Unless maintaining compliance is a year-round effort in your enterprise, the answer to this question is very likely an emphatic "no!"
It's not often that we get to see a trendy new term enter the lexicon while being consciously aware it's happening. However, the recent holiday season may have given us that experience. Perhaps it's too early to tell for sure, but recent events should give additional meaning—in the compliance market segment at least—to the term "You've been 'Targeted.'"
While most consumers' reaction was likely tempered by whether or not they charged something at one of the retailer's stores between November 27 and December 15, 2013, if you're an IT professional your second thought was probably, "Wow, I'm glad that wasn't us."
It Could Happen Here
The trouble is, someday it could be you. The disgrace, the damage to its brand, the discounts offered for PR purposes, the lawsuits, a possible Federal Trade Commission probe, and the penalties we probably won't even hear about mean Target's pain is going to last quite a while—to say nothing of that of its affected customers. The fact that the cause was likely unusual malware affecting the company's POS systems isn't going to get Target out of a terrible jam or mean it won't pay a possibly incalculable price.
Sadly for Target, its IT security staff probably felt they were secure and in compliance with applicable standards, particularly the Payment Card Industry Data Security Standard (PCI DSS). That's what compliance audits are all about, after all. But this breach happened anyway. If it could happen to an enterprise with the economic clout and retailing reach of Target, it could happen to your enterprise. And running your Accounts Receivable on an IBM i may not save you.
"[There is] a persistent—and flawed—belief that the [IBM i] server is inherently secure and nothing needs to be done to achieve this state," warns Robin Tatam, director of security technologies at The PowerTech Group. "While it's true that IBM i is one of the most securable OSes in the server market, it certainly doesn't come from the factory preconfigured that way." A second common misconception, Tatam notes, is that "security and compliance are one and the same. Compliance is adherence to a defined standard—even if that standard is incorrect or lacking substance. Being compliant doesn't guarantee that one is also secure."
Finally, he points out, a third problem is that many companies perform compliance audits "only when the auditor is onsite, instead of making compliance validation an ongoing activity."
Carol Woodbury, president and co-founder of SkyView Partners, emphasizes Tatam's final concern—and adds another.
"Most organizations are strapped for time, so they don't have the ability to maintain compliance throughout the year. Then it's a 'fire drill' before the auditor arrives to correct the items that have fallen out of compliance or to address new compliance requirements. The result is not just that they have to pour a large effort into preparing for the audit; the worse issue is that their systems have been in a degrading state of security ever since the last audit."
"[Another] issue is that some organizations somehow are of the belief that regulations don't apply to them," Woodbury adds. "The PCI DSS requirements apply to every organization that accepts credit cards; it doesn't matter how large or small the organization is or how many or few transactions. Yet we've seen some organizations be in denial that PCI applies to them and then they're surprised when they get audited and fined for non-compliance."
Technical Issues Cause Even More Challenges
These issues are just the biggest elephants in the room. Unfortunately, there are others.
"[One] of the most common compliance pitfalls for IBM i companies is the ability to automatically produce compliance reports for individual LPARs, in which each individual LPAR has different optimal values for the compliance criteria," note Shmuel Zailer, CEO/CTO, and Eli Spitz, vice-president of business development, at Raz-Lee Security in a joint interview. "This 'simple-to-comprehend' facility is really very tricky to implement, but it's exactly what's needed to differentiate between compliance requirements for production, test, HA, and other systems. [A second problem is] enabling viewing [of such] compliance reports over a period of time (trends) or once-a-week values comparable on a single spreadsheet."
Zailer and Spitz also cite "a lack of best-practice IT-related compliance requirements," too often left in the hands of system administrators, and not sending compliance reports to "the relevant parties, each in the format which is appropriate for each."
Compliance or Complacency?
Reading between the lines, the biggest danger of all should be plain: complacency. It's easy to find reasons to reassure yourself that all is well when the next auditor visit is months away and no consumers' attorneys are banging on your door, lawsuits in hand. But what passes for OK in some people's minds can be shockingly inadequate in reality.
"I once performed an audit for a large company that knowingly granted All Object (*ALLOBJ) special authority—a global permission to every object on the server—to all of their users," confides PowerTech's Tatam. "This was to ensure that users never ran into authorization challenges. They justified this open-door policy to their auditors by implementing simple compensating controls, such as command-line restrictions and application security, to control their users. Sadly, neither the client nor the auditor had any idea that those users could easily connect via alternate interfaces like ODBC and FTP and read or change data in any file and even execute server commands!"
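One way to surface the exposure Tatam describes from the defender's side is to query the Db2 for i catalog view QSYS2.USER_INFO, which reports each profile's special authorities alongside its LMTCPB (limit capabilities) setting. This is an added example, not code from the article or from PowerTech. A profile that holds *ALLOBJ while being "limited" is exactly the compensating-control trap in the story: the command-line restriction applies to interactive sign-on, while *ALLOBJ still governs what the profile can read or change through ODBC, FTP and other interfaces. Excluding QSECOFR is an illustrative assumption; substitute the profiles your policy actually permits.

```sql
-- Added example (not from the article or from PowerTech): list profiles
-- holding *ALLOBJ special authority together with the LMTCPB setting that
-- is often relied on as a compensating control.
-- QSYS2.USER_INFO is an IBM i Services view; the column names below are
-- the ones that view provides. Excluding QSECOFR is an illustrative
-- assumption: substitute the profiles your policy actually allows.
SELECT AUTHORIZATION_NAME,
       STATUS,
       USER_CLASS_NAME,
       SPECIAL_AUTHORITIES,
       LIMIT_CAPABILITIES   -- '*YES' means a command-line restriction is in place
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND AUTHORIZATION_NAME <> 'QSECOFR'
 ORDER BY LIMIT_CAPABILITIES DESC, AUTHORIZATION_NAME;

-- A single number worth trending between audits rather than checking only
-- when the auditor is on site: every row counted here is a profile whose
-- data access is governed by *ALLOBJ regardless of LMTCPB, i.e. the
-- exposure Tatam describes.
SELECT COUNT(*) AS ALLOBJ_PROFILES,
       SUM(CASE WHEN LIMIT_CAPABILITIES = '*YES' THEN 1 ELSE 0 END)
         AS ALLOBJ_RELYING_ON_LMTCPB
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%';
```

Run it from STRSQL, ACS Run SQL Scripts or any ODBC client; rows with LIMIT_CAPABILITIES = '*YES' are the ones where someone believed the command-line restriction was doing the job that only removing *ALLOBJ (or object-level authority) actually does.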
"We see organizations install software that is meant to prevent access to the system but [they] never implement it," SkyView's Woodbury recalls. "They can say they have the software to protect data, but it's actually doing nothing but taking up disk space."
"[Enterprises use] home-grown solutions to solve what is really a very professional challenge, requiring a professional, all-inclusive, solution," the Raz-Lee executives caution. "The compliance demands are posed by professional people (internal/external auditors, industry regulations, etc.) and must be addressed with worthy solutions."
Truth or Consequences
The vendors interviewed for this article point to numerous consequences for being found in non-compliance, such as heavy fines ($50,000 a month for two of SkyView's clients, Woodbury reports), legal expenses and notification costs, and simply "being sent back to the drawing board" to rewrite a compliance system from scratch. That's in addition to the penalties we've already reviewed for Target's unintentionally devastating security loophole.
Sadly, meeting compliance standards is a moving target rather than a static one. You'll fall behind by simply doing nothing new.
"The recent explosive adoption of smart, mobile devices, along with a trend towards cloud-based computing, has meant that most compliance standards are struggling to keep pace," warns Tatam. "I fully expect to see more regulations pertaining to securing data that's stored virtually, along with a continuation of controls designed to prevent loopholes that have been discovered and exploited."
How far behind the curve might your enterprise be if that comes to pass, particularly in light of how widespread the effect of Target's breach has been and how much political pressure that incident might generate for even stricter laws and regulations? Compliance is an ongoing requirement that needs to be the focus of an ongoing effort.
Below are major solutions for addressing compliance problems: products specifically designed for IBM i and some of the other OSes that run alongside it. Hopefully, one of these solutions can help you and your enterprise avoid becoming the next poster child for non-compliance.
Auditing and Compliance Tools for IBM i
StandGuard Network Security is an object-based security product for Power Systems that monitors exit points and the security audit journal (QAUDJRN), tracks and manages system access, defines user access permissions, alerts administrators to changes in system values and user profiles, audits business asset libraries, checks system authority settings, and provides numerous reports and audit trails.
QSystem Monitor is an application and job-monitoring solution for IBM i. It filters all system messaging activities and provides a check on use of FTP and QSECOFR authority. It monitors system-value and user-profile changes and invalid password attempts. It also includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN and sends alerts of administrator-defined security breaches to appropriate personnel.
Cilasoft's suite consists of four integrated but separately available auditing products. QJRN/400 audits system activities and databases. Controler watches use of access protocols and system commands. Database View Monitor (DVM) audits read accesses of databases. Elevated Authority Manager (EAM) controls user activities to comply with HIPAA, PCI DSS, SOX, and other standards.
Cosyn Audit Trail tracks changes made to database files on IBM i machines without requiring the overhead of turning on journaling. The product uses triggers instead and outputs results to physical files that users can query or use to create their own reports. The product also tracks updates from Interactive SQL and selected query products from other vendors.
AZScan is a Windows application that can audit and evaluate security on IBM i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs 53 security tests for i5/OS, creates reports intelligible to nontechnical auditors, pinpoints problems, and assists users with maintaining regulation and industry standards compliance.
Enforcive Systems Limited
Enforcive's Accelerator Package provides more than 700 predefined but customizable reports, alerts, and compliance definitions for COBIT 4.1, ISO 17799, PCI, and SOX standards on IBM i.
Enforcive offers a cross-platform auditing service that includes multiplatform consolidation and security-event correlation for IBM System i and System z, Oracle, SQL Server, Sun Solaris, and other servers running AIX, Linux, UNIX, and Windows.
Enforcive/Sensitive Field Masking is a GUI-based tool that lets administrators designate sensitive database fields that are then blocked from viewing by any but authorized users. The product is flexible enough to designate different fields within the same file as available to different specified users. Masked files are also stored in a special library.
Enterprise Security for IBM i features application exit-point controls, user-profile and group permission controls, IP address authorization, access controls down to objects and including the IFS, account swapping for adopted authorities, multiple-server policy replication, file protection against power users, a graphical application-security event analyzer, a graphical user-profile manager, and session timeout/inactive-user controls.
Field Encryption lets security officers encrypt sensitive alphanumeric and numeric database fields using one of seven different encryption standards and an unlimited number of encryption keys. The tool also provides scrambling and encryption for backups, GUI-based administration, and compliance with PCI DSS Requirement 3.
IP Packet Lockdown incorporates intrusion detection, access control, and IP packet filtering that lets security officers set up and manage the ports and IP addresses from which they wish to receive network traffic and the specific System i ports at which they wish to receive that traffic. Similarly, SECOFRs can define those addresses and ports they wish to lock down and prevent from communicating.
Security Assessment is an external security testing application that launches real-time security penetration tests, summarizes current security policies, and highlights deviations from recommended policy settings.
Policy Compliance Manager helps security personnel build, document, and maintain a corporate security policy. Product features include template-based compliance management, compliance-deviation monitoring and enforcement with an alert center for instant deviation reporting, a Sarbanes-Oxley compliance toolkit, a Help Desk assistant, and an optional PCI DSS reporting toolkit.
IBM PowerSC is a security and compliance solution for IBM i and other servers running AIX, Linux, or PowerVM. The product automates security compliance activities, includes reporting systems for compliance measurement and audit, supports virtual machine environments across multiple systems, and ensures compliance with numerous industry standards as well as legal and other governmental mandates.
IBM's Security AppScan Standard runs on i servers using JBoss, Apache Tomcat 6.0/7.0, WebSphere 7.0, AIX, Linux, and Windows. It scans Web applications for security holes and provides more than 40 compliance-related reports.
SecureSphere Data Security Suite is a security and auditing solution that monitors databases, files, and Web applications via independent hardware appliances, agents running on host servers, and cross-platform administrative tools. The suite includes DB2 monitoring for IBM i and offers alerts, a database firewall with activity monitoring, access controls for sensitive data, and auditing features usable by non-technical auditors.
IT Security and Compliance Group
The Security Audit Service is typically a five-day onsite evaluation of the security implementation of a client's System i. The audit checks all aspects of the System i security configuration at the operating system, database, and user interface level, including evaluation of user accounts, object permissions, database security and the various access methods, resulting in an executive overview containing a list of high-severity items and remediation recommendations. Additional services include security assessment for networks, user-account maintenance and assessment, object-level security assessment, security implementation remediation, security event monitoring and reporting, QAUDJRN configuration, forensic analysis of security events, and implementation of single-sign on.
Kisco Information Systems
Kisco's iFileAudit lets users track data updates and changes to files on a user-by-user, file-by-file, and field-by-field basis. The product includes a Web browser interface, a notation feature, the ability to track file-read actions for user-selected files, and the ability to produce audit reports on a global or selected basis.
NetIQ Secure Configuration Manager is a system-security configuration assessment and compliance-monitoring tool that helps administrators compare system security settings against regulatory and best-practice requirements. It assesses system configurations against multiple compliance mandates, reports on systems out of configuration, provides tools for restoring mandate compliance, generates reports that satisfy legal and industry standards requirements, and presents data via a dashboard-style interface.
The iSecurity Compliance Pack is a suite of products that provides automatic and sophisticated reporting capabilities covering all types of security-related information. Coverage includes more than 300 customizable auditing reports, a visual console for investigating suspicious events, alerts, corrective programs and CL scripts, and a security assessment analysis application.
Safestone's Compliance Center for i provides a query-based reporting solution that automates the collection of audit, compliance, and security events and their conversion into reports. The product monitors such system activities as network accesses, object authorities, user profiles, QAUDJRN and QHST entries, system values, and SQL command usage. Users can either schedule reports on a regular basis or access them on demand. A version for servers running AIX is also available.
SkyView Audit Journal Reporter generates predefined, auditor-ready reports based on events recorded in QAUDJRN. It reduces the time needed to provide non-technical reports on system events for auditor use and produces ongoing reports as necessary to help users investigate compliance issues.
SkyView Policy Minder for IBM i and i5/OS automates security policy compliance and administration. Examples of features include automatic checking of system settings (e.g., user profiles, libraries, objects, directories, authorization lists), security policy documentation via template-based and customized settings, and report generation on multiple aspects of security policy. The product also includes tools for modifying system parameters that are out of line with established security policy.
SkyView Risk Assessor is a service that provides an analysis of more than 100 system risks from the point of view of an external expert. Designed to provide the basis for a security audit of IBM i machines, Risk Assessor also helps evaluate enterprise compliance with PCI, HIPAA, and other standards.
Tango/04 Computing Group
The Security Knowledge Module is a configuration of Tango/04's VISUAL Message Center that reports on system events, security incidents, and compliance violations across multiple platforms, including IBM i. The product maintains a database of all events and sends real-time alerts in response to security or compliance problems.
The Operations Knowledge Module monitors multiple partitions or systems from a central console and reports on a variety of conditions and situations. These include system and subsystems performance, interactive job efficiency, messages from all message queues, security and permissions violations, and Web environments. Reports are available via dashboards, and the product also includes templates for new software apps that can measure each app's real-time service-level requirements.
The PowerTech Group
Compliance Monitor provides a single console view of multiple systems, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs. It also enables audit reporting and inspection of security-policy compliance with SOX, PCI, and other regulations and standards.
DataThread tracks changes to databases, filters out routine activity and focuses on user-requested exceptions, centralizes and automates data-policy enforcement without requiring program changes to existing applications, notifies appropriate personnel of changes, and meets compliance requirements for all domestic and international regulations that require monitoring of IBM i data access and user activity.
Interact monitors more than 500 system security events in real time and forwards them to a system log for later analysis or troubleshooting. Sources include QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events. Interact parses and simplifies audit journal entries so that nontechnical users can read them, and it can filter system events by date, time, user, IP address, and other criteria.