Click here to view the embedded video.

It’s not too late to weigh in with your opinion, however. Watch the videos and “Like” away!

People power will come to life 
Click here to view the video and vote for this as the coolest IBM 5 in 5 prediction by clicking the “Like” button below the video.

You will never need a password again
Click here to view the video and vote for this as the coolest IBM 5 in 5 prediction by clicking the “Like” button below the video.

Mind reading is no longer science fiction
Click here to view the video and vote for this as the coolest IBM 5 in 5 prediction by clicking the “Like” button below the video.

The digital divide will cease to exist
Click here to view the video and vote for this as the coolest IBM 5 in 5 prediction by clicking the “Like” button  below the video.

Junk mail will become priority mail
Click here to view the video and vote for this as the coolest IBM 5 in 5 prediction by clicking the “Like” button below the video.

Technorati Tags: IBM 5 in 5

To vote for this as the coolest IBM 5 in 5 prediction, click the “Like” button below.

Read an in-depth blog post about the prediction by an IBM researcher.

Please participate in the Twitter conversation at #ibm5in5

In that vein, this summer a small team of privacy professionals coalesced around a promising idea–providing non-profit organizations with free legal advice on responsible and pragmatic practices for protecting individual privacy and data security.

Our work led to this month’s pilot launch of the Pro Bono Privacy Initiative, under which over a dozen professionals are engaging with a handful of human services agencies, helping them to navigate mission-critical privacy and data protection considerations.

I’m hopeful that our pilot is the start of a meaningful movement that will unite lawyers and other experts in privacy and data protection in service to a cause bigger than any one of us or our organizations. 

Why is this important? Because a powerful convergence of developments has created a real need for every sector, not just non-profits, to boost attention to privacy and data security. Just consider these defining characteristics of our world:

• More data. IDC predicts that between 2009 and 2020 the world’s digital data will grow expontentially, 44 times over, to a volume — 35 zettabytes (10 to the 21st power) – that defies easy understanding. And because it’s digitized, much of that data will be easily accessed and manipulated.
• More risk. Access to more data brings with it obligations to use it properly:  to safeguard it, to meet privacy expectations, to comply with law. And given an evolving cybersecurity landscape, everyone—even the most sophisticated players—must continue rising up to the security challenge.  My colleague Jeff Jonas blogs eloquently on this point.

These trends affect every organization, regardless of industry or size. So it’s no surprise that in the past decade many more organizations have appointed individuals to help them chart a course thru the shifting industry standards, regulations and best practices that have emerged. It’s no wonder that the International Association of Privacy Professionals has grown from 15 to over nine thousand members in just a decade!  Surely this is a sign that the “profession” of privacy has arrived, and just like any profession, is now ready to give back of its expertise to society for the greater good.

As it happens, most of us in this field work in business or large government agencies. But according to Independent Sector, there are 1.4 million non-profits in the United States serving the broad public interest by providing services such as homeless shelters, domestic violence assistance, and nutrition support. These organizations are just like business, in that they too are looking to tap into ever-increasing amounts of data to do things like improve their services and understand and engage their supporters.

And just like others, these non-profits are increasingly likely to encounter privacy and personal data security-related issues that they must understand, analyze and plan to address. Many would welcome a source of expert assistance, particularly if it came at no cost.

That’s where the Pro Bono Privacy Initiative can help. During the 6-month pilot phase, privacy and security experts will advise participating non-profit organizations on responsible and pragmatic practices they should consider and follow, to protect individual privacy and data security. As part of the pilot, I’m delighted that my team at IBM is sharing their data security and privacy expertise with an outstanding organization: Safe Horizon, the largest victims assistance agency in the United States.

After the pilot ends, the Initiative’s leaders will assess what we’ve learned, and decide how to take this promising idea forward.  I’m not sure where our path will lead, but I’m confident that with the committed group of privacy leaders and advisers assembled, we will have positive impact on our communities and our professions.

P.S. If your non-profit or other type of organization wants more information on the Pro Bono Privacy Initiative, contact us via its Web site.

Technorati Tags: IBM, International asociation of privacy professionals, Pro Bono Privacy Initiative, Safe Horizon

Andreas Wespi

Harm could come in many forms, but some of the most hurtful scenarios for attacks on the Internet of Things  include electrical power and communications blackouts, disruption of air traffic and roadway traffic lights, interruption of oil and gas exploration and contamination of water. So far, these concerns are mostly theoretical, but the spread of  Stuxnet, the computer worm that targets control systems at nuclear power plants, shows just how dangerous such attacks can be. The worm knocked out about 1,000 centrifuges at Iran’s Natanz uranium enrichment plant last year–and atomic energy experts warn that it has the capability of creating Chernobyl-like disasters. “We have to understand the new threats and understand how to protect our own infrastructure,” says Andreas Wespi, a cybersecurity expert at IBM Research’s Zurich laboratory.

