Hi everyone!

After almost three weeks on the road in southern climes, I have returned to Minneapolis just in time to witness trees turning color and overnight temperatures slipping down into to the 40s. I am looking forward to being back in the office with the PowerTech team for a couple of weeks before I head South to San Antonio to present security sessions at COMMON.

Last week’s ISACA risk management conference in Las Vegas was a great success, and I had numerous conversations with auditors, IT staff, and others who were looking to understand more about managing security and compliance. While the IBM i platform may not be as common as others in the enterprise, I am happy to say that there were still a number of larger companies present who are entrenched on i. The new PowerTech security brochure was hard to keep on the table!

Based on various conversations, it seems that “proactive compliance” is something that everyone is aspiring to achieve, regardless of their platform affiliation. This is a term I use to describe the server doing the heavy lifting, rather than having to react to audits and security events. With fewer resources and more events to review, having to manually dig through configurations and event logs is something that is not going to be accomplished on a day-to-day basis. As such, there was a lot of interest in our Interact solution to report events in real-time to an enterprise monitoring solution. There was also much discussion about exit points, and it seemed that this is still an area that is thoroughly under-secured. Of course, we created our Network Security solution specifically to address that issue and so we are already setting up trials of this great solution for several of those organizations.

While I was in town, I also took the opportunity to meet one-on-one with a couple of large IBM i shops that have been looking at our security suite. I appreciated their time and interest, and I’m sure we’ll be doing business very soon. Las Vegas has always been a stable for IBM i systems, and many gaming organizations rely on the platform’s legendary security capabilities to host their application information. We are also considering this city to host one of our half-day workshops in the coming months.

One reason I am in Minneapolis this week is to spend time with the customers who have come to participate on the Help/Systems Advisory Board. This is a two-day event that gives us great insight into the various business challenges of our customers, and provides help with development direction for all of our various solutions. Of course, it’s not all about business; we are also planning to have some fun while they are here

You will be happy to know that I did get an opportunity to do some exploring while I was in Las Vegas last week. The first image I am posting here is a night shot of Hoover Dam, including the gargantuan new bridge that spans the famous chasm from one side of the canyon to the other. This bridge marks the state line for Nevada and Arizona, and also the jump from Mountain time to Pacific time. Unfortunately, I was unable to drive across the span as it is not going to be dedicated for another month. However, passing under the immense cement structure is awe-inspiring, and it’s a wonder to me how such a structure could ever stand up. The shot I have included was taken in near total darkness using a 60-second long exposure (as shown by the airplane trail coming over the hill in the center).

The second image I want to share is Arch Rock inside the Valley of Fire, Nevada’s largest and oldest state park. Located just 50 miles northeast of Las Vegas, the park is part of the Mojave Desert. I have visited the area several times, and each time I am humbled by the vast wilderness formed during the age of the dinosaur, approximately 150 million years ago. To anyone who has never visited this region, simply imagine landing on Mars! The red sandstone rocks and panoramic vistas are spectacularly desolate and dramatic. It’s amazing that such a landscape can be found so close (and yet seem so far) from the lights and dazzle of Las Vegas.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

Hi everyone!

Today is September 11th 2010, and I am writing this blog from 34,000 feet aboard a Delta flight.  I am happy to say that this started as a flight much like any other that I frequently entrust with my safety, but a brief cockpit announcement of the 9/11 anniversary—including an expression of gratitude to the men and women of the armed forces—was just met with a round of respectful applause by the entire passenger cabin.  I can’t help but think back nine short years ago (almost to the hour) when the World mourned, and our free lives changed forever.  Even though almost a decade has passed since these tragic events, it is still hard to even comprehend how and why thousands lost their lives that day, and how many thousands more were—and continue to be—affected by it.

Four years ago, an insurance company in Des Moines, Iowa, opened a temporary memorial with a flag representing each individual victim.  Each flagpole was labeled with a small yellow silk ribbon providing background information on every man, woman, and child whose life was lost that day.  While I am very proud that the following image won me a photography editing award, it is an image that I wish I had never had a reason to take.

The last few weeks have literally flown by with back-to-back business trips to Dallas, Atlanta, and now Las Vegas where I am headed to an ISACA risk management conference.

