For the COMMON Good!

Posted in Company News, Other, Security on May 5th, 2010 by Robin

I am not sure what happened to Spring, but as Orlando enjoys temperatures in the mid-90s, one could say summer is already here.

I am in Central Florida this week to attend the 50th Anniversary COMMON annual meeting and exposition, hosted at the Orlando Marriott resort. This is my first time touching down in Florida, and I have not been disappointed. Although I do not have the complexion to ever consider becoming a “sun worshipper,” there is an immediate recognition of why this state attracts thousands of visitors from around the world: clean streets, pristine buildings, and endless entertainment and activities for people of every age. I arrived a couple of days early and drove over to Cocoa Beach, and then down to West Palm Beach to visit my “brother” from my time as a foreign exchange student. It was wonderful to reconnect with him after a couple of years.

The conference started on Sunday with the normal pre-meeting lab sessions, and then formally commenced on Monday with a large opening session hosted by COMMON president Wayne Madden and keynote speaker Ross Mauri, General Manager of IBM Power Systems.

The exposition has been very busy for all of the Help/Systems’ family of companies, significantly up from the event last year in Reno. With a COMMON call for more participation from its members, hopefully this is something that continues to rebuild and increase. It has been a pleasure to visit with existing and prospective customers alike. It seems security is still very much on the minds of the attendees, with interest from every industry and every size organization within those industries.

We have been signing up large numbers of attendees who are interested in winning the beautiful Gateway netbook, and have been handing out logo t-shirts from SEQUEL, Help/Systems, and of course, PowerTech by the box.

Well, I have to run as the expo is about to begin again. Based on the last couple of days, we will need every resource available on the expo floor; a great problem to have!

If you were not able to attend this year’s meeting, I hope to see you all at next year’s event in Help/Systems’ hometown of Minneapolis, MN, from May 1 through 4.

Have a wonderful week!

- rt

What Comes First: Security or Compliance?

Posted in Auditing, Other, Security on April 28th, 2010 by Robin

I am sometimes asked to clarify whether PowerTech is a security company or a compliance company. I also sometimes read comments from industry experts criticizing organizations for wasting time, effort, and money on compliance solutions without ever really becoming secure. Well, before I can weigh in on that argument, we have to discuss the basic difference between “security” and “compliance.”

Security is the act of creating a defense to prevent something from being attacked or injured. In the IT world, this usually pertains to preventing unauthorized access to computer servers, and more importantly, the application data that resides on them. For most businesses, the value of the technology infrastructure is found in the application data, as hardware can be replaced relatively easily. Data is usually our primary intellectual property, for example: our customer information, order history, vendor data, employee information, and credit card transactions. Securing the data asset is necessary to prevent damage—both accidental and malicious—to ensure that the data remains the property of the organization that owns it, and to allow it to add value to the business operations.

Although obviously tied to security, compliance is simply the adherence (and proof of adherence) to a set of baseline standards and procedures. While you can be secure without being compliant, and even be compliant without truly being secure, the terms are often used interchangeably. When I consult with PowerTech customers, I am usually asked to help achieve compliance, often with Sarbanes-Oxley or the payment card industry’s PCI-DSS standards. However, sometimes it is a worthwhile investment of time and money to set the compliance objective aside, and to simply review how secure you actually are.

Unfortunately (or thankfully, depending on your perspective!), it is not difficult to satisfy an auditor during an IBM i audit due to the fact that many of them really are not trained in auditing the i platform. While this sometimes leads to answering questions that don’t really pertain to us, it also means that we can potentially talk our way out of a compliance violation. Getting the auditors off our backs may seem advantageous in the short term, but it may be doing the organization a huge disservice in the long term.

One of the challenges is to educate customers that security is NOT a destination, but more of a journey. You can never really be 100% secure. New threats make security a continuously moving target, but regular compliance checks can help the server remain as secure as possible by assessing the risk of each threat and the degree to which you are vulnerable to it. But in order to do that, we have to accept a valid set of standards as our baseline.

So, back to our original question: Is PowerTech a security or a compliance company? Well, I say that we provide solutions that can align with both security and compliance objectives. Network Security’s access control facility, and Authority Broker’s restriction on powerful users, are both designed to provide tangible value to an organization’s security defenses. Compliance Monitor, a compliance tool per se, provides visibility into the security audit journal to enable security officers to respond in a more timely manner to possible intrusion events. These tools can also help satisfy common compliance criteria. For example, Network Security can satisfy a compliance requirement such as “audit and control access for network initiated activities,” and Compliance Monitor can generate compliance scorecards to compare security policy to current settings.

In summary, I am a proponent of working to secure a system and data from common and known vulnerabilities first. This typically involves an audit of configuration and procedures against best practices, and the creation and maintenance of a detailed security policy. Once you do that, you can work to secure your environment using the policy as your guideline. Then you can “simply” monitor for ongoing compliance to your objectives and standards. PowerTech can help you navigate through the entire project cycle!

Have a wonderful week!

- rt

PowerTech Advisory Board, IBM i 7.1, Regulatory News

Posted in Other on April 20th, 2010 by Robin

Advisory Board

Last week was exciting, as PowerTech hosted an Advisory Board of customers from Minneapolis to the UK. The advisory board is a two-day session that is primarily an open forum about the security challenges that these companies are facing, and a discussion of how PowerTech solutions are helping mitigate many of them. It’s also an opportunity for our team to assign priorities for PowerTech’s future development initiatives that have been identified for the current product set, as well as to assess future directions.

PowerTech representatives spent time with each of the board members and performed product reviews to ensure that all of the members were up-to-date on the latest releases of our solutions. This also provided a great opportunity for networking between the members, and to get some insight into the creative ways that other organizations have deployed our products and services, especially in conjunction with many of the Robot solutions from Help/Systems.

Of course, it was not all work and no play. Although I won’t talk about individual scores—primarily as I didn’t get the highest—we all enjoyed a fun evening of bowling, pool, and dinner at a local entertainment center. The team-colored bowling shirts that had been designed for everyone ensured that the group competition remained intense but friendly.

Look for more of an overview of the Advisory Board in our upcoming edition of the PowerNews eNewsletter due at the beginning of next month.

IBM i 7.1 Released

IBM officially announced v7.1 of the IBM i operating system last week. Because of the numerous security enhancements introduced in V5R4 and v6.1, IBM gave some attention to other areas of the operating system this time around. However, there were some new details that were presented to our advisory board and internal staff by Jeff Uhling, a guest speaker who visited us from IBM Rochester, home of the “AS/400.”

Some high level details of enhancements include:

  • Two new user profile parameters pertaining to automatic disablement of the profile after a defined period of non-use, or on a specific date. If you choose the inactivity option, you can select from 1-365 days. This functionality has been available via the Analyze Profile Activity (ANZPRFACT) command as part of the IBM Security Toolkit, but these parameters make it more mainstream.
  • Encryption enhancements include a field-level exit program. While read-based triggers previously were unable to perform changes to the data being read, this exit point’s program allows the data to be selectively decrypted. This exit program is not specifically tied to encryption/decryption functions, so expect to see other uses dreamed up by the ‘i’ community.
  • V7 enhances full disk encryption with the ability to start and stop encryption on existing auxiliary storage pools, instead of requiring a new ASP to be created.

Regulatory News

In regulatory news, Washington became the third state to pass legislation incorporating the Payment Card Industry (PCI) standards to help financial institutions recover costs associated with credit/debit card breaches. Although there are some experts that doubt the effectiveness of such legislation (partly on the grounds that it really only affects those not already compliant with PCI regulations), HB1149 contains provisions for controlling organizations that process more than 6 million transactions per year. Recovery includes the cost of reissuing cards to Washington residents, as well as damages caused by defects in a vendor’s software or equipment related to encryption, if that defect caused the breach.

Have a wonderful week!

- rt

PowerTech Advisory Board

Posted in Other on April 16th, 2010 by Robin

The PowerTech team is busy this week with the PowerTech Advisory Board. Please check the blog next week for a recap of the advisory board!

PowerTech Advisory Board and the State of IBM i Security

Posted in Other, Security on April 6th, 2010 by Robin

It was a fantastic weekend here in Minneapolis, and certainly one of celebration! Good Friday through Easter Sunday is one of the highlights of the Christian calendar, but even if you have different beliefs, perhaps there were still chocolate eggs and bags of candy to enjoy, not to mention an absolutely glorious sunny and warm spring weekend—something Midwesterners are so incredibly ready for!

I spent the weekend with a couple of close friends and my two teenage kids, Jordan and Sydney, and we had a wonderful time out enjoying the sunshine, picnicking at a local park, riding some hair-raising rides at the (in)famous Mall of America, and paying a visit to the beautiful Minnehaha Falls. Although not quite as dramatic as the other two spectacular falls I have been fortunate to see this year in Niagara and Portland, this waterfall is a favorite attraction for visitors to Minneapolis, and is situated in a beautiful park close to the Minneapolis International airport.

This week is going to pass quickly, as we are busy preparing for the PowerTech Advisory Board, a consortium of large customers who will be converging on our corporate offices in Eden Prairie next week. The purpose of this session is to share strategic direction on PowerTech product development, as well as garner opinions and insight into the future security and compliance needs of our customers. We also conduct these sessions with the assistance of Help/Systems’ Robot customers, and always find them extremely beneficial in helping define needs, and to ensure that we continue to meet (and hopefully exceed) the high expectations that our customers have.

We are reeling a little from the fevered interest we have been receiving for the updated 2010 “State of IBM i Security” released last week. I conducted a Webinar with Jill Martin—who did much of the work around the updated copy—on the day we published it, and were subsequently inundated with requests for copies of the study. We also received a wealth of interest in the use of our free assessment tool that (optionally) provides the data used in the report each year. Go to www.powertech.com for access to the full study, and to register for your own free system review using our Compliance Assessment tool.

I will also be teaching the PowerTech security workshop with local partner MSI Systems Integrators here in Bloomington. This is the last scheduled session, although we are discussing Chicago and Dallas as possible future host cities. If you think that you are in a geography that we should be visiting, send me a note at robin.tatam@powertech.com. I’d love to hear from you.

Have a wonderful week!

Back in the New World

Posted in Company News, Security on March 30th, 2010 by Robin

Well, I am finally back in Minneapolis with no scheduled plans for travel until COMMON at the beginning of May. Of course, that can change at a moment’s notice so if you need any security services, let me know. Have bag; will travel!

I’d like to give a “Thank You” to Jill Martin for updating us here last week about her activities while I took a couple of (almost) vacation days in and around London with my children. What a spectacularly intense city that is! There is so much culture and history shoe-horned into a fairly small geographical space, and when you add in the vast population of commuters and visitors, you could be excused for becoming totally overwhelmed. One of the keys to a successful visit to London is understanding the incredible public transportation system, and not running yourself ragged trying to accomplish too much. (Easier said than done!)

From a professional perspective, it was a very successful trip. Although phones and e-mail are quick, cheap, and efficient methods of communication, there is something irreplaceable about an old-fashioned, face-to-face meeting and a firm handshake. Spending time with the Help/Systems International sales teams from the UK, France, and Switzerland was very enlightening, as we discussed and compared the security requirements of IBM i customers in the United States and Europe. I also ran through the PowerTech security information with the technical support team prior to a customer workshop in Farnborough. We had to move the event due to more registered attendees than seats in the Help/Systems office, and it was a fantastic four hours that flew by as we covered everything from user profile configuration to system values, to best practices for object authority configuration.

Since last visiting the U.K., one of the things that was noticeably different for me was how credit and debit retail transactions are now entirely “chip-and-PIN” based. If you are reading this from the U.S., you may have no idea what I am talking about—just as I had no idea until I got there. There are two main challenges with credit card transactions at the point of sale using the more traditional “swipe and sign” technique:

  1. Determining that the physical card is not a counterfeit. The availability of swipe devices that read all of the data from a card’s magnetic strip means that it is not difficult to manufacture cards that appear to be completely legitimate, and that swipe with all of the information of a genuine card.
  2. Verifying that the card user is the actual owner of the card. This is normally accomplished by comparing the signature of the user with some form of formal identification such as a driver’s license. Unfortunately, this puts the responsibility of identity verification on the shoulders of the retail organization, instead of with the card user. Comparing a (commonly out-of-date) photo to a person’s physical likeness slows down transactions, and is fraught with human error. In my U.S. travel experience, it is rare for a sales clerk to even check the signature. Although it is against most cardholder agreements, I often write “Ask for ID” on the signature panel of my cards, and that does seem to help prompt a clerk to check my credentials. Unfortunately, if they “catch” a person trying to use someone else’s card, I have witnessed people successfully justifying it to the clerk.

By the end of 2006, U.K. retailers joined the initiatives of several other European nations and fully adopted a new point-of-sale mechanism that uses so-called smart cards, more commonly referred to as “chip-and-PIN” cards. These cards, which look like regular credit cards, contain a small micro-chip that is read by a special reader device that looks similar to any other credit card processing machine but allows the card to be inserted. The embedded chip helps authenticate the card, thereby addressing the first challenge above. The requirement for a personal PIN to be entered instead of a traditional signature solves the second challenge, as the assumption is that your PIN number is highly confidential.

Use of smart-cards provides a couple of additional advantages over traditional signature transactions. First, most of the readers are portable devices, so the entire transaction can be handled without having to hand over your credit card to a complete stranger, as is common in the United States. Second, disabled users can now more easily use credit cards even when signatures are difficult or impossible.

While countries that use smart cards report significant declines in credit card fraud, there are currently a few disadvantages to this technology—especially for foreign travelers. Card numbers from PIN-based cards are more easily used fraudulently in non-PIN countries, as no PIN is required there. While most locations still have the capability to swipe chipless cards, this becomes more difficult with unattended point-of-sale devices such as ticket machines and, from my own personal experience, with clerks that are not particularly well-trained on processing a transaction using a chip-less card. Naturally, as additional countries adopt the smart card technology, these challenges will become less and less of an issue.