Attacks will likely come in two ways: to the sensors and to the servers that gather, store, and analyze information from the sensors. Both kinds of vulnerability must be addressed.

Let’s start with the sensors, which Wespi calls “the weakest link in the system.” Sensors connected to the Internet can take many forms, ranging from simple devices that measure things like temperature to video cameras that monitor the physical security of anything from city streets to remote oil pipelines. We have to develop and deploy new technologies that signal when sensors are not working reliably or have been tampered with. IBM  scientists are developing technology that can be embedded in sensors, to do just that. One of the challenges is that simple sensors much be very inexpensive to be affordable on a mass scale, so the modules that IBM is developing must be extremely cheap–costing just pennies per device. Also, it will be vital to embed security in the sensor networks before they’re installed, rather than trying to retrofit them later.

A lot of work has been done over the past two decades to defend computer servers and networks from malicious attacks, but the emergence of the Internet of Things is forcing cybersecurity experts to rethink how such assets are protected. In the past, one of the key strategies for protection control systems was to isolate them from other networks. But now that control systems are being connected to the Internet, that approach won’t work well anymore. What’s needed, Wespi says, is a multi-tier security system–combining protections for individual servers and applications with more powerful access controls and network monitoring.

The Internet of Things creates exciting new possibilities, but it can only deliver on its promises if it’s reliable and trustworthy. Now is the time to start addressing these concerns.

Technorati Tags: IBM, security, sensors, Stuxnet, The Internet of Things

That’s why a claim by one of IBM’s security mavens, Harold Moss, chief technology officer of cloud computing strategy, seems so surprising. “There’s a misconception that cloud is less secure than traditional IT environments,” says Moss. “The cloud can actually be more secure.”

How is that possible? I’m sure some of you disagree with his conclusion, and I invite you to weigh in with comments…

Moss gives three reasons for his assessment:

1) When companies shift computing tasks to the cloud, they’re on guard. They make sure a good strategies and technologies are in place to protect their data.

2) They don’t just move everything at once and treat it all the same. The company, or the third-party cloud service provider, can set up a security regime that’s suitable for the applications they’re moving.

3) A third-party cloud service provider is likely to have superior security technology and expertise than does a company that’s just protecting its own data. That’s because it can spread the cost of security over a number of clients, while an individual company has to shoulder the entire burden itself. (This consideration is especially important in the case of small companies.)

The key to safeguarding data in the cloud, Moss says, is specialization. “One size doesn’t fit all. Not all clouds are the same,” he says. For instance, when IBM engineers designed the security for Lotus Live social networking and collaboration services, their focus was on giving users the maximum amount of control over who they share their information with and under what circumstances. The security considerations are quite different for an SAP financial application hosted in a cloud environment.

The idea that all clouds aren’t the same came to IBM gradually. In the early days of cloud computing, some of the industry pioneers painted the vision of vast data centers equipped with one kind of computer and running one kind of software. Everything would be treated the same. At IBM, the various business units pursued strategies aligned with the capabilities they offer and the needs of their clients. So they ended up producing differentiated cloud services–and different security schemes. “It sort of evolved that way. But it turns out it’s a good idea,” says Moss.

Is Moss right? Or is this a bunch of self-serving IBM marketing spin?

Technorati Tags: cloud computing, Howard Moss, IBM, security

Today’s society is built on the fast flow and analysis of bits and bytes of information. The strides we make in gathering, routing, and analyzing this torrent of data holds the promise of an ever-brighter future. Still, behind these data are real people, real organizations, and real concerns, so we need to reconcile the competing goals of free information flow and individual privacy.

To support the ongoing discussion of this critical issue, IBM is joining other leading global businesses, non-profits, individuals and governments in celebrating international Data Privacy Day.

Digital privacy can seem elusive. If you’re a consumer, it can be difficult to figure out what information companies have about you, or where they’re getting it, or how they’re might use it. If you’re a business or government leader, it can be hard to figure out how to  responsibly use the personal data concerning individuals to do things such as conserve energy, reduce traffic congestion and suppress crime.

What’s at stake? Plenty. Getting data privacy “right” is an economic and social imperative. Trust and confidence in the security and privacy of the critical systems of our planet – especially the digital version of its central nervous system, the Internet – is foundational to individuals’ continued engagement and reliance on such things as online commerce, e-health and smart grids. If individual consumers don’t feel that their privacy and security are protected, they will not support modernization efforts, even though the capabilities of technology advancements are proven and the potential benefits to society are extensive.

Here’s an example of the tensions we face: The ability of smart grids to conserve resources relies on the ability of, and commitment from, consumers to monitor and modify their individual usage. An individual using a smart meter understands the difference in the cost of using electricity at peak versus non-peak hours and could opt to lower their usage during more costly time periods. At the same time, data from the meters can reveal sensitive information such as work habits, shower schedules, use of medical devices such as dialysis, and whether or not a house is occupied.

So, how does society move ahead with smart grids and other technology advances that rely upon individual or personal data, while addressing consumer privacy?

We need to foster new partnerships between governments and industry. One goal must be to build balanced commercial privacy policy frameworks that make it simple to share and analyze information responsibly, especially when it crosses borders.  An important element of such frameworks is the idea of industries voluntarily adopting enforceable privacy-protecting codes of conduct. We welcome some promising new thinking along these lines that is coming from the Obama administration.

We need to improve awareness of threats to privacy among people of all ages. People need to know how to protect their own personal data and how to properly manage data that relates to others. Within IBM, we mandate information security education for all employees from senior executive to recent hire, and have tailored a Privacy: What you Need to Know course for all employees who may handle personal data. IBM is also producing technology that allows people to give out just the information they want to share and no more–some of which is being showcased in a new data privacy research initiative, ABC4TRUST.

We need to foster widespread adoption of the principles of Privacy by Design. That’s the idea that organizations should build new technology systems and business processes from the ground up to protect privacy–rather than trying to tack protections on later. Our analytics guru Jeff Jonas is speaking today at the preeminent global conference on this topic.

New privacy-protective technologies. A focus on innovation-friendly, business-ready privacy protection in government policy. Informed and enabled employees and consumers. These are the elements that must work together to protect individual privacy, support economic growth and clear the path for innovative, world-changing uses of data.

And then we’ll really have something to celebrate.

Harriet Pearson is VP Security Counsel & Chief Privacy Officer at IBM

Technorati Tags: Analytics, Data Privacy Day, IBM, privacy, security, Trusted Technology Forum

The answer is yes, and a European research consortium is leading the way to delivering this capability on a mass scale.

The consortium, called ABC4Trust, is building safeguarding systems based on privacy-protecting technologies from IBM and Microsoft.  It plans on testing the systems in a university in Greece and a secondary school in Sweden. The technologies, called Attribute-Based Credentials (where the ABC in the name comes from), make it possible to build Web services and electronic ID systems that get just enough information to authenticate peoples’ identities, qualifications and permissions–but no more.

Today’s announcement of the research consortium and its project was timed to coincide with international Data Privacy Day, which is intended to bring attention to privacy threats that go hand in hand with living the digital life. “The more we use electronic communications and media, we’re revealing more and more information about ourselves–and it’s impossible to keep track of where the information goes and to keep it under control,” says Jan Camenisch, a cryptography researcher at IBM Research in Zurich who led the development of IBM’s Identity Mixer technology.

The first pilot program will be conducted at Norrtullskolan, a school in Soderhamn, Sweden. The system will allow pupils and parents to authenticate themselves when accessing the school’s social network and when communicating with medical and counseling personnel. The second pilot will be run at the Research Academic Computer Technology Institute in Patras, Greece. There, students using the university’s faculty evaluation system will be able to give their feedback anonymously. At the same time, the university will be able to confirm that a student is eligible to participate.

Participants in the pilots are issued electronic identity credentials, which they keep on a smart card or mobile phone. The credentials confirm that they’re eligible to take part–without giving our their names or other sensitive information. The Greek pilot will include a system for gathering feedback. “The hope is that students will participate in the evaluation system more readily if they’re assured of anonymity,” says Yannis Stamatiou, a math professor at the University of Ioannina who is the technical lead on the Greek pilot.

While Attribute-Based Credentials only address a narrow slice of the threats to digital privacy, they’ll be useful in a host of situations. For instance, electronic identity cards are proliferating rapidly in Europe, but along with their convenience they also bring problems. When a student uses their government-issued e-ID card to prove their age to access a teenage chat room or some vacationing family shows their passport at a hotel, they’re also handing over a lot of additional information. No good. So this kind of technology will be a key piece of our data defense systems going forward.

While new privacy-enabling technologies are being developed, Camenisch has some practical advice for consumers: “Minimize the information you send out, and, once you decide to give out information, try to control it by attaching usage policies that the people you give it to are obliged to follow.” That will take some effort, but, as anybody who has had their identity stolen will tell you, the effort to protect yourself is well worth it.

