Simplifying IAM through orchestration

The recent validated what many of us in the industry already knew: Identity has become the leading attack vector. The 2024 report showed a 71% increase in valid identities used in cyberattacks year-over-year. What really puts it into perspective is the realization that you are just as likely to have your valid identity used in a cyberattack as you are to see a phishing attack in your organization. Hackers don’t hack in; they log in.

The risk of valid identities being used as the entry point by bad actors is expected to continue with the ever-increasing applications and systems being added in today’s hybrid environments. We are finding an overwhelming majority of organizations are choosing to use different identity vendors that offer the best capability for each use case, instead of consolidating with one vendor. The use of various identity tools is further compounded with managing access to your legacy application infrastructure, integrating new users during mergers and acquisitions. The hybrid reality has also led to an inconsistent user experience for your workers, partners and customers, an increased risk of identity-based attacks, and added an additional burden on your admins. 

To solve the identity challenges created by today’s hybrid environments, businesses need a versatile solution that complements existing identity solutions while effectively integrating various identity and access management (IAM) silos into a cohesive whole. Solutions that help create a consistent user experience for your workers, partners and customers across all applications and systems. Organizations and industry analysts refer to this connected IAM infrastructure as an Identity fabric. Organizations have begun to move toward connecting multiple IAM solutions through a common identity fabric.

Securing the digital journey

To protect the integrity of digital user journeys, organizations use a range of tools spanning bot mitigation, identity verification and affirmation, user authentication, authorization, fraud detection and adjacent capabilities such as risk analytics and access management. Building and maintaining these integrations is complex and carries an operational overhead regarding time and resources. These various tools don’t easily interconnect and don’t generate standardized types of signals. As a result, the interpretation of the varied risk signals is siloed across different events along the digital user journey. This lack of an integrated approach to managing risk along the digital user journey hinders the adoption of continuous adaptive trust principles and adds undue risk into the system. Various, disconnected identity tools prohibit you from creating that consistent user experience and security controls. Orchestration solutions improve the efficacy and efficiency of risk management along digital user journeys.

Identity orchestration

Identity and access management projects are complex enough with many taking 12-18 months. They require skilled staff to solve today’s identity challenges such as integrating IAM silos together and modernizing access to legacy applications. Many of the solutions out there are not helpful and actually create more vendor lock-in. What is really needed is an open integration ecosystem that allows for flexibility and integrations that are simple and require fewer skills to accomplish. This is where an identity fabric and identity orchestration come into play. Orchestration is the critical component and the integration glue for an identity fabric. Without it, building an identity fabric would be resource-intensive and costly. Orchestration allows more intelligent decision-making and simplifies everything from onboarding to offboarding and enables you to build consistent security policies. Identity orchestration takes the burden off your administrators by quickly and easily automating processes at scale. This enables consistent, frictionless user experiences, while improving identity risk posture, and helping you avoid vendor lock-in. 

Benefits of identity orchestration

Design consistent, frictionless user experiences

Identity orchestration enables you to streamline consistent and frictionless experiences for your workers, partners and customers across the entire identity lifecycle. From account creation to login to passwordless authentication using passkeys to account management, makes it easy to orchestrate identity journeys across your identity stack, facilitating a frictionless experience. IBM’s identity orchestration flow designer enables you to build consistent, secure authentication journeys for users regardless of the application. These journeys can be built effortlessly with low-code, no-code orchestration engines to simplify administrative burden.

Fraud and risk protection

Orchestration allows you to combine fraud signals, decisions and mitigation controls, such as various types of authenticators and identity verification technologies. You can clearly define how trusted individuals are granted access and how untrusted users are mitigated with security authentication. This approach overlays a consistent and continuous overlaying risk and fraud context across identity journey. IBM Security® Verify orchestration allows you to bring together fraud and risk signals to detect threats. It also provides native, modern and strong phishing-resistant risk-based authentication to all applications, including legacy apps, with drag-and-drop work-flows.

Avoid vendor lock-in with identity-agnostic modernization

Organizations have invested in many existing tools and assets across their IAM stack. This can range from existing directories to legacy applications to existing fraud signals, to name a few. IBM Security Verify identity orchestration enables organizations to bring their existing tools to apply consistent, continuous and contextual orchestration across all identity journeys.It enables you to easily consolidate and unify directories, modernize legacy applications and streamline third-party integration for multifactor authentication (MFA), and risk and notification systems

Leverage IBM Security Verify

IBM Security Verify simplifies IAM with orchestration to reduce complexity, improves your identity risk posture, and simplifies the user journey by enabling you to easily integrate multiple identity system providers (IdPs) across hybrid environments through low-code or no-code experiences.

IBM provides identity-agnostic modernization tools enabling you to manage, migrate and enforce consistent identity security from one IAM solution to another while complementing your existing identity tools. By consolidating user journeys and policies, you can maintain security consistency across all systems and applications, creating frictionless user experiences and security controls across your entire identity landscape.

Source: ibm.com

Continue reading

Get more value from your data with a data transformation roadmap

Data Economy - The Transformation Roadmap

So, how can you get the most value from your data? A knowledgeable and phased approach facilitates a smooth transition from legacy practices and products to processes that tap into the advantages of Canada’s data economy. Defining policies and roles, developing data-sharing control mechanisms, understanding existing and potential data across the company and beyond, and planning best use cases will lead to increased profitability, reduced operating costs, expanded products and services, and valuable insights to benefit you and your customers. And efficiently shared data promotes constructive collaboration with partners and stakeholders, both internal and external.

I recommend a three-step tactic of migration, modernization and monetization. Migration moves the data to the most appropriate cloud environment, or target state architecture, where core data models can be rebuilt and modernized, and then monetized through effective data and digital agile ecosystems that are ready for growth.

Here are two examples of the positive impact of data monetization in two very different industries.

Internal data monetization: an international airline launches a transformative journey

A large international airline needed to transition to a more streamlined technology landscape with an optimized operating model. Analysis of their current data landscape revealed multiple legacy applications that could not yield the insights required for their growth.

