Since your IBM i environment handles some of your most mission-critical workloads, protecting them is imperative. High availability solutions are there to help you minimize or virtually eliminate downtime. IBM i security is an ongoing concern for IBM i shops due to threats of ransomware and other malware, as well as various regulations and audit requirements.
When HA/DR and security can work together, you can get an even greater ROI from these important solutions.
Join us for this webcast to hear about:
• The benefits of coordinating your HA/DR and your security
• Implications for security, switching, and replication
• Establishing effective reporting and monitoring
IBM i HA and Security: Why They Need to Work Together
1. How Security and HA Need to Work Together
Bill Peedle | Principal Sales Engineer
Barry Kirksey | Principal Sales Engineer
2. Today’s Topics
• IBM i is mission critical
• HA and Security coordination
• Security
• Switching
• Replication
• Reporting and monitoring
• Minimizing downtime
4. Let’s talk about IBM Power Systems running IBM i
Reputation
• IBM i has been a strategic platform for decades
• IBM i has been able to adapt to a changing IT landscape
• IBM i handles important, mission-critical workloads
• Popular in manufacturing, retail, distribution, logistics, banking, healthcare, insurance, hospitality management, government management, and legal case management
Trends
• Increasing move to cloud deployment
• Existing customers continue to upgrade systems and OS versions
• Customers continue to add more partitions - 50% of companies have more than 3 LPARs
• Remote work environments continue to grow
Concerns
• Security knowledge and skills gap
• Security continues to be top priority
• HA/DR cited as top concern for almost 2/3 of customers
• Finding required staff with IBM i skills also a top concern
• Automation and modernization are frequently cited concerns
*Fortra 2022 IBM i Marketplace Survey
5. IT Jungle 2023 IBM i Marketplace Predictions*
Automation
Automation is key in operations, job scheduling and regular complex and simple tasks, but the resources for skilled IBM Power Systems people are scarce and becoming even scarcer
Modernization
IBM i is the system of record and clients are implementing a hybrid approach to modernization
Spending
Many IT projects will be looking to optimize costs. We will see investment in tools on the platform (IBM i) to help move workloads to cloud/hybrid cloud environments
Cloud
2023 will mark a year where customers finally make the move to cloud-based hosting of their IBM i
* IT Jungle - 2023 IBM i Predictions, Part 1 - 1/16/2023
6. IBM i marketplace surveys
• Virtually all surveys continue to point to Security as Number 1 concern
• HA is usually 2nd or 3rd and is generally cited by more than 50% of survey respondents
• Only 5% of IBM i users intend to remove all IBM i-based applications from their systems during the next two years
• Downtime costs IBM i users an average of $125k per event**
• Remote operations has become the new normal for most organizations, causing increased security risks**
• 70% of respondents are using their IBM i platform to run more than half of core business applications
**Forrester Economic Impact Study
7. Tension Between Availability and Security
Conflict
• Operations team generally focused on Availability
• Security team focused on locking down a secure environment
Causes
• Conflicting Values
• Complexity
• Policy problems
• Communication & coordination
9. Replication Topics to discuss
• IBM i Security Product Modules required to be replicated
• Switching considerations for HA and Security
• Availability and security in a Cloud environment
• Streaming HA and security data to IT Operations Analytics (ITOA) solutions
• Managing risk and downtime for encryption of data at rest, while maintaining switch readiness
11. Multi-factor Authentication (MFA) Security Module Replication
• Enabling Multi-factor Authentication
• Install MFA Product on target server
• Configure IBM i replication product to replicate MFA
• Authentication server considerations
• External
• Local
• HA Server access when in read only mode
12. Encryption Security Module Replication
• Enabling Encryption
• Install on target server
• Configure IBM i replication product to replicate the encryption module
• Encryption at the field level with IBM i Field Procedures
• Fields encrypted/decrypted on the fly
• Field Proc procedure used on the fly
• Procedures must be replicated
13. Exit Point Security Module Replication
Managing Exit Points
• Install on target server
• Configure IBM i replication product to replicate the exit point software product
• Exit Points must be turned on at the system level
• Consideration: new exit points on the source need to be introduced to the backup server
15. Switching Your HA and Security Products
• Products need to be integrated
• Procedure and steps needed to accommodate integrated switching
• Automated notification of manual steps required
• Regular testing to ensure HA and Security switch error-free
[Diagram labels: Current LPARs, New LPARs; From Anywhere, To Anywhere; Any Hardware; Any Storage; Physical, Virtual, Cloud; Any IBM i OS Version]
19. Some definitions…
• Security Information and Event Management (SIEM) - offers real-time monitoring and analysis of events as well as tracking and logging of security data for compliance or auditing purposes
• IT Operations Analytics (ITOA) - IT operations analytics involves collecting IT data from different sources, examining that data in a broader context, and proactively identifying problems in advance of their occurrence.
• IT Operations Management (ITOM) - IT operations management (ITOM) is responsible for managing information technology requirements within an organization, overseeing the provisioning, capacity, performance, and availability of IT infrastructure and resources.
