This week I am in Orlando, Florida for the IBM Edge conference. Here is a recap of Day 4 morning sessions that focused on Tivoli products.
- IBM Tivoli Storage Productivity Center Overview and Update
IBM Tivoli Storage Productivit Center overview and update
With my colleague, Mike Griese, presenting TPC 5.1 and the IBM SmartCloud Virtual Storage Center earlier this week, you might wonder what is left to say. Mike's session was intended more for clients who already have TPC deployed, but my session is more of an introductory session.
I was the original architect of the product back in 2000-2003, so have some insight into the history, motivations and design principles applied to each version of the product. It has evolved nicely over the years, and while I am no longer working full-time on the product, I am still very much involved, and am consulted by the current architects and product managers for direction and opinion going forward.
I presented an overview of the overall product as it stands today in its current v4.2.2 version, and gave a few highlights of what to expect in the upcoming TPC 5.1 announced this week.
- Encryption and Key Management in the Cloud: The Top 6 Concerns to Ensure a Secure and Reliable Solution
This was a split session with two speakers. The first speaker was Richard Moulds, VP of Strategy and Marketing from Thales, and the second speaker was Gordon Arnold, IBM Senior Technical Staff Member (STSM) and Software Architect for Tivoli Security Management.
Richard presented security issues in the cloud. He is an author of several books, including "Key Management for Dummies" and "Data Protection and PCI Compliance for Dummies". Thales is a large French companay of 70,000 people nobody in the USA has heard of, but is a major company in the area of IT Security. He presented survey results about people's perceptions and attitudes towards encryption and security issues in the cloud.
The security threats in the Cloud were presented as the "Seven Deadly Sins":
- Data loss and leakage, including data that is not deleted with resources are re-used for other purposes
- Shared technologies, especially in Cloud environments that do not have robust multi-tenancy
- Malicious insiders, such as administrators being bribed to provide access to sensitive data
- Account or service hijacking, including those that pretend to be someone else, asking for password resets
- Insecure APIs for applications and services, many of these APIs were developed quickly, recently, and perhaps without the robust review from a security perspective
- Abuse of the Cloud, such as using the Cloud itself to crack passwords or break decryption passwords through parallel processing
- Unknown risk profile, as few Cloud providers have certified security capabilities
(Yesterday, [6.5 million LinkedIn passwords were compromised] by hackers. Hackers also got to eHarmony compromising 1.5 million user passwords.)
Gordon Arnold (IBM) presented IBM's Encryption and Key management. IBM has two products: IBM Tiovli Key Lifecycle Manager (TKLM) and IBM Security Key Lifecycle Manager (SKLM). These are KMIP v1.0 compliant today. The OASIS group is currently reviewing KMIP v1.1 enhancements that includes some suggestions from IBM.
IBM's use of Key Encrypting Keys on disk and tape has proven to be quite useful. The only copy of the encryption key is on the media, and is then encrypted by an authorization key. If you need to defensibly delete the data for compliance reasons, you can simply destroy the encrption key.
At lunch, I spoke with Scott Laningham who was doing video interviews. For years, Scott was the #1 blogger on IBM developerWorks until I took over the title last year. We discussed working on a video in the future on this.