Finding the Balance: Personal Privacy vs. Corporate Protection

Posted in Events, Security on July 10th, 2013 by Robin – Be the first to comment

Balancing personal privacy and corporate protection is a complicated issue without a great solution. Corporations need to monitor employee activities, but they have to do it without infringing privacy rights. Though methods vary between companies, the counterintuitive truth is that managers may have to be more transparent with their motives in order to accomplish the oversight they want.

An Unavoidable Conversation

Though workplace surveillance is an inherently secretive pursuit, recent events have dragged the concept out of the shadows and turned it into a primary talking point in offices around the world.

These issues first came to a head as companies began formulating mobile device management policies to govern the escalating use of employee-owned smartphones and tablets for business tasks.

It only took a few malware injections and data breaches triggered by lax mobile security practices for CIOs to realize their all-inclusive approach to device procurement carried certain risks.

Yet when they announced that they’d like to deploy corporate-controlled monitoring software on employee-owned iPhones, there was an immediate pushback.

What right does my company have to track my location outside business hours? What’s to stop an IT administrator from snooping on my personal text messages and photo library? These were just a few of the perplexing questions asked of business managers and legal consultants.

The “Big Brother” fears were only exacerbated earlier in the month as former National Security Agency contractor Edward Snowden unleashed an eye opening account of the vast surveillance technologies available to government bodies and leading telecommunications carriers.

Ironically enough, the relative ease with which Snowden was able to leak classified information raised pointed questions as to how effectively the NSA monitors its own privileged administrators.

Delicate Decisions

Delaying or obscuring discussion of these is a disservice to both managers and frontline workers. Only by communicating concerns, obligations, and expectations in an open forum can companies move forward with an effective, justifiable policy framework that employees actually comply with.

First and foremost, management must communicate the motives behind strengthening or expanding internal oversight. Employees understand the importance of risk management for both individual and corporate protection, and today’s high-tech solutions are only an extension of long-held practices.

If workers are assured that measures are being made to safeguard intellectual property and avoid compliance complications, it should feel like less of an imposition on their personal privacy.

Employees can and should push back during these discussions though, as the concerns they air may not have been previously identified and accounted for in initial plans.

Finally, plans cannot be crystallized until the legality of protective policies has been verified. Statutes surrounding background screening procedures, email monitoring, and social media liability are continuously evolving, and a comprehensive review of local, state, federal and industry-specific codes is likely to turn up more than a few surprising liberties and limitations for uninitiated managers and workers.

A Celebration of the State of Security

Posted in Company News, Security on May 28th, 2013 by Robin – Be the first to comment

State-of-Security-2013-BadgeIt has been a busy few weeks here at Help/Systems: fulfilling my SME duties at COMMON’s annual meeting in Austin, a corporate office move, a week in Las Vegas helping a customer mitigate some security challenges pertaining to PCI compliance, and another at IBM’s Technology Symposium in New Orleans!

During this time, with much help from my wonderful marketing department, I was able to analyze the data for the 2013 State of IBM i Security study. This year marks the tenth anniversary of this hugely popular document and reveals that much of the necessary security work remains to be done.

The number of regulatory and legislative compliance mandates has exploded over the past decade and this has helped spur a growing interest in security; however, as IBM lights the candles for the 25th birthday celebration of the AS/400, many organizations are still not following even simple best-practices for protecting their IBM i data from abuse—either accidental or malicious.

We were given permission to include data from more than 100 of the assessments that we conducted during the year. Although we can’t include the details from a number of others, I can confirm that the study sample is very representative of the total pool of servers we reviewed.

Some examples of the common vulnerabilities we uncovered include:

  • 79 users on average were still using a default password
  • 69% of servers lack the capability to audit data downloaded to the network
  • 65 users on average running with “root” (administrator) privileges

Fortunately, these vulnerabilities are not due to a lack of OS security controls. On the contrary, IBM has provided us with one of the most securable operating systems available. Our report suggests that deployment of the capabilities provided within IBM i remains weak. Security can be improved dramatically using a combination of altered settings and enhancements provided through software from PowerTech.

To download the 2013 edition of the study, point your browser to, or click on the banner on the homepage.

If you would like to know more about the State of IBM i Security study, send an email to

One of my most recent blog entries followed the bombing in Boston. Sadly, as I drafted this entry, news was breaking of the massive tornado that recently tore through Moore, Oklahoma. I have been through this town many times and am stunned at the images of total destruction. I was in Des Moines with my family that afternoon and we had to take shelter underground as warning sirens blared and reports came in about a “touchdown” on the outskirts of town. I am thankful that we all remained safe. On behalf of PowerTech and Help/Systems, I want to send our prayers to the residents of Moore.



Recruiting and Managing Trustworthy Talent

Posted in Other, Security on May 16th, 2013 by Jill Martin – Be the first to comment
With more companies finding firmer financial ground to stand on following a tumultuous few years in the global marketplace, human resource managers are finally getting the go-ahead to bring in new talent to support teams that have been stretched thin. Although these developments elicit a sense of both excitement and relief for business managers, recruitment processes must be as meticulous as ever.

To ensure companies extend an offer to the right candidate, as opposed to merely a candidate, HR professionals must first construct a more comprehensive perspective through improved background screening procedures. Then, recruiters can collaborate with their IT department colleagues to define appropriate levels of access and control afforded to new hires as they gradually assimilate into the organization and take on additional responsibilities.

The Value of Thorough Screening

Although background screening has been perceived as somewhat of a formality in the hiring process, businesses should be looking for factors well beyond a candidate’s most recent work experience. From a purely financial perspective, CFOs will tell you that it is much more expensive to acquire talent than it is to retain it. As such, HR managers will want to know that the resources committed are actually cultivating a productive new employee. Conversely, there’s no telling how much money they might spend in the long run covering up the mistakes and dealing with the fallout of a new hire that turns out to be a functional—and possibly legal—liability.

Background screening can also be considered an insurance policy, as the story painted by the candidate, his or her resume, and any third-party staffing agency utilized may not be entirely objective. While the candidate may list a litany of professional qualifications that barely fit on the page, a deeper investigation may reveal that they took some liberties in describing past experiences. Finally, recruitment managers should also be cognizant of the potential legal ramifications that can come from negligent hiring practices that compromise the integrity of working environments.

Allocating Trust Accordingly

Diligent recruitment practices are certainly the start of successful talent management, but even the most outstanding candidates cannot be given the keys to the kingdom on Day 1. Business managers need no reminding as to the value and sensitivity of their IT assets—nor how quickly simple human error can create disastrous security and/or compliance liabilities. So they must ensure the proper policies and technologies are in place to limit employee privileges solely to essential, role-based job functions.

These principles are not restricted to the onboarding process, of course, as all employees are initially hired to fulfill a vision of long-term growth. Whether a worker has been on the payroll for 15 days or 15 years, intelligent access control and activity monitoring measures must be employed to guard the company’s collective success against individual abuses and incidental errors. In this way, companies can feel confident that employee trust is not simply given, but earned.

If you would like to learn more about tools that can help you manage specific levels of access once you have determined your policies, take a look at PowerTech Authority Broker. And if you would like to know more about IBM i security and risk analysis and reduction, send an email to

Risk = Fun?

Posted in Security, compliance on April 17th, 2013 by Robin – Be the first to comment

Risk is not typically lauded as something good. From birth we’re counseled and coached by parents and teachers to avoid it or else bad things will most likely happen. Those same folks endeavor to mitigate risk for us. Our need for risk reduction follows most of us through every stage of life; starting simply with AC outlet covers, bumpers on the corners of coffee tables, skateboard helmets, even childhood immunizations.

In adulthood, risk continues to be avoided whenever possible. The insurance premium you shell out every month is based on incredibly complex risk models that enable the insurance companies to accurately predict the likelihood of a payout. As individuals, we wear seat belts, we eat right, and some of us even exercise. No actions can guarantee with 100% certainty that nothing bad will happen. If they did, those insurance policies wouldn’t be necessary.

In reality, some “big” risks may be smaller than they appear—and some may be larger. The safety record of commercial airlines doesn’t justify the paralyzing fear that many experience at the thought of boarding a plane, but how many of us still say a small prayer when the plane hits bad turbulence at 36,000 feet? Riding in a car without a seatbelt may seem low-risk to some; at least until we get into the accident that we never expected.

Okay, I’ll admit it: a certain amount of risk can be fun. I am not going to dust off any skeletons in my closet in case my kids read this, but I have rock climbed, I have parasailed, I have driven a car at over 150 mph, and I have commanded a tank. To some these activities might seem insane, while others might think I’m a wimp. Everyone has their own risk threshold at which the reward is exceeded by the possible cost.

This past weekend, I started down a path that many consider risky: I purchased my first motorcycle! As the proud new “papa” of a decked-out Harley Davidson Electra Glide Ultra, I’m looking forward to getting out on the open road this summer (if it ever arrives in Minnesota!) and enjoying an experience that I have always envied. Sure, I know I’m seven times more likely to be injured on two-wheeled transportation, but gosh-darned it’s fun!


Risk doesn’t have to mean recklessness. Most risks can be influenced by the amount of precautions that are taken. From bungee jumping to skydiving to spelunking, steps can be taken to limit the chances that the risk will be realized. It might mean safety lines, spare chutes, or a simple seatbelt, but there are usually things that people can do if they want to live to see another day. Although Minnesota state law doesn’t require the use of a helmet, I plan to wear one as others have learned the importance of this protection the hard way—and I’m all for learning from other’s mistakes.

Risk in the world of security is very similar. Risks are present due to hackers, wayward or careless employees, bad configuration settings, and even failing hardware. Many security risks can be reduced with the same precautionary mindset as personal risk. Installing backup systems, performing nightly saves, and activating auditing are common steps. When inexperienced we tend to set out with the goal of eliminating every risk no matter how trivial. But organizations without unlimited budgets learn quickly that there is a correlation between risk and cost: cost to mitigate and costs that will be incurred if the risk is realized.

When starting a security project, experts recommend performing a risk evaluation. Risks should be rated from high (likely to be exploited) to low (unlikely) and costs ascertained for mitigation (reduction or prevention) and damage control (reaction). A matrix can then be developed to allow high-risk/low-cost items to be resolved first. At some point, vulnerabilities might be acknowledged and accepted based on the high cost to mitigate versus the small risk they present.

Regulatory and legislative compliance might be a pain to those who have to comply, but in reality these are the safety guidelines that govern potentially risky business activities. As with most rules, these governances come after someone has already had a mishap. New rules are developed to prevent someone from making the same mistake again.

PowerTech has experience helping customers assess risk and allocate limited budgets to get the most “bang for the buck.” This might entail simple tweaks of IBM i’s own integrated controls, or the implementation of a commercial security solution.

If you would like to know more about IBM i security and risk analysis and reduction, send an email to

As I write this, news is breaking of the explosions at the Boston Marathon. On behalf of PowerTech and Help/Systems, I want to send our prayers to the victims and their families.



Passing Audits and Preserving Protection

Posted in Auditing, Security on April 4th, 2013 by Jill Martin – Be the first to comment

The word ‘audit’ is rarely welcomed with open arms by the IT department, and administrators often employ all sorts of delay and escape tactics to avoid the inevitable. But what they may not realize is the full significance of passing these assessments, or how painless the process can be with the right combination of policy enforcement and activity monitoring tools in place.

Outside Obligations
When IBM i users sit down to discuss reporting strategies and auditing exercises, the first image they often conjure up is that of a stern statistician holding a clipboard and waiting for the first opportunity to find fault with data center operations. Whether or not this perception is correct, it’s important to acknowledge the logic and process behind the standards qualified security assessors (QSAs) are referencing.

Whether companies are covered by HIPAA, SOX, PCI, FISMA or all of the above, IBM i users should remember that the objective of these frameworks is progress, not punishment. Regulatory bodies are a key component of the checks and balances that promote responsible IT administration and sensitive data protection. By keeping operations in line with federal, state and industry expectations, IBM i users will not only sidestep the potential expense of fines and unexpected upgrades, but position themselves as responsible corporate citizens as well.

Internal Improvements
Although external forces may be the most visible factor inspiring IBM i users to get their operations in order, true business leaders are driven by intrinsic motivation. That means even when an audit date isn’t lurking on the calendar, managers are applying proactive approaches toward policy enforcement and activity reporting to limit risk and promote progress. Through diligently designed plans and appropriately paired technologies, companies can gain the visibility they need to diagnose and resolve problems long before they surface on regulator radars.

Reliable Reporting
The secret to success in today’s increasingly crowded and complex IBM i ecosystems is the power of automation. In an era in which continuous monitoring is the rule rather than the exception, manual assessments simply do not cut it. Luckily, there are a variety of smart solutions which can help with the heavy lifting—so long as administrators guide them in the correct direction. By leveraging advanced reporting tools which allow managers to define network and data access privileges and set customized alert thresholds, compliance and risk management professionals are provided with a bird’s eye view of all the essential information needed to assess their standing and to correct course as needed.

A Moment of Reflection In the City that Never Sleeps

Posted in Events, Security on March 1st, 2013 by Robin – Be the first to comment

I recently embarked on my annual week-long pilgrimage to speak with the user groups of Fairfeld, Connecticut (FASUG), Long Island (LISUG), and New Jersey (NESTU). During three consecutive nights I presented no less than five sessions to the groups on topics that included IFS security (everyone’s favorite challenge), good habits of secure organizations, and a new 90-minute instructional session aimed at developing secure applications. As an RPGer for more than 12 years, I always love to talk to the programmers and developers as they have so much influence over how secure the corporate application database is. I think they appreciate that I can relate on a technical level and that I have experienced the same struggles with auditors. I always love the reception I get from these groups as well as reconnecting with some of their well-known members, such as Pete Massiello and Charlie Guarino.

Listen to this blog post:

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

If you belong to a regional user group, and would be interested in having me come and speak to your group, let me know as Help/Systems and PowerTech are extremely supportive of the IBM i user group community.


As my first port of call into the United States when I was a teenager (many years ago!) from England, the New York skyline holds a special memory in my heart. My night photograph was taken from atop the roof of the Rockefeller Center, looking south past the Empire State Building. Despite this city’s hectic personality (is honking your car horn really necessary!?) this year she also gave me a glimpse of the resilience born from the events that shook her foundations in 2001.

During my visit, I was honored to access the memorial that opened on last year’s anniversary of the September 11 attacks. Two beautiful fountains now flow into infinity where the north and south tower of the World Trade Center once stood; every victim’s name carefully engraved around the edges. After the hustle and bustle of Times Square, the subway, Broadway, and just about every block in Manhattan, these gardens call for a quiet, peaceful reflection. Although not yet complete, the memorial has been built on probably the most hallowed ground in the United States, and is a deeply moving experience. I am sharing one of many photos that I took—I hope you feel that I captured the essence of the sadness and national strength that this site represents.


I was back in the office most of this week; however, my suitcase didn’t get put away for long. I’m flying to the United Kingdom later this evening for the first stop on an exciting European speaking tour. In four days I am going to be speaking at IBM in London and Warwick in the UK; Copenhagen, Denmark; and Utrecht (nr. Amsterdam) in the Netherlands. I will be evangelizing a message of security and compliance to more than 80 people representing 50 companies, and it’ll be very interesting to hear if the challenges facing these organizations mirror what I hear from U.S. companies every day. During these sessions, I will unveil a brand-new presentation on IBM i security entitled “Security Is Not the Same as Compliance.”

(It’s also a wonderful opportunity to say a quick “hello” to my dad and brother whom I haven’t seen in 3 years! Thanks Help/Systems!)

If you would like to know more about the comprehensive message I’ll be sharing, or discuss the ways that PowerTech is being engaged around the globe to assist organizations as they become more secure, send an email to



Balancing Data Privilege and Protection

Posted in Other, Security on February 21st, 2013 by Robin – Be the first to comment

face-and-menuRegulating the relationship between individual employees and corporate data is one of the most challenging tasks faced by the IT department. On the one hand, companies have been calling for a more seamless flow of information across the organization so that each worker can let relevant and timely data shape their decisions. But at the same time, overly permissive practices may afford users more power than they are equipped to handle.

As a result, managers must align policy and technology to ensure the company is not promoting productivity at the expense of security and compliance.

Listen to this blog post:

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

Various Vulnerabilities

From satisfying HIPAA mandates to guarding trade secrets, companies are well aware of how important it is to protect their sensitive data. Too often, however, their focus is directed at the wrong targets. Considering the majority of data breaches are triggered by employee action, companies would be better served to get their own houses in order before worrying about external attackers.

It’s an unfortunate reality to think about, but there have been a number of cases in which malicious insiders abused their access privileges for personal gain. From hospital attendants selling personal health records to disgruntled software engineers downloading proprietary code to take to a rival, there may be more going on beneath the surface than administrators initially see.

Even if employees have only the best intentions, there’s no telling what could happen if someone gets a hold of their network privileges without their knowledge. In fact, some of the most damaging data breaches have followed that pattern. The scandal that shook the South Carolina Department of Revenue late last year began with a simple phishing email that enabled cybercriminals to usurp the credentials of a legitimate user with wide-ranging database privileges.

Comprehensive Solutions

While these scenarios may send chills down executives’ spines, the good news is that the solutions are well within their control. By developing and enforcing a role-based data governance system, IT teams can give users access to all they need to succeed without handing them added privileges which could be abused.

The first part of the equation includes categorizing data and applications according to sensitivity, and determining access needs for each employee group. Some rules will have to be customized to the individual, but it is important to establish the same sense of accountability from entry level to C-level by ensuring everyone adheres to the rule of least privilege.

Finally, IT teams must choose their technology of choice to monitor access behavior and confirm group- and object-based rules are being followed. As network ecosystems expand to include more users, devices, and transactions, companies should look toward centralized platforms which afford administrators all the visibility they need to spot signs of trouble and intervene early.

If you would like help configuring the tools you own within IBM i, or would welcome an introduction to PowerTech’s security solution portfolio, send an email to

Federal Reserve Falls Victim To Cyberattack

Posted in Other, Security on February 14th, 2013 by Robin – Be the first to comment

us-federal-reserveThe Federal Reserve has been breached!, an online security news source, reports that the attack occurred on February 3, 2013. Although the identity of the attackers has not been confirmed, claim has been laid by the hacktivist group Anonymous who announced that they broke into servers and accessed credentials and other information for more than 4,000 U.S. bankers.

It’s believed that the group may have taken advantage of a zero-day vulnerability—a newly discovered weakness that exists until a patch can be issued. This permitted the group to gain unauthorized access.

Listen to this blog post:

Audio clip: Adobe Flash Player (version 9 or above) is required to play this audio clip. Download the latest version here. You also need to have JavaScript enabled in your browser.

While your organization might not consider itself a comparable target to the U.S. Federal Reserve, don’t believe for a moment that size is all that matters to the nefarious! In fact, the political hackers that disrupted numerous major US banking organizations with distributed-denial-of-service (DDoS) attacks last year also set their sights on some comparatively small financial institutions in addition to the global giants.

An expert interviewed by BankInfoSecurity spoke to the difficulty in protecting against these opportunistic attacks. Instead, companies need to deploy strong detection capabilities so that an early warning can be received.

For those of you running on IBM i, consider the following action plan:

  • Configure IBM i’s integrated IDS 
(for an introduction, replay PowerTech’s recent IDS Webinar featuring IBM expert Lindsay Reiser)
  • Deploy an Exit Program Solution such as PowerTech Network Security to facilitate auditing and control of network-based access
  • Activate IBM i’s integrated auditing functionality 
(download the free white paper “Auditing In The Real World” from
  • Utilize real-time server monitoring technology such as Interact, PowerTech’s syslog agent

While the mindset that “it will never happen to us” has become less prevalent, there remains tremendous naivety in the IBM i community as so many still believe that the server is secure and not prone to attack. Sadly, as I work through the data for the 2013 State of Security Study, I see that this continues to be a fallacy.

If you would like help configuring the tools you own within IBM i, or would welcome an introduction to PowerTech’s security solution portfolio, send an email to



Avoid the Hype; Avoid the Crash!

Posted in Security, compliance on January 31st, 2013 by Robin – Be the first to comment

irn-bruAs some of you know, I spent my formative years in the UK. The closest things we had to energy drinks back then were “Irn Bru” and “Lucozade.” I have no idea if there was a medical-based correlation, but the only time my mom “splurged” for a bottle of the latter was when I was sick.

My kids—like most teenagers—love energy drinks. Although I’ve had a couple of cans in my adult life, I don’t see the fascination with a quick burst of flavor, a racing heart, and a subsequent crash. But plenty of people do, making it one the fastest growing segments of the soft drink industry. Sadly, it seems the short-term spike in energy is now being accompanied by a spike in emergency room admissions.

