Rapid Development of IBM Tivoli Compliance InSight Manager Product

About Our Client

Founded in 1986, Consul Risk Management is an authority in policy-based security audit and compliance. The Consul InSight™ Suite provides the unique ability to capture comprehensive log data, correlate the data through sophisticated log interpretation, and communicate results through a dashboard for full audit and compliance reporting. To reduce threats posed by privileged insiders, Consul InSight monitors change management procedures, acceptable use policies, and user authorization processes against company and regulatory policies.

More than 350 customers around the world rely on Consul to accelerate log management and user monitoring, including AEGON Canada, Blue Cross/Blue Shield, Fidelity Financial Services, Ford, Kroger, The New York Times, Office Depot, Philadelphia Stock Exchange, Wachovia, and government agencies. Consul has offices in the United States and the Netherlands, and 25 partners worldwide, including BMC Software.

In October 2006, Consul was acquired by IBM. It became a structural sub-division and was named IBM/Consul. This way, the IBM Tivoli product line was enhanced by the number of applications, aimed at ensuring the security in the local network of an enterprise. Accordingly, the product name was changed to Tivoli Compliance InSight Manager or TCIM.

Product

Focusing security on the inside, only TCIM provides the ability to consolidate, normalize, analyze, and report on vast amounts of user behavior and system activity. As a result, organizations can quickly and easily reveal who touched what within the company (with real-time alerts and proactive reports) and compare that activity to an established internal policy or external regulation. Organizations rely on the policy-based approach of InSight to simplify insider security auditing, compliance monitoring, and enforcement for heterogeneous environments, ranging from super servers to the desktop. Customers turn to IBM/Consul to manage one or more of the three urgent concerns:

• Data overload: Today’s organizations are drowning in an overwhelming volume of data delivered by diverse operating systems (Windows, Linux, UNIX, zOS, OS/400…), security devices (firewalls, intrusion detection systems), applications, and databases.
• Trusted user monitoring: Unfortunately, this flood of data delivers little actionable insight into what users are doing within the company – accessing, using, and releasing sensitive information vital to business operations, closely governed by regulations, and required for corporate information risk management initiatives.
• Regulatory compliance: The wave of Government regulations and Industry standards around information security and privacy (e.g., Sarbanes-Oxley, GLBA, HIPAA, ISO 17799, Basel II) is forcing organizations to institute more stringent policies and auditing processes to ensure compliance with new information assurance standards. Engaging in a TCIM development project, companies strive to solve these problems together with reducing risk and lowering costs.

The product quality analysis should not end at the stage of information gathering and analysis. The user interface is also very important. In this regard, the TCIM is a very mature product. It allows the user to receive the aggregate reports for a defined period of time; review any events happening in the system itself. If a customer has any specific needs, they may use a specially designed language of request creation that allows them to generate even very complex reports.

In such a way, TCIM is a unique product with an original technical solution allowing processing billions of informational units, as well as quickly, effectively, and reliably monitoring any attempts to break the security.

History and Solutions

ScienceSoft started work on TCIM development in 2004 on a sub-outsourcing approach. At that time services of one more outsourcing company, Miratech, were used.

Initially, ScienceSoft had the following goals:

• Create teams of multi-profile experts during very tough deadlines.
• Complete informational and development integration into the Consul working environment.
• Participate in the InSight product development.
• Establish the technical product support.
• Create the general development processes for both ScienceSoft and Consul, and implement them.
• Support the modernization of tools and employed technologies.

ScienceSoft successfully performed the majority of the above-stated tasks during a very short period of time. What ScienceSoft has done in two months:

• Established a team of 19 developers;
• Created TCIM Development and Test labs in accordance with the Consul requirements;
• Performed a number of technical events aimed to integrate the environment of the ScienceSoft company into the Consul environment, such as:
  • Merger of local networks (a dedicated VPN connection was established).
  • Installation and merger of knowledge databases and working environment on the basis of Lotus Domino DB.
  • Establishment of the communication channels between the development teams of both companies.

To ensure a smooth knowledge transfer and close partnership between companies, ScienceSoft organized a business trip for our developers to Consul. At the end of October 2004, the team was approved by the Consul’s management as the team, satisfying their requirements towards outsourcing suppliers, and started working on the TCIM development project.

In four months, the first version of the product (InSight 5.0 SP2) was launched. It was created in close cooperation with ScienceSoft.

During joint work, ScienceSoft proved to be a reliable partner, so the Consul’s management decided to transfer all the testing activities from Miratech to ScienceSoft.

In a couple more months, the next product version (InSight 6.0) was launched, and the next release version (InSight 7.0) was planned within a year.

