Will ISS give IBM some credit on the security market ? That's of course a provocative thought, as IBM - owner of the Tivoli brand - is a major player in Identity & Access Management. Nevertheless, the last Forrester Research report (see footnote) crowns Big Blue as a "market leader" in managed security services (MSS). And that's clearly thanks to ISS.

When IBM buys Internet Security Systems (ISS) in august 2006, it snatches a MSS pioneer : ISS is being practicing in this area since the end of the 90's. All it took was to create a special expert team (the X-Force) and let it help clients having trouble to manage their IDS probes. In 1999, ISS buys Michigan-based MSSP Netrex Secure Solutions. Eight years later, ISS oversight more than 7500 security equipments across the world, for more than 1800 customers, from five Security Operations Centers (SOCs). And while ISS is now an IBM Business Unit, the focus stays on services. "The market has long answered security needs through products. But I believe that tomorrow, it will do it through an unified service offering", says Gérald Bourtguize, Country Manager IBM ISS France. But it will probably goes a step further than mere log management, the basic service a MSSP offers. "We do include in security services the audit, certification and risk management processes", explains Loïc Guezo, Security and Privacy Consultant (CISSP) at IBM Global Technology Services.

Of course, letting another company handle its security still is a sensitive area for many companies. While ISS achievements were so far noteworthy, it now counts on its parent company's reputation to boost its results and help convince customers to trust them with the crown's jewels. "IBM already has a reputation for managing sensitive equipments across many companies", notes Gérald Bourtguize.

Forrester's report about MSS confirms IBM's view in that manages security services will evolve from simple management to full service offerings, embracing strategic views and risk management. With IBM's stature, its already tuned-up Services business unit, ISS is in a very good position to take MSS to the next level. Nothing has been reveled yet in Big Blue's MSS strategy, but every pieces of the puzzle are in place : upstream, the risk management and security policies definitions, and downstream traditional log and equipments management, along with the daily expertise of security. IBM Global Technology Services already assists customers with building an Identity Federation service so they can offer it to their own business partners. We can very well imagine ISS handling all authentication services in this offering.

Nevertheless, it does not seem that IBM is forgetting about products in favor of services within its security practice. This November, Big Blue announced its intention to spend $US 1,5 billion in 2008 for security products development. This is twice what it usually spend on this. And of course, this R&D investment will benefit to current products as well, both within the IBM original security lineup (Tivoli) and ISS (Proventia). Five main areas of investments are mentioned :

• Information Security
• Threat and Vulnerability
• Application Security
• Identity and Access Management
• Physical Security

To fire-off this strategy, IBM unveiled three new security tools, mainly within the audit & compliance business : IBM User Compliance Management Software, IBM Quickstart Services for Tivoli Compliance Insight Manager and IBM Online Application Security and Compliance Management. ISS also announced Proventia Network Mail Virtual Appliance, a security solution aiming at protecting emails within virtual environments.