System iNetwork

Chris, I really enjoyed your article; in fact, as Vice President of Business Development at Raz-Lee Security (www.razlee.com) which has focused exclusively on software products for the AS/400 (now IBM i) since 1983 and on iSecurity, a wide-ranging suite of security solutions for this platform since 1999, I couldn't agree with you more. Security is indeed "built into" the IBM i to an extent that is unequaled on any other platform around.

At the same time, it's important to emphasize the areas where the IBM i only provides the infrastructure for security solutions, leaving it to each individual organization- or to software ISVs like ourselves- to turn this infrastructure into something manageable and beneficial to CIOs, CSOs, auditors, system administrators and anyone else relevant.

Certainly the exit point architecture for protecting network access exists in vanilla OS/400; but were it not for a solution such as iSecurity Firewall, most organizations would not have the qualifications or resources to utilize these exit points.

The same goes for QAUDJRN log information; the information may all be there but its esoteric codes are unreadable without a solution such as iSecurity Audit which provides a useable (i.e. human!) front end to all this extremely valuable information.

OS/400 provides a wealth of password related system values and options; so many in fact, that a solution such as iSecurity Audit (part of the Compliance Package) which provides many tens of built-in password-related reports, a report generator and a report scheduler are an absolute must.

And then there are capabilities that OS/400 simply does not provide; for example, an automatic operator facility (part of iSecurity Action) which can send real-time alerts (as operator messages, e-mail messages and other means) and execute CL (command language) scripts if a security breach is identified, which can restart a subsystem which has abended and more.

And finally we reach the area I'll call "Application Security": using OS/400 facilities to secure and provide audit trails for changes (i.e. updates) made to company's business critical data. We've actually seen a growing trend over the past 2-3 years in which companies are more and more interested in securing applications, while less concerned about securing their "infrastructure" (i.e. network access, QAUDJRN, user profile management and passwords, etc.).

THE most important product we offer in the area of "Application Security" is AP(for Application)-Journal. This product is based upon OS/400 journal receivers, which, as we all know, fill up very quickly, becoming essentially unmanageable and therefore unusable.

AP-Journal uses special purpose "containers", which store only updates, and only fields in updates, which were designed by the site to be "significant". As such, containers are orders of magnitude smaller than journal receivers, yet at the same time providing all benefits these journal receivers provide,

For example, it's easy enough for us to "trap" changes to business-critical application fields which are beyond a pre-defined threshold, so that at the moment the change occurs, an e-mail or operator message are sent to notify management of this occurrence. And, because the containers can store years worth of data, AP-Journal can provide a time-line report, for example of all changes made to a mortgage over the years, to a mortgage bank's management, auditors, and, most important, their customers!

Another capability touching on application security and especially audit trails is our ability to "capture" (via iSecurity Capture not surprisingly) user green screen images, store them and play them back (or search them for incriminating evidence) at a later date.

And, if you think about it, AP-Journal can actually tie in to Capture, since it would be great if, when a potentially malicious update was made, we immediately (i.e. in real time) issued an alert which would initiate capturing the offending user's screens, storing them for potential evidence when required.

I hope I've convinced you that although security is indeed a "built-in" OS/400 feature, we've developed many extremely useful and important extensions of IBM's offerings.