Despite the built-in protections and reliability of the i5/OS operating system, enterprises using it want more security. More than 50 products profiled below are competing for System i user dollars.
Ah, security. In the post-9/11 world, is there anything so universally sought with so little agreement on how to reach the goal? Or perhaps it's more correct to say, with so little agreement on what the goal really is? In computing--no less than in real life--the very idea of security has come to be an overriding concern even as the concept of what it constitutes becomes more and more diffuse.
The concept of security today encompasses such diverse functions as encrypting data for transmission between systems, protecting data from unauthorized viewing, controlling user access and privileges on a system, analyzing and auditing the current state of a server's security, and protecting a system from viruses and other malware.
Many products offer some form of security protection for iSeries/System i/IBM i servers, though each one offers its own set of features. These products help in a variety of ways, ranging from solutions that focus on a single concern (such as preventing abuse of unattended workstations) to suites that offer the entire spectrum of security analysis, protection, and compliance auditing for Sarbanes-Oxley and the whole alphabet soup of laws and regulations designed to protect an enterprise's information assets. Generally speaking, because so many product functions overlap, it's difficult to break the offerings into sharply delineated subgroups of the security function pie, so all are presented here as one group.
Below is a quick summary of the major players and software products available in System i security software. Because of the sheer number of products, this article covers only software (there are myriad hardware products for protecting systems and networks to which System i machines may be connected) and focuses only on solutions for the System i OS. These descriptions also cover only products from the companies that originally produced them. For example, a number of additional companies resell some of the solutions named below, but those resellers aren't listed because they are not the product originators. Similarly, some security products offered by some vendors aren't listed because they are actually offered in cooperation with another vendor's product that is listed independently. An example is PowerTech Group's Encryption product, which, although it has its own name in PowerTech's product list, is actually Patrick Townsend Security's AES Encryption product offered under a cooperative agreement between the two companies.
Each product includes the vendor name, the product name, a link to more information about each product, and a brief description. These descriptions are in no way complete information about the products; they are just summaries of major features to help you decide where to focus your own research efforts first.
Applied Logic Corporation
Pro/Encrypt uses encryption algorithms to protect System i data for secure backup and storage, file transfer, or physical transport. The function can run interactively or in batch, can use up to 256-bit encryption, can encrypt single files or whole libraries, and uses a symmetric key or pass phrase for decryption.
iSecure is a utility that provides end users with self-service user-profile and password-reset functions, letting them bypass the help desk for these common requests. Users can review password change rules and set challenge questions that are later used to verify their identities. The product lets QSECOFR determine which functions users may access, logs all actions for later review, and provides an administrator-only menu.
Bsafe Information Systems, Ltd.
Bsafe/Enterprise Security
Bsafe/Enterprise Security is a suite of products that helps administrators control access to applications, data, and ports; manages user profiles and object authorizations; audits system, application, file, and SQL statement use; and generates online reports of security definitions, sensitive authorities, system values, and other security attributes.
Bsafe Policy Compliance Manager
Bsafe Policy Compliance Manager helps administrators create, document, and maintain security policies for an organization by creating templates embodying goals and then automatically comparing them to actual system conditions.
Bsafe Security Assessment
Security Assessment carries out automated penetration attacks on System i servers and generates analysis reports on weaknesses, currently defined security policies, and deviations from recommended system values. It also details application server protections and maps system ports and their activities.
Bsafe Sensitive Field Masking
Field Masking restricts access and display of fields the administrator defines as sensitive but without requiring any changes to applications that must use the data. Masked files reside in a special library but are automatically synchronized with the original files.
Bugbusters Software Engineering, Inc.
A la Carte Menu and Security System (ALC)
ALC lets administrators control access to applications and objects via a menu system based on i5/OS user and group profiles, *PUBLIC authorities, and authorization lists.
Busch & Partner
PCSACC400 is a database access-control application that limits the damage PC users can do to System i data on systems that rely on menu-based application controls, which PC clients can bypass. It provides a range of object-level security protections based on its own subset of i5/OS authorities, monitors SQL query use, and provides user interfaces in either English or German.
StandGuard Anti-Virus uses a McAfee engine to detect and remove viruses that may have taken up residence on a System i. The product offers automatic updates of virus definitions and both green-screen and GUI interfaces. It also lets users manage multiple machines from a single console.
StandGuard Network Security
StandGuard Network Security provides network access control for System i environments. It protects all exit points, secures more than 120 server functions, and supports both public and private authorities.
Califon Systems, Inc.
Califon Systems Audit Module
Califon's Audit module logs changes to non-database system objects, such as those generated by program recompilation or changes to system values.
Califon Systems Password Synchronization
Password Synchronization software lets users have a single password for multiple System i machines.
Califon Systems Security Module
The Security Module protects System i data from unauthorized access by any client machine.
Centerfield Technology, Inc.
Insure/SECURITY helps security officers protect application data from unauthorized access and changes without requiring modification of enterprise applications. Officers can apply rules at the *PUBLIC or group level, set different rules for different times of the day, and restrict or lock down access methods such as FTP.
CONTROLER secures the System i against misuse of Client Access, FTP, ODBC, and Telnet access to server data. It lets system managers define the commands remote users can access and limit their use in specific ways. It also audits use of SQL and other query engines.
AZScan is a PC-based program that can analyze midrange system security, including System i machines running i5/OS, AIX, and Linux. It performs 53 tests and doesn't require users to load any software on the System i.
GFM Consulting, Inc.
GFM Security Evaluator
The GFM Security Evaluator lets auditors and managers independently evaluate System i security without having to use the i5/OS Security Officer user profile. The menu-driven utility analyzes user profiles and activity, libraries, passwords in use, and use of critical commands.
Robot/SECURITY is part of Help/Systems' Robot automated operations suite. It helps security officers protect the System i from abuse by overly powerful user profiles, monitor exit and access points to systems (e.g., FTP, ODBC), audit system security configurations, monitor QAUDJRN, research security activities, and automate security reporting.
HiT Software, Inc.
SafeConduct uses SSL and 256-bit data encryption to protect access to sensitive data being transmitted across a LAN, WAN, or VPN. It provides node-to-node authentication to ensure the recipient is valid, requires no changes to application code, and provides a Windows-based audit log.
IBM's Secure Perspective product helps system administrators establish and monitor system-security policies for IT machines that use i5/OS, Windows, and AIX. Managers can use this Java-based tool to write policies in a natural language format rather than programmatically, implement the policies with a single click, roll back policies to a previous version if necessary, and verify enforcement via reports.
Identity Forge LLC
IBM i5 Advanced Adapter for IdF
Identity Forge (IdF) is a suite of user authorization and authentication products based on the Lightweight Directory Access Protocol (LDAP) and Microsoft's Active Directory; IdF supports the System i via the IBM i5 Advanced Adapter. IdF host agents complement directory services and identity- and access-management applications, monitor system events, and generate audit records of security events.
DataThread captures all changes to target databases and records them in an auditable database of its own. It lets one or more end users electronically sign changes to data to support workflow environments, is scalable to any System i environment, and can combine data from multiple systems into a single report or GUI. It is also designed to meet the auditability requirements of the U.S. Food and Drug Administration's 21 CFR Part 11.
Kisco Information Systems
The iFileAudit product logs and tracks data updates and file changes to System i objects. The product records which user profiles and programs made the change and what the changes were. It also produces audit reports that show global or selected data for each change.
SafeNet/400 guards System i servers from unauthorized access via network connections. It logs all requests, limits access to server functions based on user profiles, and gives system managers control over exit-processing for applications. It lets managers limit use of server commands and functions and restrict Internet use to enterprise-defined IP addresses. The product is available in Lite, Basic, and Advanced versions.
ScreenSafer/400 is a security tool that takes control of unattended workstations during idle time, restricting access to information and functions to the user logged on to the device.
Crypto Complete is a data-protection system that protects sensitive data via multiple strong encryption algorithms at the field level. It provides encryption-key management and auditing features as well.
PSAudit reports security exposures caused by user profiles, files, objects, and system values. It monitors access to sensitive data, tracks specific user access to System i machines, and analyzes changes over time to libraries, documents, program temporary fixes (PTFs), and network and device configurations.
PS Detect monitors System i servers for specific system and security events and sends alerts to the appropriate personnel. For example, it can alert when the system is running low on a particular resource, such as disk space, when someone is trying to access the system with an invalid password, or when the auditing level of the system has been changed.
NetIQ Secure Configuration Manager
Secure Configuration Manager audits system configurations and compares them to corporate policies, previous configurations, and other systems to help identify problems, meet compliance obligations, and enable the best allocation of security resources.
NetIQ Security Manager
Security Manager automates security activities such as activity reviews, log preservation, threat management, incident response, and auditing system changes. The product includes a built-in knowledge base, consolidates security information in a central location, and aids troubleshooting.
NuBridges Exchange is a suite of products for handling secure file transfer, connectivity, and Internet electronic data interchange (EDI) transactions for System i. It lets administrators manage file-transfer scripts and activities and protect data transmissions between machines and business partners, and it provides error notifications and other reports.
NuBridges Protect is an encryption product for data at rest in databases, applications, and backup storage. It features centralized key management, user choice between two data-protection methods, and complete audit logging.
Palace Guard Software
Secure/Audit logs all system events (e.g., file accesses and changes, print operations) and lets security officers access the data via visual displays and reports. It enables queries against the information as well.
Designed to enhance client/server security, Secure/Net+ restricts access to server functions by all users, performs a series of checks against incoming client requests for system services, and provides an audit trail of all monitored activities. The product recognizes group and *PUBLIC authorities and operates in cooperation with i5/OS security features.
Patrick Townsend Security Solutions
Alliance AES Encryption for System i
Alliance AES Encryption for System i is a system of strong encryption for databases, unstructured data, reports, and offline storage. It includes facilities for managing encryption keys, encrypting backup media and spooled files, and logging compliance activities.
Alliance All-Ways Secure
Alliance All-Ways Secure is a secure environment in which System i users can operate FTP. It automates and logs all tasks associated with exchanging database, IFS, and spooled files between a System i and remote systems. Data exchanges are protected with PGP, Secure FTP, or Secure Shell (SSH).
Alliance LogAgent for System i
Alliance LogAgent helps users meet compliance objectives by collecting logs from the System i QAUDJRN, the system operator message queue, and the QHST system history file. LogAgent can process more than 800 events per second and lets users slice and dice the resulting data in a variety of ways.
PowerTech Group, Inc.
Authority Broker addresses the problem of user profiles that carry more special authority than their jobs require. By letting security officers reduce the number of user profiles with special authorities, allowing certain users to adopt higher authority only in particular situations, and generating alerts if a user's authority changes, the product helps enterprises avoid the proliferation of excessive authority.
Compliance Monitor consolidates compliance data from multiple systems and presents it either in a GUI or as a report in PDF or Microsoft Excel format. The product collects all security-related events from QAUDJRN, compresses the data automatically, and presents for review only those events that don't comply with established security policies.
Interact monitors QAUDJRN, exit programs, messages from QSYSOPR and QSYSMSG, and other system events and sends them to a system log in real time for later analysis or troubleshooting. It parses and simplifies audit journal entries so nontechnical users can read them and can filter system events by user, IP address, date, time, and other criteria.
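PS Detect and Interact, as described above, both boil down to reading QAUDJRN entries and raising alerts on patterns such as repeated invalid-password attempts or a change to the auditing system values. The following Python is an added example written for this article, not code from any vendor listed here: it runs that kind of detection logic over a small constructed export of audit journal entries. The column order (JOTSTP, JOCODE, JOENTT, JOUSER, JOJOB, JOESD) follows the DSPJRN outfile field names, but the pipe-delimited layout and the assumed contents of the entry-specific data for PW and SV entries are simplifications made for the example; a real deployment would read the actual entry layouts for its OS release.

```python
"""Detection over constructed IBM i audit journal (QAUDJRN) entries."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple

# Constructed sample export, one audit entry per line, with the columns
# JOTSTP | JOCODE | JOENTT | JOUSER | JOJOB | JOESD pulled from a
# DSPJRN ... OUTPUT(*OUTFILE) dump. The JOESD layouts are assumptions
# made for this example:
#   PW entries: a 1-char violation type ('P' = password not valid,
#               'U' = user profile not valid) followed by the user name tried
#   SV entries: the name of the system value that was changed
SAMPLE_EXPORT = """\
2008-03-14-09.15.01|T|PW|QTCP|QTFTP00123|PJSMITH
2008-03-14-09.15.04|T|PW|QTCP|QTFTP00123|PJSMITH
2008-03-14-09.15.09|T|PW|QTCP|QTFTP00123|PJSMITH
2008-03-14-09.16.30|T|PW|QTCP|QTFTP00124|UNOBODY
2008-03-14-10.02.11|T|SV|ADMIN1|QPADEV0001|QAUDLVL
2008-03-14-10.05.00|T|PW|QTCP|QTFTP00125|PJSMITH
2008-03-14-10.06.00|T|SV|ADMIN1|QPADEV0001|QTIME
"""

# System values whose modification weakens or disables auditing or the
# security level, and therefore deserves an alert whoever changed them.
SENSITIVE_SYSVALS = {"QAUDCTL", "QAUDLVL", "QAUDLVL2", "QAUDENDACN",
                     "QAUDFRCLVL", "QSECURITY"}


class AuditEntry(NamedTuple):
    when: datetime
    code: str    # JOCODE: 'T' marks audit-trail entries
    etype: str   # JOENTT: 'PW', 'SV', ...
    user: str    # JOUSER: the user profile of the job that wrote the entry
    job: str     # JOJOB
    esd: str     # JOESD: entry-specific data


class Alert(NamedTuple):
    kind: str
    subject: str
    detail: str
    when: datetime


def parse_entries(text: str) -> List[AuditEntry]:
    """Parse the pipe-delimited export into entries sorted by timestamp."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, code, etype, user, job, esd = line.split("|", 5)
        entries.append(AuditEntry(datetime.strptime(ts, "%Y-%m-%d-%H.%M.%S"),
                                  code, etype, user, job, esd))
    return sorted(entries, key=lambda e: e.when)


def detect(entries, threshold=3, window=timedelta(minutes=5)) -> List[Alert]:
    """Alert on bursts of sign-on failures per target user and on changes
    to auditing/security system values."""
    alerts: List[Alert] = []
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    for e in entries:
        if e.code != "T":
            continue
        if e.etype == "PW":
            violation, target = e.esd[0], e.esd[1:11].strip()
            q = recent[target]
            q.append(e.when)
            while q and e.when - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) == threshold:               # fire once as the burst crosses the line
                alerts.append(Alert("PASSWORD_FAILURE_BURST", target,
                                    f"{threshold} failures (last type {violation}) "
                                    f"within {window} from job {e.job}", e.when))
        elif e.etype == "SV":
            sysval = e.esd.strip()
            if sysval in SENSITIVE_SYSVALS:
                alerts.append(Alert("AUDIT_CONFIG_CHANGE", sysval,
                                    f"changed by {e.user} in job {e.job}", e.when))
    return alerts


def run_sample() -> List[Alert]:
    return detect(parse_entries(SAMPLE_EXPORT))


if __name__ == "__main__":
    for a in run_sample():
        print(a.when.isoformat(), a.kind, a.subject, a.detail)
```

On the sample data the three JSMITH failures within eight seconds produce one burst alert, the later single failure at 10:05 does not (the earlier entries have aged out of the five-minute window), the QAUDLVL change is flagged, and the QTIME change is ignored. Keying the burst counter on the user name that was tried rather than on JOUSER matters: for network sign-ons the job user is typically the server's own profile (QTCP in the sample), so counting by JOUSER would lump every attacker's attempts together and miss per-account patterns.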
Network Security monitors traffic through i5/OS exit points, which enables system managers to control data access from client machines, audit end user access to network services, and close security loopholes not handled by traditional menu-based security methods.
Raz-Lee's iSecurity is a suite of products that provide a broad spectrum of help for System i security concerns. Product modules identify security breaches and activate automated responses to them, provide antivirus protection, assess system security, and offer reporting and auditing facilities. Other modules control user authorities, track and monitor suspicious users, enable multiple-system monitoring from a central console, prevent intrusions, control password activity, mask sensitive data, and analyze system-log data.
DetectIt - Security Manager
DetectIt offers individual modules for assessing risks and system security compliance, detecting intrusions, managing and auditing activities of ordinary and power users, controlling exit-point traffic, and centralizing multisystem operations. It also includes automated password self-help for end users.
SkyView Partners, Inc.
SkyView Policy Minder for IBM i and i5/OS
Policy Minder automates security policy compliance and documents security implementation with templates. It automatically checks compliance for user profiles, objects, libraries, directories, and other system attributes and objects and then reports on discrepancies without requiring human analysis of the data.
SkyView PolicyMinder for Real Time Add-on powered by DataThread
The Real Time Add-on product uses Innovatum's DataThread product to provide real time administrator notification of security events.
SkyView Risk Assessor for IBM i and i5/OS
Risk Assessor automates analysis of more than 100 risk points in a system to provide a risk assessment from an objective, third-party view. It generates a report that specifies compliance shortfalls.
SoftLanding Systems, Inc.
SoftMenu is a security product for companies that control access to applications via menu systems. SoftMenu gives administrators the ability to control access to sensitive options, standardize management of all application menus, and use application exit points to customize menu-administration tasks. It also lets managers delegate administration of application menu systems to nontechnical personnel if desired.
Fortress/400 prevents unauthorized access to data and server functions from client machines. It uses the exit program facilities of i5/OS, records activity to a separate security database, provides a GUI interface, recognizes group and *PUBLIC authorities, and records an audit trail of all remote instructions.
System Support Products, Inc.
Screen Manager II
Screen Manager II addresses the problems of signed-on workstations that are left unattended and inactive jobs that consume system resources uselessly. The product lets administrators manage inactive jobs by multiple criteria and specify actions (such as disconnection) after a specific time interval. It maintains a security log of actions for auditing.
Tango/04 Computing Group
Tango/04 Data Monitor
Data Monitor watches for security breaches affecting data via real-time auditing and logging of read, insert, update, and delete transactions carried out against DB2/UDB databases. Features include masking of sensitive fields, custom selection of fields for auditing, and the ability to incorporate data from old journal receivers.
VISUAL Security Suite (VSS)
VSS provides real-time auditing of user activity on the system and helps administrators establish and maintain control policies via wizards and analyze their business effects. Available product extensions add exit-point security, monitor library and log files in real time, and protect TCP/IP services.
Teamstudio Security Manager
Teamstudio Security Manager supports Lotus Notes/Domino environments on the System i to provide automated access control list management for end users. It also provides managers with an enterprise-wide view of security settings that can be parsed in more than 70 ways (e.g., by application, username, access level, server) and generates detailed reports and audit trails.
Valid Secure System Authentication (VSSA)
VSSA is a biometric user-authentication system that uses USB-attached sensor peripherals to validate user identities based on their fingerprints. Users undergo an enrollment process that creates a unique biometric template, which is encrypted so that no actual user fingerprints are stored on the system. Once enrolled, users can log on to any networked system without using passwords.