Most of you probably know that I’m an avid photographer and that my interest focuses (pun intended) on an emerging photographic technique called High Dynamic Range (HDR) imaging. This process helps to address one of the most frustrating challenges a photographer will encounter, where a camera can capture only a fraction of the contrast seen by the human eye. Either the ground is exposed correctly and the sky is too bright, or the sky is okay and the foreground is too dark. And, if you’ve ever tried taking a photograph that included parts from both inside and outside of a building, you’ll recognize immediately what I’m talking about. HDR combines three or more photographs taken at different exposures to form a single image that can span a far greater dynamic range than any one photograph ever could. For some phenomenal examples of HDR, check out www.hdrcreme.com.

So, why am I talking about HDR in an IBM i security blog? Well, there’s an interesting similarity between the two topics. Just like photographing a high-contrast scene, no single security control or add-on application is going to make your IBM i data completely safe from misuse. The best protection comes from combining several different security measures to form a more complete picture. While the term “exposure” carries a very different connotation in security versus photography, I want you to think of it today in the context of three variations, each used to address one specific part of the picture.

IBM has taken the first of our three main “exposures” by integrating extremely robust security controls into IBM i. There are dozens of options for user profiles, such as password settings and special authorities, and a set of system values for the server itself. Objects and libraries can be secured quickly and effectively through a number of authorization commands, and these cannot be circumvented by any known mechanism. All this adds significant value, but has left some administrators wondering how their data or server still was compromised. The problem stems from the fact that the controls may be complex, aren’t always particularly flexible, and don’t have the necessary functions to do everything the modern Security Officer and auditor require.

The next “exposure” balances the first and is provided by PowerTech. Our solutions are not designed to replace the security functionality integrated into the operating system—no solution can ever do that. However, they can make the existing controls easier to use. They also extend the capabilities that IBM i doesn’t inherently provide. Things like real-time event monitoring, audit reporting, powerful user control, and controlling access from PC interfaces are just a few quick examples. Commercial security solutions often are deployed over a foundation of minimal IBM i security and, while this provides better protection than nothing, it’s always best when the two are implemented together.

Lastly, the Security Officers (SO) are responsible for providing the final “exposure.” This provides the balance between the other two and helps form the final picture. So what do these SOs have to do? Quite simply, they must USE the tools they are given! Year after year, PowerTech’s security study shows that far too many organizations are leaving all of the security settings in IBM i at their default shipped value. They often don’t realize that those defaults leave their system wide open. Some of them have purchased and installed third-party tools, however many don’t take advantage of their full capabilities. Without these users providing that final middle “exposure,” the effectiveness of the operating system’s controls and any add-on tools are reduced significantly.

Just like a single photograph that fails to capture the full range of contrast of a scene, the end result of relying on only one “exposure” of these three security components can result in grave disappointment. By extracting the best parts of each of the three “exposures,” we take advantage of their synergy.

If you would like to learn how to combine all of the three exposures I’ve outlined (in your photographs or IBM i security) please feel free to contact me at robin.tatam@powertech.com.

Cheers!

- rt

This entry was posted on Monday, January 16th, 2012 at 9:55 am and is filed under Other, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.