Not wanting to disappoint my regular readers, I have included a few recent photographs for you to enjoy after my security rhetoric.  I may need to put in a request for a bigger office soon as my walls are now totally filled with 16×20 frames.  But don’t worry; I will continue to shoot images for the blog, and I think today’s almost make up for foolishly leaving my camera at home during my recent visit to Pittsburgh.

But business comes first!

This week’s blog is a little longer than usual.  I hope that is okay with everyone as I close out my three-part introduction to the “7 Habits Of Highly Secure Organizations.” If you missed the first two parts of the series, you’ll want to scan back and read those before concluding with the final three habits today.

Habit 1:   Break The Ostrich Syndrome
Habit 2:   Develop a Security Policy
Habit 3:   Assess Current Standing
Habit 4:   Perform Security Event Logging and Review
Habit 5:   Use Existing “Best-of-Breed” Technologies
Habit 6:   Monitor For Ongoing Compliance
Habit 7:   Plan For The Future

Habit 5:  Use Existing “Best-of-Breed” Technologies

Take advantage of the expertise of companies that specialize in security technologies, and benefit from their R&D, industry knowledge, and dedicated development resources.  It’s not that you couldn’t hire staff and develop and support your own technologies, but auditors usually frown upon self-policing—somewhat akin to the fable of the fox guarding the hen house.

In addition, why spend countless hours performing repetitive tasks—sometimes relying on the manual review of thousands of log entries and events—when the technology exists to have the system notify you of an activity.  The criticality of security events typically means that you cannot afford to wait until month-end to discover a profile has been disabled, or a library deleted.  In addition, there are some types of activities that the operating system has no visibility to, such as downloading your payroll file via FTP.  In this case, it is imperative that you implement an exit point solution to ensure that accesses made to your server from your network are controlled—or at least audited.

As the leading provider of security solutions for IBM i, we at PowerTech still have a couple of tips for those that opt for commercial solutions: security technologies only add value in your enterprise if you deploy them (properly).  You should also leverage the security controls that are built into the operating system.  There are no “silver bullets” in security, and a realistic (and honest) explanation from the vendor of what their tools can and cannot do is critical.

Habit 6:  Monitor For Ongoing Compliance

Many people make the mistake of thinking that security is a final destination.  Hardly so; it is a more like a never-ending journey.  Even if you are “lucky” enough to escape the oversight of a government mandate or industry regulation, you probably still have a corporate or ethical responsibility to your clients, customers, and employees to protect various forms of information.

After you feel like you have accomplished becoming secure, your objective then alters to one of maintaining that security.  The best way to do that is via on-going compliance checks.

Not dissimilar to the initial assessment that helped to shape your security policy and subsequent server configuration in Habit 3, these compliance checks should verify that you are actually doing what your policy states you should be doing.  Find the cause of any non-compliant items and put additional controls in place to prevent them from recurring.  If you find that your business model has changed, you may need to adjust your policy to be a better fit to the current and future infrastructure.

In addition to compliance checks, use security tools to help keep you abreast of important events.  Don’t wait until the end of the month to discover something happened weeks earlier that caused a situation of non-compliance.  While this constant analysis might seem like a daunting task, the implementation of a good commercial security solution can alleviate much of the manual “heavy lifting” usually associated with this process.

Habit 7:  Plan For The Future

There is really only one definite in the world of technology: it won’t be the same tomorrow!  If you consider the technologies and challenges we were dealing with even just 10 years ago, you will see how much can affect your approach to securing it.

The events that happened exactly nine years ago have had a far-reaching impact on enterprise security, Disaster Recovery (DR) preparation, and operational resiliency.  Widespread adoption by businesses and consumers of internet-based technologies and powerful mobile devices such as phones, PDAs, iPads, and laptops now allow consumers and businesses to demand 24×7 access to information from anywhere around the world including coffee houses, book stores, or even while flying at 34,000 feet!

As businesses, we are forced to oblige these demands in order to stay competitive: we need to move product and services to more places, more quickly, and for less money.  And we have to do all of this while also dealing with more oversight; in other words, more compliance to standards, laws, and regulations.

