Archive for April, 2010

What Comes First: Security or Compliance?

Posted in Auditing, Other, Security on April 28th, 2010 by Robin

I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic difference between “security” and “compliance.”

Security is the act of creating a defense to prevent something from being attacked or injured. In the IT world, this usually means preventing unauthorized access to computer servers and, more importantly, to the application data that resides on them. For most businesses, the value of the technology infrastructure is found in the application data, as hardware can be replaced relatively easily. Data is usually our primary intellectual property, for example: our customer information, order history, vendor data, employee information, and credit card transactions. Securing the data asset is necessary to prevent damage—both accidental and malicious—to ensure that the data remains the property of the organization that owns it, and to allow it to add value to the business operations.

Although obviously tied to security, compliance is simply the adherence (and proof of adherence) to a set of baseline standards and procedures. While you can be secure without being compliant, and even be compliant without truly being secure, the terms are often used interchangeably. When I consult with PowerTech customers, I am usually asked to help achieve compliance, often with Sarbanes-Oxley or the payment card industry’s PCI-DSS standards. However, sometimes it is a worthwhile investment of time and money to set the compliance objective aside and simply review how secure you actually are.

Unfortunately (or thankfully, depending on your perspective!), it is not difficult to satisfy an auditor during an IBM i audit, because many of them really are not trained in auditing the i platform. While this sometimes leads to answering questions that don’t really pertain to us, it also means that we can potentially talk our way out of a compliance violation. Getting the auditors off our backs may seem advantageous in the short term, but it may be doing the organization a huge disservice in the long term.

One of the challenges is to educate customers that security is NOT a destination, but more of a journey. You can never really be 100% secure. New threats make security a continuously moving target, but regular compliance checks can help the server remain as secure as possible by assessing the risk posed by each threat and the vulnerabilities that expose you to it. But in order to do that, we have to accept a valid set of standards as our baseline.

So, back to our original question: Is PowerTech a security or a compliance company? Well, I say that we provide solutions that can align with both security and compliance objectives. Network Security’s access control facility, and Authority Broker’s restriction on powerful users, are both designed to provide tangible value to an organization’s security defenses. Compliance Monitor, a compliance tool per se, provides visibility into the security audit journal to enable security officers to respond in a more timely manner to possible intrusion events. These tools can also help satisfy common compliance criteria. For example, Network Security can satisfy a compliance requirement such as “audit and control access for network initiated activities,” and Compliance Monitor can generate compliance scorecards to compare security policy to current settings.

In summary, I am a proponent of working to secure a system and its data from common and known vulnerabilities first. This typically involves an audit of configuration and procedures against best practices, and the creation and maintenance of a detailed security policy. Once you do that, you can work to secure your environment using the policy as your guideline. Then you can “simply” monitor for ongoing compliance to your objectives and standards. PowerTech can help you navigate through the entire project cycle!

Have a wonderful week!

- rt

PowerTech Advisory Board, IBM i 7.1, Regulatory News

Posted in Other on April 20th, 2010 by Robin

Advisory Board

Last week was exciting, as PowerTech hosted an Advisory Board of customers from Minneapolis to the UK. The advisory board is a two-day session that is primarily an open forum about the security challenges that these companies are facing, and a discussion of how PowerTech solutions are helping mitigate many of them. It’s also an opportunity for our team to assign priorities for PowerTech’s future development initiatives that have been identified for the current product set, as well as to assess future directions.

PowerTech representatives spent time with each of the board members and performed product reviews to ensure that all of the members were up-to-date on the latest releases of our solutions. This also provided a great opportunity for networking between the members, and to get some insight into the creative ways that other organizations have deployed our products and services, especially in conjunction with many of the Robot solutions from Help/Systems.

Of course, it was not all work and no play. Although I won’t talk about individual scores—primarily as I didn’t get the highest—we all enjoyed a fun evening of bowling, pool, and dinner at a local entertainment center. The team-colored bowling shirts that had been designed for everyone ensured that the group competition remained intense but friendly.

Look for more of an overview of the Advisory Board in our upcoming edition of the PowerNews eNewsletter due at the beginning of next month.

IBM i 7.1 Released

IBM officially announced v7.1 of the IBM i operating system last week. Because of the numerous security enhancements introduced in V5R4 and v6.1, IBM gave some attention to other areas of the operating system this time around. However, some new details were presented to our advisory board and internal staff by Jeff Uhling, a guest speaker who visited us from IBM Rochester, home of the “AS/400.”

Some high level details of enhancements include:

  • Two new user profile parameters pertaining to automatic disablement of the profile after a defined period of non-use, or on a specific date. If you choose the inactivity option, you can select from 1-365 days. This functionality has been available via the Analyze Profile Activity (ANZPRFACT) command as part of the IBM Security Toolkit, but these parameters make it more mainstream.
  • Encryption enhancements include a field-level exit program. While read-based triggers previously were unable to perform changes to the data being read, this exit point’s program allows the data to be selectively decrypted. This exit program is not specifically tied to encryption/decryption functions, so expect to see other uses dreamed up by the ‘i’ community.
  • V7 enhances full disk encryption with the ability to start and stop encryption on existing auxiliary storage pools, instead of requiring a new ASP to be created.
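The first bullet describes a policy rather than a mechanism, so here is an added example of the review logic behind it: a small Python script (written for this page, not IBM's ANZPRFACT code or any PowerTech product) that walks a constructed list of user-profile records and reports which enabled profiles should be disabled, either because a configured inactivity interval (1-365 days) has elapsed since last use or because a specific expiration date has arrived. The record layout, the field names, and the rule that a never-used profile with an interval set counts as inactive are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Profile record as assumed for this example (not the real CHGUSRPRF layout).
@dataclass
class Profile:
    name: str
    status: str                     # "*ENABLED" or "*DISABLED"
    last_used: Optional[date]       # None = no recorded sign-on
    inactivity_days: Optional[int]  # 1-365 per the post, or None if unset
    expire_on: Optional[date]       # disable on this date, or None if unset


def interval_is_valid(days: Optional[int]) -> bool:
    """An unset interval is fine; a set one must be within 1-365 days."""
    return days is None or 1 <= days <= 365


def should_disable(p: Profile, today: date) -> Optional[str]:
    """Return the reason the profile should be disabled today, or None."""
    if p.status != "*ENABLED":
        return None  # already disabled, nothing to do
    if not interval_is_valid(p.inactivity_days):
        raise ValueError(f"{p.name}: inactivity interval must be 1-365 days")
    # Rule 1: a specific expiration date that has been reached.
    if p.expire_on is not None and today >= p.expire_on:
        return f"expiration date {p.expire_on.isoformat()} reached"
    # Rule 2: unused for at least the configured number of days.
    if p.inactivity_days is not None:
        if p.last_used is None:
            # Assumption for this example: no recorded use counts as inactive.
            return "never used"
        idle = (today - p.last_used).days
        if idle >= p.inactivity_days:
            return f"unused for {idle} days (limit {p.inactivity_days})"
    return None


def review(profiles: List[Profile], today: date) -> Dict[str, str]:
    """Map each profile that should be disabled to the reason."""
    findings: Dict[str, str] = {}
    for p in profiles:
        reason = should_disable(p, today)
        if reason is not None:
            findings[p.name] = reason
    return findings


# Constructed sample data; the review date matches this post's date.
REVIEW_DATE = date(2010, 4, 20)
SAMPLE_PROFILES = [
    Profile("JSMITH", "*ENABLED", date(2010, 1, 5), 90, None),
    Profile("CONTRACT1", "*ENABLED", date(2010, 4, 19), None, date(2010, 4, 15)),
    Profile("OPS", "*ENABLED", date(2010, 4, 18), 30, None),
    Profile("OLDADMIN", "*DISABLED", date(2009, 1, 1), 30, None),
    Profile("NEWHIRE", "*ENABLED", None, 60, None),
]


def audit_sample() -> Dict[str, str]:
    return review(SAMPLE_PROFILES, REVIEW_DATE)


if __name__ == "__main__":
    for name, reason in audit_sample().items():
        print(f"{name:<10} should be disabled: {reason}")
```

The two rules are evaluated independently, and the expiration date is checked first so a profile that is both past its date and idle is reported for the firmer reason. Profiles already at *DISABLED are skipped so a nightly run of the script stays idempotent.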

Regulatory News

In regulatory news, Washington became the third state to pass legislation incorporating the Payment Card Industry (PCI) standards to help financial institutions recover costs associated with credit/debit card breaches. Although there are some experts that doubt the effectiveness of such legislation (partly on the grounds that it really only affects those not already compliant with PCI regulations), HB1149 contains provisions for controlling organizations that process more than 6 million transactions per year. Recovery includes the cost of reissuing cards to Washington residents, as well as damages caused by defects in a vendor’s software or equipment related to encryption, if that defect caused the breach.

Have a wonderful week!

- rt

PowerTech Advisory Board

Posted in Other on April 16th, 2010 by Robin

The PowerTech team is busy this week with the PowerTech Advisory Board. Please check the blog next week for a recap of the advisory board!

PowerTech Advisory Board and the State of IBM i Security

Posted in Other, Security on April 6th, 2010 by Robin

It was a fantastic weekend here in Minneapolis, and certainly one of celebration! Good Friday through Easter Sunday is one of the highlights of the Christian calendar, but even if you have different beliefs, perhaps there were still chocolate eggs and bags of candy to enjoy, not to mention an absolutely glorious sunny and warm spring weekend—something Midwesterners are so incredibly ready for!

I spent the weekend with a couple of close friends and my two teenage kids, Jordan and Sydney, and we had a wonderful time out enjoying the sunshine, picnicking at a local park, riding some hair-raising rides at the (in)famous Mall of America, and paying a visit to the beautiful Minnehaha Falls. Although not quite as dramatic as the other two spectacular falls I have been fortunate to see this year in Niagara and Portland, this waterfall is a favorite attraction for visitors to Minneapolis, and is situated in a beautiful park close to the Minneapolis International airport.

This week is going to pass quickly, as we are busy preparing for the PowerTech Advisory Board, a consortium of large customers who will be converging on our corporate offices in Eden Prairie next week. The purpose of this session is to share strategic direction on PowerTech product development, as well as garner opinions and insight into the future security and compliance needs of our customers. We also conduct these sessions with the assistance of Help/Systems’ Robot customers, and always find them extremely beneficial in helping define needs, and to ensure that we continue to meet (and hopefully exceed) the high expectations that our customers have.

We are reeling a little from the fevered interest we have been receiving for the updated 2010 “State of IBM i Security” released last week. I conducted a Webinar with Jill Martin—who did much of the work around the updated copy—on the day we published it, and we were subsequently inundated with requests for copies of the study. We also received a wealth of interest in the use of our free assessment tool that (optionally) provides the data used in the report each year. Go to www.powertech.com for access to the full study, and to register for your own free system review using our Compliance Assessment tool.

I will also be teaching the PowerTech security workshop with local partner MSI Systems Integrators here in Bloomington. This is the last scheduled session, although we are discussing Chicago and Dallas as possible future host cities. If you think that you are in a geography that we should be visiting, send me a note at robin.tatam@powertech.com. I’d love to hear from you.

Have a wonderful week!