Ruminations on the System i Market.
Special Note: Please see next week's blog, "The Compliance Cornucopia, Part II," for additional vendor information and discussion of this topic.
The August 28th announcement by Help/Systems of Robot/SECURITY pretty much makes it official that compliance solutions from third parties (i.e., other than IBM) are one of the hottest areas for major new System i product introductions over the past couple of years. All of these offerings help enterprises meet Sarbanes-Oxley and other legislative and regulatory mandates for system auditing requirements. Virtually all share such features as protecting application exit points, enabling analyses of user authorities, auditing of system values and other attributes, and providing a central console for monitoring system security settings and user-access activities, all of which meet key compliance objectives.
By and large, given the importance of complying with all the mandates that have arisen from the business scandals of the past 10 years, we are fortunate as a market to have such a wide range of feature-rich toolsets with which to address compliance issues. But this very strength is disadvantageous to us as individuals when we try to decide which of these products offers the set of features that would be best for our particular enterprise. What I hope will be useful is a quick overview of all the products of this type to highlight the unique, or nearly unique, features each of the major players has to offer.
In addition to Robot/SECURITY, the other System i compliance solutions are Bsafe Information Systems' Bsafe/Enterprise Security, NetIQ Corporation's Security Solutions for iSeries suite, The PowerTech Group's PowerLock ComplianceMonitor, Raz-Lee Security's iSecurity, SafeStone Technologies' DetectIT, and SkyView Partners' PolicyMinder.
An important disclaimer: Please note that with a few exceptions, I'm doing this overview based on publicly available online documentation about all these products, because those are resources available to anyone, not just journalists writing articles. Although I've done my best to avoid it, if I'm in error about a particular capability or its uniqueness to a particular product or two, it's purely due to my own inability to find, or correctly interpret, what information I've been able to access. I trust that the vendors involved will quickly point out any errors in my analysis and I welcome those corrections.
A key point in looking at compliance products as a set is the difference between the terms "auditing," "defining," and "monitoring" security-related attributes of System i servers. These three words appear repeatedly in the product literature. The way I'm interpreting these words is as follows. Auditing refers to a specific act of recording a snapshot of present settings for analysis, performed either interactively or in batch, of such attributes as system values, permitted user authorities, security settings, and other system metrics. Defining means tools within a product that automate the process of setting various values, permissions, and policies that affect user access to System i programs and data. Monitoring is the process of logging specific activities, settings, and values for later analysis, and may or may not include some system of alerts to human beings should certain predefined thresholds be met or exceeded.
Bsafe/Enterprise Security is one of two products geared to monitoring multiple, networked System i servers (the other being PowerTech's product). Among other capabilities, Bsafe's product lets you import initial system settings from other System i servers, define templates for system objects (e.g., user profiles, libraries, directories), and monitor multiple servers concurrently. An apparently unique feature is the ability to propose particular security policies on a "what-if" basis and receive an analysis of system impacts for each modification without actually implementing any.
Help/Systems' Robot/SECURITY's unique feature is a PC-based Forensics module that helps analysts untangle security breach causes after the fact, with help from the joint knowledgebase maintained by the entire suite of Robot products. Almost unique is its ability, shared to a degree with the Bsafe product, to resolve the problem of certain users temporarily needing special authorities by letting them swap profiles with a defined user with greater authority, perhaps just to carry out a single function. This swap can be automated beforehand and gets around the too-common practice of giving some users too much authority just so they can perform one or two special functions. SkyView's PolicyMinder lets system managers establish predefined settings for default adoption in similar circumstances, but it's not clear if these capabilities are totally equivalent. Bsafe's product, Robot/SECURITY, and PolicyMinder are the only three products that specifically monitor programs adopting *ALLOBJ authority. Robot/SECURITY also uniquely offers a "Learn" mode that lets managers learn how to implement security rules without affecting system operations. And it shares only with NetIQ's suite the ability to carry out analyses of system configuration flaws.
NetIQ's suite is a little harder to pin down because it consists of multiple products, each of which can run standalone and which cover different aspects of compliance and security. The suite consists of PSAudit, PSDetect, and PSSecure, and you have to buy all three to get the suite's full protection. Individually, these products have a number of unique features. PSAudit audits user activity down to the field and record level, audits system access times for all users, and audits changes to system values, libraries, profiles, device configurations, and PTFs. PSDetect includes many system-resource monitoring tools normally found in system-management products but not compliance products (other than Raz-Lee's), including monitors for message queues and storage systems. It also specifically monitors QSECOFR account activity, a "who's watching the watchers" capability that perhaps some of the others don't have because it's assumed it's usually the security officer using compliance products in the first place. PSSecure automatically generates secure menus, terminates inactive work sessions, and synchronizes user passwords across multiple systems. Like the Help/Systems product, the suite embodies a knowledgebase.
As I mentioned earlier, PowerTech's PowerLock ComplianceMonitor is one of two products that seem specifically built with the multiple-System i shop in mind. It can compare system values across multiple machines and monitor multiple machines concurrently. It spotlights user profiles using default passwords. It also includes specific tools for designing custom reports (as well as having many standard ones, as all the other products do), supports ad hoc queries about compliance metrics (although Raz-Lee's product appears to do this also), and supports batch scheduling of assessments. Alone of all the compliance products, ComplianceMonitor requires JVM 1.4 installed on the System i to operate.
Raz-Lee's iSecurity's major unique capability among the compliance products is built-in antivirus protection, although of course there are other products that more specifically protect the System i from virus attacks. Another unique feature of iSecurity in the compliance group is control and automatic performance tuning of CPUs, disks, queues, and jobs. Its final unique feature is that it automatically hides from view any database fields defined as confidential. iSecurity has its own knowledgebase that doesn't rely on the user owning other products in a suite, and although other products enable definition of security policies, iSecurity is the only one to offer this function as a wizard-based feature. Like the PowerTech product, iSecurity enables ad hoc compliance queries, and like NetIQ's PSSecure it terminates inactive user sessions automatically. Like NetIQ's PSAudit, it documents users' system-access times. As does NetIQ's PSDetect, it keeps an eye on some system resources and issues storage-problem alerts.
I had a hard time finding unique features for SafeStone's DetectIT product because the online descriptions are among the least specific for this product group. DetectIT does match the basic functions of the other compliance products. Perhaps someone from SafeStone can help us out with this one.
The following paragraph was added on September 24, 2007, with the following input from SafeStone:
DetectIT addresses selective security and compliance requirements via a modular approach. Administration is managed through a graphical front end and centralized across the network. It audits and archives events, alerts, and assessments, while also providing various options for access control and authentication. DetectIT not only reports on compliance, it also provides unique object-level security tools for correcting noncompliance.
SkyView Partners' PolicyMinder stands out most in its emphasis on defining security policies. It includes tools that let users define file shares, library and object settings, and system values. Of the other products, only Robot/SECURITY shares its ability to let users define exit points, job descriptions, and required user profiles. According to the literature, only Bsafe's product shares its abilities to define TCP/IP servers and templates for profiles/libraries/objects/directories, as well as to import initial values from another system. Alone of all the compliance products, it enables QSYS object creation, automatically remediates application- or system-security plans, automatically changes back system settings that were reset from nonpolicy values by user accounts with special privileges, and specifically monitors programs adopting *ALLOBJ authority. Finally, PolicyMinder is the only compliance product with built-in high-availability features.
As I said, I've probably overlooked or misinterpreted some features, but for now this is the best comparison of unique features I can muster. At least, once all the corrections come in, we can hopefully share here as clear a picture as possible of how the many strong compliance products our market has to offer actually differ from one another.
Posted by on August 31, 2007 at 9:26 AM | Comments (3)
Valid Technologies has just upgraded its Valid Secure System Authentication (VSSA) solution to V2R3. VSSA is currently the only user authentication product for the System i that uses biometrics, a general term for technology that uses end-user biological indicators for identification. VSSA uses fingerprint information (though not fingerprint images) entered from a fingerprint reader. However, biometrics products for other platforms use methods such as palm prints, facial recognition, retina and iris scans, voice recognition, and keystroke dynamics (which is the ability to identify a user by their overall typing speed and unique typing rhythm). VSSA also includes an application-enablement toolkit that lets developers integrate its biometric capabilities into software written in RPG-ILE, Cobol, Java, C++, and Visual Basic. VSSA has been around for exactly two years now, its initial release having been in August of 2005.
There are only two other System i vendors, so far as I can determine, who use biometrics to any extent. Kronos uses fingerprint readers in conjunction with its Workforce Central Suite workforce-management application. Better On-line Solutions uses VSSA to handle authentication for some of its thin-client workstations. But that's about it.
Why isn't biometrics hotter on the System i?
I put that question to Greg Faust, Valid Technologies' CEO. "There aren't more biometrics vendors in the entire enterprise market space, let alone the System i market, because companies at the enterprise level are slow to adopt new technologies," he opined. "The i5 world is even a bit more laggard, although (IBM System i GM) Mark Shearer is trying to turn that around. We have customers who have been testing our product at i5 locations for more than a year but say they're 'still evaluating' it," he continued. Faust pointed out that virtually all biometrics products on the market today are Windows-based and designed primarily for clients and laptops. So it's not just the System i world that's slow to catch on. "There's no biometrics product for the System z," he noted, "nor for HP-UX."
