Archive for August, 2010

7 Habits of Highly Secure Organizations Part I

Posted in Other, Security on August 26th, 2010 by Robin

Hi everyone!

One of the presentations I make to the IBM i community is coyly entitled “7 Habits of Highly Secure Organizations.” Although the title is just a play on the name of the famous series of books by motivational speaker Stephen R. Covey, its message is intended to identify several important habits that companies need to consider as part of an overall strategy for becoming secure, and then compliant. I am not really suggesting that these are the only habits you’ll need, but these ones are imperative for those organizations struggling to get started.

I have listed all seven of the habits below, and over the next few weeks I will give an explanation of what I feel each of them might mean to your organization.

  • Habit 1:  Break The Ostrich Syndrome
  • Habit 2:  Develop a Security Policy
  • Habit 3:  Assess Current Standing
  • Habit 4:  Perform Security Event Logging and Review
  • Habit 5:  Use Existing “Best-of-Breed” Technologies
  • Habit 6:  Monitor For Ongoing Compliance
  • Habit 7:  Plan For The Future

Habit 1: Break the Ostrich Syndrome

The first habit to adopt—or break, depending on how you look at it—is to realize and acknowledge that the IBM i server is NOT inherently secure. Realize that I said secure and not securable, and the distinction comes from the fact that the server ships from the factory with its security configuration pretty much wide-open. To be fair, IBM has never said that you are going to be secure simply by plugging your IBM i into an AC outlet, but it’s staggering how many assessments we perform showing critical application data openly accessible to users of tools like Microsoft Excel or FTP.

Application developers often do not put much thought into that aspect of their programs; even many commercial application vendors add very little value when it comes to securing the data within their application.

Mitigation of security risk usually takes money, often takes time, and definitely takes expertise, but we all know that these three factors—money, time, and skill—are not things that just fall from the sky. Habit #1 requires us to acknowledge that there is some level of risk, and that we need to plan for the appropriate application of all three factors to bring that risk to an acceptable level.

After that, rest assured that the IBM i is one of the most securable servers on the market!

Habit 2: Develop a Security Policy

If you don’t have a policy to oversee the numerous security controls and procedures in your environment—both for IBM i and beyond—then you stand very little chance of being able to maintain a clean configuration for any period of time. The bottom line is that computer servers don’t secure themselves! Even with the best of intentions, we are only human and usually become complacent unless we have controls and procedures in place to keep us true to those intentions.

Consider starting out by developing a policy based on industry best-practices. From there, customize the policy in conjunction with an assessment of the level of compliance of your current environment. This allows the determination of an appropriate balance between allowing the business to function, and affording it the security that prevents it from being abused.

It’s important that the security policy not be designed and implemented only by the IT department. This is not unusual, but to be successful there needs to be executive sponsorship and management buy-in. This ensures that the standards contained within the policy are consistent with the corporate directives and can be enforced; it’s tough to enforce strong password rules when the CEO doesn’t agree and writes his down on a post-it note!

Don’t make the mistake of having executives involved in technical decisions—they may not understand nor care—but instead place the responsibility for interpreting and documenting how to secure specific systems in the hands of a security officer, and task the security administrator with setting and monitoring the configuration involved to be compliant with the security policy.

The security policy should be a dynamic document with a defined lifespan. This helps to ensure that it stays abreast of changes in your business, your industry, and the types of technologies that your organization leverages.

Join me here next week, when we’ll discuss more habits of highly secure organizations.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Pittsburgh, PA: City of Bridges

Posted in Other, Security on August 18th, 2010 by Robin

Hi everyone!

Anyone who has been following my blog this year knows that I am an ardent amateur photographer. It’s a hobby that I have enjoyed since my teen years, and I have progressed gradually from a cheap film-based point-and-shoot camera through to my current choice of a Sony A100 D-SLR.  In fact, one of my proudest moments was when two of my efforts were rewarded with 2nd place awards alongside the 3rd place award given to my (then) 11-year old daughter, at the Iowa State Fair. With the frequent travel that my job entails, I am very fortunate to have the opportunity to visit many places that I might otherwise never have seen. I love to create memories of the cities and landscapes that have impressed me; visitors to my office at PowerTech are now greeted with four walls filled with framed prints of my favorites. Humorously to me, you will even find a few of them adorning the walls in the Help/Systems’ restrooms!

Last week, I committed the cardinal sin of photography and decided to leave my camera at home. Sadly, it wasn’t even an oversight; rather a conscious decision to save lugging more stuff through an airport. A friend asked if I was taking my camera, but (and I apologize if this offends anyone) a 36-hour whistle-stop trip to Pittsburgh, Pennsylvania, was not a journey I anticipated presenting much photographic opportunity. Besides, I knew that in a pinch I always had my trusty Blackberry PDA—a device that’s practically velcro’d to my hip, and that has a fairly respectable 3-megapixel camera built in.

The purpose of my first ever visit to Pittsburgh was to meet with a couple of large PowerTech customers, and to discuss the possibility of hosting a security workshop with one of our regional business partners. After those productive meetings, I headed back to the hotel and prepared for a “suitcase” evening. This is an expression I use to describe when I am on the road, and I grab a quick bite to eat and then work from my hotel room. However, one of my personal goals for the next couple of weeks is to try to capture an image of the Minneapolis skyline at night (can’t forget the home town after all). As such, I began to ‘google’ images of our downtown—an area that is still not overly familiar to me. As I planned out a couple of good vantage points to visit upon my return, I decided to do the same search for Pittsburgh.