While compliance requirements might change, it is extremely unlikely that they will lessen or go away.  My own recommendation is to look to the past to predict the future.  Privacy laws passed in California rolled quickly to more than 40 other states, and a Federal law is currently being discussed.  Businesses that are not required to be SOX-compliant are being forced to pass audits simply in order to do business with those that are.  While you may not be able to truly predict the future, it is a pretty safe bet to say that there will always be electronic data and the need to protect it, so keep your eyes on the horizon and prepare for a growing storm.

By working through and developing these seven habits you can become secure, and then maintain that security going forward no matter what new technology comes along.

Okay, now that you have persevered and learned the remaining security habits, please enjoy a few of my images from Dallas and Atlanta.  The first shot—which is one of my new favorites—was taken looking down the stairwell on the 14th floor of Dallas’ Hilton Anatole hotel.  I stumbled across this while I was searching for a better vantage point of the city, and I just loved this incredibly interesting pattern—it’s almost like an optical illusion.  It’s funny sometimes how great images just present themselves when and where you least expect them.

The next shot is of downtown Dallas, taken from atop the roof of the 30-story Renaissance Hotel.  I walked in and asked the concierge if there was anywhere within the hotel that might afford a panorama of the city.  Moments later, after it was determined that I wasn’t a “jumper” (apparently it has happened), I was escorted to the building roof by a security guard.  My gratitude goes to the folks at the hotel for being so willing to entertain my passion, and to give me an opportunity to witness such a spectacular view.

Due to a heavy electrical storm, my return to Minneapolis was delayed for a couple of hours on the tarmac at Dallas-Fort Worth airport.  Apparently, the ground crew is not allowed to prep the planes when there is the possibility of a lightening strike.  When we finally got to leave, my window seat afforded me on of the most dramatic sunset views that I have had the pleasure of witnessing.  This image, which I have entitled “an Angel gets her Wings,” is dedicated to my children’s maternal great-grandmother, Garland Reed, who had sadly passed from this world the day before.

Lastly, Atlanta revealed her surprisingly dramatic skyline.  Although my visit was brief, I managed to sneak a view of a small portion of it through the chain link fence of an overpass, and one from nearby Piedmont Park.

I hope you have enjoyed this “7 Habits” series, and will join me in San Antonio for COMMON’s regional event in October where I will be presenting this topic along with several others.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

One of the greatest challenges an organization faces when securing an IBM i environment is protecting the system from the people who are charged with its care: programmers, administrators, and security officers. These power users often need access to restricted objects and commands, but they rarely need that level of access 24 hours a day, and definitely not without accountability.

Join this session to learn about the vulnerabilities associated with powerful users. Then, explore Authority Broker, an award-winning approach to regaining the control your auditors demand while allowing your administrators and programmers to do their jobs.

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, October 20, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. A frequent speaker on security topics, he co-authored the RedbookIBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Jill Martin, PowerTech’s Product Support Manager, brings a strong IBM i background to any security discussion. Jill has worked in a number of roles in the industry, including technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Few areas affect the security of your IBM i server as much as your user profiles. Knowing how to configure and maintain user profiles correctly is critical to preventing unauthorized access to your data.

Attend this important session to learn about the security aspects of user profiles, including:

• Special Authorities
• Limited Capabilities
• User Class
• Group Profiles
• User Auditing
• Changing to the Authority of Another User
• Common Ways that Users Circumvent Authority
• V6R1 enhancements

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, October 13, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. A frequent speaker on security topics, he co-authored the RedbookIBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Jill Martin, PowerTech’s Product Support Manager, brings a strong IBM i background to any security discussion. Jill has worked in a number of roles in the industry, including technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

At one time or another, every system administrator and security officer faces the question “who did it?” IBM i can audit numerous events and you should be using its capabilities. However, what happens after you collect the event data? How do you convert the raw data into useful information?

Auditors and internal policy controls often require the review of numerous security details and configuration metrics. Not only is this time-consuming—especially when multiplied across many systems—it’s a resource-intensive process. Often, we do it only when we have to instead of as part of an ongoing security plan.

Join this Webinar to understand:

• How to configure IBM i to record system and user events
• What activities can (and cannot) be audited
• What mechanisms are available to extract audit data from the audit journal
• What other information does an auditor want to see
• How to step up to the next level of audit reporting with PowerTech Compliance Monitor

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, September 29, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. A frequent speaker on security topics, he co-authored the RedbookIBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Jill Martin, PowerTech’s Product Support Manager, brings a strong IBM i background to any security discussion. Jill has worked in a number of roles in the industry, including technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Did you know that IBM i includes powerful auditing features? In fact, our own class-leading audit reporting solution leverages the information captured by the operating system. Join this Webinar—based on content previously presented at COMMON—to learn about activating and configuring the auditing capabilities inherent to IBM i.

