<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>PowerTech PowerBlog &#187; Auditing</title>
	<atom:link href="http://www.powertechblog.com/category/auditing/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.powertechblog.com</link>
	<description></description>
	<lastBuildDate>Wed, 28 Jul 2010 14:26:33 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Using Authority Broker to Audit Yourself</title>
		<link>http://www.powertechblog.com/2010/07/14/using-authority-broker-to-audit-yourself/</link>
		<comments>http://www.powertechblog.com/2010/07/14/using-authority-broker-to-audit-yourself/#comments</comments>
		<pubDate>Wed, 14 Jul 2010 19:28:45 +0000</pubDate>
		<dc:creator>Robin</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Other]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.powertechblog.com/?p=479</guid>
		<description><![CDATA[I had a customer ask me recently if you could audit yourself in PowerTech’s Authority Broker tool. I responded, “Of course!” It seems that the auditors within this particular company wanted to ensure that all the powerful profiles were audited, but the I.T. department was resisting. Their main concern was that they didn’t have a [...]]]></description>
			<content:encoded><![CDATA[<p>I had a customer ask me recently if you could audit yourself in PowerTech’s Authority Broker tool. I responded, “Of course!” It seems that the auditors within this particular company wanted to ensure that all the powerful profiles were audited, but the I.T. department was resisting. Their main concern was that they didn’t have a good way to deal with finding and deciphering all of the raw audit records that the operating system places into the audit journal when performing profile auditing.</p>
<p>Fortunately, this customer was already making extensive use of <a href="http://www.powertech.com/powertech/PowerTech_Web_AuthorityBroker.asp">Authority Broker</a> to handle elevation of authority for “break-glass” type emergency situations. In their shop, there were also certain functions that had to be run using specific profiles like QSECOFR, not just a profile running under the guise of QSECOFR. The solution was very simple: Install an Authority Broker PTF to enhance the base product, and permit the ability for a profile to switch to itself, thereby creating the audit and reporting environment that they were already familiar with when using normal profile switching.</p>
<p>We occasionally get notes about creative ways that customers wish to use one of our products—sometimes in ways that our development team never originally anticipated. While the base functionality of the products satisfies the vast majority of auditors’ requirements for regulatory compliance, we welcome “wish lists” and suggestions of how we can enhance any of our solutions. Simply send a note about your idea to <a href="mailto:support@powertech.com">support@powertech.com</a> to get your idea added into an enhancement list database. In this particular case, we already had this little trick up our sleeve, but we love to get ideas from those of you who have found requirements to use the tool in ways outside of the original scope. Another suggestion that was turned into reality was the ability to invoke exit programs as part of an Authority Broker swap. What? You didn’t know about that capability either?  Well, check out the administrator’s guide, and the sample exit programs found on the PowerTech <a href="http://www.powertech.com/">website</a>.</p>
<p>If you are new to Authority Broker, or would simply like to brush up on your skills, we are in the process of putting together a product eTraining class that will be rolled out at the beginning of September.</p>
<p>Drop me a line at <a href="mailto:robin.tatam@powertech.com">robin.tatam@powertech.com</a> for more information about PowerTech, or visit <a href="http://www.powertech.com/">www.powertech.com</a>.</p>
<p>Cheers!</p>
<p>- rt</p>