The release of InSight 7.0 was rather complicated because Consul faced difficulty with managing and establishing effective development processes with Miratech. This might have led to a loss of product quality, as the deadlines were under the threat of being missed. But mostly thanks to the ScienceSoft input and hard work, the product was released on time and met the budget limits.

Consul appraised the high quality and dedication of our professionals’ work and made the final decision to transfer all the development works from Miratech to ScienceSoft. Thus, ScienceSoft became the only outsourcing supplier of Consul.

In a year, one more release version (InSight 8.0) and an interim strategic version (InSight 7.0 Day One) of the product were launched. While working on the Consul’s projects, ScienceSoft performed the Consul’s development processes analysis and, based on its experience, offered a number of measures for their improvement. It allowed the team to use the time and resources more effectively and increase the quality of development. New processes established a clearer definition of the roles and responsibilities in the project, a more accurate documentation process, an easier change tracking approach, and a more effective system of corrective measures.

ScienceSoft keeps using those established processes in its everyday work. Moreover, all the processes are ISO 9001 certified, which confirms their high level.

Changes to the TCIM development process were promptly accepted and employed by the Consul company. Well influence on the new processes, project quality, and deadlines is illustrated in the development of autonomous modules of the InSight product. InSight extracts log files of the audited application and transfers the information into the patented form of data presentation – W7. Those forms are named Event Sources, and they are developed separately from the main application.

The specificity of such projects is that all the required knowledge is gathered by the developers during work on the project. During module development, they carry out examination and analysis of the audited platform or application in order to reveal messages shown at various stages of the application’s work.

Before the updated processes were established, the time to launch one Event Source module was impossible to forecast and plan. ScienceSoft offered the following changes into the process of Event Sources development:

• Establishment of Pipeline Model, when 2 developers are working on the same module.
• The following order of development stages became obligatory: Specification → Implementation & Integration → Testing → Stabilizing. The system of gate meetings allowed fixing the result of the previous stage and moving to a new one.
• A system of checklists was developed to ensure control over each stage.
• System of each stage results review helped to increase the performance quality.

All those measures decreased the time needed for one Event Source project development from 5-6 to 3 months! Moreover, the developed documentation and received knowledge are stored in a special DB, which enables the use of existing tools and modules repeatedly. Thus, ScienceSoft keeps increasing the effectiveness of its processes. It is also worth mentioning that the well-established approaches and processes were so in line with IBM's native procedures that it was one of the key factors for a positive decision on the merger of Consul with IBM.

Results

• ScienceSoft proved itself to be a reliable partner, so Consul’s management decided to outsource all tasks to one outsourcing supplier, ScienceSoft. Thus, there was no need to divide the TCIM development work between several outsourcing partners to decrease risks.
• During collaboration between our companies, 4 major releases, one strategic release, and 20 Event Source modules were successfully completed.
• Each developer has skills in several technologies and fields. Experts are experienced in development, management, and architecture creation, taking into account application specifics and requirements.
• At this moment, all development and partial management are concentrated on ScienceSoft’s side. At Consul’s side, high-level architecture, requirements gathering for new product functionality, strategic planning, and partial project management have remained.
• ScienceSoft has a dedicated architect for Event Source modules development. Center of Consult’s customer support was established based on ScienceSoft’s team.
• Each month, 2 employees from ScienceSoft visit Consul onsite for knowledge transfer and process improvement.
• At this moment, ScienceSoft works on the following version of the InSight product, which will include special solutions and technologies of IBM.

Technologies and Tools

INSIGHT PRODUCT

Languages: C/C++, Visual Basic, Java, Install Shield, Perl, bash/shell, Win batch, VBScript

Technologies: TomCat, Lucene, SSH, SQL, ODBC

Employed OS: Windows, AIX 4/5, HP-UX, Sun Solaris 8/9/10, AS390/400, Linux (SuSe, Red Hat), Novell

Databases: Oracle 8/9/10g, DB2 Viper

EVENT SOURCE MODULES:

Platforms and applications: Symantec, BlueCoat, Tru64, Novell NSure, McAfee ePO, Solaris, MSSQL, DB2, Sun System Identity Manager, Oracle, MS Exchange, IBM Tivoli for e-business, IBM Tivoli for Operating Systems, IBM Tivoli Directory Service, IBM Tivoli Federating Manager, IBM Tivoli Identity Manager

SPECIFICS

• TCIM development is performed in a special environment with the use of Lotus Domino and Consul Version Control
• The phase process was employed for short-term projects and an iterative process for long-term projects.
• Event Source modules are developed with the help of Consul’s standards and specifications.
• A pipeline module is used for Event Source modules development. It helps to decrease the timeline and increase the product quality.
• ScienceSoft uses MS Project Server for project planning.
• MS Project Server and Lotus Domino were integrated for routine operations automation.
• All processes at ScienceSoft are transparent for Consul.