy violations, reducing risk of internal and external threats

Improves security posture to reduce audit findings



13Which best describes your current Identity & Access Management capability?Management capability?


1. Users sign on to individual applications, minimal infrastructure exists for security monitoring and auditing.

2. Multiple user registries and access control policies are defined in multiple places.

3. A consistent practice and a consistent infrastructure for access control are implemented. Provisioning of account information is policy-based and consistently applied.policy based and consistently applied.

4. Identity and access management are tied to the employee life cycle in the organization Automated policy-basedcycle in the organization. Automated policy based administration of users' accounts streamlines administration across the organization.



14

PEOPLE AND IDENTITY

Issues Select IBM Security Offerings

Identity Lifecycle Management: Tivoli Identity and Access Management solution, Tivoli Security Management for z/OS

Understanding the identity risk gap

Cost of administering users and identities in-h

Manage Identities and

Access

solution

High-Assurance Digital Identities: Trusted Identity Initiative

Identity Audit: Tivoli Compliance Insight Manager, Tivoli zSecure Audit

house

Privileged user activity unmonitored

Dormant IDs or shared identities being used to inappropriately access resources

F ili ditAccess

“How can my

Identity Services: Identity & Access Design and Implementation Services, ISS Managed Identity Services, Identity Risk and Investigation Solution (IRIS) and other GBS Security services

Values

Failing an audit

How can my business benefit

from management of digital identity?”

Reduces the cost, increases efficiency and enables audit-ability of managing flow of users entering, using, and leaving the organization

Decreases risk of internal fraud, data leak, or operational outage

Supports globalization of operationsSupports globalization of operations

Enables shift from traditional brick & mortar sales to delivery of on-line services to customers and partners across the globe

Improves end-user experience with Web-based business applications by enabling such activities such as single sign-on



15DATA AND INFORMATION

Data Loss Prevention: ISS Data Security and DataData stored on removable media that can be


Data Loss Prevention ISS Data Security and Data Loss Prevention solution

Protecting Data at Rest or In Transit: Tivoli Application and Data Security solution, WebSphere MQ Extended Security Edition, WebSphere DataPower Appliances

SIEM: Ti li C li I i ht M ISS

lost/stolen

Data stored in the clear is easily accessible

Inconsistent data policies

Unstructured and/or unencrypted data

L l l d hi l f h SIEM: Tivoli Compliance Insight Manager, ISS SiteProtector

Data Encryption: Tivoli Key Lifecycle Manager, encrypted tape and disk drives

Data Classification: InfoSphere Information Analyzer Cognos Enterprise Content

Legal, regulatory and ethical exposure for the organization

Costs of data breaches, notification, brand value

Failing an audit

Protect Dataand

Information

“How can I reduce the Analyzer, Cognos, Enterprise Content Management, Discovery and Classification, , IBM Records Manager

Unstructured Data Security: Tivoli Access Manager

Data Confidentiality: Optim Data Privacy solution, L P f M il S i

cost and pain associated with

tracking and controlling who touched what data when? How do I assure

that my data is

Reduces the cost increases ability to meet audit and compliance mandates

Lotus Protector for Mail Security

Security Services: ISS Professional and Managed Security Services, Security Event and Log Management Services

that my data is available to the

business, today and tomorrow?” Values

Reduces the cost, increases ability to meet audit and compliance mandates

Provides a cost-effective way to meet legal discovery, hold and retention requirements

Assures data is available to the right people, at the right time

Assures data is not deliberately or inadvertently taken, leaked, or damaged

Decreases number and complexity of controls integrated within the enterprise



p g p

16

APPLICATION AND PROCESS


Application Security: Rational AppScan, Rational AppScan Malware Scanning, IBM Web Application Module WebSphere D t P A li

Web applications #1 target of hackers seeking to exploit vulnerabilities

Increasing number of attacks via XML scripting DataPower Appliances

Application Controls: Tivoli Access Manager

Messaging Security: Lotus Domino Messaging, WebSphere MQ File Transfer Edition, IBM ISS Mail Security solutions

Increasing number of attacks via XML scripting and virus insertion

Applications are deployed with vulnerabilities

Poor security configs expose clients to business loss

PCI regulatory requirements mandate application

Secure Web Applications

Security for SOA: WebSphere DataPower, Tivoli Security Policy Manager, Tivoli Federated Identity Manager, WebSphere Services Registry & Repository

Application Security Services: ISSApplication Security Risk Assessment S i ISS M d S i S i

PCI regulatory requirements mandate application security

80% of development costs spent on identifying and fixing defects

Real and/or private data exposed to anyone with access to development and test environments, “How can my business

Reduce risk of outage, defacement or data theft associated with web applications

Assess and monitor enterprise-wide security policy compliance

Services , ISS Managed Security Servicesincluding contractors and outsourcersbenefit from management of

application security?” Values

Assess and monitor enterprise wide security policy compliance

Improve compliance with industry standards and regulatory requirements (e.g., PCI, GLBA, HIPAA, FISMA…)

