Product Lines

Ruminations on the System i Market

August 31, 2007

The Compliance Cornucopia: Parsing the Riches

Special Note: Please see next week's blog, "The Compliance Cornucopia, Part II," for additional vendor information and discussion of this topic.

The August 28th announcement by Help/Systems of Robot/SECURITY pretty much makes it official that compliance solutions from third parties (i.e., other than IBM) are one of the hottest areas for major new System i product introductions over the past couple of years. All of these offerings help enterprises meet Sarbanes-Oxley and other legislative and regulatory mandates for system auditing requirements. Virtually all share such features as protecting application exit points, enabling analyses of user authorities, auditing of system values and other attributes, and providing a central console for monitoring system security settings and user-access activities, all of which meet key compliance objectives.

By and large, given the importance of complying with all the mandates that have arisen from the business scandals of the past 10 years, we are fortunate as a market to have such a wide range of feature-rich toolsets with which to address compliance issues. But this very strength is disadvantageous to us as individuals when we try to decide which of these products offers the set of features that would be best for our particular enterprise. What I hope will be useful is a quick overview of all the products of this type to highlight the unique, or nearly unique, features each of the major players has to offer.

In addition to Robot/SECURITY, the other System i compliance solutions are Bsafe Information Systems' Bsafe/Enterprise Security, NetIQ Corporation's Security Solutions for iSeries suite, The PowerTech Group's PowerLock ComplianceMonitor, Raz-Lee Security's iSecurity, SafeStone Technologies' DetectIT, and SkyView Partners' PolicyMinder.

An important disclaimer: Please note that with a few exceptions, I'm doing this overview based on publicly available online documentation about all these products, because those are resources available to anyone, not just journalists writing articles. Although I've done my best to avoid it, if I'm in error about a particular capability or its uniqueness to a particular product or two, it's purely due to my own inability to find, or correctly interpret, what information I've been able to access. I trust that the vendors involved will quickly point out any errors in my analysis and I welcome those corrections.

A key point in looking at compliance products as a set is the difference between the terms "auditing," "defining," and "monitoring" security-related attributes of System i servers. These three words appear repeatedly in the product literature. The way I'm interpreting these words is as follows. Auditing refers to a specific act of recording a snapshot of present settings for analysis, performed either interactively or in batch, of such attributes as system values, permitted user authorities, security settings, and other system metrics. Defining means tools within a product that automate the process of setting various values, permissions, and policies that affect user access to System i programs and data. Monitoring is the process of logging specific activities, settings, and values for later analysis, and may or may not include some system of alerts to human beings should certain predefined thresholds be met or exceeded.

Bsafe/Enterprise Security is one of two products geared to monitoring multiple, networked System i servers (the other being PowerTech's product). Among other capabilities, Bsafe's product lets you import initial system settings from other System i servers, define templates for system objects (e.g., user profiles, libraries, directories), and monitor multiple servers concurrently. An apparently unique feature is the ability to propose particular security policies on a "what-if" basis and receive an analysis of system impacts for each modification without actually implementing any.

Help/Systems' Robot/SECURITY's unique feature is a PC-based Forensics module that helps analysts untangle security breach causes after the fact, with help from the joint knowledgebase maintained by the entire suite of Robot products. Almost unique is its ability, shared to a degree with the Bsafe product, to resolve the problem of certain users temporarily needing special authorities by letting them swap profiles with a defined user with greater authority, perhaps just to carry out a single function. This swap can be automated beforehand and gets around the too-common practice of giving some users too much authority just so they can perform one or two special functions. SkyView's PolicyMinder lets system managers establish predefined settings for default adoption in similar circumstances, but it's not clear if these capabilities are totally equivalent. Bsafe's product, Robot/SECURITY, and PolicyMinder are the only three products that specifically monitor programs adopting *ALLOBJ authority. Robot/SECURITY also uniquely offers a "Learn" mode that lets managers learn how to implement security rules without affecting system operations. And it shares only with NetIQ's suite the ability to carry out analyses of system configuration flaws.

NetIQ's suite is a little harder to pin down because it consists of multiple products, each of which can run standalone and which cover different aspects of compliance and security. The suite consists of PSAudit, PSDetect, and PSSecure, and you have to buy all three to get the suite's full protection. Individually, these products have a number of unique features. PSAudit audits user activity down to the field and record level, audits system access times for all users, and audits changes to system values, libraries, profiles, device configurations, and PTFs. PSDetect includes many system-resource monitoring tools normally found in system-management products but not compliance products (other than Raz-Lee's), including monitors for message queues and storage systems. It also specifically monitors QSECOFR account activity, a "who's watching the watchers" capability that perhaps some of the others don't have because it's assumed it's usually the security officer using compliance products in the first place. PSSecure automatically generates secure menus, terminates inactive work sessions, and synchronizes user passwords across multiple systems. Like the Help/Systems product, the suite embodies a knowledgebase.

As I mentioned earlier, PowerTech's PowerLock ComplianceMonitor is one of two products that seem specifically built with the multiple-System i shop in mind. It can compare system values across multiple machines and monitor multiple machines concurrently. It spotlights user profiles using default passwords. It also includes specific tools for designing custom reports (as well as having many standard ones, as all the other products do), supports ad hoc queries about compliance metrics (although Raz-Lee's product appears to do this also), and supports batch scheduling of assessments. Alone of all the compliance products, ComplianceMonitor requires JVM 1.4 installed on the System i to operate.

Raz-Lee's iSecurity's major unique capability among the compliance products is built-in antivirus protection, although of course there are other products that more specifically protect the System i from virus attacks. Another unique feature of iSecurity in the compliance group is control and automatic performance tuning of CPUs, disks, queues, and jobs. Its final unique feature is that it automatically hides from view any database fields defined as confidential. iSecurity has its own knowledgebase that doesn't rely on the user owning other products in a suite, and although other products enable definition of security policies, iSecurity is the only one to offer this function as a wizard-based feature. Like the PowerTech product, iSecurity enables ad hoc compliance queries, and like NetIQ's PSSecure it terminates inactive user sessions automatically. Like NetIQ's PSAudit, it documents users' system-access times. As does NetIQ's PSDetect, it keeps an eye on some system resources and issues storage-problem alerts.

I had a hard time finding unique features for SafeStone's DetectIT product because the online descriptions are among the least specific for this product group. DetectIT does match the basic functions of the other compliance products. Perhaps someone from SafeStone can help us out with this one.

The following paragraph was added on September 24, 2007, with the following input from SafeStone:

DetectIT addresses selective security and compliance requirements via a modular approach. Administration is managed through a graphical front end and centralized across the network. It audits and archives events, alerts, and assessments, while also providing various options for access control and authentication. DetectIT not only reports on compliance, it also provides unique object-level security tools for correcting noncompliance.

SkyView Partners' PolicyMinder stands out most in its emphasis on defining security policies. It includes tools that let users define file shares, library and object settings, and system values. Shared only with Robot/SECURITY among the other products, it also lets users define exit points, job descriptions, and required user profiles. According to the literature, only with Bsafe's product does it share the abilities to define TCP/IP servers and templates for profiles/libraries/objects/directories, as well as to import initial values from another system. Alone of all the compliance products, it enables QSYS object creation, automatically remediates application- or system-security plans, automatically changes back system settings that were reset from nonpolicy values by user accounts with special privileges, and specifically monitors programs adopting *ALLOBJ authority. Finally, PolicyMinder is the only compliance product with built-in high-availability features.
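Three checks recur across the product descriptions above: which profiles hold *ALLOBJ special authority, which programs run under an owner that holds it, and which enabled profiles have gone unused. As an added example that is not code from any of the products discussed, the same checks can be run natively with the Db2 for i catalog services of a current IBM i release; it assumes the QSYS2.USER_INFO and QSYS2.PROGRAM_INFO views (IBM i 7.2 and later, so not available to the 2007 products here; column names are recalled from the IBM documentation and should be verified against your release), and the 90-day threshold and the exclusion of Q* system libraries are choices made for illustration.

```sql
-- Added example (not from any product on this page). Assumes IBM i 7.2+
-- with the QSYS2.USER_INFO and QSYS2.PROGRAM_INFO catalog views.

-- 1. Auditing: snapshot of every profile that directly holds *ALLOBJ.
--    SPECIAL_AUTHORITIES is a blank-separated list such as '*ALLOBJ *SECADM'.
SELECT AUTHORIZATION_NAME, STATUS, USER_CLASS_NAME, GROUP_PROFILE_NAME,
       PREVIOUS_SIGNON
  FROM QSYS2.USER_INFO
 WHERE SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
 ORDER BY AUTHORIZATION_NAME;

-- 2. Monitoring programs that adopt *ALLOBJ: a program compiled with
--    USRPRF(*OWNER) runs with its owner's authority, so an owner holding
--    *ALLOBJ turns that program into an *ALLOBJ entry point for any caller.
--    Q* libraries (IBM-supplied) are excluded; that filter is a choice made
--    here for illustration, not a rule from the page.
SELECT p.PROGRAM_LIBRARY, p.PROGRAM_NAME, p.PROGRAM_OWNER, p.USER_PROFILE
  FROM QSYS2.PROGRAM_INFO p
  JOIN QSYS2.USER_INFO    u ON u.AUTHORIZATION_NAME = p.PROGRAM_OWNER
 WHERE p.USER_PROFILE = '*OWNER'
   AND u.SPECIAL_AUTHORITIES LIKE '%*ALLOBJ%'
   AND p.PROGRAM_LIBRARY NOT LIKE 'Q%'
 ORDER BY p.PROGRAM_LIBRARY, p.PROGRAM_NAME;

-- 3. Inactive-profile discovery: enabled profiles with a password that have
--    not signed on for 90 days (90 is an assumed threshold). Profiles that
--    never signed on have a NULL PREVIOUS_SIGNON and are listed as well.
--    The list is what a "set to *DISABLED" remediation step would act on.
SELECT AUTHORIZATION_NAME, PREVIOUS_SIGNON, PASSWORD_CHANGE_DATE
  FROM QSYS2.USER_INFO
 WHERE STATUS = '*ENABLED'
   AND NO_PASSWORD_INDICATOR = 'NO'
   AND (PREVIOUS_SIGNON IS NULL
        OR PREVIOUS_SIGNON < CURRENT TIMESTAMP - 90 DAYS)
 ORDER BY PREVIOUS_SIGNON;
```

Run on a schedule and kept as output files, the three result sets give the "snapshot" the text calls auditing; comparing each run against the previous one is the monitoring step.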

As I said, I've probably overlooked or misinterpreted some features, but for now this is the best comparison of unique features I can muster. At least, once all the corrections come in, we can hopefully share here as clear a picture as possible of how the many strong compliance products our market has to offer actually differ from one another.

Posted by at August 31, 2007 9:26 AM

Comments

Hi John,

You forgot one vendor! Tango/04 offers monitoring of security events and we can also monitor changes to data. We can take "snapshots" of current values for reporting, alert you in the event of a potential security breach and even take automated actions based on the event.

Laurie:
I can see I should have made a greater distinction between compliance and security products. In my mind, the two product types certainly overlap but aren't the same. Compliance products perform such functions as analyzing system values and security settings, evaluating user profile privileges and security policies, and facilitating (if not automating) the setting of compliance policies for the System i. Security is undeniably a major component of compliance, and I don't mean to downgrade those functions, but in this instance I was trying to focus on products that offer overall policy help, not simply protection. -- jg

Posted by: Laurie LeBlanc at September 5, 2007 1:02 PM

Hi John,
When looking at the NetIQ products, you didn't mention the Enterprise Consoles it has the capabilities of plugging into. The consoles, NetIQ Secure Configuration Manager and NetIQ Security Manager, allow for Security and Compliance Monitoring across multiple iSeries and other platforms...you know, those other OSs that will run on i5 hardware?

I invite you to take a look at the NetIQ Secure Configuration Manager. I think you will find it very appropriate for this subject and that it offers features not found anywhere else.

http://www.netiq.com/products/vsm

Posted by: Matt at September 6, 2007 7:14 AM

Hi John,

First of all, thank you for recognizing SkyView Policy Minder as a compliance solution. Unlike the traditional security vendors, the SkyView products' focus is squarely on compliance, rather than adding another layer on top of integrated i5/OS security features. Our Risk Assessor product provides a thorough and unbiased assessment of the system's i5/OS security configuration as compared to industry best practices. It also provides a thorough explanation of why each item is being examined and ways to remediate the issue if the organization determines remediation needs to occur. Risk Assessor provides the solution to the compliance requirement of an annual or quarterly security assessment which many laws and regulations require.

As you stated, SkyView Policy Minder is unique in the industry in that organizations can define their own policies. I have yet to find an organization that can completely follow best practices so Policy Minder allows for those exceptions as well as a very granular definition of the policy implementation for various objects. No other product allows policy definitions that include the definition of all i5/OS security features including authorization lists, public and private authorities, owner's authorities, object auditing settings, program adoption settings and whether or not files should be journaled. Our unique "FixIt" function allows system administrators to "put back" any setting that is determined to be out of compliance. We also have several other features that replace system administrators' manual tasks and automate their compliance processes. Examples include the ability to discover new profiles that have been given *ALLOBJ special authority, or a new program that has been incorrectly created into a library designated for data objects. The latest version of Policy Minder also automates the process of managing inactive profiles, from discovery of inactive profiles to taking action on a profile (such as setting its status to *DISABLED) or removing the profile entirely. Version 1.3 also provides APIs into the Policy Minder functions. For example, our customers are using this feature to integrate the FixIt functionality with their change management processes to further automate object promotions, ensuring the objects' authority and ownership settings are in compliance with their organization's security policy.

Posted by: Carol Woodbury at September 11, 2007 7:06 PM
