Do my system users have more authority than necessary? How can existing profiles quickly be brought into compliance?
These are questions that every system administrator and security officer asks at one time or another. Provisioning new user profiles with appropriate authorities is a challenging task—especially when doing so over multiple systems or with a large number of users.
It is time-consuming and, if done incorrectly, user provisioning can lead to security and compliance violations.
Watch this recording to understand:
- The risks associated with special authorities
- The amount of authority a user really needs
- The mechanisms available for determining who possesses special authority
- How PowerAdmin 2.0 can quickly create and maintain profiles
- How PowerAdmin 2.0 can bring existing profiles into compliance
2. (c) 2015 PowerTech, A Division of HelpSystems
Today's Agenda
• Introduction
• The Profile Challenge
• Why Policy Matters
• PowerAdmin Demonstration
• Free Resources
3. Today's Speaker
ROBIN TATAM
Director of Security Technologies
952-563-2768
robin.tatam@powertech.com
4. Today's Speaker
PAUL CULIN
Sr. Information Security Engineer
952-563-2762
paul.culin@powertech.com
5. About PowerTech
• Premier Provider of Security Solutions & Services
– 18 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE Credits for Security Education
• Publisher of the Annual “State of IBM i Security” Report
6. Comprehensive Security Solutions for Power Systems
8. The State of IBM i Security Study
PowerTech uses anonymous audit data from our Compliance Assessment tool to compile an annual study of security statistics.
This study (available online) provides a picture of what IBM i shops are currently doing with their security controls.
And, year after year, it shows that there is definitely still room (and a need) for improvement!
(The study sample consists of security-aware environments.)
9. Special Authorities: What's So Special?
• Special Authorities are only for Administrators!
– *ALLOBJ: Complete control of the system
– *SAVSYS: Save, restore, and delete anything
– *SPLCTL: Complete control of spooled files
– *SERVICE: Alter hardware, storage, and clear disks
– *SECADM: Create and delete user profiles
– *JOBCTL: Manage jobs, PWRDWNSYS, and more
– *IOSYSCFG: Configure communication services, TCP/IP
– *AUDIT: Modify system audit values
• Learn more at: www.helpsystems.com/powertech/managing-privileged-users-ibm
10. 2014 State of IBM i Security Study
11. 2014 State of IBM i Security Study
These are not the fault of the “end” user
13. Legislative Reactions
• Legislatures create laws
– Sarbanes-Oxley, PCI, HIPAA, Gramm-Leach-Bliley, SB1386, and more
• Laws are open to interpretation
– Sarbanes-Oxley Section 404:
• “Perform annual assessment of the effectiveness of internal control over financial reporting…”
• “…and obtain attestation from external auditors”
• Auditors are the interpreters
14. The Auditor's View
• Auditors interpret regulations:
– Auditors focus on frameworks and processes
– Auditors have concluded that IT is lacking when it comes to internal controls
• Executives follow auditor recommendations
15. The Auditor's View
• Distributed Provisioning:
– Ensure that users are created on (and only on) the necessary systems
• Programmers only on-boarded on development partitions
• Rapid deployment of new users in defined roles
• Audit and realignment during profile lifecycle
• Simple end-of-life processing
16. The Auditor's View
• Resolve Inconsistencies:
– Ensure that users are created using a standardized template
• Special authorities
• Command line restrictions
• Initial program and menu
• Accounting code
Applicable to both uni- and multi-partition servers
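As an added illustration of two points in the deck, slide 9's question of who actually possesses special authority and slide 16's standardized template (special authorities, command line restriction, initial program and menu, accounting code), here is a small Python audit script. It is not PowerAdmin or PowerTech code. Each row mirrors a handful of columns a practitioner can pull from the QSYS2.USER_INFO view or from DSPUSRPRF OUTPUT(*OUTFILE) (SPECIAL_AUTHORITIES is a space-separated list, LIMIT_CAPABILITIES carries the LMTCPB value), but the rows themselves are constructed sample data; the role tag on each profile, the role templates, and the "LIB/PGM" shorthand for program and menu names are assumptions made for the example.

```python
"""Added example (not PowerAdmin code): report who holds special authorities and
flag user profiles that deviate from a role template.

Rows mirror a few QSYS2.USER_INFO columns; the data below is constructed, and
the role tag, templates and 'LIB/PGM' shorthand are assumptions for this example.
"""
from dataclasses import dataclass

# The eight special authorities listed on the "What's So Special?" slide.
SPECIAL_AUTHORITIES = frozenset({
    "*ALLOBJ", "*SAVSYS", "*SPLCTL", "*SERVICE",
    "*SECADM", "*JOBCTL", "*IOSYSCFG", "*AUDIT",
})


@dataclass(frozen=True)
class RoleTemplate:
    """What a profile in a given role is supposed to look like (assumed layout)."""
    special_authorities: frozenset
    limit_capabilities: str   # LMTCPB value: *YES, *PARTIAL or *NO
    initial_program: str      # "LIB/PGM" or "*NONE" (simplified to one string)
    initial_menu: str         # "LIB/MENU" or a plain menu name (simplified)
    accounting_code: str


@dataclass(frozen=True)
class Profile:
    """One user profile as exported from the system (assumed layout)."""
    name: str
    role: str                  # assumed: a site-defined role tag for the profile
    special_authorities: str   # space-separated, e.g. "*ALLOBJ *SECADM", or "*NONE"
    limit_capabilities: str
    initial_program: str
    initial_menu: str
    accounting_code: str


def parse_special_authorities(value: str) -> frozenset:
    """Split the space-separated SPECIAL_AUTHORITIES value; *NONE means none held."""
    return frozenset(tok for tok in value.upper().split() if tok != "*NONE")


def special_authority_holders(profiles):
    """Map each special authority that is held to the sorted names holding it."""
    holders = {auth: [] for auth in SPECIAL_AUTHORITIES}
    for p in profiles:
        for auth in parse_special_authorities(p.special_authorities):
            if auth in holders:
                holders[auth].append(p.name)
    return {auth: sorted(names) for auth, names in holders.items() if names}


def check_profile(profile, template):
    """Return the list of deviations from the role template; [] means compliant."""
    exceptions = []
    held = parse_special_authorities(profile.special_authorities)
    extra = held - template.special_authorities
    if extra:
        exceptions.append("extra special authorities: " + " ".join(sorted(extra)))
    missing = template.special_authorities - held
    if missing:
        exceptions.append("missing special authorities: " + " ".join(sorted(missing)))
    for attr in ("limit_capabilities", "initial_program", "initial_menu", "accounting_code"):
        actual, expected = getattr(profile, attr), getattr(template, attr)
        if actual.upper() != expected.upper():
            exceptions.append(f"{attr}: {actual} (template: {expected})")
    return exceptions


def audit(profiles, templates):
    """Return {profile name: [exceptions]} for every non-compliant or unmapped profile."""
    report = {}
    for p in profiles:
        template = templates.get(p.role)
        if template is None:
            report[p.name] = [f"no template for role {p.role!r}"]
            continue
        problems = check_profile(p, template)
        if problems:
            report[p.name] = problems
    return report


# Constructed role templates (assumed for the example, not PowerAdmin's).
TEMPLATES = {
    "ENDUSER": RoleTemplate(frozenset(), "*YES", "APPLIB/MAINPGM", "APPLIB/MAINMNU", "SALES"),
    "OPERATOR": RoleTemplate(frozenset({"*JOBCTL", "*SAVSYS"}), "*PARTIAL", "*NONE", "OPSLIB/OPSMNU", "OPS"),
    "SECADMIN": RoleTemplate(frozenset({"*ALLOBJ", "*SECADM", "*AUDIT"}), "*NO", "*NONE", "MAIN", "SEC"),
}

# Constructed sample export; BJONES and TEMP42 deviate on purpose.
PROFILES = [
    Profile("JSMITH", "ENDUSER", "*NONE", "*YES", "APPLIB/MAINPGM", "APPLIB/MAINMNU", "SALES"),
    Profile("BJONES", "ENDUSER", "*ALLOBJ *JOBCTL", "*NO", "APPLIB/MAINPGM", "APPLIB/MAINMNU", "SALES"),
    Profile("OPER1", "OPERATOR", "*JOBCTL *SAVSYS", "*PARTIAL", "*NONE", "OPSLIB/OPSMNU", "OPS"),
    Profile("SECOFF1", "SECADMIN", "*ALLOBJ *SECADM *AUDIT", "*NO", "*NONE", "MAIN", "SEC"),
    Profile("TEMP42", "CONTRACTOR", "*SERVICE", "*YES", "*NONE", "MAIN", ""),
]

if __name__ == "__main__":
    for auth, names in sorted(special_authority_holders(PROFILES).items()):
        print(f"{auth:10} {', '.join(names)}")
    for name, problems in audit(PROFILES, TEMPLATES).items():
        print(name, "->", "; ".join(problems))
```

A profile with no matching template is reported as an exception rather than silently skipped, because an untagged profile is exactly the kind of "user configuration left to chance" the Summary slide warns about; in a real run the profile list would come from the system rather than from the constructed PROFILES list.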
17. Endless News Reports of Insider Breaches
18. Solution: PowerAdmin
• Template-based management
• Role-based security
• Event history and reporting
• Highlight policy exceptions or unauthorized updates to profiles
19. Why PowerAdmin?
• Government regulators and IT auditors demand accountability.
• Legislatures have created laws that require us to prove that our IT infrastructure is secure.
• Non-compliance penalties range from public disclosure and fines to prison sentences for executives.
• Executives are finally taking IBM i security very seriously.
20. Why PowerAdmin?
• Allows you to reclaim the user lifecycle to ensure a consistent, managed profile environment
– PowerAdmin lets you specify where and how users are deployed.
– PowerAdmin removes the complexity and costs associated with managing profiles across many virtual machines.
– PowerAdmin works with IBM i security to correctly protect assets.
– PowerAdmin audits the configuration of users between their creation and deletion.
22. Summary
• IT Security has executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
• Control users with broad authority to production data
– Leaving user configuration to chance is both an audit exception and an accident waiting to happen
• Limit the deployment of powerful profiles
– Monitor and report when profiles are non-compliant
– Consistent provisioning of users
24. Automated Vulnerability Testing
(Diagram: your PC, your IBM i server, your vulnerabilities)
25. Compliance Resources
• Online Compliance Guide
• Security Policy
26. Other (FREE) Resources
Please visit www.helpsystems.com/powertech to access:
– Demonstration Videos & Trial Downloads
– Product Information Data Sheets
– White Papers & Technical Articles
– Customer Success Stories
– How-To Articles
– A request form for a FREE Compliance Assessment
www.helpsystems.com/powertech (800) 915-7700