Some related links:

http://abc4trust.eu

http://idemix.wordpress.com/

Technorati Tags: ABC4Trust, cybersecurity, Data Privacy Day, IBM

Today we released the IBM X-Force Mid-Year Trend and Risk Report that gives insight into the latest Internet threats, trends among attackers, and a projection on future potential risk areas like cloud security.

The report is the industry’s most comprehensive analysis of vulnerabilities and security threats.  IBM is the only company with an extensive primary research team that uncovers, researches and catalogs vulnerabilities with a database that goes back 15 years.  Our Web crawler is second only in size to Google, allowing us to uncover malicious sites and categorize web pages.  We manage more than 20,000 security devices to gain firsthand insight into the types of attacks organizations face today.  As X-Force, we sign up for a lot of spam to stay in the know so that we can protect clients and educate the industry.

Click here to view the embedded video.

X-Force findings for the first half of 2010

Having this breadth and depth gives us an insightful, and sometimes surprising view into the security landscape.  One of the first things to note within the research findings is that the total number of vulnerabilities escalated to an all-time high, growing at a rate of 36 percent over the first half of last year.  The interesting observation here is the community in general is getting more diligent about reporting vulnerabilities and increasing public disclosure rates.

Other top findings include:

• –Web application vulnerabilities have surpassed all other threats to now account for 55 percent of all disclosures.

• –There are increasingly sophisticated attacks–especially with JavaScript–by computer criminals to hide their exploits within document files and web pages.

• –While phishing volume actually declined, financial institutions are still the number one phishing target, representing almost half of all phishing emails.

A trend to watch is virtualization. This is an area our report explored since historically there wasn’t a lot of vulnerability data existing. In the report, you’ll see that out of the vulnerabilities within this space, 35 percent open a door to the hypervisor, or core layer of the network.  Once an attacker has access to the hypervisor, they essentially have unfettered access to the data, systems and operations powered by the virtual network.

Why are tracking and identifying vulnerabilities important?  Vulnerability counts aren’t just impacting the IT security community. As the world becomes more instrumented, interconnected and intelligent, it means that power grids, cars, airplanes, utilities, food safety and many other products and industries are dependent on software and digital connections.  Any vulnerabilities can pose a threat to each of us on a daily basis.  The need for organizations to protect their computing infrastructure is becoming more critical every day.

Our goals in issuing this report are simple—to raise awareness and understanding of computer security issues and to shine a light on vulnerabilities to preempt disaster.  By understanding the vulnerabilities and risks within software, we can mitigate catastrophic events.

If anything, this report underscores how security is an increasingly complex undertaking for any organization.  In addition to the X-Force research team, IBM brings to bear a vast portfolio of resources to help clients strategically manage information technology and operational risk, including: six worldwide research labs, nine security operations centers, and 200 security-related products, and the world’s largest security services practice — 3,500 skilled security services professionals.
As you’ll see in the report, we’ve packaged the data in a way that you can easily put them into your own reports and presentations to share what is happening in security. You can also read updates on the findings of the reports and the latest threat information at the X-Force blog.

Many eyes word cloud of vulnerabilities against other word usage on the Web

Many eyes visualization of victims of phishing attacks

Many eyes visualization of the growth of web application vulnerabilities over the last decade

Tom Cross is the manager of the IBM X-Force Research Team. He is based in Atlanta, GA.

A key factor to achieving this is having the right security solutions for a shrinking, changing world. Protecting a company’s infrastructure with the right security approach allows it to take advantage of new technologies for collaboration, innovation and business growth – and respond to the changing dynamics of business more quickly. And IBM managed security services, along with the world-renowned X-Force research team, helps companies achieve that.

The new Security Operations Center in Bangalore

The newest addition to IBM’s managed security services infrastructure is found in Bangalore, India, where IBM is opening its ninth global security operations center (SOC). This state-of-the-art facility enhances IBM’s ability to provide managed security services clients with a high level of around-the-clock protection and service against threats. Building upon the global SOC network, clients will receive real-time analysis and early warning notification of security events, along with services such as 24/7/365 intrusion monitoring, virus and password protection and disaster recovery and data backup.

This new addition – which expands IBM’s infrastructure and security research and development activity – is yet another way in which we are expanding our security teams to match the traction and growth in this region of the world. IBM’s security professionals can already look at the billions of security events a day from Japan to India to the United States to Latin America from multiple types of businesses and industries. And the X-Force research team continues to use artificial intelligence, scanning and analysis capabilities to further improve the effectiveness of IBM’s security identification. As director of IBM managed security Rick Miller puts it, “With less downtime and less intense types of remediation provided by the new center, our security R&D and analysis allows us to be quicker and more pre-emptive than we already are.”