© 2013 IBM Corporation
IBM Systems Lab Services
PowerSC Tools for IBM i
A service offering from IBM Systems Lab Services
PowerSC Tools for IBM i
PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance
Client Benefits
- Simplifies management and measurement of security & compliance
- Reduces cost of security & compliance
- Reduces security exposures
- Improves the audit capability to satisfy reporting requirements
PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services
Positioning IBM i with PowerSC
PowerSC Feature (Exp, Std, TS) and source of comparable capability for IBM i:
- Security and Compliance Monitoring and Reporting: PowerSC Tools for IBM i includes a Compliance Assessment and Reporting Tool. Additional products available from ISVs, see http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html
- Trusted Logging: PowerSC Trusted Audit Data Repository – Capability is built into IBM i operating system
- Trusted Boot: PowerSC Trusted Digital Signature Verification – Capability is built into IBM i operating system
- Trusted Network Connect and Patch Management: No equivalent IBM i functionality
- Trusted Firewall: PowerSC Trusted Firewall feature supports IBM i VMs
- Trusted Surveyor: PowerSC Trusted Surveyor offering supports IBM i VMs
1. IBM i Security Assessment
   An experienced IBM i consultant will collect and analyze data using PowerSC Tools for IBM i. The engagement results in a comprehensive report with findings and recommendations for improved compliance and security remediation.
2. IBM i Single Sign On Implementation
   SSO improves end user productivity and saves help desk costs. In this services engagement, an experienced IBM consultant will advise on SSO options and provide implementation assistance leveraging the SSO suite components of the PowerSC Tools for IBM i.
3. IBM i Security Remediation
   An experienced IBM consultant will advise on best practices to address IBM i security and compliance issues. The consultant will provide remediation assistance leveraging the PowerSC Tools for IBM i.
4. IBM i Encryption Services
   An experienced IBM consultant will advise on best practices to implement data encryption on IBM i, leveraging the PowerSC Tools for IBM i Encryption Suite as appropriate. Tape Encryption implementation services are also available.
IBM i Security Services from IBM Systems Lab Services
www.ibm.com/systems/services/labservices [email protected]
For more information on PowerSC Tools for IBM i offerings and services, contact:
Mark [email protected], 507-253-1313
Mike [email protected], 507-253-3477
Terry [email protected], 507-253-7241, Practice Leader, Security Services
PowerSC Tools for IBM i
Tools / Feature, with Function and Benefit:
- Compliance Assessment and Reporting Tool
  Function: Daily compliance dashboard report/s at LPAR, system or enterprise level
  Benefit: Enables compliance officer to demonstrate adherence to pre-defined security policies
- Security Diagnostics
  Function: Reports detailing security configuration settings and identifying deficiencies
  Benefit: Reduces operator time involved in remediating security exposures
- Privileged Access Control
  Function: Controls the number of privileged users
  Benefit: Ensures compliance with industry guidelines on privileged users
- Secure Administrator for SAP
  Function: Manages and controls access to powerful SAP administrative profiles
  Benefit: Eliminates sharing of SAP administrative profiles with enhanced security auditing
- Access Control Monitor
  Function: Monitors security deviations from application design
  Benefit: Prevents user application failures due to inconsistent access controls
- Network Interface Firewall for IBM i Exit Points
  Function: Controls access to Exit Point interfaces such as ODBC, FTP, RMTCMD, etc.
  Benefit: Reduces threat of unauthorized security breach and data loss
- Audit Reporting
  Function: Consolidates and reduces security audit journal information
  Benefit: Simplifies audit analysis for compliance officer and/or auditors
- Certificate Expiration Manager
  Function: Simplifies management of digital certificates expiration
  Benefit: Helps operators prevent system outages due to expired certificates
- Password Validation
  Function: Enhances IBM i operating system protection with stricter password validation
  Benefit: Enables security officers to ensure user passwords are not trivial
- Single Sign On (SSO) Suite
  Function: Simplifies implementation of SSO and password synchronization
  Benefit: Reduces password resets and simplifies end user experience
- Encryption Suite
  Function: Simplifies implementation of cryptography using IBM i operating system capabilities
  Benefit: Helps application developers meet data security standards and protect critical data
Compliance Assessment and Reporting Tool
Centralized reporting of IBM i security
- Covers:
  - Password management
  - Profile administration
  - Special authorities
  - Group inheritance
  - Network configuration
  - Netserver attributes
  - Operational security
  - Security risks and more
- Daily compliance dashboard report/s at VM (partition), system or enterprise level
- An automated collection, analysis, and reporting tool on over 900 security related risks, information, statistics and demographics. All in one location and easy to use!
