Users and IT administrators believe that the IBM i is a secure system on its own, but is that actually true? While the IBM i is known to be a highly securable system, it also presents unique challenges to security auditors and system administrators alike.
Achieving a secure and compliant IBM i environment is often a complex and difficult process. External threats, the array of security regulations and the increasing demands of auditors continue to grow and evolve every day.
View this webinar on-demand to learn about the top ten key tips for achieving compliance and managing security including topics like:
• Encrypting, masking or scrambling your sensitive data
• Assessing your system definitions and setting them to conform to policy or compliance requirements
• Adding an additional layer of password security with multi-factor authentication
• Making sure your security assessment is done by someone who isn’t managing the system
• and MORE!
1. Top Ten Tips for IBM i Security and Compliance
June 26, 2018
3. Today’s Presenters
Dan Riehl - President, IT Security and Compliance Group
Dan Riehl is the president and security specialist for IT Security and Compliance Group where he performs IBM i security assessments and provides customized security services and software solutions for his customers. He also provides training in all aspects of IBM i security and other technical topics through his training company, The 400 School, which he founded 21 years ago. Dan is also familiar to most System i professionals through his many books and articles on security written for System iNEWS over the past 20 years.
Becky Hjellming - Product Marketing Director, Syncsort
Becky is one of our Product Marketing Directors. She has over 25 years of experience in the software industry in a variety of R&D, product management and marketing roles. Her areas of specialty are high availability, disaster recovery, backup and archiving, systems management and networking. She has worked at companies of all sizes and stages – from software startups to HP, Seagate and Novell.
54. Solutions for IBM i Compliance and Security
Becky Hjellming, Product Marketing Director
55. Syncsort’s Security Portfolio
Security
• Cilasoft
  • Cilasoft Compliance and Security Suite
  • QJRN/400 (QJRN Database & QJRN System)
  • CONTROLER
  • EAM
  • RAMi (Coming Soon!)
  • CENTRAL
• Enforcive
  • Enterprise Security Suite
  • Security Risk Assessment
  • Cross-Platform Audit
  • Cross-Platform Compliance
  • Password Self-Service
  • AIX Security
• Quick
  • Quick-CSi
  • Quick-Anonymizer
• Townsend
  • Alliance AES/400
  • Alliance Key Manager
  • Alliance Token Manager
  • Alliance FTP Manager
  • Alliance LogAgent Suite
  • Alliance Two Factor Authentication
56. What Are Your Security Goals?
• SIEM Integration: Ensure IBM i security activity can be fed into an enterprise security monitoring console
• Fraud Detection/Prevention: Ensure comprehensive control of unauthorized access and the ability to trace any activity, suspicious or otherwise
• Compliance: Prove to auditors that access is controlled and the system is in compliance
57. Syncsort can help with any compliance, security or SIEM integration need
• Security Risk Assessment
• Comprehensive Access Control
• Elevated Authority Management
• Enhanced Password Management
• Sensitive Data Protection
• Secure Data Transfer
• System & Database Auditing
• Compliance Acceleration
• Alerts and Reports
• SIEM Integration
• Log Forwarding
59. Security Risk Assessment
• Annual IT risk assessments are required by certain regulations such as PCI DSS and HIPAA
• Challenges of performing an IBM i audit include
  • Audits of IBM i are not well understood by all security auditors
  • Not all IBM i administrators have the knowledge or the time to conduct regular, thorough security assessments.
  • Separation of duties is encouraged so that the audit is not conducted by the same person that manages the system on a day-to-day basis
• Look for risk assessment products or services that:
  • Assess all areas of the IBM i
  • Generate comprehensive reports
  • Make recommendations for remediating any exposures
Syncsort Security Solutions: Security Risk Assessment Tool; Security Risk Assessment Service
61. Comprehensive Access Control
• You must take control of all access to your IBM i
• Comprehensive access control can only be achieved if network exit point and command control are added to your IBM i security strategy
• Controlling network exit points
  • Blocking operations like logging on, accessing data, running programs, etc.
  • Includes:
    • Network protocols such as ODBC, JDBC, OLE DB, FTP, DDM, DRDA, NetServer
    • Jobs, Sockets
    • SQL engine
    • File open
    • System and user commands
• Command control
  • Blocking commands based on their context and parameter values
Syncsort Security Solutions: Cilasoft CONTROLER; Enforcive Enterprise Security Suite (for IBM i and for AIX)
63. Elevated Authority Management
• Auditors require that the number of powerful profiles (*ALLOBJ, *SECADM, command line access, etc.) within a system be limited
• It is preferred that users are only given the minimum necessary authorities and that their authorities are only elevated as required
• Temporarily assigning authority through a rule-based process, and only as required, helps meet audit requirements
• Logging all activity from the temporarily elevated profile (including journals, exit programs, joblogs, screen captures, etc.) to produce a complete audit trail is also desirable
Syncsort Security Solutions: Cilasoft Elevated Authority Manager (EAM)
65. Multi-Factor Authentication
• Passwords alone are not sufficient to provide strong security as evidenced by breaches due to brute force attacks
• Authentication methods known as multi-factor authentication (MFA) or two-factor authentication (2FA) use two of the following factors for authentication:
  • Something you know (user ID, password, PIN)
  • Something you have (smart phone, email, token device)
  • Something you are (fingerprint, iris scan)
• One-time passwords are generated by authenticators such as Google Authenticator, Microsoft Authenticator, Authy, Duo, RSA SecurID. Some support RADIUS.
• MFA is a strong requirement in PCI-DSS 3.2, HIPAA, NYDFS Cybersecurity Regulation, Swift Alliance Access
Syncsort Security Solutions: Cilasoft Reinforced Authentication Manager for i (RAMi); Townsend Alliance Two Factor Authentication
67. Sensitive Data Protection
Organizations subject to regulations may be required to implement some form of sensitive data protection
Encryption
• Required to comply with the PCI DSS
• Using a variety of algorithms, data is encrypted at either the file or field level such that unauthorized users will not be able to see the encrypted data, even if accessed through journals
• Solutions may have certification by NIST, RSA or others
Tokenization
• Supports compliance with PCI DSS, HIPAA/HITECH, GLBA, GDPR and individual state privacy laws
• Replaces sensitive data with a token value. If files are lost or stolen, sensitive data is not compromised
• Token is consistent for unique names, and data can be re-identified
• Solutions may be certified by NIST, RSA or others
Syncsort Security Solutions: Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager; Enforcive Field Encryption
68. More Sensitive Data Protection
Masking
• Full or partial masks of fields can be applied on any kind of database field
• Format remains the same but the values are changed
• Common when displaying credit card numbers (mask all but the final digits)
• Protects the data while providing a functional substitute
• Useful in production environments
Anonymization
• Permanently replaces identifiable data; process is irreversible
• Anonymization can be done using methods such as scrambling, PCI/LUHN algorithm or custom exit program
• Key notion can be respected for data consistency
• Coupled with replication, can distribute anonymized data to another environment in real time (not production or HA/DR environments)
• Useful for feeding anonymized data to a secondary system for training, development and testing
Syncsort Security Solutions: Townsend Alliance AES/400, Alliance Key Manager, Alliance Token Manager; Enforcive Field Encryption; Quick-Anonymizer
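The difference between masking and Luhn-preserving anonymization described on this slide, as an added Python example (not from the webinar or from any product named here). The function names and the HMAC-based derivation are assumptions chosen for illustration, and the card number is a constructed test value.

```python
import hashlib
import hmac

def luhn_check_digit(payload: str) -> str:
    """Check digit that makes payload + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:          # rightmost payload digit is doubled first
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])

def mask_pan(pan: str, keep_last: int = 4, fill: str = "*") -> str:
    """Masking: length and separators are kept, only the final digits show."""
    hide = sum(c.isdigit() for c in pan) - keep_last
    out, seen = [], 0
    for c in pan:
        if c.isdigit():
            seen += 1
            out.append(fill if seen <= hide else c)
        else:
            out.append(c)
    return "".join(out)

def anonymize_pan(pan: str, secret: bytes) -> str:
    """Anonymization: keyed one-way replacement that is still Luhn-valid.

    The same input always yields the same output, so a card number used as a
    key in several files still joins after anonymization. The secret must
    never reach the target environment, or values could be recomputed.
    """
    digits = "".join(c for c in pan if c.isdigit())
    mac = hmac.new(secret, digits.encode(), hashlib.sha256).digest()
    width = len(digits) - 1
    body = str(int.from_bytes(mac, "big") % 10 ** width).zfill(width)
    return body + luhn_check_digit(body)

if __name__ == "__main__":
    pan = "4111-1111-1111-1111"       # constructed test number
    secret = b"example-only-secret"   # placeholder, not a real key
    print(mask_pan(pan))
    print(anonymize_pan(pan, secret))
```

Because the anonymized value still passes the Luhn check, application validation in a test or training environment keeps working on the substituted data.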
70. Secure Data Transfer
• In addition to encrypting data at rest, you need to protect sensitive data when in flight to meet regulatory requirements such as PCI, HIPAA, GDPR, GLBA and others
• Data transfers need to be secured across both external and internal networks
• Data is secured by encrypting the data on the IBM i before transferring and decrypting it on the receiving end
• Options include
  • Secure FTP (sFTP)
  • Secure Shell (SSH)
  • Pretty Good Privacy (PGP)
• Additional features such as negotiating firewalls and creating an audit trail of file transfer activities are highly desirable
Syncsort Security Solutions: Townsend Alliance FTP Manager, Alliance XML/400
72. System and Database Auditing
• Regulations such as PCI, SOX, HIPAA, GLBA and others require logging and monitoring of system and database activity
• Journals are the trusted source for auditors when tracing security events as they are reliable, not falsifiable, not selective, and they are integrated with the IBM i OS
• System auditing includes logging of:
  • Object changes (system values, user profiles, authorization lists, etc.)
  • Access attempts (authentication and object access)
  • Powerful user activity (*ALLOBJ, *SECADM)
  • Real command line activity of user profiles
  • Access to, or use of, sensitive objects (files, programs, menus, etc.)
• Database auditing includes logging of:
  • Changes made via programs outside the standard applications (SQL, DFU, etc.)
  • Modification to sensitive field values (credit limits, price lists, discount rates, etc.)
• Proper journal analysis requires tools
  • Journals are cryptic, contain a large amount of data and are difficult to search
  • Special tools are needed to make it easy to identify useful data in the journals
Syncsort Security Solutions: Cilasoft QJRN/400; Enforcive Enterprise Security Suite (for IBM i and AIX), Cross-Platform Audit; Quick-CSi
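A sketch of the journal triage this slide describes, added here as an example and not taken from the webinar or any listed product. It runs over a constructed, simplified CSV export of audit journal entries: the column layout, the `triage` and `to_siem_line` names and the `host=IBMI` label are hypothetical, while PW, CP and SV are the audit journal's own entry types.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical column layout).
# PW = invalid password, CP = user profile change, SV = system value change.
SAMPLE = """\
timestamp,entry_type,user,detail
2018-06-26T09:00:01,PW,JSMITH,invalid password
2018-06-26T09:00:05,PW,JSMITH,invalid password
2018-06-26T09:00:09,PW,JSMITH,invalid password
2018-06-26T09:12:44,CP,QSECOFR,CHGUSRPRF USRPRF(TEMPDEV) SPCAUT(*ALLOBJ *SECADM)
2018-06-26T10:30:00,SV,OPER1,QMAXSIGN changed from 3 to *NOMAX
2018-06-26T11:00:00,PW,AJONES,invalid password
"""

POWERFUL = ("*ALLOBJ", "*SECADM")

def triage(export_text, pw_threshold=3, window=timedelta(minutes=5)):
    """Return (rule, user, timestamp, detail) tuples worth an analyst's time."""
    alerts = []
    failures = defaultdict(list)   # user -> recent failed sign-on times
    for row in csv.DictReader(io.StringIO(export_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        etype, user, detail = row["entry_type"], row["user"], row["detail"]
        if etype == "PW":
            # Sliding window: keep only failures still inside the window.
            recent = [t for t in failures[user] if ts - t <= window] + [ts]
            failures[user] = recent
            if len(recent) == pw_threshold:   # alert once, when the threshold is reached
                alerts.append(("password_guessing", user, ts,
                               f"{len(recent)} failures in window"))
        elif etype == "CP" and any(a in detail for a in POWERFUL):
            alerts.append(("powerful_authority_granted", user, ts, detail))
        elif etype == "SV":
            alerts.append(("system_value_changed", user, ts, detail))
    return alerts

def to_siem_line(alert):
    """Flatten an alert to one key=value line suitable for log forwarding."""
    rule, user, ts, detail = alert
    safe = detail.replace('"', "'")
    return f'{ts.isoformat()} host=IBMI rule={rule} user={user} detail="{safe}"'

if __name__ == "__main__":
    for alert in triage(SAMPLE):
        print(to_siem_line(alert))
```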
74. Compliance Acceleration
• Organizations that are subject to regulations may need to accelerate achieving compliance, particularly if they are aware of an impending audit.
• Compliance acceleration tools can help identify deviations from the requirements and provide models or rules for achieving compliance.
• By defining corporate security policies, alerts can be generated in the event of potential compliance violations or fraudulent activity to ensure that compliance is maintained.
Syncsort Security Solutions: Enforcive Policy Compliance, Compliance Accelerator, Cross-Platform Compliance; Cilasoft QJRN/400
76. Reporting, Alerting, Log Forwarding & SIEM Integration
• For any security use case, proper alerting, reporting and integration with other SIEM consoles make the data truly useful.
• Alerting via various methods brings events to your attention that require additional inspection or action.
• Reports enable you to communicate compliance and security data to management, auditors, partners and customers.
• Integration with SIEM consoles or forwarding logs to tools such as Splunk enables IBM i security data to be monitored alongside other platforms and supports IT Operations Analytics (ITOA).
Syncsort Security Solutions: Ironstream for i; Cilasoft Security Suite; Townsend Alliance LogAgent; Enforcive Security Suite with Data Provider
77. More Security Solutions
• Network Security
  • Enforcive Firewall Manager
• Password Self-Service
  • Cilasoft Reinforced Authentication Manager (RAMi)
  • Enforcive Password Self-Service
• Supervised Changes / Four Eyes Principle
  • Cilasoft Reinforced Authentication Manager (RAMi)
• Job Log Analysis
  • Free Cilasoft Job Log Explorer
• Data Consolidation & Distribution
  • Cilasoft CENTRAL (Consolidation & Distribution)
Syncsort Security Solutions: Cilasoft Reinforced Authentication Manager for i (RAMi); Cilasoft CENTRAL; Cilasoft Job Log Explorer; Enforcive Firewall Manager; Enforcive Password Self-Service
78. Syncsort Global Services Is Here to Help!
Flexible Services Offerings for Security
• Security risk assessment
• Quick start services
• Quick check services
• Security update services (installing hot fixes, PTFs, new releases, etc.)
• System update services (ensuring security solution is properly configured after system changes to IP addresses, OS versions, etc.)
• Auditor assist (supporting internal or external auditors)
• Managed security services
• A la carte consulting
Our team of seasoned experts is here for you!
79. Let’s Get Started!
Compliance and Security solutions from Syncsort are available to help you with:
1. Security Risk Assessment
2. Compliance Acceleration
3. Comprehensive Access Control
4. Elevated Authority Management
5. Enhanced Password Management
6. Sensitive Data Protection
7. Secure Data Transfer
8. System & Database Change Auditing
9. Alerts, Reports and SIEM Integration
10. Log Forwarding for ITOA