Faust noted that password hand-holding is expensive and said he's seen studies that show some companies spending up to $4 million a year on password-related help desk efforts. "A biometric solution costs a fraction of that," he pointed out. "The situation drives me crazy," he jokingly admitted. But in Faust's opinion, lack of biometrics adoption is primarily because no one has made a strong business case for it. "Change is hard. People don't understand the return on investment because no one's told them about it. It's like imaging technology was back in the 90s. No one would adopt it until someone like Citibank did. The neighbors have got to do it first."
I don't know about you, but I already have too many passwords to remember. I have one for my PC network, one for my e-mail, one for my blog, one for our web site... and those are just the four I have to remember for work. I'd like it if I could sit down at my PC, have it recognize me by my fingerprint and be able from there to access any software I wanted. Wouldn't you? Single sign-on is catching on; why not go all the way and adopt biometrics as well?
Aside from convenience issues, Faust has a good point that biometric authentication could pay for itself rather quickly. The $4 million figure is obviously for large companies, but the savings a small company could make should be substantial. How hard would it be to make a business analysis of the time spent by help desk workers walking end users through password changes, added to the amount of time end users waste because some password problem keeps them out of networks and software they need to access to do their jobs? Add to that the intangible but huge potential benefit of avoiding a data breach that a password hacker might accomplish, which could be avoided by a biometric authentication, and it starts to look like biometrics should be a no-brainer.
Personally, I'd most like to see a keyboard analytics solution and skip the fingerprint reading. And I don't mean to tout one vendor as "the answer," but right now Valid Technologies is the only game in town for the System i. In fact, it's almost a mystery that Valid Technologies doesn't have so much business that other System i vendors would have jumped on the biometrics bandwagon by now. But as Faust said, and we all know in our hearts, change is slow.
But think about it. There's a huge amount of time and money being spent by too many people fixing passwords. Not to mention the aggravation. Don't your IT people have better things to do? Wouldn't the ones who get stuck with the duty be happier if they had more meaningful work each day than spending a couple of hours resetting passwords? And how about your end users; how about YOU? Wouldn't you all like to say goodbye to password hassles? You're the one who has to make the business case to your own enterprise. Don't you think it would be worth it?
Posted by on August 28, 2007 at 1:00 PM | Comments (8)
Maybe it's just the hot summer, or maybe it's those nasty gas prices making many of us wish we had cheaper energy sources ready to hand, but lately more people seem to be thinking about the global environment. Whatever your personal feelings might be on that issue, I'm seeing and hearing more talk than ever about "Green IT," which is the shorthand term for paying attention to how environmentally friendly your IT operations are.
You don't have to believe in global warming to see that some of the "green" involved in this idea is the kind you can fold up and put in your pocket. And that's where, political issues aside, some positively short-term business interests enter the picture. There's money to be saved, and money to be made, in paying some attention to Green IT, regardless of what platforms you use, and irrespective of how far away on the calendar St. Patrick's Day is.
IBM, in its sometimes lumbering way, is trying to lead a bit here, although the initial efforts aren't squarely aimed at the System i so far. Earlier this month, IBM announced Project Big Green, an internal effort to move the operations of nearly 4,000 distributed servers onto 30 System z machines. The idea is to save at least $200 million by consuming less energy with fewer systems using less hardware and taking up less data center space that needs to be heated, cooled, and otherwise maintained, among other benefits.
This sets a great example, and I'd think should be a wonderful opportunity for IBM to talk about another very similar idea: How other businesses could also see some tidy savings from, for example, consolidating a mess of Windows server operations onto some nice, efficient System i machines. (Of course, we haven't heard that argument from IBM yet. But realize that, for example, at the Grand Canyon, it can take a while for any echo to come back, so perhaps we just need to be a little patient.) Part two of this idea is the Big Green Linux initiative IBM unveiled at Linuxworld two weeks ago, which as the press release put it, is to enable IBM to "help its clients further integrate Linux into the enterprise as a way to reduce costs and energy consumption by building cooler data centers." (I'll politely skip over the argument I could make that simply installing 1,000 game console-equipped recliners in any air-conditioned warehouse would make one of the "coolest" data centers I can imagine.) IBM's money-making idea here is to encourage wider adoption of the Linux-based Information Server Blade systems.
Part three of Project Big Green is also aimed at its System z customers, but does offer some food for thought for System i data-center managers. This part includes IBM Energy Efficiency Services, which provides consulting on making data center power use more efficient, and IBM Asset Recovery Solutions, which offers environmentally responsible disposal of computer equipment. There's also an online quiz you can take about how energy efficient your data center might be, and some white papers on running a green data center, incentive-program ideas, and best practices. Obviously, these ideas aim at the idea of saving money via a Green IT program.
Of course, there's nothing wrong with making some money from environmentally conscious IT operations, either. That idea could be said to have originated with the "paperless office" concept in the '90s. Back then, companies started offering products for reducing mountains of paper, moving the content first to microfiche and then electronic media, and replacing printed reports with online versions, for instance. These weren't touted so much as good for saving trees as for saving dollars on handling and storage, but it had that effect. (And one day, when most of us have been replaced by younger workers who don't need the reassurance of a piece of paper in our hand to make a business document be "official," that ideal might yet achieve its promise.)
IBM is far from the first to cash in on Green IT. Goodwill Industries International sponsors a program called Reconnect, which recycles salvage materials from discarded computer equipment and consumer electronics. That organization's Pittsburgh branch just passed the one million-pound mark in collected equipment, and in June launched a similar program in cooperation with Dell Computer for New Jersey and the Philadelphia area. And just last week, Sony Corporation and WM Recycle America, a subsidiary of Waste Management, launched the Sony Take Back Recycling program, aimed at reclaiming consumer electronics.
Of course, you'll want to erase the data from any equipment or media you donate. Goodwill offers tips on that on their web site. There are also companies that offer solutions for destroying data on CDs and DVDs, for example, Communication Technologies' DiskEraser.
If you're looking for an idea for your own side business, INK Solution, a North Carolina company, for example, is offering franchises in its ink and toner cartridge recycling business (note: this is not an endorsement, merely an example!), and a quick search of the web will turn up similar businesses that can help you better dispose of those byproducts of printer operations.
There are plenty of bottom-line reasons to embrace the Green IT idea, even if you don't happen to buy the "good for the environment" point of view. And if you can get behind Green IT just because you think it's a good cause, why not take advantage of the financial benefits as well?
Posted by on August 20, 2007 at 2:36 PM | Comments (0)
There seems to be a little confusion across the board about what constitutes an "application generator." In particular, the boundaries between application generators and such overlapping terms as conversion/migration tools, code generators, and tools that generate database inquiries are sometimes so vague that various products claim some or all of these categorizations. If you're looking for one tool type or another, how can you sort this out? How can you be sure you're looking at the right kind of tool for your needs if you're doing a product search?
Unless you've been actively surfing for one of these solution types, you've probably been only vaguely aware of this situation. Finishing research for a product roundup of application generator products, which will be appearing in the Route Finder insert of October System iNEWS, has brought this discrepancy home to me more clearly.
I think the confusion mostly stems from the similarities between these tool types. The ultimate desired outcome for all of them is an application that carries out one or many functions. This application consists of source code that is largely generated by some automated means. The end product is something that can be tinkered with by hand to provide some additional features or status notifications.
So what are the differences? Let's define our terms.
Basically, an application generator is software that lets you build applications by describing a problem in various ways, for example, electronic forms, diagrams, and other design tools that let you define an application and its parts. It also provides a central repository in which to store those definitions, and uses them in various combinations to automate building source code for producing applications that fulfill the defined functions. A conversion/migration tool, on the other hand, takes an existing application and translates it to another high-level language, or to a form that can run on a computer platform different from the application's original host. Trouble is, in so doing it can undeniably be said to be "generating" an application, and some vendors claim their conversion tools are application generators on that basis.
The definition of code generator is more murky. What I'd call a conventional definition of this tool type is that it's one that generates blocks of code (but not whole applications) in response to, for example, a developer answering a series of questions or presenting a schema. But if you browse many freeware and Java sites, for instance, you'll find references to inputs for code generators being defined as "templates," which are often no different in practice from the electronic forms and diagrams an application generator uses to gather information. What's worse, some vendors outside of our market who offer application generators call them code generators. Then at the other extreme are sources like Wikipedia, which essentially holds that a code generator is nothing more than a compiler.
Finally, there is a group of tools that focus on databases and that simply generate database inquiry programs. But on the basis of the argument that a simple inquiry is an "application," some of those tools also lay claim to the "application generator" mantle.