You’ll learn about:

• Security audit journal
• Audit data management
• Configuring the audit system values
• A user profile’s *AUDIT special authority
• Object auditing
• User auditing
• Basic reporting capabilities
• Advanced reporting options

You’ll also learn about what system auditing does NOT capture, and how to prevent it from causing you to fail an audit.

Attendees are eligible to receive a FREE Compliance Assessment.

Presenters
Main Presenter: Robin Tatam, PowerTech
Co-Presenter: Jill Martin, PowerTech

Wednesday, September 22, 2010
10 a.m. Central Time (15:00 GMT)

Cost
Free of charge

Registration
To register, please visit our WebEx site.

Speaker Bios

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for IBM i. A frequent speaker on security topics, he co-authored the RedbookIBM System i Security: Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Jill Martin, PowerTech’s Product Support Manager, brings a strong IBM i background to any security discussion. Jill has worked in a number of roles in the industry, including technical trainer, sales account manager, and most recently as a key member of the security team. Contact Jill at jill.martin@powertech.com.

Hi everyone!

This week I am flying down to Dallas, Texas, to conduct another security workshop with one of our regional partners, Clear Technologies. I also have plans to meet and have dinner with one of our many great customers. In the meantime, I am certainly not going to leave you empty-handed! Rather, here’s another couple of my “7 Habits of Highly Secure Organizations.”

If you missed last week’s blog, you’ll want to read back over the first two habits revealed in Part I. I am listing all seven of the habits again for you as a reminder:

• Habit 1: Break The Ostrich Syndrome
• Habit 2: Develop a Security Policy
• Habit 3: Assess Current Standing
• Habit 4: Perform Security Event Logging and Review
• Habit 5: Use Existing “Best-of-Breed” Technologies
• Habit 6: Monitor For Ongoing Compliance
• Habit 7: Plan For The Future

Habit 3: Assess Current Standing

After you have identified the desired standards for your security infrastructure, it is important to measure yourself against them. You will probably be startled by the results when you do this for the first time, but I would suggest that it’s far better to discover the gaps yourself than someone with malicious intent. As you review the findings, decide if the server’s security configuration needs to be adjusted, or if the security policy needs to be adapted to better match the needs of the business.

Self-assessment might seem like a good option, but I would argue that it’s not any where near as effective as a professional review. It’s a strange expression, but “you don’t know what you don’t know”, and a knowledgeable expert can zero-in on deficiencies that might not yet be identified in your policy. In addition, your own I.T. staff might not be the most objective in assessing the controls that they are often responsible for designing and maintaining. After all, who wants to audit their own work?

If you need one, PowerTech can get you started quickly with a free high-level assessment (see image inset) that compares your IBM i server against industry best-practices. The process only takes about 10 minutes, and the findings are interpreted with your team by an IBM i security specialist.

Habit 4: Perform Security Event Logging and Review

According to the annual PowerTech “State of IBM i Security” study, almost 20% of IBM i shops are still not performing any type of event logging. I would venture that this number would be even higher if we excluded those using the system events for High Availability (HA) replication, rather than for security monitoring.

Most regulatory and industry compliance standards require user activities and system events to be logged and stored for subsequent forensic analysis. The collection of audit data is a built-in function of the operating system; however you have to configure it. After determining what types of activities should be audited, there are several operating system commands to quickly and easily facilitate it.

The challenge for most enterprises lies in the review of large volumes of event log data, and this is usually best handled by a commercial solution. Even if there is no way to realistically review the raw log data (the operating system only includes some basic extraction commands), then I am still a proponent of collecting the data as you can always load a tool after a security event and review what was collected. If there is no audit data, there are no tools that can reconstruct it.

You will also typically be required to plan for the retention of the event log data, and should defer any decision about retention periods to corporate auditors, or legal advisors.

Join me here next week, when we’ll discuss the final three habits of highly secure organizations, and we’ll see if I have any news or pictures to relay from the home of the “Cowboys!”

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt