Bytes from System iNEWS editors
I spoke with veteran (21 years!) System iNEWS tech editor Dan Riehl about a major career move he recently announced. Let's get the scoop on that, as well as Dan's expert, IBM i-focused take on security trends and challenges, social media, the economy, SSO, and PCI. We also offer a sneak peek at an upcoming article Dan authors in our October print magazine—it's just the ticket to get you ready for your next security compliance audit.
System iNetwork: You've made some big changes in your work life lately. Tell us about those.
Dan Riehl: In February, I made the decision that I was going to leave Help/Systems, and at that point in time, my emphasis was that I was going to do security services for my customers and also provide training through my training website, 400school.com. I started a new company called the IT Security and Compliance Group and learned HTML all over again as I put together the website, securemyi.com. The site is not very beautiful, but it has all the pertinent information, and I'm currently working with a really sharp college student to make the site "wow-whiz-bang."
From February through about July, I reviewed all the security products I could. I wanted to see what was out there and what other security software vendors were doing. So I had several demos of different products that I was interested in seeing, from different companies, and I read tons of different documentation on different products. After reviewing the products that were out there, I was most impressed by the software put out by a French company named Cilasoft. The methodology built into Cilasoft's products is different from any other vendor's and uses a really clever design to accomplish the same ends as the other vendors' products but with a better result and a more intelligent interface. So as I was speaking to the people at Cilasoft, we decided that since they didn't have a presence in the US, I would agree to become their head of US operations to provide sales and support and management of the product line in the US. Since I would be recommending their products to my customers anyway, it made sense to make a full-fledged commitment to Cilasoft.
In addition to Cilasoft, I have reseller or referral agreements with Help/Systems to recommend PowerTech products, Patrick Townsend Security Solutions to recommend their encryption products, and SkyView Partners to resell their Policy Minder product. Cilasoft doesn't have everything customers need, so in those cases, I recommend what I consider to be the best products to meet the customer needs.
I am so excited about the potential of Cilasoft software in the US that I think when people see and compare products from Cilasoft with what they're used to, they'll be as excited about the products as I am. The paradigm inside the software is so different, and it makes a heck of a lot more sense. I'm expecting great things in the coming years in this partnership with Cilasoft.
SiN: What trends do you see in the security software industry that will affect our readers—the IBM i community?
DR: Probably the biggest thing is consolidation: Consolidation in the vendor community through acquisitions, and consolidation of the IBM i servers throughout the community. Last year, obviously, we saw Help/Systems parent Audax acquire both Bytware and PowerTech, and that took Robot/SECURITY and Bytware StandGuard Anti-Virus and the PowerTech suite and put them all together in one company. And that will have some effect on those customers. It remains to be seen which of those products will be sunsetted and which will continue to be supported. Obviously Help/Systems is not going to continue to support three competing network exit point products, which is what it has today. We also see major consolidation in the high availability arena: Vision Solutions' purchase of iTERA and Lakeview, and IBM's purchase of DataMirror certainly change the dynamic for customers who are dealing with these vendors.
Some of the things I'm hearing include the possibility of increased maintenance prices or vendors changing the pricing schemes because pricing by processor group doesn't work anymore, because today you can have a P30 group processor and pay those license and maintenance fees, and then you upgrade your processor to one of the new machines, and you get a lot more horsepower, but the processor group may now be a P20 group, in effect lowering the price and fees. So software vendors are redoing their pricing schedules and still trying to deal with how to change for additional partitions. Those pricing schemes and the maintenance fees and the change in these consolidated companies, as far as their product offerings, will have a big impact on the i community.
With the consolidation, what have been smaller companies are motivated to gear up to kind of take on the big boys, like in the area of HA. Now we see Maximum Availability's *noMAX popping up, and Bug Busters has its solution out there too. If people don't want to pay the fees of the big players, they can go with these lower-priced offerings. The same thing is true on the security side. Some people might choose to go with other players who have upgraded their offerings to try to go head to head with the bigger players. So that will be good for the industry to get some new competition where the goal of many of the acquisitions seems to have been to eliminate all competitors.
SiN: What effect do you think social media will have on the IBM i community?
DR: I think there are really a couple of different categories of social media. LinkedIn is kind of sitting there by itself. It's aimed at professional development and networking and is not really for Mom and Dad and the kids to get in touch with people—relatives and neighbors. Then you have Facebook and Twitter. I'm on both Facebook and Twitter, and I don't really see a great deal of professional value in Facebook or Twitter. I follow Twitter mostly for political content, but when it comes to Facebook, I know there are a lot of people who spend hours and hours on there, though I don't see our folks in the i community doing that. What I have seen and what I find rather distasteful is using a tool like LinkedIn for cheap marketing tricks. It really galls me when I see people selling software in the System i and AS/400 professional groups. I don't believe that that's the right forum for that. And then I see general postings about people looking for jobs, while others are recruiting people. LinkedIn has a specific area for this kind of information in the job tabs in the discussion groups. I am just concerned that good legitimate discussions and information exchanges are being muddled by the noise. It's like getting spammed on what would otherwise be a good information exchange. I'll continue to follow LinkedIn and hope that I don't spam the world myself with things that excite me about security techniques and products and that I learn about and want to share with people.
SiN: A couple of years ago, you and Dan Kolz wrote an article about IBM Secure Perspective. Whatever happened to that product?
