I Series User Management


  1. Safestone for User Management and Compliance on the System i
  2. Contents
     The Internal User as a Threat
     Why is User Management so important?
       The Auditor’s Perspective
       The Manager’s Perspective
       The User’s Perspective
     Audit, Report, Enforce
     Common Sense Best Practices
     How Safestone Addresses these Practices
     The Business Case
     Conclusion
     About the Author
     About Safestone Technologies

     SAFESTONE: SafestOne for User Management and Compliance on the System i (Page 2 of 13)
  3. The Internal User as a Threat
     The System i is used by organisations to process their most sensitive, critical data, and this data is their most important asset. Companies have invested a great deal of effort in securing the perimeter from external attack, but the greatest threat comes from those inside the firewall. How these users access the data, the powers they wield and the way they are monitored should be the cornerstone of any security policy. Every survey and indicator tells us that the threat is within the firewall:
     • A survey conducted at InfoSecurity 2008 [1], Europe’s largest IT security event, found that over 88% of IT administrators revealed that if their employment was terminated tomorrow they could take valuable and sensitive information with them, including privileged passwords, confidential databases, R & D plans and sensitive financial data about their employer’s business.
     • The latest edition of PricewaterhouseCoopers’ annual Global State of Information Security Survey [2] also shows that ex-employees and current employees account for 50% of known security incidents, almost twice the number attributed to hackers.
     • Jerome Kerviel, an employee at Societe Generale, cost the bank $7 billion in what the bank described as “…criminal computer fraud and records falsification” [3].
     • “An Insider Threat Survey” conducted last year by the Computer Emergency Response Team (CERT) at Carnegie Mellon University found that 57 percent of the insider security attacks identified were carried out by employees who at one time had privileged user status [4].
     What these surveys and many others show is that companies have been diligent about protecting valuable data assets from external threats, but the biggest risk still lies with the very people who are allowed to access systems. For the System i, these risks are compounded by the great value of this data and its critical nature within the organisation that owns it.

     [1] http://www.cyber-ark.com/news-events/pr_20080827.asp
     [2] http://www.pwc.com/extweb/home.nsf/docid/C1CD6CC69C2676D4852574DA00785949?WT.ac=GISS_homepage_banner
     [3] http://www.informationweek.com/news/management/showArticle.jhtml?articleID=205918671
     [4] http://www.cert.org/insider_threat/
  4. Why is User Management so important?
     In today’s regulation- and compliance-driven business environment it is no wonder that user management continues to be a topic of concern for auditors, compliance officers and IT administrators. When an organization undergoes an audit, user management is one of the first areas auditors scrutinize. Why?
     • It is an easy area to audit without any technical understanding of the underlying hardware platform, operating system or applications. The questions are the same for any combination.
     • Frequently users have more access to data than is necessary, because it is easier to grant more access to ensure the completion of their daily duties.
     • Poor user management represents a large security exposure to a business and its most valuable asset: data.
     Managing user profiles has always been a time-consuming and troublesome task; the larger the user base, the greater the pain! But even small organizations must comply with regulations, and they too understand the complexity of provisioning and managing a user throughout the time of their employment. Regulations such as PCI, HIPAA and Sarbox have introduced another challenge for organizations, especially for IT administrators who must answer to compliance officers and auditors while remaining responsive to users within the company who are simply trying to get their jobs done.
     The following control objectives come directly from the PCI Data Security Standard [5], and even if a company is not dealing directly with PCI compliance, the controls provide an excellent example of how users should be managed within an organization:
     Implement Strong Access Control Measures
     • Requirement 7: Restrict access to cardholder data by business need-to-know
     • Requirement 8: Assign a unique ID to each person with computer access
     • Requirement 9: Restrict physical access to cardholder data
     Regularly Monitor and Test Networks
     • Requirement 10: Track and monitor all access to network resources and cardholder data
     • Requirement 11: Regularly test security systems and processes
     Maintain an Information Security Policy
     • Requirement 12: Maintain a policy that addresses information security
     These IT controls support the need for user management and access control to be enforced, proven and documented within any organization, public or private and regardless of size. Failure to do so results in compliance deficiencies which not only leave sensitive data compromised but also damage a company’s reputation with customers and partners.

     [5] PCI Security Standards Council, www.pcisecuritystandards.org
  5. The Auditor’s Perspective
     When you look at the large number of different hardware platforms, networks, operating systems and applications on which auditors are expected to ensure compliance, it is easy to see why simple user-profile checks feature prominently in almost all audits. More importantly, auditors realize user profiles also represent a big security risk, since they are the means used to access your data. They will look at your organization to see if good user security practices and rules are enforced as well as documented. The kinds of checks auditors look at are likely to be similar to those below:
     • Does every user have a unique profile?
     • Are any profiles shared by more than one user?
     • How many users have special privileges?
     • Are those special privileges required to perform their day-to-day work?
     • How is the use of those special privileges monitored when they are used?
     • Do any unused user accounts exist? (Ex-employees, sleeper profiles)
     • Do any disabled user accounts exist?
     • Have any of the user accounts still got default passwords?
     • Who can create new users and how is this monitored?
     Associated checks are also likely to be carried out for group memberships and password issues:
     • Which users are members of what groups?
     • Do any of those groups grant any special privileges?
     • How often do users have to change their password?
       o Is this enforced for all users?
     • What rules are enforced when changing a user password?
     Our experience shows that auditors run these types of tests because they uncover some basic failings in corporate IT security policies. They use the results from the tests to write up recommendations for user management improvement.
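     Most of the auditor’s checks above can be run mechanically over a user-profile export. The script below is an added example, not code from the paper or from Safestone: it applies the special-privilege, disabled-account, unused-account, group-privilege and password-expiry checks to constructed records. The column names and the 90-day “sleeper” threshold are assumptions; on a real system the records would come from DSPUSRPRF *ALL OUTPUT(*OUTFILE), and the default-password check needs ANZDFTPWD because it cannot be derived from these fields.

```python
"""Run the auditor's user-profile checks over constructed System i profile records."""
import csv
import io
from datetime import date, timedelta

# Constructed sample, not real system data. The shape loosely follows a
# DSPUSRPRF *ALL OUTPUT(*OUTFILE) export; the column names are simplified
# here (an assumption), not the real outfile field names.
SAMPLE_CSV = """profile,status,user_class,special_authorities,group_profile,prev_signon,pwd_exp_interval,password_present
QSECOFR,*ENABLED,*SECOFR,*ALLOBJ *SECADM *JOBCTL *SAVSYS *SPLCTL *SERVICE *AUDIT *IOSYSCFG,*NONE,2008-09-30,*SYSVAL,*YES
JSMITH,*ENABLED,*USER,*NONE,ACCOUNTS,2008-09-29,*SYSVAL,*YES
OPSTEMP,*ENABLED,*USER,*ALLOBJ,*NONE,2008-03-01,*NOMAX,*YES
BJONES,*DISABLED,*USER,*NONE,ACCOUNTS,2007-11-12,*SYSVAL,*YES
ACCOUNTS,*ENABLED,*USER,*JOBCTL,*NONE,,*SYSVAL,*NO
"""

POWERFUL = {"*ALLOBJ", "*SECADM"}   # authorities that make a profile "all powerful"
UNUSED_AFTER = timedelta(days=90)   # assumed policy threshold for sleeper profiles


def load_profiles(text):
    """Parse the export; split the authority list and parse the sign-on date."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["special_authorities"] = set(r["special_authorities"].split()) - {"*NONE"}
        r["prev_signon"] = date.fromisoformat(r["prev_signon"]) if r["prev_signon"] else None
    return rows


def audit_profiles(rows, as_of):
    """Return the profiles that trip each auditor check, keyed by check name."""
    findings = {"powerful": [], "powerful_groups": [], "disabled": [],
                "unused": [], "no_pwd_expiry": []}
    groups_in_use = {r["group_profile"] for r in rows if r["group_profile"] != "*NONE"}
    for r in rows:
        name = r["profile"]
        # "How many users have special privileges?"
        if r["special_authorities"] & POWERFUL:
            findings["powerful"].append(name)
        # "Do any of those groups grant any special privileges?"
        if name in groups_in_use and r["special_authorities"]:
            findings["powerful_groups"].append(name)
        # "Do any disabled user accounts exist?"
        if r["status"] == "*DISABLED":
            findings["disabled"].append(name)
        # "Do any unused user accounts exist?" Group profiles carry no password
        # and never sign on, so only profiles with a password are considered.
        if r["password_present"] == "*YES" and r["status"] == "*ENABLED":
            last = r["prev_signon"]
            if last is None or as_of - last > UNUSED_AFTER:
                findings["unused"].append(name)
        # "How often do users have to change their password? Is this enforced?"
        if r["password_present"] == "*YES" and r["pwd_exp_interval"] == "*NOMAX":
            findings["no_pwd_expiry"].append(name)
    # "Have any of the user accounts still got default passwords?" is not
    # answerable from this export; run ANZDFTPWD on the system for that.
    return findings


def run_sample():
    """Audit the constructed sample as of a constructed report date."""
    return audit_profiles(load_profiles(SAMPLE_CSV), date(2008, 10, 1))


if __name__ == "__main__":
    for check, names in run_sample().items():
        print(f"{check:16} {', '.join(names) or '-'}")
```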
  6. The Manager’s Perspective
     The manager of a System i installation is responsible for designing, maintaining and evolving the computer and communications systems that are at the heart of the organization. In order to achieve the business’s objectives, there has to be a number of powerful users. Powerful users are responsible for the performance of the system; creating and maintaining user accounts; troubleshooting operational issues; and administering system upgrades and any reconfigurations required in the course of ongoing operations. They need the ability to instantly access IT resources so they can tune systems to support business processes and high performance for end users. A powerful user has the ability to manipulate infrastructure and application configurations, and with this increased power comes increased responsibility, and increased security risk for the enterprise.
     Powerful users on the System i have such rights as Security Officer or All Object Authority. The latter gives the user rights to ALL OBJECTS on the system, which means they are all powerful. The task for the manager is to balance the needs of the business for powerful users against the need for the business to protect itself from them. In circumstances such as these a process needs to exist to provide the user with temporary access so that in exceptional circumstances they can provide the support required. When this happens, a record of who was granted that access and what actions they carried out should be kept to protect both the user and the business. Some companies have developed software programs to control these users and monitor their actions. However, auditors are quick to point out “Quis custodiet ipsos custodes?” (who watches the watchmen?).
     Understanding what special privileges have been given to users is probably the biggest question to answer when determining what type of access a user needs for their specific function. Once this is understood, a way of granting appropriate access for your users and your business can be planned.
  7. The User’s Perspective
     In addition to the powerful users described above, there are also many (sometimes hundreds of) users who need to be provided with timely and appropriate access to networks, as well as to multiple operating systems and applications across all those systems, to complete their daily job functions. PCI and Sarbox both state that users should only have access to data on a need-to-know basis, and it is the first thing an auditor will look for. So how can you maintain regulatory compliance if users need access to data to complete their job?
     Every user must have a secure password that is known only to them and is difficult to guess. A password should be changed regularly and contain both alphabetic and numeric characters. Not all systems’ passwords expire at the same time, and users are tempted to create simple passwords that can be remembered by them (and guessed by others) more easily. This leads to many users forgetting their passwords. The time spent waiting for the Help Desk to reset passwords significantly impacts the user’s ability to work and increases their frustration. It is also expensive for the organization. Apart from the lost work, 30% of calls to the IT helpdesk (according to the Gartner Group) are password related, at a cost of up to $31 per call. For organizations with operating environments supporting thousands of users, this productivity bottleneck can quickly spiral out of control.
  8. Audit, Report, Enforce
     Of course auditors and compliance officers don’t give prominence to effective user management just because it’s easy! A badly managed user community represents a significant security risk. There is the obvious potential for a malicious act from outside the organization, but there is an even greater threat of data being compromised by users within the organization through a lack of understanding of the impact of their actions. Administrators should ask themselves the following questions:
     • Are employees taking home sensitive data on their laptops?
     • Who has access to the financial records of the organization, and can they alter the data?
     • Is there a corporate policy in place that clearly outlines how data is accessed and who is responsible for its integrity?
     If we look back to the IT controls within PCI DSS we can see why the questions asked above are necessary in reducing the risk of security exposures. Not only do these controls apply to companies facing PCI compliance, they apply to any company that wants to enforce strong user management:
     Implement Strong Access Control Measures
     Given the risks posed by a poorly managed user community, it is surprising that so little time and effort is dedicated to the subject. For example, the budget available for user management is generally much smaller than that available for other parts of the IT security budget. In fact, user management is often not seen as a security issue; it is seen as an admin task and/or merely an inconvenience of doing business. Poor user management and lack of access control open up a company to a multitude of security exposures. Customers, partners and employees expect their data to be secure, and if organizations are unable to ensure this and it is exposed to the public, the high cost of legal fees coupled with the loss of reputation can be difficult to overcome.
     Regularly Monitor and Test Networks
     According to the 2008 Global State of Information Security Study®, published by PricewaterhouseCoopers, 73% of companies surveyed say they are confident internal policies are being followed, yet 43% of those same companies say they are not auditing against those policies. Establishing a policy is the first step; however, policies are only useful when there is accountability.
  9. Maintain an Information Security Policy
     With so many different departments responsible for various stages of user management, it is necessary to implement strong policies and processes on how data is accessed in order to avoid a security exposure. User management is not just an IT problem to tackle; it cuts across several different departments:
     • Human Resources is responsible for providing details of new employees, former employees and changes in employee status.
     • IT creates, amends and removes user profiles on the required systems.
     • Management decides on the required level of access to applications and data for users.
     • Support manages the Helpdesk and assists with login problems etc.
     This situation exists throughout all sizes of business, from the large multinationals down to even the smallest businesses. In fact those with larger user bases are often the ones who have made an attempt to effectively manage their users, normally out of desperation, as the problem of user management has simply become impossible without some sort of controls and supporting procedures. However, the basic principles of good user management are just as important in the smallest business. In fact, they are possibly more so in smaller businesses, since there are not enough dedicated resources tasked with solely managing the user community. Without some sort of policy, user management becomes another task for a beleaguered IT administrator who is already juggling a host of other responsibilities.
  10. Common Sense Best Practices
     CERT [6] promotes the following thirteen points for best practice:
     1. Institute periodic enterprise-wide risk assessments.
     2. Institute periodic security awareness training for all employees.
     3. Enforce separation of duties and privilege.
     4. Implement strict password and account management policies and practices.
     5. Log, monitor, and audit employees’ online actions.
     6. Use extra caution with system administrators and powerful users.
     7. Actively defend against malicious code.
     8. Use layered defense against remote attacks.
     9. Monitor and respond to suspicious or disruptive behavior.
     10. Deactivate computer access following termination.
     11. Collect and save data for use in investigations.
     12. Implement secure backup and recovery processes.
     13. Clearly document insider threat controls.

     [6] http://www.cert.org/insider_threat/
  11. How Safestone Addresses these Practices
     1. Institute periodic enterprise-wide risk assessments.
        The DetectIT Security Audit and Detection Module can be scheduled to provide comprehensive audits on your System i.
     2. Institute periodic security awareness training for all employees.
        Safestone provides a range of Professional Services to ensure the best practices are deployed.
     3. Enforce separation of duties and privilege.
        It is important that those using the system are not the same people who are policing it. The DetectIT Smart Security Console can be used by non-technical administrators to check on all users’ activities.
     4. Implement strict password and account management policies and practices.
        Password Self Help, Password Synchronization and the Password Validation Program ensure that strong passwords are used and that the whole process of managing passwords is easily enforced.
     5. Log, monitor, and audit employees’ online actions.
        The Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
     6. Use extra caution with system administrators and powerful users.
        DetectIT gives you the ability to swap profiles and to audit extensively what powerful users are doing.
     7. Actively defend against malicious code.
        DetectIT allows you to identify new programs and changes to existing programs on the server.
     8. Use layered defense against remote attacks.
        Network Traffic Controller effectively “firewalls” the System i from the rest of the network.
     9. Monitor and respond to suspicious or disruptive behavior.
        DetectIT monitors thousands of different security events and reports on all activity that falls outside your predefined security policy guidelines.
     10. Deactivate computer access following termination.
        User Profile Manager provides full user life-cycle management across multiple System i servers.
     11. Collect and save data for use in investigations.
        The DetectIT Security Audit and Detection Module allows you to configure, report and archive against thousands of different security events.
     12. Clearly document insider threat controls.
        Risk and Compliance Monitor contains pre-defined policies, based upon internationally accepted standards, against which your systems are monitored.
  12. The Business Case
     Managing System i users effectively will deliver a financial benefit to any organization that employs robust user management. IT fraud such as the Societe Generale case and financial penalties for failure to comply with legislative initiatives (Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, Basel II etc.) can cost an organization a great deal of money. So it is no surprise that security audits are addressed at board level and that management of System i users is given the highest priority. Security and operations must demonstrate the ability to control, audit and report on which users have access to what System i resources.
     Another, less obvious return on investment is in password management. On average, up to 70% of calls to the service desk are due to forgotten passwords. Self-service password resets and single sign-on reduce the volume of calls by up to 80%. This eliminates many costly, time-consuming processes and delivers hard cash savings to IT operations. Gartner estimates that help desk calls cost an average of £30 each, and that personal management reports for users account for a minimum of 40% of help desk call volumes.
  13. Conclusion
     Despite the huge threat posed by employees, user management can be overlooked in security projects. Too often, it is considered just an administrative task rather than a security issue. The policy management and access control part of user management tends to be forgotten. The reality is that you can massively reduce the risk of security incidents by correctly managing employees and other authorized users. This is where organizations should focus the majority of their efforts in securing their critical data. The three IT controls mentioned earlier provide a useful framework for organizations to manage their user community:
     • Implement Strong Access Control Measures
     • Regularly Monitor and Test Networks
     • Maintain an Information Security Policy
     When organizations follow these guidelines they can help ensure sensitive data stays secure and keep users productive.

     About the Author
     Simon Bott has over 16 years’ experience working in IT. This has encompassed time spent working within end-user environments and, for more than a decade, working as a consultant for several successful IBM business partners with a focus on the iSeries/System i platform. For the past 3 years Simon has helped build the networking and security function of one of IBM’s largest business partners, working with technology partners such as Juniper Networks, RSA, Cisco, Trend Micro and Barracuda Networks to meet the growing demand for security services in today’s regulatory-compliance-driven business environment. Simon joined Safestone Technologies in summer 2008 to help Safestone continue to evolve and deliver the high-quality, innovative System i audit, compliance and security tools for which it is known.

     About Safestone Technologies
     Partner of choice for global financial and banking institutions with the most stringent security and compliance requirements, Safestone provides the most comprehensive solution in System i security to over 500 blue-chip customers worldwide. Safestone’s module-based solutions are flexible, scalable, and easy to implement and use, allowing the solution to address all varying degrees of audit, compliance and security requirements. Safestone has built up a global network over more than 21 years, which provides localized sales, consultancy and professional services to help organizations manage all their System i security requirements.