]]></content:encoded>
			<wfw:commentRss>http://www.powertechblog.com/2010/07/14/using-authority-broker-to-audit-yourself/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What Comes First: Security or Compliance?</title>
		<link>http://www.powertechblog.com/2010/04/28/what-comes-first-security-or-compliance/</link>
		<comments>http://www.powertechblog.com/2010/04/28/what-comes-first-security-or-compliance/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 15:17:23 +0000</pubDate>
		<dc:creator>Robin</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Other]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.powertechblog.com/?p=368</guid>
		<description><![CDATA[I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic [...]]]></description>
			<content:encoded><![CDATA[<p>I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic difference between “security” and “compliance.”</p>
<p>Security is the act of creating a defense to prevent something from being attacked or injured. In the IT world, this usually pertains to preventing unauthorized access to computer servers, and more importantly, the application data that resides on them. For most businesses, the value of the technology infrastructure is found in the application data as hardware can be replaced relatively easily. Data is usually our primary intellectual property, for example: our customer information, order history, vendor data, employee information, and credit card transactions. Securing the data asset is necessary to prevent damage—both accidental and malicious—and to ensure that the data remains the property of the organization that owns it, and to allow it to add value to the business operations.</p>
<p>Although obviously tied to security, compliance is simply the adherence (and proof of adherence) to a set of baseline standards and procedures. While you can be secure without being compliant, and even be compliant without truly being secure, the terms are often used interchangeably. When I consult with PowerTech customers, I am usually asked to help achieve compliance, often with Sarbanes-Oxley, or the payment card industry’s PCI-DSS standards. However, sometimes it is a worthwhile investment of time and money to set the compliance objective aside, and to simply review how <em>secure</em> you actually are.</p>
<p>Unfortunately (or thankfully, depending on your perspective!), it is not difficult to satisfy an auditor during an IBM i audit due to the fact that many of them really are not trained in auditing the i platform. While this sometimes leads to answering questions that don’t really pertain to us, it also means that we can potentially talk our way out of a compliance violation. Getting the auditors off our backs may seem advantageous in the short term, but it may be doing the organization a huge disservice in the long term.</p>
<p>One of the challenges is to educate customers that security is NOT a destination, but more of a journey. You can never really be 100% secure. New threats make security a continuously moving target, but regular compliance checks can help the server remain as secure as possible by assessing the risk of threats and the vulnerabilities that you could become subject to. But in order to do that, we have to accept a valid set of standards as our baseline.</p>
<p>So, back to our original question: Is PowerTech a security or a compliance company? Well, I say that we provide solutions that can align with both security <em>and</em> compliance objectives. Network Security’s access control facility, and Authority Broker’s restriction on powerful users, are both designed to provide tangible value to an organization’s security defenses. Compliance Monitor, a compliance tool per se, provides visibility into the security audit journal to enable security officers to respond in a more timely manner to possible intrusion events. These tools can also help satisfy common compliance criteria. For example, Network Security can satisfy a compliance requirement such as “audit and control access for network initiated activities,” and Compliance Monitor can generate compliance scorecards to compare security policy to current settings.</p>
<p>In summary, I am a proponent of working to secure a system and data from common and known vulnerabilities <em>first</em>. This typically involves an audit of configuration and procedures against best practices, and the creation and maintenance of a detailed security policy. Once you do that, you can work to secure your environment using the policy as your guideline. Then you can “simply” monitor for ongoing compliance to your objectives and standards. PowerTech can help you navigate through the entire project cycle!</p>
<p>Have a wonderful week!</p>
<p>- rt</p>



]]></content:encoded>
			<wfw:commentRss>http://www.powertechblog.com/2010/04/28/what-comes-first-security-or-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>On the Last Day of Christmas, PowerTech gave to me …</title>
		<link>http://www.powertechblog.com/2009/12/22/on-the-last-day-of-christmas-powertech-gave-to-me-%e2%80%a6/</link>
		<comments>http://www.powertechblog.com/2009/12/22/on-the-last-day-of-christmas-powertech-gave-to-me-%e2%80%a6/#comments</comments>
		<pubDate>Tue, 22 Dec 2009 14:54:57 +0000</pubDate>
		<dc:creator>Robin</dc:creator>
				<category><![CDATA[Auditing]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.powertechblog.com/?p=206</guid>
		<description><![CDATA[It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter [...]]]></description>
			<content:encoded><![CDATA[<p>It is amazing to me that another year is already coming to an end. With the mad dash of last minute shoppers (yes, that would be me this year!), and the certainty of a white Christmas for us in much of the Midwest, it is definitely going out with a bang. In fact, although Winter officially began yesterday, the readers of this blog will know that we have been feeling it in Minneapolis for several weeks. December 21st is marked as Winter Solstice—the shortest day of the year due to the Earth’s tilt—so the good news is that summer is on its way. Ok, so I’m an eternal optimist!</p>
<p>In the spirit of the season, I thought I would create a last-minute holiday wish-list for the security officers that made Santa’s “good” list:</p>
<p><strong>Perform an assessment</strong></p>
<p>This is a good way to get the baseline metrics reviewed; identify the areas of weakness and strength so you can focus your resources where they are needed.</p>
<p>This one is a stocking stuffer, as PowerTech does it for free!</p>
<p><strong>Create a policy</strong></p>
<p>It is hard to measure your progress without a policy. You can even start with the open-source one at www.powertech.com!</p>
<p><strong>Update your system values</strong></p>
<p>Make sure that the server configuration reflects the directives in your security policy. After you set the correct attributes, use the policy feature of PowerTech Compliance Monitor to validate that nothing has changed with scorecard views of system value compliance.</p>
<p><strong>Secure Your Borders</strong></p>
<p>Internal employees are the cause of approximately 70% of data integrity events. Ensure that you don’t secure just your perimeter and leave corporate users with unrestricted network access. Any user with access to your servers should be audited and controlled. PowerTech’s Network Security provides both auditing and access control of powerful interfaces like FTP, ODBC, and remote command.</p>
<p><strong>Don’t overlook your powerful users</strong></p>
<p>Sure, we expect our programmers and administrators to run and maintain a system, but would we want them to have our social security numbers, bank balances, and the “skeleton key” to our corporate data? Try to reduce unnecessary assignment of special authorities, and then use a tool like PowerTech Authority Broker to facilitate on-demand access to super-users while auditing their activities.</p>
<p><strong>Educate your staff</strong></p>
<p>PowerTech conducts weekly online Webinars, as well as eTraining. In 2010, we are also taking some classes out on the road. Registration for the eTraining will open shortly at www.powertech.com. Get on our newsletter list while you are there and stay informed of events, as well as related security news and articles specific to IBM i.</p>
<p>We know that taking that first step can sometimes be a daunting one. If you are not sure how to get started, allow our team here to guide your compliance sleigh! After all, we have been doing it for years.</p>
<p>Happy Holidays!!</p>



