Recruiting and Managing Trustworthy Talent

Posted in Other, Security on May 16th, 2013 by Jill Martin
With more companies finding firmer financial ground to stand on following a tumultuous few years in the global marketplace, human resource managers are finally getting the go-ahead to bring in new talent to support teams that have been stretched thin. Although these developments elicit a sense of both excitement and relief for business managers, recruitment processes must be as meticulous as ever.

To ensure companies extend an offer to the right candidate, as opposed to merely a candidate, HR professionals must first construct a more comprehensive perspective through improved background screening procedures. Then, recruiters can collaborate with their IT department colleagues to define appropriate levels of access and control afforded to new hires as they gradually assimilate into the organization and take on additional responsibilities.

The Value of Thorough Screening

Although background screening has been perceived as somewhat of a formality in the hiring process, businesses should be looking for factors well beyond a candidate’s most recent work experience. From a purely financial perspective, CFOs will tell you that it is much more expensive to acquire talent than it is to retain it. As such, HR managers will want to know that the resources committed are actually cultivating a productive new employee. Conversely, there’s no telling how much money they might spend in the long run covering up the mistakes and dealing with the fallout of a new hire that turns out to be a functional—and possibly legal—liability.

Background screening can also be considered an insurance policy, as the story painted by the candidate, his or her resume, and any third-party staffing agency utilized may not be entirely objective. While the candidate may list a litany of professional qualifications that barely fit on the page, a deeper investigation may reveal that they took some liberties in describing past experiences. Finally, recruitment managers should also be cognizant of the potential legal ramifications that can come from negligent hiring practices that compromise the integrity of working environments.

Allocating Trust Accordingly

Diligent recruitment practices are certainly the start of successful talent management, but even the most outstanding candidates cannot be given the keys to the kingdom on Day 1. Business managers need no reminding as to the value and sensitivity of their IT assets—nor how quickly simple human error can create disastrous security and/or compliance liabilities. So they must ensure the proper policies and technologies are in place to limit employee privileges solely to essential, role-based job functions.

These principles are not restricted to the onboarding process, of course, as all employees are initially hired to fulfill a vision of long-term growth. Whether a worker has been on the payroll for 15 days or 15 years, intelligent access control and activity monitoring measures must be employed to guard the company’s collective success against individual abuses and incidental errors. In this way, companies can feel confident that employee trust is not simply given, but earned.

If you would like to learn more about tools that can help you manage specific levels of access once you have determined your policies, take a look at PowerTech Authority Broker. And if you would like to know more about IBM i security and risk analysis and reduction, send an email to robin.tatam@powertech.com.

Risk = Fun?

Posted in Security, compliance on April 17th, 2013 by Robin

Risk is not typically lauded as something good. From birth we’re counseled and coached by parents and teachers to avoid it or else bad things will most likely happen. Those same folks endeavor to mitigate risk for us. Our need for risk reduction follows most of us through every stage of life; starting simply with AC outlet covers, bumpers on the corners of coffee tables, skateboard helmets, even childhood immunizations.

In adulthood, risk continues to be avoided whenever possible. The insurance premium you shell out every month is based on incredibly complex risk models that enable the insurance companies to accurately predict the likelihood of a payout. As individuals, we wear seat belts, we eat right, and some of us even exercise. No actions can guarantee with 100% certainty that nothing bad will happen. If they did, those insurance policies wouldn’t be necessary.

In reality, some “big” risks may be smaller than they appear—and some may be larger. The safety record of commercial airlines doesn’t justify the paralyzing fear that many experience at the thought of boarding a plane, but how many of us still say a small prayer when the plane hits bad turbulence at 36,000 feet? Riding in a car without a seatbelt may seem low-risk to some; at least until we get into the accident that we never expected.

Okay, I’ll admit it: a certain amount of risk can be fun. I am not going to dust off any skeletons in my closet in case my kids read this, but I have rock climbed, I have parasailed, I have driven a car at over 150 mph, and I have commanded a tank. To some these activities might seem insane, while others might think I’m a wimp. Everyone has their own risk threshold at which the reward is exceeded by the possible cost.

This past weekend, I started down a path that many consider risky: I purchased my first motorcycle! As the proud new “papa” of a decked-out Harley Davidson Electra Glide Ultra, I’m looking forward to getting out on the open road this summer (if it ever arrives in Minnesota!) and enjoying an experience that I have always envied. Sure, I know I’m seven times more likely to be injured on two-wheeled transportation, but gosh-darned it’s fun!


Risk doesn’t have to mean recklessness. Most risks can be influenced by the amount of precautions that are taken. From bungee jumping to skydiving to spelunking, steps can be taken to limit the chances that the risk will be realized. It might mean safety lines, spare chutes, or a simple seatbelt, but there are usually things that people can do if they want to live to see another day. Although Minnesota state law doesn’t require the use of a helmet, I plan to wear one as others have learned the importance of this protection the hard way—and I’m all for learning from others’ mistakes.

Risk in the world of security is very similar. Risks are present due to hackers, wayward or careless employees, bad configuration settings, and even failing hardware. Many security risks can be reduced with the same precautionary mindset as personal risk. Installing backup systems, performing nightly saves, and activating auditing are common steps. When inexperienced we tend to set out with the goal of eliminating every risk no matter how trivial. But organizations without unlimited budgets learn quickly that there is a correlation between risk and cost: cost to mitigate and costs that will be incurred if the risk is realized.

When starting a security project, experts recommend performing a risk evaluation. Risks should be rated from high (likely to be exploited) to low (unlikely) and costs ascertained for mitigation (reduction or prevention) and damage control (reaction). A matrix can then be developed to allow high-risk/low-cost items to be resolved first. At some point, vulnerabilities might be acknowledged and accepted based on the high cost to mitigate versus the small risk they present.
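The risk evaluation described above, worked through as an added example that is not part of the original post: risks are rated high to low, placed in a likelihood/mitigation-cost matrix, ordered so high-risk/low-cost items come first, and low-likelihood items that cost more to mitigate than they are expected to lose are accepted. The probability weights, the cost threshold, and the sample risks and figures are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed chance of each rating being realized in the planning period.
# The post only names the ratings; these numbers are illustrative.
PROBABILITY = {"high": 0.6, "medium": 0.3, "low": 0.05}
ORDER = {"high": 0, "medium": 1, "low": 2}

# Assumed boundary between a "low" and a "high" cost to mitigate.
LOW_COST_LIMIT = 10_000


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str        # "high", "medium" or "low"
    mitigation_cost: int   # cost to reduce or prevent the risk
    damage_cost: int       # cost of damage control if the risk is realized

    def __post_init__(self):
        if self.likelihood not in PROBABILITY:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")

    @property
    def expected_loss(self) -> float:
        """Damage cost weighted by how likely the risk is to be realized."""
        return PROBABILITY[self.likelihood] * self.damage_cost


def build_matrix(risks, low_cost_limit=LOW_COST_LIMIT):
    """Group risk names into (likelihood, mitigation-cost band) cells."""
    matrix = defaultdict(list)
    for risk in risks:
        band = "low" if risk.mitigation_cost <= low_cost_limit else "high"
        matrix[(risk.likelihood, band)].append(risk.name)
    return dict(matrix)


def plan(risks):
    """Return (names to mitigate in priority order, names to accept)."""
    mitigate, accept = [], []
    for risk in risks:
        too_costly = risk.mitigation_cost > risk.expected_loss
        # Only an unlikely risk is accepted on cost grounds; anything rated
        # medium or high stays on the mitigation list.
        if risk.likelihood == "low" and too_costly:
            accept.append(risk)
        else:
            mitigate.append(risk)
    # Most likely first, then cheapest first within each rating.
    mitigate.sort(key=lambda r: (ORDER[r.likelihood], r.mitigation_cost))
    return [r.name for r in mitigate], [r.name for r in accept]


# Constructed sample data; names echo risks mentioned in the post,
# the ratings and costs are invented for the example.
SAMPLE_RISKS = [
    Risk("No backup system for failing hardware", "medium", 60_000, 500_000),
    Risk("Auditing not activated", "high", 2_000, 150_000),
    Risk("Legacy application rewrite", "low", 250_000, 100_000),
    Risk("Overly powerful user profiles", "high", 8_000, 400_000),
    Risk("No nightly saves", "medium", 5_000, 200_000),
]

if __name__ == "__main__":
    for cell, names in sorted(build_matrix(SAMPLE_RISKS).items(),
                              key=lambda kv: (ORDER[kv[0][0]], kv[0][1] != "low")):
        print(f"likelihood={cell[0]:<6} mitigation cost={cell[1]:<4} {names}")
    todo, accepted = plan(SAMPLE_RISKS)
    print("Mitigate, in order:", todo)
    print("Acknowledge and accept:", accepted)
```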

Regulatory and legislative compliance might be a pain to those who have to comply, but in reality these are the safety guidelines that govern potentially risky business activities. As with most rules, these governances come after someone has already had a mishap. New rules are developed to prevent someone from making the same mistake again.

PowerTech has experience helping customers assess risk and allocate limited budgets to get the most “bang for the buck.” This might entail simple tweaks of IBM i’s own integrated controls, or the implementation of a commercial security solution.

If you would like to know more about IBM i security and risk analysis and reduction, send an email to robin.tatam@powertech.com.

As I write this, news is breaking of the explosions at the Boston Marathon. On behalf of PowerTech and Help/Systems, I want to send our prayers to the victims and their families.

Cheers!

—rt

Passing Audits and Preserving Protection

Posted in Auditing, Security on April 4th, 2013 by Jill Martin

The word ‘audit’ is rarely welcomed with open arms by the IT department, and administrators often employ all sorts of delay and escape tactics to avoid the inevitable. But what they may not realize is the full significance of passing these assessments, or how painless the process can be with the right combination of policy enforcement and activity monitoring tools in place.

Outside Obligations
When IBM i users sit down to discuss reporting strategies and auditing exercises, the first image they often conjure up is that of a stern statistician holding a clipboard and waiting for the first opportunity to find fault with data center operations. Whether or not this perception is correct, it’s important to acknowledge the logic and process behind the standards qualified security assessors (QSAs) are referencing.

Whether companies are covered by HIPAA, SOX, PCI, FISMA or all of the above, IBM i users should remember that the objective of these frameworks is progress, not punishment. Regulatory bodies are a key component of the checks and balances that promote responsible IT administration and sensitive data protection. By keeping operations in line with federal, state and industry expectations, IBM i users will not only sidestep the potential expense of fines and unexpected upgrades, but position themselves as responsible corporate citizens as well.

Internal Improvements
Although external forces may be the most visible factor inspiring IBM i users to get their operations in order, true business leaders are driven by intrinsic motivation. That means even when an audit date isn’t lurking on the calendar, managers are applying proactive approaches toward policy enforcement and activity reporting to limit risk and promote progress. Through diligently designed plans and appropriately paired technologies, companies can gain the visibility they need to diagnose and resolve problems long before they surface on regulator radars.

Reliable Reporting
The secret to success in today’s increasingly crowded and complex IBM i ecosystems is the power of automation. In an era in which continuous monitoring is the rule rather than the exception, manual assessments simply do not cut it. Luckily, there are a variety of smart solutions which can help with the heavy lifting—so long as administrators guide them in the correct direction. By leveraging advanced reporting tools which allow managers to define network and data access privileges and set customized alert thresholds, compliance and risk management professionals are provided with a bird’s eye view of all the essential information needed to assess their standing and to correct course as needed.

Whirlwind European Tour Hits A Home Run!

Posted in Events, News on March 28th, 2013 by Robin

I walked through the door of the Help/Systems offices the other day and was met with a tongue-in-cheek question asking if I was a new hire. Okay, so the past few weeks have mainly been spent in hotels, rental cars, and on airplanes; but I don’t think (hope) anyone has forgotten me quite yet!

After a great trip visiting the tri-state user groups in the New York area, I traveled to London for a day spent adjusting to the six-hour time difference and reconnecting—albeit briefly—with my dad and my brother. I then headed back to the airport to meet up with Terry Heath, a Help/Systems UK colleague, for a short-haul flight to Copenhagen, in Denmark, for the first of four roadshow seminars. Despite traveling extensively throughout Central Europe during my teen years, I had never been to any of the Scandinavian countries. Copenhagen is a gorgeous city steeped in history and clothed in amazing architecture. My positive impression was only bolstered by the great turnout at IBM for our security event. Although this was our “guinea pig” event, everything went exactly according to plan and we had a fantastic morning discussing known configuration weaknesses in IBM i installations and how to mitigate those risks.


After another short flight—this time to Amsterdam—we prepared for the next session. This one was held near Utrecht with only standing room left available. The final two events were hosted by IBM in the UK; firstly in London and then in Warwick, the home of spectacular Warwick Castle. Notch up two more successes, followed by a nine-hour flight home to see my family for the weekend, rounding out a totally exhausting but thoroughly worthwhile trip.

As we suspected when we put together this tour, geographical boundaries are irrelevant when it comes to security. While regulatory compliance standards might vary from country to country, and industry to industry; the mechanics are all the same. Critical data is housed on IBM i servers by companies all over the world. Many of these organizations care about compliance, but the majority of them care more about the security and integrity of their data assets. They learned that it’s possible to be compliant without being secure; however, being secure makes compliance a breeze.

Remarks from the attendees were extremely complimentary, rating the events as “outstanding” or “excellent” in all locations. Everyone reported that they were pleasantly delighted that the sessions focused on REAL education and were not used as an excuse to hard-sell software—I guess there must be other software providers that don’t invest in educating their customers!? I was very flattered to discover that some folks had traveled internationally to attend, and I thank everyone for allowing me this opportunity to meet them. I am very excited by the buzz that this tour has generated, and the fact that we have already been engaged by several attending companies.


I want to thank the amazing teams at our partners—Sosy in Denmark and TecTrade in the Netherlands—for hosting the events, and for the follow-up they are now providing for their customers. While we take pride in the competency of our sales teams, local partners are the key to developing and maintaining the all-important face-to-face relationship on a daily basis.

I may have been the one standing at the front of the room each day, but this was definitely a team effort—something that Help/Systems employees excel at—and I thoroughly enjoyed my time with everyone. Terry made for an awesome traveling companion and we shared a ton of laughs over what turned out to be the most eventful trip of my career. You may hear whispers of fantastic tales of lost passports, run-ins with border patrol agents, mislaid laptops, and hair-raising taxi rides to hotels we weren’t even booked to stay at—but none of it can be substantiated and I vehemently deny any involvement or responsibility. That’s my story and I’m sticking to it! James, Phil, and Ginny helped shoulder the workload with me in the UK, and I would certainly be remiss if I didn’t give a HUGE shout out to our wonderful Clare Monk for her patience and planning skills to ensure my transfer from Point A to Point B in such an efficient manner. These events would not have even been half as successful (because the speaker probably wouldn’t have arrived!) without her hard work.

I turned 43 years old shortly after returning from the UK, and I can honestly say that I’ve never been more excited about my career. After almost 24 years working in the IBM i industry you might think that everything would be “old hat” by now; however, I am amazed that each year that goes by continues to bolster my love of this amazing platform. I started writing RPG programs after high school and now I get to travel the world sharing my ideas about protecting enterprise data, as well as witnessing our blooming portfolio of solutions assisting customers in this critical battle.


Despite the fact that I was deeply missed by everyone (okay, I may be reaching there) I will only be back for a couple of weeks before heading to Texas for COMMON’s annual meeting. As a security SME, I am leading five security sessions, and I’ll be loitering around the Help/Systems booth in between. We’ve planned an IBM i birthday celebration replete with cake, champagne, and limited edition t-shirts so “be sure y’all come on over!” to the booth if you’re going to be down in Austin.

If you would like to know more about IBM i security and regulatory compliance—or the difference between the two—send an email to robin.tatam@powertech.com.

Cheers!

—rt

Gone But Not Forgotten—John Earl Memorial Fund

Posted in Other on March 21st, 2013 by Robin

In January John Earl, one of PowerTech’s founders, succumbed to his brave and long-fought battle with brain cancer. At PowerTech, we talk about John often—usually recounting one of his great stories—and know that we’re not alone in missing him. After relying on John as mentor, friend, leader, and contributor for so many years, we had a duty to share John’s joy of knowledge with the IBM i community.

In order to properly recognize John’s impact on the security industry, we worked with the COMMON Education Foundation to establish a memorial fund that pays the conference fee for speakers to share their expertise at a COMMON spring event. There are other wonderful scholarships available to help finance attendees; however, we felt John’s special legacy came from his encouragement of people to share their knowledge with others.

Like many, I learned about AS/400 (and its descendants) from people willing to share their expertise with someone who knew less than them. As such, I have lived my career with that mentality and the desire to pay it forward.


I am honored to be a subject-matter-expert and attend all of the national events because of the generosity of Help/Systems, but in 2009 I remember having to beg and plead with my then-employer to let me attend my first COMMON conference. I had been invited to join the ranks of the speaking circuit and I saw that as a huge honor and badge of accomplishment for my career. Fortunately, I was able to negotiate my way to the conference (I had also been taught good sales skills!) but I realize there are many folks that are knowledgeable and unable to gain that funding. And, even as a COMMON attendee, perhaps you don’t feel like you are in a position to be a speaker?

While public speaking is not everyone’s favorite pastime, it can be enormously rewarding. Imagine the proud feeling that comes from sharing your experience with others—possibly influencing their careers. The crew at COMMON help new speakers via a mentoring program and special “first-time speaker” session to ensure a positive experience. Partial conference credits are granted to speakers based on the number of sessions they present; however, this memorial will pay 100% of the current conference fee for the Annual Meeting!

John had many friends at PowerTech and Help/Systems, and he was a popular guy with everyone who ever attended COMMON or worked in this industry. We hope this memorial reflects how we feel about John and the lives that he touched.

The recipient of the first award will be announced at the opening session in Austin in a few weeks. After that, the award is up for grabs. Why not make it yours?

If you would like more information about the John Earl Memorial Fund, please contact the COMMON Education Foundation at:

Michelle A. August
Executive Director, COMMON Education Foundation
8770 W. Bryn Mawr Avenue, Suite 1350
Chicago, Illinois  60631
(708) 974-5622
michelle_august@common.org

A Moment of Reflection In the City that Never Sleeps

Posted in Events, Security on March 1st, 2013 by Robin

I recently embarked on my annual week-long pilgrimage to speak with the user groups of Fairfield, Connecticut (FASUG), Long Island (LISUG), and New Jersey (NESTU). During three consecutive nights I presented no fewer than five sessions to the groups on topics that included IFS security (everyone’s favorite challenge), good habits of secure organizations, and a new 90-minute instructional session aimed at developing secure applications. As an RPGer for more than 12 years, I always love to talk to the programmers and developers as they have so much influence over how secure the corporate application database is. I think they appreciate that I can relate on a technical level and that I have experienced the same struggles with auditors. I always love the reception I get from these groups as well as reconnecting with some of their well-known members, such as Pete Massiello and Charlie Guarino.




If you belong to a regional user group, and would be interested in having me come and speak to your group, let me know as Help/Systems and PowerTech are extremely supportive of the IBM i user group community.


As my first port of call into the United States when I was a teenager (many years ago!) from England, the New York skyline holds a special memory in my heart. My night photograph was taken from atop the roof of the Rockefeller Center, looking south past the Empire State Building. Despite this city’s hectic personality (is honking your car horn really necessary!?) this year she also gave me a glimpse of the resilience born from the events that shook her foundations in 2001.

During my visit, I was honored to access the memorial that opened on last year’s anniversary of the September 11 attacks. Two beautiful fountains now flow into infinity where the north and south tower of the World Trade Center once stood; every victim’s name carefully engraved around the edges. After the hustle and bustle of Times Square, the subway, Broadway, and just about every block in Manhattan, these gardens call for a quiet, peaceful reflection. Although not yet complete, the memorial has been built on probably the most hallowed ground in the United States, and is a deeply moving experience. I am sharing one of many photos that I took—I hope you feel that I captured the essence of the sadness and national strength that this site represents.


I was back in the office most of this week; however, my suitcase didn’t get put away for long. I’m flying to the United Kingdom later this evening for the first stop on an exciting European speaking tour. In four days I am going to be speaking at IBM in London and Warwick in the UK; Copenhagen, Denmark; and Utrecht (nr. Amsterdam) in the Netherlands. I will be evangelizing a message of security and compliance to more than 80 people representing 50 companies, and it’ll be very interesting to hear if the challenges facing these organizations mirror what I hear from U.S. companies every day. During these sessions, I will unveil a brand-new presentation on IBM i security entitled “Security Is Not the Same as Compliance.”

(It’s also a wonderful opportunity to say a quick “hello” to my dad and brother whom I haven’t seen in 3 years! Thanks Help/Systems!)

If you would like to know more about the comprehensive message I’ll be sharing, or discuss the ways that PowerTech is being engaged around the globe to assist organizations as they become more secure, send an email to robin.tatam@powertech.com.

Cheers!

—rt

Balancing Data Privilege and Protection

Posted in Other, Security on February 21st, 2013 by Robin

Regulating the relationship between individual employees and corporate data is one of the most challenging tasks faced by the IT department. On the one hand, companies have been calling for a more seamless flow of information across the organization so that each worker can let relevant and timely data shape their decisions. But at the same time, overly permissive practices may afford users more power than they are equipped to handle.

As a result, managers must align policy and technology to ensure the company is not promoting productivity at the expense of security and compliance.




Various Vulnerabilities

From satisfying HIPAA mandates to guarding trade secrets, companies are well aware of how important it is to protect their sensitive data. Too often, however, their focus is directed at the wrong targets. Considering the majority of data breaches are triggered by employee action, companies would be better served to get their own houses in order before worrying about external attackers.

It’s an unfortunate reality to think about, but there have been a number of cases in which malicious insiders abused their access privileges for personal gain. From hospital attendants selling personal health records to disgruntled software engineers downloading proprietary code to take to a rival, there may be more going on beneath the surface than administrators initially see.

Even if employees have only the best intentions, there’s no telling what could happen if someone gets a hold of their network privileges without their knowledge. In fact, some of the most damaging data breaches have followed that pattern. The scandal that shook the South Carolina Department of Revenue late last year began with a simple phishing email that enabled cybercriminals to usurp the credentials of a legitimate user with wide-ranging database privileges.

Comprehensive Solutions

While these scenarios may send chills down executives’ spines, the good news is that the solutions are well within their control. By developing and enforcing a role-based data governance system, IT teams can give users access to all they need to succeed without handing them added privileges which could be abused.

The first part of the equation includes categorizing data and applications according to sensitivity, and determining access needs for each employee group. Some rules will have to be customized to the individual, but it is important to establish the same sense of accountability from entry level to C-level by ensuring everyone adheres to the rule of least privilege.

Finally, IT teams must select their technology of choice to monitor access behavior and confirm group- and object-based rules are being followed. As network ecosystems expand to include more users, devices, and transactions, companies should look toward centralized platforms which afford administrators all the visibility they need to spot signs of trouble and intervene early.

If you would like help configuring the tools you own within IBM i, or would welcome an introduction to PowerTech’s security solution portfolio, send an email to robin.tatam@powertech.com.

Federal Reserve Falls Victim To Cyberattack

Posted in Other, Security on February 14th, 2013 by Robin

The Federal Reserve has been breached! BankInfoSecurity.com, an online security news source, reports that the attack occurred on February 3, 2013. Although the identity of the attackers has not been confirmed, claim has been laid by the hacktivist group Anonymous who announced that they broke into servers and accessed credentials and other information for more than 4,000 U.S. bankers.

It’s believed that the group may have taken advantage of a zero-day vulnerability—a newly discovered weakness that exists until a patch can be issued. This permitted the group to gain unauthorized access.




While your organization might not consider itself a comparable target to the U.S. Federal Reserve, don’t believe for a moment that size is all that matters to the nefarious! In fact, the political hackers that disrupted numerous major US banking organizations with distributed-denial-of-service (DDoS) attacks last year also set their sights on some comparatively small financial institutions in addition to the global giants.

An expert interviewed by BankInfoSecurity spoke to the difficulty in protecting against these opportunistic attacks. Instead, companies need to deploy strong detection capabilities so that an early warning can be received.

For those of you running on IBM i, consider the following action plan:

  • Configure IBM i’s integrated IDS (for an introduction, replay PowerTech’s recent IDS Webinar featuring IBM expert Lindsay Reiser)
  • Deploy an Exit Program Solution such as PowerTech Network Security to facilitate auditing and control of network-based access
  • Activate IBM i’s integrated auditing functionality (download the free white paper “Auditing In The Real World” from powertech.com)
  • Utilize real-time server monitoring technology such as Interact, PowerTech’s syslog agent

While the mindset that “it will never happen to us” has become less prevalent, there remains tremendous naivety in the IBM i community as so many still believe that the server is secure and not prone to attack. Sadly, as I work through the data for the 2013 State of Security Study, I see that this continues to be a fallacy.

If you would like help configuring the tools you own within IBM i, or would welcome an introduction to PowerTech’s security solution portfolio, send an email to robin.tatam@powertech.com.

Cheers!

—rt

PowerTech Scores Another Touchdown In the Security Super Bowl!

Posted in Auditing, Company News on February 7th, 2013 by Robin

As the most-watched TV sporting event of the year, last weekend’s Super Bowl between the Baltimore Ravens and San Francisco 49ers went from being totally one-sided to a pretty close call. Fans might cheer (or rant) that the 30-minute loss of power in half of the stadium—or the distraction of Beyonce’s sexy half-time show—was the only thing that allowed the 49ers to dig out of the hole they’d fallen into during the first half of the game, almost to pull an upset. Of course, many viewers watched only for the (over?) hyped TV commercials that cost close to $4 million for each 30-second spot during halftime. I won’t even start on the number of pizzas, hot wings, and beers consumed across the country. I’m no expert, but I’d say it probably wasn’t a good day of sales for Weight Watchers!

In the security “Super Bowl” we’re happy to announce that this week’s release of Authority Broker 4.0 furthers PowerTech’s lead over the competition, and has already been declared the clear champion in the game of managing powerful users!

“Why do I need to manage powerful users?” I’m glad you asked!

One of the most cited IBM i audit issues is overly-powerful users—too many users with the ability to view, change, or even delete data, and to run host commands against the server. Even after the field is cleared of users’ unnecessary privileges, the challenge of how to oversee those users that have a proven requirement to wield significant power remains.

Authority Broker is PowerTech’s award-winning solution for enabling a powerful user to obtain system privileges on an as-needed basis—the only way that an auditor accepts them. By elevating their security clearance from their existing profile, a powerful user can still perform necessary tasks, but now it’s completed with oversight. Timed access to privileges, clear and concise reporting of the normally complex command audit trail, and notification to security personnel led IBM to include Authority Broker on the roster of IBM-supplied CDs.

This latest version upgrade—free to any customer on maintenance—debuts a significant new audit feature: Screen Capture! When a user elevates privileges, the security team has the ability to designate that screen captures of their movements around the system should be collected. The biggest benefit of this play comes when the user enters a “tunnel,” such as DFU, STRSQL, STRSST, and QSHELL, where traditional command auditing goes dark. Imagine pulling up the user’s actual screens (either afterwards, or even as it’s happening!) to view their activity. Don’t like what you see? Kill their privileges! You can even designate that screens be saved to an indexed PDF and emailed to an interested party the instant the privileges are relinquished.

Authority Broker 4 with Screen Capture ushers in a new generation of user auditing. No longer will IT have to confess that they don’t know what the consultant or vendor really did on the production system. Like a referee with the luxury of instant replay, audit staff can now review every move and prove it—even viewing the audited user’s screen in a game-changing LIVE VIEW mode!

If you’d like to know how Authority Broker can bring home the security trophy to YOUR organization, give me a call.

Cheers!

—rt

Avoid the Hype; Avoid the Crash!

Posted in Security, compliance on January 31st, 2013 by Robin

As some of you know, I spent my formative years in the UK. The closest things we had to energy drinks back then were “Irn Bru” and “Lucozade.” I have no idea if there was a medical-based correlation, but the only time my mom “splurged” for a bottle of the latter was when I was sick.

My kids—like most teenagers—love energy drinks. Although I’ve had a couple of cans in my adult life, I don’t see the fascination with a quick burst of flavor, a racing heart, and a subsequent crash. But plenty of people do, making it one of the fastest-growing segments of the soft drink industry. Sadly, it seems the short-term spike in energy is now being accompanied by a spike in emergency room admissions.

We often observe a similar trend in security and compliance. A new threat comes around and there is an immediate surge as we scramble to develop and implement regulatory controls to prevent the second lightning strike. Likewise, some of the resulting solutions promise to pleasure our security taste buds with the quick fizz of compliance, only to leave us with some previously unknown side-effects—typically the crash that follows our realization that we didn’t properly eliminate the risk in the first place.

The software industry—like any dynamic community—sees companies that come and go. There is a flurry of activity as the “newbie” introduces what they tout as the latest and greatest technology. However, this is often followed by a lull as customers ultimately choose to partner with a company that will still be around tomorrow. PowerTech is not alone in the IBM i security space, but we have definitely been a constant—even when the economy saw many of our competitors cutting back. Over 16 years of tenure in the market has meant that we have seen other security organizations peak and fail; and yet we continue to grow stronger every year.

Our acquisition by Help/Systems in 2008 was a major milestone, benefitting us with the experience of a company that has lived on the top rung of the software industry ladder for more than three decades. Unbelievably, competitors actually called on our customers during the acquisition to advise them to expect game-over, but the reality was that we had further strengthened our position and were transforming quickly into the global force that we are today.

It’s not about introducing the new flavor of the month. It’s not about working with the wanna-be that has developed dozens of vague solutions. It’s about having market-proven solutions to the critical challenges YOUR business is facing. It’s about knowing that you can pick up the phone and talk live to a real person.

Ultimately, it’s about strengthening your own market position by partnering with your vendors… and no-one does partnering like us.

If you’d like to know how PowerTech’s security solutions are providing long-term benefits to organizations just like yours, give me a call.

Cheers!

—rt