The Merriam-Webster dictionary defines a fallacy as “a false or mistaken idea.” Unfortunately, the list of fallacies related to IBM i security is a pretty long one. My list of “faves” includes:
- IBM Power Systems servers running IBM i are totally secure.
- You can’t get a virus on an IBM i server.
- The users don’t know how to use ODBC and FTP.
- «Insert name of long-time employee here» would never do anything bad.
I’ll resist the urge to print the answers upside down in parentheses. For those who are curious, or who may have uttered one of those statements themselves, the reality is: no, they’re not (unless you do a lot of configuration work); yes, you most certainly can; it’s easier than it looks; and maybe not maliciously, but don’t bet your business on it.
In today’s highly regulated world, compliance fallacies are also becoming more common. In a conversation with some of my customer-facing team members last week, I heard numerous examples of a business mindset that could (and most likely will) result in a painful reality check:
- Security and compliance are the same thing.
- I don’t have to worry as my IBM i is not in scope of the regulatory mandate.
- I’m already compliant. (Variations: I passed my audit. / The auditors didn’t find anything.)
Surprisingly, these types of comments sometimes come from global enterprises: organizations whose radar signatures as breach targets approach the size of a small planet!
Regardless of the size of your business, build a goal-oriented project plan as the first step of a security initiative. It will likely comprise tasks such as:
- Determining known vulnerabilities
- Assigning risk
- Performing cost/benefit analysis for mitigation
- Determining impact and overlap with regulatory compliance initiatives
I often speak to organizations whose sole focus is on achieving compliance. Sadly, they’re overlooking the fact that there’s a big difference between being secure and being compliant. Mandates are typically just guidelines that spell out the minimum that should be done. The irony is that, while the goal of most regulatory mandates is to make your business more secure, if you concentrate entirely on compliance there’s a good probability that you won’t be totally secure. But if you set out to become as secure as possible, then compliance is usually a short journey from there.
Compliance is definitely a motivator, but using it as your driving force can be problematic. Regulatory mandates are usually not I.T. centric—and never IBM i centric—so compliance isn’t always intuitive. In fact, one of the frustrations I hear from I.T. staff around the world is that many simply don’t know what they’re supposed to do. There’s nothing in the PCI, HIPAA, or SOX documentation that says “set QALWOBJRST to *NONE” (the system value that stops security-sensitive objects, such as system-state programs and programs that adopt authority, from being restored onto the system), or that it’s acceptable to have up to seven users with *ALLOBJ special authority (which grants unrestricted access to every object on the system). Auditors walk in the door and demand that we “harden” our server security, but don’t tell us how to do it.
Don’t make the mistake of believing that compliance is a destination, or that PowerTech can only help during the initial approach. Yes, we have great solutions to uncover configuration vulnerabilities, but the benefits of PowerTech security solutions don’t end with achieving compliance. Solutions such as PowerAdmin, DataThread, and Network Security are all designed to live on to help an organization be more secure (and compliant) and to maintain that state indefinitely. After all, regulatory mandates are designed to reduce the risk of an integrity violation from ever happening, and that’s not something that’s simply going to happen through wishful thinking. And, like it or not, compliance can’t be achieved and subsequently maintained from a one-time effort. Success comes when valuable, time-saving controls are introduced and well-designed security procedures become ingrained into the corporate culture as a way of life.
No one should believe that becoming compliant won’t be expensive or time-consuming. But the alternative can be far, far worse. Take the case of BlueCross BlueShield of Tennessee, which recently agreed to pay $1.5 million to the U.S. Department of Health and Human Services to settle a case involving the theft of 57 unencrypted hard drives. Those drives contained protected health information on more than one million subscribers. The settlement is in addition to the estimated $17 million BCBSTN has spent on investigation, notification, and protection efforts! This is just one of numerous examples where organizations opted not to spend the money up front, but spent it (many hundred-fold) after the fact.
Even if regulatory mandates aren’t applicable (although I would offer that every organization has a responsibility to answer to someone), we still need to maintain the business value and integrity of our server and data assets. After all, if the applications are not able to function then we’re in trouble. And if the data that defines the recipe for the business’s “secret sauce” walks out the door, then that door might get locked—permanently!
PowerTech has lived in the IBM i security space for sixteen years, and has the expertise and resources to contribute to long-term security and compliance initiatives. In fact, only one of our products is designed with the initial assessment of vulnerability in mind. It’s called, unsurprisingly, Compliance Assessment, and it’s tied to a free service that we perform for the IBM i community. Every other solution in the ever-growing PowerTech portfolio is designed to manage and maintain ongoing security and compliance—even if regulatory mandates don’t pertain to you.
If you previously thought that achieving compliance meant PowerTech solutions were no longer necessary, or that the absence of a regulatory mandate meant no benefit from a product with “Compliance” in its name, give me a call—you might be surprised how we can help! We’re a leader in the IBM i security business, and compliance is a subset of that.
I’m excited to announce that Help/Systems, our parent organization, was recently named to the Star Tribune’s 2012 list of “Top 100 Workplaces” in Minnesota. The inclusion is based on employee surveys, and demonstrates that Help/Systems’ employee culture reflects the way we approach our business relationships.
Registrations have been rolling in for Help/Systems’ 2012 Solutions Summit. Enroll now to secure your place and a chance to discuss security, automation, and business intelligence topics with industry leaders.
If you’d like more information on PowerTech’s security solutions, visit www.powertech.com or contact me at email@example.com.