Security and Privacy
Today’s digital society is built on the fast flow and analysis of information. The strides we make in gathering, routing and analyzing torrents of data hold the promise of an ever-brighter future, a vision we at IBM refer to as Smarter Planet. But behind these data are real people, real organizations and real concerns about privacy and security.
Balancing the potential of this modern technology with the privacy and security of our employees, our clients and their customers, and citizens in general is something we take very seriously at IBM. Our business depends on it. As a company, we are constantly evaluating these issues in the context of technological and cultural change. In doing this, we consider the role that IBM can and should play in addressing privacy and security concerns, both as a seller of information technology products and services and as a responsible corporate citizen.
We advocate an approach known as “privacy and security by design.” By that we mean that leaders responsible for the systems that serve society—systems like healthcare, transportation and utilities—should ensure that privacy and security are addressed from the start and not as afterthoughts. A holistic approach to doing so means the right policies, frameworks and technologies are put in place to facilitate ongoing security and privacy and earn the confidence of stakeholders.
In 2010 we engaged these issues in multiple ways. We have been leading developers of privacy- and security-enabling technologies. We have collaborated with business and government leaders to work toward public policies that enable both individual privacy and continued innovation. And as always, we worked to give our own employees the knowledge and reinforcement they need to champion security and privacy, both inside and outside of IBM.
Privacy by Design
New privacy-protective technologies. A focus on innovation-friendly, business-ready privacy protection in government policy. Informed and enabled employees and consumers. These elements must work together to protect individual privacy, support economic growth and clear the path for innovative, world-changing uses of data.
Some see technology as a threat to individual privacy. But we know that technology can protect privacy as well. For decades IBM has been a leader in developing privacy-enabling technologies, or PETs. Over the course of 2010, IBM developed or refined our portfolio of critical PETs, such as homomorphic encryption, privacy-sensitive identity management, data masking and management techniques, privacy-enabled RFID and anonymization.
These technologies, and others like them, will play a critical role in protecting privacy in the digital age—as long as they are adopted and broadly applied. One way to encourage broader adoption is through collaborative standards bodies that combine public and private sector leadership. That’s why IBM joined forces with Microsoft to pilot cryptographic technologies that will enable European citizens to better protect their privacy and identities. The project, called ABC4Trust, uses privacy-enabling technology that will be piloted at a university in Greece and a secondary school in Sweden.
The four-year project will test privacy-preserving Attribute-Based Credentials (ABC) that allow the user to prove just the required information, without giving away a full identity. For example, instead of sharing the exact birthday or address, by providing a copy of an identification card users only prove that they are over 18 years of age and a student of a university or a citizen of a specific municipality, state or country. The ABC system will make use of IBM’s Identity Mixer and Microsoft’s U-Prove technologies.
Within IBM, we mandate information security education for all employees from senior executives to recent hires, and have tailored a Privacy: What You Need to Know course for all employees who may handle personal data. We have implemented a global privacy self-assessment tool that guides employees who handle personal data.
Going forward, IBM is working with the academic community to better understand the privacy and security implications of the analytics age. In 2010, the company worked with Paul M. Schwartz, a University of California at Berkeley law professor, on a paper entitled Data Protection and the Ethical Use of Analytics. The paper was presented at an OECD conference to an audience of business and government professionals. Our hope is that it will serve as the starting point for an important conversation on the privacy implications of analytics.
Secure by Design
Security is an important aspect of the entire life cycle of a system, from design and architecture through to implementation, testing, deployment, maintenance and retirement. Systems designed and architected without security as a required attribute must be protected by other external means. But when one attempts to “bolt on” security to an existing system, the result is likely to be less effective, more expensive to maintain, harder to use and slower than desired. The resulting collection of systems may also still be vulnerable to security or reliability problems.
At IBM, we advocate a Secure by Design approach. We recognize our responsibility to shoulder our share of the technological challenge when conceiving, developing and marketing our technology solutions. But we also recognize the need for collaborating with public and private organizations that build market awareness of these issues and implement policy governing them. We understand our educative responsibility, not just our engineering responsibility.
Along these lines, in March 2010 IBM announced the formation of an Institute for Advanced Security, which helps clients, academics, partners and other businesses understand, address and mitigate the complex, multidisciplinary issues associated with securing cyberspace. Based in Washington, D.C., the Institute provides a collaborative environment for public and private sector officials worldwide to tap IBM’s vast security expertise to help them more efficiently and effectively secure and protect critical business information threatened by cyberthreats.
The global nature of information technology development today necessitates the application of secure engineering principles across the industry and across global development teams regardless of their physical location. Thus in December 2010, IBM announced its founding role in The Open Group Trusted Technology Forum (TTF), a global standards initiative that will provide a collaborative, open environment for technology companies, customers, governments and supplier organizations to create and promote guidelines for manufacturing, sourcing and integrating trusted, secure technologies. The forum’s objective is to shape global procurement strategies and best practices to help reduce threats and vulnerabilities in the global supply chain.
The TTF is a proactive response to the changing security and cyberthreat landscape and will address the mitigation of risks potentially introduced by vulnerable supply and development processes. Founding members are Boeing, Carnegie Mellon SEI, CA Technologies, Cisco, HP, IBM, Kingdee, Microsoft, MITRE, NASA, Oracle and the U.S. Department of Defense. Chaired by an IBMer, the forum will operate under the stewardship of The Open Group, an international vendor- and technology-neutral standards consortium.
In addition, IBM last year published a RedguideTM, in which we shared IBM’s Secure Engineering Framework (SEF). The Secure Engineering Framework describes IBM’s experience in creating an end-to-end approach to product delivery, with security taken into account. IBM published this Redguide in the hope that interested parties—whether they be clients, other IT companies, academics or others—can find these practices to be a useful example of the type of security practices that are increasingly a must-have for developing products and applications that run in the world’s digital infrastructure.
It includes sections on education and awareness, project planning, risk assessment and threat modeling, security requirements, secure coding, test and vulnerability assessment, documentation, and incident response. The Redguide can be downloaded here.
Featured IBM Initiatives
A Century of Shared Value
As IBM celebrates 100 years of building a responsible enterprise, we look back at several moments that have defined our values and served as cornerstones in our pursuit of progress.Launch Feature
Smarter Cities Challenge
The Smarter Cities Challenge is a competitive grant program awarding $50 million worth of services and expertise over the next three years to help 100 cities around the globe address a wide range of challenges.Launch Feature
Celebration of Service
IBMers worldwide are improving the communities in which they work, learn and live by pledging time and expertise. IBM honors their commitments with a program of new and expanded grants, and the opportunity to join a global effort.Launch Feature