System i Security Products
Agenda • Security Issues regarding System i • Who is PowerTech? • Customer Requirements • System i Security Vulnerabilities • PowerTech Solutions Overview
The PowerTech GroupDefinitive iSeries Security • World lead company for System i security • PowerLock AuthorityBroker Ships with iSeries OS. • Acquired leading iSeries SSO Technology 2005 • Winner of prestigious Industry Driver APEX Award from iSeries News in 2004 • Over 1.000 Enterprise and Small Business customers • More than 3,000 licenses installed • Advanced Level IBM Partner
Where to Begin Demonstrate Compliance Real time Monitoring Audit for Compliance Be Compliant Access Control Security Change Config Mgmt Business Continuity Data Privacy PowerUsers Data Access PW/User Mgmt System Settings Source Control High Avail Data Recov Data Xfer Data- base
IT Controls Being Raised Legislators are doing their best to raise security from a technology issue to a business concern Auditors are defining what security is for companies Companies are documenting in-scope processes and procedures All are looking to CobIT and ISO 17799 for guidance Risks inherent in IT Control are being identified and addressed
iSeries Environment Can users perform functions/activities that are in conflict with their job responsibilities? Can users modify/corrupt iSeries data? Can users circumvent controls to initiate/record unauthorized transactions? Can users engage in fraud and cover their tracks?
iSeries Security Study • 87% of libraries were accessible by *PUBLIC (any user on the system) – Auditors recommend 0% • 80% of access points on iSeries were not monitored or controlled, leaving the possibility for un-audited access to critical data – A violation of CoBIT recommended standards and a threat to data integrity. • 78% of systems had more than 40 user profiles with default passwords (password = user name) – A red flag for auditors and a violation of CoBIT recommended standards. • 84% of systems had more than 10 users with *ALLOBJ (all-powerful users) – A red flag for auditors, and a threat to data integrity and accountability.
Data Access - Public Authority to Libraries iSeries Security Study 2005 Source: The PowerTech Group
REMOTE EMPLOYEES Ramifications No Visibility to Network activity No Control of Network Activity No Security Monitoring Menu Access Only Menu Access Only CUSTOMERS iSeries Security Gap In the old days you could rely on menu security. But once PCs came along and the iSeries was opened up to ODBC, FTP, Remote command, the iSeries became vulnerable. EMPLOYEES
IBM Recognizes the Problem • “ODBC introduced a plethora of desktop applications that offer easy access to data on the as/400 via a few mouse clicks.” • “COMMON BACKDOORS - Several servers offer methods to submit AS/400 commands via the client. Restricting command line usage does not block this.” From IBM technote: “Security Issues with Client Access ODBC Driver” http://www-1.ibm.com/support/docview.wss?uid=nas1936b3cdad3645bd98625667a00709a29
Customer Data Can users perform functions/activities that are in conflict with their job responsibilities? Can users modify/corrupt application data? Can users circumvent controls to initiate/record unauthorized transactions? Can users engage in fraud and cover their tracks?
Data Access Public Authority Can users perform functions/activities that are in conflict with their job responsibilities? Yes
Data Access Special Authorities - *ALLOBJ Can users modify/corrupt iSeries data? Yes Can users circumvent controls to initiate/record unauthorized transactions? Yes
Data Access Network Access Can users engage in fraud and cover their tracks? Yes
FlashAudit on iSeries Security Product Overview Compliance Monitor Data Encryption Control Powerful Users (Separation of Duties) AuthorityBroker Back Up Encryption NetworkSecurity Access Control ISS - Robot Access Control SSO Single Sign-On SecurityAudit Regular Auditing Real Time Monitoring
Case Study • Large multinational retail company dealing with SOX compliance issues • Problem: • No staff available to develop new custom reports • IT security group is not familiar with iSeries • Overwhelmed with burden of tracking more than 10 systems • Answer: PowerLock ComplianceMonitor • IT staff save development time • Expert guidance built in to product • Consolidated reports
Requirements • Be compliant with regulations • Sox, HIPAA, PCI, Privacy laws • Demonstrate compliance through regular reporting • Automatic scheduling • Focus on exceptions to policy • Historical comparisons of audit results • Process to report on • User profile/account data • System Values • Authority to objects • Network access control
Systems arranged in user defined groups to match the business environment A system (or endpoint as it is called in the product) can belong to more than one group. This allows you to selectively audit and report on sets of systems.
System Value scorecard highlights exceptions to policy with red down triangle. Green up arrow shows settings that match policy. Policy is stored in an xml file. We can update this to match specific company policy.
Consolidated report across three systems – The system value view shows them next to each other for comparison purposes PLCM can collect all system values. In this report, we are looking specifically at the security system values
Effective special authority – it’s not just the authority of the user profile, but we also check to see if the user has inherited special authorities from their membership in a group profile.
