When you open a trade publication or a general newspaper these days, you're frequently greeted with a new report, often under a frightening headline, about a data security breach at a major company or at a government organization. Some of those security violations are minor, but others involve private financial or other information about thousands or even hundreds of thousands of people.
That's extremely disconcerting, but not terribly surprising. Organizations now accumulate a mountain of data about customers, prospects, products, internal operations, suppliers, and competitors. Over the past couple of decades, the volume and criticality of that data has leapt considerably, and it's continuing to grow. The more data that companies amass and the more valuable it is, the more tempting a target it presents. And the more that data is scattered around an organization, the greater is the risk that some of it will be inadvertently exposed. When you couple the increased volume and importance of stored data with the increased number of access points thanks to the Internet and linked supply chain systems, it's easy to see why the number of threats, many of them realized, has increased.
Not only are the security threats increasing, but the demand for protection of data is also rising. Again, that's not surprising. As organizations gather more confidential data and as that data's vulnerability is cataloged daily in the media, the subjects of the data are, understandably, becoming more concerned about privacy issues. Blaring headlines about data security breaches further fan the flames.
It's more than just the threat to privacy and intellectual property that companies need to worry about. Providing more people than necessary with data update rights increases the opportunity for human error or malfeasance to corrupt critical data. Read/write access should be restricted to only those people who need to have it and who have received proper training on the relevant applications and data management issues.
Furthermore, rigorous data security is now more than just a prudent, responsible business practice. For many organizations, it's now the law. New regulations passed in response to the threats and the actual breaches of security are forcing companies to enhance the security of their data, to improve their data auditing capabilities, and, consequently, to ensure the traceability of all data update activity.
This highly security-conscious environment is common to almost all organizations. Tire Kingdom is no exception. It took action by implementing the Califon Systems Security Module to fulfill the company's data security and auditing requirements.
About Tire Kingdom
Juno Beach, Florida–based Tire Kingdom is a major retailer and distributor of tires. Its more than 600 retail outlets throughout the United States, which employ over 7,000 people, also sell brakes, batteries, wheel alignments, and other automotive services.
Despite its current size, the company had humble beginnings. It was founded in 1972 with capital of just $150 and 50 consignment tires that were sold from a 200-square-foot stall at the West Palm Beach Farmer's Market. Tire Kingdom subsequently grew considerably in both revenue and geographic scope. In June 2000, it was acquired by Memphis, Tennessee–based TBC Corporation, a publicly traded company. In November 2005, TBC became a wholly owned subsidiary of Sumitomo Corporation of America.
TBC owns a number of subsidiaries in addition to Tire Kingdom, including Merchants Tire & Auto Centers, National Tire & Battery, Big O Tires, and Carroll Tire Company. All of TBC's subsidiaries run most of their operations on Tire Kingdom's iSeries Model 890 system, which maintains four partitions, two for production and two for development and testing.
The company's data flows are complex. Data comes into its iSeries systems from all of its stores, as well as from its trading partners.
Tire Kingdom was able to control iSeries access using standard operating system tools, but, despite the high level of security available on iSeries, the company needed a more comprehensive security solution than was possible using only the operating system tools.
As at all companies, security is important to Tire Kingdom, but what primarily drove it to search for a way to augment iSeries security was a Sarbanes-Oxley (SOX) audit that was performed at the company. SOX regulations apply to all companies listed on a U.S. stock exchange. Among other things, SOX imposes strict data auditing, security, and control requirements.
Tire Kingdom's audit found that not all of the SOX data security and auditing requirements could be met using only iSeries security. Specifically, the company needed a way to track changes to critical operational data such as product prices. This tracking capability had to include information on not only what changes were made, but also when they were made and who made them.
Ironically, since the time of the SOX audit, TBC has been acquired by Sumitomo, meaning that Tire Kingdom is no longer a part of a company traded on a U.S. exchange. It is thus not subject to SOX. However, the company decided to proceed with the security enhancement project because, as John Pawlikowski, manager of i5 operations, noted, "Private companies are going through the same type of audits as public companies. Who cares if we're public or private? We still need to audit our financial compliance."
If it weren't for its stringent data logging requirements, Tire Kingdom probably could have used iSeries object security to provide the level of security it required, but even with that lesser requirement, implementing the necessary security would have been unwieldy. The company uses an ERP application that manages thousands of objects. Without a tool that would allow Tire Kingdom to assign object security more easily and quickly than the built-in iSeries object security facilities allow, the configuration and maintenance effort would have been too cumbersome and time-consuming.
In addition, Tire Kingdom wanted a way to manage security on a very granular level. For example, the company needs to allow authorized users to update price data through its ERP application. This requires granting the relevant users read/write access to the appropriate table(s). The problem was that the company wanted to allow these users to read the same data through desktop applications, such as Microsoft Access or Excel, but it did not want to let them update the data using those less-structured tools as that would bypass the processes and controls provided by the ERP. Giving users read/write access through some programs, but read-only access through others, was difficult, if not impossible, using solely iSeries security.
In its hunt for a security solution, Tire Kingdom searched the Web, reviewed trade publications, and studied vendors' literature to narrow its selection down to just a couple of suppliers. After evaluating this shortlist, Tire Kingdom found that, in addition to meeting all of its technical requirements, the Califon Systems Security Module scored higher than the competition on ease of implementation and use. Contributing to the ease of implementation was the fact that, unlike what was the case with some of Califon's competitors, Tire Kingdom didn't need to install several IBM PTFs before installing the security software.
Califon Systems first released its Security Module in 1999 to take advantage of and augment the IBM AS/400 (subsequently iSeries and then System i) object-level security, as well as the exit point security software module inherent in AS/400. The software was developed by two high-level security experts who had extensive knowledge of AS/400, along with considerable enterprise security expertise.
In the early days after its introduction, the primary advantage of Califon Systems' solution was that it automated many of the AS/400 security functions that then required a very heavy administration burden to implement and maintain. Califon has considerably enhanced and added to the software over the years, to the point where it now offers several additional benefits.
Califon Systems Security Module takes advantage of the Registration Facility function that has been a part of OS/400 since V3R1. When a server request is started, the exit program registered for that exit point is also called. Califon Systems Security Module uses these exit points to monitor and control object access. It can block access based on, among other criteria, location, type of function, type of command, SQL statement, and/or time of day.
This form of exit point security should be a high priority in most iSeries shops. Unlike built-in iSeries facilities, it provides the granularity necessary to control not just who is allowed to access which data, but also how they can access it.
When considering extra security, many people assume that a hardware or software firewall is adequate. That's not the case. A firewall is primarily designed to block denial of service or other mass attacks. Its purpose is to control access to particular ports. Unlike Califon Systems Security Module, a firewall cannot specifically limit access at the file or library level.
In addition to blocking access when required, Califon Systems Security Module logs information such as user, date, time, file, library, command, and directory for every data access and update. A flexible online query facility allows easy and rapid access to this log data for auditing and other purposes.
All setup, administration, and maintenance operations are performed via straightforward, easily navigable iSeries menus.
Tire Kingdom installed the Califon Systems Security Module using only in-house staff. It found the process to be fast and easy. When asked how long it took to install the software, Pawlikowski responded, "Minutes. Literally minutes, probably twenty or less." The company was able to complete the installation and the subsequent configuration and implementation without the need for any formal training. The operations staff simply read the user's guide.
What took the most time was not installation, but implementation. That was because Tire Kingdom took great care to interview users about their data requirements. It then undertook an extensive quality control phase to verify the collected information. Finally, the company completed a lengthy and thorough testing phase before moving the Califon Systems software into production. This extensive data gathering, analysis, and testing phase was undertaken to minimize the risk of implementing security rules that would mistakenly block legitimate data access for even the short period before the mistake could be corrected.
Tire Kingdom now uses Califon Systems Security Module to monitor updates to iSeries objects and files so that the company can, in particular, pinpoint revisions to records in its relational database tables. Tire Kingdom also uses the software as an additional line of defense in its already multilayered data security environment.
When asked about the advantages that he sees in Califon Systems Security Module, Pawlikowski cited the ease and speed of installation, as described above, but he also highlighted the product's ease of use. This was important because, despite Tire Kingdom's extensive analysis and testing process, when interviewed by IT, some users forgot about some of their less frequent data needs. As a result, the access rights required to serve those needs were initially denied.
As Pawlikowski explained, "If a user comes to us and says, 'Oh boy, you know what, once a quarter I run this process and I forgot to tell you guys about it,' we can very quickly adjust the access rights, run through a fast QA, and get it into production very quickly. I suspect we'll also run into this problem when people start performing their year-end tasks."
Pawlikowski also listed the security granularity afforded by the Califon Systems Security Module as another major benefit. It allows Tire Kingdom to grant or deny access to specific objects and libraries quickly and easily. This allows the company to restrict read/write rights to just those people who need to have them and who have the necessary expertise to modify the data correctly. This serves to reduce the number of data errors that occur.
Califon Systems Security Module also meets Tire Kingdom's need to limit update rights not just for particular data, but also based on the software used. For example, the company can provide a user with read/write access to pricing data when the user tries to update it through the ERP, but that same user might be granted read-only rights when using other software to access the same data.
Another feature that has afforded Tire Kingdom the opportunity to reduce the number of problems that occur in its data and applications is the software's ability to restrict object access by time of day. For example, read/write access for critical data or for a complex application can be denied outside of the hours when IT support is available. That way, there will always be an IT support person available to help a user solve a problem should one arise. Otherwise, critical data might remain in error until the IT support people return the next day. Until then, the original error could compound as systems continue to run using the corrupted data.
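The three controls described above (read/write through the ERP but read-only through desktop tools, update rights limited to support hours, and a log entry for every access) are all decisions an exit program makes when a server request starts. The following is an added example, not Califon Systems' code and not the OS/400 Registration Facility API: it models that decision as a deny-by-default rule set, evaluated against constructed requests, and records an audit entry for each one. The client names (ERP, ODBC), library and object names, users, hours and timestamps are all assumptions chosen for illustration.

```python
"""Added example: a minimal exit-point style access policy evaluator.

Not Califon Systems' code and not the iSeries Registration Facility API;
it models the decisions the case study describes (control by client
program, object, operation and time of day; log every request) so the
rule semantics can be run and tested offline. All names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    """What an exit program sees when a server request starts (simplified)."""
    user: str
    client: str          # assumed client tags: "ERP", "ODBC" (Access/Excel)
    library: str
    obj: str
    operation: str       # "READ" or "WRITE"
    when: datetime


@dataclass(frozen=True)
class Rule:
    """One allow rule; a field left as None matches any value."""
    user: Optional[str] = None
    client: Optional[str] = None
    library: Optional[str] = None
    obj: Optional[str] = None
    operation: Optional[str] = None
    hours: Optional[range] = None   # allowed clock hours, e.g. range(8, 18)

    def matches(self, r: Request) -> bool:
        return all([
            self.user in (None, r.user),
            self.client in (None, r.client),
            self.library in (None, r.library),
            self.obj in (None, r.obj),
            self.operation in (None, r.operation),
            self.hours is None or r.when.hour in self.hours,
        ])


@dataclass
class ExitPointPolicy:
    """Deny by default; allow only if some rule matches; log every decision."""
    rules: List[Rule]
    log: List[dict] = field(default_factory=list)

    def check(self, r: Request) -> bool:
        allowed = any(rule.matches(r) for rule in self.rules)
        # Every access and update is logged, allowed or denied: user, time,
        # file, library, client program and operation.
        self.log.append({
            "user": r.user, "client": r.client, "library": r.library,
            "object": r.obj, "operation": r.operation,
            "time": r.when.isoformat(timespec="minutes"),
            "decision": "ALLOW" if allowed else "DENY",
        })
        return allowed


# Constructed policy for a pricing table: the pricing user may update it only
# through the ERP and only during support hours (08:00-17:59); reads are
# allowed from the ERP and from desktop tools; desktop writes never match.
PRICING_RULES = [
    Rule(user="PRICER", client="ERP", library="PRODLIB", obj="PRICES",
         operation="WRITE", hours=range(8, 18)),
    Rule(client="ERP", library="PRODLIB", obj="PRICES", operation="READ"),
    Rule(client="ODBC", library="PRODLIB", obj="PRICES", operation="READ"),
]

SAMPLE_REQUESTS = [  # constructed sample traffic
    Request("PRICER", "ERP",  "PRODLIB", "PRICES", "WRITE", datetime(2024, 3, 4, 10, 15)),
    Request("PRICER", "ODBC", "PRODLIB", "PRICES", "WRITE", datetime(2024, 3, 4, 10, 16)),
    Request("PRICER", "ODBC", "PRODLIB", "PRICES", "READ",  datetime(2024, 3, 4, 10, 17)),
    Request("PRICER", "ERP",  "PRODLIB", "PRICES", "WRITE", datetime(2024, 3, 4, 21, 5)),
    Request("CLERK",  "ERP",  "PRODLIB", "PRICES", "WRITE", datetime(2024, 3, 4, 10, 18)),
]


def evaluate(requests: List[Request]) -> List[str]:
    """Run requests through a fresh policy; return the decisions in order."""
    policy = ExitPointPolicy(PRICING_RULES)
    return ["ALLOW" if policy.check(r) else "DENY" for r in requests]


def writes_to(log: List[dict], library: str, obj: str) -> List[dict]:
    """Audit query: who actually changed this object, and when."""
    return [e for e in log if e["library"] == library and e["object"] == obj
            and e["operation"] == "WRITE" and e["decision"] == "ALLOW"]


if __name__ == "__main__":
    policy = ExitPointPolicy(PRICING_RULES)
    for req in SAMPLE_REQUESTS:
        policy.check(req)
    for entry in policy.log:
        print(entry)
    print("writes to PRODLIB/PRICES:", writes_to(policy.log, "PRODLIB", "PRICES"))
```

Running the sample traffic gives ALLOW, DENY, ALLOW, DENY, DENY: the ERP write inside support hours passes, the same user's write through a desktop tool is refused while the read is allowed, the 21:05 ERP write is refused by the time-of-day rule, and an unlisted user is refused even through the ERP. The denied attempts are still in the log, which is what makes the "who changed what, and when" question answerable afterwards; the staged rollout the case study describes (interviews, QA, a long test phase) is what keeps a deny-by-default policy like this from blocking the once-a-quarter job nobody mentioned.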
The Califon Systems Security Module's logging function allows Tire Kingdom to track down problems more quickly than was previously possible. Pawlikowski reported that, in the past, if someone updated a table incorrectly, it could take considerable time to find the problem. In the meantime, some of the company's programs could possibly stop because of the faulty data. Now, not only does Califon Systems' software help to reduce the probability of errors creeping into the data, but when a problem does occur, Tire Kingdom can use the log to track it down quickly and, therefore, keep its systems online and providing accurate data.
Pawlikowski discovered one benefit that he wasn't expecting. The logging function allows him to look at all SQL query strings coming into the database, which has helped in troubleshooting and optimization. If an application is not providing correct results, the developers can look at the precise query string to try to resolve the problem. Likewise, if database applications are running slowly, Pawlikowski can gather the log data and show it to the developers, who may decide to create a new index or look for ways to optimize the application's SQL code.
One other thing that impressed Pawlikowski about the Califon Systems Security Module is that "it did exactly what it was advertised to do. It's a very solid and reliable product."
Califon Systems offers a 30-day free trial for its Security Module. A request form for the free trial is available on the company's Web site. The software can then be downloaded from Califon's Web site or it can be emailed to you.
For more information, contact Califon Systems or visit its Web site at the address below.
110 Newport Center Drive
Newport Beach, California 92660