Improve ability to integrate business critical applications securely

Automated testing and governance throughout the development lifecycle, reducing long-term security costs



security costs

17NETWORK, SERVER AND END POINT

Mass commercialization and automation of

NETWORK, SERVER AND END POINT

Th t Miti ti : ISS N t k I t i


Mass commercialization and automation of threats

Parasitic, stealthier, more damaging attacks

Poor understanding of risks in new technologies and applications, including virtualization and cloud

Threat Mitigation: ISS Network Intrusion Prevention, WebSphere DataPower Appliances, ISS Server Intrusion Detection and Prevention products powered by X-Force®, ISS Endpoint Security Control, Network Mail Security, Vulnerability Management and Scanning

Weak application controls

Lack of skills to monitor and manage security inputs

Compounding cost of managing an ever increasing array of security technologies

Manage Infrastructure

Security

SIEM: Tivoli Compliance Insight Manager

Security Governance: Regulatory assessments and remediation solutions, Security architecture and policy development

Incident Response: Incident Management and increasing array of security technologies

Undetected breaches due to privilege access misuse and downtime from incidents

Inability to establish forensic evidence or demonstrate compliance

Systems Storage

Virtual Network

Emergency Response services

Virtualization: Proventia Virtualized Network Security

Security Services: Security Intelligence and Advisory Services, Managed Intrusion Prevention

d D t ti M d fi ll i

Reduces cost of ongoing management of security operations

Improves operational availability and assures performance against SLA, backed by industry’s only guaranteed SLA for managed protection services

“How does my business benefit from

infrastructure security protection?”

and Detection, Managed firewall services, Security Event and Log Management ServicesValues

Increases productivity by decreasing risk of virus, worm and malcode infestation

Decreases volume of incoming spam

Drill down on specific violations to quickly address resolution

Readily show status against major regulations



18IBM professional security services

Proven integrated lifecycle methodology that delivers ongoing security solutions

Phase 5: Education Phase 1: Assessment

IBM ISS P d t C Th t Miti ti

ongoing security solutions

Ph 4: M t

IBM ISS Product Courses

– On-site & off-site classes

Threat Mitigation

Governance Risk and Compliance

Data Security

Identity & AccessPhase 4: Management and Support

Phase 2: DesignStaff Augmentation

Emergency Response

Physical Security

Application Security

Phase 3: Deployment

ServicePolicy Development

Incident Response Planning

Standards and Procedures Development

Phase 3 DeploymentImplementation Planning

Implementation and Optimization

Migration Services



19Analysts Recognize IBM Security LeadershipF t L d hiG d hi Forrester Leadership

Managed Security Services Wave (October 2007)Risk Consulting Services Wave (June 2007)

IDC Market Share Leadership

Gartner LeadershipSecurity Information & Event Management Magic Quadrant (May 2009)Web Access Management Magic Quadrant (November 2008) #1 Identity & Access Management (2008)

#1 Identity Management Provider (2007)#1 Security & Vulnerability Management Software Worldwide (2007)#1 V l bilit A t S ft W ld id

(November 2008)User Provisioning Magic Quadrant (August 2008)Master Data Management for Customer Data Magic Quadrant (July 2008)Managed & Professional Network Service #1 Vulnerability Assessment Software Worldwide

(2007)#1 Application Vulnerability Assessment Software Worldwide (2007)

Frost & Sullivan Leadership

Managed & Professional Network Service Providers, North America Magic Quadrant (May 2008)Business Intelligence and Performance Management Services, North America Magic Quadrant (May 2008) Frost & Sullivan Leadership

Managed Security Services (2008, 2009)North American Network Security Infrastructure Protection Company of the Year (2008, 2009)North American Video Surveillance Software

Quadrant (May 2008)Managed Security Service Providers, APAC Marketscope – Strong Positive (May 2008)Managed Security Service Providers, Europe Marketscope - Strong Positive (May 2008)

Developer Company of the Year (2008, 2009)#1 Vulnerability Assessment Provider (2006, 2007, 2008)IDS/IPS Market Leader (2007)

a e scope S o g os e ( ay 008)FilesX – Cool Vendors in Data Protection (March 2008)Network Intrusion Prevention System Appliances Magic Quadrant (February 2008)

Global Application Security Product Line Strategy Award (2008)

Managed Security Services Providers, North America Magic Quadrant (August 2007)



20Tivoli is established leader in IAM and SIEM marketsSIEM markets

#1 Identity and Access Management Market Share (IDC) – past 3 years#1 Identity and Access Management Market Share (IDC) – past 3 years#1 SIEM Market Share (Gartner)Over 2,700 customers worldwide#1 SIEM Market Share (Gartner)Over 2,700 customers worldwide



21IBM: Comprehensive Security Risk & ComplianceManagementManagement

The only security vendor in the market with end-to-end coverage of the security foundation

15 000 researchers developers and SMEs on15,000 researchers, developers and SMEs on security initiatives

3,000+ security & risk management patents

200+ security customer references and 50+published case studies

40+ years of proven success securing the mainframe environment



22



23

Thank oThank you

Questions?



Documents

IBM Tivoli Security Solutions for the Cloud - GlenGooding · IBM: The only security vendorin the market with 10 end-to-end coverage of the security foundation Critical Security Processes