With guidance from IBM, the airline launched a Data Platform Stability and Modernization journey, migrating select on-premise data platforms and workloads to the cloud. Within the modernized data landscape, they could create models for customer and passenger data, then expand the insights to different lines of business, such as cargo, loyalty and commercial applications.

Their data modernization journey has realized three significant benefits. Revenue has been increased through their transformed data sources, channels and products. They have developed a data-driven decision-making culture through the resilient, cloud-based data environment. And their data security and governance has been improved, setting a foundation for realizing a good return on investment through further data monetization and data-sharing initiatives in the future.

External data monetization: Yara goes from bushels to bytes

“Agriculture is one of the last industries that has focused on systematic process optimization.” — Pål Øystein Stormorken, Yara

Norway-based Yara is the world’s largest fertilizer producer. It has established a solid reputation as a reliable source of information and a distributor of agricultural products, with an ethical and balanced approach to best practices for food production. Yara is dedicated to the exploration of new technologies that promote sustainable intensification to protect the environment, growing more food on existing farmland and avoiding deforestation. With the United Nations estimate that the population will reach 9.7 billion by 2050, along with alarming statistics on climate change and soil loss, Yara wanted to find solutions to the challenges to the food supply.

Yara partnered with IBM to build a digital farming platform with two new products: weather forecasting and crop-yield forecasting, following a pay-as-you-go commercial model. The cloud-agnostic strategy enables consistent data governance and data security, using DataOps to automate data functions so that its scientists could focus on data models and innovation.

The platform provides holistic digital services and instant agronomic advice around the globe, with the ability to reach 620 million farmers and serve up to 7% of the world’s arable land. These accelerators are just the first of many: an open innovation layer will allow Yara to create new revolutionary algorithms and a cognitive roadmap for farmers through constructive decision-making insights.

This is an example of the power of data monetization, generating not only business value, but also societal value in sustainable practices.

Your Opportunity

Canada will generate value for all of its citizens, industries, businesses and researchers by developing a flourishing data economy. IBM can help you understand and monetize your data, guiding you through your journey as you assess and prioritize your needs, select the right governance and operations models, and design a plan that propels you into the exciting future of data-driven innovation.

Source: ibm.com

Continue reading

IBM ships new LTO 9 Tape Drives with greater density, performance, and resiliency

As data generation continues to explode around the world with some researchers suggesting a doubling of the ‘digital universe’ to more than 180 zettabytes by 2025, increasing pressure is being placed upon the administrators responsible for storing, managing, and securing that data.

To help enterprises contend with the challenge, IBM, which has been innovating in data storage for seven decades, announced today the general availability of the industry’s first magnetic tapes and drives that can store an unprecedented 45TB of compressed data on a single cartridge (18TB uncompressed). The new drive and tape are based on the new Ultrium LTO-9 specification and designed to provide organizations greater access, performance and resiliency for data stored on-prem, in the cloud, or at the edge.

In addition to the 50% capacity boost from its predecessor, LTO-8, which supports 12TB of data (30TB compressed), the new IBM LTO-9 Tape Drive, which comes in three models, the F9C (Fibre Channel), F9S (Fibre Channel), and S9C (SAS), features several key performance improvements over LTO-8. For example, the new drives support data transfer rates of up to 400 MB/s for full high and 300 MB/s for half high cartridges – an 11% boost from the previous generation.

The new drives also feature IBM’s new Open Recommended Access Order (oRAO), a new data retrieval accelerator that enables applications to retrieve data from tapes with dramatically reduced seek time between files. Specifically, oRAO, which can be used with compressed or uncompressed data, can reduce those access times by a whopping 73%. Developed from IBM file access acceleration technology, oRAO can also speed cyber resilience response times by shortening the time needed to recover data.

Building Up Cyber Resiliency with IBM LTO-9

The full-height IBM LTO-9 Tape Drive is designed to natively support data encryption, with core hardware encryption and decryption capabilities resident in the tape drive itself to ensure data privacy and reduce the risk of data corruption due to virus or sabotage.

According to a recent security report, from 2020 to 2021 the average total cost of a data breach increased by nearly 10% year over year, the largest single year cost increase in the last seven years. Today, ransomware is one of the costlier types of breaches, with an average cost of $4.62M per breach and one of the most common, with cybersecurity firm, SonicWall, reporting ransomware attacks rose to 304.6 million in 2020, up 62% over 2019.

In other words, ransomware is here to stay for the foreseeable future. It is no longer a matter of if your organization will be attacked, but when and how often. Looking to limit the impact of cyberattacks, the new IBM LTO-9 tapes and drives enable organizations to create cost-effective, cyber resilience strategies.

◉ The cost-effective data backup

Tape backups allow you to safely recover from a ransomware attack, helping you avoid expensive ransom and other fees. IBM tape solutions are also extremely cost-beneficial, costing less than 1 cent per GB per month, exactly 0.59¢/GB, in other words, $5.89 / TB. Also, by implementing an IBM LTO-9 tapes and drives, companies can store up to 1.04EB of compressed data per 18-frame tape library and up to 39PB of compressed data in a 10-sq-ft tape library with LTO Ultrium 9 tape cartridges.

Additionally, customers can reduce their Total Cost of Ownership of their tape library up to 39% by swapping in LTO-9 technology over LTO-8. And remember, tape technology does not add extra charges to retrieve your data.

◉ The best physical air-gap between your data and cyber criminals

Most organizations have a cyber recovery plan that relies on data backups. The best practice in this situation is create a physical “air-gap” to ensure the backup is going to a system that is secure and offline. Utilizing tape storage is the ideal way to provide customers with that physical gap. Tapes are portable, and can be easily stationed in remote, offline locations for superior protection from natural or manmade threats. When the new IBM LTO Ultrium 9 Data Cartridge is removed from the tape drive or library they are physically “air-gapped” greatly reducing the risk of cyber sabotage.

