Gateway to The West

Posted in Events, News, Security on February 2nd, 2010 by Robin

It was another week on the road, this time heading slightly south to St Louis, Missouri. It was great to get away from the snow, although the air seemed just as cold as in Minneapolis. To say that it would be nice to feel a warm breeze at this point would be an understatement!

One of my first duties in town was to conduct our weekly PowerTech Webinar. The Webinar was titled Protect IBM i (AS400) Data From FTP, ODBC, and Remote Command, and it’s always one of the most popular Webinars that we do. It still surprises me that so many people attend this topic and ask such great questions, such as why IBM i is so often left exposed by a lack of access control, or of auditing, for network-initiated transactions. I suppose the statistic that 65% of the IBM i servers we audit still have no exit programs registered might explain some of the interest—even after two decades of awareness of this problem.

I was thrilled to also be presenting the first session of our new regional security workshops to a full room of attendees. For several hours, we whittled our way through numerous important aspects of IBM i security—from system values to adopted authority and from special authorities to network access. Based on the positive comments made on the evaluation forms, the class was a resounding success! It always makes it fun when an idea comes to fruition, and especially when it is so well received. Thanks to the IBM i team at MSI Systems Integrators for hosting the event at their downtown facilities, and for providing lunch for all of the attendees.

After the class, I traveled the 90 miles or so to Jefferson City and engaged with the mid-Missouri users group, presenting a session titled Top 10 Security Vulnerabilities. I would like to offer my appreciation to Huber and Associates for inviting me to present at their location, and also for the interest and interaction I received from the group. This presentation actually ran long because of some of the great discussion that we were having. Before I left, we emptied another box of cool PowerTech t-shirts, and raffled another gift-card.

I am now going to be back in the office for a couple of weeks to catch up on some of my other daily responsibilities, including helping host our upcoming online training classes for Network Security. After that, I will head out again for the next workshop and user group stops, this time in Nashville, Tennessee, and Buffalo, New York. I am especially excited about going to Buffalo, as it is being hosted at a PowerTech customer location. Plans are also being worked on for Reno and Portland events in early March, so if you work in those areas, we invite you to join us.

Before I close this week’s entry, I want to take a moment to say that my thoughts are with the family of IBM’s Craig Johnson, who died this past week in a car accident in Northern Iowa. Blizzard and whiteout conditions on Interstate 35 led to a massive 40-vehicle pile-up. This is the exact same route that I take weekly between Des Moines and Minneapolis, and I just happened to have stayed in Minneapolis that weekend due to my back-to-back travel plans. It certainly brings home how life can change in an instant, and how important it is to live each day as if it is your last.

Stay Warm!

Planes, Trains, and Automobiles

Posted in Events, News, Other on January 26th, 2010 by Robin

Well, last week was a busy, but fantastic week. My travels started on Monday afternoon with a non-stop flight from the chilly air of Minneapolis to John F. Kennedy International in New York. Actually, I was surprised how fast the flight went, and after a few short hours I was programming the rental car’s GPS and heading into Manhattan.

It’s been 20 years since I was last there, and though the skyline might have been tragically altered forever, the hustle and bustle of the city that never sleeps is the same. I came to the United States in the summer of 1988 as a British foreign exchange student, and one of my most vivid memories is of being in New York City at night, and riding a tour bus across one of the bridges into Manhattan. It was one of the most spectacular nighttime skyline views that I had ever seen. As an amateur photographer, one of my personal goals of this trip was to try to recreate that view, and I was able to work my way down to the water line and get this photo.

[Photo: New York Skyline]

My work agenda started on Tuesday morning with a visit to a customer on Long Island. We had a great discussion regarding the ways they were using several of the PowerTech tools to help administer and audit access from users that normally would be hard to control, such as programmers. We also talked about how they see their developing security requirements.

After a 90-minute car-ferry ride from Port Jefferson, NY to Bridgeport, CT, it was a short hop down to Norwalk to meet my first user group. The group had selected the topic of “7 Habits of Highly Secure Organizations” and, for a couple of hours, we enjoyed dinner and interacted about the subject of auditing, access control, and regulations and policy. I raffled away a Starbucks gift card, as well as a number of free t-shirts, and it was a great evening.

Wednesday was a pretty easy day, riding the ferry back to Long Island, and then navigating to the location of the Long Island user group. I was met with a fantastic turnout from a crowd of very active System i users. The group started the evening early with some PHP training led by one of their own members, and there was a fun slideshow on some System i/iSeries/AS/400 history. I presented the “Top 10 Security Vulnerabilities,” based on data extracted from our annual security study. I really enjoyed interacting with this group, which included several of my own customers, as they had lots of great questions and discussion points. After another gift card drawing and distribution of a big box of t-shirts, I was off to my next stop in Morris Plains, NJ.

As a side note, if you are not from the East Coast, a GPS is a prerequisite to navigate your way around a city as large as this. Although mine had some trouble acquiring a signal at times (ahhh! technology) and wanted to send me in circles, I managed to successfully navigate the 90 or so miles to my destination.

Thursday morning began early with another customer visit, this time to a long-standing customer of Help/Systems and now a new PowerTech customer. I learned about some of the challenges that they had faced trying to implement an object security infrastructure. I offered some advice, and also offered the PowerTech services team to provide assistance if desired. After all, as I have stated in my blog several times, we are not just a software company.

Thursday evening had me in Fairfield, NJ, at my final user group meeting. I spent several hours with another lively crowd of about 30 people who learned about the dangers of “FTP, ODBC, and Remote Command.” I included a small demo of how simple it is to access corporate data through common tools, and the conversation was very active, which is typical after people see just how easy it can be. I cleared out my final box of t-shirts, handed out my last gift card, and headed the 90 miles to Philadelphia.

I wanted to use this travel opportunity to visit with another (very well-known) customer on Friday morning. They are an active user of several of our security tools, and are evaluating another one to add to the suite. I spent a couple of hours learning about how they are implementing security in their environment, as well as identifying areas where we can provide some relief.

This is one of my favorite types of work: meeting with customers to discuss their successes and future needs, and also mingling with the kinds of user groups that I used to attend in my past jobs. These are the folks who are the diehards of the technology on which our software runs. You don’t have to sell them on the attributes of the System i (or AS/400, as many still call it), and their biggest complaint is that it is not more prevalent than it is.

I want to thank the customers who took time from their busy schedules to meet with me, and also the three user groups that invited me to present to their membership. At the request of a number of people, I am looking forward to returning to the area in the future—to meet with the user groups again as they support the local ‘i’ community, and to host our IBM i security workshop.

I am finalizing this blog entry on Friday afternoon, while awaiting my return flight from Philadelphia, Pennsylvania. After a brief return to Minneapolis, I leave again to head to St. Louis, Missouri, to teach a security workshop, and give a user group presentation in Jefferson City.

Interestingly, although I added “ferry” to the list of my various modes of transportation used last week, I still have yet to use a train!

PowerTech Support Interview

Posted in Other, Security on January 19th, 2010 by Robin

With Gregg Bury and Jill Martin

JM:  Before we get started with the questions, why don’t you give us a quick introduction?

GB:  Well, my name is Gregg Bury. I’m a technical support consultant at PowerTech and I work with the System i and our software in security.  I live in the Pacific Northwest, in Seattle.

JM:  How long have you been with PowerTech?

GB:  It’s 10 years this year; joined in 2000.

JM:  Have you always been in customer support?

GB:  I have.  In the early days, it wasn’t just customer service. We did QA, and wrote our own documentation and guides and best practices, so it’s kind of narrowed now.  In the original days, there was a much broader job description.

JM:  What makes our support unique?

GB:  Those of us in support have been here a long time, so we’re very aware of not just our software, but security needs and the System i.  Myself and my co-worker, Pablo Tellez—he’s been here 11 years—just by virtue of our length of time in service at this one company, I think gives us a lot of credibility and skill here.  And, we both like what we do and we care about the customers.

JM:  What is the knowledge level of our support?  (Level 1, 2, 3 etc)

GB:  Three being the highest?  At least 2 and edging into 3; generally when I consider 3, you’re getting into the development and the code and the software functions at a program level.

JM:  You take it further than level 2 often times, I bet you do a lot of research.

GB:  Yes, we research.  We dig into the deepest parts sometimes.  Sometimes with help.

JM:  What type of closure rate do we have for incoming calls? How often do you close calls after the initial contact?

GB:  Well, I’d say between 80%-90% easy.  While we’re on the call, we open it.  We may be creating the ticket at the moment they call, and most of the time by the time the call is done, it’s finished.  We’ve closed the call.

JM:  You’ve solved the problem for the customer?

GB:  Correct.

JM:  In addition to phone calls, what are some other ways to contact support?

GB:  Email; we have a support email address.  It’s a mailbox that we monitor: support@powertech.com.  The phone and email are the primary ways.  Often some will be referred by either an account rep or someone else who transfers the call to us, but generally it’s the phone.

JM:  What do you like best about working with our customers?

GB:  I like problem solving.  People will call, they have a problem – often they’re stressed, and people often vent which is normal, but we don’t take it personally in that respect; but when we’re done, they’re often happy or satisfied that they’ve got your answer or at least we’re working on the problem.  So, I just like to solve problems.

JM:  Would you say that most of the calls or questions you guys get are related to defects or how-to questions?

GB:  At least 75%-80% are how-to questions.  Some of them might be dealing with the iSeries and how it works with security, or how to use our software.  Often they’re dealing with forensics: they had an event that happened that shouldn’t have or something, and they’ll call us about how to get some history and documentation of what happened.  Often it’s just on the iSeries or using our software.

JM:  So most of the calls you take are how-to questions on the software or on the operating system.  For instance, it’s not always just when there’s an actual problem.

GB:  Yeah, I think people have learned to trust us; not all of the calls we get have to do with our software, and maybe don’t even have to do with security, they just know that somehow we know what to do in this situation, and we’ll get calls on that just because they trust us.

JM:  What are some of the other things you get involved in as part of support?

GB:  QA (testing) often from the customer standpoint.  I know we have QA people who make sure the code is working, but we, in support, will do QA from a customer perspective; we know customers like to do a particular process in a particular way just by virtue of our calls.  Whether it’s running a report, adding access control rules, installing or uninstalling – various things like that.  We also find customers do things in unexpected ways that when development built the product, they didn’t foresee; Pablo and I know that and we will run our QA from that perspective.  Also, we have ideas and enhancements that we will supply back to development by virtue of repeated calls that we get from customers.  We are often involved in usability meetings with the products.

JM:  So, by being on the front lines and getting involved with new version product testing and enhancements, you’re able to add a lot of value to the direction of the product.

GB:  I think so and I hope so.

JM:  Any other thoughts you would like to share?

GB:  Well, there’s a loaded one!  You know, our software targets security, but often people view our software as an end-all solution, when it should probably be viewed more as a tool for dealing with security.  Also, security is a verb; it’s not that you just put the software on and then forget about it, it’s ongoing.  The environments are changing, the laws change, the users – as everybody knows – come and go from the business, so they have to be added and removed, the way users do things – as users get smarter they’ll try new things, software applications are added – you know, the old thing with ODBC, and through Microsoft Excel, that was more or less a catalyst for Network Security – but they’re just tools and they can’t be forgotten, they have to be worked and used.  I think at PowerTech we do offer more than just the tools; we are offering our security expertise and experience.

Good Support = Satisfied Customer

Posted in Other, Security on January 12th, 2010 by Robin

Regardless of how much effort we expend to plan for “unexpected” events, sometimes things happen that are simply out of our control. Last week in Seattle, for example, a failed network component at the local communication service provider’s data center forced a temporary outage of our voice and data lines at our technical support center. Fortunately, having multiple locations means we could do some creative magic and reroute our callers to different offices. This ensured that anyone looking for help could still talk to a live person; something that Help/Systems companies take pride in.

Although the outage was sporadic, it did mean that our call handlers sometimes had to seek other people when they couldn’t forward the call to a technical support employee. Rather than simply take call-back information, I fielded one of the calls myself, and I am extremely glad that I did. It came from a large customer located in Niagara Falls, NY, who initially was a little surprised that a director was answering level 1 support calls (perhaps their surprise was less about my title than the concern of a “pencil pusher” trying to help them!). I explained that the support team was not available, but that I was interested in knowing what their question was, and that I would do my best to address it for them, or escalate it as soon as Seattle came back online. As we worked through some troubleshooting steps, it gave me a great opportunity to visit with them.

I was very happy to hear that they are “huge fans” of the PowerTech security solutions, and frequent listeners of my weekly educational Webinars, but especially proud of how complimentary they were of the support team that they (normally) talk to if they call in. Regardless of whether they had an actual technical issue, or they were simply looking for advice or assistance on how best to utilize the solutions to secure their numerous systems, I was told that the support they had received had always been first class.

I started thinking about how quality technical support can make an enormous difference in a customer relationship. It doesn’t matter how good a solution is if, at the end of the day, the solution is not well supported. I think everyone at one point has purchased a product or service, and found that they had a question about its use, or needed some assistance with it. The instant a phone call is made to the vendor’s support number, there is a “Y” in the road that decides whether the call will actually increase the customer’s level of satisfaction, or make them question their purchase. In fact, I remember hearing a tale of a cellular phone company that deliberately provided a number of their customers with phones that were not working. This was done as an experiment to see if the way that the support calls were handled would have an impact on a customer’s perception of the company. Interestingly, the level of satisfaction after the issue was handled promptly and courteously was recorded as higher than even that of the customers who had received a working phone from the start! That is a powerful statement of the impact that good support can have.

Of course, PowerTech does not provide solutions that will deliberately cause issues to customers, but we do have the type of support response that gets praised frequently. That is good for the customer and good for our business. From my perspective, I wish to send my thanks to the members of the PowerTech support team, and also the professional services team that—based on the satisfaction surveys that pass my desk—do an equally superb job at making PowerTech look good. It takes a lot of patience and skill to help customers in a way that makes them thankful for calling.

I am going to be in Buffalo, NY, in February (for some reason, everyone laughs when I say that) to speak at a local user group, and to host a half-day IBM i security class. During that trip, I have arranged to stop by and visit with this particular customer. I want to thank them for their business, and also to have some discussion about how they use the PowerTech products. It is invaluable to us to hear customer insight about what security and compliance issues are important to them in their business, as well as features they would like to see us include in an upcoming release of one of our products. I think it makes us more of a security company than a software company.

Oh, and in case you were wondering, I was able to resolve the question that the customer had called in about. My single call may pale in comparison with the volume of questions that the professionals in Seattle typically handle, but at least I can hold my head up high in the break room!

Watch for an upcoming blog and PowerNews newsletter interview with a member of our (real) support team.

Happy New Year!

Posted in Other, Security on January 5th, 2010 by Robin

I guess it is a sign of my age that the years seem to slide past faster nowadays. It is staggering to think that it is the start of yet another decade, and ten years ago the I.T. industry just got done holding its collective breath for Y2K—a computing event that many thought would be cataclysmic. While no disaster ever materialized, it did help to point out how technology-dependent we have all become in our businesses and in our personal lives.

Security should be considered the new Y2K as it demands the attention of every citizen in every country, and has the potential of bringing us to our computing knees. While the year 2000 came and went without major incident, barely a day goes by that another breach doesn’t occur, or someone pays the price of one. We have seen an increasing barrage of attacks come from every direction, from every country, and via every form of communication. And even some “legitimate” businesses have turned out to be the culprit, and their actions have resulted in a new requirement for yet another regulation or legislation (think Sarbanes-Oxley). As someone who works in this industry full-time, I only see this continuing to worsen as cyber-criminals become more sophisticated and well-funded.

So as we embark on the ride into the next decade, I really hope that the vulnerabilities that I see every day are seriously contemplated and then addressed. For that to happen, it is critical that management gives the necessary consideration to their I.T. budget to help protect the very assets that their business survives on. This is true even in a tepid economy as employees fear for their jobs, and those that remain have to perform even more responsibilities. “ROSI” is an industry term, meaning “Return On Security Investment,” and although it might be calculated slightly differently from the more traditional “ROI,” there is a return nonetheless. One of the returns is that your business stays IN business—a pretty significant return, and something that should get the attention of your corporate management.

The good news is that many of us continue to run our core business applications on IBM i. While it does not come pre-configured as an overly secure environment, it has the ability—with a little help from your friends at PowerTech—to be one of the most secure servers available today. The features that are built into the operating system all work together as a tightly integrated ring of protection around the data. And our popular software provides additional tools to make the life of the security officer more productive, and your data more secure.

So, as we start another new year and a new decade, resolve to finally take the steps you know you need to take to get your server in shape. If you don’t, it might mean more than your system just gaining a few extra holiday pounds!

Happy New Year, everyone!

On the Last Day of Christmas, PowerTech gave to me …

Posted in Auditing, Security on December 22nd, 2009 by Robin

It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter officially began yesterday, the readers of this blog will know that we have been feeling it in Minneapolis for several weeks. December 21st is marked as Winter Solstice—the shortest day of the year due to the Earth’s tilt—so the good news is that summer is on its way. Ok, so I’m an eternal optimist!

In the spirit of the season, I thought I would create a last-minute holiday wish-list for the security officers that made Santa’s “good” list:

Perform an assessment

This is a good way to get the baseline metrics reviewed; identify the areas of weakness and strength so you can focus your resources where they are needed.

This one is a stocking stuffer, as PowerTech does it for free!

Create a policy

It is hard to measure your progress without a policy. You can even start with the open-source one at www.powertech.com!

Update your system values

Make sure that the server configuration reflects the directives in your security policy. After you set the correct attributes, use the policy feature of PowerTech Compliance Monitor to validate that nothing has changed with scorecard views of system value compliance.

Secure Your Borders

Internal employees are the cause of approximately 70% of data integrity events. Ensure that you don’t secure just your perimeter and leave corporate users with unrestricted network access. Any user with access to your servers should be audited and controlled. PowerTech’s Network Security provides both auditing and access control of powerful interfaces like FTP, ODBC, and remote command.

Don’t overlook your powerful users

Sure, we expect our programmers and administrators to run and maintain a system, but would we want them to have our social security numbers, bank balances, and the “skeleton key” to our corporate data? Try to reduce unnecessary assignment of special authorities, and then use a tool like PowerTech Authority Broker to facilitate on-demand access to super-users while auditing their activities.

Educate your staff

PowerTech conducts weekly online Webinars, as well as eTraining. In 2010, we are also taking some classes out on the road. Registration for the eTraining will open shortly at www.powertech.com. Get on our newsletter list while you are there and stay informed of events, as well as related security news and articles specific to IBM i.

We know that taking that first step can sometimes be a daunting one. If you are not sure how to get started, allow our team here to guide your compliance sleigh! After all, we have been doing it for years.

Happy Holidays!!

When Winter Moves In

Posted in Other, Security on December 15th, 2009 by Robin

Well, it may have held off slightly longer than normal, but we knew it would just be a matter of time. This past week my home state of Iowa was pummeled with ice, snow, and bitterly cold temperatures. Although my weekly trek between Des Moines and Minneapolis was delayed by a day, it didn’t take too long for the hard-working road crews to get the highway infrastructure moving again.

Although I have survived my fair share of Midwest winter storms over the years, it struck me how there is similarity between how winter storm contingencies are planned for and how enterprise security should be handled.

In a computing environment, it’s important to perform what is known as “data classification.” This is where data is identified by its criticality to the organization. Data that is public, easily recreated, or has less intrinsic value to the organization (perhaps historical information) typically has less importance than data that would be costly if it were damaged or breached. Most organizations have limited resources (funding, security staff, etc.) and so the more important data gets prioritized first.

This classification is also necessary for our city planners. Obviously, with limited snow removal equipment and plow drivers, there is no way that every road can be cleared simultaneously. Routes are classified according to their importance. Classifications might include interstates, main trucking thoroughfares, secondary roads, and residential streets.

The next task is to perform a risk assessment. This is an important process by which risk is assessed based on a couple of factors: vulnerability and threat. Vulnerability is the possibility that the incident could happen; threat is the likelihood that it actually will. By reviewing the classification, the vulnerability, and the threat, we get an assessment of risk. If one of the factors is low, then the risk is generally also going to be low, and may even fall into the category of “acceptable risk.” If the cost to secure an asset is more than the business value of the asset, then management is not likely to want to spend the money on it.

In the case of winter, the vulnerability is whether a particular location could get a disabling snowstorm. There is high vulnerability in northern states such as Iowa and Minnesota, but not much vulnerability in the South. Even in places where there is vulnerability, the threat may still be low and may mean that we don’t see it as ‘high risk’ overall. The threat of a winter storm is obviously minuscule during summer months, but high between December and January. Accordingly, road maintenance departments know when to prepare their snow removal equipment for deployment, and to stock up on road salt and snow-melting chemicals.

There are cities that have only occasional snowfall. I have been stuck in Dallas Fort Worth International airport when freezing rain has started to fall. The difference in how these locations respond is almost comical. It is like they grind to a halt over an incident that Minneapolis would handle in its sleep. This is because snow is not a major threat there, and so it is typically deemed an acceptable risk. I remember a few years ago when Iowa actually lent plows to another state that suffered a crippling snow storm, and had only 1 or 2 plows of their own (for the whole state!).
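The classification, vulnerability and threat factors above, together with the two acceptable-risk rules (a low factor pulls the rating down; a control that costs more than the asset is worth is not bought), can be written down as a small scoring routine. This is an added illustration, not PowerTech code; the asset register, its levels and its dollar figures are constructed to mirror the post’s data and winter-storm examples.

```python
"""Qualitative risk assessment in the shape the post describes.

Risk is read from classification, vulnerability and threat; a low factor
pulls the overall rating down to low, and a control that costs more than
the asset is worth is treated as acceptable risk.  Every asset in REGISTER
below is a constructed example.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Asset:
    name: str
    classification: Level  # criticality of the data, or importance of the route
    vulnerability: Level   # possibility that the incident can happen here at all
    threat: Level          # likelihood that it happens in the current period
    cost_to_secure: float  # price of the control (exit program, plow fleet, ...)
    business_value: float  # what the asset is worth to the business


def risk_level(asset: Asset) -> Level:
    """Overall risk never exceeds the lowest of the three factors."""
    return Level(min(asset.classification, asset.vulnerability, asset.threat))


def decision(asset: Asset) -> str:
    """Return 'mitigate' or an 'accept: <reason>' string for one asset."""
    if risk_level(asset) == Level.LOW:
        return "accept: one factor is low"
    if asset.cost_to_secure > asset.business_value:
        return "accept: control costs more than the asset is worth"
    return "mitigate"


def prioritize(assets: list) -> list:
    """Names of the assets that need mitigation, most critical first.

    Ties on risk are broken by classification, so with limited staff (or
    plows) the most important data (or road) is handled first.
    """
    todo = [a for a in assets if decision(a) == "mitigate"]
    todo.sort(key=lambda a: (risk_level(a), a.classification), reverse=True)
    return [a.name for a in todo]


# Constructed register: four data assets and three stretches of road.
REGISTER = [
    Asset("payroll master file", Level.HIGH, Level.HIGH, Level.HIGH, 15_000, 2_000_000),
    Asset("customer master file", Level.HIGH, Level.MEDIUM, Level.MEDIUM, 10_000, 1_500_000),
    Asset("archived 1998 month-end reports", Level.LOW, Level.HIGH, Level.HIGH, 5_000, 500),
    Asset("test library rebuilt nightly", Level.MEDIUM, Level.HIGH, Level.HIGH, 25_000, 2_000),
    Asset("I-35 Des Moines to Minneapolis, January", Level.HIGH, Level.HIGH, Level.HIGH, 800_000, 50_000_000),
    Asset("I-35 Des Moines to Minneapolis, July", Level.HIGH, Level.HIGH, Level.LOW, 800_000, 50_000_000),
    Asset("Dallas freeway, January", Level.HIGH, Level.MEDIUM, Level.LOW, 800_000, 50_000_000),
]


if __name__ == "__main__":
    for asset in REGISTER:
        print(f"{asset.name:42s} {risk_level(asset).name:6s} {decision(asset)}")
    print("work queue:", prioritize(REGISTER))
```

The test library is the interesting case: its risk is medium, yet it is accepted because rebuilding it nightly is worth far less than the control would cost, which is exactly the management call the post describes.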

When an incident is discovered or predicted, the emergency response teams are called in. They use an Incident Response Plan (IRP) to know how to respond. For computer security, this may mean performing forensic analysis, management notification, or even disaster recovery; for winter storms it is the carefully orchestrated plowing of streets, parking bans, and widespread public notification of school closures.

A post-incident review, designed to analyze how effectively the response teams handled the situation, is the last step to determine if changes need to be made to the response plan. This may include additional notification methodologies, or requirements for new or additional equipment. In 2008, Iowa started to implement laser-guided plows to enable more accurate plowing with less chance of damage to the roads, and to help weary crews who are often faced with 12+ hour shifts.

Occasional risk assessments should also be performed to confirm that the incident still carries the same level of risk. Risk levels will be affected by any need to reclassify the asset (data or road), as well as by new vulnerabilities or changes in threat levels.

So, if you live in a part of the world where snow—or any type of large natural event—is possible, imagine how the response teams might be using the very same type of risk management technique as your I.T. security staff.