To protect your critical data from access by unauthorized users or intruders and to comply with increasingly strict IT security regulations, you must take control of all access points to your IBM i server. View this webinar on-demand to jump start your understanding of all the points of access that must be managed and how they can be secured using IBM i exit points.
You’ll learn:
• How to secure network access and communication ports
• How database access via open-source protocols can be secured
• How to take control of command execution
• How Syncsort’s security solutions can help
2. Agenda
1 – IBM i Access Vulnerabilities
2 – Exit Points and Exit Programs
3 – Four Levels of Access Control
4 – Tradeoffs: DIY or Packaged Solutions?
How Syncsort Can Help5 –
3. • The IBM i is increasingly connected
• Prior to the 1990s, the IBM i was isolated
• In the 1990s IBM opened up the system to TCP/IP
• The numbers of ways the system could be accessed grew
• Legacy, proprietary protocols now cohabitate with new, open-
source protocols – creating access point headaches
• The worldwide hacker community now recognizes the IBM i as a
high-value target
• 4 important levels of access must now be secured
• Network access
• Communication port access
• Database access
• Command access
Why Secure Access Points?
3
4. • What are exit points and exit programs?
• Exit points and exit programs are powerful tools for access control
• Introduced in 1994 to the AS/400 in V3R1 of the operating system
• Exit points provide “hooks” to invoke one or more user-written
programs—called exit programs—for a variety of OS-related operations
• Exit programs are registered to particular exit points
• How can exit points be used?
• Exit programs can allow or deny access based on parameters such as
permissions, date/time, user profile settings, IP addresses, etc.
• Command exit points can allow or deny command execution based on
context and parameters
• Exit programs can also trigger actions such as logging access attempts,
disabling user profiles, sending an alert, etc.
4
Exit Points and Exit Programs
5. Securing
Network Access
Security Challenges
• Network protocols make it possible for
users to connect directly to backend
databases on the IBM i
• Network protocols include FTP, ODBC,
JDBC, DDM, DRDA, NetServer and others
• Without proper controls, the system is
open to hackers or internal users who may
create problems
• Without network controls, it is also
possible to remotely execute commands
(e.g. RCMD or REXEC) via FTP, ODBC and
RMTCMD functions
• SQL statements could also be remotely
executed via ODBC, JDBC and DRDA if not
locked down
How Exit Points Can Help
• IBM i provides dozens of exit points that
cover most network access protocols
• Exit programs can be created and assigned
to these exit points
• Exit programs can control access by a
variety of criteria and monitor and log
activity
• When access is controlled through network
exit programs, only the specific operations
defined by the exit program can occur
• Application Administration provides a partial
solution that can control which users can
access particular network functions, but
does not provide logging and cannot be
controlled via granular rules
5
6. Securing
Com Port Access
Security Challenges
• Some network protocols don’t have their
own exit points and can’t be protected in
the same way
• These network protocols include SSH,
SFTP, SMTP and others
• IT teams may also wish to control
communication access in a way network
or other types of exit points cannot (for
example, specifying a port number)
How Exit Points Can Help
• IBM provides socket exit points
• Socket exit programs secure connections by
specific port and/or IP addresses
• Socket exit programs have limits; e.g. fewer
parameters are available to control inbound
connection
• Socket exit points paired with the other
types of exit point access control methods
provide stronger protection
6
7. Securing
Database Access
Security Challenges
• Object-level security only goes so far in
controlling access to sensitive data
• Open-source protocols that access data
create particular vulnerabilities
• Open-source protocols include JSON,
Node.js, Python, Ruby and others
• Open-source protocols don’t have their
own exit points
• Without properly securing database
access, data could be viewed or changed
without proper authorization or even
stolen
How Exit Points Can Help
• A powerful exit point called Open Database
File allows exit programs that protect data
from any kind of access
• The exit program can be invoked whenever
a physical file, logical file, SQL table or SQL
view is opened
• The exit program can contain a granular set
of rules that control under what conditions
the file can be accessed and by whom
• The exit program can also be defined to
audit all activity
7
8. Securing
Command Access
Security Challenges
• The incorrect use of commands by users
can cause considerable damage (deleting
files, ending processes, or worse)
• Access to commands can be controlled to
some extent through user profiles and
object-level security
• A more refined approach to command
control is often required – especially for
powerful profiles
How Exit Points Can Help
• IBM i provides exit points that cover the
use of commands
• Exit programs can be developed to allow or
disallow access to any command within
very specific circumstances
• Command control can be performed
regardless of whether it is performed
within the IBM i or through network access
• Command exit programs supersede
normal object-level security to provide an
additional, very useful layer of security for
users with powerful authorities
8
9. Tradeoffs
Do-It-Yourself In-House
• Resources may be stretched and pulled
off project
• May need to bring in consultants or hire
new employee because of lack of
knowledge
• Need to stay on top of new PTFs or
updates to the OS
• Knowledgeable resource may leave or
retire
Third-Party Solutions
• Frees up your resources for more important
projects
• Provides separation of duties
• Leverages experts in the field
• Vendor is in the business of releasing
updated software
• Vendors ensure exit programs stay current
to the latest threats and OS capabilities
• Ensures optimal performance of exit
programs
9
11. Data Privacy
Protect the privacy of data at-rest
or in-motion to prevent data
breaches
Access Control
Ensure comprehensive control of
unauthorized access and the
ability to trace any activity,
suspicious or otherwise
Compliance Monitoring
Gain visibility into all security activity
on your IBM i and optionally
feed it to an enterprise console
Security Risk Assessment
Assess your security threats
and vulnerabilities
11
Syncsort can address
the issues on the
radar screen of every
security officer and
IBM i admin
12. Assure System
Access Manager
Comprehensive control of
external and internal access
• Network access
(FTP, ODBC, JDBC, OLE DB, DDM, DRDA,
NetServer, etc.)
• Communication port access
(using ports, IP addresses, sockets -
covers SSH, SFTP, SMTP, etc.)
• Database access
(open-source protocols - JSON, Node.js,
Python, Ruby, etc.)
• Command access
Powerful, flexible and easy to
manage
• Easy to use graphical interface
• Standard configuration easy deployment
• Powerful, flexible rules for controlling
access based on conditions such as
date/time, user profile settings, IP
addresses, etc.
• Simulation mode for rules testing
• Provides alerts and produces reports
• Logs access data for SIEM integration
Secures IBM i systems and
enables regulatory compliance
• Supports regulatory requirements for SOX,
GDPR, PCI-DSS, HIPAA, and others
• Satisfies security officers by securing
access to IBM i systems and data
• Significantly reduces the time and cost of
achieving regulatory compliance
• Enables implementation of security best
practices
• Quickly detects security incidents so you
can efficiently remediate them
• Has low impact on system performance
12
13. Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured
after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage the seasoned security experts in Syncsort Global Services!
The Syncsort Services Team
Is Here for You
13