- Enables compliance officer to demonstrate adherence to pre-defined or customer-defined security policies.
- Security reporting made easy!
Security Diagnostics
In depth security collection and reporting
- Reduces security administrator time involved in remediating exposures
- Reports on:
  - User profiles
  - Adopted authority programs
  - Trigger programs
  - Work Management
  - Auditing configuration
  - Network attributes
  - Integrated File System
  - Over 70 reports
Privileged Access Control
Ensures compliance to industry guidelines on privileged users
Without careful control, privileged users can pose a risk to your system security. This tool enables the security administrator to reduce privileged accounts, with a mechanism to temporarily elevate privileges to users when needed.
- Option to change identity for troubleshooting, IFS access and object ownership requirements
- Fully audited
- Automated email notifications sent to distribution list when tool is invoked that includes a log of activities performed
Secure Administrator for SAP on IBM i
Eliminates sharing of powerful SAP administrator user profiles
SAP-provided administrator user profiles are often shared, leading to security exposures and ineffective auditing. Secure Administrator for SAP on IBM i addresses this exposure by providing a secure and auditable mechanism enabling multiple SAP administrators to utilize the same SAP administrator user profile without sharing the profile itself.
Benefits:
- SAP administrators now only need their IBM i user profile for SAP administrative tasks
- Provides the ability to effectively audit SAP administrator user profiles
- Limits access to authorized users
- SAP administrator user profiles no longer shared
- Interactive use of SAP administrator user profiles eliminated
- Manage multiple SAP installations (running on the same partition) from the same interactive session
[Figure: before and after Secure Administrator for SAP on IBM i]
Commands:
- CRTSUDOENV and DLTSUDOENV: Create/delete the Secure Administrator environment
- GRTSIDSUDO and RVKSIDSUDO: Grant/revoke use of administrator functions for different SAP installations
- LSTSIDSUDO: List Secure Administrator environments and users that have access to each SAP installation
- SIDSUDO: Execute commands under the authority and environment of the specified SAP administrative user profile
Access Control Monitor
Monitor security deviations from application design
- Ad hoc or scheduled reporting to check and report on application objects that are out of corporate security policy standards, data classifications, or other security related configurations
- Prevents user application failures due to inconsistent access controls
- Monitors compliance of libraries, objects, and authorization lists
- Customer extensible to allow automation of objects back into compliance
Network Interface Firewall for IBM i Exit Points
Reduces threat of unauthorized network access
- Users denied by default for greater security
- Users allowed are added via menu
- Allow access through Group Profiles
- Restrict by IP Address
- Log only mode
- Current exit point coverage:
  - DRDA / DDM
  - IFS
  - FTP
  - ODBC/JDBC/File Transfer
  - REXEC
  - RMTCMD (honors LMTCPB!)
  - SQL CLI
  - TELNET *customization required
  - Host Server (Multiple)
- Customization for additional network interfaces available
- Exit programs allow system administrators to control which activities a user account is allowed for each of the specific servers. This easy-to-use interface addresses the most commonly used network interfaces.
Audit Reporting
Security and user auditing management and analysis
- Work with QAUDJRN journal entries and statistics to understand the demographics that define your security operations.
- Easily view system and user auditing statistics to demonstrate to management and auditors that security violations are being observed and handled.
- Filter journal entries by:
  - User Profile
  - Date/Time
- Manage:
  - User object and action auditing values
  - Library/File/IFS object auditing
  - Auditing system values
  - Journal receivers
- Scheduler to automate actions and reports
- Quick Audit of Users
Certificate Expiration Manager (CEM)
Simplifies the management of digital certificates
- Maintains a log of all expiration activities
- Sends notification via email.
