Auditing

What Makes Compliance Such an Elusive Goal?

Posted in Auditing, compliance on June 14th, 2013 by Robin

With cyber-security scares and corporate data breaches now becoming front-page news, companies can hardly plead ignorance of the importance of compliance. But with so few companies satisfying – much less optimizing – their risk management responsibilities, it’s worth examining which obstacles may be impeding progress.

The primary challenge faced by most firms is one of complexity. Regulatory bodies across industries have responded to their evolving risk climates by expanding compliance codes and ramping up enforcement efforts. In Thomson Reuters’ latest global survey of compliance practitioners, 43 percent were expecting a significant increase in the amount of regulatory provisions published over the next 12 months, while another 38 percent of respondents were anticipating at least a modest increase.

The due diligence required to interpret and apply this influx of information can carry a pretty hefty price tag as well. The Thomson Reuters report revealed that 67 percent of responding professionals are expecting an expansion of their team’s budget this year, with particular attention paid to recruiting and retaining senior compliance officers.

Another dangerous element hampering compliance management efforts is the false sense of security some companies retain. An independent assessment from Verizon found that only one in five covered companies were fully compliant with the Payment Card Industry Data Security Standard. Furthermore, the fact that many of these firms had previously confirmed their own compliance only serves to underscore the continuous vigilance required to maintain and expand protections.

Taming the Task
Corporate compliance officers may understandably feel as though the odds are stacked against them at times, but that doesn’t diminish their ability to respond with proactive, resourceful strategies. To ensure everything is up to date and in alignment with industry expectations, managers must divide their attention between people and processes.

  • Define policy – Without a clear blueprint of the task at hand, there is little chance of it getting accomplished. Compliance managers must proactively liaise with regulators and industry counterparts to get a clear sense of where their liability lies and how it must be addressed. The provisions then need to be communicated across teams and explicitly codified to promote frequent review.
  • Train personnel – Compliance isn’t a phrase stamped at the top of an audit, it’s the everyday orchestration of staff members who interact with the systems and control the assets covered by regulations. Management must then translate written rules into repeatable processes that employees can execute and report.
  • Enforce expectations – Even the best training protocol should have its results objectively verified with technical controls rather than self-reporting. Back-office tools ranging from access control systems to network monitoring suites must be activated and aligned. It’s also essential that these checks and balances extend to the senior IT staff tasked with execution, since insufficient privilege management can let deep-seated security issues linger out of view.

Finally, since there is no end zone for compliance campaigns, companies must continuously cycle through these steps to ensure everything is current and complete.

If you would like to learn more about tools that can help you manage and monitor your compliance, take a look at PowerTech Compliance Monitor, and if you would like to know more about how to protect your IBM i from corporate data breaches and cyber-attacks, send an email to robin.tatam@powertech.com.

Passing Audits and Preserving Protection

Posted in Auditing, Security on April 4th, 2013 by Jill Martin

The word ‘audit’ is rarely welcomed with open arms by the IT department, and administrators often employ all sorts of delay and escape tactics to avoid the inevitable. But what they may not realize is the full significance of passing these assessments, or how painless the process can be with the right combination of policy enforcement and activity monitoring tools in place.

Outside Obligations
When IBM i users sit down to discuss reporting strategies and auditing exercises, the first image they often conjure up is that of a stern statistician holding a clipboard and waiting for the first opportunity to find fault with data center operations. Whether or not this perception is correct, it’s important to acknowledge the logic and process behind the standards qualified security assessors (QSAs) are referencing.

Whether companies are covered by HIPAA, SOX, PCI, FISMA or all of the above, IBM i users should remember that the objective of these frameworks is progress, not punishment. Regulatory bodies are a key component of the checks and balances that promote responsible IT administration and sensitive data protection. By keeping operations in line with federal, state and industry expectations, IBM i users will not only sidestep the potential expense of fines and unexpected upgrades, but position themselves as responsible corporate citizens as well.

Internal Improvements
Although external forces may be the most visible factor inspiring IBM i users to get their operations in order, true business leaders are driven by intrinsic motivation. That means even when an audit date isn’t lurking on the calendar, managers are applying proactive approaches toward policy enforcement and activity reporting to limit risk and promote progress. Through diligently designed plans and appropriately paired technologies, companies can gain the visibility they need to diagnose and resolve problems long before they surface on regulator radars.

Reliable Reporting
The secret to success in today’s increasingly crowded and complex IBM i ecosystems is the power of automation. In an era in which continuous monitoring is the rule rather than the exception, manual assessments simply do not cut it. Luckily, there are a variety of smart solutions which can help with the heavy lifting—so long as administrators guide them in the correct direction. By leveraging advanced reporting tools which allow managers to define network and data access privileges and set customized alert thresholds, compliance and risk management professionals are provided with a bird’s eye view of all the essential information needed to assess their standing and to correct course as needed.

PowerTech Scores Another Touchdown In the Security Super Bowl!

Posted in Auditing, Company News on February 7th, 2013 by Robin

As the most-watched TV sporting event of the year, last weekend’s Super Bowl between the Baltimore Ravens and San Francisco 49ers went from being totally one-sided to a pretty close call. Fans might cheer (or rant) that the 30-minute loss of power in half of the stadium—or the distraction of Beyoncé’s sexy half-time show—was the only thing that allowed the 49ers to dig out of the hole they’d fallen into during the first half of the game, almost to pull an upset. Of course, many viewers watched only for the (over?) hyped TV commercials that cost close to $4 million for each 30-second spot during halftime. I won’t even start on the number of pizzas, hot wings, and beers consumed across the country. I’m no expert, but I’d say it probably wasn’t a good day of sales for Weight Watchers!

In the security “Super Bowl” we’re happy to announce that this week’s release of Authority Broker 4.0 furthers PowerTech’s lead over the competition, and has already been declared the clear champion in the game of managing powerful users!

“Why do I need to manage powerful users?“ I’m glad you asked!

One of the most cited IBM i audit issues is overly-powerful users—too many users with the ability to view, change, or even delete data, and to run host commands against the server. Even after the field is cleared of users’ unnecessary privileges, the challenge of how to oversee those users that have a proven requirement to wield significant power remains.

Authority Broker is PowerTech’s award-winning solution for enabling a powerful user to obtain system privileges on an as-needed basis—the only way that an auditor accepts them. By elevating their security clearance from their existing profile, a powerful user can still perform necessary tasks, but now it’s completed with oversight. Timed access to privileges, clear and concise reporting of the normally complex command audit trail, and notification to security personnel led IBM to include Authority Broker on the roster of IBM-supplied CDs.

This latest version upgrade—free to any customer on maintenance—debuts a significant new audit feature: Screen Capture! When a user elevates privileges, the security team has the ability to designate that screen captures of their movements around the system should be collected. The biggest benefit of this play comes when the user enters a “tunnel,” such as DFU, STRSQL, STRSST, and QSHELL, where traditional command auditing goes dark. Imagine pulling up the user’s actual screens (either afterwards, or even as it’s happening!) to view their activity. Don’t like what you see? Kill their privileges! You can even designate that screens be saved to an indexed PDF and emailed to an interested party the instant the privileges are relinquished.

Authority Broker 4 with Screen Capture ushers in a new generation of user auditing. No longer will IT have to confess that they don’t know what the consultant or vendor really did on the production system. Like a referee with the luxury of instant replay, audit staff can now review every move and prove it—even viewing the audited user’s screen in a game-changing LIVE VIEW mode!

If you’d like to know how Authority Broker can bring home the security trophy to YOUR organization, give me a call.

Cheers!

—rt

Don’t Be Sabotaged by “Shelfware”

Posted in Auditing, compliance on January 17th, 2013 by Robin

Most of us can comprehend that hackers, thieves, and other nefarious individuals represent a constant threat to our business assets—including corporate data. Many don’t realize, however, that there’s a more stealthy threat lurking; one that doesn’t come in the form of a person or even a virus! It’s our reliance upon protection that’s not (correctly) implemented, and it’s a threat that’s often overlooked—even during an audit.

The term “shelfware” describes software that is purchased and never installed. In my opinion, this is public enemy number two (behind the threats I listed above). Of course, even installed software is only going to provide protection if it’s activated and actually utilized. A good analogy is the home alarm system that never gets set, or is set and not working as expected. Unfortunately, this malfunction might not be discovered until the homeowner returns home and discovers they’ve been burglarized.

Despite our best efforts to keep in touch with our entire install base, we still encounter installations of our own software that are not actively running. PowerTech is certainly not unique in this regard as it’s a problem for all software vendors—but it’s a far bigger problem for the customer who’s suffering from the misconception that they’re protected.

So, why does this happen?

Occasionally it’s an intentional decision. Last year, I performed a deep-dive audit for a customer who had purchased Authority Broker to monitor the activities of their privileged users. During the interviews, I uncovered they’d stopped using the software “because of their auditors.” I was surprised because auditors love this solution! The administrator explained that using it raised a red flag when they performed restricted tasks (isn’t that the point!?) and responding to the auditor resulted in more work for them. Fortunately, management had not approved this process shortcut and a mandate was issued to resume its use immediately.

More commonly, the customer is not even aware that something is wrong. It can be as simple as not staying up to date with anti-virus signatures. Perhaps the application was migrated to new hardware and this invalidated the license keys, or an upgrade to a new OS release required some additional PTFs or steps to be taken. Maybe it was never configured correctly in the first place, or the only administrator left the organization and the application is languishing due to a lack of education. Regardless of the cause, if the software is no longer providing the anticipated protection then action needs to be taken as soon as possible. And we’re here to help!

An ongoing security initiative should include running occasional tests. If you don’t expect to be able to use FTP to transfer a file from the server, then attempt it and ensure that the request is rejected. If you’re monitoring database changes, make a change and verify that it’s logged. And, if you’re auditing events in real time, validate that the message is received when that event occurs.

We want you to see the purchase of our software as an investment. If you suspect a problem with this investment, give the appropriate support team a call to verify the state of the application. Not sure how to reach us? Simply go to www.helpsystems.com and click the tab for the software brand you are using. I can’t speak for all vendors, but Help/Systems backs its solutions with class-leading live technical support—and we will get you up and running quicker than you can say “no more shelfware!”

Cheers!

—rt

Can We Really Trust IBM i Security?

Posted in Auditing, Security, compliance on August 2nd, 2012 by Robin

Occasionally, I’m confronted by a frustrated C-level executive questioning the fallacy of “AS/400” security and how they were falsely sold on how impenetrable this infamous server is. These comments are typically heard when I’m working on an assessment project and discussing the opportunities their users have to access application data and perform server administration tasks.

Almost a decade has passed since FTP and ODBC were enabled on the iSeries, but I still hear remarks that IBM should be ashamed of itself for facilitating transparent data access through these interfaces, and for providing an open door to critical data. This opinion might rear its head after an auditor discovers just how easy it is to use network-based tools to access DB2 data.

Much of the controversy stems from the server’s default security configuration. Under most operating systems, if a user is not granted access then they have no access. IBM i, however, operates with a unique concept called “public authority,” which grants a default level of access to anyone who is not explicitly given—or denied—access to an object. IBM ships the default public authority for newly created objects (the QCRTAUT system value) as *CHANGE, which lets any user on the system read, add, update, and delete the data in those objects.
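To make the point above concrete, here is an added example (not code from the original post or from PowerTech) that models what each IBM i authority value actually grants a *PUBLIC user and flags database files that anyone on the system could read or alter over an interface such as ODBC. The object authority records, library and file names, and the authorization list are constructed for illustration; the authority-to-rights mapping and the CRTAUT/QCRTAUT resolution follow the operating system’s documented behaviour.

```python
"""Review *PUBLIC authority on IBM i objects (added example, constructed data)."""
from dataclasses import dataclass

# Data rights bundled into each IBM i authority value. *ALL also carries
# object-management rights, but a client arriving over ODBC or FTP only
# exercises data rights, so that is all we model here.
AUTHORITY_DATA_RIGHTS = {
    "*ALL":     frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*CHANGE":  frozenset({"*READ", "*ADD", "*UPD", "*DLT", "*EXECUTE"}),
    "*USE":     frozenset({"*READ", "*EXECUTE"}),
    "*EXCLUDE": frozenset(),
}


@dataclass(frozen=True)
class ObjectAuthority:
    library: str
    name: str
    obj_type: str
    public: str      # *PUBLIC authority, or "*AUTL" to defer to an authorization list
    autl: str = ""   # authorization list name, used only when public == "*AUTL"


def resolve_public(rec, autl_public):
    """Return the *PUBLIC authority value that actually applies to the object.

    When an object's *PUBLIC is *AUTL, the *PUBLIC entry of its authorization
    list decides, so the list itself has to be part of the review.
    """
    if rec.public != "*AUTL":
        return rec.public
    if rec.autl not in autl_public:
        raise ValueError(f"{rec.library}/{rec.name} refers to unknown authorization list {rec.autl!r}")
    return autl_public[rec.autl]


def public_data_rights(rec, autl_public):
    """Data rights that an unlisted (public) user holds on the object."""
    value = resolve_public(rec, autl_public)
    if value not in AUTHORITY_DATA_RIGHTS:
        # User-defined authority combinations need a manual look.
        raise ValueError(f"unrecognised authority value {value!r} on {rec.library}/{rec.name}")
    return AUTHORITY_DATA_RIGHTS[value]


def default_public_for_new_objects(library_crtaut, qcrtaut="*CHANGE"):
    """Authority a newly created object in a library gets for *PUBLIC.

    A library's CRTAUT attribute defaults to *SYSVAL, which hands the decision
    to the QCRTAUT system value, and QCRTAUT ships as *CHANGE.
    """
    return qcrtaut if library_crtaut == "*SYSVAL" else library_crtaut


def review_public_exposure(records, autl_public):
    """Flag database files whose *PUBLIC authority lets anyone alter or read data."""
    findings = []
    for rec in records:
        if rec.obj_type != "*FILE":
            continue
        rights = public_data_rights(rec, autl_public)
        obj = f"{rec.library}/{rec.name}"
        if rights & {"*UPD", "*DLT", "*ADD"}:
            findings.append((obj, "*PUBLIC can add, change or delete rows"))
        elif "*READ" in rights:
            findings.append((obj, "*PUBLIC can read rows"))
    return findings


# Constructed sample: an authorization list and four objects in an invented library.
SAMPLE_AUTL_PUBLIC = {"PAYLIST": "*USE"}
SAMPLE_OBJECTS = [
    ObjectAuthority("APPLIB", "CUSTMAST", "*FILE", "*CHANGE"),          # shipped default left alone
    ObjectAuthority("APPLIB", "CCTRANS", "*FILE", "*EXCLUDE"),          # locked down
    ObjectAuthority("APPLIB", "PAYROLL", "*FILE", "*AUTL", "PAYLIST"),  # governed by a list
    ObjectAuthority("APPLIB", "ORDENTRY", "*PGM", "*USE"),              # a program, not data
]

if __name__ == "__main__":
    print("new objects in a CRTAUT(*SYSVAL) library get *PUBLIC",
          default_public_for_new_objects("*SYSVAL"))
    for obj, why in review_public_exposure(SAMPLE_OBJECTS, SAMPLE_AUTL_PUBLIC):
        print(f"{obj:20} {why}")
```

Feed it the object authorities you actually have (for example an outfile of DSPOBJAUT, or the corresponding SQL service on newer releases) and the list of findings becomes the worklist for the lock-down that the rest of this post argues for.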

So, in light of these issues, how did IBM i gain its reputation as a highly secure operating system? Can we trust IBM i to run our critical applications? I have been working on the platform for more than two decades—nine of those years in security—and I say unequivocally “Yes!”

I inform those frustrated C-level executives that this operating system earned its reputation with world-class integrity features. When configured correctly, IBM i stands head and shoulders above most others. The problem is that most organizations do not adequately configure the integrated security controls, instead choosing to retain the shipped defaults or to leave the security configuration in the hands of an application software vendor.

IBM i has incredible security capabilities. But, like virtually every other operating system, those controls don’t come configured out of the box. You wouldn’t dream of deploying a Windows server without carefully architecting its security. So why would anyone think that IBM failed their responsibility by requiring the same?

Perhaps it’s not unreasonable to question why IBM i isn’t shipped in a deny-by-default configuration; however, this would break many applications as they are written today. IBM designed the mechanism, but it’s the responsibility of the server’s owner and the provider of the applications to configure it appropriately. Sadly, many applications do not incorporate well-designed security controls, and even where they do, overly-powerful users can undermine them.

Many applications are written with no regard to security. Programs are compiled without any consideration of the users who will run them or the configuration of the server that will serve them. Regardless of whether your applications are home-grown or commercial, if they rely on menu security—or on controls that are internal to the application—then there’s a good likelihood that the data can be reached directly through interfaces such as FTP and ODBC, bypassing those controls and possibly without leaving an audit trail.

You should be aware that some aspects of IBM i security are best fulfilled by commercial providers, such as PowerTech. Our Network Security product is a good example—one that provides access controls and auditing of the FTP and ODBC connections I mentioned earlier. We have established our sixteen-year reputation by developing a portfolio of security solutions that leverage and extend the controls included within IBM i. We also have experts on staff who can help you assess what controls are currently in place, and what could and should be implemented based on the server’s purpose.

Utilizing IBM i’s world-class integrity features will establish an unshakable foundation for any security initiative, but you have to use and deploy the configuration options that are available. If you don’t, you only have one person to blame… and it’s not IBM.

If you’d like more information on PowerTech’s security solutions, visit www.powertech.com or contact me at robin.tatam@powertech.com.

Cheers!

—rt

Using Authority Broker to Audit Yourself

Posted in Auditing, Other, Security on July 14th, 2010 by Robin

I had a customer ask me recently if you could audit yourself in PowerTech’s Authority Broker tool. I responded, “Of course!” It seems that the auditors within this particular company wanted to ensure that all the powerful profiles were audited, but the I.T. department was resisting. Their main concern was that they didn’t have a good way to deal with finding and deciphering all of the raw audit records that the operating system places into the audit journal when performing profile auditing.

Fortunately, this customer was already making extensive use of Authority Broker to handle elevation of authority for “break-glass” type emergency situations. In their shop, there were also certain functions that had to be run using specific profiles like QSECOFR, not just a profile running under the guise of QSECOFR. The solution was very simple: Install an Authority Broker PTF to enhance the base product, and permit the ability for a profile to switch to itself, thereby creating the audit and reporting environment that they were already familiar with when using normal profile switching.
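The two complaints behind this post and the earlier “shelfware” post are the same one seen from two sides: raw audit-journal records are hard to read, and a control you never exercise may not be recording anything at all. The following added example (not code from the original posts, and not part of Authority Broker or any IBM program) shows the underlying technique: deliberately trigger a set of events, then confirm each one landed in the audit data, and summarize a profile’s activity by entry type. The journal lines are constructed in a simplified pipe-delimited form for illustration; they are not the layout DSPJRN produces, although the entry types (PW, ZC, CP, SV, AF) are the real QAUDJRN codes.

```python
"""Verify that audited events are really being recorded (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Plain-language meaning of the QAUDJRN entry types used below.
ENTRY_TYPES = {
    "AF": "authority failure",
    "CP": "user profile created, changed or restored",
    "CO": "object created",
    "DO": "object deleted",
    "PW": "invalid password or user ID",
    "SV": "system value changed",
    "ZC": "object changed",
}


@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    entry_type: str
    user: str
    job: str   # number/user/name
    obj: str   # LIBRARY/OBJECT, empty when the entry has no object


def parse_entries(text):
    """Parse the constructed export format: when|journal code|type|user|job|object."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, code, entry_type, user, job, obj = line.split("|")
        if code != "T":          # journal code T marks audit entries
            continue
        entries.append(AuditEntry(datetime.fromisoformat(when), entry_type, user, job, obj))
    return entries


def find_events(entries, entry_type, user=None, obj=None, since=None):
    """Entries of one type, optionally narrowed by user, object and start time."""
    return [e for e in entries
            if e.entry_type == entry_type
            and (user is None or e.user == user)
            and (obj is None or e.obj == obj)
            and (since is None or e.when >= since)]


def verify_expected_events(entries, expected, since):
    """Return the (type, user, object) events you triggered that were never recorded.

    An empty result means auditing is live for everything you exercised;
    anything returned is a control that is installed but not working.
    """
    return [exp for exp in expected if not find_events(entries, *exp, since=since)]


def profile_activity(entries, user):
    """Summarize one profile's audited activity by entry type, deciphered."""
    counts = Counter(e.entry_type for e in entries if e.user == user)
    return {f"{t} ({ENTRY_TYPES.get(t, 'other')})": n for t, n in sorted(counts.items())}


# Constructed sample journal: one morning on an invented system.
SAMPLE_JOURNAL = """\
2013-01-15 09:02:11|T|PW|JSMITH|123456/JSMITH/QPADEV0003|
2013-01-15 09:14:52|T|ZC|ROBIN|123457/ROBIN/QPADEV0001|APPLIB/CUSTMAST
2013-01-15 09:15:03|T|CP|QSECOFR|123458/QSECOFR/QPADEV0002|QSYS/JSMITH
2013-01-15 09:16:40|T|SV|QSECOFR|123458/QSECOFR/QPADEV0002|QSYS/QCRTAUT
2013-01-15 09:20:17|T|AF|GUEST|123460/QTCP/QTFTP00021|APPLIB/CCTRANS
"""
SAMPLE_SINCE = datetime(2013, 1, 15, 9, 0)
# Events we deliberately caused during the test window; the last one was not logged.
SAMPLE_EXPECTED = [
    ("ZC", "ROBIN", "APPLIB/CUSTMAST"),
    ("SV", "QSECOFR", "QSYS/QCRTAUT"),
    ("ZC", "ROBIN", "APPLIB/CCTRANS"),
]


def demo():
    entries = parse_entries(SAMPLE_JOURNAL)
    missing = verify_expected_events(entries, SAMPLE_EXPECTED, SAMPLE_SINCE)
    return missing, profile_activity(entries, "QSECOFR")


if __name__ == "__main__":
    missing, summary = demo()
    for event in missing:
        print("NOT LOGGED:", event)
    for label, n in summary.items():
        print(f"QSECOFR {label}: {n}")
```

Whatever produces your export (DSPJRN to an outfile, a vendor tool, or a SQL service), the shape of the check is the same: the list of missing events is the evidence that a control has gone quiet, and the per-profile summary is the readable view of a powerful profile that this post’s customer was looking for.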

We occasionally get notes about creative ways that customers wish to use one of our products—sometimes in ways that our development team never originally anticipated. While the base functionality of the products satisfies the vast majority of auditors’ requirements for regulatory compliance, we welcome “wish lists” and suggestions of how we can enhance any of our solutions. Simply send a note about your idea to support@powertech.com to get your idea added into an enhancement list database. In this particular case, we already had this little trick up our sleeve, but we love to get ideas from those of you who have found requirements to use the tool in ways outside of the original scope. Another suggestion that was turned into reality was the ability to invoke exit programs as part of an Authority Broker swap. What? You didn’t know about that capability either? Well, check out the administrator’s guide, and the sample exit programs found on the PowerTech website.

If you are new to Authority Broker, or would simply like to brush up on your skills, we are in the process of putting together a product eTraining class that will be rolled out at the beginning of September.

Drop me a line at robin.tatam@powertech.com for more information about PowerTech, or visit www.powertech.com.

Cheers!

- rt

What Comes First: Security or Compliance?

Posted in Auditing, Other, Security on April 28th, 2010 by Robin

I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic difference between “security” and “compliance.”

Security is the act of creating a defense to prevent something from being attacked or injured. In the IT world, this usually pertains to preventing unauthorized access to computer servers, and more importantly, the application data that resides on them. For most businesses, the value of the technology infrastructure is found in the application data, as hardware can be replaced relatively easily. Data is usually our primary intellectual property, for example: our customer information, order history, vendor data, employee information, and credit card transactions. Securing the data asset is necessary to prevent damage—both accidental and malicious—to ensure that the data remains the property of the organization that owns it, and to allow it to add value to the business operations.

Although obviously tied to security, compliance is simply the adherence (and proof of adherence) to a set of baseline standards and procedures. While you can be secure without being compliant, and even be compliant without truly being secure, the terms are often used interchangeably. When I consult with PowerTech customers, I am usually asked to help achieve compliance, often with Sarbanes-Oxley, or the payment card industry’s PCI-DSS standards. However, sometimes it is a worthwhile investment of time and money to set the compliance objective aside, and to simply review how secure you actually are.

Unfortunately (or thankfully, depending on your perspective!), it is not difficult to satisfy an auditor during an IBM i audit due to the fact that many of them really are not trained in auditing the i platform. While this sometimes leads to answering questions that don’t really pertain to us, it also means that we can potentially talk our way out of a compliance violation. Getting the auditors off our backs may seem advantageous in the short term, but it may be doing the organization a huge disservice in the long term.

One of the challenges is to educate customers that security is NOT a destination, but more of a journey. You can never really be 100% secure. New threats make security a continuously moving target, but regular compliance checks can help the server remain as secure as possible by assessing the threats you face and your exposure to them. But in order to do that, we have to accept a valid set of standards as our baseline.

So, back to our original question: Is PowerTech a security or a compliance company? Well, I say that we provide solutions that can align with both security and compliance objectives. Network Security’s access control facility, and Authority Broker’s restriction on powerful users, are both designed to provide tangible value to an organization’s security defenses. Compliance Monitor, a compliance tool per se, provides visibility into the security audit journal to enable security officers to respond in a more timely manner to possible intrusion events. These tools can also help satisfy common compliance criteria. For example, Network Security can satisfy a compliance requirement such as “audit and control access for network initiated activities,” and Compliance Monitor can generate compliance scorecards to compare security policy to current settings.

In summary, I am a proponent of working to secure a system and its data from common and known vulnerabilities first. This typically involves an audit of configuration and procedures against best practices, and the creation and maintenance of a detailed security policy. Once you do that, you can work to secure your environment using the policy as your guideline. Then you can “simply” monitor for ongoing compliance to your objectives and standards. PowerTech can help you navigate through the entire project cycle!

Have a wonderful week!

- rt

On the Last Day of Christmas, PowerTech gave to me …

Posted in Auditing, Security on December 22nd, 2009 by Robin

It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter officially began yesterday, the readers of this blog will know that we have been feeling it in Minneapolis for several weeks. December 21st is marked as Winter Solstice—the shortest day of the year due to the Earth’s tilt—so the good news is that summer is on its way. Ok, so I’m an eternal optimist!

In the spirit of the season, I thought I would create a last-minute holiday wish-list for the security officers that made Santa’s “good” list:

Perform an assessment

This is a good way to get the baseline metrics reviewed; identify the areas of weakness and strength so you can focus your resources where they are needed.

This one is a stocking stuffer, as PowerTech does it for free!

Create a policy

It is hard to measure your progress without a policy. You can even start with the open-source one at www.powertech.com!

Update your system values

Make sure that the server configuration reflects the directives in your security policy. After you set the correct attributes, use the policy feature of PowerTech Compliance Monitor to validate that nothing has changed with scorecard views of system value compliance.

Secure Your Borders

Internal employees are the cause of approximately 70% of data integrity events. Ensure that you don’t secure just your perimeter and leave corporate users with unrestricted network access. Any user with access to your servers should be audited and controlled. PowerTech’s Network Security provides both auditing and access control of powerful interfaces like FTP, ODBC, and remote command.

Don’t overlook your powerful users

Sure, we expect our programmers and administrators to run and maintain a system, but would we want them to have our social security numbers, bank balances, and the “skeleton key” to our corporate data? Try to reduce unnecessary assignment of special authorities, and then use a tool like PowerTech Authority Broker to facilitate on-demand access to super-users while auditing their activities.
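The “overly-powerful users” finding from the Authority Broker post above and the advice here to trim unnecessary special authorities both come down to the same review. This added example (not code from the original posts or from any PowerTech product) compares each profile’s effective special authorities, including those inherited from its group profile, against a role baseline and reports the excess. The profiles, group and role baseline are constructed for illustration and the baseline is an assumption you would replace with your own policy; the eight special authority names and the group inheritance rule are the operating system’s.

```python
"""Find profiles holding special authorities beyond their role (added example, constructed data)."""
from dataclasses import dataclass

# The eight IBM i special authorities.
SPECIAL_AUTHORITIES = frozenset({
    "*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL", "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG",
})

# Assumed policy: what each role may legitimately hold. Replace with your own.
ROLE_BASELINE = {
    "operator":  frozenset({"*JOBCTL", "*SAVSYS"}),
    "developer": frozenset(),
    "security":  frozenset({"*SECADM", "*AUDIT"}),
    "sysadmin":  SPECIAL_AUTHORITIES,
    "group":     frozenset(),   # group profiles should carry nothing members do not all need
}


@dataclass(frozen=True)
class Profile:
    name: str
    role: str
    special: frozenset          # special authorities assigned directly (SPCAUT)
    groups: tuple = ()          # GRPPRF and SUPGRPPRF entries


def effective_special(profile, by_name):
    """Special authorities the profile can exercise: its own plus its groups'.

    On IBM i a member inherits the special authorities of its group profiles,
    so *ALLOBJ on a group quietly makes every member all-powerful.
    """
    for name in profile.special:
        if name not in SPECIAL_AUTHORITIES:
            raise ValueError(f"{profile.name}: unknown special authority {name!r}")
    inherited = frozenset().union(*(by_name[g].special for g in profile.groups))
    return profile.special | inherited


def excess_authorities(profiles):
    """Per profile: authorities beyond its role, and which of those came via a group."""
    by_name = {p.name: p for p in profiles}
    findings = []
    for p in profiles:
        effective = effective_special(p, by_name)
        extra = effective - ROLE_BASELINE[p.role]
        if extra:
            via_group = extra - p.special
            findings.append((p.name, sorted(extra), sorted(via_group)))
    return findings


def allobj_holders(profiles):
    """Every profile that can act as *ALLOBJ, directly or through a group."""
    by_name = {p.name: p for p in profiles}
    return sorted(p.name for p in profiles if "*ALLOBJ" in effective_special(p, by_name))


# Constructed sample population.
SAMPLE_PROFILES = [
    Profile("QSECOFR", "sysadmin", SPECIAL_AUTHORITIES),
    Profile("PGMRGRP", "group", frozenset({"*ALLOBJ"})),                 # the classic mistake
    Profile("JSMITH", "developer", frozenset(), groups=("PGMRGRP",)),    # inherits *ALLOBJ
    Profile("OPER1", "operator", frozenset({"*JOBCTL", "*SAVSYS", "*SPLCTL"})),
    Profile("AUDITOR", "security", frozenset({"*SECADM", "*AUDIT"})),
]

if __name__ == "__main__":
    for name, extra, via_group in excess_authorities(SAMPLE_PROFILES):
        source = f" (via group: {', '.join(via_group)})" if via_group else ""
        print(f"{name:10} excess {', '.join(extra)}{source}")
    print("*ALLOBJ holders:", ", ".join(allobj_holders(SAMPLE_PROFILES)))
```

The input is whatever your profile export gives you (DSPUSRPRF to an outfile, or the user-information SQL service on newer releases); the point of running it regularly is that the *ALLOBJ list is usually longer than anyone expects once group profiles are counted.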

Educate your staff

PowerTech conducts weekly online Webinars, as well as eTraining. In 2010, we are also taking some classes out on the road. Registration for the eTraining will open shortly at www.powertech.com. Get on our newsletter list while you are there and stay informed of events, as well as related security news and articles specific to IBM i.

We know that taking that first step can sometimes be a daunting one. If you are not sure how to get started, allow our team here to guide your compliance sleigh! After all, we have been doing it for years.

Happy Holidays!!

Don’t Gamble with Your Audit

Posted in Auditing on October 13th, 2009 by Robin

It’s always an eye-opening experience to speak with an auditor about the intricacies of auditing an IT environment. I respect their views, and I can only imagine how difficult it is trying to be an expert on the wide variety of technologies found in an average enterprise.

Last week, I spent a couple of days at the ISACA conference in Las Vegas, meeting and talking with auditors from around the country. While some had heard of the System i (or iSeries or AS/400), it was very evident that there weren’t any subject matter experts on hand. I was left wondering: “How can anyone receive an effective audit of a platform that IT auditors have such limited knowledge of?”

PowerTech security experts perform a healthy number of audits each year, but there are not many firms with our professional capabilities. Yet, we’re barely scratching the surface of the immense number of organizations that must maintain compliance with the seemingly endless list of regulations and legislation found throughout the world. What about the others—are they just ignoring the mandates? Or are they being subjected to questionable recommendations made from a comparison to an old checklist compiled from numerous online sources? I fear it’s probably a mix of the two!

PowerTech developed the wildly popular Compliance Assessment tool to perform a review of six major areas of vulnerability. We have made this tool available to users as a free service, and now include one-on-one time with a security expert to help interpret the findings. The auditors I talked to were extremely excited to know that there was someone out there to help make their lives easier, and to be an expert they can talk to when they encounter a System i. I’m excited and encouraged at the opportunities that brings to the PowerTech table as we continue to grow, and as we continue to service the IBM i community with world-class security solutions.

While you might not think of an IBM i-savvy auditor as a benefit, the fact that you’re talking with someone who understands real-world vulnerabilities, as well as the inherent strengths of security on the platform, adds protection to your corporate data. And the availability of a speedy tool that provides an educated view into the infrastructure makes your IBM i data even safer.

And, after all, isn’t that the purpose of a security audit in the first place?