20. Leading IT analytics & security platforms lack native IBM i support
[Diagram: data sources in distributed and cloud environments (on-premises, private cloud, public cloud), including online services, storage, online shopping cart, servers, desktops, web clickstreams, security, networks, telecoms, call detail records, GPS location, messaging, databases, RFID, web services, packaged applications, custom apps, energy meters, smartphones and devices, shown alongside IBM i systems]
21. IT operations analytics
Monitor the business for real-time operational intelligence
• Monitor operational status of enterprise IT infrastructure
• Monitor resource utilization and availability
• Real-time visibility into IBM systems
• Predict and avoid problems
• Non-IBM users have access to IBM KPIs
22. Security monitoring
Extend your security strategy to include the IBM i
• Detect and prevent security threats
• Report on security events
• Prioritize on highest impact issues
• Monitor privileged user activity
• Automated reporting and simplified compliance
24. Implementing encryption has its challenges
Exclusive Locks
• IBM i Field Procedures (FieldProc) needs an Exclusive Lock on file data to add/remove an encryption program and encrypt/decrypt a column
Small Window
• Your maintenance window may be too small to encrypt/decrypt all files during the allotted time
Application Risk
• Encryption processing changes every record within a file – increasing risk to applications
25. Encrypt While Active is useful throughout the lifetime of your encryption project
Initial Encryption
• Adding encryption to fields/files not currently encrypted
Removing Encryption
• Removing encryption from fields/files currently encrypted
Key Rotation
• Cycling an encrypted file from one set of encryption keys to another (annually or on another regular interval to meet compliance requirements)
26. Benefits of Encrypt While Active
• Minimizes downtime for encryption operations
• Mitigates the risk of application failure after encryption
• Ensures HA/DR-readiness throughout the encryption process
As an added benefit, deleted records can be removed from the file during the encryption – a Compress While Active service
28. Precisely IBM i Products
Assure HA
Protect IBM i servers from downtime and data loss
• Protects against downtime and meets aggressive service level agreements
• Flexible, scalable replication and failover automation
• Scales from SMB to enterprise workloads
• Minimizes impact on network bandwidth and CPU usage
• Supports mixed i OS and hardware environments on physical, virtual and cloud platforms
Assure Security
Protects IBM i systems and data from security breaches and assures regulatory compliance
• Robust, multi-layered, and resilient defenses against advanced malware threats
• Enforces strict security policies to protect your systems with automated access control
• Generates clear, actionable alerts and reports
• Protects sensitive and highly regulated data from unauthorized access using encryption, tokenization and masking technologies
Ironstream
Integrates log data from IBM i into IT operations analytics and management platforms
• Provides access to the log data to address IT operations analysis, security, and compliance
• Unlocks real-time operational intelligence from IBM i systems
• Improves access to data by breaking down silos
• Increases value and observability of IT services & operations
Conflicting values
Because of the innate conflicting values between availability and security, there is also friction when choosing best practices to follow when teams are combined. For example, SecOps combines multiple teams with specific duties, goals, and responsibilities. There is no question that everyone wins when they can work together in balance, but their conflicting values make it especially difficult to agree on workflows and best practices.
For example, when DevOps teams think about vulnerability patching, they think of it in terms of downtime and disruptions that cause problems and inconveniences for users. That’s why they often turn to regularly scheduled downtime in an attempt to prioritize security.
However, maintenance windows and scheduled downtime can’t result in complete patching every time. Network updates are not released according to your organization’s timetable. And hackers certainly won’t wait until your next security update to launch an attack.
Complexity
Deciding on how often to patch and how quickly to respond when known vulnerabilities are released is just the beginning of the issues between availability and security. And sometimes, reducing risk is more complicated than running an update or patching a specific vulnerability.
For example, some vulnerabilities occur at the programming language level. These vulnerabilities impact all of the apps written with the affected language. Sometimes operations and security teams are oblivious to the inner workings of certain programming languages. If they don’t know how to log in with Python, how will they patch a PHP vulnerability?
This is where developers get involved, and DevSecOps teams are formed, further adding to the complexity of balancing availability and security. Not only must teams update the language version to patch the vulnerability, but they also must rewrite application code with the language-level changes in mind.
At this level of complexity, developers have doubled their workload, IT teams cannot serve their primary functions, and security specialists are faced with hours of rework securing an entirely new application.
Policy problems
It is at this point that processes break down. Everything is on fire, no one is clear on how to proceed, and organizations often suffer from data incidents at this stage. In addition to a multi-layered conflict across the company, you also have to repair your reputation with customers.
This is also where the idea of a top-to-bottom policy seems the best way to deal with the issues. And while policies can solve these problems to some degree, no team is truly happy with the outcome. The result? Mediocre products and services from a mediocre organization.
Another problem with policies is that they often leave systems unpatched for long periods, giving hackers plenty of opportunities to sneak in and wait for the perfect time to launch an attack.