Part-Time Privileges: Accountability
for Powerful Users
2
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
3
ROBIN TATAM
Director of Security Technologies
952-563-2768
robin.tatam@helpsystems.com
4
• Premier provider of security solutions & services
– 17 years in the security industry as an established thought leader
– Customers in over 70 countries, representing every industry
– Security subject matter expert for COMMON
• Wholly-owned subsidiary of HelpSystems since 2008
• IBM Advanced Business Partner
• Member of PCI Security Standards Council
• Authorized by NASBA to issue CPE credits for security education
• Publisher of the annual “State of IBM i Security Study”
5
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources
6
• Programmers
– Claim they need *ALLOBJ authority to fix production
applications
• System Administrators
– Claim they need authority to configure and change the system
• Operators
– Claim they need Special Authorities to do backups and other
specialized functions
• Vendors
– Can’t imagine running without Security Officer rights
7
8
Best practices call for fewer than 10 users with special authorities (SPCAUTs)
9
Date: January 9, 2005 2:37am
Author: A.F.
Subject: How to recover a deleted library?
PLS Help me! How can I recover a library I’ve just
deleted by mistake and I have no tape backup. I’ve
asked all users to sign off in order not to create any
new objects. PLS HELP ME AND I WILL UPGRADE
MY SUBSCRIPTION AT ONCE. THANKS
A posting at iSeriesNetwork.com
10
11
Date: September 1, 2004 12:49pm
Author: R.H.
Subject: Oops!
HELP!!!
I've accidentally deleted program QCMD in
QSYS (spelling error using DLTPGM). The system
has crashed. Any suggestions? I assume an
IPL will be required, but is there anything else that
can be suggested? This is bad.
A posting at iSeriesNetwork.com
12
• The #1 item cited by auditors is:
Control and monitoring of powerful users
What’s a powerful user?
• Someone with Special Authority or lots of private authority
• IT staff or other knowledgeable users with
direct access to production data
• A user with a way to execute commands
13
In 2014, 37% of breaches involved an insider threat
14
15
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources
16
• Legislatures create laws
– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley,
SB1386, and more
• Laws are open to interpretation
– Sarbanes-Oxley Section 404:
• “Perform annual assessment of the effectiveness of
internal control over financial reporting…”
• “…and obtain attestation from external auditors”
• Auditors are the interpreters
17
• Auditors interpret regulations:
– Auditors focus on frameworks and processes
– Auditors have concluded that IT is lacking when it
comes to internal controls
• Executives follow auditor recommendations
18
Special Authority (aka Privileges)
• All Object (*ALLOBJ)
– The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.
• Security Administration (*SECADM)
– Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.
• I/O Systems Configuration (*IOSYSCFG)
– Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP, and the start of associated servers (e.g., HTTP).
• Audit (*AUDIT)
– The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).
• Spool Control (*SPLCTL)
– This is the *ALLOBJ of spooled files and allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.
• Service (*SERVICE)
– This allows a user to access System Service Tools (SST), although since V5R1 they also need a separate SST login.
• Job Control (*JOBCTL)
– This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”
• Save System (*SAVSYS)
– This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.
– * Be cautious if securing objects at only a library level *
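The two slides above (the "fewer than 10 users with SPCAUTs" best practice and the eight special authorities) describe a check that is easy to automate. The script below is an added example, not code from the deck or from HelpSystems/PowerTech: it reads a CSV export of user profiles, flags every profile holding any of the eight special authorities, singles out *ALLOBJ holders, and compares the count against the threshold. The column names are assumed to match the QSYS2.USER_INFO view; the six sample rows are constructed for illustration and are not real profiles.

```python
"""Audit a user-profile export for special authorities.

Added example, not code from the original deck. Assumes the profile data has
been exported to CSV with QSYS2.USER_INFO-style column names (an assumption);
the rows in SAMPLE_CSV are constructed, not real profiles.
"""
import csv
import io
from collections import Counter

# The eight special authorities described on the slides.
SPECIAL_AUTHORITIES = {
    "*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
    "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS",
}
# Best-practice threshold quoted on the slides: fewer than 10 users with SPCAUTs.
MAX_PRIVILEGED_USERS = 10

# Constructed sample export. Columns: profile, status, user class,
# space-separated special authorities (*NONE or blank when none), group profile.
SAMPLE_CSV = """\
AUTHORIZATION_NAME,STATUS,USER_CLASS_NAME,SPECIAL_AUTHORITIES,GROUP_PROFILE_NAME
QSECOFR,*ENABLED,*SECOFR,*ALLOBJ *SECADM *IOSYSCFG *AUDIT *SPLCTL *SERVICE *JOBCTL *SAVSYS,*NONE
DEVJOE,*ENABLED,*PGMR,*ALLOBJ *JOBCTL,*NONE
OPSANN,*ENABLED,*SYSOPR,*JOBCTL *SAVSYS,*NONE
VENDOR1,*DISABLED,*SECOFR,*ALLOBJ *SECADM,*NONE
CLERK07,*ENABLED,*USER,*NONE,*NONE
PAYROLL2,*ENABLED,*USER,,GRPPAY
"""


def parse_profiles(csv_text):
    """Return one dict per profile with its special authorities parsed into a set."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        tokens = row["SPECIAL_AUTHORITIES"].split()
        unknown = {t for t in tokens if t not in SPECIAL_AUTHORITIES and t != "*NONE"}
        if unknown:
            # Fail loudly rather than silently ignore a value we did not expect.
            raise ValueError(f"{row['AUTHORIZATION_NAME']}: unrecognised authority {unknown}")
        rows.append({**row, "auths": {t for t in tokens if t in SPECIAL_AUTHORITIES}})
    return rows


def privileged_users(profiles, include_disabled=False):
    """Profiles holding at least one special authority.

    Disabled profiles are skipped by default; set include_disabled=True to list
    them as well, since a disabled profile is one CHGUSRPRF away from being live.
    """
    return [p for p in profiles
            if p["auths"] and (include_disabled or p["STATUS"] == "*ENABLED")]


def authority_counts(profiles):
    """How many of the given profiles hold each special authority."""
    counts = Counter()
    for p in profiles:
        counts.update(p["auths"])
    return counts


def audit(csv_text, include_disabled=False):
    """Summarise the export against the slides' best-practice threshold."""
    priv = privileged_users(parse_profiles(csv_text), include_disabled)
    return {
        "privileged": sorted(p["AUTHORIZATION_NAME"] for p in priv),
        "allobj": sorted(p["AUTHORIZATION_NAME"] for p in priv if "*ALLOBJ" in p["auths"]),
        "within_best_practice": len(priv) < MAX_PRIVILEGED_USERS,
        "counts": authority_counts(priv),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_CSV, include_disabled=True)
    print(f"{len(result['privileged'])} profiles hold special authority: {result['privileged']}")
    print(f"*ALLOBJ holders: {result['allobj']}")
    for auth, n in result["counts"].most_common():
        print(f"  {auth:<10} {n}")
    print("Within the <10 best practice:", result["within_best_practice"])
```

On the constructed data the enabled count is three, so the threshold is met, but the same run shows two *ALLOBJ holders and a disabled vendor profile that still carries *ALLOBJ and *SECADM; the threshold alone says nothing about who holds the "gold key", which is why the report breaks the count down by authority.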
30
[Figure: Production Update Authority, Read / Change, over Payroll, Accounts Receivable, Accounts Payable and Customer Information]
• IT personnel often insist that powerful authorities
are necessary to do their job:
– Special Authorities like *ALLOBJ, *SPLCTL, *SECADM
– Rights to change critical production data
• Sometimes they are right!
31
[Figure: Read / Change access to Payroll, Accounts Receivable, Accounts Payable and Customer Information]
This is a top exception item reported by auditors!
32
• To keep your business running, you need:
– Emergency access to repair data files
• To keep your system safe, you need:
– A way to monitor when powerful authorities are used
– A way to monitor user activities, including when they
enter the “command tunnel”
33
• COBIT AI6.4 - Emergency Changes
– IT management should establish parameters defining
emergency changes and procedures to control these
changes (…)
• COBIT DS10.4 - Emergency and
Temporary Access Authorizations
– Emergency and temporary access authorizations
should be documented on standard forms and
maintained on file, approved by appropriate managers,
securely communicated to the security function and
automatically terminated after a predetermined period.
34
• ISO 27002 Section 9.2.2: Privilege Management
– The allocation of privileges should be controlled
through a formal authorization process
– Privileges should be allocated to individuals on a
need-to-use basis and event-by-event basis
– An authorization process and a record of all
privileges allocated should be maintained
– Privileges should be assigned to a different user
identity than those used for normal business
35
Manage, audit, and control powerful profiles on IBM i
36
[Figure: a user swaps into the temporary profile PAYCHANGE to work on Payroll, Accounts Receivable, Accounts Payable and Customer Information; the activity produces a Report, a Message and a Custom Alert, so management is aware of all activity]
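The COBIT DS10.4 and ISO 27002 9.2.2 items above, together with the PAYCHANGE figure, describe one control: privileges are granted per event through a formal request, approved by someone else, exercised under a separate identity, terminated automatically after a predetermined period, and recorded. The code below is an added example that models that policy; it is not the deck's code and not the logic of the Authority Broker product. PAYCHANGE is the temporary profile named on the slide; the requester DEVJOE, approver MGRSUE, the reason text and the sample command are constructed, and times are passed in explicitly so the expiry rule can be exercised offline.

```python
"""Model of a time-limited, approved, audited privilege grant.

Added example, not code from the original deck and not Authority Broker's
implementation. DEVJOE, MGRSUE, the reason text and the sample command are
constructed; PAYCHANGE is the temporary profile shown on the slide.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Grant:
    requester: str           # the person's normal business profile
    privileged_profile: str  # the separate identity they swap into (e.g. PAYCHANGE)
    approver: str            # must differ from the requester
    reason: str              # the documented justification
    granted_at: datetime
    expires_at: datetime     # the predetermined period, enforced on every use
    revoked: bool = False

    def active(self, now):
        return not self.revoked and self.granted_at <= now < self.expires_at


class PrivilegeBroker:
    """Grants time-limited use of a privileged profile and records everything."""

    def __init__(self, max_duration=timedelta(hours=2)):
        self.max_duration = max_duration  # the longest "predetermined period" allowed
        self.grants = []                  # the record of all privileges allocated
        self.log = []                     # the activity record (grants, uses, denials)

    def request(self, requester, privileged_profile, approver, reason, now, duration=None):
        duration = duration or self.max_duration
        if approver == requester:
            raise PermissionError("approval must come from someone other than the requester")
        if privileged_profile == requester:
            raise PermissionError("privileges must be exercised under a separate identity")
        if not reason.strip():
            raise ValueError("a documented reason is required")
        if duration > self.max_duration:
            raise ValueError(f"duration exceeds the predetermined maximum {self.max_duration}")
        g = Grant(requester, privileged_profile, approver, reason, now, now + duration)
        self.grants.append(g)
        self._record(now, "GRANT", requester, privileged_profile, reason=reason, approver=approver)
        return g

    def run_as(self, requester, privileged_profile, command, now):
        """Record a command run under the privileged profile; refuse it without a live grant."""
        g = next((g for g in self.grants
                  if g.requester == requester and g.privileged_profile == privileged_profile
                  and g.active(now)), None)
        if g is None:
            self._record(now, "DENIED", requester, privileged_profile, command=command)
            return False
        self._record(now, "EXEC", requester, privileged_profile, command=command)
        return True

    def expire(self, now):
        """Automatically terminate grants whose period has elapsed; returns how many ended."""
        ended = 0
        for g in self.grants:
            if not g.revoked and now >= g.expires_at:
                g.revoked = True
                ended += 1
                self._record(now, "EXPIRE", g.requester, g.privileged_profile)
        return ended

    def _record(self, when, event, user, profile, **detail):
        self.log.append({"when": when, "event": event, "user": user, "profile": profile, **detail})


def demo():
    """Walk one emergency change through grant, use, expiry and a late attempt."""
    t0 = datetime(2024, 1, 15, 9, 0)  # constructed timestamp
    broker = PrivilegeBroker(max_duration=timedelta(hours=2))
    broker.request("DEVJOE", "PAYCHANGE", approver="MGRSUE", reason="fix PAYROLL record 1042", now=t0)
    ok_inside = broker.run_as("DEVJOE", "PAYCHANGE", "UPDDTA PAYLIB/PAYROLL", t0 + timedelta(minutes=30))
    broker.expire(t0 + timedelta(hours=3))
    ok_after = broker.run_as("DEVJOE", "PAYCHANGE", "UPDDTA PAYLIB/PAYROLL", t0 + timedelta(hours=3, minutes=1))
    return ok_inside, ok_after, [e["event"] for e in broker.log]


def rejects_self_approval(now=datetime(2024, 1, 15, 9, 0)):
    """Policy check: a requester cannot approve their own grant."""
    try:
        PrivilegeBroker().request("DEVJOE", "PAYCHANGE", approver="DEVJOE", reason="test", now=now)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    inside, after, events = demo()
    print("use inside the window allowed:", inside)
    print("use after expiry allowed:", after)
    print("audit trail:", events)
```

Two design points carry the weight: `run_as` checks the expiry on every use rather than trusting that `expire` has run, so a scheduler outage cannot silently extend a grant, and every outcome, including denials, lands in the same log so the report management sees is complete rather than successes only.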
37
• Government regulators and IT auditors demand
accountability
• Legislatures have created laws that require us to
prove that our IT infrastructure is secure
• Non-compliance penalties range from public
disclosure, to fines, to prison sentences for
executives
– Executives are finally taking security very seriously
38
• Allows you to monitor and control users
with powerful authorities
– Authority Broker lets you specify when and how
users exercise powerful authority
– Authority Broker works with IBM i security to
protect assets
– Authority Broker provides notification, monitoring,
and control of powerful users
– Authority Broker provides visibility into non-command-based environments
39
40
• Allows you to intercept commands and
conditionally perform other actions
– Command Security lets you specify when and how
users execute commands
– Command Security is applicable to all users – even
QSECOFR and other *ALLOBJ users
– Command Security provides notification, monitoring,
and control of command environments
– Command Security can enforce the requirement to
obtain privileges via Authority Broker
41
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
42
• Sign on as a limited-capability & as a powerful user
• Attempt to access restricted functions
• Use Authority Broker to elevate user authorities
on demand, and Command Security to control
commands
• Perform restricted functions, including access to
“tunnel” environments
• Report on user activities
43
• IT security has executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an
accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of powerful profiles
– Monitor and report when power is used
44
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
45
47
Please visit www.helpsystems.com/powertech to access:
• The State of IBM i Security Study
• Online Compliance Guide
• Webinars/Educational Events
• Articles & White Papers
• Product Datasheets
• Product Trial Downloads
www.helpsystems.com/powertech (800) 915-7700 info@powertech.com
48
49
www.helpsystems.com/powertech 800-328-1000
info.powertech@helpsystems.com

AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
How to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareHow to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareNYGGS Automation Suite
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
React 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentReact 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentBOSC Tech Labs
 
Understanding Native Mobile App Development
Understanding Native Mobile App DevelopmentUnderstanding Native Mobile App Development
Understanding Native Mobile App DevelopmentMobulous Technologies
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.Sharon Liu
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Incrobinwilliams8624
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...OnePlan Solutions
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 

Recently uploaded (20)

eAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspectionseAuditor Audits & Inspections - conduct field inspections
eAuditor Audits & Inspections - conduct field inspections
 
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales CoverageSales Territory Management: A Definitive Guide to Expand Sales Coverage
Sales Territory Management: A Definitive Guide to Expand Sales Coverage
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
How to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS SoftwareHow to Improve the Employee Experience? - HRMS Software
How to Improve the Employee Experience? - HRMS Software
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
React 19: Revolutionizing Web Development
React 19: Revolutionizing Web DevelopmentReact 19: Revolutionizing Web Development
React 19: Revolutionizing Web Development
 
Understanding Native Mobile App Development
Understanding Native Mobile App DevelopmentUnderstanding Native Mobile App Development
Understanding Native Mobile App Development
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
20240319 Car Simulator Plan.pptx . Plan for a JavaScript Car Driving Simulator.
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Enterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze IncEnterprise Document Management System - Qualityze Inc
Enterprise Document Management System - Qualityze Inc
 
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
Transforming PMO Success with AI - Discover OnePlan Strategic Portfolio Work ...
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 

PowerTech - Part-Time Privileges: Accountability for Powerful Users

12
• The #1 item cited by auditors is: control and monitoring of powerful users
• What’s a powerful user?
– Someone with Special Authority or lots of private authority
– IT staff or other knowledgeable users with direct access to production data
– A user with a way to execute commands
13
In 2014, 37% of breaches involved an inside threat
14
15
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Authority Broker Demonstration
• Free Resources
16
• Legislatures create laws
– Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, SB1386, and more
• Laws are open to interpretation
– Sarbanes-Oxley Section 404:
• “Perform annual assessment of the effectiveness of internal control over financial reporting…”
• “…and obtain attestation from external auditors”
• Auditors are the interpreters
17
• Auditors interpret regulations:
– Auditors focus on frameworks and processes
– Auditors have concluded that IT is lacking when it comes to internal controls
• Executives follow auditor recommendations
18
Special Authority (aka Privileges): *ALLOBJ, *SECADM, *IOSYSCFG, *AUDIT, *SPLCTL, *SERVICE, *JOBCTL, *SAVSYS
All Object (*ALLOBJ)
The “gold key” to every object and almost every administrative operation on the system, including unstoppable data access.
19
Special Authority (aka Privileges)
Security Administration (*SECADM)
Enables a user to create and maintain the system user profiles without requiring the user to be in the *SECOFR user class or giving *ALLOBJ authority.
20
Special Authority (aka Privileges)
I/O Systems Configuration (*IOSYSCFG)
Allows the user to create, delete, and manage devices, lines, and controllers. Also permits the configuration of TCP/IP and the start of associated servers (e.g., HTTP).
21
Special Authority (aka Privileges)
Audit (*AUDIT)
The user is permitted to manage all aspects of auditing, including setting the audit system values and running the audit commands (CHGOBJAUD / CHGUSRAUD).
22
Special Authority (aka Privileges)
Spool Control (*SPLCTL)
This is the *ALLOBJ of spooled files: it allows a user to view, delete, hold, or release any spooled file in any output queue, regardless of restrictions.
23
Special Authority (aka Privileges)
Service (*SERVICE)
This allows a user to access the System Service Tools (SST) login, although they also need an SST login since V5R1.
24
Special Authority (aka Privileges)
Job Control (*JOBCTL)
This enables a user to start/end subsystems and manipulate other users’ jobs. It also provides access to spooled files in output queues designated as “operator control.”
25
Special Authority (aka Privileges)
Save System (*SAVSYS)
This enables a user to perform save/restore operations on any object on the system, even if there is insufficient authority to use the object.
* Be cautious if securing objects at only a library level *
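As an added example (not code from the deck, from PowerTech, or from Authority Broker), the following Python script turns a user-profile listing into the inventory the deck says auditors ask for: which profiles hold which of the eight special authorities, how many “powerful users” exist measured against the deck’s fewer-than-10 rule of thumb, and the two points raised on slides 18 and 25 (any *ALLOBJ holder has the “gold key”; a *SAVSYS holder can save and restore objects it is otherwise not authorized to use). The rows are constructed to resemble the AUTHORIZATION_NAME, USER_CLASS_NAME and SPECIAL_AUTHORITIES columns of the QSYS2.USER_INFO SQL service; the profile names and their authorities are made up for the example.

```python
"""Inventory of IBM i special authorities from a constructed user-profile listing."""
from dataclasses import dataclass

# The eight special authorities described on slides 18-25.
SPECIAL_AUTHORITIES = (
    "*ALLOBJ", "*SECADM", "*IOSYSCFG", "*AUDIT",
    "*SPLCTL", "*SERVICE", "*JOBCTL", "*SAVSYS",
)

# Constructed sample rows shaped like QSYS2.USER_INFO
# (AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES).
# These profiles are made up for the example, not data from any real system.
SAMPLE_PROFILES = [
    ("QSECOFR", "*SECOFR", "*ALLOBJ *SECADM *JOBCTL *SAVSYS *SERVICE *SPLCTL *AUDIT *IOSYSCFG"),
    ("PGMR01",  "*PGMR",   "*ALLOBJ *JOBCTL"),
    ("PGMR02",  "*PGMR",   "*JOBCTL"),
    ("OPER01",  "*SYSOPR", "*JOBCTL *SAVSYS"),
    ("VENDOR1", "*USER",   "*ALLOBJ *SECADM"),
    ("CLERK01", "*USER",   ""),
    ("HRMGR",   "*USER",   "*NONE"),
]


@dataclass(frozen=True)
class Profile:
    name: str
    user_class: str
    special: frozenset


def parse_special_authorities(field: str) -> frozenset:
    """Turn the space-separated SPCAUT field into a set; blank or *NONE means none.
    Unknown tokens raise so a typo in an export is not silently dropped."""
    tokens = field.split()
    if not tokens or tokens == ["*NONE"]:
        return frozenset()
    unknown = [t for t in tokens if t not in SPECIAL_AUTHORITIES]
    if unknown:
        raise ValueError(f"unknown special authority token(s): {unknown}")
    return frozenset(tokens)


def load_profiles(rows) -> list:
    return [Profile(name, cls, parse_special_authorities(spc)) for name, cls, spc in rows]


def powerful_users(profiles) -> list:
    """Users holding any special authority: the deck's definition of a powerful user."""
    return sorted(p.name for p in profiles if p.special)


def holders_by_authority(profiles) -> dict:
    """For each special authority, the profiles that hold it (listing order preserved)."""
    out = {a: [] for a in SPECIAL_AUTHORITIES}
    for p in profiles:
        for a in SPECIAL_AUTHORITIES:
            if a in p.special:
                out[a].append(p.name)
    return out


def meets_best_practice(profiles, limit: int = 10) -> bool:
    """Slide 8's rule of thumb: fewer than `limit` users with special authorities."""
    return len(powerful_users(profiles)) < limit


def findings(profiles) -> list:
    """Items to raise, per slides 18 and 25: every *ALLOBJ holder, and *SAVSYS held
    without *ALLOBJ (the profile can save/restore objects it cannot otherwise use)."""
    out = []
    for p in sorted(profiles, key=lambda x: x.name):
        if "*ALLOBJ" in p.special:
            out.append((p.name, "*ALLOBJ: gold key to every object and administrative operation"))
        if "*SAVSYS" in p.special and "*ALLOBJ" not in p.special:
            out.append((p.name, "*SAVSYS: can save/restore objects it has no authority to use"))
    return out


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES)
    print("powerful users:", powerful_users(profiles))
    print("meets <10 rule:", meets_best_practice(profiles))
    for auth, names in holders_by_authority(profiles).items():
        print(f"{auth:10} {names}")
    for name, note in findings(profiles):
        print(f"FINDING {name}: {note}")
```

On a real system the rows would come from `SELECT AUTHORIZATION_NAME, USER_CLASS_NAME, SPECIAL_AUTHORITIES FROM QSYS2.USER_INFO`; the parser rejects unknown tokens on purpose, since a silently dropped authority would understate the count that auditors compare against the threshold.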
26
[Diagram: IT users holding production update authority (Read / Change) to Payroll, Accounts Receivable, Accounts Payable, and Customer Information]
• IT personnel often insist that powerful authorities are necessary to do their job:
– Special Authorities like *ALLOBJ, *SPLCTL, *SECADM
– Rights to change critical production data
• Sometimes they are right!
27
[Diagram: Read / Change authority to Payroll, Accounts Receivable, Accounts Payable, and Customer Information]
This is a top exception item reported by auditors!
28
• To keep your business running, you need:
– Emergency access to repair data files
• To keep your system safe, you need:
– A way to monitor when powerful authorities are used
– A way to monitor user activities, including when they enter the “command tunnel”
29
• COBIT AI6.4 - Emergency Changes
– IT management should establish parameters defining emergency changes and procedures to control these changes (…)
• COBIT DS10.4 - Emergency and Temporary Access Authorizations
– Emergency and temporary access authorizations should be documented on standard forms and maintained on file, approved by appropriate managers, securely communicated to the security function and automatically terminated after a predetermined period.
30
• ISO 27002 Section 9.2.2: Privilege Management
– The allocation of privileges should be controlled through a formal authorization process
– Privileges should be allocated to individuals on a need-to-use basis and event-by-event basis
– An authorization process and a record of all privileges allocated should be maintained
– Privileges should be assigned to a different user identity than those used for normal business
31
Manage, audit, and control powerful profiles on IBM i
32
Management is aware of all activity
[Diagram: a temporary profile (PAYCHANGE) accessing Payroll, Accounts Receivable, Accounts Payable, and Customer Information, with each use producing a Report, a Message, or a Custom Alert]
33
• Government regulators and IT auditors demand accountability
• Legislatures have created laws that require us to prove that our IT infrastructure is secure
• Non-compliance penalties range from public disclosure, to fines, to prison sentences for executives
– Executives are finally taking security very seriously
34
• Allows you to monitor and control users with powerful authorities
– Authority Broker lets you specify when and how users exercise powerful authority
– Authority Broker works with IBM i security to protect assets
– Authority Broker provides notification, monitoring, and control of powerful users
– Authority Broker provides visibility into non-command-based environments
35
36
• Allows you to intercept commands and conditionally perform other actions
– Command Security lets you specify when and how users execute commands
– Command Security is applicable to all users – even QSECOFR and other *ALLOBJ users
– Command Security provides notification, monitoring, and control of command environments
– Command Security can enforce the requirement to obtain privileges via Authority Broker
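The controls the deck cites on slides 29, 30, 32, 34 and 36 fit together into one mechanism: a privilege is granted event by event, against a documented and approved request, for a predetermined period after which it terminates automatically, every use is recorded, and a command gate refuses privileged commands that are not covered by an active grant. The Python below is an added example that models that mechanism; it is not Authority Broker or Command Security code and makes no claim about how those products are implemented. The profile names, the approver, the ticket reference, the clock values and the `COMMAND_REQUIREMENTS` mapping of commands to the authority they need are all constructed for the example.

```python
"""Time-bounded privilege elevation with an approval record, automatic expiry,
an audit trail, and a command gate (added example; constructed data throughout)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed mapping: which special authority a command needs before the gate lets it run.
# This is an assumption for the example, not a product table.
COMMAND_REQUIREMENTS = {
    "CHGUSRPRF": "*SECADM",
    "DLTLIB": "*ALLOBJ",
    "ENDSBS": "*JOBCTL",
}


@dataclass(frozen=True)
class Grant:
    user: str
    authority: str      # a special authority, or a separate identity to swap to (e.g. "PAYCHANGE")
    approver: str
    reason: str
    granted_at: datetime
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return self.granted_at <= now < self.expires_at


class Broker:
    def __init__(self, max_duration: timedelta = timedelta(hours=2)):
        self.max_duration = max_duration   # the "predetermined period" of COBIT DS10.4
        self.grants = []                   # full history; lapsed grants are kept as the record
        self.audit = []                    # every request, grant, denial and command use

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"event": event, **fields})

    def request(self, user: str, authority: str, approver: str, reason: str,
                now: datetime, duration: timedelta) -> Optional[Grant]:
        """Approve a documented, event-by-event request from someone other than the requester."""
        if approver == user:
            self._log("denied", user=user, authority=authority, why="self-approval")
            return None
        if not reason.strip():
            self._log("denied", user=user, authority=authority, why="no documented reason")
            return None
        duration = min(duration, self.max_duration)   # cap at the predetermined period
        grant = Grant(user, authority, approver, reason, now, now + duration)
        self.grants.append(grant)
        self._log("granted", user=user, authority=authority, approver=approver,
                  reason=reason, expires_at=grant.expires_at.isoformat())
        return grant

    def active_grant(self, user: str, authority: str, now: datetime) -> Optional[Grant]:
        for g in self.grants:
            if g.user == user and g.authority == authority and g.active(now):
                return g
        return None

    def run_command(self, user: str, command: str, now: datetime) -> bool:
        """Command gate: a command in COMMAND_REQUIREMENTS runs only under an active grant."""
        needed = COMMAND_REQUIREMENTS.get(command.split()[0])
        if needed is None:
            self._log("command", user=user, command=command, outcome="allowed")
            return True
        grant = self.active_grant(user, needed, now)
        if grant is None:
            self._log("command", user=user, command=command, outcome="blocked", needed=needed)
            return False
        self._log("command", user=user, command=command, outcome="allowed",
                  needed=needed, approver=grant.approver)
        return True

    def expire(self, now: datetime) -> list:
        """Automatic termination: grants whose period has lapsed (they stay in the history)."""
        return [g for g in self.grants if now >= g.expires_at]


def scenario() -> dict:
    """Walk one programmer through an emergency repair on a constructed clock."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    broker = Broker(max_duration=timedelta(hours=2))
    r = {}
    r["routine_allowed"] = broker.run_command("PGMR01", "WRKSPLF", t0)
    r["blocked_before"] = broker.run_command("PGMR01", "DLTLIB LIB(TESTLIB)", t0)
    r["self_approval"] = broker.request("PGMR01", "*ALLOBJ", "PGMR01", "fix", t0, timedelta(hours=1))
    grant = broker.request("PGMR01", "*ALLOBJ", "SECMGR",
                           "Ticket INC-0001 (constructed): repair production file",
                           t0, timedelta(hours=8))
    r["granted_hours"] = (grant.expires_at - grant.granted_at) / timedelta(hours=1)
    r["allowed_during"] = broker.run_command("PGMR01", "DLTLIB LIB(TESTLIB)", t0 + timedelta(minutes=30))
    r["blocked_after"] = broker.run_command("PGMR01", "DLTLIB LIB(TESTLIB)", t0 + timedelta(hours=3))
    r["lapsed_users"] = [g.user for g in broker.expire(t0 + timedelta(hours=3))]
    r["audit_events"] = len(broker.audit)
    r["audit"] = broker.audit
    return r


if __name__ == "__main__":
    for event in scenario()["audit"]:
        print(event)
```

Two design choices carry the control: the grant is capped at the broker’s maximum rather than at what the requester asked for, and the gate consults the grant history at command time instead of trusting a flag set when the grant was issued, so a lapsed grant cannot keep working. The audit list is what slide 32’s report, message or alert would be produced from.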
37
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
38
• Sign on as a limited-capability user and as a powerful user
• Attempt to access restricted functions
• Use Authority Broker to elevate user authorities on demand, and Command Security to control commands
• Perform restricted functions, including access to “tunnel” environments
• Report on user activities
39
• IT security has executive attention
– This is the best opportunity to solve long-standing problems
– Gain management approval now
• Control users with broad authority to production data
– Leaving users unchecked is both an audit exception and an accident waiting to happen
– Don’t accept that powerful users have to be limitless
• Limit the use of powerful profiles
– Monitor and report when power is used
40
• Introduction
• Managing Powerful Users
• Why Policy Matters
• Solution Demonstration
• Free Resources
41
42
Please visit www.helpsystems.com/powertech to access:
• The State of IBM i Security Study
• Online Compliance Guide
• Webinars/Educational Events
• Articles & White Papers
• Product Datasheets
• Product Trial Downloads
www.helpsystems.com/powertech
(800) 915-7700
info@powertech.com
43