Over the past few years, IBM has invested heavily in rebuilding its product portfolios. It has made many point acquisitions to address perceived weaknesses and aligned many of its internal tools to ensure a coherent product strategy.
The IBM Security product portfolio in Figure 1 below is both multilayered and multicolumned. Products can be layered on top of each other to create different levels of security based on customer requirements. At the same time, the tools are designed to deal with the threefold challenge of people, process and technology. This means that customers can start with the outline framework, then, as they deploy new solutions or adopt new platforms, they can bring in the tools that best fit their security challenge.
Figure 1: IBM Security Portfolio
This security portfolio is designed to be an intelligence-led approach that draws on other parts of IBM’s product portfolio. Using advanced analytics, the security portfolio can provide the detailed information to carry out profiling users, traffic and services to identify advanced persistent threats and complex cyberattacks.
Built into this portfolio are the tools that make it possible to integrate security with compliance and other high-level functions. That integration includes rules engines and auditing to ensure any breach of compliance can be tracked, identified, reported and rectified. At the same time, the built-in forensics ensure that if there is a need to escalate a situation to law enforcement, the right level of data will be gathered in such a way that meets prosecutorial standards.
IBM Dynamic Security for Hybrid Cloud
Despite the comprehensive approach that this security portfolio presents, the cloud is still not an endemic part of the security design. To address that gap, IBM announced on Nov. 5, 2014, the latest update to its security tools: IBM Dynamic Security for Hybrid Cloud, as shown in Figure 2 below.
Figure 2: Updated Cloud Security Portfolio
One of the reasons for creating a separate set of tooling for the cloud is to address differences between an in-house environment and the cloud. One of the biggest differences is agility. The cloud is constantly changing, which means security processes need to be flexible and highly automated to keep up with threats and changes. While the tools used for in-house environments are now automated to a large degree, they are mainly focused on static legacy systems.
Addressing the cloud means having the ability to not only deploy security policies and solutions as soon as new cloud services are instantiated, but also ensuring consistency across cloud instances. High levels of automation and dynamic deployment are essential to a functional security solution. Rules are also needed to stay with the cloud service, application and data as they move around multiple locations to ensure there is no risk of security breaches. While IBM is moving fast down that route, there is still work to be completed there in order to protect virtual machines and application containers.
For companies that are building out their hybrid cloud with a single cloud provider, it is possible to deploy virtual appliances into the cloud in order to extend security. Unfortunately, business units are not buying services from one cloud vendor, but rather from many cloud vendors. Even IT departments are making decisions on which cloud platform to use based on a project, its finances and its importance. This means any solution must be capable of supporting multiple cloud platforms. This is where the ability to deliver a federated security solution is essential.
A Four-Staged Approach to Cloud Security
This all leads to IBM taking a four-stage approach to security in the cloud to manage access, protect data, increase visibility and optimize security operations. The advantage for IBM is that this easily aligns with the way it currently protects data inside its own data centers and those of customers. What changes is the use of federated solutions and increased automation.
1. Manage Access
IBM is managing access through the use of cloud identity and access along with a cloud privileged identity manager for customers running on IBM-hosted services. For customers who are planning to write and deploy applications to other platforms, IBM is providing support for OpenID and OAuth 2.0. These are security standards used by many other vendors, such as software-as-a-service (SaaS) and platform-as-a-service (PaaS) provider Salesforce.com. This means customers can quickly build and deploy a multivendor federated security solution capable of addressing cloud services from multiple vendors.
2. Protect Data
The extension of IBM Guardium technology to the cloud is already possible by deploying a virtual appliance into IBM SoftLayer and Amazon Web Services. This means data deployed into the cloud can be quickly protected. IBM is looking to extend this to other cloud providers. For end users deploying data into the cloud, it is now possible to protect cloud data repositories as securely as if they were a local data repository.
Testing applications before they are deployed is often expensive and time-consuming. IBM has released new cloud-based testing tools for both Web (Dynamic Analyzer) and mobile applications (Mobile Analyzer) as part of Bluemix, its easy-to-access PaaS offering for the development community. What remains to be seen is how IBM will charge for testing. The existing AppScan security product is expensive, but for this to be successful, IBM will need to deliver a much more commoditized testing price.
3. Gain Visibility
One of the most important aspects of IBM Dynamic Security for the hybrid cloud is its integration with QRadar. Cloud security intelligence is QRadar for hybrid clouds and SoftLayer. It provides deep insight into what is happening with users, applications and any other assets in both the enterprise and the cloud.
In addition to supporting SoftLayer, IBM has also ensured it has a high level of integration with similar services from other cloud vendors, such as Amazon CloudTrail, Qualys, Salesforce.com, CloudPassage, Zscaler, OpenStack and IBM Security Trusteer Apex. This breadth of support for both the cloud and enterprise makes it a one-stop security analytics solution that will track any attack, user or device regardless of where it is operating.
4. Optimize Security Operations
As was expected, this is all underpinned by IBM’s own security and professional services teams. For those customers who do not want to perform the analytics or monitor risk profiles, IBM is making it easy to use its own internal staff to fill in the knowledge gaps. Three new services are included in the announcement: Security Intelligence and Operations Consulting Services, Cloud Security Managed Services for SoftLayer and Intelligent Threat Protection Cloud. The most important advantage of this is that it opens up IBM’s capabilities not just to large enterprise customers, but also to midsize enterprises.
A Masterful Stroke for Security Across Multiple Cloud Services
IBM has managed to match its enterprise security portfolio with a new set of cloud tools that are integrated with existing tools and extend to deal with the specific demands of the cloud. It has adopted a federated security approach both in gathering information from multiple cloud services and in the way developers can design their own applications.
At the same time, by ensuring everything is addressable through a set of comprehensive application programming interfaces, customers can integrate products from IBM’s competitors and not feel that they are locked into a single vendor solution.
IBM’s only caution to what is otherwise a strong portfolio addition is one of pricing. Customers are moving to the cloud to get usage-based pricing, and purchasing security products and tools has to reflect that. Presently, IBM has not outlined how it will introduce cloud-friendly pricing for its new security tools. Without this, customers may look elsewhere if competitors address this issue more cost-effectively with their cloud security solutions. Ultimately, long-term success and widespread adoption will depend on IBM getting the pricing right for a customer audience that is demonstrating greater maturity and higher expectations for the cloud payment model.