BOSTON -- IBM software chief Steve Mills receives a monthly report on employees and contractors who have left IBM, and the actions taken to close off their access to sensitive information as soon as they walk out the door. Ideally, the very second a person's affiliation with IBM ends, that person's active identity within the business and all passwords will be wiped out, removing any access to intellectual property.
"I look at this every month," Mills said Wednesday at an IBM-hosted security event. "There are some months where someone will leave and the loss of their access will flop over to the next day."
IBM considers that an "escape" in its system, and analyzes what caused the escape and what actions are being taken to prevent it from happening again. It's a huge priority because, Mills said, IBM has to protect the intellectual property related to its software, and data thefts are perhaps most likely to occur at the time an employee or contractor leaves the business.
"This is a very complex and challenging problem," he said. "It requires thinking about it in a very holistic way."
Mills spoke in a keynote address to analysts, press and partners, and then expanded upon his views during an interview with Network World. Mills, the senior vice president and group executive for IBM's software business since July 2000, has overseen the acquisition of more than 50 software companies, and manages about 50,000 employees and business totaling 40% of IBM's profits.
Electronic identity and the ability to immediately de-authorize people as they move out of your business is paramount, both for employees and contractors, Mills said. But controlling access during their time of employment requires effort too.
IBM protects its software code with strict controls by granting most workers only partial access to code libraries, based upon their need to know. For example, only a small number of people would need to see all of the code related to a popular software product like WebSphere, Mills notes.
"We have fairly tight access controls for our code libraries to begin with," he said. "Only a limited number of people can get at the entire code itself."
Mills said IBM works with clients who have had angry ex-employees or contractors cause damage to electronic systems, but he said IBM has controlled its own intellectual property "extremely well" over the years. "Not unlike other companies, we've certainly had some suspicious activity where we've had to go back in and investigate that, no, people were not doing anything we didn't authorize," he said.
IBM's expertise in identity management carries over to its product offerings, including Tivoli Identity Manager and Access Control. For example, if an employee is leaving the business on a Friday at 5 p.m., Identity Manager allows the employer to specify the de-authorization time in advance so the passwords will stop working right then, Mills said.
"When his identity is gone all of his access and authorities will be removed," Mills said.