
1 Extending iSeries Security. A presentation: System i Security Products

2 © 2006 PowerTech Group, Inc. All rights reserved.
Agenda
> Security issues regarding System i
> Who is PowerTech?
> Customer requirements
> System i security vulnerabilities
> PowerTech solutions overview

3 The PowerTech Group: Definitive iSeries Security
> World-leading company for System i security
> PowerLock AuthorityBroker ships with the iSeries OS
> Acquired leading iSeries SSO technology in 2005
> Winner of the prestigious Industry Driver APEX Award from iSeries News in 2004
> Over Enterprise and Small Business customers
> More than 3,000 licenses installed
> Advanced Level IBM Partner

4 Where to Begin
(Slide diagram: a map of security topic areas, including Power Users, Access Control, Data Access, PW/User Mgmt, System Settings, Source Control, Business Continuity, Data Privacy, Security Change, Config Mgmt, Real-time Monitoring, Audit for Compliance, Demonstrate Compliance, Be Compliant, High Avail, Data Recov, Data Xfer and Database.)

5 IT Controls Being Raised
> Legislators are doing their best to raise security from a technology issue to a business concern
> Auditors are defining what security is for companies
> Companies are documenting in-scope processes and procedures
> Risks inherent in IT controls are being identified and addressed
> All are looking to COBIT and ISO for guidance

6 iSeries Environment
> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt iSeries data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?

7 iSeries Security Study
> 87% of libraries were accessible by *PUBLIC (any user on the system). Auditors recommend 0%.
> 80% of access points on the iSeries were not monitored or controlled, leaving the possibility of un-audited access to critical data. A violation of COBIT recommended standards and a threat to data integrity.
> 78% of systems had more than 40 user profiles with default passwords (password = user name, which is what PASSWORD(*USRPRF), the CRTUSRPRF default, produces). A red flag for auditors and a violation of COBIT recommended standards.
> 84% of systems had more than 10 users with *ALLOBJ (all-powerful users). A red flag for auditors, and a threat to data integrity and accountability.

8 Data Access: Public Authority to Libraries
(Slide chart: iSeries Security Study 2005. Source: The PowerTech Group.)

9 iSeries Security Gap
(Slide diagram: employees, customers and remote employees reaching the iSeries, where the only control is menu access.)
Ramifications of menu access only:
> No visibility into network activity
> No control of network activity
> No security monitoring
In the old days you could rely on menu security. But once PCs came along and the iSeries was opened up to ODBC, FTP and remote command, menu security no longer applied: those servers never present the user with a menu, so the iSeries became vulnerable.

10 IBM Recognizes the Problem
> "ODBC introduced a plethora of desktop applications that offer easy access to data on the as/400 via a few mouse clicks."
> "COMMON BACKDOORS - Several servers offer methods to submit AS/400 commands via the client. Restricting command line usage does not block this."
From IBM technote: "Security Issues with Client Access ODBC Driver"

11 Customer Data
> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt application data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?

12 Data Access: Public Authority
> Can users perform functions/activities that are in conflict with their job responsibilities? Yes.

13 Data Access: Special Authorities (*ALLOBJ)
> Can users modify/corrupt iSeries data? Yes.
> Can users circumvent controls to initiate/record unauthorized transactions? Yes.

14 Data Access: Network Access
> Can users engage in fraud and cover their tracks? Yes.

15 Product Overview
(Slide matrix mapping products to the controls they address.)
Products: AuthorityBroker, NetworkSecurity, SecurityAudit, ISS - Robot, Single Sign-On, Compliance Monitor.
Controls addressed: Control Powerful Users (Separation of Duties), Access Control, Regular Auditing, Real Time Monitoring, SSO, Back Up Encryption, Data Encryption, FlashAudit on iSeries Security.

16 Compliance Monitor

17 PowerLock ComplianceMonitor

18 Case Study
> Large multinational retail company dealing with SOX compliance issues
> Problem:
  - No staff available to develop new custom reports
  - IT security group is not familiar with the iSeries
  - Overwhelmed with the burden of tracking more than 10 systems
> Answer: PowerLock ComplianceMonitor
  - IT staff save development time
  - Expert guidance built into the product
  - Consolidated reports

19 Requirements
> Be compliant with regulations
  - SOX, HIPAA, PCI, privacy laws
> Demonstrate compliance through regular reporting
  - Automatic scheduling
  - Focus on exceptions to policy
  - Historical comparisons of audit results
  - Process to report on:
    - User profile/account data
    - System values
    - Authority to objects
    - Network access control

20 Systems are arranged in user-defined groups to match the business environment. A system (or endpoint, as it is called in the product) can belong to more than one group. This allows you to selectively audit and report on sets of systems.

23 The System Value scorecard highlights exceptions to policy with a red down triangle; a green up arrow shows settings that match policy. The policy is stored in an XML file, which can be updated to match a specific company policy.

24 Consolidated report across three systems. The system value view shows them next to each other for comparison purposes. PowerLock ComplianceMonitor (PLCM) can collect all system values; in this report we are looking specifically at the security system values (for example QSECURITY, QMAXSIGN, QPWDMINLEN and QAUDCTL).

25 Effective special authority: it is not just the special authorities on the user profile itself; we also check whether the user has inherited special authorities through membership in a group profile (GRPPRF) or supplemental group profiles (SUPGRPPRF).

26 Network Security

27 Features
> Customizable reporting
  - PowerTech recommended reports
  - GUI to create custom SQL queries (filters)
  - Flexible interface and grid view
> Expert guidance
  - Scorecards rate compliance against security policy
  - Exceptions are highlighted
  - Compliance guide
> Consolidation across multiple systems
  - Drastically cuts the number of reports

28 PowerLock NetworkSecurity Technology
> IBM recognizes the security problems with network access to iSeries assets, and has added and continues to add network access exit points.
> NetworkSecurity implements exit point programs that monitor and control iSeries access through the network interfaces.
> Exit point programs intercept and can record inbound requests.
> Access requests can be controlled by:
  - User profile, group profile, supplemental group profile, *PUBLIC
  - Device name, IP address, PowerLock IP address groups or generic names
  - Server and function type
    - Remote command, FTP download, FTP upload, etc.
  - Can be configured to emulate an increase or decrease in object authorities

29 PowerLock NetworkSecurity Technology: What is an exit point anyway?
A point in a process where control can be passed to a user-supplied program. The user-supplied program can usually perform processing that overrides or complements the processing done by the main process.
(Slide diagram: the main program, here IBM's FTP server, receives an access request and calls the exit program; the exit program analyzes the request and returns data indicating whether to accept or reject it; the main program then continues processing.)

30 PowerLock NetworkSecurity Technology
> PowerLock NetworkSecurity provides exit point programs that allow iSeries customers to monitor and take control of their network interfaces (FTP, ODBC, Telnet, DDM, Client Access, etc.).

31 Network Exit Points
> 4 major categories of network exit points
  - Original PCS servers (the PCSACC network attribute)
  - DDM & DRDA servers (the DDMACC network attribute)
  - Optimized Client Access servers (registered exit points, see WRKREGINF)
  - TCP/IP servers (registered exit points, see WRKREGINF)
> More than 30 network servers
> More than 250 combinations of servers & functions that regulate network access

32 Network Servers that can be monitored and controlled
> Original servers: Virtual Print Server, File Transfer Function, Message Function, Data Queue, Remote SQL, License Management, Shared Folders
> DDM (including DRDA) server
> Optimized servers: File Server, Database Server, Data Queue Server, Network Print Server, Central Server, Remote Command Server, Signon Server
> TCP/IP servers: FTP, TELNET, WSG (V5R1), etc.

33 iSeries Network Access with PowerLock NetworkSecurity
(Slide diagram: the FTP, TELNET, Database, DDM and DRDA servers, each fronted by PowerLock.)
PowerLock NetworkSecurity is the software that controls and monitors access to the iSeries through the network interfaces.

34 Reporting current exposures
> To help you get a current view of your network access exposures, NetworkSecurity includes comprehensive reporting capabilities. Several reports may be run at any time. The Reporting Menu is accessed using option 4 from the NetworkSecurity Main Menu.
> If you want information on all network access attempts, you can run the NetworkSecurity reports for All users at All locations. While this will create a lengthy report, it will provide all the detail you need to determine who is connecting to your system and what functions are being performed.
> Right after activation there will be few if any entries on the reports; activation is the point at which NetworkSecurity begins to record access attempts. Some applications like JDE OneWorld and FastFax can generate lots of entries very quickly.

35 NetworkSecurity: Work with Servers

36 Authority Broker

37 Sarbanes-Oxley Implications
> COBIT DS5.3 – Security of Online Access to Data: "… IT management should implement procedures in line with the security policy that provides access security control based on the individual's demonstrated need to view, add, change, or delete data."

38 Reactive Security
(Slide diagram: customers and employees with many paths to the data.)
Many companies use reactive security, trying to respond to breaches as they occur. The problem with trying to find all the different ways people can get to your data is that you will never find all the different approaches. Instead, PowerTech takes an exclude-based security approach.

39 Exclude-Based Security
(Slide diagram: customers and employees, with only the permitted paths open.)
PowerTech allows you to determine what type of activity you want to allow first. Then you lock everything else out and set up alerts, so you know when someone tries to do something you don't allow and can decide at that point whether to permit it or not.

40 Case Study: The Solution
> Remove special authorities from the programmer on the production system
> Implement PowerLock AuthorityBroker
  - Programmer "switches" into a powerful profile when needed
  - All actions are audited to a secure journal
  - Management gets alerts (to a cellphone!)
  - Management reviews and signs off on regular reports
> Compliance: auditors are happy!

41 Customer Requirements
> Log and record activity of powerful users
> Flexible reporting options
  - 3 levels of detail
  - Filter out unnecessary information
  - Print, database, .csv
> Time-specific controls
  - Limit duration of profile switch
  - Specific day, date and time restrictions
  - Delegate "firecall" to Helpdesk personnel

42 Product Demo

43 Security Audit

44 PowerLock SecurityAudit
> Assesses your iSeries and AS/400 systems
  - Complete history
  - Instant view of changes
> Used by internal auditors
  - No special authorities (like *ALLOBJ) required for auditors
> 200+ reports available
  - Network transactions
  - Object level assessments
  - User profiles and system values
  - Continuous auditing of events, objects, users and system values
> Comprehensive reporting and analysis

45 System Requirements
> V5R1 of OS/400 or later
> 100 MB of disk space
> *ALLOBJ special authority for installation
> Users without *ALLOBJ should be added to the SECAUDADM authorization list to allow them to run reports

46 Value Proposition
> SOX-related usage opportunities: SecurityAudit generates reports that can be used to test the effectiveness of AS/400-related logical access IT General Controls
> Improves efficiency of audits
> Improves quality and consistency of audits

47 OS/400 Report

48 SecurityAudit Report

49 PowerLock SecurityAudit Demonstration

50 PowerLock SecurityAudit Demonstration

51 Powerful Users
> Special Authorities = Power!
  - Special authorities are checked before, and can override, OS/400 object-level authorities.
> A user with ...
  - *ALLOBJ can read, change, or delete any object on the system.
  - *SPLCTL can read, change, print, or delete any spooled file on the system.
  - *JOBCTL can view, change, or end any job on the system (this includes running ENDSBS and PWRDWNSYS).
  - *SAVSYS can save or restore any object on the system without having authority to it; a save is a readable copy of the data, and saving with STG(*FREE) removes the object's contents from the system.

52 Powerful Users

53 User Profiles
> Users with command line access
  - Limit capability of LMTCPB(*NO) or LMTCPB(*PARTIAL)
> Default passwords
  - Password = user name (the result of PASSWORD(*USRPRF), the CRTUSRPRF default)
> Inactive (dormant) accounts
  - Any profile that has not been used in the last 90 days
> IBM profiles
> Group profiles
  - Password of *NONE; a group profile should not be used for sign-on
> Public authority
  - Public should be set to *EXCLUDE
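
The effective special authority check from slide 25 and the user-profile checks listed above, worked as an added example (not PowerTech code). PROFILES is a constructed sample shaped like the attributes DSPUSRPRF OUTPUT(*OUTFILE) exports; the dict keys (user, grpprf, supgrpprf, spcaut, lmtcpb, password, prvsignon) are illustrative names, not the real outfile columns. Default passwords cannot be derived from these attributes (that is what ANZDFTPWD is for), so that check is left out; the IBM-supplied profile check is also left out, since it is a name-list lookup.

```python
from datetime import date

AS_OF = date(2006, 4, 1)      # "today" for the dormancy check (constructed)
DORMANT_DAYS = 90

# Constructed sample data.
PROFILES = [
    {"user": "QSECOFR", "grpprf": "*NONE", "supgrpprf": [],
     "spcaut": ["*ALLOBJ", "*SECADM", "*JOBCTL", "*SAVSYS", "*SPLCTL",
                "*SERVICE", "*AUDIT", "*IOSYSCFG"],
     "lmtcpb": "*NO", "password": "*YES", "prvsignon": date(2006, 3, 1)},
    {"user": "OPERATORS", "grpprf": "*NONE", "supgrpprf": [],
     "spcaut": ["*JOBCTL", "*SAVSYS"],
     "lmtcpb": "*NO", "password": "*YES", "prvsignon": None},    # a group, but it has a password
    {"user": "PGMRS", "grpprf": "*NONE", "supgrpprf": [],
     "spcaut": ["*ALLOBJ"],
     "lmtcpb": "*NO", "password": "*NONE", "prvsignon": None},   # a group that carries *ALLOBJ
    {"user": "JACKM", "grpprf": "OPERATORS", "supgrpprf": ["PGMRS"],
     "spcaut": [],
     "lmtcpb": "*YES", "password": "*YES", "prvsignon": date(2006, 2, 20)},
    {"user": "OLDTEMP", "grpprf": "*NONE", "supgrpprf": [],
     "spcaut": [],
     "lmtcpb": "*PARTIAL", "password": "*YES", "prvsignon": date(2005, 6, 1)},
]


def group_profiles(profiles):
    """A profile is a group if some other profile names it in GRPPRF or SUPGRPPRF."""
    groups = set()
    for p in profiles:
        if p["grpprf"] != "*NONE":
            groups.add(p["grpprf"])
        groups.update(p["supgrpprf"])
    return groups


def effective_special_authority(user, profiles):
    """Union of the profile's own special authorities and those inherited from
    its group profile and supplemental groups, which is how i5/OS applies them.
    Returns {authority: profile it comes from}."""
    index = {p["user"]: p for p in profiles}
    me = index[user]
    effective = {a: user for a in me["spcaut"]}
    chain = ([me["grpprf"]] if me["grpprf"] != "*NONE" else []) + list(me["supgrpprf"])
    for grp in chain:
        for a in index[grp]["spcaut"]:
            effective.setdefault(a, grp)    # report the first profile that grants it
    return effective


def audit(profiles, today=AS_OF):
    """Return (user, finding) pairs: the exceptions an auditor would review."""
    findings = []
    groups = group_profiles(profiles)
    for p in profiles:
        u = p["user"]
        eff = effective_special_authority(u, profiles)
        if "*ALLOBJ" in eff:
            via = "" if eff["*ALLOBJ"] == u else f" inherited from group {eff['*ALLOBJ']}"
            findings.append((u, f"effective *ALLOBJ{via}"))
        if p["lmtcpb"] != "*YES":
            findings.append((u, f"command line available: LMTCPB({p['lmtcpb']})"))
        if u in groups and p["password"] != "*NONE":
            findings.append((u, "group profile has a password; should be PASSWORD(*NONE)"))
        if u not in groups and p["prvsignon"] is not None:
            idle = (today - p["prvsignon"]).days
            if idle > DORMANT_DAYS:
                findings.append((u, f"dormant: no sign-on for {idle} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(PROFILES):
        print(f"{user:<10} {finding}")
```

The point of the sample data is JACKM: his own profile has no special authorities at all, so a report that reads SPCAUT from the profile alone would pass him, yet he is an all-object user through the PGMRS supplemental group. Groups are detected from membership rather than from a flag, because that is the only evidence a profile listing gives, and they are excluded from the dormancy check since a group is never signed on.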

54 Sample Reports

55 Special Authorities

56 User Access: System Users

57 Public Authority to Data
> To mitigate the risk of unauthorized program changes and database alterations, the public authority for each significant production database and production source code file must be set to *EXCLUDE, with access allowed through appropriate individual settings.
> In addition, any programmer access to production libraries should be restricted.

58 Adopted Authority

59 Library Authorities

60 Library Authorities

61 Security Audit Journal (QAUDJRN)
> Failed sign-on attempts; unauthorized access to files
> Security-sensitive operations, e.g. changing system values
> Restore actions to security-sensitive objects
> Object move and rename operations

62 Single Sign On (SSO)

63 Agenda
A. The Problems with Passwords
B. What is Single Signon?
C. Who Benefits from Single Signon?
D. How does it work?
E. Five Steps to Single Signon
F. PowerLock EasyPass

64 The Problems with Passwords
> Passwords have been around since the dawn of computers.
  - And they are starting to show their age.
> What are the key features of a password?
  - A password is a secret associated with a user ID.
  - Passwords should work only on the hosting system.
  - For each unique user ID on each system, there is a single correct key.

65 The Problems with Passwords
> Each computer system the user logs on to (theoretically) has a different password.
  - How many unique passwords do you really have?
> Users must remember their passwords.
  - But we don't want users to write them down.
  - Users shouldn't use easy-to-guess passwords.
> Your users log on to many, many systems.
  - Internal systems, home, websites, etc.
  - A user could have passwords for a hundred different systems.
  - Some external servers are not secure and not to be trusted.

66 The Problems with Passwords
> Each password on each of your servers represents a potential security exposure.
  - The more passwords you have, the more exposures you have.
> The chief protection for passwords is your end users.
  - Humans are almost always the weakest link in the security chain.
> Reducing the number of passwords a user is responsible for reduces your organization's security exposure.
  - Users can't compromise a password they don't know.

67 What is Single Signon?
> Single Signon is a technology that requires a user to authenticate only one time per session, regardless of the number of systems connected to.
  - The first server authenticates the user, then vouches for that user's authenticity to other systems.
  - The user is then able to seamlessly connect to all of the other trusted systems in that domain.
  - A single authentication can be good for a number of hours, a number that you can set.

68 What is Single Signon?
> Single Signon requires that the user have only one password.
  - This password would be for the first server they connect to each morning.
> With only one password to remember, users require less help desk assistance.
  - It's also easier and faster to reset passwords on a single system.
> Single Signon simplifies disabling a user.
  - Again, there is just one entry to maintain.

69 What isn't Single Signon?
> Single Signon isn't password synchronization.
  - It doesn't require that passwords be shared among multiple systems.
  - It does not require a user to log on separately to each server.
  - It doesn't send passwords around the network in clear text.
> Single Signon is not password replay.
  - It doesn't capture passwords on an appliance and replay them for each server.
  - It doesn't store passwords in multiple places.
  - It doesn't send passwords around the network in clear text.

70 Who benefits from Single Signon?
> Users
  - Have fewer passwords to remember
  - Spend less time authenticating on your network
  - Have far, far fewer password reset requests
> Help Desk
  - Far, far fewer password reset requests
> System Administrators
  - More secure systems
  - More secure passwords
  - Fewer invalid signon attempts
> Programmers
  - More robust applications
  - Pull data from several sources without authentication hassles
> Management
  - More secure systems
  - Less cost!

71 How does it work?
> Single Signon uses industry standard technologies from several leading sources.
  - Kerberos authentication: developed at M.I.T. in the 1980s and funded by a grant from DEC and IBM
  - Active Directory: introduced by Microsoft with Windows 2000 for secure network authentication
  - Enterprise Identity Mapping (EIM): introduced by IBM in 2001(?) to provide user identity mapping across dissimilar servers
> Backed by computer industry powerhouses, Single Signon is the new authentication standard.
  - Kerberos, Active Directory, and EIM combine to make stronger, simpler, and more secure user authentication.

72 How do I get started?
> If you use these OSs, you already have the ingredients to get started:
  - OS/400 V5R2 or higher
  - Windows Server 2000 or higher
> Unlike other technologies, Single Signon deployment can be incremental.
  - No need to change the whole organization; start with a small group.
  - Start with yourself and experience the benefits first hand.
> With experienced assistance, you can truly go to "Single Signon in a single day".
  - Some assembly required.

73 PowerLock EasyPass
> Single Signon implementations are better, faster, and more reliable when you use automated tools.
> PowerLock EasyPass simplifies the steps of setting up, associating, and maintaining user IDs and user associations.
> User associations can be maintained across multiple systems and multiple OSs.
  - OS/400 V5R2 or higher
  - Windows Server 2000 or higher
  - Lotus Domino
  - WebSphere
  - AIX
  - and more...

74 Measuring SSO ROI
> Productivity gain > cost?
> Cost components: management, implementation, acquisition

75 Synchronization SSO Approach: User ID/Password Synchronization
> No end user productivity gains (not really SSO)
> Must deploy and configure a synchronization service
> Passwords must still be changed and audited
> Must troubleshoot synchronization issues
> User IDs and passwords are limited by platform
(Slide diagram: five systems, each holding the same synchronized credential, UID: JACKM / PWD: TEXAS.)

76 Centralization SSO Approach: User ID/Password Centralization
> End user productivity gains
> "Capture & Replay" function must be deployed on all PCs
> "Capture & Replay" must be initially trained
> Passwords must still be changed and audited
> Must troubleshoot centralization issues
(Slide diagram: five systems with five different credentials for the same person, UID: rjmcafee / PWD: SpaceCenter, UID: RJMCAF / PWD: ALAMO, UID: JACK / PWD: LONGHORN, UID: JACKM / PWD: HOUSTON and UID: jmcafee / PWD: LoneStar, all copied into a central repository.)

77 The Password Elimination Approach: Single Sign-On Components
> Kerberos for authentication
  - Uses strongly encrypted tickets, not passwords
  - Implemented on all major platforms
> Enterprise Identity Mapping (EIM) for identity mapping, which determines the local user the authenticated principal becomes
  - Maps people to their user identities on various registries
  - A registry might be a platform, application, or middleware
> Applications enabled for Kerberos and EIM
  - IBM has enabled many popular services in V5R2 and i5/OS
  - NetManage has enabled RUMBA 7.4 & OnWeb Web-to-Host 5.2
  - Customers can also enable their applications (services!)

78 The Password Elimination Approach: EIM and Kerberos
> End user productivity gains
> Easy to implement: no synchronization
> Easy to manage: no centralization
> Password elimination!
(Slide diagram of the sign-on flow from source to targets within an EIM domain:)
1. The user signs on as jmcafee and obtains a Kerberos TGT from the Key Distribution Center (KDC).
2. The KDC issues the client a Kerberos service ticket (ST) for the iSeries, which the client presents to it.
3. iSeries i1 authenticates the Kerberos ST.
4. EIM maps jmcafee on the KDC to JACKM on the iSeries: Jack McAfee is authorized on the iSeries as JACKM.
(Registries in the diagram: source UID: jmcafee / PWD: LoneStar; targets UID: rjmcafee / PWD: SpaceCenter, UID: RJMCAF / PWD: ALAMO, UID: JACK / PWD: *NONE, UID: JACKM / PWD: HOUSTON.)
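
A toy model of step 4 above, the EIM lookup that turns an authenticated Kerberos principal in the source registry (the KDC realm) into exactly one user profile in the target registry (the iSeries), as an added example. This is not IBM or PowerTech code; the registry names, identifiers and associations are constructed, and on a real system the lookup is performed by i5/OS through the EIM APIs, not by anything like this. What the model does show is the two conditions under which sign-on must be refused: no mapping at all, and more than one target identity for the same person on the same registry.

```python
from collections import defaultdict


class EimDomain:
    def __init__(self):
        self._source = {}                      # (registry, user) -> EIM identifier
        self._target = defaultdict(set)        # (identifier, registry) -> {users}

    def add_source(self, registry, user, identifier):
        """Source association: this registry user is this person."""
        self._source[(registry, user)] = identifier

    def add_target(self, identifier, registry, user):
        """Target association: this person may run as this user on that registry."""
        self._target[(identifier, registry)].add(user)

    def lookup(self, src_registry, src_user, tgt_registry):
        """Get-target-from-source lookup. Returns (status, user)."""
        identifier = self._source.get((src_registry, src_user))
        if identifier is None:
            return ("NO_MAPPING", None)        # nobody has claimed this principal
        users = self._target.get((identifier, tgt_registry), set())
        if len(users) != 1:
            # Zero targets, or more than one: the platform cannot choose, so it fails closed.
            return ("NO_MAPPING" if not users else "AMBIGUOUS", None)
        return ("OK", next(iter(users)))


def kerberos_signon(domain, principal, target_registry):
    """Map an authenticated principal 'user@REALM' to the local profile to run as.
    Returns the profile name, or None when the sign-on must be refused."""
    user, _, realm = principal.rpartition("@")
    if not user or not realm:
        return None
    status, local_user = domain.lookup(realm, user, target_registry)
    return local_user if status == "OK" else None


def build_demo_domain():
    d = EimDomain()
    # Jack McAfee: one source identity in the Kerberos realm, different target
    # identities per platform (the names from the slide). Constructed data.
    d.add_source("CORP.EXAMPLE.COM", "jmcafee", "Jack McAfee")
    d.add_target("Jack McAfee", "I1.EXAMPLE.COM", "JACKM")
    d.add_target("Jack McAfee", "AIX1.EXAMPLE.COM", "rjmcafee")
    # Sue has two profiles registered on i1: a misconfiguration that makes her lookup ambiguous.
    d.add_source("CORP.EXAMPLE.COM", "sue", "Sue Lee")
    d.add_target("Sue Lee", "I1.EXAMPLE.COM", "SUE")
    d.add_target("Sue Lee", "I1.EXAMPLE.COM", "SUEL")
    return d


if __name__ == "__main__":
    dom = build_demo_domain()
    print(kerberos_signon(dom, "jmcafee@CORP.EXAMPLE.COM", "I1.EXAMPLE.COM"))    # JACKM
    print(kerberos_signon(dom, "sue@CORP.EXAMPLE.COM", "I1.EXAMPLE.COM"))        # None
    print(kerberos_signon(dom, "mallory@CORP.EXAMPLE.COM", "I1.EXAMPLE.COM"))    # None
```

Note that the target profiles never need a usable password for this path: once the ticket is verified and the mapping resolves, the user runs as JACKM without presenting one, which is why the slide can show JACK with PWD: *NONE and still call the result password elimination.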

79 Top 10 Password Elimination Benefits
1. No need to install and configure another new IT infrastructure layer;
2. Less IT infrastructure means incremental and faster deployment;
3. Less IT infrastructure means lower cost to deploy and maintain;
4. Existing IT infrastructure is already supported by companies like IBM, Microsoft, Novell, SuSE, Red Hat, and many others;
5. Existing IT infrastructure leverages EIM to document user account ownership, which is a powerful business tool;
6. Existing IT infrastructure leverages a combination of authentication technologies like Kerberos (Windows), Identity Tokens (WebSphere), Pluggable Authentication Modules (UNIX or Linux PAMs), and others, rather than passwords;
7. Password elimination results in fewer help desk password reset calls;
8. Password elimination includes distributed applications, which no longer require hard-coded user IDs and passwords to be sent across the network;
9. Password elimination results in fewer passwords to audit and change every 30, 60 or 90 days per company policy;
10. Fewer passwords to audit helps exceed regulatory requirements (e.g. SOX, HIPAA, GLBA, ISO 17799, etc.)

80 User Identities Successfully Loaded

81 Extending iSeries Security. PowerTech Security Solutions extend iSeries security. Thank You