DR: The product as we laid it out in the article was an excellent product and had great possibility. The big issue was that the evangelist for the product and the person making inroads into the community was Dan Kolz. Shortly after the article came out, Dan was reassigned to a different group in IBM, and as leadership faded, Secure Perspective kind of wilted on the vine. I haven't heard that it is a product anymore, I haven't seen any marketing for it, and I know of nobody who has even heard anything about the product. I talked to Dan, and he said he'd left it in the hands of other folks, and he was concerned about the future of it—funding and marketing. So while it had great promise and has a couple of wonderful software patents tied to it, from all information that I have, it's no longer an IBM product.
SiN: What is the biggest challenge facing IBM i shops in the security area?
DR: The biggest problem I see in dealing with my customers is the edicts that they receive from their external auditors that come in to do SOX audits, mostly. The auditors are coming from a nontechnical background and are working off of a checklist, as I talk about in my security audit checklist article appearing in the October System iNEWS [you, dear reader, can get a sneak peek at this article by clicking here]. Many times, IT folks are under the gun to provide information or make certain changes to their system that really have little or no value from the standpoint of actually securing the system. Now, there are some places where the auditors are right on. I see a lot of my customers now being challenged to track and audit traffic through ODBC. If you're going to have ODBC access, you're going to have to make it read only, except for approved exceptions. And the approved exceptions need to be well documented, and you'll need to audit everything that those exceptional users do with ODBC—so that they don't use ODBC to update files that are outside their scope of responsibility.
It surprises me that the auditors don't ask for the same info or controls on DDM, DRDA, FTP, or remote command, but we have this ODBC thing that the auditors have jumped onto.
The other big problem that these shops have is when it comes to security, they do not typically have a dedicated resource. Especially with this economy, it's difficult to justify a full-time security resource. Companies will invest in Windows people to keep their network secure, but at the same time, the family jewels are sitting on their i, and they have not stepped up to have a dedicated resource for security on that platform. Sometimes the auditors do ask for ridiculous things, but sometimes they ask for things that are useful and legitimate, yet you don't have the resources to do it. So you do it the best you can, and it's not usually the optimal solution.
SiN: What effect is the economy having on your company? Other software/services companies? IBM i shops?
DR: Certainly most companies have been experiencing some impact from the economy over the last year, and we do see companies opting in to tools that automate processes that typically might have been done by a staff member, so that they can reduce headcount. For example, in security reporting, there's an effort to really try to push information to the correct individual responsible for looking at that information, rather than generating a lot of reports and then requiring somebody to regularly sift through 500 to 1,000 pages of audit reports. So the trend is toward auditing and reporting exceptions only, rather than reporting everything and then trying to find difficulties in the reports. People want information to be pushed to them when there's something they need to know about; they don't want to have to go and look for it. This is an area in which the Cilasoft software products and SkyView Policy Minder really shine.
I think the security products pushing data in this manner will be successful in this market. Because of SOX, it's important that the reports be routed to someone who will not have a segregation-of-duties conflict. For example, you cannot have your IT manager reviewing a report on the use of sensitive commands. But the question then becomes, who can look at this and understand the sensitivity of the commands and what the commands have done? And that is a big problem for anybody in the IT compliance arena—to get information to a person who understands it but doesn't have a segregation-of-duties conflict in reviewing the information.
To solve this problem, my suggestion in the case of these technical reports is that they actually go out of house and route those to an outside IBM i security auditing company, like mine, to look at what would be considered use of sensitive operations on the machine, where the only people within the organization who know enough to understand what the report is saying are within the IT group. Having the IT group watch the IT group is a big problem from a compliance standpoint. I don't think people have found the answer to that problem—they struggle with it. I think the answer may be to go with an external company that is technical enough to understand the reports and then report back through approved channels within the company when disparities and vulnerabilities are found.
SiN: What's the status of Single Sign-On these days?
DR: At one point in time, there were one or two software companies that were providing assistance with SSO between Windows and the i. IBM's implementation uses Kerberos and EIM as the underlying technology to implement SSO. SSO works; it's not really difficult to set up. I don't know why more companies don't use it, because it would certainly save time at the help desk for people who forget their user ID and password. The two companies that were selling SSO offerings, PowerTech and Safestone, I believe, no longer do so. One of the biggest problems we encountered in SSO was implementing SSO for NetServer. It caused many problems in most cases. So if people limit their SSO to only Telnet access, they still get value from that and could use—and I would say should use—SSO for Telnet access. But I think they should not try to use it for the file server and NetServer. People who look at enterprise SSO are looking at a whole other animal and tremendous expense and a very long rollout. But I think SSO for Telnet only, where users don't have to have a user name and password to get to the i as long as they first authenticated to Windows, is a good idea. And, yes, I do provide services for implementing SSO using the IBM tools provided with Navigator for i—not using third-party vendor tools.
SiN: What's up with PCI?
DR: I'm seeing a lot of action with people needing to be PCI compliant—people who in the past didn't think they would need to be compliant are now being told by the PCI that they do need to be PCI compliant. And the PCI Data Security Standard is pretty well documented at the PCI website. With PCI, we're seeing a lot of need for data encryption, so there is a lot of encryption software being sold to meet the PCI requirements. The biggest players in the i industry are Patrick Townsend Security Solutions, Linoma Software, and nuBridges. Those companies are seeing a lot of action on the encryption front. Our company has decided to work with Patrick Townsend Security Solutions to provide encryption solutions to our customers.
Another big thing I'm seeing is that companies are looking as part of PCI compliance to implement enterprise-wide SYSLOG consolidation. There are several players in the i market that do have different levels of output to a standard SYSLOG, and some companies, including Cilasoft, have crafted customized SYSLOG entries for different SYSLOG consolidation product vendors such as Symantec, ISS, and ArcSight.
—Linda Harty, executive editor & security/availability/networking/connectivity editor
Posted by lharty at September 9, 2009 9:48 AM