◉ Anti-corruption: tape provides data immutability with WORM capabilities

The IBM LTO-9 Ultrium WORM data cartridge model stores data in a non-erasable, non-rewritable format to prevent overwriting and reduce the risk of data loss due to human error.

Evaluating 10-year cyber security plans should consider IBM Tape Storage to keep critical data backed up, immutable with WORM data cartridges, and encrypted behind air gap protection to prevent blackmail. In case an attack occurs and restoring your entire storage is required, a clean copy of the data on IBM LTO-9 tape technology is likely to be the cheapest and most reliable recovery option without extra retrieval fees to a cloud provider.

As well as helping you protect against a malware or ransomware event, the WORM capabilities are often essential to meet regulatory and legal compliance across many industries and for publicly traded companies. With the immutability of LTO-9 WORM data cartridges, customers can be assured their data will always be available for audits, legal issues, and financial compliance.

Limit your exposure to malware and ransomware attacks with IBM LTO-9 tape storage.

Source: ibm.com

Continue reading

The hidden danger of outdated infrastructure: security risk

With all the talk about cloud solution adoption, it’d be easy to assume that on-premises IT infrastructure is fading in popularity. However, the recent IBM and Forrester Consulting study “The Key to Enterprise Hybrid Cloud Strategy,” found that on-premises infrastructure still has a strong presence for many enterprises. The study found that “firms are planning to increase investments toward on-premises infrastructure, and 85% of IT decision-makers (ITDMs) in our survey agree that on-premises infrastructure is critical to their hybrid cloud strategies.” In fact, 75% of IT decision makers plan to increase their infrastructure investment in the next two years.

Unfortunately, plans aren’t always followed through. On-premises infrastructure updates are often one of the first things to get pushed based on budget needs, project priority or unexpected disruptive events (such as COVID-19). The Forrester study found that 70% of responding organizations have delayed infrastructure refreshes at least a few times in the last five years or more (up from 61% in 2019).

When looking at IT projects and priorities, refreshing on-premises infrastructure is an easy candidate for delay. It’s not a flashy new project and it may be difficult to justify the cost to the C-suite. When juggling multiple projects or the need to slash the budget, IT teams may look at risk/reward equation for not refreshing existing on-premises infrastructure. A decision is arrived that everything is working well enough for now. What is often not taken into account is that there are security risks associated with this gear. In fact, the Forrester study found that half of IT decision-makers found infrastructure-based security issues and vulnerabilities following a delayed refresh.

Changing nature of cyber risk

Security isn’t getting any easier. While the overall number of reported data breaches decreased in 2020, RiskBased Security’s 2020 Year End Report found that more than 37 million records were breached last year, up 141% over 2019 and reportedly the highest number of breached records since RiskBased Security began its annual report.

While security risk is increasing, organizational commitment to updated hardware is diminishing. The Uptime Institute found that the average timeframe for a hardware refresh is now every five years (compared to an average of every three years in 2015). Think about how much has changed in the cyber security landscape over the past five years. In many cases, five-year-old infrastructure was never designed to handle the high-risk workloads and security challenges we now task it with.

With the increasing adoption of artificial intelligence (AI) and machine learning (ML) in business and technology applications, the need to support data-sensitive workloads is far greater than it was five years ago and will only increase. Forrester Consulting found that 84% of ITDMs anticipate greater data-sensitive workloads going forward. Couple all that with rigorous compliance standards that are closely tied to infrastructure security and it’s easy to see how not regularly refreshing infrastructure can create a dire security risk and impact an organization’s overall security posture.

Adopting a holistic security posture

Security isn’t a single headed monster, and the enterprise approach to strong, holistic security needs to remain equally multi-faceted. That includes not forgetting or dismissing the importance of regularly refreshing on-premises infrastructure, even as enterprises build out increasingly complex hybrid cloud solutions.

Source: ibm.com

Continue reading

Quantum-safe cryptography: What it means for your data in the cloud

Quantum computing holds the promise of delivering new insights that could lead to medical breakthroughs and scientific discoveries across a number of disciplines. It could also become a double-edged sword, as quantum computing may also create new exposures, such as the ability to quickly solve the difficult math problems that are the basis of some forms of encryption. But while large-scale, fault-tolerant quantum computers are likely years if not decades away, organizations that rely on cloud technology will want cloud providers to take steps now to help ensure they can stay ahead of these future threats. IBM Research scientists and IBM Cloud developers are working on the forefront to develop new methods to stay ahead of malicious actors.

Hillery Hunter, an IBM Fellow, Vice President and CTO of IBM Cloud, explains how IBM is bringing together its expertise in cloud and quantum computing with decades of cryptographic research to ensure that the IBM Cloud is providing advanced security for organizations as powerful quantum computers become a reality.

It’s probably best to start this conversation with a quick overview of IBM history in cloud and quantum computing.

IBM offers one of the only clouds that provides access to real quantum hardware and simulators. Our quantum devices are accessed through the IBM Q Experience platform, which offers a virtual interface for coding a real quantum computer through the cloud, and Qiskit, our open source quantum software development kit. We first made these quantum computers available in 2016. As of today, users have executed more than 30 million experiments across our hardware and simulators on the quantum cloud platform and published over 200 third-party research papers.

As a pioneer in quantum computing, we are taking seriously both the exciting possibilities and the potential consequences of the technology. This includes taking steps now to help businesses keep their data secure in the cloud and on premises.

How does security play into this? Why is it important to have a cloud that has security for quantum-based threats?

An organization’s data is one of their most valuable assets, and studies show that a data breach can cost $3.92 million on average. We recognized early that quantum computing could pose new cybersecurity challenges for data in the future. Specifically, the encryption methods used today to protect data in motion and at rest could be compromised by large quantum computers with millions of fault tolerant quantum bits or qubits. For perspective, the largest IBM quantum system today has 53 qubits.

To prepare for this eventuality, IBM researchers are developing a lattice cryptography suite called CRYSTALS. The algorithms in that suite are based on mathematical problems that have been studied since the 1980s and have not yet succumbed to any algorithmic attacks (that have been made public), either through classical or quantum computing. We’re working on this with academic and commercial partners.

These advancements build on the leading position of IBM in quantum computing, as well as decades of research in cryptography to protect data at rest and in motion.

How is IBM preparing its cloud for the post-quantum world?

We can advise clients today on quantum security and we’ll start unveiling quantum-safe cryptography services on our public cloud next year. This is designed to better help organizations keep their data secured while it is in-transit within IBM Cloud. To accomplish this, we are enhancing TLS and SSL implementations in IBM Cloud services by using algorithms designed to be quantum-safe, and leveraging open standards and open-source technology. IBM is also evaluating how we can provide services that include quantum-safe digital signatures, a high expectation in e-commerce.

While that work is underway, IBM Security is also offering a quantum risk assessment to help businesses discern how their technology may fare against threats and steps they can take today to prepare for future threats.

IBM also contributed CRYSTALS to the open source community. How will this advance cryptography?

Open-source technology is core to the IBM Cloud strategy. That’s why IBM developers and researchers have long been working with the open-source community to develop the technology that’s needed to keep data secured in the cloud.

It will take a community effort to advance quantum-safe cryptography and we believe that, as an industry, quantum-safe algorithms must be tested, interoperable and easily consumable in common security standards. IBM Research has joined OpenQuantumSafe.org and is contributing CRYSTALS to further develop open standards implementations of our cryptographic algorithms. We have also submitted these algorithms to the National Institute of Standards and Technology for standardization.

Some organizations might not worry about these security risks until quantum computing is widespread. Why should they be acting now?

Although large-scale quantum computers are not yet commercially available, tackling quantum cybersecurity issues now has significant advantages. Theoretically, data can be harvested and stored today and potentially decrypted in the future with a fault-tolerant quantum computer. While the industry is still finalizing quantum-safe cryptography standards, businesses and other organizations need to get a head start.

Source: ibm.com

Continue reading

Cyber defense: resilience and security go hand in glove

The interest in cyber defense as a way to mitigate the risks in today’s environment is understandably high. I recently hosted a session on Quora to answer questions on cyber security, resilience and the infrastructure needed to provide safe enterprise computing. The response was far beyond my expectations, with 25 questions asked and over 20,000 session views.

I answered twelve queries during the session, ranging from “How to build a secure hybrid cloud,” to “What are the emerging threats and security trends in the next ten years?” In this blog post, I’d like to recap and expand on a few of my responses.

Q: How can companies overcome cybersecurity challenges?

A: A company can’t overcome the cybersecurity challenges. You can only mitigate the risks the challenges present. Cybersecurity and cyber resiliency are two complimentary methods for mitigating the risks from determined attacks and events. Security helps you block and avoid disruption, while resiliency enables you to keep functioning when security is breached.

A consistent assessment of risk, using a method like FAIR, Factor Analysis of Information Risk, from the Open Group is valuable to reach consensus with all the stakeholders in your company on the magnitude of the risk. IBM Security uses this approach as part of the assessments it conducts for clients. FAIR looks at the frequency of the threat event and the potential impact on the business to rank risks. The other critical factor in addressing cybersecurity challenges is to identify the signs the provide indications and warnings of active attacks to trigger timely responses. Too often attacks go unnoticed for months before the impact is realized. 

Q: What types of emerging threats do I need to be prepared for?

A: AI is creating new types of security issues, and quantum computing and cryptography present new challenges. At the root of these new emerging threat vectors is the same criminal profit motive that makes cyberattacks so prevalent. The good news is that these new technologies can be used for defense as well. AI can be tied to indications and warning systems as well as keeping up with response tactics. Cryptography can be used not just for data at rest and in transit but in process as well. The in-processor cryptographic engines in IBM z15 systems remove the performance penalty of encryption at scale. Quantum computing has the potential to vastly increase the encryption strength protecting data.

The Internet of Things (IoT) encompasses a wide range of commercial and consumer devices and everyday items that are connected to the Internet, and communication occurs between these objects and other Internet-enabled devices and systems. Our transportation, factories, hospitals, offices, and homes are evolving into a complex networked ecosystem of interconnected data sharing software, services and devices. IoT devices, communications, and data stores need to be safe and secure and IBM believes the responsibility for ensuring security must be shared among device manufacturers, solution developers, and users.

Q: When organizations move data and workloads to the cloud, what are the cybersecurity considerations?

A: Organizations plan on spending notable sums on cloud security. Forrester predicts that the market for cloud security solutions will more than double by 2021 ($3.5 billion from $1.5 billion in 2017). Cloud security solutions must be able to address all security needs on premises, in private clouds and across multiple public clouds. Security for the cloud isn’t something that will be solved by bolting on new security tools. It must involve a holistic strategy and security capabilities to directly address: securing identity and networks, protecting data and workloads and managing threats and compliance.

There were also questions about security for hybrid cloud environments. As a member of IBM Garage, this was a great way to introduce our comprehensive approach to innovation and transformation that brings designers and developers together with business and IT stakeholders to address cyber defense for multiclouds. Take a look at this webinar, “Secrets from the C-Suite: Building a Secure Hybrid Cloud,” to learn more.

My takeaway from doing this session is that there is a keen interest in cyber defense, particularly in the resiliency and security of hybrid clouds.

Source: ibm.com

Continue reading

Unbound Tech unlocks liquidity and security for proven digital asset management

From time to time, we invite industry thought leaders to share their opinions and insights on current technology trends to the IT Infrastructure blog. The opinions in these blogs are their own, and do not necessarily reflect the views of IBM.

There are very few scenarios where security is more important than in the world of digital assets. If the key protecting a digital asset is compromised, then it’s game over.

At the same time, trading digital assets will only enter the mainstream when it’s possible to do it quickly and easily. For financial institutions accustomed to making transactions within a fraction of a second, waiting hours or even days for different keyholders to sign off on a digital asset trade is unthinkable.

At Unbound Tech, we saw an opportunity. By combining our unique multiparty computation (MPC) software with the IBM Hyper Protect Digital Assets Platform built on IBM LinuxONE, we’re bringing unprecedented liquidity and security to digital asset management.

Sizing up the challenge

Unbound is a pioneer in the use of MPC to secure cryptographic keys from every angle, splitting each key into multiple shares that are never united. By distributing trust, we ensure that a breach of any single machine never compromises the integrity of a key.

In the cryptographic world, there’s no such thing as “too secure.” However, we recognized that existing enterprise-class digital asset management solutions are forcing customers to choose between security and agility. What use is the most secure platform in the world if it’s unusable in real life?

We set out to build a new offering that pushes the boundaries of security without limiting liquidity of digital assets.

Creating the Unbound Crypto Asset Security Platform (CASP)

Developed with help from IBM, the Unbound Crypto Asset Security Platform (CASP) solution introduces lucrative benefits for digital assets service providers, including:

◉ The elimination of any single point of failure across the full digital asset lifecycle. IBM LinuxONE infrastructure offers unique resiliency features such as triple-redundant environmental sensors and Redundant Array of Independent Memory (RAIM) to keep applications running even in the unlikely event of a component failure. IBM LinuxONE can withstand a severe earthquake, with the mean time between failures (MTBF) measured in decades(!).

◉ Strict policy enforcement and cryptographic signing support across nearly unlimited asset types (no need for programming multi-sig, smart contracts).

◉ Insider-resistant, hardened infrastructure for Unbound CASP’s critical software elements. CASP services, key management, vaults, databases, chain connectors, and server-side bots all run within IBM Hyper Protect Virtual Servers, which are securely booted, protected memory enclaves. These enclaves help assure that administrators and operators do not have even technical access to the applications managing digital assets, such as policy enforcement mechanisms. For example, if an administrator initiates a memory dump, the dump is encrypted and does not include administrative access to the private key.

◉ Unbound CASP’s code build, signing, and deployment services run within IBM LinuxONE specialized Secure Image Build enclaves. These enclaves help rigidly enforce software review and attestation procedures, to frustrate potential malware, ransomware, and backdoor attackers. These defenses help assure that MPC is properly deployed without human interference. They also help accelerate testing and deployment of legitimate, authorized code updates if there’s ever an application security vulnerability requiring a quick fix. Secure Image Build solves two critical dilemmas: 1) proving the deployed software image is the right one and has not been modified or replaced by a privileged insider, and 2) proving the signed image is what it was supposed to be through the use of the secured source code manifest.

◉ Exploitation of IBM Crypto Express Hardware Security Modules (HSMs) for the CASP cold backup key and CASP disaster recovery. IBM Crypto Express is one of the only commercially available FIPS 140-2 Level 4 certified HSM, meaning it meets or exceeds the most rigorous standards for tamper protection and response. It enables exceptional business continuity, which is mandatory for enterprise-grade financial institutions.

◉ Only clients or their trustees control their assets—not Unbound Tech, nor IBM. Clients are issued special IBM smart card HSMs. During a trusted key ceremony, these smart cards collectively generate AES256 bit key parts that are securely transferred to the platform’s HSM and assembled into a master wrapping key inside an isolated HSM domain. Only the client retains control of their master wrapping key. HSM domains are highly isolated and protected by 360-degree envelope tamper detection and response.

◉ Solutions can be deployed to the IBM Cloud, on premises, or in a hybrid deployment, giving institutions and service providers full freedom to decide how and where they’d like to manage their digital asset platforms.

Better together

In partnering with IBM, Unbound achieved a real meeting of minds. IBM demonstrated that they understood our marketplace and our vision.

We participated in a two-day strategy session that helped us home in on what prospective customers are looking for, and how to deliver it to them. The result was a platform that combines our unique software with the IBM Hyper Protect Digital Assets Platform to bring something unmatched to the market, at a surprisingly competitive price point.

By building security into every transaction on the platform, we’re unlocking new liquidity around digital assets. Users don’t have to worry about risk or meeting even the most stringent regulations, as that’s taken care of for them.

Finally, the digital asset market can start reaching its full potential. Alongside IBM, Unbound is offering a platform that means no compromises for customers.

Source: ibm.com

Continue reading

Are you ready for tougher data security regulations?

An organization’s ability to comply with data security legislation has become absolutely critical. Any business that obtains client data has a responsibility to comply with regulations for handling and disposing of that data.

Major organizations have come under scrutiny for non-compliant data destruction and protection of devices bearing sensitive client information. Non-compliance with secure data destruction protocols presents financial and legal impacts—even more so for highly regulated industries such as financial services, government and healthcare, where mishandling of client data can have devastating consequences.

Traditional methods of data destruction are falling short. It is no longer sufficient to take data offsite, throw away devices without physical deformation, wiping and degaussing, or dispose of data without a tracking mechanism to certify the data is properly destroyed. Uncertified degausser tools exist, but without an industrial-strength magnet, the overwritten data can still be retrieved and misused.

Often, the dangers posed by data-bearing devices are hiding in plain sight. Common risks of data-bearing devices include:

◉ You cannot securely destroy what you do not possess. If you operate business on leased equipment, you cannot validate that the data or the data-bearing device is properly destroyed.

◉ More access is more exposure. Uncontrolled access to drop safes or storage solutions means greater susceptibility of data going missing. Drop safe combinations can be shared.

◉ Offsite is exposure. As soon as media leaves a data center, the risk of data loss increases exponentially.

To successfully control the availability of potentially sensitive data, organizations of all sizes and industries have to control the disposal of media that might contain sensitive information. Such compliance requires deep insight into the potential dangers posed by data-bearding devices in your environment and an environmentally compliant solution to mitigate those dangers.

Track, contain, destroy, verify

Compliant data destruction happens in four stages:

1. Track data with RFID/PIDs tagging, creating a transparent record of the data through its destruction and removal.

2. Contain data using a secure storage appliance or “smart safe” where access is exclusive to your organization.

3. Destroy data using industrial-grade methods to comply with the government definition of “destroyed”—media rendered smaller than two particles.