]]></content:encoded>
			<wfw:commentRss>http://www.powertechblog.com/2009/12/22/on-the-last-day-of-christmas-powertech-gave-to-me-%e2%80%a6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Gamble with Your Audit</title>
		<link>http://www.powertechblog.com/2009/10/13/don%e2%80%99t-gamble-with-your-audit/</link>
		<comments>http://www.powertechblog.com/2009/10/13/don%e2%80%99t-gamble-with-your-audit/#comments</comments>
		<pubDate>Tue, 13 Oct 2009 09:08:37 +0000</pubDate>
		<dc:creator>Robin</dc:creator>
				<category><![CDATA[Auditing]]></category>

		<guid isPermaLink="false">http://www.powertechblog.com/?p=45</guid>
		<description><![CDATA[It’s always an eye-opening experience to speak with an auditor about the intricacies of auditing an IT environment. I respect their views, and I can only imagine how difficult it is trying to be an expert on the wide variety of technologies found in an average enterprise.
Last week, I spent a couple of days at [...]]]></description>
			<content:encoded><![CDATA[<p>It’s always an eye-opening experience to speak with an auditor about the intricacies of auditing an IT environment. I respect their views, and I can only imagine how difficult it is trying to be an expert on the wide variety of technologies found in an average enterprise.</p>
<p>Last week, I spent a couple of days at the ISACA conference in Las Vegas, meeting and talking with auditors from around the country. While some had heard of the System i (or iSeries or AS/400), it was very evident that there weren’t any subject matter experts on hand. I was left wondering: “How can anyone receive an effective audit of a platform that IT auditors have such limited knowledge of?”</p>
<p>PowerTech security experts perform a healthy number of audits each year, but there are not many firms with our professional capabilities. Yet, we’re barely scratching the surface of the immense number of organizations that must maintain compliance with the seemingly-endless list of regulations and legislations found throughout the world. What about the others—are they just ignoring the mandates? Or, are they being subjected to questionable recommendations made from a comparison to an old checklist compiled from numerous online sources? I fear it’s probably a mix of the two!</p>
<p>PowerTech developed the wildly popular Compliance Assessment tool to perform a review of six major areas of vulnerability. We have made this tool available to users as a free service, and now include one-on-one time with a security expert to help interpret the findings. The auditors I talked to were extremely excited to know that there was someone out there to help make their lives easier, and to be an expert they can talk to when they encounter a System i. I’m excited and encouraged at the opportunities that brings to the PowerTech table as we continue to grow, and as we continue to service the IBM i community with world-class security solutions.</p>
<p>While you might not think of an IBM i-savvy auditor as a benefit, the fact that you’re talking with someone who understands real-world vulnerabilities, as well as the inherent strengths of security on the platform, adds protection to your corporate data. And the availability of a speedy tool that provides an educated view into the infrastructure makes your IBM i data even safer.</p>
<p>And, after all, isn’t that the purpose of a security audit in the first place?</p>



]]></content:encoded>
			<wfw:commentRss>http://www.powertechblog.com/2009/10/13/don%e2%80%99t-gamble-with-your-audit/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
