Despite a quality selection of auditing and compliance tools for IBM i, security problems in 2013 are largely "same old, same old."
Probably as much as two decades ago, when the IBM i was still the AS/400 and being touted as the most secure computing system in the world (mostly due to its magnificent isolation), there were still security problems experts could point to. Primarily these were 1) not enough accountability for changes to databases, 2) too many users holding too-powerful security profiles, and 3) unauthorized users gaining access to systems (e.g., due to weak passwords).
Today, years after adoption of such reforms as federal laws—e.g., Sarbanes-Oxley (SOX)—and tighter industry standards—e.g., payment card industry (PCI)—the fundamental security concerns for the IBM i remain: Not enough accountability for changes to databases, too many users holding too-powerful security profiles, and unauthorized users gaining access to systems. Who knew that, in 2013, the title of the classic Led Zeppelin concert film would summarize the state of compliance on many IBM i machines?
"In our experience, the first and most basic area of weakness usually centers on the area of user profile authorities and passwords, system value definitions, object authorities, and similar [aspects]," reports Eli Spitz, vice president of business development at Raz-Lee Security.
"Profiles with too much authority" is a common fault, agrees Guy Marmorat, president and CEO of Cilasoft. "Whether it is through public or private authorities on business-critical files or special authorities, users often have power that exceeds the actual authority needed for their specific problem."
"Too much authority to data" is how Carol Woodbury, president and co-founder of Skyview Partners, puts it. "A main issue is that too many users have direct access from outside applications, and another is that users rely on default passwords or have too much user authority."
"Another area of weakness centers on the different ways in which business-critical application data is referenced, specifically by different groups of users (e.g., segregation of duties)," clarifies Raz-Lee's Spitz. "This includes the need to monitor changes made to database application files, which eventually leads to the need to view actual before/after data."
Slightly in dissent is Ken Linde, marketing manager for Enforcive (formerly BSAFE), who points to breaches via TCP/IP connections due to lack of adequate monitoring of File Transfer Protocol (FTP), Open Database Connectivity (ODBC), and remote SQL as the most common problem. As the second most common, he cites "the limited auditing configuration most shops have activated for their QAUDJRNL. This weakness can fall into one of three categories. The first being not activating any auditing, the second being activating limited auditing or not defining the additional audit requirements for high-privileged users, and the third including cases where the auditing settings are defined appropriately but are not being consistently reviewed."
While a majority of the vendors contacted for this article agree that user authority and data-change accountability problems are the most common for IBM i installations, they cited different problems when asked which are the most chronic security challenges.
Common vs. Chronic
"The most chronic compliance failures we see at customer sites is stagnation in keeping exit-point security policies up to date, weak implementation of password policies, and partial implementation of the security software tools available," notes Enforcive's Linde.
"Monitoring of business-critical application files, updates, and changes to these files" is what Raz-Lee's Spitz points to. As an example, he highlights that employees accessing their own personal credit card, health, and salary data is a compliance violation. "What contributes to problems in these areas is the dependence on manual methods rather than packaged products to address these issues."
"Ensuring that reports and alerts remain relevant to the environment" is the most chronic problem nominated by Cilasoft's Marmorat. "Often the controls set up initially make sense, but environments change and the controls are not updated accordingly." He cites the example of a new interface that opens a potential security hole while none of the existing controls are updated to close it. "Furthermore," he adds, "internal documentation must be created to ensure that the security controls are sufficiently explained in case the security professional who designed the controls leaves the company."
The Thin Red Line
Obviously, to a very large extent, all these problems are a case of the song remaining the same after decades of experience with IBM i in IT departments. Why are so many of these traditional problems still with us despite this experience and attempts at reform from government and industry groups?
"The real issue is lack of administrator time," notes Skyview's Woodbury. "Administrators wear so many hats that if they don't take time to set up product automation features, things tend to slide back to where they were. This is often because there's a lack of management focus on the whole issue [of compliance]." She cites a frequent problem as that of management paying attention to compliance only when an audit is imminent. "That's when things like inactive profiles get cleaned up, but [administrators] don't do the extra step of automating that policing, and a year later these issues are still a problem."
Another issue is turnover in personnel. "An administrator implements our software but then a replacement isn't adequately trained. We see that over and over," Woodbury points out.
Enforcive's Linde backs up those concerns. "The sources of chronic failures are...limited time and professional resources allocated to handle security on an ongoing basis, high employee turnover and ineffective handover of security and compliance-related responsibilities, and limited documentation and policies pertaining to the security and compliance aspects of the environment."
"A lot of time and resources are spent on reinventing the wheel after a security professional leaves," agrees Cilasoft's Marmorat.
Spitz emphasizes the lack of use of automation features in auditing and compliance tools as a root concern. "Customers depend on manual solutions rather than searching for automatic tools that allow them to define rules.... This lack causes persistent problems, as business rules change all the time [but] companies cannot manually change definitions at the same time."
Meeting the Compliance Challenges
So what can be done in the face of such persistent compliance difficulties?
Woodbury cites "developing a 'compliance lifestyle' to maintain a consistent level of compliance. If there are daily or weekly administrative tasks, automate them or you don't stand a chance of staying in compliance. If you implement this kind of automation, you'll stay in compliance and can avoid the annual 'audit fire drill.'"
Almost regardless of what provider's auditing and compliance tools you use, full implementation of the products you do purchase seems like the best way to meet the challenges of both the most common and most chronic compliance problems.
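As an added illustration of the kind of weekly check the vendors above are describing (this is not code from the article or from any of the products listed), the script below uses the IBM i Services views QSYS2.USER_INFO and QSYS2.SYSTEM_VALUE_INFO to surface the three recurring findings named at the top of the article: over-privileged profiles, default passwords, and inactive profiles, plus the audit journal configuration Linde mentions. It assumes a release that provides those views with the column names used here, and a 90-day inactivity threshold chosen for the example.

```sql
-- Added example (not from the article or any vendor product): a weekly
-- IBM i compliance check over QSYS2 services. Column names are assumed
-- to match the IBM i Services documentation for the installed release.

-- 1. "Too much authority": every profile holding *ALLOBJ or *SECADM.
--    Review each row against the job the user actually performs.
SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
    OR SPECIAL_AUTHORITIES LIKE '%*SECADM%'
 ORDER BY AUTHORIZATION_NAME;

-- 2. Default passwords: enabled profiles whose password still equals
--    the profile name. IBM-supplied Q* profiles are deliberately kept
--    in this list, since QSECOFR with a default password is the worst case.
SELECT AUTHORIZATION_NAME, PASSWORD_CHANGE_DATE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND USER_DEFAULT_PASSWORD = 'YES'
 ORDER BY AUTHORIZATION_NAME;

-- 3. Inactive profiles: still enabled but with no sign-on in 90 days
--    (an assumed threshold). A NULL PREVIOUS_SIGNON means the profile has
--    never signed on. IBM-supplied Q* profiles are excluded here because
--    most of them never sign on interactively and would only add noise.
SELECT AUTHORIZATION_NAME, PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND AUTHORIZATION_NAME NOT LIKE 'Q%'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY PREVIOUS_SIGNON;

-- 4. Audit journal configuration. If QAUDCTL does not include *AUDLVL,
--    no action auditing reaches QAUDJRN at all (Linde's first category);
--    if QAUDLVL/QAUDLVL2 lack *SECURITY and *AUTFAIL, the reports that
--    the products below generate will have nothing to show (his second).
SELECT SYSTEM_VALUE_NAME, CURRENT_CHARACTER_VALUE
  FROM QSYS2.SYSTEM_VALUE_INFO
 WHERE SYSTEM_VALUE_NAME IN ('QAUDCTL', 'QAUDLVL', 'QAUDLVL2')
 ORDER BY SYSTEM_VALUE_NAME;
```

Saving the script as a source member and running it on a schedule (for example, a job schedule entry that invokes RUNSQLSTM and routes the output to a spooled file for the administrator) turns Woodbury's "compliance lifestyle" into a standing job rather than an annual fire drill; any non-empty result in queries 1 to 3 is a finding to act on, and query 4 should be compared against the written audit policy.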
Below are listings for auditing and compliance solutions currently available for the IBM i. Although the brief product descriptions don't provide more than an overview, links are provided to all product Web pages, at which you can find more complete information.
And as always when looking for products or services, be sure to check the MC Press Online Buyer's Guide.
Auditing and Compliance Tools for IBM i
Standguard Network Security provides security and compliance monitoring for networks that include IBM i systems. Auditing and compliance features include a SOX toolkit, numerous standard auditing reports, and compliance white papers.
QSystem Monitor is primarily a performance-monitoring solution for IBM i systems and applications. It includes features for compliance with SOX and PCI requirements by monitoring the QAUDJRN and sends alerts of administrator-defined security breaches to appropriate personnel.
QJRN/400 is an auditing application that enhances IBM i journaling functions to keep an eye on system events and changes to databases. It reports on changes to database authorization files, user profiles and authorities, network attributes, and system values. It also identifies modifications to corporate applications made by other software and monitors access of sensitive database fields.
Cosyn Audit Trail/400 tracks changes made to database files by using triggers instead of journaling and also tracks changes made by users and applications. The solution outputs results to physical files that users can query or use to create their own reports.
AZScan is a Windows application that can audit and evaluate security on IBM i machines running i5/OS or Linux/UNIX, as well as Oracle databases. The product runs on PCs using copies of IBM i files and conducts 53 security tests for i5/OS. It also creates reports for nontechnical auditors, pinpoints problems, and assists users with maintaining regulation and industry standards compliance.
Enforcive/Enterprise Security is a suite of 19 modules, each offering its own GUI, for controlling security and compliance activities on IBM i machines. Functional modules include controls for application access, an application security event analyzer, a user-profile manager, inactive-user controls, and multiple-system policy distribution and controls. Auditing controls include features for cross-system compliance reporting and auditing, field-level auditing template-based compliance monitoring and deviation reporting, compliance-driven alerts, and a SOX compliance toolkit. Additional services include enterprise-wide security assessments.
SecureSphere Data Security Suite is primarily an application and database security solution that includes DB2 monitoring for IBM i. The solution's auditing features help non-technical auditors analyze and view database activity, as well as access standard and customizable reports on security-related user activities.
DataThread tracks changes to databases, centralizes and automates data-policy enforcement without requiring program changes to existing applications, notifies appropriate personnel of changes, and meets compliance requirements for all domestic and international regulations that require monitoring of IBM i data access and user activity.
Kisco Information Systems
Kisco's iFileAudit lets users track data updates and changes to files on a user-by-user, file-by-file, and field-by-field basis. The product includes a Web browser interface, a notation feature, and the ability to track file-read actions for user-selected files. It produces audit reports on a global or selected basis.
Compliance Monitor provides a single console view with a GUI, multiple reporting options, the ability to see all security events within the security audit journal (QAUDJRN), audit-data compression, and the ability to schedule assessments around production jobs. It also enables audit reporting and inspection of security-policy compliance with SOX, PCI, and other regulations and standards.
Interact monitors more than 500 system security events in real time and sends them to a system log in real time for later analysis or troubleshooting. Examples include QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events. Interact parses and simplifies audit journal entries so nontechnical users can read them and can filter system events by date, time, user, IP address, and other criteria.
iSecurity Audit is a suite of 16 products designed to help with all facets of IBM i security concerns. Audit is the suite member most directly responsible for monitoring and reporting all activity on the system, as well as providing real-time server security and detailed audit trails. iSecurity Audit documents all QAUDJRN file activity, offers an interface for managing all QAUDJRN parameters, provides GUI-based drilldown tools for activity statistics and histories, collects and displays all changes in user profiles, and generates more than 200 standard status reports.
iSecurity Visualizer is the iSecurity suite member that handles graphical representation and analysis of audit log (and firewall log) data. It assists with investigations of problems and lets users query log files of any size.
Safestone's Compliance Center for i provides a query-based reporting solution for machines running i5/OS and AIX that automates the data collection and conversion into reports of audit, compliance, and security events. The product can generate reports for a single compliance objective (e.g., PCI DSS, SOX) and reports on a regularly scheduled basis.
Managed Services for Compliance Reporting is a monthly service for i machines running i5/OS and AIX. It includes licenses for Policy Minder and Risk Assessor, monthly monitoring of five important security topics, and an annual inspection by Skyview personnel for compliance problems.
SkyView Audit Journal Reporter generates predefined and auditor-ready reports based on events recorded in QAUDJRN. It helps reduce the time needed to provide non-technical reports on system events for auditor use and produces ongoing reports as necessary to help users investigate compliance issues.
SkyView Policy Minder for IBM i and i5/OS automates security policy compliance and documentation. Examples of features include automatic checking of system settings (e.g., user profiles, libraries, objects, directories, authorization lists), security policy documentation via template-based and customized settings, and report generation on multiple aspects of security policy. A version for machines running AIX is also available.
SkyView Risk Assessor provides an analysis of more than 100 system risks from the point of view of an external expert. Designed to provide the basis for a security audit of IBM i machines, Risk Assessor also helps evaluate enterprise compliance with PCI, HIPAA, and other standards.
SkyView Security Compliance Solution is a reporting application for IBM i that automates generation of security compliance reports. Standard reports include documents on system risk assessment, inactive profiles, users with default passwords, profiles having special authorities, system values settings, and access controls on files and directories containing sensitive information.
Tango/04 Computing Group
Tango/04 Data Monitor audits transactions performed on specific records and fields in DB2/UDB databases. It provides audit trails of all activity to satisfy