Understanding and controlling all the points of access to IBM i systems
IBM i is securable, but it is not secured by default. To comply with increasingly strict IT security regulations, you must take control of all access points to your IBM i server. You can limit IBM i security threats by routinely assessing risks and taking control of logon security, powerful authorities, and system access.
With the right tools and processes, you can ensure comprehensive control of unauthorized access and can trace any activity, suspicious or otherwise, on your IBM i systems.
View this webcast on-demand to learn:
• How to secure network access and communication ports
• How to implement different authentication options and tradeoffs
• How to limit the number of privileged user accounts
• How Syncsort’s security solutions can help
Housekeeping
Webcast Audio
• Today’s webcast audio is streamed through your computer speakers.
• If you need technical assistance with the web interface or audio, please reach out to us using the chat window.
Questions Welcome
• Submit your questions at any time during the presentation using the chat window.
• We will answer them during our Q&A session following the presentation.
Recording and slides
• This webcast is being recorded. You will receive an email following the webcast with a link to download both the recording and the slides.
Agenda
• Why Access Control is Critical
• Multi-Factor Authentication
• Elevated Authority Management
• System Access Management
• How Syncsort Can Help
Key IBM i Security Concepts
▪ The IBM i is not inherently a secure system. However, it is extremely securable.
▪ Legacy, proprietary protocols now cohabitate with new, open-source protocols – creating new access point headaches
▪ The worldwide hacker community has discovered the IBM i as a high value target. It often hosts the most critical data in a corporation
▪ Being in compliance does not automatically mean the system is secure.
Global Security Laws and Regulations
United States: CCPA, PCI DSS, FISMA, GLBA, SOX, State & Federal Laws, GDPR
Canada: PIPEDA, PCI DSS, GDPR, CCPA
United Kingdom: Data Protection Act (DPA), PCI DSS, GDPR, CCPA
European Union: GDPR, Directive 2002/58/EC, Basel III, PCI DSS, CCPA
Japan: Personal Information Protection Law, PCI DSS, GDPR, CCPA
Asia-Pacific: APEC Forum on Privacy & Data, PCI DSS, GDPR, CCPA
Latin America: PCI DSS, E-commerce Act, Consumer Protection Code, Law for Protection of Private Life, Data Protection Bill, GDPR, CCPA
Complex Password Issues
• Should we add more complexity to passwords? Not really.
• Why not? Because we write them down!
• Complex passwords increase costs and introduce weaknesses:
  • Management is complex
  • Management is expensive
  • Impacts productivity (re-enabling users, password changes, etc.)
• Reliance on passwords alone puts all your eggs in the same basket!
NIST’s latest Digital Identity Guidelines at https://pages.nist.gov/800-63-3/ recommend against complex passwords
Multi-Factor Authentication Adds a Layer of Login Security
Multi-Factor Authentication (MFA), sometimes called Two-Factor Authentication (2FA), uses two or more of the following factors:
• Something you know or a “knowledge factor”
  • E.g. user ID, password, PIN, security question
• Something you have or a “possession factor”
  • E.g. smartphone, smartcard, token device
• Something you are or an “inherence factor”
  • E.g. fingerprint, iris scan, voice recognition
Typical authentication on IBM i uses 2 items of the same factor – User ID and password. This is not multi-factor authentication.
Examples of MFA
• A combination of things the user knows, has or is provides MFA
This is Not MFA
• Two things the user knows and no other factor is not MFA
Why Adopt Multi-Factor Authentication?
• Regulations are evolving to require or recommend MFA. Consult the latest documentation for the regulations that impact your business!
• MFA avoids the risks and costs of:
  • Weak passwords
  • Complex passwords
• MFA is a good security measure when:
  • It is customizable and simple to administer
  • End-user adoption is easy
• MFA can support internal strategy and legal requirements
  • BYOD (Bring Your Own Device) vs COPE (Corporate Owned, Personally Enabled)
Passwords alone are insufficient to protect your systems from attack. Multiple factors are better than one to improve security!
Authentication Options
Authentication options are methods for transporting an authentication factor. They can include:
• Email
• Phone call
• Mobile phones
  • Push-based authentication
  • QR code based authentication
  • One-time password authentication (event-based and time-based)
  • SMS-based verification (see box)
• Hardware device such as fobs
• USB-based physical tokens
  • USB tokens are not allowed in many organizations due to risk of loss, theft, virus, or malware
  • USB tokens are costly and heavy to manage for all users
• Biometric device
Factors must be independent – a factor cannot be used to access another factor; they should be physically independent.
Regulatory Requirements for MFA
PCI-DSS version 3.2
• Requires companies to secure all administrative access to the CDE (Cardholder Data Environment) using MFA
• Check document “Multi-Factor Authentication” – February 2017 – Requirement 8.3.
New York Department of Financial Services Cybersecurity Regulation
• 23 NYCRR 500 Section 500.12 (b) states, “Multi-Factor Authentication shall be utilized for any individual accessing the Covered Entity’s internal networks from an external network, unless the Covered Entity’s CISO has approved in writing the use of reasonably equivalent or more secure access controls.”
FFIEC (Federal Financial Institutions Examination Council)
• The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
HIPAA
• Doesn't explicitly mention MFA
• Due to password expiration reinforcement and updates to NIST guidance (800-63), MFA becomes a very reasonable solution to meet HIPAA section 164.312(d)
What Is Elevated Authority?
• A user’s authorities define what they can do on an IBM i system, including
  • menus they can access
  • commands they can run and
  • actions they can take
• Elevated authorities are those that give users more powerful privileges
  • Some people may refer to elevated authority as privileged access
Why Elevated Authorities Must be Limited
• Having too many powerful users leaves the system and data exposed
• Controlling user authorities is required by regulations such as SOX, HIPAA, the Federal and North American Information Practice Act, GDPR and more
• Compliance auditors require that additional authority be granted only when needed and only for the time required
• Security best practice is for users to only have the authorities required to do their jobs
• Even administrators should have their actions monitored (separation of duties) as a best practice
• Outsiders who obtain credentials will attempt to elevate authority unchecked unless you have control of that process
Challenges of Managing Elevated Authority
• Elevated authority should only be granted as needed – and then revoked
• Manually granting and revoking elevated authority is time consuming and error prone
• A log of the activities of users with elevated authorities should be maintained so their actions can be monitored
• Remember that administrators, who have elevated authority, also need to have their actions monitored
Typical requests: “I need to be *SYSOPR for this assignment!” “I need *ALLOBJ to do my job!” “Can I have *SPLCTL for my project?”
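To make the “grant as needed, then revoke, and log everything” requirement concrete, here is an added example (not from the webcast and not Syncsort’s product code) of a minimal elevation manager in Python: group-based eligibility per special authority, a per-authority maximum duration, a scheduled sweep that revokes expired grants, and an append-only audit trail. Group names, user profiles and ticket numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set
# Constructed policy (hypothetical group names): who may request which authority, and for how long.
POLICY = {
    "*ALLOBJ": {"groups": {"ADMINS"}, "max_minutes": 60},
    "*SPLCTL": {"groups": {"OPERATORS", "HELPDESK"}, "max_minutes": 240},
}

@dataclass
class Grant:
    user: str
    authority: str
    reason: str
    expires_at: datetime
    revoked_at: Optional[datetime] = None

class ElevationManager:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups          # user profile -> group profiles it belongs to
        self.grants: List[Grant] = []
        self.audit: List[str] = []    # append-only trail for auditors and the SIEM

    def _log(self, when, event, user, authority, detail):
        self.audit.append(f"{when.isoformat()} {event} user={user} authority={authority} {detail}")

    def request(self, user, authority, minutes, reason, now) -> Optional[Grant]:
        # Eligibility comes from group membership; duration is clamped to the policy maximum.
        rule = POLICY.get(authority)
        if rule is None or not (self.groups.get(user, set()) & rule["groups"]):
            self._log(now, "DENIED", user, authority, f"reason={reason!r} not eligible")
            return None
        expires = now + timedelta(minutes=min(minutes, rule["max_minutes"]))
        self.grants.append(Grant(user, authority, reason, expires))
        self._log(now, "GRANTED", user, authority, f"until={expires.isoformat()} reason={reason!r}")
        return self.grants[-1]

    def active(self, user, now) -> Set[str]:
        # Special authorities the user currently holds through this manager.
        return {g.authority for g in self.grants
                if g.user == user and g.revoked_at is None and g.expires_at > now}

    def sweep(self, now) -> List[Grant]:
        # Revoke grants past expiry (run on a schedule); the returned list feeds alerting.
        expired = [g for g in self.grants if g.revoked_at is None and g.expires_at <= now]
        for g in expired:
            g.revoked_at = now
            self._log(now, "REVOKED", g.user, g.authority, "authorized time elapsed")
        return expired

def run_scenario() -> dict:
    # Constructed walk-through: an eligible and an ineligible request, then expiry.
    mgr = ElevationManager({"ALICE": {"ADMINS"}, "BOB": {"HELPDESK"}})
    t0 = datetime(2020, 1, 1, 9, 0)
    granted = mgr.request("ALICE", "*ALLOBJ", 120, "ticket-1234", t0)  # asks 120, gets 60
    denied = mgr.request("BOB", "*ALLOBJ", 30, "ticket-1235", t0)      # HELPDESK not eligible
    held = mgr.active("ALICE", t0 + timedelta(minutes=30))
    expired = mgr.sweep(t0 + timedelta(minutes=60))
    return {"granted_minutes": (granted.expires_at - t0).seconds // 60, "denied": denied is None,
            "held": held, "expired": len(expired), "audit": mgr.audit}
```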
Regulatory Requirements
General Data Protection Regulation (GDPR)
Enforcement date: 25 May 2018
Regulation in European Union law on data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). Applies to all organizations doing business with EU citizens. Aims primarily to provide protection and control over their personal data to citizens and residents, including
• Access control
• Sensitive data protection
• Restricted user privileges
• System activity logging
• Risk assessments
New York Dept. of Financial Services Cybersecurity Regulation (NYS 23 NYCRR 500)
Enforcement date: February 15, 2018
Requires banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program designed to protect consumers. Ensures the safety and soundness of New York State's financial services industry. Requirements protect the confidentiality, integrity and availability of information systems, including
• Risk assessments
• Restricted user privileges
• Automatic logouts
• Antivirus
• Multi-factor authentication
• System activity logging
Sarbanes–Oxley Act
Enacted July 30, 2002
United States federal law. Sets requirements for U.S. public companies. Certain provisions apply to private companies. Requires corporations to assess the effectiveness of internal controls and report this assessment annually to the SEC. Any review of internal controls would not be complete without addressing controls around information security including
• Security Policy
• Security Standards
• Access and Authentication
• Network Security
• Monitoring
• Segregation of Duties
Why Secure Access Points?
The IBM i is increasingly connected
• Prior to the 1990s, the IBM i was isolated
• In the 1990s IBM opened up the system to TCP/IP
• The number of ways the system could be accessed grew
• Legacy, proprietary protocols now cohabitate with new, open-source protocols – creating access point headaches
• The worldwide hacker community now recognizes the IBM i as a high-value target
4 important levels of access must now be secured
• Network access
• Communication port access
• Database access
• Command access
Exit Points and Exit Programs
What are exit points and exit programs?
• Exit points and exit programs are powerful tools for access control
• Introduced in 1994 to the AS/400 in V3R1 of the operating system
• Exit points provide “hooks” to invoke one or more user-written programs—called exit programs—for a variety of OS-related operations
• Exit programs are registered to particular exit points
How can exit points be used?
• Exit programs can allow or deny access based on parameters such as permissions, date/time, user profile settings, IP addresses, etc.
• Command exit points can allow or deny command execution based on context and parameters
• Exit programs can also trigger actions such as logging access attempts, disabling user profiles, sending an alert, etc.
Securing Network Access
Security Challenges
• Network protocols make it possible for users to connect directly to backend databases on the IBM i
• Network protocols include FTP, ODBC, JDBC, DDM, DRDA, NetServer and others
• Without proper controls, the system is open to hackers or internal users who may create problems
• Without network controls, it is also possible to remotely execute commands (e.g. RCMD or REXEC) via FTP, ODBC and RMTCMD functions
• SQL statements could also be remotely executed via ODBC, JDBC and DRDA if not locked down
How Exit Points Can Help
• IBM i provides dozens of exit points that cover most network access protocols
• Exit programs can be created and assigned to these exit points
• Exit programs can control access by a variety of criteria and monitor and log activity
• When access is controlled through network exit programs, only the specific operations defined by the exit program can occur
• Application Administration provides a partial solution that can control which users can access particular network functions, but does not provide logging and cannot be controlled via granular rules
Securing Com Port Access
Security Challenges
• Some network protocols don’t have their own exit points and can’t be protected in the same way
• These network protocols include SSH, SFTP, SMTP and others
• IT teams may also wish to control communication access in a way network or other types of exit points cannot (for example, specifying a port number)
How Exit Points Can Help
• IBM provides socket exit points
• Socket exit programs secure connections by specific port and/or IP addresses
• Socket exit programs have limits; e.g. fewer parameters are available to control inbound connections
• Socket exit points paired with the other types of exit point access control methods provide stronger protection
Securing Database Access
Security Challenges
• Object-level security only goes so far in controlling access to sensitive data
• Open-source protocols that access data create particular vulnerabilities
• Open-source protocols include JSON, Node.js, Python, Ruby and others
• Open-source protocols don’t have their own exit points
• Without properly securing database access, data could be viewed or changed without proper authorization or even stolen
How Exit Points Can Help
• A powerful exit point called Open Database File allows exit programs that protect data from any kind of access
• The exit program can be invoked whenever a physical file, logical file, SQL table or SQL view is opened
• The exit program can contain a granular set of rules that control under what conditions the file can be accessed and by whom
• The exit program can also be defined to audit all activity
Securing Command Access
Security Challenges
• The incorrect use of commands by users can cause considerable damage (deleting files, ending processes, or worse)
• Access to commands can be controlled to some extent through user profiles and object-level security
• A more refined approach to command control is often required – especially for powerful profiles
How Exit Points Can Help
• IBM i provides exit points that cover the use of commands
• Exit programs can be developed to allow or disallow access to any command within very specific circumstances
• Command control can be performed regardless of whether it is performed within the IBM i or through network access
• Command exit programs supersede normal object-level security to provide an additional, very useful layer of security for users with powerful authorities
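As an added example, not from the webcast and not Syncsort’s product code, this Python model shows the decision logic an exit program implements for the network, database and command exit points described in the last four slides: rules keyed on exit point, user profile, operation, source network and time of day, first match wins, default deny, and every decision written to an audit trail. The request fields and rule layout are constructed stand-ins (a real exit program receives the fixed parameter format IBM documents for each exit point), and the profile names and networks are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass
class ExitRequest:
    # Constructed stand-in for the parameter block an exit program receives (field names are assumptions).
    exit_point: str    # which exit point fired: "FTP", "ODBC", "COMMAND", ...
    user: str          # user profile making the request
    remote_ip: str     # client address (workstation address for interactive commands)
    operation: str     # e.g. "GET", "PUT", "RCMD", "SELECT", or a command name
    when: datetime

@dataclass
class Rule:
    name: str
    action: str                  # "ALLOW" or "DENY"
    exit_points: Set[str]        # {"*ALL"} matches every exit point
    users: Set[str]              # user profiles, or {"*ALL"}
    operations: Set[str]
    networks: Tuple[str, ...] = ("0.0.0.0/0",)
    hours: Optional[Tuple[time, time]] = None   # inclusive time-of-day window

    def matches(self, r: ExitRequest) -> bool:
        addr = ip_address(r.remote_ip)
        return (("*ALL" in self.exit_points or r.exit_point in self.exit_points)
                and ("*ALL" in self.users or r.user in self.users)
                and ("*ALL" in self.operations or r.operation in self.operations)
                and any(addr in ip_network(n) for n in self.networks)
                and (self.hours is None or self.hours[0] <= r.when.time() <= self.hours[1]))

def evaluate(rules: List[Rule], r: ExitRequest, audit: List[str]) -> str:
    """First matching rule wins; no match means deny. Every decision is logged, which is
    what turns access control into monitoring."""
    decision, name = "DENY", "*DEFAULT"
    for rule in rules:
        if rule.matches(r):
            decision, name = rule.action, rule.name
            break
    audit.append(f"{r.when.isoformat()} {r.exit_point} user={r.user} ip={r.remote_ip} "
                 f"op={r.operation} {decision} rule={name}")
    return decision

# Constructed policy with hypothetical profile names and networks.
RULES = [
    Rule("no-remote-cmd", "DENY", {"FTP", "ODBC", "RMTCMD"}, {"*ALL"}, {"RCMD", "REXEC"}),
    Rule("batch-ftp", "ALLOW", {"FTP"}, {"BATCHUSR"}, {"GET", "PUT"}, ("10.0.0.0/8",),
         (time(6, 0), time(20, 0))),
    Rule("odbc-read", "ALLOW", {"ODBC", "JDBC"}, {"*ALL"}, {"SELECT"}, ("10.0.0.0/8",)),
    Rule("ops-destructive", "ALLOW", {"COMMAND"}, {"OPSUSR"}, {"DLTF", "ENDSBS"}),
]

def run_scenario() -> Tuple[List[str], List[str]]:
    # Constructed requests exercising each rule plus the network, time and default-deny paths.
    at = lambda h: datetime(2020, 1, 1, h, 0)
    reqs = [ExitRequest("FTP", "BATCHUSR", "10.1.2.3", "GET", at(9)),       # ALLOW batch-ftp
            ExitRequest("FTP", "BATCHUSR", "10.1.2.3", "RCMD", at(9)),      # DENY no-remote-cmd
            ExitRequest("FTP", "BATCHUSR", "203.0.113.9", "GET", at(9)),    # DENY off-network
            ExitRequest("FTP", "BATCHUSR", "10.1.2.3", "GET", at(22)),      # DENY out of hours
            ExitRequest("ODBC", "ANALYST", "10.9.9.9", "SELECT", at(9)),    # ALLOW odbc-read
            ExitRequest("COMMAND", "BATCHUSR", "10.1.1.1", "DLTF", at(9))]  # DENY default
    audit: List[str] = []
    return [evaluate(RULES, r, audit) for r in reqs], audit
```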
Assure Security
• Assure Data Privacy: Assure Encryption, Assure Secure File Transfer
• Assure Compliance Monitoring: Assure Monitoring and Reporting, Assure Db2 Data Monitor
• Assure Access Control: Assure System Access Manager, Assure Elevated Authority Manager, Assure Multi-Factor Authentication
• Security Risk Assessment
Assure Access Control assures comprehensive control of system and database access
Assure Multi-Factor Authentication
Full-featured multi-factor authentication for IBM i
• Enables you to require two or more factors for authentication:
  • Something the user knows
  • Something the user has
  • Something the user “is”
• Relies on codes from authentication services delivered via mobile device, email, hardware token, etc.
• Enables self-service profile re-enablement and self-service password changes
• Supports the Four Eyes Principle for supervised changes
• RSA certified (See DOC-92160 on RSA’s community site)
Powerful, flexible deployment options
• Allows multi-factor authentication to be enabled only for specific users or situations
• Rules engine makes it easy to configure when multi-factor authentication is used
• Supports multiple authenticators
  • Free Syncsort authenticator
  • RADIUS-based servers
  • RSA SecurID (on-prem or cloud)
• Options to initiate from the 5250 signon screen or on-demand (manually or from a program)
• Options for multi-factor or two-step authentication
Strengthens login security and enables compliance
• Adds an authentication layer above and beyond memorized or written passwords
• Reduces potential for the cost and consequences of data theft and unauthorized access to systems and applications
• Lowers risk of an unauthorized user guessing or finding another user’s password
• Addresses regulatory requirements and recommendations in PCI DSS 3.2, NYDFS Cybersecurity Regulation, Swift Alliance Access, GLBA/FFIEC, and more
Assure Elevated Authority Manager
Complete, automated control of elevated user authorities
• Administrators can manually grant users’ requests or rules can be configured to manage them
• Define rules for source and target profiles based on group profiles, supplemental groups, user list, etc.
• Rules determine the context in which authority can be granted, such as time of day, job name, IP address and more
• *SWAP or *ADOPT methods are supported to elevate authority
• Handles processes connecting via ODBC, JDBC, DRDA and FTP
Comprehensive monitoring of elevated profiles
• Monitors elevated users and duration of elevation from GUI or 5250 displays
• Maintains an audit trail of elevated activity using job logs, screen captures, exit points and journals
• An option is available to simply log user activity without changing authorities
• Produces alerts on events such as exceeding authorized time
• Generates reports in a variety of formats
• Allows integration with ticketing systems
Enables regulatory compliance and security best practice
• Generates an audit trail of actions by elevated profiles for compliance auditors
• Makes it easy to manage requests for elevated authority on demand
• Enforces segregation of duties
• Satisfies security officers by reducing the number of powerful profiles and maintaining a comprehensive audit trail
• Produces necessary alerts and reports
• Significantly reduces security exposures caused by human error
• Reduces risk of unauthorized access to sensitive data
Assure System Access Manager
Comprehensive control of external and internal access
• Network access (FTP, ODBC, JDBC, OLE DB, DDM, DRDA, NetServer, etc.)
• Communication port access (using ports, IP addresses, sockets - covers SSH, SFTP, SMTP, etc.)
• Database access (open-source protocols - JSON, Node.js, Python, Ruby, etc.)
• Command access
Powerful, flexible and easy to manage
• Easy to use graphical interface
• Standard configuration provided for out-of-the-box deployment
• Powerful, flexible rules for controlling access based on conditions such as date/time, user profile settings, IP addresses, etc.
• Simulation mode for testing rules without impact to the users
• Provides alerts and produces reports
• Logs access data for SIEM integration
Secures IBM i systems and enables regulatory compliance
• Supports regulatory requirements for SOX, GDPR, PCI-DSS, HIPAA, and others
• Satisfies security officers by securing access to IBM i systems and data
• Significantly reduces the time and cost of achieving regulatory compliance
• Enables implementation of security best practices
• Quickly detects security incidents so you can efficiently remediate them
• Has low impact on system performance
The Syncsort Services Team Is Here for You
Expert services are available for
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Leverage the seasoned security experts in Syncsort Global Services!