Control Access to IBM i Systems and Data

Security 101:
Controlling Access to IBM i
Systems and Data
Barry Kirksey, Senior Solutions Architect
1

Agenda
1 – IBM i Access Vulnerabilities
2 – Exit Points and Exit Programs
3 – Four Levels of Access Control
4 – Tradeoffs: DIY or Packaged Solutions?
How Syncsort Can Help5 –

• The IBM i is increasingly connected
• Prior to the 1990s, the IBM i was isolated
• In the 1990s IBM opened up the system to TCP/IP
• The numbers of ways the system could be accessed grew
• Legacy, proprietary protocols now cohabitate with new, open-
source protocols – creating access point headaches
• The worldwide hacker community now recognizes the IBM i as a
high-value target
• 4 important levels of access must now be secured
• Network access
• Communication port access
• Database access
• Command access
Why Secure Access Points?
3

• What are exit points and exit programs?
• Exit points and exit programs are powerful tools for access control
• Introduced in 1994 to the AS/400 in V3R1 of the operating system
• Exit points provide “hooks” to invoke one or more user-written
programs—called exit programs—for a variety of OS-related operations
• Exit point programs are registered to particular exit points
• How can exit points be used?
• Exit programs can allow or deny access based on parameters such as
permissions, date/time, user profile settings, IP addresses, etc.
• Command exit points can allow or deny command execution based on
context and parameters
• Exit programs can also trigger actions such as logging access attempts,
disabling user profiles, sending an alert, etc.
4
Exit Points and Exit Programs

Securing
Network Access
Security Challenges
• Network protocols make it possible for
users to connect directly to backend
databases on the IBM I
• Network protocols include FTP, ODBC,
JDBC, DDM, DRDA, NetServer, and others
• Without proper controls, the system is
open to hackers or internal users who may
create problems
• Without network controls, it is also
possible to remotely execute commands
(e.g. RCMD or REXEC) via FTP, ODBC and
RMTCMD functions
• SQL statements could also be remotely
executed via ODBC, JDBC and DRDA if not
locked down
How Exit Points Can Help
• IBM i provides dozens of exit points that
cover most network access protocols
• Exit programs can be created and assigned
to these exit points
• Exit programs can control access by a
variety of criteria and monitor and log
activity
• When access is controlled through network
exit programs, only the specific operations
defined by the exit program can occur
• Application Administration provides a partial
solution that can control which users can
access particular network functions, but
does not provide logging and cannot be
controlled via granular rules
5

Securing Comm
Port Access
Security Challenges
• Some network protocols don’t have their
own exit points and can’t be protected in
the same way
• These network protocols include SSH,
SFTP, SMTP and others
• IT teams may also wish to control
communication access in a way network
or other types of exit points cannot (for
example, specifying a port number)
• IBM provides socket exit points
• Socket exit programs secure connections by
specific port and/or IP addresses
• Socket exit programs have limits; e.g. fewer
parameters are available to control inbound
connection
• Socket exit points paired with the other
types of exit point access control methods
provide stronger protection
6

Securing
Database Access
Security Challenges
• Object-level security only goes so far in
controlling access to sensitive data
• Open-source protocols that access data
create particular vulnerabilities
• Open-source protocols include JSON,
Node.js, Python, Ruby and others
• Open-source protocols don’t have their
own exit points
• Without properly securing database
access, data could be viewed or changed
without proper authorization or even
stolen
• A powerful exit point called Open Database
File allows exit programs that protect data
from any kind of access
• The exit program can be invoked whenever
a physical file, logical file, SQL table or SQL
view is opened
• The exit program can contain a granular set
of rules that control under what conditions
the file can be accessed and by whom
• The exit program can also be defined to
audit all activity
7

Securing
Command Access
Security Challenges
• The incorrect use of commands by users
can cause considerable damage (deleting
files, ending processes, or worse)
• Access to commands can be controlled to
some extent through user profiles and
object-level security
• A more refined approach to command
control is often required – especially for
powerful profiles
• IBM i provides exit points that cover the
use of commands
• Exit programs can be developed to allow or
disallow access to any command within
very specific circumstances
• Command control can be performed
regardless of whether it is performed
within the IBM i or through network access
• Command exit programs supersede
normal object-level security to provide an
additional, very useful layer of security for
users with powerful authorities
8

Tradeoffs
Do-It-Yourself In-House
• Resources may be stretched and pulled
off project
• May need to bring in consultants or hire
new employee because of lack of
knowledge
• Need to stay on top of new PTFs or
updates to the OS
• Knowledgeable resource may leave or
retire
Third-Party Solutions
• Frees up your resources for more important
projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing
updated software
• Vendors ensure exit programs stay current
to the latest threats and OS capabilities
• Ensures optimal performance of exit
programs
9

Sensitive Data Protection
Protecting the privacy of sensitive
data by ensuring that it cannot be
read by unauthorized persons
using encryption, tokenization
and secure file transfer
Intrusion
Detection/Prevention
Ensuring comprehensive control
of unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Security & Compliance
Assessments
Assessing your security risks or
regulatory compliance
Auditing and Monitoring
Gaining visibility into all security
activity on your IBM i and
optionally feeding it to an
enterprise console
Syncsort Security
addresses the issues
on every CISO and
system admin’s
radar screen
11

• Syncsort security solutions can take control of all access points
• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses, sockets - covers SSH,
SFTP, SMTP, etc.)
• Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.)
• Command access
• Intuitive, powerful access control
• Easy to use graphical interface
• Powerful, flexible rules for controlling access
• Provides alerts, produces reports and integrates with SIEM consoles
• Low impact on system performance
• Benefits
• Reduces time and energy to maintain compliance
• Stops fraudulent activity
• Alerts you to security incidents
• Encourages best practices
Syncsort Access Control
Cilasoft CONTROLER
Enforcive Enterprise
Security Suite
(for IBM i and for AIX)
Syncsort
Security
Solutions
12

Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (for hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage Syncsort’s team of seasoned security experts!
The Syncsort Services Team
Is Here for You
13

Learn more at
www.syncsort.com/en/assure

Control Access to IBM i Systems and Data

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Control Access to IBM i Systems and Data

Similar to Control Access to IBM i Systems and Data (20)

More from Precisely

More from Precisely (20)

Recently uploaded

Recently uploaded (20)

Control Access to IBM i Systems and Data