Performing a detailed security risk assessment is a time-consuming and challenging task. However, in today’s high-risk environment, it is required. A common misconception that can leave IBM i systems open to data breaches is that addressing physical and network security is enough to keep systems and data safe. Though controlling physical access and ensuring network security is important, the most common vulnerabilities in IBM i environments come from improper security configurations.
To understand security risks on your IBM i, it is essential to review security settings and configurations throughout the system. This requires significant knowledge of dozens of IBM i capabilities and their related configurations. Assure Security Risk Assessment thoroughly examines dozens of security settings, comparing values against best practice, to produce reports that identify security vulnerabilities.
View this webcast on-demand to learn:
• The dangers of improperly configured security settings on your IBM i
• How many compliance regulations, such as PCI DSS and HIPAA, require annual IT risk assessments
• How to request Syncsort's FREE Assure Security Risk Assessment
2. Housekeeping
Webcast Audio
• Today's webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio, please reach out to us using the Q&A box.
Questions Welcome
• Submit your questions at any time during the presentation using the Q&A box.
• We will answer them during our Q&A session following the presentation.
Recording and slides
• This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides.
Bill Hammond, Sr Product Marketing Manager
3. Compliance & Security Are Top of Mind for IBM Power Pros
A recent survey by Syncsort of companies running IBM Power Systems shows the impact that security and compliance are having on IT priorities:
• 45% say the possibility of a security/privacy breach is a top IT concern
• 48% say security is their #1 IT initiative over the coming 24 months
• 75% say compliance regulations define their company's security program
• 33% say the growing complexity of regulations presents a challenge to ensuring security
4. Key IBM i Security Concepts
• The IBM i is not inherently a secure system. However, it is extremely securable.
• Legacy, proprietary protocols now cohabitate with new, open-source protocols, creating new access point headaches
• The worldwide hacker community has discovered the IBM i as a high value target
• Being in compliance does not automatically mean the system is secure.
5. Global Laws and Regulations
United States: CCPA, PCI DSS, FISMA, GLBA, SOX, State & Federal Laws, GDPR
Canada: PIPEDA, PCI DSS, GDPR, CCPA
United Kingdom: Data Protection Act (DPA), PCI DSS, GDPR, CCPA
European Union: GDPR, Data Protection Directive 94/45/EC, Directive 2002/58/EC, Basel III, PCI DSS, CCPA
Japan: Personal Information Protection Law, PCI DSS, GDPR, CCPA
Asia-Pacific: Forum on Privacy & Data, APEC, PCI DSS, GDPR, CCPA
Latin America: PCI DSS, E-commerce Act, Consumer Protection Code, Law for Protection of Private Life, Data Protection Bill, GDPR, CCPA
6. What Requirements Do Regulations Have in Common?
• Strengthen and monitor login security
• Control the use of powerful user authorities
• Lock down access to systems and data
• Encrypt (anonymize, deidentify, tokenize, etc.) private data, both at rest and in transit; encrypt removable storage and archival files
• Implement strong encryption key management policies
• Implement comprehensive logging and monitoring of systems and data for security and compliance incidents
• Certify that vendors, service providers, etc. are compliant
• Periodic security risk assessments
7. Regulatory Requirements for Security Assessment
Most regulations require some sort of security audit/assessment on a regular basis:
• Payment Card Industry Data Security Standard (PCI DSS)
• Health Insurance Portability and Accountability Act (HIPAA)
• General Data Protection Regulation (GDPR)
• New York Dept. of Financial Services Cybersecurity Regulation (23 NYCRR 500)
• and others
8. What Should an Assessment Include?
A good security risk assessment should include:
• Checks of system definitions and settings
• Explanation of what they mean
• Recommendations of any changes needed
Assessment results should be detailed enough to guide the technical staff responsible for security while also providing an overview for managers and executives.
9. Risk Assessment
Security Risk Assessment Service: let Syncsort's team of security experts conduct a thorough risk assessment and provide a report with remediation guidance.
Assure Security Risk Assessment Tool: thoroughly check all aspects of IBM i security and obtain detailed reports and recommendations.
10. Security Risk Assessment
What It Is
• A security risk assessment is a thorough check of all aspects of system security, including (but not limited to):
  • Security settings in the OS
  • Default passwords
  • Disabled users
  • Command line users
  • Distribution of powerful users
  • Library authorities
  • Open ports
  • OS exit points
• Risk assessment tools or services provide detailed reports on findings, explanations and recommendations for remediation
• An assessment summary for non-technical management summarizes findings
Benefits
• Helps to satisfy the requirement for annual risk assessments found in regulations such as PCI DSS and HIPAA
• Results in reports that inform management and administrators about security vulnerabilities and remedies
• Saves time by automating (tool) or offloading (service) the process of conducting an assessment
• Using a service or tool that encapsulates extensive experience can fill skillset gaps
• Provides separation of duties between administrator and auditor
12. Management Summary: Report Overview
• Gauge to illustrate where the LPAR falls overall on the scale
• This is the System Name
• This report can be run in 3 modes: SUMmary, FAST and Full
13. Management Summary
• The assessment results will fall into these four categories
• This section explains how the system did in the four categories
14. Management Summary
• The SRA tool has three risk ratings
• This table shows the number of checks by category performed and where this system/LPAR rated for each
16. Management Summary Categories
• System Values Category
  • QALWOBJRST – Allow Object Restore
  • QCRTAUT – Create Default Public Authority
  • QPWDMINLEN – Minimum Password Length
  • QUSEADPAUT – Use Adopted Authority
• User Profiles Category
  • Distribution of Powerful Profiles
  • Default Passwords
  • Inactive Users
  • Limited Capability (Command Line) Users
  • IBM Profiles with a Password
• Object Authorities Category
  • Library Authorities
  • Object Authorities with *PUBLIC Authority
  • Commands with *PUBLIC not *EXCLUDE
  • File Shares (Big thing with Ransomware)
  • Programs that Adopt *ALLOBJ Authority
• Access through Network Category
  • Information about the open ports and Exit Points on the IBM i
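The System Values and User Profiles checks listed above, together with the three severities the deck uses (OK, Warning, High Risk) and the per-category count table from the management summary, can be shown end to end with a small rater. The Python below is an added example written for this page; it is not the Assure Security Risk Assessment tool or its rules. The best-practice thresholds, the field names of the user records and all sample data are assumptions constructed for the illustration, not values exported from a real IBM i.

```python
"""Toy IBM i posture rater (added example, not Syncsort's tool or its scoring).
Compares exported settings against ASSUMED best-practice thresholds and tags
each check OK / Warning / High Risk, then counts checks per category."""
from dataclasses import dataclass

OK, WARNING, HIGH = "OK", "Warning", "High Risk"


@dataclass
class Finding:
    category: str
    check: str
    current: str
    rating: str
    recommendation: str


# Constructed sample: the shape an export of system values might take.
SAMPLE_SYSTEM_VALUES = {
    "QSECURITY": "30",
    "QPWDMINLEN": "6",
    "QCRTAUT": "*CHANGE",
    "QALWOBJRST": "*ALL",
    "QUSEADPAUT": "*NONE",
}

# Constructed sample user profiles; the field names are this example's own.
SAMPLE_USERS = [
    {"name": "QSECOFR", "enabled": True, "has_password": True, "default_password": False,
     "limit_capabilities": "*NO", "special_authorities": {"*ALLOBJ", "*SECADM"}, "days_since_signon": 3},
    {"name": "QPGMR", "enabled": True, "has_password": True, "default_password": False,
     "limit_capabilities": "*NO", "special_authorities": set(), "days_since_signon": 400},
    {"name": "JSMITH", "enabled": True, "has_password": True, "default_password": True,
     "limit_capabilities": "*YES", "special_authorities": set(), "days_since_signon": 2},
    {"name": "TEMP01", "enabled": True, "has_password": True, "default_password": False,
     "limit_capabilities": "*NO", "special_authorities": set(), "days_since_signon": 200},
    {"name": "ADMIN2", "enabled": True, "has_password": True, "default_password": False,
     "limit_capabilities": "*NO", "special_authorities": {"*ALLOBJ"}, "days_since_signon": 1},
]


def rate_system_values(values):
    """One Finding per system value; thresholds below are assumptions."""
    rules = [
        ("QSECURITY", "Security Level",
         lambda v: OK if int(v) >= 40 else HIGH,
         "Run at level 40 or higher so object authority is enforced on every interface."),
        ("QPWDMINLEN", "Minimum Password Length",
         lambda v: OK if int(v) >= 8 else WARNING if int(v) >= 6 else HIGH,
         "Require at least 8 characters."),
        ("QCRTAUT", "Create Default Public Authority",
         lambda v: OK if v == "*EXCLUDE" else WARNING if v == "*USE" else HIGH,
         "Default new objects to *EXCLUDE and grant access deliberately."),
        ("QALWOBJRST", "Allow Object Restore",
         lambda v: OK if v == "*NONE" else HIGH if v == "*ALL" else WARNING,
         "Block restore of system-state and authority-adopting objects outside planned maintenance."),
        ("QUSEADPAUT", "Use Adopted Authority",
         lambda v: WARNING if v == "*NONE" else OK,
         "Name an authorization list so only approved users can create programs that adopt authority."),
    ]
    return [Finding("System Values", f"{name} - {label}", values[name], rate(values[name]), rec)
            for name, label, rate, rec in rules]


def rate_user_profiles(users):
    """Aggregate user-profile checks, one Finding per check (thresholds assumed)."""
    cat, total = "User Profiles", len(users)
    default_pwd = [u["name"] for u in users if u["default_password"]]
    inactive = [u["name"] for u in users if u["enabled"] and u["days_since_signon"] > 90]
    powerful = [u["name"] for u in users if "*ALLOBJ" in u["special_authorities"]]
    cmdline = [u["name"] for u in users if u["enabled"] and u["limit_capabilities"] == "*NO"]
    ibm_pwd = [u["name"] for u in users
               if u["name"].startswith("Q") and u["name"] != "QSECOFR" and u["has_password"]]
    count = lambda names: f"{len(names)} of {total}"
    return [
        Finding(cat, "Default Passwords", count(default_pwd), HIGH if default_pwd else OK,
                "Force a password change for every profile whose password equals its name."),
        Finding(cat, "Inactive Users (>90 days)", count(inactive), WARNING if inactive else OK,
                "Disable profiles that have not signed on within the policy window."),
        Finding(cat, "Distribution of Powerful Profiles (*ALLOBJ)", count(powerful),
                WARNING if len(powerful) > max(3, total // 10) else OK,
                "Keep *ALLOBJ to a small, justified set of administrators."),
        Finding(cat, "Command Line Users (LMTCPB(*NO))", count(cmdline),
                WARNING if len(cmdline) * 2 > total else OK,
                "Limit capabilities for users who do not need a command line."),
        Finding(cat, "IBM Profiles with a Password", count(ibm_pwd), HIGH if ibm_pwd else OK,
                "Set IBM-supplied profiles (other than QSECOFR) to *NONE password."),
    ]


def summarize(findings):
    """Checks per category and rating, like the deck's management-summary table."""
    table = {}
    for fd in findings:
        table.setdefault(fd.category, {OK: 0, WARNING: 0, HIGH: 0})[fd.rating] += 1
    return table


def overall_rating(findings):
    """Gauge value: the worst rating found anywhere."""
    ratings = {fd.rating for fd in findings}
    return HIGH if HIGH in ratings else WARNING if WARNING in ratings else OK


def assess(values=SAMPLE_SYSTEM_VALUES, users=SAMPLE_USERS):
    findings = rate_system_values(values) + rate_user_profiles(users)
    return findings, summarize(findings), overall_rating(findings)


if __name__ == "__main__":
    findings, table, overall = assess()
    for fd in findings:
        print(f"[{fd.rating:9}] {fd.category}: {fd.check} = {fd.current}")
        print(f"            {fd.recommendation}")
    print(table, "Overall:", overall)
```

Each finding carries the three things slide 17 shows in the detail section (current setting, rating, recommendation), and `summarize` produces the per-category counts of slide 14. Swapping the constructed sample for a real export of system values and user profiles is the only change needed to run it against an actual LPAR; the thresholds themselves should be replaced with your organisation's own policy.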
17. Detail Section
Each entry shows:
• System Value with System Name
• Description
• Rating, Recommendation and Explanation
• Current Setting
22. Key Areas Examined
System Values
• Security
• Password
• Auditing
User Profiles
• Powerful User Profiles
• Default Passwords
• Dormant Users
• Limited Capabilities
• IBM Profiles
• Group Profiles
• Service Tools User IDs
Object Authorities
• Libraries
• Files, Programs, etc.
• User Profiles
• Commands
• Authorization Lists
• Job Descriptions
• Output Queues
Access through the Network
• Ports
• Exit Points
Sample Result with Guidance
23. Register for Your Free Assessment
Assure Security Risk Assessment provides a useful and informative picture of your IBM i security:
• Checks dozens of security definitions on your IBM i
• Compares actual values against recommended best practice
• Tags results with three simple severities – OK, Warning, or High Risk
• Explains the meaning and significance of system definitions
• Delivers easy guidance on reducing cyber security risks
• Provides a high-level management summary of security risks