Archive for January, 2012

More Regulatory Compliance Problems Solved

Posted in Other, Security on January 31st, 2012 by Robin

I had a very interesting discussion this morning with an organization that is subject to compliance with International Traffic in Arms Regulations (ITAR). In a nutshell, they were in a position of having to report to the U.S. Department of State that they were out of compliance, and obviously that was a situation that needed to be rectified fast!

If you are not familiar with ITAR, it requires this organization to certify that numerous critical files are secured from any type of access by a foreign national. In their case, they have a Canadian system administrator whose responsibilities and authorities make that hard to accomplish using only IBM i security controls.

While ITAR is not as common as Sarbanes-Oxley or PCI, its requirement to secure data from access by powerful users can be applied to virtually any environment. Users often are given privileges in excess of their business need, or have responsibilities that overlap security restrictions. In this particular case, there was a very valid concern that the administrator was responsible for save and restore activities and could create a duplicate of the private data. What they didn’t know was that this user also potentially could delete the original data using the “storage free” option, STG(*FREE), on the save commands: the save completes normally and the system then frees the object’s storage, leaving only the object description behind!

Fortunately, this customer has a solid foundation of object-level security, which makes the addition of any commercial solution more robust. I discussed the “defense-in-layers” approach that I’ve spoken of previously in this blog, since no one can absolutely guarantee that those files can never be accessed, at least not without removing the credentials belonging to any foreign national from the server. But we do need to make it as difficult as possible to perform tasks not specifically related to the job, and then put a detection layer in place so that any circumvention is discovered.
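As an added example (mine, not code from the original post and not one of PowerTech’s products), here is what that detection layer looks like using nothing but the operating system’s own security audit journal. The library, file and profile names ITARLIB, CUSTMAST and CANADMIN are assumed for illustration and do not come from the page:

```cl
/* Added example: a native IBM i detection layer for one sensitive file   */
/* and one privileged profile. ITARLIB, CUSTMAST and CANADMIN are assumed */
/* names. Every command below requires *AUDIT special authority.          */

/* 1. Create the audit journal if the system does not already have one.  */
/*    QAUDJRN must live in QSYS; QAUDCTL must include *AUDLVL and *OBJAUD */
/*    or the object- and user-level settings further down are ignored.    */
CRTJRNRCV JRNRCV(QSYS/AUDRCV0001) THRESHOLD(100000)
CRTJRN    JRN(QSYS/QAUDJRN) JRNRCV(QSYS/AUDRCV0001) MNGRCV(*SYSTEM) DLTRCV(*NO)
CHGSYSVAL SYSVAL(QAUDCTL) VALUE('*AUDLVL *OBJAUD')

/* 2. System-wide: journal save/restore operations, object management     */
/*    (move, rename, delete), security changes and authority failures.    */
CHGSYSVAL SYSVAL(QAUDLVL) VALUE('*SAVRST *OBJMGT *SECURITY *AUTFAIL')

/* 3. Object-level: every read and every change of the sensitive file is  */
/*    journaled, whoever performs it and whatever interface they use.     */
CHGOBJAUD OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE) OBJAUD(*ALL)

/* 4. User-level: journal every command string the privileged profile     */
/*    runs, its save/restore activity, and every object it touches, even  */
/*    objects that are not themselves audited.                            */
CHGUSRAUD USRPRF(CANADMIN) OBJAUD(*ALL) AUDLVL(*CMD *SAVRST *OBJMGT)

/* 5. Pull the evidence: object-restore (OR) and object-read (ZR) entries */
/*    for the file into an outfile that a report job or SIEM feed reads.  */
DSPJRN JRN(QSYS/QAUDJRN) ENTTYP(OR ZR) OBJ((ITARLIB/CUSTMAST *FILE)) +
       OUTPUT(*OUTFILE) OUTFILFMT(*TYPE5) OUTFILE(QTEMP/AUDOUT)
```

Two caveats a practitioner should keep in mind: the profile being watched must not hold *AUDIT special authority, or it can simply turn this off (changes to QAUDCTL and QAUDLVL are themselves recorded as SV entries while *SECURITY is active, so at least the act would be visible), and the journal receivers should be saved to media that the same administrator does not control. This gives the audit trail the post describes; real-time escalation still needs something reading the journal continuously.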

We discussed several of PowerTech’s products during the call as they can immediately add significant value to this type of environment. Our solutions are modularized for those customers that require only specific functionality, but also have synergy when deployed together. Network Security provides firewall protection to prevent the data from being moved off the machine through tools such as FTP and ODBC. Interact enhances the firewall even further by monitoring both IBM i events and PowerTech solutions in real-time and escalating its findings to an enterprise monitoring solution. Our latest addition, Command Security, can ensure that restore operations involving these files and this user are performed only to the original library, and that copy or file editor commands are restricted and notified upon use. Authority Broker audits all commands entered by a privileged user, and DataThread can issue an alert when a user simply views a record in a restricted file.

In this case, the primary objective was definitely to prevent access. Export-controlled or classified national security data (or medical or credit card data, for that matter) is best served by preventing a user from seeing it in the first place. But if doors were guaranteed to be 100% secure, we wouldn’t need security cameras in the hallways. And it’s the same with data; without anyone being able to guarantee 100% that data never will be accessed, it’s just as critical to have that audit trail of access and real-time monitoring in place.

I’m excited to work with this customer as I love a challenge. They seemed thrilled to have someone on the line who understood the difficulty in trying to remediate this situation. And, they were even more excited that a company as reputable as PowerTech already had tools that could potentially help change their compliance standing with the U.S. Department of State.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Zappos breach may have a cascading effect

Posted in Other, Security on January 26th, 2012 by Robin

It’s been a remarkably mild winter so far here in Minnesota and we’ve seen the cancellation of several winter events due to the lack of snow and ice. The only commercial interests not feeling the pinch are those with capabilities to make their own snow. But last week, we finally got a cold (pun intended!) dose of reality in the Upper Midwest. Temperatures dipped down into the negatives, several inches of snow and freezing rain fell, and Minnesota experienced a day with more than 600 traffic accidents!

Fortunately, we have efficient heating systems here and have been heads down working on an upcoming product announcement, as well as a campaign about our free Compliance Assessment service. I’ve been squaring off with icy roads while out and about performing a number of deep-dive assessment contracts—I’m still amazed how many folks don’t know that we can help with general IBM i security services.

Last week, Help/Systems closed the books on a record 2011, and embarked on the journey to an even bigger goal for 2012. We’ve been making numerous organizational expansions to facilitate the next stage in our corporate growth. I’ve joined a new Technical Services team that consists of solutions experts across our various lines of business. As an ISO-certified software development company, we’re used to standardized quality procedures, but now we’re identifying ways to leverage the many years of experience held by the various product evangelists for the common good. It’s a very exciting time to be part of Help/Systems and to see the investment in our strategic growth.

On the security front, if you’ve never taken proactive steps to secure your IFS, you might want to keep an eye on your inbox for an upcoming edition of PowerNews. I’ve put together information on common IFS vulnerabilities, along with some basic steps that you can follow to help control access. It’s probably one of the most neglected areas of configuration and one of the most commonly requested areas for help.

Some recent newsworthy security items have included the arrest of a programmer at the Federal Reserve on charges of stealing software used by the Department of the Treasury, and a breach at online retailer zappos.com that could affect 24 million customers. Fortunately, it appears that Zappos had their own critical data protected with encryption, but customer passwords might have been exposed. The primary concern now is that customers who reuse the same password on other websites (such as personal banking and investment websites) will become victims of subsequent crimes. I’d say it sounds like a good time to check your own vulnerabilities.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

From Snapshot to Masterpiece!

Posted in Other, Security on January 16th, 2012 by Robin

Most of you probably know that I’m an avid photographer and that my interest focuses (pun intended) on an emerging photographic technique called High Dynamic Range (HDR) imaging. This process helps to address one of the most frustrating challenges a photographer will encounter, where a camera can capture only a fraction of the contrast seen by the human eye. Either the ground is exposed correctly and the sky is too bright, or the sky is okay and the foreground is too dark. And, if you’ve ever tried taking a photograph that included parts from both inside and outside of a building, you’ll recognize immediately what I’m talking about. HDR combines three or more photographs taken at different exposures to form a single image that can span a far greater dynamic range than any one photograph ever could. For some phenomenal examples of HDR, check out www.hdrcreme.com.

So, why am I talking about HDR in an IBM i security blog? Well, there’s an interesting similarity between the two topics. Just like photographing a high-contrast scene, no single security control or add-on application is going to make your IBM i data completely safe from misuse. The best protection comes from combining several different security measures to form a more complete picture. While the term “exposure” carries a very different connotation in security versus photography, I want you to think of it today in the context of three variations, each used to address one specific part of the picture.

IBM has taken the first of our three main “exposures” by integrating extremely robust security controls into IBM i. There are dozens of options for user profiles, such as password settings and special authorities, and a set of system values for the server itself. Objects and libraries can be secured quickly and effectively through a number of authorization commands, and, with the system running at security level 40 or above, the resulting object authority is enforced by the operating system itself and cannot be circumvented by any known mechanism. The one caveat is that a profile holding *ALLOBJ special authority is granted access regardless of object authority, which is why special authorities belong on this list in the first place. All this adds significant value, but has left some administrators wondering how their data or server still was compromised. The problem stems from the fact that the controls may be complex, aren’t always particularly flexible, and don’t have the necessary functions to do everything the modern Security Officer and auditor require.
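As an added example (mine, not from the original post), this is what that first “exposure” looks like in practice: locking one library and one file down with the integrated authority commands and then verifying the result. ITARLIB, CUSTMAST, ITARGRP, ITARAPP and CANADMIN are assumed names chosen for illustration, not anything from the page:

```cl
/* Added example: deny-by-default object authority on IBM i using only   */
/* the integrated commands. All library, file, group and profile names   */
/* (ITARLIB, CUSTMAST, ITARGRP, ITARAPP, CANADMIN) are assumed.          */

/* Foundation check: below QSECURITY 40 a program can reach objects      */
/* through unsupported interfaces and sidestep authority checking, so    */
/* nothing below means much unless this shows 40 or 50.                  */
DSPSYSVAL SYSVAL(QSECURITY)

/* The library: *PUBLIC cannot even see into it, and any object created  */
/* in it later inherits *EXCLUDE for *PUBLIC instead of the shipped      */
/* default of *CHANGE.                                                   */
RVKOBJAUT OBJ(ITARLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*ALL)
GRTOBJAUT OBJ(ITARLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
CHGLIB    LIB(ITARLIB) CRTAUT(*EXCLUDE)

/* The file: *PUBLIC excluded, the business group read-only, and only    */
/* the application profile that maintains the data allowed to change it. */
GRTOBJAUT OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE) USER(ITARGRP)  AUT(*USE)
GRTOBJAUT OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE) USER(ITARAPP)  AUT(*CHANGE)

/* An explicit private *EXCLUDE for the profile that must not see the    */
/* data. This is ignored if that profile holds *ALLOBJ special authority,*/
/* which is exactly why the final two commands exist.                    */
GRTOBJAUT OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE) USER(CANADMIN) AUT(*EXCLUDE)

/* Verify: the authorities actually in effect on the file, the special   */
/* authorities of the excluded profile, and every profile on the system  */
/* that holds *ALLOBJ and would walk straight past the settings above.   */
DSPOBJAUT OBJ(ITARLIB/CUSTMAST) OBJTYPE(*FILE)
DSPUSRPRF USRPRF(CANADMIN) TYPE(*BASIC)
PRTUSRPRF TYPE(*AUTINFO) SELECT(*SPCAUT) SPCAUT(*ALLOBJ)
```

The order matters: the library is closed first so that nothing inside it is reachable while the file authorities are being changed, and the PRTUSRPRF report at the end is the list of profiles for which object authority alone is not a control.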

The next “exposure” balances the first and is provided by PowerTech. Our solutions are not designed to replace the security functionality integrated into the operating system—no solution can ever do that. However, they can make the existing controls easier to use. They also extend the capabilities that IBM i doesn’t inherently provide. Things like real-time event monitoring, audit reporting, powerful user control, and controlling access from PC interfaces are just a few quick examples. Commercial security solutions often are deployed over a foundation of minimal IBM i security and, while this provides better protection than nothing, it’s always best when the two are implemented together.

Lastly, the Security Officers (SO) are responsible for providing the final “exposure.” This provides the balance between the other two and helps form the final picture. So what do these SOs have to do? Quite simply, they must USE the tools they are given! Year after year, PowerTech’s security study shows that far too many organizations are leaving all of the security settings in IBM i at their default shipped value. They often don’t realize that those defaults leave their system wide open. Some of them have purchased and installed third-party tools, however many don’t take advantage of their full capabilities. Without these users providing that final “exposure,” the effectiveness of the operating system’s controls and any add-on tools is reduced significantly.

Just like a single photograph that fails to capture the full range of contrast of a scene, the end result of relying on only one “exposure” of these three security components can result in grave disappointment. By extracting the best parts of each of the three “exposures,” we take advantage of their synergy.

If you would like to learn how to combine all of the three exposures I’ve outlined (in your photographs or IBM i security) please feel free to contact me at robin.tatam@powertech.com.

Cheers!

- rt

Start 2012 With A Clean Slate

Posted in Other, Security on January 5th, 2012 by Robin

Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. Privacyrights.org, a consumer advocacy organization, reports that 2011 witnessed a staggering 547 breaches involving more than 30 million records. Companies ranged from small non-profits all the way up to industry giants such as Bank of America, Sony, and Epsilon. Interestingly, 86 of those breaches (involving almost 120,000 records) involved insiders with some level of legitimate access. With mitigation costs now surpassing an estimated $200 per record breached, we’re talking about some pretty serious money!

With all of the current investment and focus on legislative compliance, how is this even still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, one of the biggest culprits is that too many companies are focused solely on achieving compliance at the expense of security.

A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But do we let newly “certified” drivers loose on the busiest of highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to be considered. The flaws in the guidelines start with the assumption that everyone else also is adhering to the same rules—something that every speed limit sign and red light camera knows isn’t true. And experienced drivers understand that there are many things that aren’t even included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and even improvise—sometimes with little or no warning—to avoid an unplanned disaster.

The same holds true with computer security. Regulations like Sarbanes-Oxley and HIPAA were never intended to intricately detail how to protect your IBM i database from every possible type of misuse. These two common regulations, and many others just like them, are nothing more than basic guidelines for governing access to critical business data. While important, focusing solely on satisfying compliance can be misguided, and might lead an organization into the assumption that they are also secure. In 2011, hundreds of organizations joined the ranks of those that have already discovered the reality of this assumption.

Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure undoubtedly will make that objective easier to achieve. New business processes and procedures typically will be required by a compliance standard, but the technology aspect of compliance usually is left to interpretation of an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that compliance directives not be relied on as the sole guideline to protecting data access.

In the analogy of our new drivers, testing is important and has its place to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and deploying good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.

Businesses are going to have to get smarter and more committed to security. They must allocate a budget to assess and mitigate the largest risks, and acknowledge that, sooner or later, controls probably will be compromised. The goal is to develop a plan to address possible breach scenarios BEFORE you’re unlucky enough to find yourself in the midst of one. The plan should include the deployment of appropriate technologies to assist with the timely detection and alerting of a problem, but also (gasp!) the training of employees who are designated to respond and react. This is not just theoretical as a number of recent breaches involved warning signs that were not correctly responded to. Many employees never receive adequate training on their company’s security tools—this simply leads to a false sense of security by management.

Don’t secure only the data at rest in the data center; take a look at the entire data lifecycle. And, expect the unexpected. Many of the breaches from last year involved the collection of credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and even unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify this like a traditional breach, the Ponemon Institute reports that it happens 637,000 times at U.S. airports every year!

For most organizations, corporate budgets already have been established for the upcoming year. If yours doesn’t include monies for security-related projects, focus on fully leveraging the existing investments and the staff resources already in place for now. Ensure that employees are trained and optimizing the tools they’ve been given. And remember, while we hope that this year shows a vast improvement over last, it’s never too early to start planning for next year.

In 2012, let’s all resolve to start taking security more seriously.

If you would like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt