HP's 3D Future: Sprout Visual Tour

Security experts are beginning to agree that, when it comes to secure computing, we don't need one line of defense, such as the firewall at the network's perimeter. We need multiple lines of defense that detect, block, and otherwise stymie malware and intruders. 

IBM has taken that approach with one of the first data center-to-cloud product sets for in-depth security. The Dynamic Cloud Security portfolio, introduced Wednesday, is meant to protect applications and data whether they're in the enterprise, in the cloud, or in motion somewhere between. Its products and services will become available in the fourth quarter.

"We're seeing a lot of customers move critical workloads to the cloud," said Marc van Zadelhoff, VP of strategy for IBM Security Systems. "We're providing security in three key areas: secure business user access; visibility on what's going on in the workload, including cloud workloads; and protecting the data," he said in an interview with InformationWeek.

IBM's protections do not consist of firewalls, antivirus software, or some of the other commonly used safeguards, because most IT managers already have those defenses and know they are leaky. Instead IBM has adopted a three-tiered approach that can be applied and monitored from a single pane of glass, trying to unite defenses against the usual variety of threats.

[Venture capitalists are backing startups that provide responsive, adaptive security. See Illumio Takes New Cloud Data Security Approach.]

One thing this combined view does is provide a constant watch over cloud workload activity, including what data individuals are accessing and from where they are accessing it. The IBM security tools are backed up by analytics built by IBM's Security Systems unit, based on experience on 20 billion daily security events that its Managed Security Services team encounters while monitoring systems around the globe. The team's platform is available as a service, providing background intelligence on the pattern of events that may be affecting the security of cloud workloads.

A review of online information about IBM's security offerings indicates that many of the monitoring and data protections existed previously in one form or another for defense of on-premises systems. With the advent of Dynamic Cloud Security, they've been extended to also work with IBM's SoftLayer cloud, software-as-a-service applications such as Salesforce.com, and the Amazon Web Services cloud.

If other parts of IBM are limping or missing -- x86 servers, for example, are gone from the product line -- IBM Security Systems is a business that has been growing at double digits for the past eight quarters, van Zadelhoff said. Gartner's research concluded IBM's unit was the third-largest security company in the world.

Dynamic Cloud Security provides visibility across a variety of cloud workloads, thanks to the IBM QRadar security analytics platform, which IBM obtained when it acquired Q1 Labs in 2011. QRadar receives a stream of information, including server log data, which it uses to establish the normal patterns of an application. It then can detect patterns that depart from the norm and alert an administrator or, in certain cases, block activity that is already underway. The Target breach doesn't qualify as a cloud security incident because it occurred on Target store premises. But if systems like Target's were running in SoftLayer, and a source in Russia started ordering the removal of 40 million credit card numbers, QRadar would detect it, alert managers, and interrupt such a move, van Zadelhoff said.

QRadar also dynamically analyzes the operations of individual users, running applications, networks, and mobile devices to determine their security posture. In a sense, it knows something about what they're supposed to be doing and matches it against what's going on, in a near-real-time sense. In addition to QRadar, other visibility tools will be made available in the suite.

Dynamic Cloud Security also includes a single sign-on service to authenticate users for a variety of applications and purposes. For example, a Salesforce.com user might also be able to check results from an application running on AWS or SoftLayer after signing in through the service. The service grants the correct privilege level and can decide whether the user is entitled to access a database or other service based on that privilege level.

The single-sign-on access is "a federated access system," Zadelhoff said. It extends to the cloud "the same risk-based authentication as used on-premises."

The portfolio also includes a set of data protection products and services, based in part on IBM's acquisition of Guardium in 2009. The protections include an ability to automatically discover, classify, and assess the sensitivity of data in the cloud. It can provide monitoring of activity concerning the data, both structured and unstructured, Zadelhoff said.

In a field not normally covered by data-protection products, Dynamic Cloud Security will inspect both Web applications and mobile apps for weaknesses in how they handle data. The service is located on IBM's BlueMix platform-as-a-service, where it "spell checks code for exposures and vulnerabilities," said Zadelhoff. It can pinpoint problem areas and allow developers to correct bad practices and remove vulnerabilities before the applications start running in production.

The data-protection modules will pay particular attention to activity by database administrators, enforcing the two-administrator rule (when called for) as a good practice for changes to data or attempted deletions.

Zadelhoff said there are no antivirus or firewall protections in the Dynamic Cloud Security package, but it draws information from those products and uses it in threat evaluation and response. Each of the three major security areas -- visibility into mixed workloads, user access, and data protection -- will include three or four offerings, and customers will decide what parts fit their security profile, he added.

Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data. In the Partners' Role In Perimeter Security report, we'll discuss concrete strategies such as setting standards that third-party providers must meet to keep your business, conducting in-depth risk assessments, and ensuring that your network has controls in place to protect data in case these defenses fail. (Free registration required.)