Features • Customizable reporting • PowerTech recommended reports • GUI to create custom SQL queries (filters) • Flexible Interface and grid view • Expert guidance • Scorecards rate compliance against security policy • Exceptions are highlighted • Compliance guide • Consolidation across multiple systems • Drastically cut the number of reports
PowerLock NetworkSecurity Technology • IBM recognizes the security problems with network access to iSeries assets, and has added and continues to add network access exit points. • NetworkSecurity implements exit point programs that monitor and control iSeries access through the network interfaces • Exit point programs intercept and can record inbound requests. • Access requests can be controlled by: • User Profile, Group Profile, Supplementary Group profile, *PUBLIC • Device Name, IP address, PowerLock IP address groups or generic names • Server and Function type • Remote command, FTP download, FTP upload, etc, • Can be configured to emulate an increase or decrease in object authorities
PowerLock NetworkSecurity Technology What is an exit point anyway? A point in a process where control can be passed to a User-Supplied program. The User-Supplied program can usually perform processing that overrides or compliments the processing done by the main process. Main program IBM’s FTP Server Access Request Call to Exit program Continue Processing... User-Supplied exit program Analyze request & return data
PowerLock NetworkSecurity Technology • PowerLock NetworkSecurity provides exit point programs that allow iSeries customers to monitor and take control of their network interfaces (FTP, ODBC, Telnet, DDM, Client Access, etc...)
Network Exit Points • 4 Major categories of network exit points • Original PCS Servers (PCSACC) • DDM & DRDA Servers (DDMACC) • Optimized Client Access Servers (WRKREGINF) • TCP/IP Servers (WRKREGINF) • More than 30 network servers • More than 250 combinations of servers & functions that regulate network access
Network Servers that can be monitored and controlled • Original ServersVirtual Print Server File Transfer Function Message Function Data Queue Remote SQL License Management Shared Folders • DDM (Including DRDA) Server • Optimized ServersFile Server Database Server Data Queue Server Network Print Server Central Server Remote Command ServerSignon Server • TCP/IP ServersFTP TELNET WSG (V5R1) etc...
iSeries Network Access with PowerLock NetworkSecurity P O W E R L O C K FTP Server TELNET Server Database Server DDM Server DRDA Server PowerLock NetworkSecurity is the software that controls and monitors access to the iSeries through the network interfaces
Reporting current exposures • To help you get a current view of your network access exposures, NetworkSecurity includes comprehensive reporting capabilities. NetworkSecurity includes several reports that may be run at any time. The Reporting Menu is accessed using option 4 from the NetworkSecurity Main Menu. • If you want information on all network access attempts, you can run the NetworkSecurity reports for All users at All locations. While this will create a lengthy report, it will provide all the detail you need to determine who is connecting to your system, and what functions are being performed. • Right after activation there will be few if any entries on the reports. NetworkSecurity activation begins to record access attempts. Some applications like JDE OneWorld and FastFax can generate lots of entries very quickly.
Sarbanes-Oxley Implications • COBIT DS5.3 – Security of Online Access to Data“… IT management should implement procedures in line with the security policy that provides access security control based on the individual’s demonstrated need to view, add, change, or delete data.”
Reactive security Employees Many companies use Reactive security trying to respond to breaches as they occur. The problem with trying to find all the different ways people can get to you data is that you will never find all the different approaches. Instead, PowerTech takes and exclude based security approach. Customer
Exclude Based Security Employees PowerTech allows you to determine what type of activity you want to allow first. Then you lock everything else out and set up alerts so you know if someone is trying to do something you don’t allow, you can decide at that point whether you want to allow them to do it or not. Customers
Case Study: The Solution • Remove special authorities from the programmer on the production system • Implement PowerLock AuthorityBroker • Programmer “switches” into powerful profile when needed • All actions are audited to a secure journal • Management gets alerts (to cellphone!) • Management reviews and signs off on regular reports • Compliance - Auditors are happy!
Customer Requirements • Log and record activity of powerful users • Flexible Reporting options • 3 levels of detail • Filter out unnecessary information • Print, Database, .csv • Time specific controls • Limit duration of profile switch • Specific Day, Date, and Time restrictions • Delegate “Firecall” to Helpdesk personnel
PowerLock SecurityAudit • Assesses your iSeries and AS/400 systems • Complete history • Instant view of changes • Used by internal auditors • No Special Authorities (like *ALLOBJ) required for auditors • 200+ reports available • Network transactions • Object level assessments • User profiles and system values • Continuous auditing of events, objects, users and system values • Comprehensive reporting and analysis
System Requirements • V5R1 of OS/400 or later • 100 MB of disk space • *ALLOBJ special authority for installation • Users without *ALLOBJ should be added to the SECAUDADM authorization list to allow them to run reports
Value Proposition • SOX related usage opportunities • Security Audit generates reports that can be used to test the effectiveness of AS/400 related logical access IT General Controls. • Improves efficiency of audits • Improves quality and consistency of audits