CRN Interview: Mike Twomey, IBM Tivoli

A year ago, IBM's Tivoli unit was the trailing player in IBM Software's drive to the channel. Today, Tivoli is quickly becoming the point guard that sets the play for IBM Software in the channel. As Tivoli moves to enrich ITS product suite, the latest addition to the company's game plan includes a recent upgrade to IBM's identity management software. In an interview with Editor in Chief Michael Vizard, Tivoli Vice President for Business Development/Channels Mike Twomey talks about the role that identity management plays in security solutions and explains why identity management is at the root of IBM's overall On-Demand computing solutions for the channel.

CRN: How do you draw the connections between IBM's identity management tools and the rest of the Tivoli product line that is focused on storage, system management and other areas of security?

TWOMEY: The storage products today that we offer are backup and recovery solutions under Tivoli storage management. That provides a level of protection to data as well, and our storage resource manager product offering provides customers the ability to optimize their storage resources. The linkage is the on-demand operating environment. Security and identity management is about provisioning of identities in your environment and doing that in a dynamic way. Storage management, with our latest acquisition of a product we call Provisioning Orchestrator, is really around provisioning the IT resources to the identity. We see it as a triangle where you have a relationship between the user and the IT resource, a relationship between the business process and the IT resource and a relationship between the user and the business process. We link that all together.

CRN: What kind of role does IBM play in the security space, given the perception that companies such as Symantec and Check Point Software Technologies are the specialists in this area?

TWOMEY: Companies like Symantec and Check Point, who we partner with, provide antivirus capability and firewall capability. Those are things that users recognize most readily. But I think if you talk to CIOs, they would clearly recognize this higher level of security around access, authorization and administration. There are higher levels of security such as policy-based management around identities, around access to applications, around privacy policies, around access to directories and integration and coordination among various directories. That's the space we're playing in.

Our approach is that we are delivering a higher-level management above operational security that does not compete with antivirus, firewall and VPN providers. We integrate with their products and partner with them.

CRN: How cognizant are people of application-level security and identity management in general these days?

TWOMEY: We are seeing a big push in the last six months, especially around managing identities and policy-based access management to applications. That interest is really coming from the major business application providers. We're working with all of the major business application ISVs to ensure that our products are tightly integrated. Right now we've integrated our access management with SAP, PeopleSoft and Siebel and we're working with all of them to ensure they provide integration of all of our products. There is an imperative coming from the customers that is being placed on the business application ISVs to provide efficient and effective identity and access management capability in an automated way.

CRN: What kinds of ways are there for partnering with Tivoli?

TWOMEY: One way is out-of-the-box integration with some of the leading security vendors so that we take their alerts and we can, for example, correlate those alerts in our risk manager product. We have out-of-the-box integration with all of the leading firewall and antivirus providers. In addition to that, we have the Ready For Tivoli program, where we work with ISVs around their solutions and then we certify that our solutions work together with their solutions. And we're working with another 20 or so ISVs that we're going to certify by the end of the year. That's the way a partner would bring the solution to the marketplace. In some cases, the ISV is the reseller. At the same time, we partnered with systems integrators and VARs. And we're seeing VARs now out there creating their own solutions and ISVs are also choosing to resell more products.

CRN: In terms of long-term security trends, how long will it be before the industry as a whole can be proactive rather than reactive to security threats?

TWOMEY: More and more you see system and security management providers looking to be proactive in terms of doing the analysis and then being able to take action based upon that analysis. We have a data warehouse that has reporting capability. What we will be announcing soon is significantly enhanced reporting capabilities, and we signed a deal with a major reporting vendor. This will allow us to do proactive analysis based upon events that occurred and build some of that analysis into our products so that actions become preventative instead of reactive.