Extending iSeries Security: A Presentation. System i Security Products

Uploaded by derek-goldring, posted 14-Dec-2015. Transcript of an 80-page slide deck.

Page 1

Extending iSeries Security: A Presentation

System i Security Products

Page 2

© 2006 PowerTech Group, Inc. All rights reserved. www.mik3.gr

Agenda

> Security Issues regarding System i
> Who is PowerTech?
> Customer Requirements
> System i Security Vulnerabilities
> PowerTech Solutions Overview

Page 3

The PowerTech Group: Definitive iSeries Security

> World-leading company for System i security
> PowerLock AuthorityBroker ships with the iSeries OS
> Acquired leading iSeries SSO technology in 2005
> Winner of the prestigious Industry Driver APEX Award from iSeries News in 2004
> Over 1,000 Enterprise and Small Business customers
> More than 3,000 licenses installed
> Advanced Level IBM Partner

Page 4

Where to Begin (diagram of the security areas the products address): Power Users, Access Control, Data Access, PW/User Mgmt, System Settings, Source Control, Business Continuity, Data Privacy, Security Change Config Mgmt, Real-time Monitoring, Audit for Compliance, Demonstrate Compliance, Be Compliant, High Avail, Data Recov, Data Xfer, Database

Page 5

IT Controls Being Raised

> Legislators are doing their best to raise security from a technology issue to a business concern
> Auditors are defining what security is for companies
> Companies are documenting in-scope processes and procedures
> Risks inherent in IT control are being identified and addressed
> All are looking to COBIT and ISO 17799 for guidance

Page 6

iSeries Environment

> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt iSeries data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?

Page 7

iSeries Security Study

> 87% of libraries were accessible by *PUBLIC (any user on the system) – Auditors recommend 0%

> 80% of access points on iSeries were not monitored or controlled, leaving the possibility for un-audited access to critical data – A violation of CoBIT recommended standards and a threat to data integrity.

> 78% of systems had more than 40 user profiles with default passwords (password = user name) – A red flag for auditors and a violation of CoBIT recommended standards.

> 84% of systems had more than 10 users with *ALLOBJ (all-powerful users) – A red flag for auditors, and a threat to data integrity and accountability.

Page 8

Data Access - Public Authority to Libraries

iSeries Security Study 2005 (Source: The PowerTech Group). Distribution of public authority across libraries:

> *USE: 25%
> *CHANGE: 53%
> *ALL: 9%
> AUTL (authorization list): 5%
> *EXCLUDE: 8%

Page 9

iSeries Security Gap (diagram: Employees, Customers and Remote Employees, each labelled "Menu Access Only")

Ramifications:

> No visibility into network activity
> No control of network activity
> No security monitoring

In the old days you could rely on menu security. But once PCs came along and the iSeries was opened up to ODBC, FTP and remote command, the iSeries became vulnerable.

Page 10

IBM Recognizes the Problem

> “ODBC introduced a plethora of desktop applications that offer easy access to data on the as/400 via a few mouse clicks.”

> “COMMON BACKDOORS - Several servers offer methods to submit AS/400 commands via the client. Restricting command line usage does not block this.”

From the IBM technote “Security Issues with Client Access ODBC Driver”: http://www-1.ibm.com/support/docview.wss?uid=nas1936b3cdad3645bd98625667a00709a29

Page 11

Customer Data

> Can users perform functions/activities that are in conflict with their job responsibilities?
> Can users modify/corrupt application data?
> Can users circumvent controls to initiate/record unauthorized transactions?
> Can users engage in fraud and cover their tracks?

Page 12

Data Access - Public Authority (chart: percentage of libraries at each public authority, *AUTL, *EXCLUDE, *USE, *CHANGE and *ALL, for Industry Average, Best Practice, System 1 and System 2)

Can users perform functions/activities that are in conflict with their job responsibilities? Yes

Page 13

Data Access - Special Authorities: *ALLOBJ (chart: number of users with *ALLOBJ, 0 to 35, for Industry Average, Best Practice, System 1 and System 2)

Can users modify/corrupt iSeries data? Yes

Can users circumvent controls to initiate/record unauthorized transactions? Yes

Page 14

Data Access - Network Access (chart: percentage, 0% to 100%, for Industry Average, Best Practice, System 1 and System 2)

Can users engage in fraud and cover their tracks? Yes

Page 15

Product Overview (diagram)

Products: AuthorityBroker, NetworkSecurity, SecurityAudit, ISS - Robot, Single Sign-On, Compliance Monitor

Capabilities: Control Powerful Users (Separation of Duties), Access Control, Regular Auditing, Real Time Monitoring, Access Control SSO, Back Up Encryption, Data Encryption

FlashAudit on iSeries Security

Page 16

> Compliance Monitor

Page 17

PowerLock ComplianceMonitor

Page 18

Case Study

> Large multinational retail company dealing with SOX compliance issues

> Problem:
  No staff available to develop new custom reports
  IT security group is not familiar with iSeries
  Overwhelmed with the burden of tracking more than 10 systems

> Answer: PowerLock ComplianceMonitor
  IT staff save development time
  Expert guidance built into the product
  Consolidated reports

Page 19

Requirements

> Be compliant with regulations: SOX, HIPAA, PCI, privacy laws

> Demonstrate compliance through regular reporting
  Automatic scheduling
  Focus on exceptions to policy
  Historical comparisons of audit results
  Process to report on: user profile/account data, system values, authority to objects, network access control

Page 20

Systems are arranged in user-defined groups to match the business environment.

A system (or endpoint as it is called in the product) can belong to more than one group. This allows you to selectively audit and report on sets of systems.

Page 21

Page 22

Page 23

The System Value scorecard highlights exceptions to policy with a red down triangle; a green up arrow shows settings that match policy. The policy is stored in an XML file, which can be updated to match a specific company policy.

Page 24

Consolidated report across three systems. The system value view shows them next to each other for comparison purposes. PLCM can collect all system values; in this report we are looking specifically at the security system values.

Page 25

Effective special authority: it is not just the special authority of the user profile itself; we also check whether the user has inherited special authorities through membership in a group profile.

Page 26

> Network Security

Page 27

Features

> Customizable reporting
  PowerTech recommended reports
  GUI to create custom SQL queries (filters)
  Flexible interface and grid view

> Expert guidance
  Scorecards rate compliance against security policy
  Exceptions are highlighted
  Compliance guide

> Consolidation across multiple systems
  Drastically cuts the number of reports

Page 28

PowerLock NetworkSecurity Technology

> IBM recognizes the security problems with network access to iSeries assets, and has added and continues to add network access exit points.

> NetworkSecurity implements exit point programs that monitor and control iSeries access through the network interfaces.

> Exit point programs intercept, and can record, inbound requests.

> Access requests can be controlled by:
  User profile, group profile, supplementary group profile, *PUBLIC
  Device name, IP address, PowerLock IP address groups or generic names
  Server and function type (remote command, FTP download, FTP upload, etc.)

> Can be configured to emulate an increase or decrease in object authorities

Page 29

PowerLock NetworkSecurity Technology

What is an exit point anyway?

A point in a process where control can be passed to a user-supplied program. The user-supplied program can usually perform processing that overrides or complements the processing done by the main process.

Diagram: the main program (IBM's FTP Server) receives an access request and calls the exit program; the user-supplied exit program analyzes the request and returns data; the main program then continues processing.
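The exit-point flow above, as an added example that is not PowerTech's or IBM's code: a Python model of a user-supplied exit program that receives each inbound request, picks the most specific matching access rule and journals every decision. The Rule and Request fields, the server and function names (*FTPSERVER, *SQL, *RMTSRV, GET, SELECT, RMTCMD) and the sample requests are constructed, and the precedence order (user over group over generic name over *PUBLIC, then a specific IP range over *ALL, then a named function over *ALL) is this model's assumption rather than the product's documented behaviour.

```python
# Exit-point access filter: most-specific rule wins, everything is journaled,
# and a request that matches no rule is rejected (exclude-based security).
from dataclasses import dataclass
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    user: str
    groups: tuple      # group profile plus supplemental group profiles
    ip: str
    server: str        # constructed names, e.g. "*FTPSERVER", "*SQL", "*RMTSRV"
    function: str      # constructed names, e.g. "GET", "PUT", "SELECT", "RMTCMD"


@dataclass(frozen=True)
class Rule:
    subject: str       # user, group, generic name such as "ACCT*", or "*PUBLIC"
    location: str      # CIDR block or "*ALL"
    server: str        # server name or "*ALL"
    function: str      # function name or "*ALL"
    action: str        # "ALLOW" or "REJECT"


def specificity(rule, req):
    """How specifically the rule matches the request, or None if it does not match."""
    if rule.subject == "*PUBLIC":
        subj = 0
    elif rule.subject == req.user:
        subj = 3
    elif rule.subject in req.groups:
        subj = 2
    elif any(fnmatchcase(n, rule.subject) for n in (req.user, *req.groups)):
        subj = 1                                   # generic (wildcard) name
    else:
        return None
    if rule.location == "*ALL":
        loc = 0
    elif ip_address(req.ip) in ip_network(rule.location):
        loc = 1
    else:
        return None
    if rule.server not in ("*ALL", req.server):
        return None
    if rule.function == req.function:
        fn = 1
    elif rule.function == "*ALL":
        fn = 0
    else:
        return None
    return (subj, loc, fn)


class ExitProgram:
    """Stands in for the user-supplied program the server calls at its exit point."""

    def __init__(self, rules):
        self.rules = rules
        self.audit = []            # every request is recorded, allowed or not

    def __call__(self, req):
        best = None
        for rule in self.rules:
            score = specificity(rule, req)
            if score is not None and (best is None or score > best[0]):
                best = (score, rule)
        decision = best[1].action if best else "REJECT"   # no rule, no access
        self.audit.append((req.user, req.ip, req.server, req.function, decision))
        return decision


# Constructed policy: reject everything, then open only the paths the business needs.
RULES = [
    Rule("*PUBLIC", "*ALL", "*ALL", "*ALL", "REJECT"),
    Rule("ACCTG", "10.1.5.0/24", "*SQL", "SELECT", "ALLOW"),  # read-only ODBC from the office LAN
    Rule("JACKM", "*ALL", "*FTPSERVER", "GET", "ALLOW"),       # downloads only, no uploads
    Rule("TEMP1", "*ALL", "*ALL", "*ALL", "REJECT"),           # a user-level block outranks a group ALLOW
]

REQUESTS = [  # constructed inbound requests
    Request("JACKM", ("ACCTG",), "10.1.5.20", "*SQL", "SELECT"),       # ALLOW via the group rule
    Request("JACKM", ("ACCTG",), "192.168.9.7", "*SQL", "SELECT"),     # REJECT: outside the LAN
    Request("JACKM", ("ACCTG",), "10.1.5.20", "*FTPSERVER", "GET"),    # ALLOW via the user rule
    Request("JACKM", ("ACCTG",), "10.1.5.20", "*FTPSERVER", "PUT"),    # REJECT: function not opened
    Request("TEMP1", ("ACCTG",), "10.1.5.30", "*SQL", "SELECT"),       # REJECT: user rule beats group rule
    Request("SALLY", ("SALES",), "10.1.5.21", "*RMTSRV", "RMTCMD"),    # REJECT: falls through to *PUBLIC
]


def run_demo():
    """Evaluate the sample requests; returns (decisions, rejected audit entries)."""
    exit_pgm = ExitProgram(RULES)
    decisions = [exit_pgm(r) for r in REQUESTS]
    rejected = [entry for entry in exit_pgm.audit if entry[-1] == "REJECT"]
    return decisions, rejected


if __name__ == "__main__":
    for req, decision in zip(REQUESTS, run_demo()[0]):
        print(f"{decision:6} {req.user:6} {req.ip:12} {req.server} {req.function}")
```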

Page 30

PowerLock NetworkSecurity Technology

> PowerLock NetworkSecurity provides exit point programs that allow iSeries customers to monitor and take control of their network interfaces (FTP, ODBC, Telnet, DDM, Client Access, etc.)

Page 31

Network Exit Points

> 4 major categories of network exit points:
  Original PCS servers (PCSACC)
  DDM & DRDA servers (DDMACC)
  Optimized Client Access servers (WRKREGINF)
  TCP/IP servers (WRKREGINF)

> More than 30 network servers

> More than 250 combinations of servers & functions that regulate network access

Page 32

Network Servers that can be monitored and controlled

> Original Servers: Virtual Print Server, File Transfer Function, Message Function, Data Queue, Remote SQL, License Management, Shared Folders

> DDM (including DRDA) Server

> Optimized Servers: File Server, Database Server, Data Queue Server, Network Print Server, Central Server, Remote Command Server, Signon Server

> TCP/IP Servers: FTP, TELNET, WSG (V5R1), etc.

Page 33

iSeries Network Access with PowerLock NetworkSecurity (diagram: the FTP Server, TELNET Server, Database Server, DDM Server and DRDA Server all pass through PowerLock)

PowerLock NetworkSecurity is the software that controls and monitors access to the iSeries through the network interfaces.

Page 34

Reporting current exposures

> To help you get a current view of your network access exposures, NetworkSecurity includes comprehensive reporting capabilities. NetworkSecurity includes several reports that may be run at any time. The Reporting Menu is accessed using option 4 from the NetworkSecurity Main Menu.

> If you want information on all network access attempts, you can run the NetworkSecurity reports for All users at All locations. While this will create a lengthy report, it will provide all the detail you need to determine who is connecting to your system, and what functions are being performed.

> Right after activation there will be few if any entries on the reports, because NetworkSecurity only begins to record access attempts once it is activated. Some applications like JDE OneWorld and FastFax can generate lots of entries very quickly.

Page 35

NetworkSecurity Work with Servers

Page 36

> Authority Broker

Page 37

Sarbanes-Oxley Implications

> COBIT DS5.3 – Security of Online Access to Data

“… IT management should implement procedures in line with the security policy that provides access security control based on the individual’s demonstrated need to view, add, change, or delete data.”

Page 38

Reactive Security (diagram: Customers and Employees reaching the system)

Many companies use reactive security, trying to respond to breaches as they occur. The problem with trying to find all the different ways people can get to your data is that you will never find all the different approaches. Instead, PowerTech takes an exclude-based security approach.

Page 39

Exclude Based Security (diagram: Customers and Employees reaching the system)

PowerTech allows you to determine first what type of activity you want to allow. Then you lock everything else out and set up alerts so you know when someone is trying to do something you don't allow; at that point you can decide whether to allow them to do it or not.

Page 40

Case Study: The Solution

> Remove special authorities from the programmer on the production system

> Implement PowerLock AuthorityBroker
  Programmer "switches" into a powerful profile when needed
  All actions are audited to a secure journal
  Management gets alerts (to cellphone!)
  Management reviews and signs off on regular reports

> Compliance - Auditors are happy!

Page 41

Customer Requirements

> Log and record activity of powerful users

> Flexible reporting options
  3 levels of detail
  Filter out unnecessary information
  Print, database, .csv

> Time-specific controls
  Limit duration of profile switch
  Specific day, date, and time restrictions
  Delegate "Firecall" to Helpdesk personnel

Page 42

Product Demo

Page 43

> Security Audit

Page 44

PowerLock SecurityAudit

> Assesses your iSeries and AS/400 systems
  Complete history
  Instant view of changes

> Used by internal auditors
  No special authorities (like *ALLOBJ) required for auditors

> 200+ reports available
  Network transactions
  Object level assessments
  User profiles and system values
  Continuous auditing of events, objects, users and system values

> Comprehensive reporting and analysis

Page 45

System Requirements

> V5R1 of OS/400 or later

> 100 MB of disk space

> *ALLOBJ special authority for installation

> Users without *ALLOBJ should be added to the SECAUDADM authorization list to allow them to run reports

Page 46

Value Proposition

> SOX related usage opportunities: SecurityAudit generates reports that can be used to test the effectiveness of AS/400 related logical access IT General Controls.

> Improves efficiency of audits

> Improves quality and consistency of audits

Page 47

OS/400 Report

Page 48

SecurityAudit Report

Page 49

PowerLock SecurityAudit Demonstration

Page 50

PowerLock SecurityAudit Demonstration

Page 51

Powerful Users

> Special Authorities = Power! Special authorities trump OS/400 object level authorities.

> A user with ...
  *ALLOBJ can read, change, or delete any object on the system.
  *SPLCTL can read, change, print, or delete any spool file on the system.
  *JOBCTL can view, change, or stop any job on the system (includes ENDSBS and PWRDWNSYS).
  *SAVSYS can read or delete any object on the system.

Page 52

Powerful Users

Page 53

User Profiles

> Users with command line access: Limit Capability of *NO or *PARTIAL

> Default passwords: username = password

> Inactive (dormant) accounts: any profile that has not been used in the last 90 days

> IBM profiles

> Group profiles: password of *NONE; should not be used for sign-on

> Public authority: public should be set to *EXCLUDE
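The checks described on slide 23 (system value scorecard driven by an XML policy file), slide 25 (effective special authority, including what is inherited from group profiles) and the user profile checks above, as one added Python example that is not PowerTech's code: the XML policy layout, the Profile fields and all endpoint data are constructed; QSECURITY, QPWDEXPITV, QMAXSIGN and QCRTAUT are real IBM i system value names, but the values scored here are made up.

```python
# Compliance scorecard: system values vs. an XML policy, effective special
# authority through group and supplemental groups, and user-profile findings.
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import date, timedelta

POLICY_XML = """<policy>
  <systemValues>
    <value name="QSECURITY" min="40"/>
    <value name="QPWDEXPITV" max="90"/>
    <value name="QMAXSIGN" max="3"/>
    <value name="QCRTAUT" equals="*EXCLUDE"/>
  </systemValues>
  <userProfiles dormantDays="90" maxAllObj="10"/>
</policy>"""   # constructed policy file

@dataclass
class Profile:
    name: str
    spcaut: frozenset               # special authorities granted directly
    grpprf: str = "*NONE"           # group profile
    supgrpprf: tuple = ()           # supplemental group profiles
    lmtcpb: str = "*YES"            # limit capabilities: *YES, *PARTIAL or *NO
    password_none: bool = False     # password *NONE: the profile cannot sign on
    default_password: bool = False  # outcome of a default-password check (constructed flag)
    last_used: date = None

def load_policy(xml_text):
    root = ET.fromstring(xml_text)
    rules = {v.get("name"): dict(v.attrib) for v in root.find("systemValues")}
    up = root.find("userProfiles").attrib
    return {"systemValues": rules, "dormantDays": int(up["dormantDays"]),
            "maxAllObj": int(up["maxAllObj"])}

def _as_int(value):
    try:
        return int(value)
    except (TypeError, ValueError):  # e.g. QMAXSIGN set to *NOMAX
        return None

def score_system_values(policy, actual):
    """Return {name: 'OK' | 'EXCEPTION'}: the scorecard's green up arrow or red down triangle."""
    card = {}
    for name, rule in policy["systemValues"].items():
        val = actual.get(name)
        if "equals" in rule:
            ok = val == rule["equals"]
        else:
            n = _as_int(val)
            ok = (n is not None and ("min" not in rule or n >= int(rule["min"]))
                  and ("max" not in rule or n <= int(rule["max"])))
        card[name] = "OK" if ok else "EXCEPTION"
    return card

def effective_spcaut(profile, directory):
    """Own special authorities plus those of the group and supplemental group profiles."""
    auths = set(profile.spcaut)
    for g in (profile.grpprf, *profile.supgrpprf):
        if g in directory:
            auths |= directory[g].spcaut
    return frozenset(auths)

def review_profiles(policy, profiles, today):
    directory = {p.name: p for p in profiles}
    groups = {p.grpprf for p in profiles} | {g for p in profiles for g in p.supgrpprf}
    findings = {k: [] for k in ("allobj", "command_line", "default_password", "dormant", "group_signon")}
    for p in profiles:
        if "*ALLOBJ" in effective_spcaut(p, directory):
            findings["allobj"].append(p.name)
        if p.lmtcpb in ("*NO", "*PARTIAL"):
            findings["command_line"].append(p.name)
        if p.default_password:
            findings["default_password"].append(p.name)
        if p.last_used and (today - p.last_used).days > policy["dormantDays"]:
            findings["dormant"].append(p.name)
        if p.name in groups and not p.password_none:   # group profiles must not sign on
            findings["group_signon"].append(p.name)
    findings["allobj_within_policy"] = len(findings["allobj"]) <= policy["maxAllObj"]
    return findings

TODAY = date(2006, 6, 1)
PROFILES = [  # constructed endpoint data
    Profile("PGMRS", frozenset({"*ALLOBJ", "*JOBCTL"}), lmtcpb="*NO", password_none=True),
    Profile("ACCTG", frozenset()),                      # group profile that still has a password
    Profile("JACKM", frozenset({"*JOBCTL"}), "ACCTG", ("PGMRS",), last_used=TODAY - timedelta(days=3)),
    Profile("SALLY", frozenset(), "ACCTG", lmtcpb="*PARTIAL", default_password=True,
            last_used=TODAY - timedelta(days=120)),
    Profile("QSECOFR", frozenset({"*ALLOBJ", "*SECADM"}), lmtcpb="*NO", last_used=TODAY),
]
SYSTEM_VALUES = {"QSECURITY": "30", "QPWDEXPITV": "90", "QMAXSIGN": "*NOMAX", "QCRTAUT": "*CHANGE"}

def run_scorecard():
    """Return (system value scorecard, user profile findings) for the constructed endpoint."""
    policy = load_policy(POLICY_XML)
    return score_system_values(policy, SYSTEM_VALUES), review_profiles(policy, PROFILES, TODAY)
```

JACKM carries *ALLOBJ only through the supplemental group PGMRS, which is exactly the inherited authority a check on the profile alone would miss.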

Page 54

Sample Reports

Page 55

Special Authorities

Page 56

User Access – System Users

Page 57

Public Authority to Data

> To mitigate the risk of unauthorized program changes and database alterations, the public authority for each significant production database and production source code file must be set to *EXCLUDE, with access allowed through appropriate individual settings.

> In addition, any programmer access to production libraries should be restricted.

Page 58

Adopted Authority

Page 59

Library Authorities

Page 60

Library Authorities

Page 61

Security Audit Journal

> Failed sign-on attempts
> Unauthorized access to files
> Security sensitive operations, e.g. changing system values
> Restore actions to security sensitive objects
> Object move and rename operations

Page 62

> Single Sign On (SSO)

Page 63

Agenda

A. The Problems with Passwords

B. What is Single Signon

C. Who Benefits from Single Signon?

D. How does it work?

E. Five Steps to Single Signon.

F. PowerLock EasyPass

Page 64

The Problems with Passwords

> Passwords have been around since the dawn of computers, and they are starting to show their age.

> What are the key features of a password?
  A password is a secret associated with a user ID.
  Passwords should work only on the hosting system.
  For each unique user ID on each system, there is a single, correct key.

Page 65

The Problems with Passwords

> Each computer system the user logs on to (theoretically) has a different password. How many unique passwords do you really have?

> Users must remember their passwords. But we don't want users to write them down. Users shouldn't use easy-to-guess passwords.

> Your users log on to many, many systems: internal systems, home, websites etc. A user could have passwords for a hundred different systems. Some external servers are not secure and not to be trusted.

Page 66

The Problems with Passwords

> Each password on each of your servers represents a potential security exposure. The more passwords you have, the more exposures you have.

> The chief protection for passwords is your end users. Humans are almost always the weakest link in the security chain.

> Reducing the number of passwords a user is responsible for reduces your organization's security exposure. Users can't compromise a password they don't know.

Page 67

What is Single Signon?

> Single Signon is a technology that requires a user to authenticate only one time per session, regardless of the number of systems connected to.
  The first server authenticates the user, then vouches for that user's authenticity to other systems.
  The user is then able to seamlessly connect to all of the other trusted systems in that domain.
  A single authentication can be good for a number of hours, a number that you can set.

Page 68

What is Single Signon?

> Single Signon requires that the user only have one password. This password would be for the first server they connect to each morning.

> With only one password to remember, users require less help desk assistance. It's also easier and faster to reset passwords on a single system.

> Single Signon simplifies disabling a user. Again, there is just one entry to maintain.

Page 69

What isn’t Single Signon?

> Single Signon isn't password synchronization.
  It doesn't require that a password be shared among multiple systems.
  It does not require a user to log on separately to each server.
  It doesn't send passwords around the network in clear text.

> Single Signon is not password replay.
  It doesn't capture passwords on an appliance and replay them for each server.
  It doesn't store passwords in multiple places.
  It doesn't send passwords around the network in clear text.

Page 70

Who benefits from Single Signon?

> Users: fewer passwords to remember; less time spent authenticating on your network; far, far fewer password reset requests

> Help Desk: far, far fewer password reset requests

> System Administrators: more secure systems; more secure passwords; fewer invalid signon attempts

> Programmers: more robust applications; pull data from several sources without authentication hassles

> Management: more secure systems; less cost!

Page 71

How Does it work?

> Single Signon uses industry standard technologies from several leading sources.
  Kerberos authentication, developed at M.I.T. in the 1980's and funded by a grant from DEC and IBM
  Active Directory, introduced by Microsoft with Windows 2000 for secure network authentication
  Enterprise Identity Mapping (EIM), introduced by IBM in 2001(?) to provide user identity mapping across dissimilar servers

> Backed by computer industry powerhouses, Single Signon is the new authentication standard. Kerberos, Active Directory, and EIM combine to make stronger, simpler, and more secure user authentication.

Page 72

How Do I get started?

> If you use these OS's, you already have the ingredients to get started: OS/400 V5R2 or higher; Windows Server 2000 or higher

> Unlike other technologies, Single Signon deployment can be incremental. No need to change the whole organization: start with a small group. Start with yourself and experience the benefits first hand.

> With experienced assistance, you can truly go to "Single Signon in a single day". Some assembly required.

Page 73

PowerLock EasyPass

> Single Signon implementations are better, faster, and more reliable when you use automated tools.

> PowerLock EasyPass simplifies the steps of setting up, associating, and maintaining user IDs and user associations.

> User associations can be maintained across multiple systems and multiple OS's: OS/400 V5R2 or higher, Windows Server 2000 or higher, Lotus Domino, WebSphere, AIX and more...

Page 74

Measuring SSO ROI

> Productivity gain > cost?

> Cost components: management, implementation, acquisition

Page 75

Synchronization SSO Approach

User ID/Password Synchronization
• No end user productivity gains (not really SSO)
• Must deploy and configure a synchronization service
• Passwords must still be changed and audited
• Must troubleshoot synchronization issues
• User IDs and passwords are limited by platform

Diagram: five systems, each holding the same synchronized credentials (UID: JACKM, PWD: TEXAS)

Page 76

Centralization SSO Approach

User ID/Password Centralization
• End user productivity gains
• "Capture & Replay" function must be deployed on all PCs
• "Capture & Replay" must be initially trained
• Passwords must still be changed and audited
• Must troubleshoot centralization issues

Diagram: five systems with different credentials (UID: rjmcafee, PWD: SpaceCenter; UID: RJMCAF, PWD: ALAMO; UID: JACK, PWD: LONGHORN; UID: JACKM, PWD: HOUSTON; UID: jmcafee, PWD: LoneStar), all copied into a Central Repository

Page 77

The Password Elimination Approach

Single Sign-On Components

> Kerberos for authentication
  Uses strongly encrypted tickets and not passwords
  Implemented on all major platforms

> Enterprise Identity Mapping (EIM) for authorization
  Maps people to their user identities on various registries
  A registry might be a platform, application, or middleware

> Applications enabled for Kerberos and EIM
  IBM has enabled many popular services in V5R2 and i5/OS
  NetManage has enabled RUMBA 7.4 & OnWeb Web-to-Host 5.2
  Customers can also enable their applications (Services!)

Page 78

The Password Elimination Approach

EIM and Kerberos
• End user productivity gains
• Easy to implement: no synchronization
• Easy to manage: no centralization
• Password elimination!

Diagram: source (jmcafee on the KDC), targets and the Key Distribution Center (KDC), all inside an EIM domain.

1. Sign on as jmcafee and get a Kerberos TGT
2. The KDC sends a Kerberos ST to the iSeries
3. i1 authenticates the Kerberos ST
4. EIM: Jack McAfee is authorized on the iSeries as JACKM

Source: jmcafee on KDC. Target: JACKM on iSeries.

Target identities: UID: rjmcafee, PWD: SpaceCenter; UID: RJMCAF, PWD: ALAMO; UID: JACK, PWD: *NONE; UID: JACKM, PWD: HOUSTON; UID: jmcafee, PWD: LoneStar
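The four-step flow above, as an added Python example that is not IBM's or PowerTech's code: a KDC issues a TGT and then a service ticket (ST), the iSeries verifies the ST, and an EIM domain maps the Kerberos principal jmcafee@EXAMPLE.COM to the local profile JACKM, whose own password is *NONE. Kerberos is reduced to HMAC-protected tickets over shared keys with no encryption or session keys; the realm EXAMPLE.COM, the keys, the identifier name "Jack McAfee", the registry names and the "intern" principal are constructed, while krbsvr400/host@REALM is the service principal form IBM i uses.

```python
# Password-elimination sign-on: Kerberos-style tickets (HMAC only) plus EIM lookup.
# Realm, keys and registry names are constructed; real Kerberos crypto is left out.
import hashlib, hmac, json

REALM = "EXAMPLE.COM"
ISERIES_SPN = f"krbsvr400/i1.example.com@{REALM}"   # IBM i service principal form
ISERIES_KEY = b"constructed-iseries-service-key"

def _ticket(key, claims):
    body = json.dumps(claims, sort_keys=True).encode()
    return body + b"." + hmac.new(key, body, hashlib.sha256).hexdigest().encode()

def _open_ticket(key, ticket, now):
    """Return the claims if the MAC verifies and the ticket is unexpired, else None."""
    body, _, mac = ticket.rpartition(b".")
    expect = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(mac, expect):
        return None
    claims = json.loads(body)
    return claims if claims["expires"] > now else None

class KDC:
    def __init__(self, principals, service_keys):
        self.principals = principals        # principal -> password (the one password left)
        self.service_keys = service_keys    # service principal -> long-term key
        self.tgs_key = b"constructed-kdc-tgs-key"

    def as_exchange(self, principal, password, now):
        """Step 1: authenticate the user once and hand back a TGT."""
        if self.principals.get(principal) != password:
            raise PermissionError("pre-authentication failed")
        return _ticket(self.tgs_key, {"client": f"{principal}@{REALM}", "expires": now + 8 * 3600})

    def tgs_exchange(self, tgt, service, now):
        """Step 2: exchange a valid TGT for a service ticket (ST) the target can verify."""
        claims = _open_ticket(self.tgs_key, tgt, now)
        if claims is None:
            raise PermissionError("TGT invalid or expired")
        st = {"client": claims["client"], "service": service, "expires": min(claims["expires"], now + 3600)}
        return _ticket(self.service_keys[service], st)

class EIMDomain:
    """Identifiers with source associations (who is this?) and target associations (who are they here?)."""
    def __init__(self):
        self.source = {}   # (registry, user) -> identifier
        self.target = {}   # (identifier, registry) -> user

    def add_source(self, identifier, registry, user):
        self.source[(registry, user)] = identifier

    def add_target(self, identifier, registry, user):
        self.target[(identifier, registry)] = user

    def lookup(self, src_registry, src_user, tgt_registry):
        identifier = self.source.get((src_registry, src_user))
        return self.target.get((identifier, tgt_registry)) if identifier else None

class ISeries:
    def __init__(self, registry, key, eim, profiles):
        self.registry, self.key, self.eim, self.profiles = registry, key, eim, profiles

    def accept(self, st, now):
        """Steps 3 and 4: verify the ST, then let EIM map the principal to a local profile."""
        claims = _open_ticket(self.key, st, now)
        if claims is None or claims["service"] != ISERIES_SPN:
            return None
        user, _, realm = claims["client"].rpartition("@")
        profile = self.eim.lookup(realm, user, self.registry)
        return profile if profile in self.profiles else None

    def password_signon(self, profile, password):
        """A profile whose password is *NONE cannot be used with any password."""
        stored = self.profiles.get(profile)
        return stored not in (None, "*NONE") and stored == password

def run_flow(now=1_150_000_000):
    kdc = KDC({"jmcafee": "LoneStar", "intern": "Summer06"}, {ISERIES_SPN: ISERIES_KEY})
    eim = EIMDomain()
    eim.add_source("Jack McAfee", REALM, "jmcafee")
    eim.add_target("Jack McAfee", "I1.EXAMPLE.COM", "JACKM")
    eim.add_target("Jack McAfee", "AIX.EXAMPLE.COM", "rjmcafee")   # same person on another registry
    i1 = ISeries("I1.EXAMPLE.COM", ISERIES_KEY, eim, {"JACKM": "*NONE", "JACK": "*NONE"})
    st = kdc.tgs_exchange(kdc.as_exchange("jmcafee", "LoneStar", now), ISERIES_SPN, now)
    forged = st[:-1] + (b"0" if st[-1:] != b"0" else b"1")         # one hex digit of the MAC changed
    intern_st = kdc.tgs_exchange(kdc.as_exchange("intern", "Summer06", now), ISERIES_SPN, now)
    return {
        "mapped": i1.accept(st, now),                               # "JACKM"
        "forged": i1.accept(forged, now),                           # None: MAC check fails
        "expired": i1.accept(st, now + 2 * 3600),                   # None: ST lifetime is one hour
        "unmapped": i1.accept(intern_st, now),                      # None: valid ST, no EIM association
        "password_signon": i1.password_signon("JACKM", "HOUSTON"),  # False: profile password is *NONE
    }
```

The "unmapped" case is the one an EIM administrator sees most often: the KDC vouches for the user, but without a target association on the iSeries registry there is no profile to sign on as.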

Page 79

Top 10 Password Elimination Benefits

1. No need to install and configure another new IT infrastructure layer;
2. Less IT infrastructure means incremental and faster deployment;
3. Less IT infrastructure means lower cost to deploy and maintain;
4. Existing IT infrastructure is already supported by companies like IBM, Microsoft, Novell, SuSE, Red Hat, and many others;
5. Existing IT infrastructure leverages EIM to document user account ownership, which is a powerful business tool;
6. Existing IT infrastructure leverages a combination of authentication technologies like Kerberos (Windows), Identity Tokens (WebSphere), Pluggable Authentication Modules (UNIX or Linux PAMs), and others, rather than passwords;
7. Password elimination results in fewer help desk password reset calls;
8. Password elimination includes distributed applications, which no longer require hard coded user IDs and passwords to be sent across the network;
9. Password elimination results in fewer passwords to audit and change every 30, 60, 90 days per company policy;
10. Fewer passwords to audit helps exceed regulatory requirements (i.e. SOX, HIPAA, GLBA, ISO17799, etc.)

Page 80

Extending iSeries Security: A Presentation

PowerTech Security Solutions extend iSeries security

Thank You

www.mik3.gr