PowerSC Tools for IBM i · 2013-11-01

© 2013 IBM Corporation · IBM Systems Lab Services

PowerSC Tools for IBM i: A service offering from IBM Systems Lab Services


PowerSC Tools for IBM i

PowerSC Tools for IBM i helps clients ensure a higher level of security and compliance

Client Benefits

• Simplifies management and measurement of security & compliance

• Reduces cost of security & compliance

• Reduces security exposures

• Improves the audit capability to satisfy reporting requirements

PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services


Positioning IBM i with PowerSC

PowerSC Feature Exp Std TS Source of comparable capability for IBM i

Security and Compliance Monitoring and Reporting: PowerSC Tools for IBM i includes a Compliance Assessment and Reporting Tool. Additional products available from ISVs, see http://www-03.ibm.com/systems/power/software/i/security/partner_showcase.html

Trusted Logging: PowerSC Trusted Audit Data Repository – Capability is built into IBM i operating system

Trusted Boot: PowerSC Trusted Digital Signature Verification – Capability is built into IBM i operating system

Trusted Network Connect and Patch Management: No equivalent IBM i functionality

Trusted Firewall: PowerSC Trusted Firewall feature supports IBM i VMs

Trusted Surveyor: PowerSC Trusted Surveyor offering supports IBM i VMs


1. IBM i Security Assessment: An experienced IBM i consultant will collect and analyze data using PowerSC Tools for IBM i. The engagement results in a comprehensive report with findings and recommendations for improved compliance and security remediation.

2. IBM i Single Sign On Implementation: SSO improves end user productivity and saves help desk costs. In this services engagement, an experienced IBM consultant will advise on SSO options and provide implementation assistance leveraging the SSO suite components of the PowerSC Tools for IBM i.

3. IBM i Security Remediation: An experienced IBM consultant will advise on best practices to address IBM i security and compliance issues. The consultant will provide remediation assistance leveraging the PowerSC Tools for IBM i.

4. IBM i Encryption Services: An experienced IBM consultant will advise on best practices to implement data encryption on IBM i, leveraging the PowerSC Tools for IBM i Encryption Suite as appropriate. Tape Encryption implementation services are also available.

IBM i Security Services from IBM Systems Lab Services

www.ibm.com/systems/services/labservices [email protected]

For more information on PowerSC Tools for IBM i offerings and services, contact:

Mark [email protected], 507-253-1313

Mike [email protected], 507-253-3477

Terry [email protected], 507-253-7241, Practice Leader, Security Services


PowerSC Tools for IBM i

Tools / Feature | Function | Benefit
Compliance Assessment and Reporting Tool | Daily compliance dashboard report/s at LPAR, system or enterprise level | Enables compliance officer to demonstrate adherence to pre-defined security policies
Security Diagnostics | Reports detailing security configuration settings and identifying deficiencies | Reduces operator time involved in remediating security exposures
Privileged Access Control | Controls the number of privileged users | Ensures compliance with industry guidelines on privileged users
Secure Administrator for SAP | Manages and controls access to powerful SAP administrative profiles | Eliminates sharing of SAP administrative profiles with enhanced security auditing
Access Control Monitor | Monitors security deviations from application design | Prevents user application failures due to inconsistent access controls
Network Interface Firewall for IBM i Exit Points | Controls access to Exit Point interfaces such as ODBC, FTP, RMTCMD, etc. | Reduces threat of unauthorized security breach and data loss
Audit Reporting | Consolidates and reduces security audit journal information | Simplifies audit analysis for compliance officer and/or auditors
Certificate Expiration Manager | Simplifies management of digital certificates expiration | Helps operators prevent system outages due to expired certificates
Password Validation | Enhances IBM i operating system protection with stricter password validation | Enables security officers to ensure user passwords are not trivial
Single Sign On (SSO) Suite | Simplifies implementation of SSO and password synchronization | Reduces password resets and simplifies end user experience
Encryption Suite | Simplifies implementation of cryptography using IBM i operating system capabilities | Helps application developers meet data security standards and protect critical data

PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services


Compliance Assessment and Reporting Tool

Centralized reporting of IBM i security

• Covers:

- Password management

- Profile administration

- Special authorities

- Group inheritance

- Network configuration

- Netserver attributes

- Operational security

- Security risks and more

• Daily compliance dashboard report/s at VM (partition), system or enterprise level

• An automated collection, analysis, and reporting tool on over 900 security related risks, information, statistics and demographics. All in one location and easy to use!

• Enables compliance officer to demonstrate adherence to pre-defined or customer-defined security policies.

• Security reporting made easy!


Security Diagnostics

In depth security collection and reporting

• Reduces security administrator time involved in remediating exposures

• Reports on:

– User profiles

– Adopted authority programs

– Trigger programs

– Work Management

– Auditing configuration

– Network attributes

– Integrated File System

– Over 70 reports


Privileged Access Control

Ensures compliance to industry guidelines on privileged users

Without careful control, privileged users can pose a risk to your system security. This tool enables the security administrator to reduce privileged accounts, with a mechanism to temporarily elevate privileges to users when needed.

• Option to change identity for troubleshooting, IFS access and object ownership requirements

• Fully audited

• Automated email notifications sent to distribution list when tool is invoked that includes a log of activities performed


Secure Administrator for SAP on IBM i

Eliminates sharing of powerful SAP administrator user profiles

SAP provided administrator user profiles are often shared leading to security exposures and ineffective auditing. Secure Administrator for SAP on IBM i addresses this exposure by providing a secure and auditable mechanism enabling multiple SAP administrators to utilize the same SAP administrator user profile without sharing the profile itself.

Benefits:

• SAP administrators now only need their IBM i user profile for SAP administrative tasks

• Provides the ability to effectively audit SAP administrator user profiles

• Limits access to authorized users

• SAP administrator user profiles no longer shared

• Interactive use of SAP administrator user profiles eliminated

• Manage multiple SAP installations (running on the same partition) from the same interactive session

[Figure: Before Secure Administrator for SAP on IBM i]

[Figure: After Secure Administrator for SAP on IBM i]

Commands:

• CRTSUDOENV and DLTSUDOENV: Create/delete the Secure Administrator environment

• GRTSIDSUDO and RVKSIDSUDO: Grant/revoke use of administrator functions for different SAP installations

• LSTSIDSUDO: List Secure Administrator environments and users that have access to each SAP installation

• SIDSUDO: Execute commands under the authority and environment of the specified SAP administrative user profile


Access Control Monitor

Monitor security deviations from application design

• Ad hoc or scheduled reporting to check and report on application objects that are out of corporate security policy standards, data classifications, or other security related configurations

• Prevents user application failures due to inconsistent access controls

• Monitors compliance of libraries, objects, and authorization lists

• Customer extensible to allow automation of objects back into compliance


Network Interface Firewall for IBM i Exit Points

Reduces threat of unauthorized network access

• Users denied by default for greater security

• Users allowed are added via menu

• Allow access through Group Profiles

• Restrict by IP Address

• Log only mode

• Current exit point coverage:

– DRDA / DDM

– IFS

– FTP

– ODBC/JDBC/File Transfer

– REXEC

– RMTCMD (honors LMTCPB!)

– SQL CLI

– TELNET *customization required

– Host Server (Multiple)

• Customization for additional network interfaces available

• Exit programs allow system administrators to control which activities a user account is allowed for each of the specific servers. This easy to use interface addresses the most commonly used network interfaces.
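
The decision rules this slide lists (deny by default, allow entries for users or group profiles, restriction by IP address, log only mode) can be modelled as below. This is an added illustration in Python, not the tool's code or an IBM i exit program; the class names, rule layout, profile names and addresses are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class AllowRule:
    server: str           # exit point interface, e.g. "FTP" or "ODBC"
    principal: str        # user profile or group profile name
    networks: tuple = ()  # optional CIDR restrictions; empty means any address

@dataclass
class Firewall:
    rules: list
    groups: dict          # user profile -> set of group profiles
    log_only: bool = False
    log: list = field(default_factory=list)

    def _matches(self, rule, server, user, addr):
        if rule.server != server:
            return False
        if rule.principal != user and rule.principal not in self.groups.get(user, ()):
            return False
        if not rule.networks:
            return True
        ip = ipaddress.ip_address(addr)
        return any(ip in ipaddress.ip_network(n) for n in rule.networks)

    def check(self, server, user, addr):
        """Return True to accept the request, False to reject it."""
        allowed = any(self._matches(r, server, user, addr) for r in self.rules)
        if allowed:
            verdict = "ALLOW"
        elif self.log_only:
            verdict = "WOULD-DENY"   # recorded, but the request still goes through
        else:
            verdict = "DENY"         # no matching allow entry: denied by default
        self.log.append((verdict, server, user, addr))
        return allowed or self.log_only

# Constructed sample policy and requests (hypothetical profiles and addresses).
GROUPS = {"JSMITH": {"GRPACCT"}}
RULES = [
    AllowRule("ODBC", "GRPACCT", ("10.1.0.0/16",)),  # group entry, one subnet
    AllowRule("FTP", "BATCHFTP"),                    # user entry, any address
]
REQUESTS = [
    ("ODBC", "JSMITH", "10.1.4.20"),   # allowed through group profile
    ("ODBC", "JSMITH", "192.0.2.7"),   # right group, address outside subnet
    ("FTP", "JSMITH", "10.1.4.20"),    # no entry for this server
    ("FTP", "BATCHFTP", "192.0.2.7"),  # allowed by user entry
]

def run(log_only):
    fw = Firewall(RULES, GROUPS, log_only=log_only)
    return [fw.check(*r) for r in REQUESTS], [entry[0] for entry in fw.log]
```

Comparing `run(False)` with `run(True)` shows what a log only mode is for: the WOULD-DENY entries are the requests that enforcement would start rejecting, so they can be reviewed before the policy is switched on.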


Audit Reporting

Security and user auditing management and analysis

• Work with QAUDJRN journal entries and statistics to understand the demographics that define your security operations.

• Easily view system and user auditing statistics to demonstrate to management and auditors that security violations are being observed and handled.

• Filter journal entries by:

– User Profile

– Date/Time

• Manage:

– User object and action auditing values

– Library/File/IFS object auditing

– Auditing system values

– Journal receivers

• Scheduler to automate actions and reports

• Quick Audit of Users


Certificate Expiration Manager (CEM)

Simplifies the management of digital certificates

• Maintains a log of all expiration activities

• Sends notification via email.

• Easy to use configuration GUI is included for managing the XML settings.

• Runs on any platform that supports Java.

• Prevent outages due to expired certificates

[Figure: certificate, "University of the Internet", with fields Issue Date, Distinguished Name, Public Key, Expiration Date, Digital Signature of CA]


Password Validation

Enhanced protection through strict password criteria

• Checks the password to see if it contains:

– The user profile itself

– Any words from the customer defined dictionary of disallowed words

• Customization available for additional password validations.

[Flow chart: CHGPWD command is called → QIBM_QSY_VLD_PASSWRD exit program is automatically run → Does password meet exit program requirements? YES: Command completes, password is changed. NO: Password is not changed, command returns message.]

• Assures the security administrator that passwords being entered are not trivial.


Single Sign On (SSO) Suite

Simplify SSO implementation reducing help desk costs

Suite of tools sold individually or à la carte with or without implementation services:

Single Sign On (SSO) Suite for Domino

✓ Domino Synchronization

✓ DSAPI Plug-in

Single Sign On (SSO) Suite for EIM

✓ EIM CL Commands

✓ EIM Populator

✓ EIM Management Utility

✓ EIM Based Password Reset

✓ EIM Based CRTUSRPRF

✓ Windows AD Profile Synchronization

Password Synchronization Tool

Single Sign On (SSO) for SAP

An effective alternative to manual configuration


Encryption Suite

Simplify implementation of IBM i cryptographic capabilities

Set of procedures and techniques to simplify the implementation of cryptography using IBM i Operating System capabilities. Choice of service provider:

• Cryptographic Services APIs

• Cryptographic Coprocessor

Field | SQL Type | DDS Type | Length
Index | | |
Encrypted Data | BINARY | HEXADECIMAL | Multiple of 16 ≥ data length
Key Version | CHARACTER | CHARACTER | ≤ 32
Initialization Vector | BINARY | HEXADECIMAL | 16
Hash | BINARY | HEXADECIMAL | 32
Masked Value | | |

Consulting assistance:

• Application design

• Key management

• Custom procedures

• Tape encryption

• Cryptographic techniques

✓ Symmetric key encryption

✓ Asymmetric key encryption

✓ Secure hash

✓ Key exchange

Encryption applications:

• Data at rest

• Data in motion

Other Encryption Tools

• Cryptographic Support (CR1) Emulator Tool

• Credit Card Management Subsystem Tool


Questions


PowerSC Tools for IBM i

IBM Lab Services offerings for IBM i security:

✓ IBM i Security Assessment

✓ IBM i Single Sign On Implementation

✓ IBM i Security Remediation

✓ IBM i Encryption

✓ Simplifies management and measurement of security & compliance

✓ Reduces cost of security & compliance

✓ Improves detection and reporting of security exposures

✓ Improves the audit capability to satisfy reporting requirements

PowerSC Tools for IBM i Benefits

Compliance Assessment Tool | Demonstrate adherence to pre-defined security policies
Security Diagnostics | Reduces operator time involved in remediating exposures
Privileged Access Control | Ensures compliance with guidelines on privileged users
Secure Administrator for SAP | Eliminates sharing of SAP administrative profiles
Access Control Monitor | Prevents user application failures due to inconsistent controls
Network Interface Firewall | Reduces threat of unauthorized security breach and data loss
Audit Reporting | Simplifies audit analysis for compliance officer and/or auditors
Certificate Expiration Manager | Prevents system outages due to expired certificates
Password Validation | Ensures user passwords are not trivial
Single Sign On (SSO) Suite | Reduces password resets and simplifies user experience
Encryption Suite | Helps meet data security standards and protect critical data

PowerSC Tools for IBM i is a service offering from IBM Systems Lab Services

For more information on PowerSC Tools for IBM i offerings and services, contact: Terry Ford [email protected] Practice Leader, IBM Systems Lab Services Security


For more information on PowerSC Tools for IBM i

Terry Ford, Team Leader, IBM Systems Lab Services, Security Services [email protected]

Mark Even, IBM Systems Lab Services, IBM i Opportunity [email protected]

http://www-03.ibm.com/systems/services/labservices/contact.html

Mike Gordon, IBM Systems Lab Services, IBM i Opportunity Manager

507-253-3477

[email protected]