The box we love is well-known for its excellent security, but ensuring that tight security requires a little planning, effort, and knowledge.
Editor's note: Last month, we published the first part of this very comprehensive article, which included interviews with prominent security vendors who addressed the issues IBM i shops face today. Today, we finish it up with the rest of the list of vendors and products that we started last month.
Identity Forge, an IDMWorks Company
Advanced Adapter for IBM System i
The Advanced Adapter for IBM System i provides a standard and seamless interface between applications and identity infrastructures to the IBM i Security Manager to support automated provisioning, reconciliation, compliance attestation, and other functions. The adapter acts as a trusted virtual administrator, performing tasks such as creating login IDs, changing passwords, managing file access, and supporting custom command calls.
DataThread captures all changes to target databases and records them in an auditable database of its own. It lets one or multiple end users electronically sign changes to data to facilitate workflow environments, is scalable to any System i environment, and can combine data from multiple systems into a single report or GUI. It is also designed to meet U.S. Food and Drug Administration Part 11 requirements for auditability.
Kisco Information Systems
The iFileAudit product logs and tracks data updates and file changes to System i objects. The product records which user profiles and programs made the change and what the changes were. It also tracks file-read operations with custom filtering and produces audit reports that show global or selected data for each change.
SafeNet/i guards System i servers from unauthorized access via network connections. It logs all requests, limits access to server functions based on user profiles, and gives system managers control over exit-processing for applications. It lets managers limit use of server commands and functions and restrict Internet use to enterprise-defined IP addresses. The product is available in Lite, Basic, Advanced, and Enterprise versions.
ScreenSafer/400 is a security tool that takes control of unattended workstations during idle time, restricting access to information and functions to the user logged on to the device. In addition, the product doesn't terminate users during workstation idle time, but instead makes any displayed information illegible to passersby.
Liaison Exchange i
Liaison Exchange i is a suite of products for handling secure file-transfer, connectivity, and Internet electronic data interchange (EDI) transactions for System i. It lets administrators manage file-transfer scripts and activities. The product also protects data transmissions between machines and business partners and provides error notifications and other reports.
Liaison Protect is an encryption product for data at rest in databases, applications, and backup storage. It features centralized key management, user choice between two data-protection methods, and complete audit logging.
Crypto Complete is a data-protection system for database fields, IFS files, and backups. It protects sensitive data via multiple strong encryption algorithms (e.g., AES128, AES192, AES256, TDES) at the field level and lets administrators rotate keys without having to change applications or re-encrypt data. It also provides encryption-key creation, management, and auditing features.
GoAnywhere Director is a managed file-transfer solution that automates data retrieval, translation, encryption, compression, and distribution. It automates FTP processes, exchanges data with HTTP and HTTPS servers, connects to many leading database servers, and includes a scheduler.
Although primarily a database and file editor, Surveyor/400 includes security features that protect System i databases from unauthorized access via Open Database Connectivity (ODBC). Surveyor/400 lets administrators restrict access to libraries and database files, fields, and records to prevent unauthorized or accidental changes and deletions.
NetIQ Change Guardian
NetIQ Change Guardian is designed for servers running Linux. It is a privileged-user activity and change-monitoring solution that helps companies detect and respond to potential threats in real time through intelligent alerting of unauthorized access and changes to critical files, systems, and applications.
PSAudit runs on IBM i servers and reports security exposures caused by user profiles, files, objects, and system values. It monitors access to sensitive data, tracks specific user access to System i machines, and analyzes changes over time to libraries, documents, program temporary fixes (PTFs), and network and device configurations.
PSDetect monitors System i servers for specific system and security events and sends alerts to the appropriate personnel. For example, it notes whether the system is running low on particular resources (such as disk space), whether someone is trying to access the system with an invalid password, and whether the auditing level of the system has been changed.
NetIQ PSSecure secures network access to i servers by enforcing rules over when and how access to an object is allowed and who has that authority. It securely manages user activity through enhanced object-level security, governing what a user can do while on the system, and enhanced privileged delegation for job-specific and time-specific activities. It also simplifies user administration and profile management by synchronizing user profiles and passwords across multiple servers.
NetIQ Secure Configuration Manager
Secure Configuration Manager audits system configurations and compares them to corporate policies, previous configurations, and other systems to help identify problems, meet compliance obligations, automate some security operations, and enable the best allocation of security resources.
PowerTech Group, Inc.
Authority Broker attacks the problem of power users with special authorities who have too much power. By letting security officers reduce the number of user profiles with special authorities, enabling certain users to adopt higher authorities only in particular situations, and generating alerts if a user's authority changes, the product helps enterprises avoid excessive authority proliferation.
Network Security monitors traffic through i5/OS exit points, which enables system managers to control data access from client machines, audit end user access to network services, and close security loopholes not handled by traditional menu-based security methods. The product features a browser interface.
Raz-Lee's iSecurity is a suite of 20 products that provides a broad spectrum of help for System i security concerns. Product modules identify security breaches and activate automated responses to them, provide antivirus protection, assess system security, and offer reporting and auditing facilities. Other modules control user authorities, track and monitor suspicious users, enable multiple-system monitoring from a central console, prevent intrusions, control password activity, mask sensitive data, and analyze system-log data.
Safestone, a HelpSystems Company
Agent for RSA SecurID
Agent for RSA SecurID for IBM i users enables two-factor authentication that uses both passwords and hardware authenticators. Administrators can apply the agent for initial access or use of networked access points (e.g., FTP, ODBC) and have the flexibility to use the agent regularly or on a selective basis.
Compliance Center is a query-based reporting system that collects data about security events and compiles them into compliance reports. Data collection includes network events, object authorities, user profiles, privileged user actions, QAUDJRN entries, SQL commands, QHST log entries, and system values.
iConnect lets users monitor, capture, and send IBM i security events to any Security Information and Event Management (SIEM) console. It converts raw security data from QAUDJRN and QHST files into relevant security event information. iConnect covers over 300 IBM i events, including network access, object changes, user profiles, systems security journal entries, and SQL command use.
Multiple Systems Administrator (MSA)
MSA works with all Safestone Security Manager modules to centralize administration of networked IBM i servers and partitions through a single point of control. From one designated machine, administrators can set up, deploy, and manage the security configurations of all networked systems to control security auditing and reporting, manage network traffic, sync profile access authorities and passwords, centrally monitor remote event notification, consolidate selected reports, and utilize single sign-on capability.
Network Traffic Controller
Network Traffic Controller monitors and controls up to 34 exit points (e.g., FTP, ODBC, TELNET) on IBM i servers. The module lets administrators customize how and when users access the system via remote connections, records all transactions to a secure repository (separate from QAUDJRN), and enables creation of access rules by user, group, library, object, or IP address.
Password Self Help
Password Self Help lets IBM i users reset their own passwords without requiring the assistance of a help desk. The utility also presents users with challenge questions to verify their identity and resets approved new passwords automatically.
Powerful User Passport
Powerful User Passport enables system administrators to limit the number of powerful users and provide a full audit trail of their activities. Administrators predefine which users are permitted a temporary higher level of authority. Users swap into this powerful profile only when needed for a specific period of time, and comprehensive reports on all swap activity are available for management and auditors.
User Profile Manager
User Profile Manager provides centralized user profile management across entire IBM i environments by controlling the user lifecycle, only allowing access to system resources relevant to a user's role, and instituting best practice standards for access control.
Shield Advanced Solutions
FTP Guard 4i
FTP Guard 4i helps administrators restrict access to FTP functions and log FTP activity while providing a user-friendly GUI that lets authorized users employ FTP for legitimate purposes.
SkyView Partners, Inc.
SkyView Audit Reporter for IBM i and i5/OS
SkyView Audit Journal Reporter generates predefined, auditor-ready reports based on events recorded in QAUDJRN. It can provide ongoing compliance reports or provide a means of investigating issues discovered by SkyView Policy Minder.
SkyView Policy Minder for IBM i and i5/OS
SkyView Policy Minder automates security policy compliance and documents security implementation with templates. It automatically checks compliance for user profiles, objects, libraries, directories, and other system attributes and objects and then reports on discrepancies without requiring human analysis of data.
SkyView Policy Minder OPEN
SkyView Policy Minder OPEN provides the features of Policy Minder for IBM i and i5/OS for servers running IBM AIX, Red Hat Enterprise Linux, Oracle Linux, and other operating systems.
SkyView Risk Assessor for IBM i
Risk Assessor automates analysis of more than 100 risk points in a system to provide a risk assessment from an objective, third-party view. It generates a report that specifies compliance shortfalls.
SoftLanding Systems, Inc., a division of UNICOM Global
CENTRAL for iAccess v100
CENTRAL for iAccess controls access to System i applications via menu systems across one or multiple servers. CENTRAL for iAccess lets administrators restrict access to sensitive options, standardize management of all application menus, and use application exit points to customize menu-administration tasks. It also lets managers delegate administration of application menu systems to nontechnical personnel if desired.
CENTRAL for iMenu V100
CENTRAL for iMenu V100 provides secure menu-management capabilities across one or more IBM i servers. Administrators can enroll any number of users and manage what each one does, while the end users see only the options they're authorized to use.
Fortress/400 prevents unauthorized access to data and server functions from client machines. It uses the exit program facilities of i5/OS, records activity to a separate security database, provides a GUI, recognizes group and *PUBLIC authorities, and records an audit trail of all remote instructions.
Symantec IT Management Suite
Symantec IT Management Suite operates on IBM i servers running AIX, Linux, Microsoft SQL Server, and Windows to provide centralized security and other server management features, software license audits, end-user self-service, IT asset-tracking reports, patch and mobile-device management, and secure software distribution services.
System Support Products, Inc.
Screen Manager II
Screen Manager II addresses the problems of signed-on workstations that are left unattended and inactive jobs that consume system resources uselessly. The product lets administrators manage inactive jobs by multiple criteria and specify actions (such as disconnection) after a specific time interval. It maintains a security log of actions for auditing.
Tango/04 Computing Group
Tango/04 Data Monitor
Tango/04 Data Monitor helps detect and resolve security breaches of data in real time by auditing all read, insert, update, and delete transactions performed on records and fields in DB2 UDB databases on IBM i servers.
Alliance AES/400 is a system of strong encryption for databases, unstructured data, reports, and offline storage. It includes facilities for managing encryption keys, encrypting backup media and spooled files, and logging compliance activities.
Alliance FTP Manager
Alliance FTP Manager automates and secures tasks involved with exchanging database files, IFS files, and spooled files between IBM i servers and other platforms.
Alliance Key Manager for IBM Cloud
Alliance Key Manager for IBM Cloud is a centralized encryption-key management solution for enterprises operating in the cloud. Features include backup and recovery, data encryption that meets major data-security standards, and key-management tools.
Alliance Key Manager for IBM PureSystems
Alliance Key Manager for IBM PureSystems offers full-lifecycle encryption-key management for any encryption library, on-board encryption services, and features similar to Alliance Key Manager for IBM Cloud on PureSystems servers.
Alliance LogAgent for IBM i
Alliance LogAgent for IBM i collects security events and places them in a log server for consolidation with security event information from other enterprise platforms. It translates QAUDJRN and QHST entries to a common log format and can handle more than 800 log entries per second.
Alliance LogAgent Suite for IBM i
Alliance LogAgent Suite for IBM i lets administrators monitor the health and security of their servers. Among other features, users can monitor file read or change access by column, detect and alert administrators to changes in configuration files and sensitive data, set floor and ceiling values for events, and route file integrity events to QAUDJRN or SIEM applications.
Alliance Secure TCP for the IBM i
Alliance Secure TCP for the IBM i offers secure TCP sockets data transfers between i servers and other internal and external platforms. It uses the native IBM i Digital Certificate Manager to create and distribute SSL certificates, provides preconfigured interfaces for passing data to other OSs, and provides an option for 128-bit SSL/TLS encryption.
Alliance Token Manager for IBM i
Alliance Token Manager for IBM i helps protect sensitive data by replacing it with a token that maintains the data's original characteristics but doesn't include data values. If the tokens are lost, the sensitive data remains safe. The product also includes a masking option for contents of data fields.
Alliance Token Manager for IBM PureSystems
Alliance Token Manager implements tokenization on IBM PureSystems servers. It provides an independent and encrypted repository accessible by authorized applications and can be used by enterprise and customer users to provide a secure, scalable token repository.
Alliance Two Factor Authentication
Alliance Two Factor Authentication offers a method of implementing two-factor authentication mechanisms based on voice and mobile SMS text technologies for IBM i servers.
PGP File Encryption
The product provides a native i5/OS version of the PGP file-encryption algorithm. It protects sensitive data, automates encryption procedures, and provides encryption key-management features.
Valid Secure System Authentication (VSSA)
VSSA is a biometric user-authentication system that uses USB-attached sensor peripherals to validate user identities based on their fingerprints. Users undergo an enrollment process that creates a unique biometric template, which is encrypted so that no actual user fingerprints are stored on the system. Once enrolled, users can log on to any networked system without using passwords.