Rapid Development of IBM Tivoli Compliance InSight Manager Product

Customer

Founded in 1986, Consul risk management is an authority in policy-based security audit and compliance. The Consul InSight™ Suite provides the unique ability to capture comprehensive log data, correlate the data through sophisticated log interpretation, and communicate results through a dashboard for full audit and compliance reporting. To reduce threats posed by privileged insiders, Consul InSight monitors change management procedures, acceptable use policies and user authorization processes against company and regulatory policies.

More than 350 customers around the world rely on Consul to accelerate log management and user monitoring, including AEGON Canada, Blue Cross/Blue Shield, Fidelity Financial Services, Ford, Kroger, The New York Times, Office Depot, Philadelphia Stock Exchange, Wachovia and government agencies. Consul has offices in the United States and the Netherlands, and 25 partners worldwide, including BMC Software.

In October 2006 Consul was acquired by the IBM. It became a structural sub-division and was named IBM/Consul. In such a way the IBM Tivoli product line was enhanced by the number of applications, aimed to ensure the security in the local network of an enterprise. Accordingly, the product name was changed to Tivoli Compliance InSight Manager or TCIM.

Product

Focusing security on the inside, only TCIM provides ability to consolidate, normalize, analyze and report on vast amounts of user behavior and system activity. As a result, organizations can quickly and easily reveal who touched what within the company (with real-time alerts and proactive reports) and compare that activity to an established internal policy or external regulation. Organizations rely on the policy-based approach of InSight to simplify insider security auditing, compliance monitoring and enforcement for heterogeneous environments, ranging from super servers to the desktop. Customers turn to IBM/Consul to manage one or more of the three urgent concerns:

• Data overload: Today’s organizations are drowning in an overwhelming volume of data delivered by diverse operating systems (Windows, Linux, UNIX, zOS, OS/400…), security devices (firewalls, intrusion detection systems), applications and databases.
• Trusted user monitoring: Unfortunately, this flood of data delivers little actionable insight into what users are doing within the company – accessing, using and releasing sensitive information vital to business operations, closely governed by regulations, and required for corporate information risk management initiatives.
• Regulatory compliance: The wave of Government regulations and Industry standards around information security and privacy (e.g., Sarbanes-Oxley, GLBA, HIPAA, ISO 17799, Basel II) are forcing organizations to institute more stringent policies and auditing processes to ensure compliance with new information assurance standards. Engaging into a TCIM development project, companies strive to solve these problems together with reducing risk and lowering costs.

The product quality analysis should not end at the stage of information gathering and analysis. The user interface is very important also. In this regard the TCIM is a very mature product. It allows the user to receive the aggregate reports for a defined period of time; review any events happening in the system itself. If the customer has any specific needs, he/she may use a specially designed language of requests creation that allows to generate even very complex reports.

In such a way TCIM is a unique product with an original technical solution allowing processing billions of informational units; as well as quickly, effectively, and reliably monitoring any attempts to break the security.

History and Solutions

ScienceSoft started work on TCIM development in 2004 on a sub-outsourcing approach. At that time services of one more outsourcing company, Miratech, were used.

Initially ScienceSoft had the following goals:

• Create teams of the multi-profile experts during very tough deadlines;
• Complete informational and development integration into Consul working environment;
• Participate in the InSight product development;
• Establish the technical product support;
• Create the general development processes for both: ScienceSoft and Consul, and implement them;
• Support the modernization of tools and employed technologies;

ScienceSoft successfully performed majority of the above-stated tasks during a very short period of time. What ScienceSoft has done in two months:

• Established a team of 19 developers;
• Created TCIM Development and Test labs in accordance with the Consul requirements;
• Performed a number of technical events aimed to integrate environment of the ScienceSoft company into Consul environment, such as:
  • Merger of local networks (dedicated VPN connection was established);
  • Installation and merger of knowledge databases and working environment on the basis of Lotus Domino DB;
  • Establishment of the communication channels between development teams of both companies.

To ensure a smooth knowledge transfer and close partnership between companies, ScienceSoft organized a business trip of our developers to Consul. At the end of October 2004, the team was approved by the Consul’s management as the team, satisfying their requirements towards outsourcing suppliers, and started working on TCIM development project.

In four months, the first version of the product (InSight 5.0 SP2) was launched. It was created in close cooperation with ScienceSoft.

During joint work ScienceSoft proved to be a reliable partner, so the Consul’s management decided to transfer all the testing activities from the Miratech to ScienceSoft company.

In a couple more months the next product version (InSight 6.0) was launched and the next release version (InSight 7.0) was planned within a year.

