
Gateway to The West

Posted in Events, News, Security on February 2nd, 2010 by Robin

It was another week on the road, this time heading slightly south to St Louis, Missouri. It was great to get away from the snow, although the air seemed just as cold as in Minneapolis. To say that it would be nice to feel a warm breeze at this point would be an understatement!

One of my first duties in town was to conduct our weekly PowerTech Webinar. The Webinar was titled Protect IBM i (AS400) Data From FTP, ODBC, and Remote Command, and it’s always one of the most popular Webinars that we do. It still surprises me that we have so many people attend this topic, and ask such great questions, such as why IBM i is often exposed from a lack of access control, or auditing of network-initiated transactions. I suppose the statistic that 65% of IBM i servers that we audit still have no exit programs registered might explain some of the interest—even after two decades of awareness of this problem.

I was thrilled to also be presenting the first session of our new regional security workshops to a full room of attendees. For several hours, we whittled our way through numerous important aspects of IBM i security—from system values to adopted authority and from special authorities to network access. Based on the positive comments made on the evaluation forms, the class was a resounding success! It always makes it fun when an idea comes to fruition, and especially when it is so well received. Thanks to the IBM i team at MSI Systems Integrators for hosting the event at their downtown facilities, and for providing lunch for all of the attendees.

After the class, I traveled the 90 miles or so to Jefferson City and engaged with the mid-Missouri users group, presenting a session titled Top 10 Security Vulnerabilities. I would like to offer my appreciation to Huber and Associates for inviting me to present at their location, and also for the interest and interaction I received from the group. This presentation actually ran long because of some of the great discussion that we were having. Before I left, we emptied another box of cool PowerTech t-shirts, and raffled another gift card.

I am now going to be back in the office for a couple of weeks to catch up on some of my other daily responsibilities, including helping host our upcoming online training classes for Network Security. After that, I will head out again for the next workshop and user group stops, this time in Nashville, Tennessee, and Buffalo, New York. I am especially excited about going to Buffalo, as it is being hosted at a PowerTech customer location. Plans are also being worked on for Reno and Portland events in early March, so if you work in those areas, we invite you to join us.

Before I close this week’s entry, I want to take a moment to say that my thoughts are with the family of IBM’s Craig Johnson, who died this past week in a car accident in Northern Iowa. Blizzard and whiteout conditions on Interstate 35 led to a massive 40-vehicle pile-up. This is the exact same route that I take weekly between Des Moines and Minneapolis, and I just happened to have stayed in Minneapolis that weekend due to my back-to-back travel plans. It certainly brings home how life can change in an instant, and how important it is to live each day as if it is your last.

Stay Warm!

Planes, Trains, and Automobiles

Posted in Events, News, Other on January 26th, 2010 by Robin

Well, last week was a busy, but fantastic week. My travels started on Monday afternoon with a non-stop flight from the chilly air of Minneapolis to John F. Kennedy International in New York. Actually, I was surprised how fast the flight went, and after a few short hours I was programming the rental car’s GPS and heading into Manhattan.

It’s been 20 years since I was last there, and though the skyline might have been tragically altered forever, the hustle and bustle of the city that never sleeps is the same. I came to the United States in the summer of 1988 as a British foreign exchange student, and one of my most vivid memories is of being in New York City at night, and riding a tour bus across one of the bridges into Manhattan. It was one of the most spectacular nighttime skyline views that I had ever seen. As an amateur photographer, one of my personal goals of this trip was to try to recreate that view, and I was able to work my way down to the water line and get this photo.

New York Skyline

My work agenda started on Tuesday morning with a visit to a customer on Long Island. We had a great discussion regarding the ways they were using several of the PowerTech tools to help administer and audit access from users that normally would be hard to control, such as programmers. We also talked about how they see their developing security requirements.

After a 90-minute car-ferry ride from Port Jefferson, NY to Bridgeport, CT, it was a short hop down to Norwalk to meet my first user group. The group had selected the topic of “7 Habits of Highly Secure Organizations” and, for a couple of hours, we enjoyed dinner and interacted about the subject of auditing, access control, and regulations and policy. I raffled away a Starbucks gift card, as well as a number of free t-shirts, and it was a great evening.

Wednesday was a pretty easy day, riding the ferry back to Long Island, and then navigating to the location of the Long Island user group. I was met with a fantastic turnout from a crowd of very active System i users. The group started the evening early with some PHP training led by one of their own members, and there was a fun slideshow on some System i/iSeries/AS/400 history. I presented the “Top 10 Security Vulnerabilities,” based on data extracted from our annual security study. I really enjoyed interacting with this group, which included several of my own customers, as they had lots of great questions and discussion points. After another gift card drawing and distribution of a big box of t-shirts, I was off to my next stop in Morris Plains, NJ.

As a side note, if you are not from the East Coast, a GPS is a prerequisite to navigate your way around a city as large as this. Although mine had some trouble acquiring a signal at times (ahhh! technology) and wanted to send me in circles, I managed to successfully navigate the 90 or so miles to my destination.

Thursday morning began early with another customer visit to a great customer of Help/Systems and now a new PowerTech customer. I learned about some of the challenges that they had faced trying to implement an object security infrastructure. I offered some advice and also offered the PowerTech services team to provide assistance if desired. After all, as I have stated in my blog several times, we are not just a software company.

Thursday evening had me in Fairfield, NJ, at my final user group meeting. I spent several hours with another lively crowd of about 30 people who learned about the dangers of “FTP, ODBC, and Remote Command.” I included a small demo of how simple it is to access corporate data through common tools, and the conversation was very active, which is typical after people see just how easy it can be. I cleared out my final box of t-shirts, handed out my last gift card, and headed the 90 miles to Philadelphia.

I wanted to use this travel opportunity to visit with another (very well-known) customer on Friday morning. They are an active user of several of our security tools, and are evaluating another one to add to the suite. I spent a couple of hours learning about how they are implementing security in their environment, as well as identifying areas where we can provide some relief.

This is one of my favorite types of work. Meeting with customers to discuss their successes and future needs, and also mingling with the types of user groups that I used to be an attendee at in my past jobs. These are the folks that are the diehards of the technology on which our software runs. You don’t have to sell them on the attributes of the System i (or AS/400, as many still call it), and their biggest complaint is that it is not more prevalent than it is.

I want to thank the customers who took time from their busy schedules to meet with me, and also the three user groups that invited me to present to their membership. At the request of a number of people, I am looking forward to returning to the area in the future—to meet with the user groups again as they support the local ‘i’ community, and to host our IBM i security workshop.

I am finalizing this blog entry on Friday afternoon, while awaiting my return flight from Philadelphia, Pennsylvania. After a brief return to Minneapolis, I leave again to head to St. Louis, Missouri, to teach a security workshop, and give a user group presentation in Jefferson City.

Interestingly, although I added “ferry” to the list of my various modes of transportation used last week, I still have yet to use a train!

FREE For 30 Days—Unauthorized Access To Your Company’s Private Data!

Posted in PowerNews on October 29th, 2009 by Barbara

By Robin Tatam

When I began my career on the AS/400 more years ago than I care to reveal, life was simple: “dumb terminals” ruled the computing kingdom and subfile displays were considered cutting edge. Application menus blocked users from direct database access, and security-conscious administrators could set up a profile to limit user capabilities to a few basic commands.

Then, things got complicated. First, everyone flocked to programmable workstations, better known as Personal Computers (PCs). As a result, business software, including spreadsheet applications, developed rapidly. And, because core line-of-business applications were still running on the AS/400, file transfers between PCs and servers became common.

Pandora’s Box
IBM responded to the new market demands for open database access by building TCP connectivity into the AS/400 (now re-branded as the iSeries). In addition to the traditional 5250-based ‘green screen’ applications, the iSeries could now be accessed through File Transfer Protocol (FTP), Open Database Connectivity (ODBC), Distributed Data Management (DDM), and other interfaces. No one thought much about the security ramifications, but it was like opening Pandora’s Box!

Fast forward through a few server name changes to the current day…

Because all of these interfaces connect directly to the server’s database, the menus that historically restricted green-screen users were not effective. The “secure menu” has become a thing of the past—now, we must rely on resource (object) security to protect data. Object security, an integral part of the operating system, is rock solid and works with every interface that IBM Power Systems support. Yet, as the PowerTech annual State of System i Security study reports every year, object security is rarely fully implemented and is easily circumvented by powerful user profiles. That’s why most industry studies of lost, stolen, or corrupt data, point to internal corporate users as the culprit.

Object security is recommended as the core layer of protection. Unfortunately, it is a “one-size-fits-all” control because it does not distinguish between user interfaces. If you implement the best-practice recommendation of ‘deny by default’ at the object level, legitimate PC tools lose their access along with everyone else; if you leave authority open so that the menu-driven green-screen application works, that same authority is available through every other interface. For example, a user who has change-level authority to data for a menu-controlled green-screen application has that same change-level authority through FTP, DDM, or SQL over ODBC, none of which presents a menu.

FREE: Unauthorized Access to Sensitive Data for 30 Days!
Don’t think a user could take advantage of those authorities? Think again. A PC-based FTP program, such as the one shown in Figure 1, provides full graphical access to any library or IFS directory that the user is authorized to, or that has been left unsecured. This application cost less than $40 and came with a free 30-day trial!

Figure 1. Authorized drag-and-drop access to sensitive data.

To make matters worse, several of these network interfaces let users submit and run host commands, as well as edit database files. Object security still applies to the command and to any objects the command uses. But, it is important to understand that a user profile’s limited capabilities setting (LMTCPB, used to restrict command line use on the green screen) is not necessarily honored outside of the green screen. Whether the FTP server honors it, for example, depends on the specific operating system level.

Finally, the operating system does not log the network request itself. More and more customers are auditing user and system events through the QAUDCTL and QAUDLVL system values, but those values don’t monitor network activity; the most you can learn from object auditing is that a file was opened, not what request was made of its data.

A Hodgepodge of Options
Because of the clear danger of unwanted system access through network interfaces, can we still use these interfaces for legitimate business reasons? And if so, how do we control them? Several methods are available to help secure these interfaces, each with its own pros and cons.

  • You can prevent some services from starting by using the GO TCPADM command menu or Navigator for i (formerly known as iSeries Navigator). The problems are that someone can restart a service, or forget to shut it down after using it temporarily, and nothing tells you; server requests are not visible for reports or alerts; and you are still dependent on the underlying object security model.
  • You can use IBM i commands together with the Application Administration portion of Navigator for i to control which functions individual users may use, restricting or granting particular functions per user independently of object authority. On the downside, it offers no visibility, no alert mechanism, and no reporting, and not all services are covered by a function.
  • You can define exit programs for most network interfaces. You use the Work With Registration Information (WRKREGINF) command to define the name and location of an exit program for each service. (An exit program, similar to a database trigger program, is called by the associated exit point when the server receives a request. It receives details of the incoming request and should determine whether the request is legitimate and log the activity.)

Exit programs are not synonymous with security—the functions performed by an exit program are defined by the programmer who created it. Some exit points allow exit programs to approve or deny requests; others simply perform a programmed function. For example, the ‘create user profile’ exit point might call a program to create a work library for a new user. While it is possible to write your own exit programs, many organizations don’t want the cost and effort of developing and maintaining complex, security-sensitive applications with potential performance implications.
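To make that last point concrete, here is the decision logic such an exit program would carry, as an added example that is not part of the original article and is not code from PowerTech Network Security. It is portable C so that it compiles and runs anywhere; the operation codes and the blank-padded CHAR(10) profile field are modelled on the FTP server request validation exit point (QIBM_QTMF_SERVER_REQ, format VLRQ0100) as I recall it, but the exact parameter list is an assumption to be checked against the IBM documentation for your release before a real program is compiled with ILE C and registered against the exit point with WRKREGINF. The profile names, library names, IP address, and rule table are constructed for illustration. The policy is deny by default: a request is allowed only when a rule grants that profile that operation in that library; RCMD is refused for everyone regardless of the profile’s LMTCPB setting; and no rule grants upload or delete, so even a profile holding *ALLOBJ is read-only for production data over FTP.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Operation codes modelled on the FTP server request validation exit
 * format (VLRQ0100). Assumption: confirm these, and the full parameter
 * list, against the IBM documentation for your release. */
enum { OP_SESSION_INIT = 0, OP_CREATE_DIR = 1, OP_DELETE_DIR = 2,
       OP_SET_CUR_DIR = 3, OP_LIST_FILES = 4, OP_DELETE_FILE = 5,
       OP_SEND_FILE = 6 /* download */, OP_RECEIVE_FILE = 7 /* upload */,
       OP_RENAME_FILE = 8, OP_EXEC_COMMAND = 9 /* RCMD: a CL command */ };

/* Allow-list row; a request matching no row is rejected (deny by default). */
struct rule {
    const char *user;  /* profile name, or "*PUBLIC" for any profile */
    int         op;
    const char *lib;   /* library the target must be in; "" = any */
};

/* Hypothetical site policy, constructed for this example: ACCTG01 may browse
 * and download from PRODLIB. No row grants upload, delete or RCMD to anyone,
 * so even a profile holding *ALLOBJ is read-only through this interface. */
static const struct rule ALLOW_RULES[] = {
    { "*PUBLIC", OP_SESSION_INIT, ""        },
    { "ACCTG01", OP_SET_CUR_DIR,  "PRODLIB" },
    { "ACCTG01", OP_LIST_FILES,   "PRODLIB" },
    { "ACCTG01", OP_SEND_FILE,    "PRODLIB" },
};
#define N_RULES (sizeof ALLOW_RULES / sizeof ALLOW_RULES[0])

/* Case-insensitive "s starts with prefix". */
static int prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != toupper((unsigned char)*prefix))
            return 0;
    return 1;
}

/* The target arrives in the session's naming format, "LIB/FILE.MBR" (NAMEFMT 0)
 * or "/QSYS.LIB/LIB.LIB/FILE.FILE" (NAMEFMT 1). Accept either spelling of the
 * library, and do not let "PRODLIBX" pass as "PRODLIB". */
static int path_in_library(const char *path, const char *lib)
{
    char fmt1[80];
    const char *rest;
    if (lib[0] == '\0') return 1;
    snprintf(fmt1, sizeof fmt1, "/QSYS.LIB/%s.LIB", lib);
    if (prefix_ci(path, lib))       rest = path + strlen(lib);
    else if (prefix_ci(path, fmt1)) rest = path + strlen(fmt1);
    else                            return 0;
    return *rest == '\0' || *rest == '/';
}

/* The exit receives the profile as a blank-padded CHAR(10), not a C string;
 * copy it out without the trailing blanks before comparing. */
void trim_profile(const char field10[10], char out[11])
{
    size_t n = 10;
    while (n > 0 && field10[n - 1] == ' ')
        n--;
    memcpy(out, field10, n);
    out[n] = '\0';
}

/* Decide one request: 1 = allow, 0 = reject. Also formats an audit record into
 * logbuf (may be NULL); a real exit program would write it to a journal and
 * store the return value in the server's "allow operation" output parameter. */
int ftp_exit_decide(int op, const char *user, const char *remote_ip,
                    const char *opinfo, char *logbuf, size_t loglen)
{
    int allow = 0;
    size_t i;
    /* RCMD is rejected for everyone: the server may not honor the profile's
     * LMTCPB(*YES), so the exit program enforces it instead. */
    for (i = 0; op != OP_EXEC_COMMAND && i < N_RULES; i++) {
        const struct rule *r = &ALLOW_RULES[i];
        if (r->op == op
            && (strcmp(r->user, "*PUBLIC") == 0 || strcmp(r->user, user) == 0)
            && path_in_library(opinfo, r->lib)) {
            allow = 1;
            break;
        }
    }
    if (logbuf != NULL)
        snprintf(logbuf, loglen, "FTP %s user=%s ip=%s op=%d info=%s",
                 allow ? "ALLOW" : "REJECT", user, remote_ip, op, opinfo);
    return allow;
}

int main(void)
{
    char user[11], rec[256];
    trim_profile("ACCTG01   ", user);   /* as the server would pass it */
    ftp_exit_decide(OP_SEND_FILE, user, "10.1.2.3", "PRODLIB/CUSTMAST.CUSTMAST", rec, sizeof rec);
    puts(rec);
    ftp_exit_decide(OP_RECEIVE_FILE, "QSECOFR", "10.1.2.3", "/QSYS.LIB/PRODLIB.LIB/CUSTMAST.FILE", rec, sizeof rec);
    puts(rec);
    return 0;
}
```

Once compiled, a program like this is registered once per exit point with ADDEXITPGM (or from WRKREGINF), after which the FTP server calls it for every request. Two design points matter more than the rule table: the program must decide quickly, because it sits in the request path, and it should never fail open, so an unrecognized operation code or an unexpected path format is logged and rejected rather than waved through. The audit record it writes is the only view of what was asked over that interface, which is exactly what object auditing alone cannot tell you.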

The Professional Solution
If, like most organizations, you decide to use a professional network security solution, we recommend PowerTech Network Security. As the leader in security solutions, PowerTech makes all of the necessary functionality available as a standalone solution, or as part of the PowerTech Compliance Suite—a collection of several popular solutions for securing Power Systems running IBM i.

When you install and activate Network Security, network requests to the server are visible instantly. The information is stored in a secure IBM repository for analysis and reporting. For user and application requests that involve server access, including remote commands, you can issue alerts for immediate notification and response.

Imagine being able to report on a user accessing your Integrated File System (IFS), including the directories navigated and the files viewed or deleted. How reassuring to know that if an FTP user attempts to target a secured production file, the unauthorized access attempt is blocked and the system administrator is notified automatically!

Network Security also offers the ability to have a request run under an alternate profile. You can implement ‘deny by default’ methodology while granting temporary access to pre-approved requests. For example, you could set authorities on a library to *EXCLUDE, but still allow a specific file to be downloaded and logged by your accounting group.

Or, you could take an unrestricted user profile with *ALLOBJ special authority and downgrade it to read only capabilities for production data. Both of these “on-the-fly” security changes are transparent to the user and remain in effect only during specific requests.

Figure 2. Analyze, control, and report on a user's network activities.

For more information on PowerTech Network Security, or to receive a FREE compliance scan of your system (including a review of your network vulnerability), visit the PowerTech website at www.powertech.com.

Robin Tatam is the Director of Security Technologies for PowerTech, a leading provider of security solutions for the System i. A frequent speaker on security topics, he is co-author of the IBM RedBook, System i Security – Protecting i5/OS Data with Encryption. Robin can be reached by e-mail at robin.tatam@powertech.com.

Welcome to the PowerTech Blog!

Posted in Company News on October 6th, 2009 by Robin

My name is Robin Tatam and I am PowerTech’s Director of Security Technologies. When I was asked to contribute to our corporate blog, I was excited for two reasons. First, I am a true believer! You won’t find many people who are bigger fans of Power Systems and ‘i’ than me. And, I am not just an ‘on paper’ enthusiast—I have strung miles of Twinax cable, written “millions” of lines of RPG code, and sat up many nights running disaster recovery tests. I get it—this server is a technological rock star! Second, in my capacity as a security professional, I see how many of these systems are not properly secured. I love the idea of having access to another communication channel to spread the word that there is much work to be done to keep IBM i data safe.

As part of our status as the leading IBM i security solution and services provider, PowerTech has embraced a number of modern communication mediums, including Twitter (@powertechgroup), PowerNews, our electronic newsletter, and a weekly online seminar schedule. Blogging is a natural extension of that communication because it allows for rapid dissemination of information so that we can easily weigh in on important security topics. In the future, we plan to have personal observations from the PowerTech security team, interspersed with more in-depth articles from the PowerNews newsletter, as well as announcements on upcoming events.

In the true spirit of blogging, I wrote this entry at 36,000 feet, somewhere above the Grand Canyon, on the last leg of my trip to irrepressible Las Vegas to attend an ISACA auditor conference. Our work with the audit community sometimes makes us unpopular in data centers, but we feel that an educated auditor is easier to deal with, forcing us to be more conscientious security officers.

I look forward to reporting to you about my trip…

Robin Tatam

Meet Our New Director of Security Technologies

Posted in Company News on September 25th, 2009 by Barbara

Robin Tatam, the new Director of Security Technologies, joined PowerTech’s Eden Prairie, Minnesota office in July 2009. He brings two decades of IBM Power Systems (AS/400, iSeries, System i) and operating system (OS/400, i5/OS, IBM i) consulting experience, including a strong midrange background of RPG and advanced CL programming, Web site creation, and system administration.

For the last six years, Robin has been a top-tier consultant for System i security and compliance issues. Robin’s recent projects included teaching commercial classes in security and system administration, performing advanced product implementations, and numerous compliance-oriented assignments. He was a guest on the panel of experts at the PowerTech iNSIGHT Security Conference in Las Vegas two years in a row. In 2009, he taught multiple security sessions at COMMON in Reno, Nevada.

Robin Tatam, Director of Security Technologies

Previously, Robin was an IBM i Security Specialist for MSI Systems Integrators, an IBM Business Partner, where he was named Technology Impact Player of the Year for 2008. He also has worked as a development manager and was a vice-president directing corporate development practices.

Robin has been quoted on System i security trends by ComputerWorld magazine and has published several full-feature technical articles in Midrange Computing magazine. He also authored the MSI System i Security and Compliance Guide and co-authored the IBM Redbook on System i data encryption.

You can e-mail Robin at robin.tatam@powertech.com.

PowerTech Announces NetBook Winner

Posted in Company News on September 24th, 2009 by Christopher

We’re very pleased to announce that Richard Bryant of Pilot Pen is the lucky winner of the Netbook mobile internet device in our recent security compliance assessment promotion. Richard took advantage of a free PowerTech security compliance assessment and was entered into the drawing for the device. We would also like to thank everyone who participated.

Our free security compliance assessment helps you identify areas of weakness in your current configuration so that you can take steps to correct problems and close exposures before an audit uncovers them. PowerTech Network Security can then help you implement the access control that regulatory legislation requires, preventing unauthorized access to data by letting you fine-tune access to only those who need it.

To get a free security compliance assessment for your System i, visit our request page. You can also learn more about PowerTech Network Security in the products section of our website.

Watch for future promotions right here on the PowerTech PowerBlog!

Patrick Townsend Announces Partnership with The PowerTech Group

Posted in Company News on September 2nd, 2009 by Christopher

Partnership gives PowerTech customers access to world-class encryption solutions.

Patrick Townsend Security Solutions (PTSS) has announced its partnership today with The PowerTech Group. Townsend is a leader in encryption products for Power Systems servers running IBM i, while PowerTech (a Help/Systems company) is a leading provider of native IBM i security solutions. This strategic partnership gives PowerTech customers access to the world-class encryption solutions offered by Patrick Townsend.

Tom Huntington, vice president of Technical Services at Help/Systems said, “This is a natural relationship for PowerTech customers who need encryption. The security solutions offered by these two companies are very complementary.”

Patrick Townsend, founder and chief technology officer of Patrick Townsend Security Solutions, said, “This is just another great way for PowerTech customers to round out their security. While native security solutions can protect data from inappropriate change or deletion, our encryption technologies go a step further to actually protect the data from all inappropriate use or viewing.”

About Patrick Townsend Security Solutions
Patrick Townsend Security Solutions provides data encryption, key management, and secure data transfer products for major enterprise platforms. Its customers include some of the most recognized names in retail, finance, healthcare, and government. Known as the Encryption Company, Townsend Security Solutions was formed in 1984 and is privately held with headquarters in Olympia, Washington. For more information visit www.patownsend.com or call 800/357-1019.

About PowerTech
PowerTech is a leading expert in automated security solutions for IBM Power Systems running IBM i (System i, AS/400), helping users manage today’s compliance regulations and data privacy threats. Because these systems are used to host sensitive corporate data, every organization needs to practice proactive compliance security. PowerTech products provide definitive security coverage. For more information, visit www.powertech.com or call 1-800-915-7700.