Security

More Regulatory Compliance Problems Solved

Posted in Other, Security on January 31st, 2012 by Robin

I had a very interesting discussion this morning with an organization that is subject to compliance with International Traffic in Arms Regulations (ITAR). In a nutshell, they were in a position of having to report to the U.S. Department of State that they were out of compliance, and obviously that was a situation that needed to be rectified fast!

If you are not familiar with ITAR, it requires them to certify that numerous critical files are secured from any type of access by a foreign national. In their case, they had a Canadian system administrator who carries responsibilities and authorities that make that hard to accomplish using only IBM i security controls.

While ITAR is not as common as Sarbanes-Oxley or PCI, its requirement to secure data from access by powerful users can be applied to virtually any environment. Users often are given privileges in excess of their business need, or have responsibilities that overlap security restrictions. In this particular case, there was a very valid concern that the administrator was responsible for save and restore activities and could create a duplicate of the private data. What they didn’t know was that this user also potentially could delete the original data using the “storage free” option on the save commands!

Fortunately, this customer has a solid foundation of object-level security. This makes the addition of any commercial solution more robust. I discussed the “defense-in-layers” approach that I’ve spoken of previously in this blog, since no one can absolutely guarantee that those files can never be accessed. At least, not without removing the credentials belonging to any foreign national from the server. But, we do need to ensure that we make it extremely difficult to perform tasks not specifically related to their job, and then put a detection layer in place so that any circumvention is discovered.

We discussed several of PowerTech’s products during the call as they can immediately add significant value to this type of environment. Our solutions are modularized for those customers that require only specific functionality, but also have synergy when deployed together. Network Security provides firewall protection to prevent the data from being moved off the machine through tools such as FTP and ODBC. Interact enhances the firewall even further by monitoring both IBM i events and PowerTech solutions in real-time and escalating its findings to an enterprise monitoring solution. Our latest addition, Command Security, can ensure that restore operations involving these files and this user are performed only to the original library, and that copy or file editor commands are restricted and notified upon use. Authority Broker audits all commands entered by a privileged user, and DataThread can issue an alert when a user simply views a record in a restricted file.

In this case, the primary objective was definitely to prevent access. Classified national security data (or medical or credit card data, for that matter) is best served by preventing a user from seeing it in the first place. But if doors were guaranteed to be 100% secure, we wouldn’t need security cameras in the hallways. And it’s the same with data; without anyone being able to guarantee 100% that data never will be accessed, it’s just as critical to have that audit trail of access and real-time monitoring in place.

I’m excited to work with this customer as I love a challenge. They seemed thrilled to have someone on the line who understood the difficulty in trying to remediate this situation. And, they were even more excited that a company as reputable as PowerTech already had tools that could potentially help change their compliance standing with the U.S. Department of State.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Zappos breach may have a cascading effect

Posted in Other, Security on January 26th, 2012 by Robin

It’s been a remarkably mild winter so far here in Minnesota and we’ve seen the cancellation of several winter events due to the lack of snow and ice. The only commercial interests not feeling the pinch are those with capabilities to make their own snow. But last week, we finally got a cold (pun intended!) dose of reality in the Upper Midwest. Temperatures dipped down into the negatives, several inches of snow and freezing rain fell, and Minnesota experienced a day with more than 600 traffic accidents!

Fortunately, we have efficient heating systems here and have been heads down working on an upcoming product announcement, as well as a campaign about our free Compliance Assessment service. I’ve been squaring off with icy roads while out and about performing a number of deep-dive assessment contracts—I’m still amazed how many folks don’t know that we can help with general IBM i security services.

Last week, Help/Systems closed the books on a record 2011, and embarked on the journey to an even bigger goal for 2012. We’ve been making numerous organizational expansions to facilitate the next stage in our corporate growth. I’ve joined a new Technical Services team that consists of solutions experts across our various lines of business. As an ISO-certified software development company, we’re used to standardized quality procedures, but now we’re identifying ways to leverage the multitude of years of experience held by the various product evangelists for the common good. It’s a very exciting time to be part of Help/Systems and to see the investment in our strategic growth.

On the security front, if you’ve never taken proactive steps to secure your IFS, you might want to keep an eye on your inbox for an upcoming edition of PowerNews. I’ve put together information on common IFS vulnerabilities, along with some basic steps that you can follow to help control access. It’s probably one of the most neglected areas of configuration and one of the most commonly requested areas for help.

Some recent newsworthy security items have included the arrest of a programmer at the Federal Reserve on charges of stealing software used by the Department of Treasury, and a breach at online retailer zappos.com that could affect 24 million customers. Fortunately, it appears that Zappos had their own critical data protected with encryption, but customer passwords might have been exposed. The primary concern now is that customers who use common passwords for other websites (such as personal banking and investment websites) will become victims of subsequent crimes. I’d say it sounds like a good time to check your own vulnerabilities.

If you’d like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

From Snapshot to Masterpiece!

Posted in Other, Security on January 16th, 2012 by Robin

Most of you probably know that I’m an avid photographer and that my interest focuses (pun intended) on an emerging photographic technique called High Dynamic Range (HDR) imaging. This process helps to address one of the most frustrating challenges a photographer will encounter, where a camera can capture only a fraction of the contrast seen by the human eye. Either the ground is exposed correctly and the sky is too bright, or the sky is okay and the foreground is too dark. And, if you’ve ever tried taking a photograph that included parts from both inside and outside of a building, you’ll recognize immediately what I’m talking about. HDR combines three or more photographs taken at different exposures to form a single image that can span a far greater dynamic range than any one photograph ever could. For some phenomenal examples of HDR, check out www.hdrcreme.com.

So, why am I talking about HDR in an IBM i security blog? Well, there’s an interesting similarity between the two topics. Just like photographing a high-contrast scene, no single security control or add-on application is going to make your IBM i data completely safe from misuse. The best protection comes from combining several different security measures to form a more complete picture. While the term “exposure” carries a very different connotation in security versus photography, I want you to think of it today in the context of three variations, each used to address one specific part of the picture.

IBM has taken the first of our three main “exposures” by integrating extremely robust security controls into IBM i. There are dozens of options for user profiles, such as password settings and special authorities, and a set of system values for the server itself. Objects and libraries can be secured quickly and effectively through a number of authorization commands, and these cannot be circumvented by any known mechanism. All this adds significant value, but has left some administrators wondering how their data or server still was compromised. The problem stems from the fact that the controls may be complex, aren’t always particularly flexible, and don’t have the necessary functions to do everything the modern Security Officer and auditor require.

The next “exposure” balances the first and is provided by PowerTech. Our solutions are not designed to replace the security functionality integrated into the operating system—no solution can ever do that. However, they can make the existing controls easier to use. They also extend the capabilities that IBM i doesn’t inherently provide. Things like real-time event monitoring, audit reporting, control of powerful users, and controlling access from PC interfaces are just a few quick examples. Commercial security solutions often are deployed over a foundation of minimal IBM i security and, while this provides better protection than nothing, it’s always best when the two are implemented together.

Lastly, the Security Officers (SO) are responsible for providing the final “exposure.” This provides the balance between the other two and helps form the final picture. So what do these SOs have to do? Quite simply, they must USE the tools they are given! Year after year, PowerTech’s security study shows that far too many organizations are leaving all of the security settings in IBM i at their default shipped value. They often don’t realize that those defaults leave their system wide open. Some of them have purchased and installed third-party tools; however, many don’t take advantage of their full capabilities. Without these users providing that final middle “exposure,” the effectiveness of the operating system’s controls and any add-on tools is reduced significantly.

Just like a single photograph that fails to capture the full range of contrast of a scene, the end result of relying on only one “exposure” of these three security components can result in grave disappointment. By extracting the best parts of each of the three “exposures,” we take advantage of their synergy.

If you would like to learn how to combine all of the three exposures I’ve outlined (in your photographs or IBM i security) please feel free to contact me at robin.tatam@powertech.com.

Cheers!

- rt

Start 2012 With A Clean Slate

Posted in Other, Security on January 5th, 2012 by Robin

Now that we’ve rolled through another New Year’s celebration, we’ve left behind one of the worst years on record for data breaches. Privacyrights.org, a consumer advocacy organization, reports that 2011 witnessed a staggering 547 breaches involving more than 30 million records. Companies ranged from small non-profits all the way up to industry giants such as Bank of America, Sony, and Epsilon. Interestingly, 86 of those breaches (involving almost 120,000 records) involved insiders with some level of legitimate access. With mitigation costs now surpassing an estimated $200 per record breached, we’re talking about some pretty serious money!

With all of the current investment and focus on legislative compliance, how is this even still possible? How can huge multi-national companies continue to fall so hard? It’s actually not that hard to understand. In my opinion, one of the biggest culprits is that too many companies are focused solely on achieving compliance at the expense of security.

A simple analogy is to think of obtaining your first driver’s license. As young adults, we study a handbook and take a test to verify that we understand and are compliant with the basic laws of the road. But do we let newly “certified” drivers loose on the busiest of highways with the expectation that they are now perfect drivers and will never get into an accident? Of course not! The guidelines (hopefully) help us avoid making basic mistakes, but there are many other factors to be considered. The flaws in the guidelines start with the assumption that everyone else also is adhering to the same rules—something that every speed limit sign and red light camera knows isn’t true. And experienced drivers understand that there are many things that aren’t even included in the handbook. We have to expect the unexpected, adapt and use learned experiences to read between the lines, and even improvise—sometimes with little or no warning—to avoid an unplanned disaster.

The same holds true with computer security. Regulations like Sarbanes-Oxley and HIPAA were never intended to intricately detail how to protect your IBM i database from every possible type of misuse. These two common regulations, and many others just like them, are nothing more than basic guidelines for overseeing access to critical business data. While important, focusing solely on satisfying compliance can be misguided, and might lead an organization into the assumption that they are also secure. In 2011, hundreds of organizations joined the ranks of those that have already discovered the flaw in this assumption.

Compliance is an important objective, but it shouldn’t be pursued at the expense of a comprehensive security plan. In fact, taking the time to build and implement a solid security infrastructure undoubtedly will make that objective easier to achieve. New business processes and procedures typically will be required by a compliance standard, but the technology aspect of compliance usually is left to interpretation of an auditor who is often unfamiliar with IBM i. It’s critical, therefore, that compliance directives not be relied on as the sole guideline to protecting data access.

In the analogy of our new drivers, testing is important and has its place to ensure that we understand and acknowledge the basic rules of the road. However, it’s ultimately the focus on learning and deploying good driving skills that’s going to have the greatest impact on the likelihood, magnitude, and consequence of an accident.

Businesses are going to have to get smarter and more committed to security. They must allocate a budget to assess and mitigate the largest risks, and acknowledge that, sooner or later, controls probably will be compromised. The goal is to develop a plan to address possible breach scenarios BEFORE you’re unlucky enough to find yourself in the midst of one. The plan should include the deployment of appropriate technologies to assist with the timely detection and alerting of a problem, but also (gasp!) the training of employees who are designated to respond and react. This is not merely theoretical: a number of recent breaches involved warning signs that were not acted on. Many employees never receive adequate training on their company’s security tools—this simply leads to a false sense of security by management.

Don’t secure only the data at rest in the data center; take a look at the entire data lifecycle. And, expect the unexpected. Many of the breaches from last year involved the collection of credit card information from point-of-sale (POS) devices and ATMs. This came from skimming devices, employee theft, and even unauthorized replacement devices at retail store cash registers! We cannot control the intent of the criminal element, so we have to devise better ways to deter, detect, and respond. Similarly, lost and stolen laptops might be out of your corporate control, but securing the data stored on them isn’t. And, while we might not classify this as a traditional breach, the Ponemon Institute reports that it happens 637,000 times at U.S. airports every year!

For most organizations, corporate budgets already have been established for the upcoming year. If yours doesn’t include monies for security-related projects, focus on fully leveraging the existing investments and the staff resources already in place for now. Ensure that employees are trained and optimizing the tools they’ve been given. And remember, while we hope that this year shows a vast improvement over last, it’s never too early to start planning for next year.

In 2012, let’s all resolve to start taking security more seriously.

If you would like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Happy Holidays from Everyone at PowerTech

Posted in Other, Security on December 23rd, 2011 by Robin

I just returned from the traditional Help/Systems holiday luncheon, a fun event held near the corporate offices in Minneapolis. It’s always great to reconnect with staff from our remote offices, and to relax and share a ton of laughs with people who are dead serious about providing the best products and the best support. I always come away from these occasions reenergized and excited that I found this company.

Of all the employee events that are arranged throughout the year, this one is always the most popular—akin to the infamous Oprah holiday special. There are silly games, fantastic gifts, hilarious skits, and a great catered meal (cheesecake would cheer even the Grinch’s spirits!). This year we also were entertained with several songs from The Sound of Music by the delightful “von Trapp” children from a local theatre company. The group was led by the young daughter of Gini, our office manager and concierge.

From a corporate perspective, we relished the announcement of Help/Systems’ biggest year in its almost 30-year history. Double-digit growth figures were a welcome sight in an economy that is still struggling for most companies. The message about automation technology, security, and leveraging the most out of your servers and data assets almost seems to resonate more when times are tight.

The distinct highlight for me this year, however, was actually none of these things. Rather, it was the moving speech by an at-risk teenager who credits the saving of his life to a local organization called Treehouse. Without sharing details of his personal plight, he was definitely in trouble and engaging in highly destructive and dangerous behavior. Resistant at first, he subsequently accepted the help that Treehouse was offering and is now working on plans to attend college. As part of our “Good Neighbor” initiative, Help/Systems became a corporate sponsor earlier this year. The generous spirit of my colleagues (the recent “penny war” raised over $2,500!), a gift-card drive, and a corporate donation by the executive team will help this fantastic cause well into 2012. I’m sure that a couple of years ago this young man never would have pictured himself receiving a standing ovation at a corporate function.

So here’s to the final few days of 2011. Thanks for checking this blog over the past twelve months, and I hope you’ll continue to come back to hear about industry trends, my travels (with a few photographs scattered in), and insight into some upcoming announcements from PowerTech.

I hope you have a safe and happy holiday season. See you all next year!

Cheers!

- rt

Security: A Universal Initiative

Posted in Other, Security on December 19th, 2011 by Robin

I recently had the pleasure of spending a week working with a new customer on the gorgeous Gulf Coast area of the Florida “panhandle.” The area is known as the Emerald Coast for its turquoise waters, and my evenings were spent enjoying pure white sands and crashing waves. And, my days were spent working on a PCI-based initiative to harden the security of an IBM i server.

Regardless of where I’ve traveled this year—pretty much coast to coast—most of the security challenges are common. This one was driven by a PCI initiative, but regardless of whether it’s a formal regulatory compliance directive, or just an internal desire to prevent accidental or deliberate misuse of corporate application data, we’re being bombarded with requests to assess and remediate.

In this particular case, I first used Compliance Monitor to provide some information on their system values and user profiles. Using Compliance Monitor scorecards, I determined where many of the system weaknesses were. We changed many of the server values to coincide with best practices, and tweaked the software’s security policy baseline when there were reasons why best practices could not be met. In only a few short hours, we had gone from 53% compliance to over 90%.

As expected, the profile cleanup effort was more involved. Most user profiles carried *ALLOBJ special authority, and had to continue to be able to use the application. I designed a straightforward authority infrastructure based on adopted authority, which enabled users to access data only through the approved application. We also had to secure libraries and their objects. We standardized on a single object ownership profile, which removed their dependency on multiple legacy user profiles. Authorization lists secured the objects based on object type—file or program—allowing users to gain necessary access. It was a quick and (relatively) painless approach, and now authority changes can be made from two authorization lists instead of the thousands of individual objects that comprise the application.
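The authority design described above, written out as CL commands. This is an added illustration, not the author’s or the customer’s actual configuration; the library APPLIB, owner profile APPOWNER, authorization lists APPFILES and APPPGMS, entry program APPMAIN, file CUSTMAST and user ALICE are all assumed placeholder names.

```cl
/* Assumed placeholder names: APPLIB (application library), APPOWNER    */
/* (single owning profile), APPFILES / APPPGMS (authorization lists),    */
/* APPMAIN (application entry program), CUSTMAST (a data file),          */
/* ALICE (an application user).                                          */

/* 1. One owning profile for the whole application. It cannot sign on,  */
/*    so it exists only to own objects and lend authority via adoption.  */
CRTUSRPRF USRPRF(APPOWNER) PASSWORD(*NONE) STATUS(*DISABLED) +
          SPCAUT(*NONE) TEXT('Owns application objects')

/* 2. One authorization list per object type. *PUBLIC on each list is   */
/*    *EXCLUDE, so nothing is reachable outside the approved path.       */
CRTAUTL AUTL(APPFILES) TEXT('Application data files') AUT(*EXCLUDE)
CRTAUTL AUTL(APPPGMS)  TEXT('Application programs')   AUT(*EXCLUDE)
ADDAUTLE AUTL(APPFILES) USER(APPOWNER) AUT(*ALL)
ADDAUTLE AUTL(APPPGMS)  USER(APPOWNER) AUT(*ALL)

/* 3. Secure every file and program in the library by its list, and     */
/*    point the object's *PUBLIC authority at the list (*AUTL) so the   */
/*    list's *EXCLUDE is what applies.                                   */
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*FILE) AUTL(APPFILES)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*FILE) USER(*PUBLIC) AUT(*AUTL)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*PGM)  AUTL(APPPGMS)
GRTOBJAUT OBJ(APPLIB/*ALL) OBJTYPE(*PGM)  USER(*PUBLIC) AUT(*AUTL)

/* 4. Standardize ownership on APPOWNER and revoke the legacy owners'   */
/*    private authority. CHGOBJOWN works on one object at a time; for   */
/*    a whole library, drive it from DSPOBJD OUTPUT(*OUTFILE) in a loop. */
CHGOBJOWN OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE) NEWOWN(APPOWNER) +
          CUROWNAUT(*REVOKE)
CHGOBJOWN OBJ(APPLIB/APPMAIN)  OBJTYPE(*PGM)  NEWOWN(APPOWNER) +
          CUROWNAUT(*REVOKE)

/* 5. The entry program adopts its owner's authority. A user running it  */
/*    reaches the files as APPOWNER; outside the program, the same user  */
/*    is excluded by the lists.                                          */
CHGPGM PGM(APPLIB/APPMAIN) USRPRF(*OWNER) USEADPAUT(*YES)

/* 6. Users get *USE on the program list only, and lose *ALLOBJ so that  */
/*    nothing bypasses the object-level design.                          */
ADDAUTLE AUTL(APPPGMS) USER(ALICE) AUT(*USE)
CHGUSRPRF USRPRF(ALICE) SPCAUT(*NONE)

/* Verification: the file should show *PUBLIC *AUTL with list APPFILES, */
/* and the program should show USRPRF *OWNER.                            */
DSPOBJAUT OBJ(APPLIB/CUSTMAST) OBJTYPE(*FILE)
DSPPGM PGM(APPLIB/APPMAIN)
```

From this point on, an authority change for the whole application is an ADDAUTLE or RMVAUTLE against one of the two lists rather than an edit of thousands of objects.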

I think the customer was pleasantly surprised that I was able to architect this design so quickly, as well as mentor him on the usage of some of the main IBM i security controls. He knew that an IBM i server has integrated security, but understandably didn’t have the time to research all he needed to know. In three short days, I was able to complete a knowledge transfer on what would have taken months, or years, to do in between his primary tasks. It’s times like that when I can really sit back and enjoy my job!

So, if you have any IBM i security needs beyond great software, remember PowerTech is your go-to partner.

My photo this week is of one of the seemingly endless beaches lined with luxury condominiums. If you’ve never been to the Gulf side of Florida, I highly recommend it.

If you would like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Will Cyber-Monday ultimately give way to Threat-Tuesday?

Posted in Other, Security on December 2nd, 2011 by Robin

Hopefully by now, you’re recovered from Thanksgiving’s tryptophan-induced coma and you’re back in full swing for the last month of the year. In Minneapolis, unseasonably warm temperatures have finally succumbed to morning frosts and a dusting or two of snow, but (while I’m not complaining) that still leaves us several inches behind the seasonal norm!

The world’s economies are still very much in flux, with more than one European country struggling to stay afloat financially, and people continue to watch housing markets and unemployment numbers closely for the smallest glimpse of economic recovery. “Black Friday” shopping numbers reportedly were up about 6% this year, possibly due in part to merchants who opened at midnight, or earlier. Some even sold out of their best deals before Friday began! This was followed by a flood of online ordering on Cyber-Monday—a day that seems to have been drawn out to more of a cyber-week.

All of these consumer transactions sent a boost to the stock market, but it’ll be interesting to see if the millions of store purchases and online transactions lead to similar increases in reported credit card fraud. Many of the security news sources that I monitor have been reporting a steadily growing increase in the frequency and sophistication of credit card skimming schemes, making it one of the biggest threats now facing consumers this holiday season. Brazen crimes—like swapping out point-of-sale (POS) devices—are supplying criminals with information that can be rapidly sold (and used) over and over again until the card number is marked as invalid.

Discussions abound about how to combat this type of crime, with some banks bolting new anti-skimming devices onto their ATMs, and credit card monitoring services on the lookout for unusual transactions. While there have been some noteworthy “take-downs” of criminal gangs responsible for scams around the country, it’s still a highly profitable crime.

From a business perspective, this type of economic uncertainty leads to an increase in employee violations, ranging from data leakage of proprietary information to theft and misuse of data and applications. With companies often dealing with fewer resources—staff and financial—during these times to watch for unauthorized activities, it’s more important than ever to ensure that the right monitoring tools are in place, and that they are correctly configured and deployed.

And while important, the often-touted goal of “compliance” is only one part of the puzzle. Security and protection of the data and servers is critical to ensure that business information is accurate and available to the people that need it. Compliance is designed to ensure the security and integrity of the information, but often can be achieved without the best security in mind.

PowerTech supplies market-proven solutions to some of the world’s largest organizations running on IBM i. We also invest in our client relationships to ensure that these tools are implemented properly, and that the staff has the necessary training to fully utilize them on an ongoing basis. And, as we close out 2011, our development and design teams are working hard to enhance the functions of the existing solutions, as well as bring new solutions to market.

If you would like information on the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers!

- rt

Help/Systems Declares Penny War!

Posted in Other, Security on November 17th, 2011 by Robin

The Thanksgiving holiday is fast approaching, signaling the run up to Christmas. There are many reasons why I am thankful for being able to work at PowerTech and Help/Systems, and I have been reminded this week of one of them: the generosity of the various teams and their caring towards those that are less fortunate than us.

Although I was traveling for clients last month during our annual United Way events, I elected to be a team captain for a new fundraiser for TreeHouse, an organization that helps at-risk youth here in the Twin Cities area.

A “Penny War” is a simple game that involves rival teams raising points by putting pennies into a team jar. One cent = one point. Of course, the fun and strategy in the game (and most of the charitable funds) comes from being able to put silver coins and notes into the jars of the opposing teams to offset the pennies that they’ve collected. Each day, a tally is taken of the pennies, and the tally of the non-pennies is subtracted. I don’t wish to brag, but my team, the Common Cents, has been the cumulative battle leader for the past two days! While most teams are currently in the red, all of the money deposited is added up and is already proving to be a fun and profitable initiative. I got interesting looks at the local bank on the first day when I asked for $75 worth of pennies, nickels, and dimes!

Unfortunately, our efforts pale in comparison against the need that exists in every community. As such, I urge you to get involved with a cause that is important to you to give something back as often as you can. And hopefully, like us, you can also have a blast doing it.

If you would like information on hosting a “penny war” at your own organization, or the solution modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Ooh-Rah!

- General RT

Securing Your System? Don’t Start Without An Assessment

Posted in Other, Security on November 14th, 2011 by Robin

What a crazy couple of months! A week in Pittsburgh, a week in Las Vegas, a week in Tampa, a night in Milwaukee, and two weeks in Baltimore. It’s actually hard to adjust to being back in the office as this is exactly what makes this job so rewarding: being able to visit face-to-face with real IBM i customers, hear about their security challenges, and observe the value that our security portfolio is bringing to their compliance efforts.

One of the areas that I’m seeing an increasing need for is a quality IBM i security assessment. Many customers are finding that the resources they use for their vulnerability and penetration tests on the network aren’t experts on the IBM i platform. Additionally, many auditors aren’t trained to audit the platform. So, there are still basic shortcomings that need to be resolved.

When I present to user groups, like COMMON, I speak to the issue that I sometimes see where a customer attempts to make changes to their system and security environment before really understanding where the vulnerabilities lie and the risks that they represent. Unfortunately, this means that time and, typically, money are wasted by not having a good plan for remediation. This also can mean that large risks remain even as small risks are being remediated.

The challenge with making security changes without first performing an assessment is that it can seem like a mountainous task. Where do you begin? How do you know if you have reduced the risk? Sure, some exposures might already be well-known (for example, if all your users have *ALLOBJ special authority), but you need a plan to stand the best chance at success.

Be careful, however, as looking at the security of your server and applications can lead to “analysis paralysis,” where you become so caught up in the planning and the details that you’re too afraid to ever pull the trigger.

So, where should you begin? Over two hundred customers each year start with a PowerTech Compliance Assessment. Here are some compelling reasons why:

  • You can download and complete the assessment in less than 10 minutes
  • PowerTech needs no network access; you run the assessment at any time you choose (even on production servers)
  • The assessment makes NO CHANGES to the system during the assessment process
  • The assessment won’t overwhelm those who aren’t full-time IBM i security experts
  • It reviews 6 critical configuration areas of IBM i security
  • A security expert is available for questions and answers via WebEx and helps you interpret the findings
  • Security projects can more easily be cost justified after an independent review
  • Keep the report (or rerun it as many times as you like during the next 7 days)

Oh, and the best part? It’s all FREE! Yes, really!

Although I like to start with the free assessment, PowerTech also performs a number of deep-dive assessments each year. These professional services engagements can be performed on-site or remotely (or a combination), and come with a 100+ page report of the assessment findings. We’ll even help prioritize remediation tasks according to the risk they represent in your unique environment.

If you’re struggling to find a respected resource who can assess and educate your team on security best practices, then your struggle is over. PowerTech has been focused on IBM i security with laser-like precision for more than fifteen years. Put that experience to work for YOU today! But don’t procrastinate; there are a limited number of “openings” each year.

My photo this week was taken at night during one of my recent trips to Baltimore. It’s the statue of the 16th President of the United States, Abraham Lincoln, inside the Lincoln Memorial in nearby Washington D.C. I hope you enjoy it.

If you would like information on performing either type of IBM i assessment, or the solutions modules that make up the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers,

- rt

Does fool-proofing just lead to more fools?

Posted in Other, Security on November 1st, 2011 by Robin

I’ll be the first to admit that I’m not a genius. But I would like to think that I’m at least fairly intelligent and, though I never went to college, I did take the ACT exam when I was a foreign exchange student. I walked away from that experience with a score of 27, which was a flattering cushion of 8 points over the state average back in 1989. Not too shabby, considering I only went to accompany a fellow student! However, I am most definitely human: I do forget things, and occasionally (my kids: cover your ears!) I even make mistakes.

I know we all have them occasionally, but recently it was my turn for one of “those” days. I flew back to Minneapolis on a Friday afternoon and then immediately drove to Iowa to see my family. I returned late on Sunday night to catch the 7:30 a.m. flight back to Baltimore on Monday. That departure involved an alarm being set at an excruciatingly early 4:30 a.m. After the winding security lines, a cramped two-hour flight, and baggage claim problems, followed by a long afternoon working at the client site and an evening catching up on other important tasks, I was more than ready to crash into bed.

It was after midnight when I quickly headed back down to my rental car to grab my suitcase from the trunk, only to discover to my horror that the vehicle’s battery was even more exhausted than I was. There wasn’t even enough power to drive the door locks. I initially suspected the key fob was the culprit and proceeded to go “old school” by unlocking the door with a real key that I magically extracted from inside the fob. Sadly, the pitch darkness of the interior relayed that I wasn’t going to get any further as it was the car that was actually DOA. This was a brand spanking new vehicle with a keyless, push-button ignition, and an electronic trunk release; without power there was no access.

Thank goodness I was able to find a lone security guard who was equipped to defibrillate it back to life for me (ironically from a 20-year-old car) so that I could open the trunk and retrieve my personal belongings. Of course, I still had to drive around aimlessly for 20 minutes to ensure that the battery was recharged sufficiently for it to start again for my morning commute. All in all, not really what I wanted to do after being up for almost 20 hours.

This car was so technologically advanced, with computing power equivalent to that of a small mainframe from a few years ago, that it can detect the proximity of the key in my pocket, and evaluate a myriad of driving conditions thousands of times every second. Car makers spend millions of dollars studying ergonomics and attempting to fool-proof their designs but, despite all of that impressive processing capability, it still couldn’t manage to turn the headlights off when I walked away! And that simple oversight caused the combined failure of all the other systems. That’s what I get for not taking the time to learn how to operate the system as designed; blindly assuming the car would never permit me to do something so simple and yet so destructive. To be fair to this particular fool, most modern car headlights remain on for several minutes after the engine is shut off so I think we become desensitized to it. I made the mistake of relying on the car to protect its own systems, and I ended up looking like a chump.

Sadly, it’s not much different with IBM i security. Many of us know how to drive our day-to-day applications and we simply assume the system’s smart enough to take care of everything else. After all, isn’t that what the IBM i community touted for years? Unfortunately, even with a solid hardware base, a security-aware operating system, and even commercial software to help, it’s still not entirely a hands-free proposition.

To dispel a very common myth, no one will secure your IBM i environment for you. Not IBM, not your application provider, and definitely not your user community. To ultimately be successful at protecting your data, you have to invest time and resources to learn about the strengths and weaknesses of the security environment. Ask questions such as “how do our users need to access the system?” And “what type of security do we currently rely on for our applications?” Once you have the answers to those types of questions, you can ensure that the appropriate controls are implemented. Those controls might include object-level security for the application, exit programs to manage and audit network access, and even reporting tools to alert you the instant that a critical security event takes place.

Like many things, it’s not rocket science after you’ve done it a few times. But until then it can be much like working in the dark: intimidating and frustrating. As with turning off the headlights, you first have to be aware that the system doesn’t do it for you. Consider yourself notified! Fortunately there’s a trusted company called PowerTech to help steer you along. You may know of our enviable reputation as a solution provider, but you may not be aware that we also perform more than two hundred free IBM i compliance assessments every year, and employ security experts who can talk about what security functions are already available for free in the operating system. And, of course, we definitely can help you when it comes time to evaluate a proven best-of-breed commercial solution.

Technology should serve you, not the other way around. But the reality is that it doesn’t eliminate the responsibility of the owner to know of any limitations or quirks associated with how it works. When you truly take ownership of your security infrastructure, and you engage with PowerTech to help assess, automate, and remediate the protection of your business data, you stand a much better chance of avoiding becoming the IBM i security equivalent of that chump peering into the tinted window of a car that won’t open or start at midnight, wondering how the heck you’re going to get out of this one!

(Okay kids, you can uncover your ears now and remember: Dad knows and sees EVERYTHING!)

If you would like information on IBM i security topics, or the solutions modules that comprise the PowerTech portfolio, please contact me at robin.tatam@powertech.com.

Cheers,

- rt