4. Verify with a two-person process to avoid potential errors or missed media.

Automating data destruction processes can help streamline the entire process and ensure compliant data handling every time. Using automation, you can electronically track and validate data from the time it is placed in a secure storage container to the moment that it is destroyed, with RFID/PIDs tagging to verify destruction.

Now is the time to evaluate your organization’s data destruction processes and make necessary adjustments to avoid non-compliance. Similar regulations to the European Union GDPR are expected to reach the United States in late 2020/early 2021. New regulations will require all businesses to safeguard client information and strengthen the rules for protecting and verifying that data is securely destroyed.

Source: ibm.com

Continue reading

IBM is recognized as a Leader in Gartner’s 2020 Magic Quadrant for Data Center Backup and Recovery Solutions for the ninth consecutive year

This week IBM has been recognized as a Leader in the Gartner Magic Quadrant for Data Center Backup and Recovery Solutions for the ninth time in a row. IBM is being recognized for its completeness of vision and its ability to execute in the data protection market.

According to Gartner, vendors in the Leaders quadrant “provide mature offerings that meet market demand and have demonstrated the vision necessary to sustain their market position as requirements evolve. The hallmark of Leaders is that they focus on, and invest in, their offerings to the point where they lead the market and can affect its overall direction. As a result, Leaders can become the vendors to watch as you try to understand how new market offerings might evolve.”

Why IBM?

“IBM’s ability to maintain its position as a Magic Quadrant Leader  has been a result of continuous improvements to IBM’s award-winning modern data protection and cyber resiliency portfolio,” says Eric Herzog, CMO and Vice President of Global Channel Sales for the IBM Storage Division. “Organizations struggle with the cost and complexity of protecting data as they embrace digital transformation, manage massive data growth, and the need for always-on services. The IBM modern data protection solutions address these challenges by combining simplicity, cyber security, and flexibility to optimize data backup, recovery, retention, and reuse across enterprise workloads in hybrid multicloud environments.”

This recognition comes right after IBM announced the latest enhancements to its acclaimed modern data protection portfolio.

In particular, the new release of IBM Spectrum® Protect Plus offers a wide range of further benefits like broader data protection for Amazon Web Services (AWS) workloads and enhanced container protection includes enhanced SLA management to enable SLA policy definition and assignment and the ability to back up and recover logical persistent volume groupings using Kubernetes labels.  Also, with the Spectrum Protect Plus agentless technology, users can now back up, recover, reuse, and retain data in Windows file systems running on physical servers or in virtualized environments.

In addition, IBM announced enhancements to IBM Spectrum Protect: The latest IBM Spectrum Protect release includes retention set to tape, which is the ability to efficiently copy and store data on tape for cost-effective and secure “air-gapped” long-term data retention. IBM Spectrum Protect also now enables users to back up the IBM Spectrum Protect database directly to object storage, including IBM Cloud Object Storage, AWS S3, Microsoft Azure, as well as other supported S3 targets.

And, IBM Spectrum Copy Data Management’s new release helps users simplify and improve SAP HANA Point in Time (PIT) recovery with native log backups using IBM Spectrum CDM and IBM Spectrum Protect for ERP. With the new log support, recoveries can be much more granular.

Source: ibm.com

Continue reading

IBM Z deepens data privacy capabilities with new air-cooled models and IBM Secure Execution for Linux

In September 2019, IBM announced IBM z15™, delivering industry-first data privacy capabilities with the ability to manage the privacy of customer data across hybrid multicloud environments and to scale from one to four frames. For our clients on their journeys to cloud, IBM z15™ and IBM LinuxONE III was a major step toward encrypting everywhere, cloud native development and IBM Z Instant Recovery–but we aren’t stopping there.

Announcing IBM z15 Model T02, IBM LinuxONE III Model LT2 and IBM Secure Execution for Linux

Every day, clients of all sizes are examining their hybrid IT environments, looking for flexibility, responsiveness and ways to cut costs to fuel their digital transformations. To help address these needs, today IBM is making two announcements. The first is two new single-frame, air-cooled platforms– IBM z15 Model T02 and IBM LinuxONE III Model LT2–designed to build on the capabilities of z15. The second, is IBM Secure Execution for Linux, a new offering designed to help protect from internal and external threats across the hybrid cloud. The platforms and offering will become generally available on May 15, 2020.

Expanding privacy with IBM Secure Execution for Linux

According to the Ponemon Institute’s 2020 Cost of an Insider Breach Report[1] sponsored by IBM, insider threats are steadily increasing. From 2016 to 2019, the average number of incidents involving employee or contractor negligence has increased from 10.5 to 14.5–and the average number of credential theft incidents per company has tripled over the past three years, from 1.0 to 3.2.[2] IBM Secure Execution for Linux helps to mitigate these concerns by enabling clients to isolate large numbers of workloads with granularity and at scale, within a trusted execution environment available on all members of the z15 and LinuxONE III families.

For clients with highly sensitive workloads such as cryptocurrency and blockchain services, keeping data secure is even more critical. That’s why IBM Secure Execution for Linux works by establishing secured enclaves that can scale to host these sensitive workloads and provide both enterprise-grade confidentiality and protection for sensitive and regulated data. For our clients, this is the latest step toward delivering a highly secure platform for mission-critical workloads.

For years, Vicom has worked with LinuxONE and Linux® on Z to solve clients’ business challenges as a reseller and integrator. On learning how IBM Secure Execution for Linux can help clients, Tom Amodio, President, Vicom Infinity said, “IBM’s Secure Execution, and the evolution of confidential computing on LinuxONE, give our clients the confidence they need to build and deploy secure hybrid clouds at scale.”

Simplifying your regulatory requirements for highly sensitive workloads

In addition to the growing risk of insider threats, our clients are also facing complexity around new compliance regulations such as GDPR and the California Consumer Privacy Act, demonstrating that workload isolation and separation of control are becoming even more important for companies of all sizes to ensure the integrity of each application and its data across platforms. IBM Secure Execution for Linux provides an alternative to air-gapped or separated dedicated hardware typically required for sensitive workloads.