Upon my return last week, I began to research why this type of technology is not currently in-use in the United States. I was surprised to learn that it appears to be based purely upon the massive cost of replacing every point-of-sale terminal in comparison with the relatively low cost of credit card fraud here. However, as more and more countries adopt this technology, it will place pressure onto the U.S. to adopt it as well. I personally think that it would be a huge step forward in getting control of international credit card fraud.

Before I wrap up for this week, I would like to thank everyone that sent me 40th birthday wishes, and also to my Minneapolis cohorts—I mean colleagues—that “decorated” my office in black prior to my return. Payback is a …. Well, you know the expression!

Regards,

- rt

Keeping up with PowerTech

Posted in Company News, Security on March 23rd, 2010 by Jill Martin

Robin’s not the only one on the road!

As Robin has been criss-crossing the U.S. and flying over the pond to visit the Old Country, I have been on a whirlwind tour myself. I started by visiting RSA in San Francisco, CA for a few days, before stopping in our Seattle, WA office.

I have attended COMMON and the IBM Technical Conference several times over the years, and I have to say, the number of people at RSA is just mind-boggling! If you have never attended the RSA conference, it is quite a sight to see! Here I found thousands of people, hundreds of vendors, and a large selection of security topics to participate in. It was quite exciting to see such a buzz around the topic of security. If RSA is any indication, 2010 will be a big year for security projects!

My second week of travels brought me back to San Francisco, CA to kick off my workshop tour. I started in Oakland, CA, traveled to Irvine, CA, and then to Las Vegas, NV. The goal of these workshops was to help people get started with their IBM i Security Policy.

Some of the things we discussed included:

  • Why a security policy is so important in today’s environment
  • What government regulations and standards are driving the security policy projects
  • Components of your security policy, both from a corporate perspective and specific to IBM i
  • Business requirements considerations for your security policy
  • Who to include in your security policy review team
  • How to audit your IBM i
  • What reports are available to support your security policy and how they are executed
  • How PowerTech can help – tools available to help assess your system and simplify reporting

I really enjoyed working with everyone who attended my workshop, and hope everyone learned something valuable that can be applied to their security policy – I know I learned something from each workshop!

If you are interested in attending a workshop on this topic watch our newsletter, PowerNews, or check the blog for more cities and dates. I will be continuing my workshop tour over the next few months. I hope to see you in the future!

Visiting the Old Country

Posted in Company News, Security on March 16th, 2010 by Robin

Well, a lot has happened for me since last week. After returning from Portland on Wednesday, I quickly laundered my clothes and repacked my suitcase. Less than 24 hours later, I headed back to the Minneapolis airport, this time with my two teenage kids: Jordan, 15, and Sydney, 13. We boarded a non-stop flight to London’s Heathrow airport. At 33,000 feet, and a temperature of -70 degrees Fahrenheit, we all said a temporary goodbye to the United States coastline, and I said a permanent goodbye to my “30’s.” A big sign of advancing years was that I had completely forgotten about the event until my daughter reminded me with a “Happy Birthday, Dad!” as we passed midnight.


As many of you know, I was born and raised in the United Kingdom and came to the U.S. twenty years ago as a high school foreign exchange student. I fell in love with Iowa back then, and upon my return home I started planning how I could come back. I took a job as a trainee programmer, and found myself learning to write RPG code on an AS/400. Eighteen months later, I took the plunge, packed all my worldly possessions into several large suitcases, and never looked back.

For a number of reasons, eleven years have slipped by since my last return. I am now retraining myself in the art of driving on the left, and steering on the right! I am also quickly (re)adopting the accent of my ancestors, and reacquainting myself with the mighty Fish ‘n’ Chip.

The business purpose for my traveling here this week is due to the growth that we are seeing in security conversations in Europe. After a successful year at PowerTech, our Help/Systems International division is looking at ways to expand their contribution to that success. I will be working with the sales team to identify ways to best service new customers, for example by leveraging our fantastic no-charge compliance assessment offering. The technical teams are going to be briefed on a number of pertinent security topics, as well as discuss some aspects of product and operating system security.

Wednesday afternoon (10am CST in Minneapolis) Jill Martin, PowerTech’s product manager, and I will connect the 4,000 miles between the two Help/Systems offices via WebEx to host our weekly Webinar security session. On Thursday, I am excited to be hosting a security workshop in the vein of the ones that I have been holding across the U.S. during the last couple of months. This session is now bordering on being “sold out,” so if you are interested, go to www.powertech.com and register.

Finally, I am taking a couple of days off at the beginning of next week to enjoy a little time with my UK-based family, and to show my kids more of “the old country.” I will be back in Minneapolis later in the week.

Have a great week everyone!