- Easy to use configuration GUI is included for managing the XML settings.
- Runs on any platform that supports Java.
- Prevent outages due to expired certificates
[Figure: sample certificate, "University of the Internet", showing Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA]
Password Validation
Enhanced protection through strict password criteria
- Checks the password to see if it contains:
  - The user profile itself
  - Any words from the customer defined dictionary of disallowed words
- Customization available for additional password validations.
Flow:
1. CHGPWD command is called
2. QIBM_QSY_VLD_PASSWRD exit program is automatically run
3. Does password meet exit program requirements?
   - YES: Command completes, password is changed
   - NO: Password is not changed, command returns message
- Assures the security administrator that passwords being entered are not trivial.
Single Sign On (SSO) Suite
Simplify SSO implementation reducing help desk costs
Suite of tools sold individually or à la carte with or without implementation services:
Single Sign On (SSO) Suite for Domino
- Domino Synchronization
- DSAPI Plug-in
Single Sign On (SSO) Suite for EIM
- EIM CL Commands
- EIM Populator
- EIM Management Utility
- EIM Based Password Reset
- EIM Based CRTUSRPRF
- Windows AD Profile Synchronization
Password Synchronization Tool
Single Sign On (SSO) for SAP
An effective alternative to manual configuration
Encryption Suite
Simplify implementation of IBM i cryptographic capabilities
Set of procedures and techniques to simplify the implementation of cryptography using IBM i Operating System capabilities. Choice of service provider:
- Cryptographic Services APIs
- Cryptographic Coprocessor

Field                  SQL Type    DDS Type      Length
Index
Encrypted Data         BINARY      HEXADECIMAL   Multiple of 16 ≥ data length
Key Version            CHARACTER   CHARACTER     ≤ 32
Initialization Vector  BINARY      HEXADECIMAL   16
Hash                   BINARY      HEXADECIMAL   32
Masked Value

Consulting assistance:
- Application design
- Key management
- Custom procedures
- Tape encryption
- Cryptographic techniques
  - Symmetric key encryption
  - Asymmetric key encryption
  - Secure hash
  - Key exchange
Encryption applications:
- Data at rest
- Data in motion
Other Encryption Tools
- Cryptographic Support (CR1) Emulator Tool
- Credit Card Management Subsystem Tool
Questions
PowerSC Tools for IBM i
IBM Lab Services offerings for IBM i security:
- IBM i Security Assessment
- IBM i Single Sign On Implementation
- IBM i Security Remediation
- IBM i Encryption
- Simplifies management and measurement of security & compliance
- Reduces cost of security & compliance
- Improves detection and reporting of security exposures
- Improves the audit capability to satisfy reporting requirements
PowerSC Tools for IBM i Benefits
- Compliance Assessment Tool: Demonstrate adherence to pre-defined security policies
- Security Diagnostics: Reduces operator time involved in remediating exposures
- Privileged Access Control: Ensures compliance with guidelines on privileged users
- Secure Administrator for SAP: Eliminates sharing of SAP administrative profiles
- Access Control Monitor: Prevents user application failures due to inconsistent controls
- Network Interface Firewall: Reduces threat of unauthorized security breach and data loss
- Audit Reporting: Simplifies audit analysis for compliance officer and/or auditors
- Certificate Expiration Manager: Prevents system outages due to expired certificates
- Password Validation: Ensures user passwords are not trivial
- Single Sign On (SSO) Suite: Reduces password resets and simplifies user experience
- Encryption Suite: Helps meet data security standards and protect critical data
For more information on PowerSC Tools for IBM i offerings and services, contact: Terry Ford [email protected] Practice Leader, IBM Systems Lab Services Security
For more information on PowerSC Tools for IBM i
Terry Ford, Team Leader, IBM Systems Lab Services, Security Services [email protected]
Mark Even, IBM Systems Lab Services, IBM i Opportunity [email protected]
http://www-03.ibm.com/systems/services/labservices/contact.html
Mike Gordon, IBM Systems Lab Services, IBM i Opportunity Manager
507-253-3477