Delivering cyber resiliency and flexible compute

Building on recent announcements around encrypting everywhere, cloud-native and IBM Z Instant Recovery capabilities, as well as support for Red Hat OpenShift Container Platform and Red Hat Ansible Certified Content for IBM Z, these two new members of the IBM Z and LinuxONE families bring new cyber resiliency and flexible compute capabilities to clients including:

◉ Enterprise Key Management Foundation–Web Edition provides centralized, secured management of keys for robust IBM z/OS® management.

◉ Flexible compute: Increased core and memory density with 2 central processor complex drawer design provides increased physical capacity and an enhanced high availability option. Clients can have up to 3 I/O drawers and can now support up to 40 crypto processors.

◉ Red Hat OpenShift Container Platform 4.3: The latest release, planned for general availability this month on IBM Z and LinuxONE.

Complementary IBM Storage enhancements

In addition, IBM also announced new updates to our IBM Storage offerings for IBM Z. The IBM DS8900F all-flash array and IBM TS7700 virtual tape library both now offer smaller footprint options. This week the TS7700 family announced a smaller footprint, with flexible configurations for businesses of all sizes and different needs that can be mounted in an industry-standard 19-inch rack.

Source: ibm.com

Continue reading

Announcing Red Hat Ansible Certified Content for IBM Z

We know that speed and agility are of utmost importance for our clients on their journey to cloud. But what we’ve also heard from them is that they’re looking for an enterprise-wide strategy to provide consistent automation across their hybrid environment — spanning their IT infrastructure, clouds and applications.

The reality of hybrid IT is here. Our clients are looking for solutions that leverage their investments in — and the strengths of — their existing IT infrastructure, clouds and applications in a seamless way. To deliver on this we’re focusing on three areas: developer experience, automation and operations that bring value to our clients no matter where they are on the hybrid IT continuum.

To help make this a reality, today IBM announced the availability of Red Hat Ansible Certified Content for IBM Z, enabling Ansible users to automate IBM Z applications and IT infrastructure. The Certified Content will be available in Automation Hub, with an upstream open source version offered on Ansible Galaxy. This means that no matter what mix of infrastructure our clients are working with, IBM is bringing automation for IBM Z into the fold to help you manage across your hybrid environment through a single control panel.

Ansible functionality for z/OS will empower IBM Z clients to simplify configuration and access of resources, leverage existing automation and streamline automation of operations using the same technology stack that they can use across their entire enterprise. Delivered as a fully supported enterprise-grade solution with Content Collections, Red Hat Ansible Certified Content for IBM Z provides easy to use automation building blocks that can accelerate the automation of z/OS and z/OS-based software. These initial core collections include connection plugins, action plugins, modules and a sample playbook to automate tasks for z/OS such as creating data sets, retrieving job output and submitting jobs.

Over the last several months, we’ve made significant strides to improve the developer experience by bringing DevOps and industry-standard tools like Git and Jenkins to the platform. We’ve announced IBM Z Open Editor, IBM Developer for z/OS V14.2.1, and, of course, we are a founding member of Zowe™.  In February we announced the availability of Red Hat OpenShift on IBM Z, which enables developers to run, build, manage and modernize cloud native workloads on their choice of architecture.

And with today’s announcement, we’re taking the next step toward this commitment.  For developers and operations, Ansible allows them to break down traditional internal and historical technology silos to centralize automation — all while leveraging the performance, scale, control and security provided by IBM Z. This brings the best of both worlds together with a practical and more economical solution. We’re excited about this important step both for our clients, and for our shared mission with Red Hat to provide a flexible, open and secured enterprise platform for mission-critical workloads.

Source: ibm.com

Continue reading

Keep customer data secured, private and encrypted with the latest IBM Z enhancements

In my discussions with CIOs and CISOs in organizations around the globe, I’ve noticed a common concern. How can these organizations keep business and customer data private and protected as they transform for hybrid multicloud?

As the volume and complexity of data sharing grows this concern is increasingly validated. According to the 2018 Third-Party Data Risk Study by Opus and Ponemon, 59 percent of companies experienced a data breach caused by a third party. As research company Enterprise Management Associates (EMA) notes in a recent paper sponsored by IBM, data sharing is a common part of business today and data theft is almost equally as common. And because applications span hybrid multicloud environments, much of your customer data may live in the public cloud and may be shared frequently with your external business partners.

Data security solutions to address these concerns exist, but many are siloed. As data moves from one place to another, that data must be independently protected at every stop along the way, resulting in protection that can be fragmented, rather than end-to-end.  Organizations moving more workloads to hybrid multicloud environments must ensure that data within these environments is protected effectively.

Extend data privacy and protection with Data Privacy Passports

One advantage IBM Z enjoys when it comes to security is that we own the z/OS operating system and software stack. This allows us to design security into the platform from the chip to the software stack, and continuously innovate and react to or anticipate customer needs by adding new capabilities. Recently we announced IBM Data Privacy Passports, a data privacy and security enforcement solution with off-platform access revocation. Now you can protect data and provide need-to-know access to data as it moves away from the system of record. Just as a passport allows you to travel beyond your home country’s borders with your government’s protection, Data Privacy Passports allows data to move beyond your data center while retaining the protection provided on IBM Z.

Securely build, deploy and manage mission-critical applications with IBM Hyper Protect Virtual Servers

Many technologies aim to protect applications in production, but the build phase may expose applications to vulnerabilities. IBM Hyper Protect Virtual Servers are designed to protect Linux® workloads on IBM Z and LinuxONE throughout the application lifecycle by combining several built-in capabilities from the hardware, firmware and operating system. You can build applications with integrity through a secure build Continuous Integration Continuous Delivery (CICD) pipeline flow. Through this CICD, developers can validate the code that is used to build their images, which helps reassure their users of the integrity level of their applications. After deploying, administrators can use RESTful APIs to manage the application infrastructure — without having access to those applications or their sensitive data.

