News Stay informed about the latest enterprise technology news and product updates.

PCI compliance drives identity management spending, says IBM's GRC chief

Kristin Lovejoy came to IBM as chief technology officer of Consul Risk Management, which was acquired by Big Blue in early 2007. Lovejoy helps contribute to IBM's company-wide security strategy, overseeing the company's governance, risk and compliance program. In this interview, Lovejoy talks about the challenges of being acquired and integrated into a new company, how compliance is driving spending on new identity and access management technologies and the importance of auditing.

We're also seeing a massive surge in the small and medium size markets. What we're seeing is that PCI in particular is driving activity.
Kristin Lovejoy
directorIBM Governance and Risk Management Strategy
When Consul was acquired, how difficult was the technology integration?
There was a good bit of integration work that had to occur. Most of it was around assuring that the product offering met the scalability requirements that had to be defined by IBM. IBM's acquisition of the technology undergoes a blue-washing process. The blue washing process assures that the technology sold to IBM customers are not packaged with any kind of code that is not documented—no open source components. Also the database infrastructure had to be reworked and released for DB2. Typically we see some staff leave a recently acquired company. Was Consul able to maintain its staff?
We maintained 95% of our employees, which is higher than the industry average. As part of the process of buying technology, what IBM does is make an extraordinary effort to acquire not only company and technology assets, but maintain the talent. So prior to the acquisition we had lengthy conversations about maintaining a partnership with the employees of the company. Some folks left right off the bat—our sales boss for example had worked for big companies and didn't want to work with big company. The only folks we've lost are those who we knew were not going to be staying with business. Also, from an IBM perspective, it wasn't as if people couldn't find a home in their geographical locations. For us and our employees, they didn't have to pack up and move. Have you invested in new hires?
There have been a large number of hires made. There's been a strong investment within the product development organization to extend the capabilities and functionality within the core product line. A second group was hired in the sales organization. Did Consul's existing customers have any problems with the transition to IBM?
It's impossible to have a perfect transition so there may have been one or two problems. By and large the customers transitioned quickly and effectively. We heard from customers that they were extremely happy with the confidence that IBM brought to them, because with startups, which was what we were, you never know. They were also confident that IBM was going to be investing in the product offering. Customers also said to us that they were much happier with what the IBM service agreements had to offer versus what we offered as a smaller company. And finally from a third perspective—in particular the security market—many companies are moving toward unified platforms. So our customers were excited about the potential to leverage the consul technology in context of the IBM infrastructure they already had in place.
IBM identity management:
IBM to acquire compliance software firm: IBM plans to acquire Consul Risk Management Inc., a Delft, Netherlands-based firm whose software tracks non-compliant behavior of employees.

IBM aims identity suite at compliance, audit pains: IBM has been on a shopping spree over the last several years to beef up its Tivoli identity and access management suite. Over the summer, Big Blue rolled out the results of its acquisitions.

IBM to boost security spending, push PCI DSS program: IBM plans to invest $1.5 billion on security research in 2008. The company is also using recent acquisitions to introduce a PCI DSS program.
You've been viewed as a leader in driving the implementation of auditing as a required step in identity and access management. Talk about the importance of auditing.
Of course it was Sarbanes Oxley where the concept was initiated. Section 404 required organizations to not only look at their business controls but also their IT controls. It points to a requirement that organizations adopt a control framework within the finance, accounting organization, making sure there's no conflict of interest. Sarbanes Oxley made people say trust is ok but now I have to verify. We saw a lot of companies want to be able to monitor privileged users such as database administrators and developers. They wanted to ensure that those that were working in the preproduction environment were only working in the preproduction environment.

In addition to Sarbanes Oxley, there have been over time lots of requirements like PCI DSS and HIPPA that requires you to do audit logging. These requirements, which always said you need to maintain the logs, are now beginning to indicate that it's not simply collecting logs, but you also have to be able to review the activity in logs and identify areas potentially anomalous activity. Many companies have already made investments for Sarbanes Oxley compliance. Is there still growth in investments in technology for compliance reasons?
Most large enterprises have effectively accomplished implementation of log management infrastructure. They're focusing today less on logging and more on analysis. We're also seeing a massive surge in the small and medium size markets. What we're seeing is that PCI in particular is driving activity. An organization accepting credit card transactions still has to comply with PCI and your outsourcers have to comply as well. Maybe software development that develops processing applications are using real customer data in testing, well they have to conform to PCI and do audit logging as well. There's a lot of room for growth here. We're doing a lot of businesses working with the outsourcers themselves. Talk a little bit about insider threats – more specifically threats posed by super users or privileged users. Can't insider threats be reduced by good hiring practices and employee reviews?
There are multiple levels of controls. Good hiring practices and security awareness programs are always important. Keeping track of negative performance reviews is another area. Keep employees well documented. Don't necessarily monitor, but review employee performance on a regular basis. Still, From an IT operational perspective, insiders by and large do not perpetrate harm deliberately. They're human. They make mistakes inadvertently or look at data they shouldn't be looking at because they're curious. By monitoring, you have ability to identify when people are going outside the established policies. Most threats can be minimized through ongoing training and awareness programs but not all of them.

Dig Deeper on PCI Data Security Standard

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.