With Cloud Pak for Security, IBM Security is positioning itself as a best-of-breed security technology integration enabler, but its promising effort at creating a security platform integration framework (SPIF) is somewhat hindered by complexity related to corporate priorities.
Difficulty integrating best-of-breed security solutions from different vendors is a legitimate problem for CISOs and enterprise cybersecurity architects. If an organization's security products can't work in unison to share telemetry, accelerate detections, and coordinate responses, it can never achieve optimal ROI on its technology investments, and its security efficacy will be mediocre at best.
IBM Security's newly announced integration enablement solution, Cloud Pak for Security, is therefore a positive development. It is designed to enable rapid integration of best-of-breed security tools, helping organizations to generate deeper security insights. The containerized platform can be deployed in public, private, and hybrid cloud environments, and launches with support for Amazon Web Services, Microsoft Azure, and Google Cloud Platform.
Interestingly, unlike other SIEM-like integration solutions that gather information into their own data lake, Cloud Pak for Security's unified data service uses existing data repositories to avoid redundant data storage and to allow other solutions to do what they do best. IBM Security's Resilient security orchestration technology has also been built into it, providing the ability to enable orchestrated and automated response actions across products integrated with the SPIF.
Cloud Pak for Security is based on IBM Security's STIX-Shifter initiative, an open source project that uses the Structured Threat Information eXpression (STIX) language and serialization format for the exchange of cyberthreat intelligence.
STIX-Shifter provides a standardized mechanism for security products to connect to other security, cloud, and software data repositories. Specifically, it provides a library on Github comprised of Python-based software adapters that allow a standardized data query to be translated into a proprietary message query for a supported product, which in turn can return standardized results. It functions like a buffet of middleware whereby enterprises can integrate a given security product into a broader threat intelligence collection, analysis, and response infrastructure using one of its pre-made adapters, or eventually cook up their own adapter.
Cloud Pak for Security falls into the emerging security platform integration framework product segment. These integration hubs offer bidirectional connectivity among security products. Instead of numerous point-to-point integrations among various solutions, each product integrates just once to the SPIF, gaining the ability to interact with all the other SPIF-integrated products in a standardized way to share telemetry, identify threats, and undertake coordinated remediation. SPIFs enable faster, easier, more effective integration, and help to future-proof constantly evolving enterprise security product ecosystems.
The announcement comes on the heels of the launch of the Open Cybersecurity Alliance. The OASIS-based industry consortium, co-founded by IBM Security and McAfee, aims to improve the ability of cybersecurity products to transmit and receive data in a standardized format. IBM has donated its STIX-Shifter intellectual property to the initiative.
Unfortunately, like other commercial SPIFs, the first iteration of Cloud Pak for Security is struggling to overcome its own complexity. It requires adoption of IBM's recently acquired Red Hat OpenShift hybrid cloud application platform based on Kubernetes, the open source container orchestration system. Cloud Pak for Security is pre-integrated with Red Hat OpenShift and includes licensing, but some organizations might balk at the complexity. In addition, IBM's library of connectors is still limited, meaning that many organizations will have to learn how to develop or work with other vendors or solution providers to acquire the connectors they need.
Even its name, Cloud Pak for Security, poorly articulates what the solution actually does. The original name, IBM Security Connect, was dropped in order to align with the Cloud Pak brand, which IBM uses to identify various cloud-enablement efforts. In this case, regrettably, the desire for corporate synergy outweighed pragmatic product branding.
Issues aside, enterprises are increasingly understanding the importance of integrating disparate security products, and IBM Security deserves credit for making a significant investment to tackle the problem head on. Cloud Pak for Security will evolve considerably in the months and years to come, but is already worth a look by existing IBM Security customers that want tighter, more effective security architecture integration.
Platform Plays and the Future of Security Management, INT005-000023 (August 2019)
"Open Cybersecurity Alliance to push for easier and better security product integration," INT005-000051 (November 2019)
"RSA 2019: Consolidation and integration were major themes this year," ENS004-000060 (April 2019)
Eric Parizo, Senior Analyst, Infrastructure Solutions