An Incredible Force of Nature

Posted in Events, Other, Security on February 24th, 2010 by Robin

After spending the first half of the week in Nashville, Tennessee, I jumped on a plane to make the trek north to Buffalo, New York. My first stop was the beautiful Seneca Niagara Casino & Hotel in downtown Niagara Falls, 15 miles north of Buffalo. The hotel is just a short walk from the three famous waterfalls that are the city’s namesake and that lie on the Niagara River, which straddles the border between the United States and Canada. Although not exceptionally high, these falls are the most powerful in North America, an important source of hydroelectric power, and one of the most recognized landmarks in the world.

Seneca Casino, one of PowerTech’s valued customers, graciously offered to host our 3rd IBM i security workshop in their well-appointed conference facilities. The half-day session was another highly interactive one, and was accompanied by a fantastic lunch and free PowerTech giveaways. After bragging that previous sessions had finished within 5 minutes of the scheduled 4 hours, of course this session ran over, simply because of the great interaction and discussion with the attendees. For that reason, no one seemed to mind, and everyone seemed happy with the content that we provided, with topics that included system values, exit points, and object-level security.

Before heading back to Buffalo, I did make the short walk down to the breathtaking American and Bridal Veil Falls. If you have never seen this stunning sight—especially in the winter—then it is hard to describe the power and sheer natural force of these natural wonders. While I had previously seen the view from the Canadian side in July, this was my first visit to the U.S. side. While a still photograph doesn’t really do it justice, I hope my panorama conveys a fraction of its majesty.

The remainder of the evening was spent with the large group that comprises the Midrange Users Group of Western New York (www.mugwny.com). On this night, I presented a combined session called The Top 10 IBM i Security Vulnerabilities and The State of IBM i Security Study, which is based on the popular PowerTech white paper that is published annually. From the reaction of the crowd, some of the issues were quite eye-opening. Hopefully the information I provided will assist them with performing security improvements that might prevent corporate data from flowing out of the network as fast as water over the falls! As always, I offered to conduct a no-charge security review for anyone interested in using our fabulous automated Compliance Assessment solution.

Fortunately, the “lake effect snow” that I had been told about plaguing the region held off for the most part, and I was able to start my return travels on time. Ironically, while everyone had cautioned me about the likelihood of flight delays in and out of Buffalo, and I knew of the prevalence of seasonal delays at my connecting hub of Chicago’s O’Hare airport, it was my final destination of Des Moines, Iowa, that almost derailed my return. As we were beginning our descent into Des Moines, the pilot informed us that the airport had just closed due to the blowing snow from a winter storm. We immediately went into a holding pattern awaiting further instructions. The captain indicated that we had an extra 40 minutes’ worth of fuel in addition to the fuel required for a return to Chicago! Fortunately, we didn’t require much of either, as the airport subsequently reopened and we were cleared to land after about 20 minutes of circling. I was so relieved that I didn’t have to end a fantastic work week with a winter travel horror story!

Thanks again for everyone’s continued hospitality on the road, both for the workshops and the user groups. I would be remiss if I didn’t also thank my team back in Minneapolis, especially Katie Carnicom, who tirelessly facilitates the numerous agendas (for me, as well as other members of staff), complicated travel schedules, and shipments of the t-shirts and presentation materials. It takes unbelievable organization to put these events on back-to-back, and she does an amazing job that allows me to look good with little effort on my part!

This week will be a week to try and catch up, and then next week I will be off again, taking the workshop and user group presentation to Reno, Nevada, billed as “The Biggest Little City In The World.” That will be immediately followed by Portland, Oregon, the week of March 8th.

The Tennessee Waltz

Posted in Other, Security on February 17th, 2010 by Robin

Although it is my first visit to the city of Nashville, it’s immediately clear that it’s a Southern city with a bustling nightlife, and a place that takes pride in its heritage. Best known as the hub of country music, Nashville is home to everything from the Country Music Hall of Fame to “Cooters,” a museum dedicated to them “good ol’ boys,” the Dukes of Hazzard.

Although I don’t typically have time to visit many attractions on my trips, I would certainly love to come back and take some time to explore this town. I must say it was fun to eat dinner while listening to some live country music, as well as visit the spectacular Opryland Hotel. Traveling as much as I do, I thought I had seen it all, but this venue is truly spectacular consisting of three huge atriums complete with cascading waterfalls, winding overhead walkways, and a musically-inspired indoor fountain show.

My whistle-stop schedule started with a customer visit on Monday, and continued today with a half-day security workshop. It was another great interactive event, and opened the door to some great questions and numerous conversations regarding how customers are currently approaching the challenge of securing their data. It was fantastic to find that a number of the attendees are already running PowerTech solutions to assist them, and fun to give away another box of shirts and a Starbucks gift card!

Last night found me up in front of a full room at the local Nashville user group where I presented a combination session on protecting the IBM i from FTP, ODBC, and Remote Command, along with how to configure auditing controls for IBM i. While the dinner and cheesecake were great, the best part of the evening was the highly interactive audience, and that is very satisfying to me as a speaker. There were a lot of pertinent questions and discussion around the two topics, and good conversation afterwards about security topics in general. I am also getting to enjoy the mass t-shirt distribution, as everyone seems to get a kick out of our “control freaks” t-shirts!

The hotel that hosted the user group also had a Nashville Songwriters event going on afterwards, and presented some of the talent behind hit songs recorded by such country legends as Kenny Chesney, George Strait, and Trace Adkins. I am now preparing to head to the airport this morning for a flight to Buffalo, NY, to repeat the same events again in the Niagara Falls and Buffalo area. I will give you an update on that part of my trip next week.

As part of this entry, I thought I would share a funny story. As a Midwesterner, you’d think that I would be prepared for bad winter weather wherever I go, but upon waking here on my first morning in town I was more than a little surprised to see that Nashville was coated in a layer of black ice, topped with a couple of inches of powdery snow. I was dismayed to find that my car windows were frozen solid, and my windshield wipers “super-glued” to the glass. Unfortunately for me, the rental car agency didn’t include the normal obligatory corporate-branded ice scraper, so I had to make do with the edge of the hotel’s plastic room key. Halfway into this finger-numbing exercise, I was approached by a man carrying a can of de-icer and a scraper. While the scraper was making short work of removing the ice, I asked if this was a common event in Tennessee and mentioned that I was impressed that he was so well prepared. While I had assumed I would be leaving the winter weather behind me for a few days, I was definitely amused when he grinned at me and responded “I have no idea. I am just visiting from Illinois!” I should have known it would take a fellow sufferer to carry his own winter lifeline.

It’s Not Just an Act

Posted in Other, Security on February 9th, 2010 by Robin

It has been a busy year, and it’s hard to believe we are well into February already. I have really been enjoying the recent interaction with class students, regional user groups, and PowerTech customers around the country and although it is one of my favorite responsibilities, it is not without its challenges. While I have a Blackberry pretty much velcro’d to my hand, it can be challenging to keep up on the daily affairs of the office in Minneapolis.

I actually hear that type of complaint from a lot of the customers that I talk to: the daily challenge of finding the time to perform all of the necessary security forensics. It is always nice to visit with some of those same customers after they have installed a tool like PowerTech Compliance Monitor (CM), and to hear how the tasks that previously took hours or even days to perform can now be reviewed and analyzed in a matter of minutes. Take, for example, the task of comparing system values against your policy. Printing and hand-reviewing this information is not difficult, but it takes a good eye and patience to do the comparison. Compare that with CM’s ability to quickly and effortlessly print system value scorecards that color-code any non-compliant items for you, and provide a compliance ranking. Of course, although we ship a great policy template inside the product, you can modify it for your own requirements. Now, consider comparing the values on dozens or even hundreds of partitions and it doesn’t take long to see where the time savings start to really add up!
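To make the scorecard idea concrete, here is an added illustration (my own example, not Compliance Monitor’s code or its shipped policy template) that compares a few real IBM i system values from several partitions against a policy, flags the non-compliant ones in color, and ranks the partitions by compliance percentage. The policy thresholds and the three partitions’ values are constructed sample data.

```python
"""Added illustration of a system-value scorecard: compare each partition's
IBM i system values against a policy, flag non-compliant ones, and rank
partitions by their compliance percentage. Sample data is constructed; this
is not Compliance Monitor's code or policy template."""
from dataclasses import dataclass, field

# Policy rules: (operator, expected). Thresholds are a constructed example of
# common hardening guidance, not a vendor-shipped template.
POLICY = {
    "QSECURITY":  ("min", 40),        # run at security level 40 or higher
    "QPWDMINLEN": ("min", 8),         # minimum password length
    "QPWDEXPITV": ("max", 90),        # password expiry interval, days
    "QMAXSIGN":   ("max", 5),         # invalid sign-on attempts allowed
    "QINACTITV":  ("max", 30),        # inactive job time-out, minutes
    "QLMTSECOFR": ("eq", 1),          # limit *ALLOBJ users to named devices
    "QAUDCTL":    ("contains", {"*AUDLVL", "*OBJAUD"}),  # auditing switched on
}


def _as_number(value):
    """Special values such as *NOMAX or *NONE mean 'no limit'; for a
    max rule that is the worst case, so map them to infinity."""
    if isinstance(value, str) and value.startswith("*"):
        return float("inf")
    return float(value)


def check_rule(rule, actual):
    """Return True when the actual system value satisfies the policy rule."""
    if actual is None:
        return False                  # value not collected: treat as failing
    op, expected = rule
    if op == "min":
        return _as_number(actual) >= expected
    if op == "max":
        return _as_number(actual) <= expected
    if op == "eq":
        return str(actual) == str(expected)
    if op == "contains":
        return expected.issubset(set(actual))
    raise ValueError(f"unknown operator {op!r}")


@dataclass
class Scorecard:
    partition: str
    results: dict = field(default_factory=dict)  # sysval -> (actual, compliant)

    @property
    def percent(self):
        total = len(self.results)
        passed = sum(1 for _, ok in self.results.values() if ok)
        return round(100.0 * passed / total, 1) if total else 0.0

    def failures(self):
        return sorted(k for k, (_, ok) in self.results.items() if not ok)


def score_partition(name, sysvals, policy=POLICY):
    card = Scorecard(name)
    for sysval, rule in policy.items():
        actual = sysvals.get(sysval)
        card.results[sysval] = (actual, check_rule(rule, actual))
    return card


def rank_partitions(fleet, policy=POLICY):
    """Score every partition and return the scorecards, best to worst."""
    cards = [score_partition(n, v, policy) for n, v in fleet.items()]
    return sorted(cards, key=lambda c: (-c.percent, c.partition))


RED, GREEN, RESET = "\033[31m", "\033[32m", "\033[0m"


def render(card):
    """Colour-coded text scorecard: non-compliant lines are shown in red."""
    lines = [f"{card.partition}: {card.percent}% compliant"]
    for sysval, (actual, ok) in card.results.items():
        color = GREEN if ok else RED
        status = "PASS" if ok else "FAIL"
        lines.append(f"  {color}{status}{RESET} {sysval:<11} actual={actual!r}")
    return "\n".join(lines)


# Constructed sample: what collecting the values from three partitions might return.
FLEET = {
    "PROD01": {"QSECURITY": 40, "QPWDMINLEN": 8, "QPWDEXPITV": 60, "QMAXSIGN": 3,
               "QINACTITV": 30, "QLMTSECOFR": 1,
               "QAUDCTL": ["*AUDLVL", "*OBJAUD", "*NOQTEMP"]},
    "DEV01":  {"QSECURITY": 30, "QPWDMINLEN": 6, "QPWDEXPITV": "*NOMAX",
               "QMAXSIGN": "*NOMAX", "QINACTITV": "*NONE", "QLMTSECOFR": 0,
               "QAUDCTL": ["*NONE"]},
    "TEST01": {"QSECURITY": 40, "QPWDMINLEN": 10, "QPWDEXPITV": 90, "QMAXSIGN": 5,
               "QLMTSECOFR": 1, "QAUDCTL": ["*AUDLVL"]},   # QINACTITV not collected
}

if __name__ == "__main__":
    for card in rank_partitions(FLEET):
        print(render(card))
```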

Last week, the U.S. House of Representatives passed the Cybersecurity Enhancement Act (HR 4061). The bill passed easily with a vote of 422-5, and now goes before Congress. If passed into law, the bill provides various provisions, such as providing grants to students in the field of computer security in return for service to the government cybersecurity team, strengthening the role of the National Institute of Standards and Technology (NIST) to influence the way cybersecurity is addressed through awareness campaigns, and requiring the President to perform an agency-by-agency assessment of the skills found in the government’s cybersecurity workforce. It is the first major cybersecurity bill to be passed by either house in the current session of Congress, but is unlikely to be the last. For more information, visit http://www.opencongress.org/bill/111-h4061/show

On another note, the PowerTech team is busy working on the finishing touches to Network Security v6.0, which is to be released soon. We are already actively working on ideas for several other product releases, as well as building a development wish list for NS v7.0. As an IBM business partner, we are now running tests on pre-release versions of IBM i to ensure that our products are approved and ready to go when IBM releases its latest iteration of the operating system. I will be taking a look at the new release soon with an eye on delivering an update regarding any new security enhancements that have been included.

If you are in Rochester, Minnesota today for the Large User Group (LUG) sessions at IBM, please consider yourself invited to our customer appreciation event at the DoubleTree hotel downtown.

As I am writing this, the snow is again falling and blowing. If you are in a geography that is being blasted by this storm, or even the last one that came through that ended up dropping a whopping 33” of snow on our nation’s capitol, stay safe. Next week I am headed to Nashville, and then on to Buffalo, so I have a feeling that I haven’t seen the last of Mother Nature! I am hosting an IBM i security workshop in both cities, and presenting at the local user groups. If you would like to get more information on these events, check the events section of the Web site at www.powertech.com.

Planes, Trains, and Automobiles

Posted in Events, News, Other on January 26th, 2010 by Robin

Well, last week was a busy, but fantastic week. My travels started on Monday afternoon with a non-stop flight from the chilly air of Minneapolis to John F. Kennedy International in New York. Actually, I was surprised how fast the flight went, and after a few short hours I was programming the rental car’s GPS and heading into Manhattan.

It’s been 20 years since I was last there, and though the skyline might have been tragically altered forever, the hustle and bustle of the city that never sleeps is the same. I came to the United States in the summer of 1988 as a British foreign exchange student, and one of my most vivid memories is of being in New York City at night, and riding a tour bus across one of the bridges into Manhattan. It was one of the most spectacular nighttime skyline views that I had ever seen. As an amateur photographer, one of my personal goals of this trip was to try to recreate that view, and I was able to work my way down to the water line and get this photo.

New York Skyline

My work agenda started on Tuesday morning with a visit to a customer on Long Island. We had a great discussion regarding the ways they were using several of the PowerTech tools to help administer and audit access from users that normally would be hard to control, such as programmers. We also talked about how they see their developing security requirements.

After a 90-minute car-ferry ride from Port Jefferson, NY to Bridgeport, CT, it was a short hop down to Norwalk to meet my first user group. The group had selected the topic of “7 Habits of Highly Secure Organizations” and, for a couple of hours, we enjoyed dinner and interacted about the subject of auditing, access control, and regulations and policy. I raffled away a Starbucks gift card, as well as a number of free t-shirts, and it was a great evening.

Wednesday was a pretty easy day, riding the ferry back to Long Island, and then navigating to the location of the Long Island user group. I was met with a fantastic turnout from a crowd of very active System i users. The group started the evening early with some PHP training led by one of their own members, and there was a fun slideshow on some System i/iSeries/AS/400 history. I presented the “Top 10 Security Vulnerabilities,” based on data extracted from our annual security study. I really enjoyed interacting with this group, which included several of my own customers, as they had lots of great questions and discussion points. After another gift card drawing and distribution of a big box of t-shirts, I was off to my next stop in Morris Plains, NJ.

As a side note, if you are not from the East Coast, a GPS is a prerequisite to navigate your way around a city as large as this. Although mine had some trouble acquiring a signal at times (ahhh! technology) and wanted to send me in circles, I managed to successfully navigate the 90 or so miles to my destination.

Thursday morning began early with another customer visit, to a long-standing customer of Help/Systems and now a new PowerTech customer. I learned about some of the challenges that they had faced trying to implement an object security infrastructure. I offered some advice and also offered the PowerTech services team to provide assistance if desired. After all, as I have stated in my blog several times, we are not just a software company.

Thursday evening had me in Fairfield, NJ, at my final user group meeting. I spent several hours with another lively crowd of about 30 people who learned about the dangers of “FTP, ODBC, and Remote Command.” I included a small demo of how simple it is to access corporate data through common tools, and the conversation was very active, which is typical after people see just how easy it can be. I cleared out my final box of t-shirts, handed out my last gift card, and headed the 90 miles to Philadelphia.

I wanted to use this travel opportunity to visit with another (very well-known) customer on Friday morning. They are an active user of several of our security tools, and are evaluating another one to add to the suite. I spent a couple of hours learning about how they are implementing security in their environment, as well as identifying areas where we can provide some relief.

This is one of my favorite types of work: meeting with customers to discuss their successes and future needs, and also mingling with the types of user groups that I used to attend in my past jobs. These are the folks that are the diehards of the technology on which our software runs. You don’t have to sell them on the attributes of the System i (or AS/400, as many still call it), and their biggest complaint is that it is not more prevalent than it is.

I want to thank the customers who took time from their busy schedules to meet with me, and also the three user groups that invited me to present to their membership. At the request of a number of people, I am looking forward to returning to the area in the future—to meet with the user groups again as they support the local ‘i’ community, and to host our IBM i security workshop.

I am finalizing this blog entry on Friday afternoon, while awaiting my return flight from Philadelphia, Pennsylvania. After a brief return to Minneapolis, I leave again to head to St. Louis, Missouri, to teach a security workshop, and give a user group presentation in Jefferson City.

Interestingly, although I added “ferry” to the list of my various modes of transportation used last week, I still have yet to use a train!

PowerTech Support Interview

Posted in Other, Security on January 19th, 2010 by Robin

With Gregg Bury and Jill Martin

JM:  Before we get started with the questions, why don’t you give us a quick introduction?

GB:  Well, my name is Gregg Bury. I’m a technical support consultant at PowerTech and I work with the System i and our software in security.  I live in the Pacific Northwest, in Seattle.

JM:  How long have you been with PowerTech?

GB:  It’s 10 years this year; joined in 2000.

JM:  Have you always been in customer support?

GB:  I have.  In the early days, it wasn’t just customer service. We did QA, and wrote our own documentation and guides and best practices, so it’s kind of narrowed now.  In the original days, it was a lot broader job description.

JM:  What makes our support unique?

GB:  Those of us in support have been here a long time, so we’re very aware of not just our software, but security needs and the System i.  Myself and my co-worker, Pablo Tellez—he’s been here 11 years—just by virtue of our length of time in service at this one company, I think gives us a lot of credibility and skill here.  And, we both like what we do and we care about the customers.

JM:  What is the knowledge level of our support?  (Level 1, 2, 3 etc)

GB:  Three being the highest?  At least 2 and edging into 3; generally when I consider 3, you’re getting into the development and the code and the software functions at a program level.

JM:  You take it further than level 2 often times, I bet you do a lot of research.

GB:  Yes, we research.  We dig into the deepest parts sometimes.  Sometimes with help.

JM:  What type of closure rate do we have for incoming calls? How often do you close calls after the initial contact?

GB:  Well, I’d say between 80%-90% easy.  While we’re on the call, we open it.  We may be creating the ticket at the moment they call, and most of the time by the time the call is done, it’s finished.  We’ve closed the call.

JM:  You’ve solved the problem for the customer?

GB:  Correct.

JM:  In addition to phone calls, what are some other ways to contact support?

GB:  Email; we have a support email address.  It’s a mailbox that we monitor: support@powertech.com.  The phone and email are the primary ways.  Often some will be referred by either an account rep or someone else who transfers the call to us, but generally it’s the phone.

JM:  What do you like best about working with our customers?

GB:  I like problem solving.  People will call, they have a problem – often they’re stressed, and people often vent which is normal, but we don’t take it personally in that respect; but when we’re done, they’re often happy or satisfied that they’ve got your answer or at least we’re working on the problem.  So, I just like to solve problems.

JM:  Would you say that most of the calls or questions you guys get are related to defects or how-to questions?

GB:  At least 75%-80% are how-to questions.  Some of them might be dealing with the iSeries and how it works with security, or how to use our software.  Often they’re dealing with forensics: they had an event that happened that shouldn’t have or something, and they’ll call us about how to get some history and documentation of what happened.  Often it’s just on the iSeries or using our software.

JM:  So most of the calls you take are how-to questions on the software or on the operating system.  For instance, it’s not always just when there’s an actual problem.

GB:  Yeah, I think people have learned to trust us; not all of the calls we get have to do with our software, and maybe don’t even have to do with security, they just know that somehow we know what to do in this situation, and we’ll get calls on that just because they trust us.

JM:  What are some of the other things you get involved in as part of support?

GB:  QA (testing) often from the customer standpoint.  I know we have QA people who make sure the code is working, but we, in support, will do QA from a customer perspective; we know customers like to do a particular process in a particular way just by virtue of our calls.  Whether it’s running a report, adding access control rules, installing or uninstalling – various things like that.  We also find customers do things in unexpected ways that when development built the product, they didn’t foresee; Pablo and I know that and we will run our QA from that perspective.  Also, we have ideas and enhancements that we will supply back to development by virtue of repeated calls that we get from customers.  We are often involved in usability meetings with the products.

JM:  So, by being on the front lines and getting involved with new version product testing and enhancements, you’re able to add a lot of value to the direction of the product.

GB:  I think so and I hope so.

JM:  Any other thoughts you would like to share?

GB:  Well, there’s a loaded one!  You know, our software targets security, but often people view our software as an end-all solution, but it should probably be viewed more as a tool for dealing with security.  Also, security is a verb; it’s not that you just put the software on and then forget about it, it’s ongoing.  The environments are changing, the laws change, the users – as everybody knows – come and go from the business, so they have to be added and removed, the way users do things – as users get smarter they’ll try new things, software applications are added – you know, the old thing with ODBC, and through Microsoft Excel, that was more or less a catalyst for Network Security – but they’re just tools and they can’t be forgotten, they have to be worked and used.  I think at PowerTech we do offer more than just the tools; we are offering our security expertise and experience.

Good Support = Satisfied Customer

Posted in Other, Security on January 12th, 2010 by Robin

Regardless of how much effort we expend to plan for “unexpected” events, sometimes things happen that are simply out of our control. Last week in Seattle, for example, a failed network component at the local communication service provider’s data center forced a temporary outage of our voice and data lines at our technical support center. Fortunately, having multiple locations means we could do some creative magic and reroute our callers to different offices. This ensured that anyone looking for help could still talk to a live person; something that Help/Systems companies take pride in.

Although the outage was sporadic, it did mean that our call handlers sometimes had to seek other people when they couldn’t forward the call to a technical support employee. Rather than simply take call-back information, I fielded one of the calls myself, and I am extremely glad that I did. It came from a large customer located in Niagara Falls, NY, who initially was a little surprised that a director was answering level 1 support calls (perhaps their surprise was less about my title than the concern of a “pencil pusher” trying to help them!). I explained that the support team was not available, but that I was interested in knowing what their question was, and that I would do my best to address it for them, or escalate it as soon as Seattle came back online. As we worked through some troubleshooting steps, it gave me a great opportunity to visit with them.

I was very happy to hear that they are “huge fans” of the PowerTech security solutions, and frequent listeners of my weekly educational Webinars, but especially proud of how complimentary they were of the support team that they (normally) talk to if they call in. Regardless of whether they had an actual technical issue, or they were simply looking for advice or assistance on how best to utilize the solutions to secure their numerous systems, I was told that the support they had received had always been first class.

I started thinking about how quality technical support can make an enormous difference in a customer relationship. It doesn’t matter how good a solution is if, at the end of the day, the solution is not well supported. I think everyone at one point has purchased a product or service, and found that they had a question about its use, or needed some assistance with it. The instant a phone call is made to the vendor’s support number, there is a “Y” in the road that decides whether it will actually increase the customer’s level of satisfaction, or make them question their purchase. In fact, I remember hearing a tale of a cellular phone company that deliberately provided a number of their customers with phones that were not working. This was done as an experiment to see if the way that the support calls were handled would have an impact on a customer’s perception of the company. Interestingly, the level of satisfaction after the issue was handled promptly and courteously was recorded as higher than even that of those customers who had received a working phone from the start! That is a powerful statement of the impact that good support can have.

Of course, PowerTech does not provide solutions that will deliberately cause issues to customers, but we do have the type of support response that gets praised frequently. That is good for the customer and good for our business. From my perspective, I wish to send my thanks to the members of the PowerTech support team, and also the professional services team that—based on the satisfaction surveys that pass my desk—do an equally superb job at making PowerTech look good. It takes a lot of patience and skill to help customers in a way that makes them thankful for calling.

I am going to be in Buffalo, NY, in February (for some reason, everyone laughs when I say that) to speak at a local user group, and to host a half-day IBM i security class. During that trip, I have arranged to stop by and visit with this particular customer. I want to thank them for their business, and also to have some discussion about how they use the PowerTech products. It is invaluable to us to hear customer insight about what security and compliance issues are important to them in their business, as well as features they would like to see us include in an upcoming release of one of our products. I think it makes us more of a security company than a software company.

Oh, and in case you were wondering, I was able to resolve the question that the customer had called in about. My single call may pale in comparison with the volume of questions that the professionals in Seattle typically handle, but at least I can hold my head up high in the break room!

Watch for an upcoming blog and PowerNews newsletter interview with a member of our (real) support team.

Happy New Year!

Posted in Other, Security on January 5th, 2010 by Robin

I guess it is a sign of my age that the years seem to slide past faster nowadays. It is staggering to think that it is the start of yet another decade, and ten years ago the I.T. industry just got done holding its collective breath for Y2K—a computing event that many thought would be cataclysmic. While no disaster ever materialized, it did help to point out how technology-dependent we have all become in our businesses and in our personal lives.

Security should be considered the new Y2K as it demands the attention of every citizen in every country, and has the potential of bringing us to our computing knees. While the year 2000 came and went without major incident, barely a day goes by that another breach doesn’t occur, or someone pays the price of one. We have seen an increasing barrage of attacks come from every direction, from every country, and via every form of communication. And even some “legitimate” businesses have turned out to be the culprit, and their actions have resulted in a new requirement for yet another regulation or legislation (think Sarbanes-Oxley). As someone who works in this industry full-time, I only see this continuing to worsen as cyber-criminals become more sophisticated and well-funded.

So as we embark on the ride into the next decade, I really hope that the vulnerabilities that I see every day are seriously contemplated and then addressed. For that to happen, it is critical that management gives the necessary consideration to their I.T. budget to help protect the very assets that their business survives on. This is true even in a tepid economy as employees fear for their jobs, and those that remain have to perform even more responsibilities. “ROSI” is an industry term, meaning “Return On Security Investment,” and although it might be calculated slightly differently from the more traditional “ROI,” there is a return nonetheless. One of the returns is that your business stays IN business—a pretty significant return, and something that should get the attention of your corporate management.

The good news is that many of us continue to run our core business applications on IBM i. While it does not come pre-configured as an overly secure environment, it has the ability—with a little help from your friends at PowerTech—to be one of the most secure servers available today. The features that are built in to the operating system all work together as a tightly integrated ring of protection around the data. And our popular software provides additional tools to make the life of the security officer more productive, and your data more secure.

So, as we start another new year and a new decade, resolve to finally take the steps you know you need to take to get your server in shape. If you don’t, it might mean more than your system just gaining a few extra holiday pounds!

Happy New Year, everyone!

When Winter Moves In

Posted in Other, Security on December 15th, 2009 by Robin

Well, it may have held off slightly longer than normal, but we knew it would just be a matter of time. This past week my home state of Iowa was pummeled with ice, snow, and bitterly cold temperatures. Although my weekly trek between Des Moines and Minneapolis was delayed by a day, it didn’t take too long for the hard-working road crews to get the highway infrastructure moving again.

Although I have survived my fair share of Midwest winter storms over the years, it struck me how there is similarity between how winter storm contingencies are planned for and how enterprise security should be handled.

In a computing environment, it’s important to perform what is known as “data classification.” This is where data is identified by its criticality to the organization. Data that is public, easily recreated, or has less intrinsic value to the organization (perhaps historical information) typically has less importance than data that would be costly if it were damaged or breached. Most organizations have limited resources (funding, security staff, etc.) and so the more important data gets prioritized first.

This classification is also necessary for our city planners. Obviously, with limited snow removal equipment and plow drivers, there is no way that every road can be cleared simultaneously. Routes are classified according to their importance. Classifications might include interstates, main trucking thoroughfares, secondary roads, and residential streets.

The next task is to perform a risk assessment. This is an important process by which risk is assessed based on a couple of factors: vulnerability and threat. Vulnerability is whether the incident is possible at all; threat is the likelihood that the vulnerability will actually be realized. By reviewing the classification, the vulnerability, and the threat, we get an assessment of risk. If one of the factors is low then the risk is generally also going to be low, and may even fall in the category of “acceptable risk.” If the cost to secure an asset is more than the business value of the asset, then management is not likely to want to spend the money on it.

In the case of winter, the vulnerability is whether a particular location could get a disabling snowstorm. There is high vulnerability in northern states such as Iowa and Minnesota, but not much vulnerability in the South. Even in places where there is vulnerability, the threat may still be low and may mean that we don’t see it as ‘high risk’ overall. The threat of a winter storm is obviously minuscule during summer months, but high between December and January. Accordingly, road maintenance departments know when to prepare their snow removal equipment for deployment, and to stock up on road salt and snow-melting chemicals.

There are cities that have occasional snowfall. I have been stuck in Dallas/Fort Worth International Airport when freezing rain has started to fall. The difference in how these locations respond is almost comical. It is like they grind to a halt over an incident that Minneapolis would handle in its sleep. This is because heavy snow is not a major threat there, and therefore is typically deemed an acceptable risk. I remember a few years ago when Iowa actually lent plows to another state that suffered a crippling snow storm, and had only 1 or 2 plows of their own (for the whole state!).

When an incident is discovered or predicted, the emergency response teams are called in. They use an Incident Response Plan (IRP) to know how to respond. For computer security, this may mean performing forensic analysis, management notification, or even disaster recovery; for winter storms it is the carefully orchestrated plowing of streets, parking bans, and widespread public notification of school closures.

A post-incident review, designed to analyze how effectively the response teams handled the situation, is the last step to determine if changes need to be made to the response plan. This may include additional notification methodologies, or requirements for new or additional equipment. In 2008, Iowa started to implement laser-guided plows to enable more accurate plowing with less chance of damage to the roads, and to help weary crews who are often faced with 12+ hour shifts.

Periodic risk assessments should also be performed to confirm that each type of incident still carries the same level of risk. Risk levels change when the asset (data or road) needs to be reclassified, when new vulnerabilities appear, or when threat levels shift.

So, if you live in a part of the world where snow—or any type of large natural event—is possible, imagine how the response teams might be using the very same type of risk management technique as your I.T. security staff.

Application Security: A Shared Responsibility

Posted in Other, Security on December 8th, 2009 by Robin – Be the first to comment

Last week I was on the road again, spending five days with a brand new PowerTech customer in Montreal, Canada. I always love these types of trips as they allow me to spend time with the customers who are really seeing the benefit of our solutions. It is also interesting to go to places that speak a different language, and all that entails.

It was an extremely productive trip, built around a packed agenda. Our original goal was to install our popular exit point solution, Network Security (NS), on two separate production machines, and start auditing the users’ activities that were previously invisible. I was also there to perform a formal security assessment, a combination of tasks that I expected would require some long days to accomplish in the time available.

When I arrived, I discovered that there was also a desire for me to help design a new security infrastructure for the application environment. A recent business acquisition, and an open vendor application environment, was driving the desire to secure user access based on business need, instead of hoping that users were doing only what they should. An admirable goal—and a service that we can certainly provide—but I didn’t anticipate we would have enough time to accomplish it during this particular trip.

The installation, initial configuration, and user training on Network Security went so smoothly that by the end of the first day we had already started to enter access control rules, and were hungrily awaiting more user transactions to come in. I was glad when my ‘trainee’ told me that he felt that the PowerTech software was intuitive and easy to use, and that the biggest challenge would be for them to identify whether a user was using a network access tool with approval or not (we later discovered that some activities were questionable). We also made some immediate and dramatic improvements in their security environment. For example, with a single NS rule we were able to protect the critical QSYS.LIB file structure from network access by any user on the system—even the ones with powerful access rights like *ALLOBJ.

Day two had me getting a jump-start on the security assessment, and some deeper insight into the strengths and weaknesses of this particular environment. Most of the issues were typical of most IBM i shops: overly powerful users, a few default passwords, some system value change recommendations, and confirmation of that open application data access model. And like most typical issues, some could be remedied easily; others require careful planning and testing. I had been able to perform some of the data analysis ahead of time using a proprietary data collection tool, and so I was able to provide the customer with a draft of the assessment for review before the end of the day.

Designing a resource security model for the corporate application was next. I’m always interested to see how so many commercial software vendors completely miss the mark when it comes to securing their application. I won’t name names, but this particular application relied on the QPGMR user profile owning the application objects and base IBM i security to control user access. The problem with this approach is that most customers have no idea how to implement a solid security model. Leaving their application open, or worse, requiring that application users have *ALLOBJ special authority is shameful. Engineering security into an existing commercial application is not easy. You often have little to no control over the way the application executes its code and the objects it accesses. Good security can be incorporated into an application much more easily when it is part of the design. For example, have a custom (non-IBM) profile own all of the objects. Also, don’t require that application users have special authorities for tasks that can be handled through application code (like starting print writers).

Why do we frequently see this openness? Honestly, I think it is for two main reasons. First, IBM i security knowledge is rare and it is easier to put the burden on the end customer as they are the “owner” of the machine. Sure, every customer has different configurations to be accommodated, but a little forethought goes a long way. PowerTech does this with our own applications, so we know it is entirely feasible even when we have no idea of the configuration of the customer’s server. Second, I think that many vendors believe that a wide open application reduces the support burden. Ironically, designing the application correctly often means fewer calls, as there are no unknown variables at play. I personally feel the responsibility for a secure environment is shared by the customer as the owners of the data, and with the application vendors whose software we trust to house and maintain that data.

In this particular case, we were fortunate to be able to map out a detailed application model that would work without requiring any application modifications. We started by identifying the types of users on the system. We mapped those users into one of four new group profiles to make life much easier when granting access to the numerous application objects. We secured at the library level first, and then at the object level using a couple of authorization lists. The programs are configured to use adopted authority, providing the users with the necessary elevated access only when using the line-of-business application. The group profiles also provide *USE access to certain command line users when using Query/400. As you would expect, there were a number of additional tasks identified, including a creative modification of the application subsystem (as adopted authority does not normally carry through to submitted jobs).
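The resource model described in the last two paragraphs, written out as IBM i CL commands. This is an added example, not the customer's implementation or PowerTech's own code; the owner profile APPOWNER, library APPLIB, authorization list APPDATA, groups APPUSERS and APPQRY, user JSMITH, file CUSTMAST and program ORDENT are assumed names, and only two of the four group profiles are shown.

```cl
/* Added example; all object and profile names below are assumed.            */

/* 1. A custom (non-IBM) profile owns the application objects.                */
/*    PASSWORD(*NONE): nobody ever signs on as the owner.                     */
CRTUSRPRF USRPRF(APPOWNER) PASSWORD(*NONE) INLMNU(*SIGNOFF) +
          SPCAUT(*NONE) TEXT('Application object owner')

/* 2. One group profile per type of user; users are attached with GRPPRF      */
/*    and SUPGRPPRF, so access is granted to the group, never to individuals. */
CRTUSRPRF USRPRF(APPUSERS) PASSWORD(*NONE) SPCAUT(*NONE) +
          TEXT('Line-of-business application users')
CRTUSRPRF USRPRF(APPQRY)   PASSWORD(*NONE) SPCAUT(*NONE) +
          TEXT('Query/400 read-only command line users')
CHGUSRPRF USRPRF(JSMITH) GRPPRF(APPUSERS) SUPGRPPRF(APPQRY)

/* 3. Library level first: the public cannot even see into the library.       */
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(*PUBLIC) AUT(*EXCLUDE)
GRTOBJAUT OBJ(APPLIB) OBJTYPE(*LIB) USER(APPUSERS APPQRY) AUT(*USE)

/* 4. Object level next: the data files are secured by one authorization     */
/*    list. Public is excluded; the Query/400 group gets read-only *USE.      */
CRTAUTL AUTL(APPDATA) AUT(*EXCLUDE) TEXT('Application data files')
ADDAUTLE AUTL(APPDATA) USER(APPQRY) AUT(*USE)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*FILE) AUTL(APPDATA)
CHGOBJOWN OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(APPOWNER) +
          CUROWNAUT(*REVOKE)

/* 5. The application programs adopt the owner's authority, so APPUSERS      */
/*    members can update the files only while inside the application.        */
CHGOBJOWN OBJ(APPLIB/ORDENT) OBJTYPE(*PGM) NEWOWN(APPOWNER) +
          CUROWNAUT(*REVOKE)
CHGPGM PGM(APPLIB/ORDENT) USRPRF(*OWNER) USEADPAUT(*YES)
GRTOBJAUT OBJ(APPLIB/ORDENT) OBJTYPE(*PGM) USER(APPUSERS) AUT(*USE)

/* Check: outside the program, a member of APPUSERS should show no authority */
/* to the file, while the APPQRY group shows *USE through the list.          */
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
```

As the post notes, adopted authority does not carry through to submitted jobs, so batch work started by the application needs its own treatment (for example, a job description or subsystem change) that this fragment does not cover.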

By the end of the week, we had accomplished everything outlined in the project scope, and a detailed step-by-step task document would walk through the actual implementation of the object resource model for the application environment. There was even enough time left to help present PowerTech’s free weekly education Webinar, discussing the findings from our annual “State of System i Security” study.

I would like to thank the wonderful customer staff, Sylvain and Louise, for their kind hospitality and excellent French-English translation skills (putting my own to shame!). I am glad to report that everyone was extremely satisfied with what was accomplished in such a short period of time. I really enjoyed assisting them with all of their security initiatives, and I feel proud knowing that the data served from their IBM i servers is more secure than when I arrived.

If you weren’t aware that PowerTech performed professional services—revolving around our products, and also the base IBM i security controls—then I invite you to drop me a note. I think you will be pleasantly surprised to hear what we bring to the table.

Which leaves me with one final question: “Parlez-vous PowerTech?”

Giving Thanks

Posted in Other on November 24th, 2009 by Robin – Be the first to comment

As we head into Thanksgiving week in the United States, I want to take this opportunity for some personal reflections. This has been a tough year for many around the world. Chances are that 2010 will ring in a new decade with many of the same challenges still in front of us. Whether you feel that the biggest hurdle we’re facing as a nation is the ongoing tension in the Middle East, the current economic crisis, or the need for national healthcare reform, it will continue to be a trying time for both businesses and individuals.

Like many people, I hope the economy is on the verge of significant recovery. As unemployment rises—which is often considered a lagging indicator of economic recovery—it is time for those of us fortunate enough to remain employed to give thanks for something that many of us take for granted.

I also wish there were a simple resolution to the issues that have our servicemen and servicewomen deployed overseas, risking everything to improve the lives of others. No matter how we may feel about why our country is involved in conflicts around the world, it is imperative that the mothers, fathers, sons and daughters that are separated from their loved ones, feel support from everyone “back home.” The holidays can make a difficult situation even more difficult, and those who are making that sacrifice have my complete respect and gratitude.

I am very appreciative of the team here at PowerTech. This is traditionally a busy time of year for us, this year even more so. I am grateful to the marketing team who has done a phenomenal job this year of spreading the message about our solutions; to the technical teams that design, develop, and get our solutions “up and running” for customers (a task that often means time away from home); and to our technical support staff that provide the great support that so many customers rave about.

Thanksgiving is a time to sit back and enjoy quality time at home. As we try to pack more and more into our daily lives and stay “connected” to our corporate responsibilities, it is important to occasionally “unplug” and share laughter, good food, and fellowship with our friends and family. I am especially thankful for my own family. I appreciate the sacrifice they make by allowing me to fulfill my aspirations working in this industry. And, I hope that my work ethic teaches my children how to apply themselves and how important it is to contribute and earn a living. But, I also try to teach them that family should always come first.

So, as we start the holiday season, I personally want to wish everyone peace, happiness, and renewed prosperity.