|Partner TechTip: Monitor Powerful Users in Real Time|
|Tips & Techniques - Security|
|Written by John Earl|
|Thursday, 05 February 2009 19:00|
Do you find it difficult to prove to auditors that your data is secure?
You just might have the most secure machine around. You're using the IBM Power Systems running IBM i (System i, iSeries, AS/400), you're diligent about security, and you've bought the very best tools to secure your system and automate the task of compliance. What more could an auditor ask of you?
Oh, there's always something more, always something new. The latest demand by auditors comes from the Payment Card Industry (PCI) Security Framework--and it's rapidly being adopted by auditors to apply to other scenarios, such as SOX and HIPAA compliance.
The essence of the argument is this: even if you have all of the necessary tools to prove that you are secure, how does the auditor know--and how can you prove--that the data you're reporting hasn't been altered or tampered with prior to reporting?
I can hear many of you complaining already: "Boy, don't those auditors have anything better to do? Now they're pointing at the system administrators and IT staff that have been helping them with their audits all along!"
But hold on just a minute. You can see that the auditors have a point. The FBI estimates that over 80 percent of all data that is lost, damaged, or stolen falls victim to an internal source, as opposed to an outside attacker. After all, these are the people who already have access (a user ID and a password) to your system and have a working knowledge of the data and the value of that data. Isn't it natural to assume that they could be an important threat? Add to that the power of most system administrators and IT folks, stir in the realization that few people in the organization understand exactly what the IT team does--and thus could not easily spot whether or not they're doing it well--and you have the ingredients for a first-class disaster.
Powerful users with unbridled access to all corporate data and no one capable of monitoring their activities: sounds like a problem to me. In fact, it can be broken down into two distinct problems. First, if IT administrators decide to turn criminal, their ability to cover their tracks is almost complete. Second, if they were doing something really bad, would you be able to tell?
Security Events Don't Have to Be out of Sight
PowerTech Interact sweeps your system for security-related events and, in real time, copies those security events off the system to another system that your System i administrator (presumably) does not have access to. Interact dramatically reduces the ability of a seasoned IT pro to cover his tracks after a dastardly deed. For example, if someone were to change Accounts Receivable balances for a relative, download the credit card file, or change another user's password, Interact would intercept that event and forward it to another system where the information could be stored safely. A system administrator will always have the ability to do dangerous things--there is simply no getting around that--but should never be able to hide the truth about what has been done.
Another difficulty is in interpreting the events. The System i and its operating system (IBM i, i5/OS, OS/400) are pretty much a language unto themselves, and the wider IT world often looks at us cross-eyed when we spew our technical jargon. Windows, UNIX, and network security professionals use a slightly more standard (though not yet universal) nomenclature, and if we can translate our unique security terms into that more universal language, we stand a better chance of making the actions of our IT teams transparent.
Interact helps here, too, by sending preformatted messages to a wealth of industry-standard Security Event Information Management (SEIM) consoles in a standard SYSLOG format. Using this format, System i security events can be read and interpreted by the leading SEIM consoles, such as Arcsight, LogRhythm, TriGeo, OpenConnect, and many others. This concentrates the more mundane tasks of network event monitoring in the hands of the network operations center and leaves your team more available for the work only they can do.
Interact Eliminates Security Headaches
PowerTech Interact is a critical element for managing security and compliance on your Power Systems running IBM i. To see what Interact can do for your organization, call one of the security advisors at Powertech at 800.915.7700. Learn more about Interact by clicking here.
|Last Updated on Thursday, 05 February 2009 12:03|