Archive for December, 2009

On the Last Day of Christmas, PowerTech gave to me …

Posted in Auditing, Security on December 22nd, 2009 by Robin

It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter officially began yesterday, the readers of this blog will know that we have been feeling it in Minneapolis for several weeks. December 21st is marked as Winter Solstice—the shortest day of the year due to the Earth’s tilt—so the good news is that summer is on its way. Ok, so I’m an eternal optimist!

In the spirit of the season, I thought I would create a last-minute holiday wish-list for the security officers that made Santa’s “good” list:

Perform an assessment

This is a good way to get the baseline metrics reviewed; identify the areas of weakness and strength so you can focus your resources where they are needed.

This one is a stocking stuffer, as PowerTech does it for free!

Create a policy

It is hard to measure your progress without a policy. You can even start with the open-source one at www.powertech.com!

Update your system values

Make sure that the server configuration reflects the directives in your security policy. After you set the correct attributes, use the policy feature of PowerTech Compliance Monitor to validate that nothing has changed with scorecard views of system value compliance.

Secure Your Borders

Internal employees are the cause of approximately 70% of data integrity events. Ensure that you don’t secure just your perimeter and leave corporate users with unrestricted network access. Any user with access to your servers should be audited and controlled. PowerTech’s Network Security provides both auditing and access control of powerful interfaces like FTP, ODBC, and remote command.

Don’t overlook your powerful users

Sure, we expect our programmers and administrators to run and maintain a system, but would we want them to have our social security numbers, bank balances, and the “skeleton key” to our corporate data? Try to reduce unnecessary assignment of special authorities, and then use a tool like PowerTech Authority Broker to facilitate on-demand access to super-users while auditing their activities.

Educate your staff

PowerTech conducts weekly online Webinars, as well as eTraining. In 2010, we are also taking some classes out on the road. Registration for the eTraining will open shortly at www.powertech.com. Get on our newsletter list while you are there and stay informed of events, as well as related security news and articles specific to IBM i.

We know that taking that first step can sometimes be a daunting one. If you are not sure how to get started, allow our team here to guide your compliance sleigh! After all, we have been doing it for years.

Happy Holidays!!

When Winter Moves In

Posted in Other, Security on December 15th, 2009 by Robin

Well, it may have held off slightly longer than normal, but we knew it would just be a matter of time. This past week my home state of Iowa was pummeled with ice, snow, and bitterly cold temperatures. Although my weekly trek between Des Moines and Minneapolis was delayed by a day, it didn’t take too long for the hard-working road crews to get the highway infrastructure moving again.

Although I have survived my fair share of Midwest winter storms over the years, it struck me how there is similarity between how winter storm contingencies are planned for and how enterprise security should be handled.

In a computing environment, it’s important to perform what is known as “data classification.” This is where data is identified by its criticality to the organization. Data that is public, easily recreated, or has less intrinsic value to the organization (perhaps historical information) typically has less importance than data that would be costly if it were damaged or breached. Most organizations have limited resources (funding, security staff, etc.) and so the more important data gets prioritized first.

This classification is also necessary for our city planners. Obviously, with limited snow removal equipment and plow drivers, there is no way that every road can be cleared simultaneously. Routes are classified according to their importance. Classifications might include interstates, main trucking thoroughfares, secondary roads, and residential streets.

The next task is to perform a risk assessment. This is an important process by which risk is assessed based on a couple of factors: vulnerability and threat. Vulnerability is the possibility of the incident; threat is the likelihood that the vulnerability will occur. By reviewing the classification, the vulnerability, and the threat, we get an assessment of risk. If one of the factors is low then the risk is generally also going to be low, and may even fall in the category of “acceptable risk.” If the cost to secure an asset is more than the business value of the asset, then management is not likely to want to spend the money on it.

In the case of winter, the vulnerability is whether a particular location could get a disabling snowstorm. There is high vulnerability in northern states such as Iowa and Minnesota, but not much vulnerability in the South. Even in places where there is vulnerability, the threat may still be low and may mean that we don’t see it as ‘high risk’ overall. The threat of a winter storm is obviously minuscule during summer months, but high between December and January. Accordingly, road maintenance departments know when to prepare their snow removal equipment for deployment, and to stock up on road salt and snow-melting chemicals.

There are cities that have occasional snowfall. I have been stuck in Dallas Fort Worth International airport when freezing rain has started to fall. The difference in how these locations respond is almost comical. It is like they grind to a halt over an incident that Minneapolis would handle in its sleep. This is because snow removal is not a major threat, and therefore is typically deemed as an acceptable risk. I remember a few years ago when Iowa actually lent plows to another state that suffered a crippling snow storm, and had only 1 or 2 plows of their own (for the whole state!).

When an incident is discovered or predicted, the emergency response teams are called in. They use an Incident Response Plan (IRP) to know how to respond. For computer security, this may mean performing forensic analysis, management notification, or even disaster recovery; for winter storms it is the carefully orchestrated plowing of streets, parking bans, and widespread public notification of school closures.

A post-incident review, designed to analyze how effectively the response teams handled the situation, is the last step to determine if changes need to be made to the response plan. This may include additional notification methodologies, or requirements for new or additional equipment. In 2008, Iowa started to implement laser-guided plows to enable more accurate plowing with less chance of damage to the roads, and to help weary crews who are often faced with 12+ hour shifts.

Occasional risk assessments should also be performed to confirm that the incident still carries the same level of risk. Risk levels will be affected by any need to reclassify the asset (data or road), as well as by new vulnerabilities or changes in threat levels.

So, if you live in a part of the world where snow—or any type of large natural event—is possible, imagine how the response teams might be using the very same type of risk management technique as your I.T. security staff.

Configuring IBM i Auditing Features—Webinar 1/13/2010

Posted in Webinars on December 10th, 2009 by Robin

Did you know that IBM i includes powerful auditing features? In fact, our own class-leading audit reporting solution leverages the information captured by the operating system. Join this Webinar—based on content presented at the 2009 COMMON conference—to learn about activating and configuring the IBM i built-in auditing capabilities.

You’ll learn about:

  • Security audit journal
  • Audit data management
  • Configuring the audit system values
  • A user profile’s *AUDIT special authority
  • Object auditing
  • User auditing
  • Basic reporting capabilities
  • Advanced reporting options

You’ll also learn about what system auditing does NOT capture, and how to prevent it from causing you to fail an audit.

Attendees are eligible to receive a FREE compliance assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, January 13, 2010
10 a.m. Central Standard Time (16:00 GMT)
Check our chart for your local time

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Reduce The Cost and Effort of IBM i Auditing—Webinar 1/20/2010

Posted in Webinars on December 10th, 2009 by Christopher

At one time or another, every system administrator and security officer faces the question “who did it?” IBM i can audit numerous events, and you should be using its capabilities. However, what happens after you collect the event data? The challenge becomes how to convert the raw data into useful information.

In addition, auditors and internal policy controls often require the review of numerous security details and configuration metrics. Not only is this painfully time-consuming—especially when multiplied across many systems—it’s a resource-intensive process that makes us do it only when we have to instead of as part of an ongoing security plan.

Join this Webinar to understand:

  • How to configure IBM i to record system and user events
  • What types of activities can (and cannot) be audited
  • What mechanisms are available to extract audit data from the audit journal
  • What other information does an auditor want to see
  • How to step up to the next level of audit reporting with PowerTech Compliance Monitor

You’ll also learn about what system auditing does NOT capture, and how to prevent it from causing you to fail an audit.

Attendees are eligible to receive a FREE compliance assessment.

Presenters
Main Presenter: Tom Huntington, Help/Systems
Co-Presenter: Jill Martin, PowerTech

Wednesday, January 20, 2010
10 a.m. Central Standard Time (16:00 GMT)
Check our chart for your local time

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Tom Huntington is Vice President of Technical Services at Help/Systems, Inc. and a 20-plus year veteran of the company. He oversees Webinars, business alliances, public relations, success stories, and large customer relationships, and ensures that Help/Systems’ software works with other major software and hardware vendors worldwide. Tom often speaks on automation topics, business intelligence, System i technology, and Help/Systems products, and hosts technical presentations on work management, security, automated operations, and backup/recovery. He has written several articles on automated operations and business intelligence for leading System i trade journals and newsletters.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Protect IBM i Data from FTP, ODBC, and Remote Command—Webinar 1/27/2010

Posted in Webinars on December 10th, 2009 by Christopher

PowerTech’s annual “State of System i Security” study shows that the vast majority of organizations still rely on menu security to protect their data. Unfortunately, users have access to numerous interfaces that completely bypass these controls, and make it easy to view, update, and even delete data in the database. If you need to comply with any type of regulation, or if you simply want to ensure the integrity of your application data, learning about the openness of these interfaces is critical.

Attend this informative Webinar to learn more about IBM i security and how to close the “backdoors” not covered by traditional menu security schemes. You’ll also learn how to implement policies that restrict access to only those users who need it.

Attendees are eligible to receive a FREE compliance assessment.

Featuring a live Network Security demo.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, January 27, 2010
10 a.m. Central Standard Time (16:00 GMT)
Check our chart for your local time

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

An Auditor’s View: Assessing your IBM i server in 15 minutes—Webinar 2/3/2010

Posted in Webinars on December 10th, 2009 by Christopher

For the past six years, PowerTech has compiled audit data trends from over 1,500 servers into the annual “State of System i Security” study. Each year, the study identifies many of the same vulnerabilities, suggesting that IBM i shops are still not where they need to be in terms of security and auditing. Join us for this Webinar where you’ll learn how to get started auditing your IBM i server, and how PowerTech’s compliance assessment tool can perform a personalized review of your environment—in under 15 minutes! You’ll learn about auditing these critical areas:

  • System Values
  • Network Access, such as FTP and ODBC
  • User Profiles
  • Special Authorities
  • Event Auditing

Attendees are eligible to receive a FREE compliance assessment.

Featuring a live Compliance Assessment demo.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, February 3, 2010
10 a.m. Central Standard Time (16:00 GMT)
Check our chart for your local time

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios
Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. As a frequent speaker on security topics, he was also co-author of the Redbook IBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by email at robin.tatam@powertech.com.

Jill Martin is Technical Services Manager with the PowerTech Group, and brings a strong IBM i background to a security discussion. Jill has worked in a number of roles in the industry including a Help/Systems technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Application Security: A Shared Responsibility

Posted in Other, Security on December 8th, 2009 by Robin

Last week I was on the road again, spending five days with a brand new PowerTech customer in Montreal, Canada. I always love these types of trips as they allow me to spend time with the customers who are really seeing the benefit of our solutions. It is also interesting to go to places that speak a different language, and all that entails.

It was an extremely productive trip, built around a packed agenda. Our original goal was to install our popular exit point solution, Network Security (NS), on two separate production machines, and start auditing the users’ activities that were previously invisible. I was also there to perform a formal security assessment; a combination of tasks that I expected would require some long days to accomplish in the time available.

When I arrived, I discovered that there was also a desire for me to help design a new security infrastructure for the application environment. A recent business acquisition, and an open vendor application environment, were driving the desire to secure user access based on business need, instead of hoping that users were doing only what they should. An admirable goal—and a service that we can certainly provide—but I didn’t anticipate we would have enough time to accomplish it during this particular trip.

The installation, initial configuration, and user training on Network Security went so smoothly that by the end of the first day we had already started to enter access control rules, and were hungrily awaiting more user transactions to come in. I was glad when my ‘trainee’ told me that he felt that the PowerTech software was intuitive and easy to use, and that the biggest challenge would be for them to identify whether a user was using a network access tool with approval or not (we later discovered that some activities were questionable). We also made some immediate and dramatic improvements in their security environment. For example, with a single NS rule we were able to protect the critical QSYS.LIB file structure from network access by any user on the system—even the ones with powerful access rights like *ALLOBJ.

Day two had me getting a jump-start on the security assessment, and some deeper insight into the strengths and weaknesses of this particular environment. Most of the issues were typical of most IBM i shops: overly powerful users, a few default passwords, some system value change recommendations, and confirmation of that open application data access model. And like most typical issues, some could be remedied easily; others require careful planning and testing. I had been able to perform some of the data analysis ahead of time using a proprietary data collection tool, and so I was able to provide the customer with a draft of the assessment for review before the end of the day.

Designing a resource security model for the corporate application was next. I’m always interested to see how so many commercial software vendors completely miss the mark when it comes to securing their application. I won’t name names, but this particular application relied on the QPGMR user profile owning the application objects and on base IBM i security to control user access. The problem with this approach is that most customers have no idea how to implement a solid security model. Leaving their application open, or worse, requiring that application users have *ALLOBJ special authority, is shameful. Engineering security into an existing commercial application is not easy. You often have little to no control over the way the application executes its code and the objects it accesses. Good security can be incorporated into an application much more easily when it is part of the design. For example, have a custom (non-IBM) profile own all of the objects. Also, don’t require that application users have special authorities for tasks that can be handled through application code (like starting print writers).

Why do we frequently see this openness? Honestly, I think it is for two main reasons. First, IBM i security knowledge is rare and it is easier to put the burden on the end customer as they are the “owner” of the machine. Sure, every customer has different configurations to be accommodated, but a little forethought goes a long way. PowerTech does this with our own applications, so we know it is entirely feasible even when we have no idea of the configuration of the customer’s server. Second, I think that many vendors believe that a wide-open application reduces the support burden. Ironically, designing the application correctly often means fewer calls, as there are no unknown variables at play. I personally feel the responsibility for a secure environment is shared by the customer as the owner of the data, and by the application vendors whose software we trust to house and maintain that data.

In this particular case, we were fortunate to be able to map out a detailed application model that would work without requiring any application modifications. We started by identifying the types of users on the system. We mapped those users into one of four new group profiles to make life much easier when granting access to the numerous application objects. We secured at the library level first, and then at the object level using a couple of authorization lists. The programs are configured to use adopted authority, providing the users with the necessary elevated access only when using the line-of-business application. The group profiles also provide *USE access to certain command line users when using Query/400. As you would expect, there were a number of additional tasks identified, including a creative modification of the application subsystem (as adopted authority does not normally carry through to submitted jobs).
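One way to lay out the group-profile, library, authorization-list and adopted-authority model just described, as an added CL example that is not the customer’s or PowerTech’s actual implementation; every profile and object name in it (APPLIB, APPOWNER, APPUSERS, APPQRY, APPDATA, ORDENT, ORDERS, JSMITH) is a hypothetical placeholder. It stops short of the subsystem change for submitted jobs, which the post does not detail.

```cl
/* Added example, not the customer's or PowerTech's own implementation.       */
/* All profile and object names are hypothetical.  Run from a profile        */
/* holding *SECADM and *ALLOBJ; each step can be re-run safely.               */

/* 1. A custom (non-IBM) profile owns the application objects.  It has no    */
/*    password and no special authority: nobody signs on as it, it exists    */
/*    only to own objects and to be adopted by the application programs.      */
CRTUSRPRF  USRPRF(APPOWNER) PASSWORD(*NONE) USRCLS(*USER) SPCAUT(*NONE) +
           TEXT('Owner of line-of-business application objects')
CHGOBJOWN  OBJ(APPLIB)        OBJTYPE(*LIB)  NEWOWN(APPOWNER)
CHGOBJOWN  OBJ(APPLIB/ORDENT) OBJTYPE(*PGM)  NEWOWN(APPOWNER)
CHGOBJOWN  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE) NEWOWN(APPOWNER)

/* 2. Group profiles: users are mapped into a group and authority is granted */
/*    to the group, not to each user.  Groups never sign on, so no password.  */
CRTUSRPRF  USRPRF(APPUSERS) PASSWORD(*NONE) SPCAUT(*NONE) +
           TEXT('Group: application users (access via adopted authority)')
CRTUSRPRF  USRPRF(APPQRY)   PASSWORD(*NONE) SPCAUT(*NONE) +
           TEXT('Group: Query/400 read-only users')
/* A user may belong to one primary group and several supplemental groups.   */
CHGUSRPRF  USRPRF(JSMITH) GRPPRF(APPUSERS) SUPGRPPRF(APPQRY)

/* 3. Secure the library first.  *PUBLIC is excluded; the two groups get     */
/*    *USE, which is enough to locate objects in the library but grants       */
/*    nothing on the objects themselves.                                      */
GRTOBJAUT  OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC)  AUT(*EXCLUDE)
GRTOBJAUT  OBJ(APPLIB) OBJTYPE(*LIB) USER(APPUSERS) AUT(*USE)
GRTOBJAUT  OBJ(APPLIB) OBJTYPE(*LIB) USER(APPQRY)   AUT(*USE)

/* 4. Then the data files, through an authorization list: one list entry per */
/*    group governs every file attached to the list.  *PUBLIC on the list is  */
/*    *EXCLUDE, the Query group gets read-only *USE, and the application      */
/*    group is deliberately NOT on the list; it reaches the data only via     */
/*    the adopting programs in step 5.                                        */
CRTAUTL    AUTL(APPDATA) AUT(*EXCLUDE) TEXT('Application data files')
ADDAUTLE   AUTL(APPDATA) USER(APPQRY) AUT(*USE)
/* Attach every file in the library to the list and make *PUBLIC authority   */
/* come from the list (*AUTL) rather than being set on each file.             */
GRTOBJAUT  OBJ(APPLIB/*ALL) OBJTYPE(*FILE) AUTL(APPDATA)
GRTOBJAUT  OBJ(APPLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)

/* 5. Adopted authority: while ORDENT is on the call stack, the caller runs  */
/*    with APPOWNER's authority to the files, so ordinary users need no       */
/*    private authority and no *ALLOBJ.  Adopted authority does not carry     */
/*    into jobs the program submits with SBMJOB; batch work needs its own     */
/*    arrangement, which this example does not cover.                         */
CHGPGM     PGM(APPLIB/ORDENT) USRPRF(*OWNER) USEADPAUT(*YES)

/* 6. Verify the result the way an assessor would.                           */
DSPOBJAUT  OBJ(APPLIB/ORDERS) OBJTYPE(*FILE)   /* expect *PUBLIC *AUTL APPDATA */
DSPAUTL    AUTL(APPDATA)                       /* expect *PUBLIC *EXCLUDE     */
DSPPGMADP  USRPRF(APPOWNER)                    /* lists programs adopting it  */
```

Because APPOWNER holds no special authority, a program that adopts it gains only the object authority the owner actually has, which is the point of using a custom owner instead of QPGMR.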

By the end of the week, we had accomplished everything outlined in the project scope; a detailed step-by-step task document would walk through the actual implementation of the object resource model for the application environment. There was even enough time left to help present PowerTech’s free weekly education Webinar; discussing the findings from our annual “State of System i Security” study.

I would like to thank the wonderful customer staff, Sylvain and Louise, for their kind hospitality and excellent French-English translation skills (putting my own to shame!). I am glad to report that everyone was extremely satisfied with what was accomplished in such a short period of time. I really enjoyed assisting them with all of their security initiatives, and I feel proud knowing that the data served from their IBM i servers is more secure than when I arrived.

If you weren’t aware that PowerTech performed professional services—revolving around our products, and also the base IBM i security controls—then I invite you to drop me a note. I think you will be pleasantly surprised to hear what we bring to the table.

Which leaves me with one final question: “Parlez Vous PowerTech?”

To (federally) regulate, or not to (federally) regulate: that is the question…

Posted in Security on December 1st, 2009 by Robin

Over the past few months, the press has been discussing increasing pressure to develop some form of government-mandated security breach notification infrastructure, and also reporting on whether the U.S. government will appoint a so-called “cyber czar.”

The immediate question that comes to mind is how a federal regulation would measure up against the plethora of state laws currently on the books. Interestingly, there are still several states that have not followed the California Act (SB-1286) that started it all in 2003. The residents of these states currently have no protection, and the Federal disclosure law would provide the coverage that they also deserve. While many state breach notification laws address electronically-stored data, the Federal law would likely be more encompassing of private information, regardless of how or where it is stored, as well as provide strict guidelines regarding how notification is handled.

Like any type of formal regulation, there are many arguments made for and against government control. Proponents cite the reduced cost and administrative overhead of complying with a single law rather than numerous overlapping state laws, and argue that there needs to be some form of oversight in order to prosecute those who do not adequately control access to our personal information. Detractors fear that legitimate firms are being burdened with the cost of compliance, while businesses that are not staying within the confines of the law continue to find workarounds and ignore the directives anyway.

Always of interest to me, we will likely continue to see a range of companies that are truly interested in protecting themselves from the staggering costs of a breach, while others will do the least necessary in order to satisfy a “checkmark” on an auditor’s questionnaire. And with auditors interpreting laws on a server platform that many are still not familiar with, it will continue to be a game of cat-and-mouse between the regulators and the security officers.

Whichever argument you feel carries the most weight, the exponential growth of breach events over the past few years is likely to drive change. Expect 2010 to see more government control over how we react to those events, as well as discussion regarding the consolidation of existing data notification and data protection requirements. For those firms “lucky” enough to have avoided the requirement to comply with formal regulations, be forewarned that those days are probably numbered.