Clients such as KORE Technologies and Phoenix Systems can address tampering and unauthorized access to data by isolating memory and restricting command-line access for administrators. “It’s crucial that we can push code out to our customer environments quickly and efficiently, ” says Isabella Brom, COO at KORE Technologies. “With IBM Hyper Protect Virtual Servers we can do that, while protecting our clients’ digital assets from compromise either from outside or from within.”

Protect data in flight with IBM Fibre Channel Endpoint Security

With pervasive encryption, you can decouple data protection from data classification by encrypting data for an application or database without requiring costly application changes. The design of new IBM Fibre Channel Endpoint Security for IBM z15™ extends the value of pervasive encryption by protecting data flowing through the Storage Area Network (SAN) from IBM z15™ to IBM DS8900F or between Z platforms. This occurs independent of the operating system, file system, or access method in use, and can be used in combination with full disk encryption to ensure SAN data is protected both in-flight and at-rest.

Redact sensitive data with IBM Z Data Privacy for Diagnostics

Even though IBM has earned a reputation for being a stable platform, problems do occur and diagnosing these problems often requires organizations to send diagnostic reports to IBM or other vendors. It is possible for sensitive data to be captured as part of the error reporting process and there is no easy way for an organization to determine what data has been captured. This can pose a problem for compliance with data privacy regulations. With IBM Z Data Privacy for Diagnostics, a z/OS capability available on IBM z15™, you maintain control when working with third-party vendors by redacting data tagged as sensitive and creating a protected diagnostic dump that can  be shared externally.

Source: ibm.com

Continue reading

Three ways to collaborate to improve cybersecurity

The stakes are high in enterprise security. Data breaches can damage your organization’s reputation and result in significant costs (USD 3.86 million for every breach on average according to this Ponemon Cost of a Data Breach study). They can also destroy customer trust. Recent research has found that more than 78 percent of customers would not automatically return to a business following a data breach. In short, data breaches are just bad for business.

You’re likely aware that data breaches impact the whole organization. All enterprise systems are potential cyberattack targets, and the negative impact of a breach can reverberate throughout the business. Whether you’re in security, IT, or operations, data security is your concern.

Collaboration enhances data security

When it comes to enterprise data security, you may find it challenging at times to connect the dots. If you’re in security, you need information about the IT solutions required to secure the data perimeter. If you’re in IT or operations, you need insights from your security counterparts to inform technology development and deployment.

Collaboration can bridge this gap. IT and security groups can work together to ensure that security needs are baked into IT initiatives, and that security issues are optimally addressed by technology. By collaborating closely, your two groups can maximize transparency and make the best security and IT decisions.

Here are three ways security and IT can collaborate to enhance cybersecurity.

1. Consider security needs in technology development

If you’re a security practitioner, you’re plugged into the most urgent and relevant security concerns. You also understand how these concerns impact the enterprise. If you’re an IT practitioner, you’re aware of these issues and that they may impact applications you build. You can incorporate security peers’ insights into your IT projects to ensure your initiatives address all potential data-security risks and mandates.

For example, the recently enacted GDPR standards apply to virtually any personal data gathered by an enterprise that does business with or in the European Union. Before developing a new program that will use or request customer data, you must ensure that the program complies with GDPR mandates. Involve your security peers as early as possible here. Their early insights will help ensure that GDPR compliance is built into the application, not tacked on as an afterthought. A little collaboration at the start can save you a lot of headaches later.

2. Use IT to solve security challenges

The solution for an enterprise data-security challenge is often technology. This creates a natural synergy between security and IT practitioners. If you’re looking to address a data-security concern, one of your first conversations should be with your counterparts in IT. Often they will have the hammer for your nail, or they will be able to build the hammer.

Say you’re a security practitioner and your CISO has informed you that only a small portion of your enterprise data is encrypted. You probably both know, as the Breach Level Index has detailed, that unencrypted data is significantly more likely to be stolen by cybercriminals. Since expanding data encryption will likely require technology, you should then meet with your IT counterparts to discuss a solution. Perhaps they can find a way to devote more computing power to encryption so that a larger percentage of data – or at least the most sensitive data – can be encrypted. Ideally, they will be able to efficiently encrypt all database, application and cloud enterprise data through the mainframe.

When pondering your most vexing security challenges, make a discussion with your IT and operations counterparts a priority. They’ll often have just the tool you need to get the job done.

3. Reframe security conversations

It can be tempting to view security as the naysayer of the business, always warning about what could happen or what should not be done. Such a view may steer some IT practitioners away from engaging with the security team as they should.

Security conversations don’t have to be negative. You and your security counterparts are responsible for making them productive and positive. Discussions should focus less on how security concerns are holding business back, and more on understanding risks and alternatives. For instance, as mentioned earlier, in the age of GDPR security practitioners will likely raise a red flag about any application that collects and uses customer data. This doesn’t mean that the application can’t be developed or even has to be drastically changed. The developer simply needs to make sure that processes for collecting, using and storing this data comply with the mandate. IT and security practitioners should work together before development begins to outline a process that is compliant without compromising user experience.

A final thought: Stay informed

Enterprise security is everyone’s job. Accounting for security in technology development, and the other way around, will create an ongoing positive feedback loop in which security is woven into the enterprise needs and solutions.

If you’re a security practitioner, you’re already living and breathing security, but some time with your IT counterparts can help inform your security strategies. If you’re in IT, consider investing some time in cybersecurity education. You don’t have to become an expert. But you should be plugged in on the latest security issues, from the most recent high-profile data breach to any new data regulations. SecurityIntelligence.com provides news and insights that keep you in the loop on today’s critical data security issues.

Collaboration, supported by a base of security and IT knowledge, will help ensure an engaged team, improving cyber security for your enterprise.

Discover how to stay secure while remaining efficient and agile

Download the Solitaire Report

Source: ibm.com

Continue reading