We often observe a similar trend in security and compliance. A new threat comes around and there is an immediate surge as we scramble to develop and implement regulatory controls to prevent the second lightning strike. Likewise, some of the resulting solutions promise to pleasure our security taste buds with the quick fizz of compliance, only to leave us with some previously unknown side-effects—typically the crash that follows our realization that we didn’t properly eliminate the risk in the first place.

The software industry—like any dynamic community—sees companies that come and go. There is a flurry of activity as the “newbie” introduces what they tout as the latest and greatest technology. However, this is often followed by a lull as customers ultimately choose to partner with a company that will still be around tomorrow. PowerTech is not alone in the IBM i security space, but we have definitely been a constant—even when the economy saw many of our competitors cutting back. Over 16 years of tenure in the market has meant that we have seen other security organizations peak and fail; and yet we continue to grow stronger every year.

Our acquisition by Help/Systems in 2008 was a major milestone, benefitting us with the experience of a company that has lived on the top rung of the software industry ladder for more than three decades. Unbelievably, competitors actually called on our customers during the acquisition to advise them to expect game-over, but the reality was that we had further strengthened our position and were transforming quickly into the global force that we are today.

It’s not about introducing the new flavor of the month. It’s not about working with the wanna-be that has developed dozens of vague solutions. It’s about having market-proven solutions to the critical challenges YOUR business is facing. It’s about knowing that you can pick up the phone and talk live to a real person.

Ultimately, it’s about strengthening your own market position by partnering with your vendors… and no-one does partnering like us.

If you’d like to know how PowerTech’s security solutions are providing long-term benefits to organizations just like yours, give me a call.



I Have the Flu!

Posted in Other, Security on January 24th, 2013 by Robin – Be the first to comment

Yes, sadly, it’s true. I won’t gross you out with the grizzly details, but I haven’t felt so awful in a very long time. In fact—until this week—I don’t believe I’ve missed a day of work due to sickness in my three and a half years tenure with PowerTech. According to the Minnesota Department of Health, we are in the midst of one of the worst flu epidemics on record; one that has already resulted in at least 60 flu-related deaths in our state alone.

I rarely “unplug” from the corporate grid, and over the past two days in bed I have relied on my mobile devices to keep tabs on incoming meeting requests and emails, and to work with the team to reschedule events that were already on the calendar. It certainly had me grateful for the proactive notifications sent from our collaborative systems and made me consider what other companies do when an integral team member is out of commission—be it due to vacation, illness, or winning the lottery!

Many organizations lack a contingency plan for short-term absences and assume that open tasks can wait, or “someone” will take care of that employee’s responsibilities. In reality, I believe that many of those responsibilities fall by the wayside until the employee returns, or someone realizes that there is a hole in the organizational structure. If that employee is responsible for auditing or forensics monitoring, then the risk of a breach can balloon significantly during their absence.

Business people fearing h1n1 virus

One of the best defenses against this type of exposure is automation. Scheduled analysis of transaction logs, proactive event detection, and warning notification are ways that the system can self-police even when a human is not in a position to do so. While a person may be required to fully determine a course of action, using the server’s CPU to perform the repetitive “grunt work” empowers the skilled resource to focus on decision making. A computer typically runs 24×7x365 (at least if it’s an IBM Power Systems server!), it doesn’t get tired or bored of the same work, and it won’t overlook an event.

While I plan to be back in the office very soon, I appreciate knowing that my server would never truly have missed me. That’s because our friendship isn’t entirely exclusive: the server can communicate with multiple members of the team concurrently to alert them when something important is happening. If my symptoms became more serious, or I hit on one of those astronomical Powerball lotto winnings, I wouldn’t have to leave behind a team scratching their heads in frustration as they try to figure out how and when reports need to be run and who they get distributed to. And, heaven forbid, if I was the programmer that wrote complex applications to monitor the system (we hope it is monitoring) or to generate those next rounds of audit reports, I would have accidentally left my organization sitting out in the Minnesota cold!

If you’d like to know how PowerTech’s security solutions have been architected to self-serve your organization’s security interests, give me a call or send me an e-mail at