If you plug the term "application generator" into a search engine, you'll come up with examples of all of these cases. Wouldn't it be helpful if we could get all the software companies to agree on what these terms mean? Of course, that's unlikely to happen, simply because vendors are always going to want to describe their products in the most attractive terms possible, and those attractive terms often seem synonymous with the most advanced-sounding technology types, at least from a marketing point of view. But I think it's worth making a statement to help ourselves try to realign the boundaries between these product types, at least intellectually. That way, we can engage in a less-confusing internal dialogue about what we need even if the signposts in the market remain ambiguous. (Hey, we can dream, can't we?)
In my opinion, the best answer is to keep a few guidelines in mind. A true application generator generates a new application that carries out different and multiple task types, built from descriptions of what you want the output to be, and stores this information in a repository. Products that offer only some of these features don't qualify. Conversion/migration tools need to stay in that niche (although perhaps we could give them a grander-sounding name like "application platform reconfigurator") because they're not generating a new application, they're simply generating a new form of an application that already exists. Code generators should be confined to defining tools that automate the building of pieces of applications, reusable or not. And those tools that help users interact with databases to retrieve information shouldn't claim to be building applications in the full sense and should be called something else, like "inquiry program generators."
By the names I've suggested, you can tell I'm not a marketer, I'm guessing. But would you draw the lines between these tool types differently? And what are some more glitzy names we could give them?
Posted by on August 13, 2007 at 3:29 PM | Comments (3)
One problem that's surely contributing to the underutilization of the System i as a web site host is lack of a native web analytics application. (I realize there are other challenges as well, but let's focus on this one today.) This is an important tool. The "user-friendly" web site is a moving target, after all. We humans as a whole are a fickle bunch -- what attracts and fascinates in April is old hat by August.
This principle seems to apply to web sites about as much as anything else. Maybe you've set up a dynamite web site, but how do you know six months later that you're still attracting as many eyeballs as you want? In fact, how do you even know for sure, for example, that your home page is still the main landing page for your web site? Unless you've got some sort of web analytics solution, you really can't. Maybe those clever enticements for your products that you're dangling on your home page are being bypassed completely by many visitors. Wouldn't you want to know that?
Web analytics software documents and helps users analyze how people use your web site. It can show what pages are visited most frequently, what web sites people coming to your web site came from, how much time people spend on your site, and even what combinations of page views are the most common, among other metrics. It's vital to gather this information in order to make your web site good enough to attract return visits -- how else are you going to diagnose how well you're doing and look for signs that site traffic isn't following your mental picture of it? People laugh today at web sites with static pages. How long will it be until even dynamic web sites that don't reinvent themselves periodically to conform to their actual use aren't really considered "dynamic" any more? (And will we call them "static dynamic web sites?") How will you know if it's time for you to consider an overhaul? How will you get the funds to carry one out without some concrete evidence to justify the expense?
Your potential customers won't be waiting around for you to get a clue, though. For example, WebCollage, a web content-management company for manufacturers, recently published its "2007 Survey of Online Consumer Product Search Habits," which showed 37 percent of online retail shoppers would go to a competitor's web site, and 55 percent would go to the manufacturer's web site, to find product information if they couldn't find it easily on the first site they checked. I would imagine your personal web habits are similar; why wouldn't your site visitors do likewise?
There are many nonnative products that provide web analytics, but wouldn't it be nice (not to mention more efficient) if such functions could be part of an entirely on-board web-administration package for System i? IBM sells IBM Web Administration for iSeries, which runs on Apache and offers some web site administration tools but not web analytics. WebSphere Commerce offers this capability via IBM's Tivoli WebSite Analytics product or in conjunction with Coremetrics' Surfaid Analytics service (which Coremetrics bought from IBM last year). But unless you've got a better reason than web analytics to pony up that kind of cash, that solution may be out of reach. (If you're interested, there's even a Redbook on using web analytics from IBM, but it's naturally from the WebSphere-user point of view.)
There are several web portal solutions for i5/OS, but they don't include tools for dissecting web page visits. (If I'm wrong about that, someone please correct me.) There are also some products that run under i5/OS that include "web analytics" in their descriptions, but these are primarily business-intelligence tools that offer functions such as online database analytics, which isn't the same.
Would you buy an i5/OS web-analytics solution if one was available? Or do you think existing nonnative solutions of this type are "good enough" and having one that's integrated with other native web-site administration tools wouldn't be a valuable enough investment? Perhaps you think this is a DIY project. Is there a vendor out there that considered providing a tool such as this but decided against it who'd be willing to share their rationale?
Posted by on August 6, 2007 at 1:39 PM | Comments (6)
Our blogs are editorial content of System iNetwork.