The release of InSight 7.0 was rather complicated, because Consul faced difficulty with managing and establishing effective development processes with Miratech. This might have led to a loss of product quality, as the deadlines were under the threat of being missed. But mostly thanks to the ScienceSoft input and hard work the product was released in time and met the budget limits.

Consul appraised the high quality and dedication of our professionals’ work and made the final decision to transfer all the development works from Miratech to ScienceSoft. Thus, ScienceSoft became the only outsourcing supplier of Consul.

In a year, one more release version (InSight 8.0) and an interim strategic version (InSight 7.0 Day One) of the product were launched. While working on the Consul’s projects ScienceSoft performed the Consul’s development processes analysis and, based on its experience, offered a number of measures for their improvement. It allowed to use the time and resources more effectively and increase the quality of development. New processes established clearer definition of the roles and responsibilities in the project, more accurate documentation process, easier changes tracking approach, and more effective system of corrective measures.

ScienceSoft keeps using those established processes in its everyday work. Moreover, all the processes are ISO 9001 certified that confirmed their high level.

Changes into the TCIM development process were promptly accepted and employed by the Consul company. Well influence on the new processes’, project quality and deadlines is illustrated on the development of autonomous modules of the InSight product. InSight extracts log-files of the audited application and transfers the information into the patented form of data presentation – W7. Those forms are named Event Sources, and they are developed separately from the main application.

Specificity of such projects is that all the required knowledge is gathered by the developers during work on the project. During module development, they do carry examination and analysis of the audited platform or application in order to reveal messages showed at various states of application’s work.

Before the updated processes were established, the time to launch one Event Source module was impossible to forecast and plan. ScienceSoft offered the following changes into the process of Event Sources development:

• Establishment of Pipeline Model, when 2 developers are working on the same module
• The following order of development stages became obligatory: Specification → Implementation & Integration → Testing → Stabilizing. System of gate-meetings allowed fixing the result of the previous stage and moving to a new one.
• System of check-lists was developed to ensure the control over each stage results.
• System of each stage results review helped to increase the performance quality.

All those measures allowed to decrease the time needed for one Event Source project development from 5-6 to 3 months! Moreover, the developed documentation and received knowledge is stored in the special DB, which helps to use existing tools and modules repeatedly. Thus, ScienceSoft keeps increasing the effectiveness of its processes. It is also worth mentioning that well established approaches and processes were so in line with IBM native processes, that it was one of the key factors for a positive decision on the merger of the Consul with IBM company.

Results

• ScienceSoft proved itself to be a reliable partner, so Consul’s management decided to outsource all works to one outsourcing supplier – ScienceSoft. Thus, there was no need any more to divide TCIM development work between several outsourcing partners in order to decrease risks.
• During collaboration between our companies 4 major releases, one strategic release and 20 Event Source modules were successfully completed.
• Each developer has skills in several technologies and fields. Experts are experienced in development, management, architecture creation taking into account application specifics and requirements.
• At this moment all development and partially management are concentrated at the ScienceSoft’s side. At Consul’s side high-level architecture, requirements gathering to new product functionality, strategic planning and partially project management has remained.
• ScienceSoft has a dedicated architect for Event Source modules development. Center of Consult’s customers support was established on the basis of ScienceSoft’s team
• Each month 2 employees from ScienceSoft visit Consul onsite to knowledge transfer and process improvement.
• At this moment ScienceSoft works on the following version of InSight product, which will include special solutions and technologies of IBM.

Technologies and Tools

INSIGHT PRODUCT

Languages: C/C++, Visual Basic, Java, Install Shield, Perl, bash/shell, Win batch, VBScript

Technologies: TomCat, Lucene, SSH, SQL, ODBC

Employed OS: Windows, AIX 4/5, HP-UX, Sun Solaris 8/9/10, AS390/400, Linux (SuSe, Red Hat), Novell

Databases: Oracle 8/9/10g, DB2 Viper

EVENT SOURCE MODULES:

Platforms and applications: Symantec, BlueCoat, Tru64, Novell NSure, McAfee åPO, Solaris, MSSQL, DB2, Sun System Identity Manager, Oracle, MS Exchange, IBM Tivoli for e-business, IBM Tivoli for Operating Systems, IBM Tivoli Directory Service, IBM Tivoli Federating Manager, IBM Tivoli Identity Manager

SPECIFICS

• TCIM development is performed in the special environment with usage of Lotus Domino and Consul Version Control
• The phase process was employed for short-term projects and iterative process for long-term projects.
• Event Source modules are developed with the help of Consul’s standards and specifications.
• Pipeline module is used for Event Source modules development. It helps to decrease the timeline and increase the product quality.
• ScienceSoft uses MS Project Server for project planning.
• MS Project Server and Lotus Domino were integrated for routine operations automation.
• All processes at ScienceSoft are transparent for Consul.