To say that I was surprised at what I found is definitely an understatement! Thanks to the Internet, I discovered that there is a fantastic skyline of the entire downtown area, and one that is readily accessible from numerous dramatic lookouts atop the opposing hill; an area known as Mt. Washington (previously Coal Hill). There were still a couple of hours before dark, so I decided to make an effort and jump into my rental car and see if it was a place worth returning to the next time I am in town.

Overlooking Heinz Stadium, home of the Steelers football team, as well as the two rivers that converge around the city, the picturesque walk along the aptly-named Grandview Avenue offers breathtaking views of a panorama that I was shocked to find was, in my humble opinion, at least as good as the one I saw earlier this year in Manhattan. Two funicular railways run at opposing ends of the street, and provide riders with a quick and affordable way to traverse the side of the hill. The riverfront area at the bottom was alive with hip restaurants, shopping, and restored artifacts from the city’s history as a producer of steel. While I was there, a gathering of motorcycle enthusiasts provided the hustle and bustle, but I get the sense that the district is a constant hub of nightlife activities.

Pittsburgh is known for its vast number of bridges, facilitating a network of routes to join the city with her surrounding communities. Some estimates have the number exceeding Venice, Italy! These are not characterless bridges providing only function, but many are historic and have been restored to their original glory.

There are a number of places that I like to call my travel favorites; locations I like to visit whenever possible. Surprisingly to me, Pittsburgh has just jumped clear to the top of that list. And next time, I promise, my camera and tripod will be in-tow! If you get an opportunity to visit, be sure to check out the riverfront area and ride the incline rails to the top of the Mt. Washington hill. If you appreciate man-made beauty, it will be the best $2 you will ever spend – I guarantee it.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

PowerTech’s Open-Source Security Policy Is Getting a Facelift

Posted in Company News, Other, Security on August 11th, 2010 by Robin

Hi everyone!

As we quickly roll towards back-to-school time, Mother Nature is cooking Minneapolis with summer temperatures and the kind of humidity that the Midwest is known for. Despite the heat, the city still has a few fun tricks up her sleeve with the Minnesota State Fair and Renaissance Festival just around the corner.

Last weekend, I spent a few days up at the (much) cooler Lake Superior—a quick 2 hour drive from the Twin Cities. Although the drive along the North shore is renowned for its spectacular Fall colors, the scenery along the way was still very beautiful and afforded me the two photographic images included here. The first is of the dramatic Aerial Lift Bridge in Duluth, a vertical lift structure which, at its peak, raises and lowers 25-30 times a day to allow tall ships to pass under its road and walkway. The other image is of Split Rock Lighthouse, a dramatic cliff-top building that celebrated the centennial of its first lighting just a few weeks ago. Although it is no longer a working lighthouse, it was built in response to the loss of 29 ships in a storm some five years earlier. You can find Split Rock Lighthouse State Park about an hour north of Duluth. I can’t wait to go back and experience this whole region later in the season.

Back at PowerTech, the Fall is already gearing up to be filled with the colors of busy! I have a security workshop scheduled in Dallas on September 1, and one in Atlanta on September 8.  We anticipate a couple more workshops to be scheduled before closing out the year, so watch this space! After Atlanta, I head to Las Vegas for the ISACA Risk and Compliance Conference, and then on to San Antonio to present four security sessions at COMMON in early October. If you plan to be at any of these events, I invite you to stop by and say hi!

One of the initiatives that the PowerTech staff is currently working on is to give our open-source security policy a facelift. This popular document will continue to be a free resource to the IBM i security community, and we invite anyone to download, edit, and return the changes to us for possible (and credited) inclusion in a future edition. If you do not currently have a security policy—and a surprising number of ‘i’ shops don’t—then this is a great place to get started. Look for the announcement of the publication of this updated document in a future blog/twitter/newsletter posting.

I am headed off to Pittsburgh, PA, tomorrow to visit a couple of large customers. We are planning to discuss how our tools are deployed to protect their Enterprise, and to look for some ways that they can squeeze even more mileage out of their investment. As regular readers of this blog will know, this is one of my favorite “pastimes,” as I love to see our solutions hard at work!

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Can a Better Security Solution Help You Save on Insurance Rates

Posted in Other, Security on August 6th, 2010 by Robin

Hi everyone!

I can’t imagine we’ll ever see a gecko selling it on television, but I just read an interesting blog on the topic of cyber liability insurance, by Linda Harty of SystemiNetwork.com.  The premise of the discussion was that obtaining specialized insurance to insure against the costs associated with data breaches is not only for large corporations, but rather for anyone whose business is connected to the Internet (virtually everyone).

Linda’s blog taps into commentary made by a managed hosting provider who suggests that the need for this type of insurance coverage stems from the fact that there may be activities, such as hacking and system attacks, which are not covered under general liability, or errors and omissions insurance.

Another issue cited in the blog is that this is a new type of insurance and therefore there’s not much precedent (yet) of claims to base premiums on. As such, the process of determining risk typically involves individually assessing the type of data being processed, how much data is maintained, and, especially, how good the security controls are.

While the IBM i has an enviable reputation as one of the most securable platforms available, the issue is that the included controls are often not well implemented. There also is typically a need for commercial tools to help to secure a system—from exit point programs to powerful profile management to audit reporting—as well as to help provide alerts of events that are happening as they happen.

At PowerTech, I have never really considered our solutions as providing a way to potentially reduce the cost of insurance.  However, with the exponential increase in the number of data breaches, and the fact that we provide the type of security controls that reduce the risk of (and increase the visibility to) those breaches, I see that as becoming another part of your return on security investment (ROSI).

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt