© 2006 IBM Corporation
IT Service Management: Security and Compliance Portfolio and Roadmap
Venkat Raghavan, Program Director – Security & Compliance, IBM Software Group, Tivoli Software
IT Service Management
© 2006 IBM Corporation, Tivoli Software
A Comprehensive Approach to IT Service Management
[Diagram: IBM IT Service Management in four layers. Best Practices: IBM Tivoli Unified Process (ITUP), Open Process Automation Library (OPAL), IBM Global Technology Services, and an ecosystem of system integrators and business partners. IT Process Management Products: Service Delivery & Support, Service Deployment, Information Management, Business Resilience, IT CRM & Business Management. IT Service Management Platform: Change and Configuration Management Database (CCMDB). IT Operational Management Products: Server, Network & Device Management; Storage Management; Security Management; Business Application Management.]
IT Service Management: Security & Compliance
[Diagram: the security and compliance offerings placed on the same four layers. Best Practices: Compliance & Governance Processes. IT Process Management Products: IT Compliance Automation Console. IT Service Management Platform: Change and Configuration Management Database (CCMDB). IT Operational Management Products (Security and Compliance Products): Identity & Access Mgmt, Directory, SOA Security Management, Security Event Mgmt (Micromuse), Federated Identity Mgmt, Server and Network Compliance, Single Sign On.]
Marketplace insight: Traditional views on models are changing
Trends:
• Corporate governance/regulatory compliance has C-level exec visibility
• Anytime, anywhere access required for many services and information
• New threats motivated by financial gain: phishing, ID theft, spam
• Attackers exploiting vulnerabilities at the IT service or business process level (e.g., ChoicePoint)
Customer Requirements:
• Emerging need to secure composite & SOA applications: private label, joint ventures, M&A, Software-As-Services
• Reduce cost of audit, compliance & governance through automation of IT controls
• Strong authentication & data protection
ITSM Portfolio Focus Areas – Security & Compliance
• Governance, Risk and Compliance
• Change Integrity
• Identity & Access Management
• SOA Security and Federated Identity Management
• Security Information Event Management
User populations covered: Employees, Contractors, Suppliers, Partners, Brokers
Governance is top of mind for CIOs
Governance-related topics rank high: in the first three weeks, more than 300 members used the CIO Executive Board’s IT Governance (ITG) competency diagnostic to assess functional capabilities.
Control Objectives for Compliance Initiatives
[Chart: control objectives per compliance initiative; red = most often required control objective]
Governance, Risk and Compliance
[Diagram: governance cycle. Business Governance Objectives feed Set Objectives → Provide Direction → IT Activities → Measure Performance → Verify & Improve; side elements: Risk & Compliance Posture, Selection & Testing of Controls.]
Compliance is a big part of IT Governance
[Diagram: the IT Governance cycle (Set Objectives → Provide Direction → IT Activities → Measure Performance → Verify & Improve) mapped onto Compliance (Establish Metrics and Controls, Verify Controls, Monitor Status) and Audit (Audit Change); "Establish Controls and Measurement" spans the cycle.]
• Compliance is the proactive implementation of IT process controls
• Audit is the reactive analysis of implemented IT process controls
Compliance Architecture
[Diagram: Compliance Architecture Elements: control objectives (expressed as policies, rules and standards); Business Process (Application Controls); IT and Application Controls Monitoring Tasks; IT Data Model (IT Controls); Processes and Workflow; CCMDB; various IT tools, products and "bespoke" applications.]
Compliance Automation Strategy: Platform for management and enforcement of IT Controls
• Helps clients manage IT controls using COBIT and ISO 17799 to address regulations
• Generic IT compliance technology that can be used with a number of external regulations (SOX, Basel II, HIPAA, etc.) and internal regulations
• COBIT controls tie together security, change, data/storage, threat management and other domains
• Value is focused on integrated reporting and compliance data management across OMPs (Operational Management Products)
• Open platform for connecting third-party applications
• Target: the CIO’s office "compliance designee"; key influencers: auditors, LOB, CFO office
[Diagram: compliance lifecycle. Identify Compliance Requirements → Define Compliance Controls → Plan → Test Compliance Controls → Assess & Report on Compliance → Implement Remediation activities, driven by a Compliance Process Manager (roadmap item) over Compliance Task Automation. The Security OMP and Storage OMP implement the IT controls; COBIT IT Compliance Controls Automation and the CCMDB sit on the IT Service Management Platform, beneath Best Practices ("define and instantiate best practices") and the IT Process Management Products, above the IT Operational Management Products.]
Challenges with Managing IT Changes
• Fewer than 1% of IT organizations perform configuration management beyond simple desktop and server network configurations, making change management risk and impact assessment extremely difficult
• Hundreds of changes are made every week without a change ticket or authorization
• 40% of unplanned downtime is caused by operations failures, typically people and process issues related to infrastructure changes, as well as configuration and problem management
• "The #1 predictor of a security event is a change"
• 85% of problems are caused by changes
Source: Gartner reports
UnAuthorized Change Scenario – 4 Steps
[Diagram: TADDM (part of CCMDB) → CMDB (manages CIs) → Policy DB → Access Manager, with Administrators and Unauthorized Change Reports. Captioned steps: (1) TADDM discovers the financial applications and populates the CMDB; (2) applications that need to be under "unauthorized change" control are published to TAM (Tivoli Access Manager); steps (3) and (4) show Access Manager mediating administrators' access (A) and producing the Unauthorized Change Reports.]
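The scenario above names the moving parts but not the check that turns a change log plus a CMDB into an unauthorized-change report. The following is an added example, not Tivoli, TADDM or TAM code, of that reconciliation: a change to a configuration item (CI) that belongs to a controlled application is authorized only if an approved change ticket covers that CI, the ticket's window contains the change time, and the actor is the ticket's assignee. The CMDB extract, the ticket, and the `time|ci|actor|detail` log format are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Ticket:
    ticket_id: str
    ci: str           # configuration item the change is approved for
    assignee: str     # account approved to make the change
    start: datetime   # approved change window
    end: datetime


@dataclass(frozen=True)
class ChangeEvent:
    when: datetime
    ci: str
    actor: str
    detail: str


@dataclass(frozen=True)
class Finding:
    event: ChangeEvent
    status: str                 # "authorized" or "unauthorized"
    reason: str
    ticket_id: Optional[str] = None


# Constructed CMDB extract: CI name -> application it supports.
CMDB: Dict[str, str] = {
    "fin-db-01": "GeneralLedger",
    "fin-app-01": "GeneralLedger",
    "web-cache-03": "Intranet",
}


def parse_events(lines: List[str]) -> List[ChangeEvent]:
    """Constructed log format: ISO-time|ci|actor|detail."""
    out = []
    for line in lines:
        when, ci, actor, detail = line.rstrip("\n").split("|", 3)
        out.append(ChangeEvent(datetime.fromisoformat(when), ci, actor, detail))
    return out


def reconcile(events, tickets, cmdb, controlled_apps):
    """Classify each change to a CI of a controlled application.

    A change is authorized only if some ticket for that CI has a window
    containing the change time AND names the actor as assignee. The most
    specific failure reason seen while scanning tickets is reported.
    """
    by_ci: Dict[str, List[Ticket]] = {}
    for t in tickets:
        by_ci.setdefault(t.ci, []).append(t)

    findings = []
    for ev in events:
        if cmdb.get(ev.ci) not in controlled_apps:
            continue                      # CI not under this control; out of scope
        matched = None
        reason = "no approved ticket covers this CI"
        for t in by_ci.get(ev.ci, []):
            if not (t.start <= ev.when <= t.end):
                reason = "outside approved change window"
                continue
            if t.assignee != ev.actor:
                reason = "actor is not the ticket assignee"
                continue
            matched = t
            break
        if matched is not None:
            findings.append(Finding(ev, "authorized", "covered by ticket", matched.ticket_id))
        else:
            findings.append(Finding(ev, "unauthorized", reason))
    return findings


# Constructed sample data: one approved overnight window for the ledger DB.
SAMPLE_TICKETS = [
    Ticket("CHG0001", "fin-db-01", "dba1",
           datetime(2006, 3, 1, 22, 0), datetime(2006, 3, 2, 2, 0)),
]
SAMPLE_LOG = [
    "2006-03-01T23:10:00|fin-db-01|dba1|ALTER TABLE ledger ADD COLUMN memo",
    "2006-03-01T23:30:00|fin-db-01|root|chmod 777 /data/ledger",
    "2006-03-02T09:00:00|fin-app-01|appadmin|deployed build 1.2.3",
    "2006-03-02T09:05:00|web-cache-03|webadmin|edited squid.conf",
]


def report(lines=SAMPLE_LOG, tickets=SAMPLE_TICKETS,
           controlled_apps=frozenset({"GeneralLedger"})):
    """Rows of (ci, actor, status, reason) for the unauthorized-change report."""
    findings = reconcile(parse_events(lines), tickets, CMDB, controlled_apps)
    return [(f.event.ci, f.event.actor, f.status, f.reason) for f in findings]


if __name__ == "__main__":
    for row in report():
        print(row)
```

The scope filter is what the CMDB discovery step buys you: without a CI-to-application mapping, the web cache edit would be indistinguishable from the ledger change, and the report would be either noisy or blind. The actor check is the "privileged administrator abuse" control: a root change inside an approved window is still unauthorized if the ticket was not assigned to root.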
IT – Challenges to Compliance
• Can IT processes tell you which users are authorized to access what applications?
• Can IT processes prevent unauthorized changes?
• Can IT processes tell you which applications are dealing with "client data"?
Controls needed:
• Controls to mitigate "privileged administrator abuse"
• Controls that implement role-based access to critical apps
• Controls to reduce risk of customer data disclosure
The Vertical Silo Problem
[Diagram: Divisions "A" through "E" drawn as separate vertical silos]
Service Composition – Security Challenges in composing Services
[Diagram: a Retail Insurance Product Portal composed from four sources: Clients, an Outsourced Provider (white label), an Internal Service Provider and an Acquisition. Each exposes XML/WSDL/SOAP services behind its own security boundary with its own Identity Management and Access Management/Rules; the portal's users are Brokers and Customers.]
Pain Points:
• User Authentication
• User Access Control
• User Provisioning
• Federated Audit
• Single Sign On
• Fine-grained access control to Business Applications
• Constraint: has to work with Web Services, HTTP, SMS, MMS and various intermediaries
Where Are We Heading – Service Oriented Architecture
[Diagram: SOA layering. Participants: Outsourced Supplier, Shared Services, Division(s), Customer. Layers: Process, Services, Components, Business Component, Resources, linked by <<compose>>, <<choreograph>>, <<interface>> and <<implement>> relationships.]
Common Security Questions in an SOA context
• How do we provision access rights and entitlements to SOA services?
• How do services "identify" and "authenticate" users?
• How do services enforce access control (Gold vs. Platinum)?
• How do services associate user or identity context?
• How do services enforce user-specific rules across multiple channels?
• How do we implement role-based access to services (portal context)?
• How can we protect service integrity by detecting and preventing unauthorized changes?
• How do we integrate security with new application components (message broker, process servers) across vendor solutions?
• How can we deliver end-to-end security, transactional audit and compliance for services?
• How do we identify users of service metadata?
SOA and Federated Identity Buying Occasions
Business Drivers: Business Transformation; Outsourcing; Software-As-Services; Web Services SSO; Intra-Enterprise Integration; System Z Integration
Technical Drivers: User Strong Authentication; User & Business Access Control; User Application Security; User Federated Audit; Federated Access to z-based Web Services; Centralized Policy Management
Related Products: WebSphere Process Server; Portal; ITCAM; DataPower
Security Services for SOA – Application Pattern
[Diagram: Insurance Portal application pattern. Internet-facing first line of defense (identity verification and authentication layer): DataPower and a Federation & Access Gateway (FIM) speaking SAML/Liberty/WS-Security. Behind it: Portal/Presentation, ESB, the Insurance Process on a Business Tier (application server: WebSphere, .NET, SAP) and a Data/Legacy Tier. Users: client-users with direct authentication access, client-users with federated access from a local portal, admin users, and third-party credit scorers. Security services across the tiers: Identification & Authentication, Authorization & Privacy, Audit, Policy Services, Identity Provisioning, Identity Federation, SOA Security Management.]
Identity Integration Challenges – Federation Gateway
[Diagram: a Multi-Protocol Federation Gateway bridging partners using WS-Federation, Liberty, SAML (in their portal or web) and WS-Security to SAP, WebSphere and MS .NET platforms, each party holding its own "identity".]
How to share information with trusted providers?
• Identity management as a business process for cross-enterprise collaboration
• A way to associate "identities" to "services" in an SOA
• Identities can be "external" or "internal"
TFIM on System Z – Enabling System Z as a first class security platform for Applications
[Diagram: z/OS platform with mainframe integrity: CICS, IMS, DB2, WAS, CTS, RACF, Vanguard (RACF manager), z/OS security admin & management, TIM on Z and Federated ID on System Z; distributed platforms (Federated ID, WAS, CTG) and IAM with Active Directory connect to it.]
• Support for RACF PassTickets
• Identification of scenarios leveraging TFIM to integrate with WebSphere
• Working on CICS Transaction Gateway (CTG), CICS Transaction Server (CTS) and HATS
Position System Z as first class platform for Application Security – Hub for Applications
Application Enabler
[Diagram: an Enterprise Hub with FIM Business Gateways connecting Strategic Partners, Application Service Providers, Employees, Partner Users, White Label Services and SAML direct users.]
A large service provider integrating their business processes with a number of their smaller clients: easier to integrate application services – "Software-As-Services", M&A, private labels, partnerships, resells
Federated Identity Lifecycle Management
FIM Business Gateway
Application Enabler for connecting clients to enterprise providers: a solution targeted at enabling our enterprise customers to quickly and securely integrate their "clients"
Key differences:
– Does not include TAMeb (Tivoli Access Manager for e-business)
– Focus on SSO for Web and Web Services
– Optimized for business applications: MS .NET, WebSphere, …
Focus:
– Process transformation: supply chain, financial services, healthcare, government
– ISVs
Simpler solution that replaces "home-grown" Web SSO and access control solutions
Turnkey solution with best practices and GTM focus
Portfolio: Identity, Access and Security Event Monitoring
[Diagram: Users & Applications at the centre, surrounded by Identity Management; Authentication & Access Management; Enterprise Single Sign On; User-centric SOA & Federated Identity Management; Directory Server; Directory Integrator; Security Information Event Management; Server and Network Compliance.]
Tivoli Approach – Tivoli IdM is foundation for Strong Auth
[Diagram: authentication mechanisms arranged around the Tivoli Security Platform.] Mechanisms shown:
• Soft certificate and soft OTP
• OTP-only token
• All-in-one token (OTP & USB smart card)
• All-in-one token with secure storage
• PKI USB token
• Smart card for physical & network access
• Mobile devices
• Biometric
• Operating-system based
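The OTP entries in that list all rest on the same primitive: an HMAC over a moving factor (a counter for event-based tokens, a time step for time-based ones), truncated to a short decimal code. The following is an added example, not Tivoli code, of HOTP (RFC 4226) and TOTP (RFC 6238) with the server-side verification that goes with them. The 20-byte key `12345678901234567890` is the RFC 4226 test-vector secret, used so the outputs can be checked against the RFC; a real deployment provisions a random per-token secret.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); NOT for production use.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter replaced by the Unix-time step number."""
    return hotp(secret, at // step, digits)


def verify_hotp(secret: bytes, submitted: str, counter: int, look_ahead: int = 3):
    """Server side check for an event-based token.

    Tries the expected counter and a small look-ahead window (the user may
    have generated codes without logging in). Returns the counter value to
    persist next (one past the match) or None. The caller MUST store the
    returned counter; otherwise the same code is accepted again (replay).
    """
    for c in range(counter, counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), submitted):  # constant-time compare
            return c + 1
    return None


def verify_totp(secret: bytes, submitted: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` steps to tolerate clock drift."""
    for i in range(-skew, skew + 1):
        if hmac.compare_digest(totp(secret, at + i * step, step), submitted):
            return True
    return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))          # 755224, 287082, 359152 per RFC 4226
    print(totp(RFC4226_SECRET, 59, digits=8))      # 94287082 per RFC 6238
```

Two things the code makes explicit that token marketing slides do not: the one-time property is enforced by the verifier's stored counter (or by refusing a TOTP code already accepted in the same step), not by the token; and the resync window is a trade-off, since every extra step of look-ahead or skew is one more code an attacker may guess against.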
Tivoli Identity Manager – Product & Roadmap
Role-based, self-service, and hybrid user account provisioning and deactivation
Centralized, pre-built and customizable access rights reports to efficiently support IT governance and compliance audits
Challenge/response self-care password reset reduces help desk calls
Risk-based compliance issue remediation: automatically detects violations and applies risk-appropriate corrective actions
Policy simulation provides “what-if”analysis of automated management policies
Powerful workflow builder and custom adapter toolkit supports virtually any business process
User Experience Adaptable to Corporate Branding Needs:
– Business-friendly provisioning requests and approvals
– Tailored, configurable user interface views for different user personas
– Look and feel customizable via style sheets and custom text
– Section 508 accessibility compliance
Simplified Deployment Options:
– Supported auto-upgrade paths between TIM Express and TIM (middleware upgrade a prerequisite)
– Simplified post-install configuration and fixpack application
Automated Compliance Lifecycle:
– Auditor-centric UI view and reports
– Business-friendly revalidation of granular user access rights
– Additional compliance-related reports
– Integration with compliance & reporting systems/processes
Automated identity and user access rights lifecycle management
Tivoli Access Manager — Strategy & Roadmap
Tivoli Access Manager Family (EAL-3 certified)
Strong Authentication Platform:
– Flexible choice among diverse authentication mechanisms
– Step-up authentication
– Forced re-authentication
Single Sign-On:
– Native desktop and Web SSO
– Integrate with TFIM for federated SSO
– Integrate with partner products for client/server SSO
Access Control:
– Policy-driven
– Resource "agnostic"
– Standards-based (Java, .NET, C/C++)
Compliance:
– Unauthorized change management
– Reporting
– COBIT controls support
SOA Security Management:
– XACML policy management engine
– Integration with Process Server and Service Registry
Tivoli Access Manager for Enterprise Single Sign On
• Simplify user experience and increase security by eliminating the need to remember and manage passwords
• Logon and password change support for almost any Windows, Web, Java and host-based application
• Single secure strong authentication for initial authentication, re-authentication and forced authentication
• Automatic password generation and policy support
• Integrated with Tivoli Identity Manager to provision and remove credentials
• Integrated with Tivoli Access Manager to enable fine-grained authorization and entitlements to web applications
Reduce help desk costs and extend audit capabilities
Tivoli Security Operations Manager (NeuSecure)
Security incident management and policy monitoring
– Real-time correlation
– Broad device support
– Added TAM and TIM monitoring in 2006
Automate regulatory compliance reporting
– Sarbanes-Oxley, GLBA, HIPAA, FISMA etc.
New integrations to support ITSM strategy in 2006
– Escalate critical security events to TEC and Netcool
– Common data collection with Netcool
Tivoli Security Operations Manager (NeuSecure)
Customers increasingly seeking solutions integrated with network & systems operations, and identity & access management
Focus areas:
– Security Operations Center (SOC) automation (real-time event correlation, incident management)
– Compliance-focused log aggregation, monitoring, and reporting
TSOM 3.1 integration: Netcool, TEC, TIM and TAM
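"Real-time correlation" appears on both TSOM slides without being shown. The following added example (not TSOM code) does the two things a correlation engine has to do: normalise events from different sources ("broad device support") into one shape, then keep per-source state over a sliding window so a rule fires on a pattern rather than on a single line. The rule is the classic one: a burst of authentication failures from one source, then a success from the same source, which is the incident a SOC wants escalated first. The OpenSSH-style and key=value VPN log lines, hostnames and addresses are constructed; the stream is assumed to arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Two constructed source formats. A real collector would have one parser per device type.
SSH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)
KV_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) vpn: (?P<kv>.*)$")


def normalise(line):
    """Map a raw line to {ts, host, src, user, ok} or None if unrecognised."""
    m = SSH_RE.match(line)
    if m:
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "src": m["src"], "user": m["user"], "ok": m["outcome"] == "Accepted"}
    m = KV_RE.match(line)
    if m:
        kv = dict(p.split("=", 1) for p in m["kv"].split())
        return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
                "src": kv["src"], "user": kv["user"], "ok": kv["result"] == "success"}
    return None


class BruteForceCorrelator:
    """>= threshold failures from one source inside `window` -> BRUTE_FORCE;
    any later success from that source (any host, any user) -> CREDENTIAL_COMPROMISE."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # src -> failure timestamps still in window
        self.flagged = {}                    # src -> time BRUTE_FORCE fired
        self.alerts = []

    def feed(self, ev):
        if ev is None:
            return                           # unparsed line; a real engine would count these
        q = self.failures[ev["src"]]
        cutoff = ev["ts"] - self.window
        while q and q[0] < cutoff:           # expire failures that fell out of the window
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= self.threshold and ev["src"] not in self.flagged:
                self.flagged[ev["src"]] = ev["ts"]
                self.alerts.append(("BRUTE_FORCE", ev["src"], len(q)))
        elif ev["src"] in self.flagged:
            self.alerts.append(("CREDENTIAL_COMPROMISE", ev["src"],
                                ev["user"] + "@" + ev["host"]))

    def run(self, lines):
        for line in lines:
            self.feed(normalise(line))
        return self.alerts


# Constructed sample: one source sprays two SSH hosts and the VPN, then gets in via the VPN.
SAMPLE = [
    "2006-03-01T10:00:01 web1 sshd[812]: Failed password for root from 203.0.113.7 port 5000 ssh2",
    "2006-03-01T10:00:02 web1 sshd[813]: Failed password for invalid user admin from 203.0.113.7 port 5001 ssh2",
    "2006-03-01T10:00:03 db1 sshd[221]: Failed password for root from 203.0.113.7 port 5002 ssh2",
    "2006-03-01T10:00:04 vpn1 vpn: user=jsmith src=203.0.113.7 result=failure",
    "2006-03-01T10:00:05 vpn1 vpn: user=jsmith src=203.0.113.7 result=failure",
    "2006-03-01T10:00:30 web1 sshd[814]: Failed password for root from 198.51.100.9 port 6000 ssh2",
    "2006-03-01T10:01:00 vpn1 vpn: user=jsmith src=203.0.113.7 result=success",
]


def correlate(lines=SAMPLE, threshold=5, window=timedelta(minutes=5)):
    return BruteForceCorrelator(threshold, window).run(lines)


if __name__ == "__main__":
    for alert in correlate():
        print(alert)
```

The cross-device point is the one that matters: none of the three hosts saw five failures on its own, so per-host thresholds would have stayed quiet; only the normalised, source-keyed view reaches the threshold, and only that view can connect the later VPN success to the earlier SSH noise.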
Tivoli Security Compliance Manager
[Diagram: Tivoli Security Compliance Manager between the IT environment (operating systems, applications, workstations, databases, users) and the IT security and CxO audience; business issues, regulations and standards on one side, IT concerns (Slammer, MSBlaster, OS patches, password violations) on the other.]
Server compliance: a security policy compliance product that checks systems and applications for vulnerabilities and identifies violations against security policies
Key benefits:
• Helps to secure corporate data and integrity
• Identifies software security vulnerabilities
• Decreases IT costs through automation, centralization, and separation of duties
• Assists in complying with legislative and governmental standards
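What "checks systems against security policies" looks like in code, as an added example that is not Tivoli Security Compliance Manager: the policy is a plain mapping, each control is a function from (host snapshot, policy) to findings, and the report is keyed by host so compliant hosts can be separated from those needing remediation. The host snapshots are constructed; the two required patches are the fixes for the worms the slide names (MS02-039 for SQL Slammer, MS03-026 for Blaster).

```python
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]                 # (severity, message)
Snapshot = Dict[str, object]              # collected state of one host

# Constructed policy. Patch IDs are the real bulletins for Slammer and Blaster.
POLICY = {
    "min_password_length": 8,
    "max_password_age_days": 90,
    "required_patches": {"MS02-039", "MS03-026"},
    "banned_services": {"telnet", "rsh"},
}


def check_password_policy(snap: Snapshot, policy) -> List[Finding]:
    out = []
    pw = snap.get("password_policy", {})
    min_len = pw.get("min_length", 0)                 # missing value = worst case
    max_age = pw.get("max_age_days", 10 ** 9)         # missing value = never expires
    if min_len < policy["min_password_length"]:
        out.append(("high", f"password min_length {min_len} < {policy['min_password_length']}"))
    if max_age > policy["max_password_age_days"]:
        out.append(("medium", f"password max_age_days {max_age} > {policy['max_password_age_days']}"))
    return out


def check_patches(snap: Snapshot, policy) -> List[Finding]:
    missing = sorted(policy["required_patches"] - set(snap.get("patches", [])))
    return [("critical", f"missing patch {p}") for p in missing]


def check_services(snap: Snapshot, policy) -> List[Finding]:
    bad = sorted(policy["banned_services"] & set(snap.get("services", [])))
    return [("high", f"banned service running: {s}") for s in bad]


# Registering a new control is one line here.
CHECKS: List[Callable[[Snapshot, dict], List[Finding]]] = [
    check_password_policy, check_patches, check_services,
]


def evaluate(snapshots: Dict[str, Snapshot], policy=POLICY, checks=CHECKS):
    """Run every control against every host; returns host -> list of findings."""
    report = {}
    for host, snap in snapshots.items():
        findings: List[Finding] = []
        for chk in checks:
            findings.extend(chk(snap, policy))
        report[host] = findings
    return report


def compliant_hosts(report) -> List[str]:
    return sorted(h for h, f in report.items() if not f)


def worst_severity(findings: List[Finding]) -> str:
    order = ["critical", "high", "medium", "low"]
    present = {sev for sev, _ in findings}
    return next((s for s in order if s in present), "none")


# Constructed snapshots as a collector agent might report them.
SNAPSHOTS = {
    "win-fs-01": {"password_policy": {"min_length": 6, "max_age_days": 180},
                  "patches": ["MS03-026"], "services": ["smb", "telnet"]},
    "win-app-02": {"password_policy": {"min_length": 12, "max_age_days": 60},
                   "patches": ["MS02-039", "MS03-026"], "services": ["iis"]},
}


if __name__ == "__main__":
    rep = evaluate(SNAPSHOTS)
    for host, findings in rep.items():
        print(host, worst_severity(findings), findings)
    print("compliant:", compliant_hosts(rep))
```

The defaults in check_password_policy are deliberate: a host whose agent reported no password policy at all is treated as failing, not as unknown, because "no data" from a collector is the usual way a non-compliant system hides.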
Tivoli Product Portfolio – Available TODAY!
Integrated across silos through the ITSM platform to the IT process management products
[Diagram: IBM IT Service Management layers (Best Practices, IT Process Management Products, IT Service Management Platform, IT Operational Management Products) with the operational products grouped as below.]
Security Management – products include:
• Tivoli Access Manager for e-business
• Tivoli Access Manager for Operating Systems
• Tivoli Access Manager for E-SSO
• Tivoli Identity Manager Family
• Tivoli Federated Identity Manager
• Tivoli Directory Server
• Tivoli Directory Integrator
• Security Compliance Manager
• Tivoli Security Operations Manager (NeuSecure)
Storage Management – products include:
• Tivoli Storage Manager
• Tivoli Continuous Data Protection for Files
• TotalStorage Productivity Center
Server, Network & Device Management – products include:
• Tivoli Enterprise Console
• Tivoli Monitoring
• Tivoli OMEGAMON
• Tivoli NetView
• Tivoli Remote Control
• Tivoli Systems Automation
• Tivoli Workload Scheduler
• Tivoli Provisioning Manager
• Tivoli Configuration Manager
• Tivoli Decision Support for z/OS
• Netcool/OMNIbus
• Netcool/Proviso
• Netcool/Precision
• Netcool/Monitors
Business Application Management – products include:
• Tivoli Composite Application Manager
• Tivoli Business Systems Manager
• Tivoli Intelligent Orchestrator
• Tivoli Service Level Advisor
• Tivoli License Manager
• Tivoli License Compliance Manager
• Netcool/Impact
Disclaimers and TrademarksNo part of this document may be reproduced or transmitted in any form without written permission from IBM Corporation.Product data has been reviewed for accuracy as of the date of initial publication. Product data is subject to change without notice. Any statements regarding IBM's future direction and intent are subject to change or withdrawal without notice, and represent goals and objectives only.THE INFORMATION PROVIDED IN THIS DOCUMENT IS DISTRIBUTED "AS IS" WITHOUT ANY WARRANTY, EITHER EXPRESS OR IMPLIED. IBM EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. IBM products are warranted according to the terms and conditions of the agreements (e.g. IBM Customer Agreement, Statement of Limited Warranty, International Program License Agreement, etc.) under which they are provided. IBM customers are responsible for ensuring their own compliance with legal requirements. It is the customer's sole responsibility to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer's business and any actions the customer may need to take to comply with such laws. The following terms are trademarks or registered trademarks of the IBM Corporation in either the United States, other countries or both: DB2, e-business logo, eServer, IBM, IBM eServer, IBM logo, Lotus, Tivoli, WebSphere, Rational, z/OS, zSeries, System z.Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. 
in the United States and/or other countries.Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States and/or other countries.UNIX is a registered trademark of The Open Group in the United States and other countries.Linux is a trademark of Linus Torvalds in the United States and other countries.Other company, product, or service names may be trademarks or service marks of others.ITIL® is a Registered Trade Mark, and a Registered Community Trade Mark of the Office of Government Commerce, and is Registered in the U.S. Patent and Trademark Office.IT Infrastructure Library® is a Registered Trademark of the Central Computer and Telecommunications Agency which is now part of the Office of Government Commerce.