File Integrity Monitoring techniques prevent unauthorized configuration and data changes from occurring unnoticed.
File Integrity Monitoring (FIM) helps ensure that your critical and sensitive data is viewed and changed only by authorized personnel through approved channels. Candidates for FIM include application files containing sensitive data, such as personnel or financial data, and server configuration files. FIM is a requirement of several regulatory standards, including the Payment Card Industry Data Security Standards (PCI DSS).
Baseline Validation vs. Real-time Monitoring
There are two main techniques for monitoring file integrity.
Baseline validation can be an effective method for determining that a configuration file has been altered from its desired state. Taking a copy of the file—typically after any authorized change—establishes the baseline. Comparing the current file to the baseline determines whether there are any discrepancies (although the source and timing of the event that caused the discrepancy may remain unknown).
Real-time monitoring doesn't require a baseline, as it monitors for changes as they occur. While this methodology can affect performance, its benefits can be significant. Notification of non-compliance is usually timelier than updates with occasional baseline validation; plus, real-time monitoring will record an event even if the file is returned to its desired state prior to the next validation.
Depending on the nature of the file and the data, the best approach is to utilize both methodologies. Both methods require someone to be responsible for reviewing changes to determine whether they were authorized.
FIM on IBM i
Compared to some operating systems, IBM i doesn't rely heavily on files for its configuration. Instead, many of the controls that dictate how the server will operate are managed through system values. The IBM i auditing facility records when system values are altered, so the job of the security officer becomes watching for when those events occur and whether the change leaves the server non-compliant.
Monitoring changes to database files, which typically hold an application's configuration and data, can be accomplished using facilities provided by the operating system (compare physical file member, triggers, journaling). But while these facilities are part of a successful FIM infrastructure, they are not designed for that purpose, and each has specific shortcomings when used alone.
PowerTech FIM Solutions
PowerTech has designed a portfolio of solutions that leverage and extend the core features of IBM i. Many provide specific benefits to an organization embarking on a FIM initiative.
- DataThread—Built on an operating system foundation, DataThread monitors files in real time for unauthorized activities—regardless of their source—including field-level changes made through low-level utilities like DFU. Real-time email alerts, electronic signatures, and powerful filtering capabilities virtually eliminate false positives caused by approved applications, ensuring no change passes unnoticed. For highly sensitive data, DataThread can notify the instant that data is viewed.
- Network Security—Permissive object-level authority renders IBM i audit controls useless when access originates from client applications like FTP, ODBC, and remote command. Much like an internal firewall, Network Security provides auditing and access control for non-traditional interfaces.
- Compliance Monitor—A highly-scalable compliance and audit reporting solution, Compliance Monitor provides visibility to hundreds of IBM i configuration settings. Forensic reports over event-based audit journal entries are complemented by its impressive baseline validation functions for system values.
- Interact—With visibility to IBM i audit entries—as well as to requests logged by Network Security—Interact facilitates real-time notification to an enterprise syslog sever or messaging solution. The source-filtering capabilities of Interact ensure that only important events are escalated.
Conclusion and Next Steps
Timely reaction to unauthorized changes can mean the difference between an attempted breach and an actual breach. Combining IBM i with PowerTech solutions makes it viable to monitor and alert on unusual activity—even if your configuration suffers from overly powerful users or open public access.
Are you considering a FIM initiative? The following process can help you implement smoothly:
- Determine if FIM is mandated.
- Identify and locate sensitive data.
- Identify critical configuration values.
- Implement PowerTech solutions to monitor and report on non-compliance.
In addition to offering leading security and compliance solutions, PowerTech publishes exclusive content on IBM security. Its new white paper on adopting FIM requirements for IBM i discusses in greater detail how security products can simplify your FIM initiative. For the white paper and more information on PowerTech solutions, visit www.powertech.com.